摘要
随着计算机性能的飞速提升和数据量的爆炸式增长,深度学习在越来越多的领域取得了惊人的成果。然而,研究者们发现深度网络也存在对抗攻击。在图像分类领域,攻击者可以通过向原始的图片上加入人为设计的微小的扰动,来使得深度神经网络分类器给出错误的分类,而这种扰动对于人类来说是不可见的,加入了扰动之后的图片就是对抗样本。基于梯度攻击的对抗样本生成算法(projected gradient descent,PGD)是目前有效的攻击算法,但是这类算法容易产生过拟合。该文提出了积分损失快速梯度符号法,利用积分损失来衡量输入对于损失函数的重要性程度,规避梯度更新方向上可能陷入局部最优值的情况,不仅进一步提升了对抗样本的攻击成功率,而且也增加了对抗样本的迁移性。实验结果证明了所提方法的有效性,可以作为测试防御模型的一个基准。
With the rapid improvement of computer performance and the explosive growth of data,deep learning has achieved amazing results in more and more fields.However,researchers have found that deep networks are also vulnerable to adversarial attacks.In the field of image classification,the attackers can add artificially designed small perturbations to the original image to make the deep neural network classifier give the wrong classification,which is invisible to human beings.The image with perturbations is called the adversarial example.The projected gradient descent(PGD)algorithm based on gradient attack is an effective adversarial examples generation algorithm at present,but this kind of algorithm is easy to over fit.In this paper,the integrated loss fast gradient sign method is proposed,which uses the integrated loss to measure the importance of the input to the loss function,and avoids the situation that the gradient update direction may fall into the local optimal value.The proposed algorithm further improves the attack success rate of the adversarial sample.Furthermore,it also increases the transferability of the adversarial examples.The experiments results show the effectiveness of the proposed method,which can be used as a benchmark to test the defense model.
作者
章进
李琦
ZHANG Jin;LI Qi(School of Computer Science,Nanjing University of Posts and Telecommunications,Nanjing 210023,China)
出处
《计算机技术与发展》
2022年第7期1-7,共7页
Computer Technology and Development
基金
科技部重点研发计划(2019YFB2101704)。
关键词
对抗样本
白盒攻击
积分梯度
卷积神经网络
深度学习
adversarial examples
white-box attack
integrated gradients
convolutional neural network
deep learning
