基于图像边缘的语义对抗样本

Semantic Adversarial Examples Based on Edge

对抗攻击通过在图片上添加微小的扰动使得神经网络错误分类,引起了科研人员的广泛关注。当前,传统攻击对图片整体添加全局扰动缺乏语义相关性的考虑,在纯色背景区域的扰动容易被人眼感知。针对此问题,利用神经网络对于轮廓纹理信息偏好的特点,采用边缘检测算法,得到图像的边缘信息图片作为掩码区域,与整体添加的扰动相结合,使生成的对抗样本获得更好的语义性和迁移性,同时不易感知到。实验结果表明:显著减少扰动总量同时,提高了对鲁棒模型的攻击成功率,验证了方法的有效性。最后使用提取的边缘图片数据集对比卷积神经网络(CNN)和Transformer模型的泛化能力。实验发现Transformer模型对边缘图片识别的准确率是CNN模型的3~4倍,从新的角度验证了Transformer与CNN模型依赖特征的差异,同时表明对抗训练提高CNN模型对于轮廓全局特征的依赖。

The adversarial attack makes the neural networks misclassify by adding small perturbations to images,which has attracted a lot of attention from researchers.Traditional attacks add perturbations to the whole image,but they lack the consideration of semantic relevance and are easily detectable in the solid color background area.To address this problem,exploiting the characteristics of neural networks for contour texture information preference,using edge detection algorithms on the images to get mask regions and making adversarial examples obtain better semantic and transferability properties combining with the global perturbations were carried out.Experiments showed that the effectiveness of the method was verified by significantly reducing the amount of perturbations while improving the success rate of attacks on robust models.Finally,the generalization ability of convolutional neural networks(CNN)and that of Transformer models were compared by using counter images dataset.It was found that the Transformer models were 3-4 times more accurate than the CNN model in contour image recognition,which verified the difference between Transformer and CNN model dependent features from a new perspective and resealed that the adversarial training wouldimprove the dependence of CNN models on contour global features.