Abstract
Adversarial attacks are a cutting-edge technique for studying the vulnerability of deep neural networks (DNNs). However, most existing studies focus on additive perturbation-based attacks, which cannot represent real-world corruption, and this limits their practical application. In particular, haze is a common natural phenomenon that significantly corrupts an image, which inevitably poses a potential threat to deep models. In this work, we make a first attempt to study the effects of haze on DNNs from the perspective of adversarial attacks and propose two adversarial haze attack methods. We first propose the optimization-based adversarial haze attack (OAdvHaze), which optimizes the parameters of the atmospheric scattering model under the guidance of a DNN to synthesize a hazy image, leading to a high attack success rate. To achieve a more efficient attack, we further propose a predictive adversarial haze attack (PAdvHaze), which employs a DNN to predict the hazing parameters in a single step. To validate the effectiveness of both methods, we conducted extensive experiments on two publicly available datasets, i.e., ILSVRC 2012 and NIPS 2017. OAdvHaze and PAdvHaze achieve attack success rates and transferability comparable to state-of-the-art attacks. This work contributes to the evaluation and enhancement of the robustness of DNNs against haze perturbations that may occur in the real world.
Authors
高瑞均
郭青
余洪凯
冯伟
Ruijun GAO; Qing GUO; Hongkai YU; Wei FENG (College of Intelligence and Computing, Tianjin University, Tianjin 300350, China; Key Research Center for Surface Monitoring and Analysis of Relics, State Administration of Cultural Heritage, Tianjin 300350, China; School of Computer Science and Engineering, Nanyang Technological University, Singapore 639798, Singapore; Department of Electrical Engineering and Computer Science, Cleveland State University, Cleveland 44115, USA)
Source
《中国科学:信息科学》 (Scientia Sinica (Informationis))
CSCD
Peking University Core Journal
2023, Issue 2, pp. 309-324 (16 pages)
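Funding
National Key Research and Development Program of China (Grant No. 2020YFC1522701)
Tianjin General Program (Grant No. 18JCYBJC15200)
Supported by the National Natural Science Foundation of China (Grant No. 62072334).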
Keywords
adversarial attack
image classification
haze synthesis
deep learning
image processing