摘要
大部分网络模型在面临对抗攻击时表现不佳,这给网络算法的安全性带来了严重威胁。因此,对抗攻击已成为评估网络模型安全性的有效方式之一。现有的白盒攻击方法已经能够取得较高的攻击成功率,但是在黑盒攻击条件下,攻击成功率还有待提升。文章以梯度优化为出发点,将自适应梯度优化算法AdaN引入对抗样本生成过程中,以加速收敛,使梯度更新方向更稳定,从而增强对抗攻击的迁移性。为了进一步增强攻击效果,将文章所提方法与其他数据增强方法进行结合,从而形成攻击成功率更高的攻击方法。此外,还通过集成多个已知模型生成对抗样本,以便对已进行对抗训练的网络模型进行更有效的黑盒攻击。实验结果表明,采用AdaN梯度优化的对抗样本在黑盒攻击成功率上高于当前的基准方法,并具有更好的迁移性。
Most network models are vulnerable to adversarial attack,which poses a serious threat to the security of network algorithms.Therefore,adversarial attack becomes an effective method to evaluate network security and robustness.The existing white-box attack methods have been able to achieve high success rates,but black-box condition remains to be improved.This paper referred to gradient optimization and introduced AdaN optimizer to the process of generating adversarial examples.The main purpose was to accelerate gradient convergence.Thus,the overfitting was relieved and transferability was enhanced.In order to further enhance the attack effectiveness,the method proposed in the article is combined with other data augmentation methods to form a more effective attack method.Besides,generating adversarial examples by ensemble models shows better performance on defense models.The experimental results show that the adversarial samples optimized using AdaN gradient can achieve higher success rates in black-box attacks than the current benchmark method and have better transferability.
作者
李晨蔚
张恒巍
高伟
杨博
LI Chenwei;ZHANG Hengwei;GAO Wei;YANG Bo(Department of Cryptogram Engineering,PLA Information Engineering University,Zhengzhou 450001,China;Beijing Subway Science and Technology Development Co.,Ltd.,Beijing 100160,China)
出处
《信息网络安全》
CSCD
北大核心
2023年第7期64-73,共10页
Netinfo Security
基金
国家重点研发计划[2017YFB0801904]。
关键词
神经网络
图像分类
对抗样本
黑盒攻击
迁移性
neural network
image classification
adversarial examples
black-box attack
transferability
