基于图片高频和对抗子空间的迁移性攻击

Transfer-based attack based on image frequency and adversarial subspace

针对对抗样本在白盒模型上过拟合和攻击者在搜索对抗子空间时受到约束等问题,从频域和可搜索对抗子空间的角度,提出了一种提升对抗样本迁移性的方法。首先,在生成对抗样本的过程中,通过减少图像的高频成分来减轻对抗样本在白盒模型上的过拟合效应。其次,通过扩大对抗子空间的搜索范围来捕获更多信息,从而提升对抗样本迁移性。值得注意的是,所提方法可以与现有的攻击相结合。在ImageNet数据集上进行的大量实验验证了所提方法的有效性,所提方法的黑盒攻击成功率较基于快速梯度符号法这一类攻击方法平均高出8.6%(针对正常训练模型)和18.2%(针对防御模型)。

To address the issues such as overfitting of adversarial examples on white-box models and constraints on attackers when searching for adversarial subspaces,a method to improve the transferability of adversarial examples from the perspectives of frequency domain and searchable adversarial subspaces is proposed.Firstly,in the process of generating adversarial examples,the overfitting effect of adversarial examples on the white-box model is mitigated by reducing the high-frequency components of the image.Secondly,by expanding the searching range of the adversarial subspace to capture more information,the transferability of adversarial examples is improved.It is worthy noting that the proposed method can be combined with existing attacks.A large number of experiments on the ImageNet dataset have verified the effectiveness of the proposed method.The black-box attack success rate of the proposed method is 8.6%(for normal training models)and 18.2%higher(for defensive models),respectively than the attack methods based on fast gradient sign method on average.