一种基于注意力的两段式单像素对抗样本生成方法

Attention Based Two-stage One Pixel Adversarial Samples Generation Method

随着深度神经网络在计算机视觉各类任务中被广泛应用,深度学习暴露出脆弱性,对抗攻击及对抗样本生成算法成为研究热点,并取得了一系列进展.单像素攻击通过只修改图像中的单个像素点实现对抗样本生成,在隐蔽性上较其他对抗攻击算法更具优势.然而,因其使用差分进化算法大量轮询访问模型搜索目标像素点,导致攻击效率低下;同时由于搜索过程中易于陷入局部最优解,导致攻击效果不佳.本文针对以上问题进行改进,提出一种基于注意力的两段式单像素攻击方法.该方法通过引入注意力机制确定候选扰动区域,减少冗余计算,并在一定程度上避免陷入局部最优,实现更高效的单像素对抗样本生成.通过在多个深度卷积模型上的实验,证明本方案生成的对抗样本能够以较高的成功率实现对抗攻击,并具有较高的可迁移性,在隐蔽性上也保持了单像素攻击固有的优势.

With the wide application of deep neural networks in various tasks of computer vision,deep learning has exposed vulnerability,and adversarial attack and adversarial sample generation algorithms have become hot research topics,and a series of progress have been made.One pixel attack achieved adversarial sample generation by modifying only one pixel in the image,which has more advantages over other adversarial attack algorithms in terms of concealment.However,because it uses differential evolution to poll the access model a lot to search for the target pixel,the attack is inefficient;At the same time,due to the easy fall into the local optimal solution during the search process,the attack effect is not good.This paper improves the above problems and proposes an attention based two-stage one pixel attack.This method reduces redundant computation by introducing attention mechanism to determine candidate perturbation regions,and to a certain extent avoids falling into local optimization,so as to achieve more efficient generation of one pixel adversarial sample.Through experiments on multiple deep convolutional models,it is proved that the adversarial samples generated by this scheme can achieve adversarial attacks with a high success rate,and have high portability,and maintain the inherent advantages of one pixel attack in terms of concealment.