Abstract
Currently, transferability-based black-box attacks usually use large perturbation coefficients to generate adversarial examples with strong transferability, which makes the adversarial perturbations easy for defenders to perceive. To improve the concealment of adversarial examples without increasing the maximum perturbation, this paper proposes a black-box attack optimization method based on noise fusion. The method selects, from commonly used image noises, the noise best suited to improving the transferability of adversarial examples, and reduces the coupling between the black-box attack capability of adversarial examples and the perturbation coefficient; that is, it enhances the transferability of adversarial examples without modifying the perturbation coefficient. Experimental results on the ImageNet dataset show that adversarial attacks enhanced with noise achieve significantly greater black-box attack strength. Moreover, the best noise, selected experimentally from Gaussian noise, Gaussian white noise, Poisson noise, salt-and-pepper noise, multiplicative noise and simplex noise, improves the black-box success rate of the attack algorithm being optimized by 12.64% on average at the same perturbation coefficient.
Authors
ZHANG Zhaoyang (张朝阳)
HONG Jun (洪军)
LI Hui (李晖)
College of Information Science and Engineering, Shenyang University of Technology, Shenyang, Liaoning 110023, China
Source
Communications Technology (《通信技术》)
2023, Issue 8, pp. 984-991 (8 pages)
Keywords
black-box attack
data augmentation
adversarial example
optimization method
transferability