Abstract
With the rapid development of deep learning, numerous tasks in the field of vision have been effectively solved. Alongside the steady gains in performance, the discovery of adversarial examples has prompted reflection on the reliability and security of deep learning. Compared with the early white-box attacks, black-box transfer attacks do not need to obtain sensitive information about the victim model such as its network architecture and parameters; they are therefore harder to detect and pose a relatively greater threat. The current survey literature mainly offers comprehensive summaries of adversarial attacks, or of adversarial attacks and defenses together, and rarely gives a dedicated review and outlook on black-box transfer attack methods against deep visual recognition models. This paper therefore presents a comprehensive overview and summary of the latest progress on black-box transfer attacks. First, the basic models of black-box transfer attacks are introduced from two perspectives, optimization and learning. For transfer attacks from the optimization perspective, the existing literature is organized and analyzed in terms of three aspects: gradient perturbation update, sample neighborhood augmentation, and model decision agent. For transfer attacks from the learning perspective, the existing literature is further organized and analyzed in terms of universal perturbations and generative perturbations. Finally, two cores of current black-box transfer attack methods are summarized, namely smoothness of the optimal solution and guidance by feature semantics, and it is pointed out that the key point and difficulty of future work lies in the interpretability and generalization of black-box transfer attacks.
Authors
邵文泽
滕臻
朱富坤
孙玉宝
SHAO Wenze; TENG Zhen; ZHU Fukun; SUN Yubao (School of Communications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing 210003, China; Bell Honors School, Nanjing University of Posts and Telecommunications, Nanjing 210023, China; Engineering Research Center for Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing 210000, China)
Source
Journal of Nanjing University of Posts and Telecommunications (Natural Science Edition)
Peking University core journal (北大核心)
2024, No. 5, pp. 47-60 (14 pages)
Funding
Supported by the National Natural Science Foundation of China (92470126, 62276139, U2001211).
Keywords
transfer attack
adversarial attack
black-box attack
deep learning
optimization attack
learning attack