Abstract
Although white-box attacks achieve high attack success rates, the generated adversarial examples overfit, so their success rate is low when they are used against other classification models. To alleviate this overfitting, improve the transferability of adversarial examples, and raise their attack success rate under black-box conditions, this paper proposes AF-R-MI-FGSM, a method for generating adversarial examples based on affine transformation and gradient refinement. Rather than generating adversarial examples from the original image alone, the method applies a random affine transformation to the input image at each iteration to increase the diversity of the input, using data augmentation to alleviate overfitting and make the adversarial examples more transferable. Because random image transformation increases the randomness of the noise gradient and degrades attack performance, the paper proposes a gradient refinement step to mitigate this negative effect on the gradient. Transferability is further improved by attacking an ensemble of models. Experiments on the ImageNet dataset verify the effectiveness of the method: under black-box conditions, compared with MI-FGSM, the average attack success rate of the proposed method increases by 14.3% for single-model attacks and by 22.1% for ensemble-model attacks.
Source
Computer Science and Application (《计算机科学与应用》)
2023, No. 9, pp. 1796-1805 (10 pages)