1.陆军工程大学指挥控制工程学院,南京 210007;2.陆军军事交通学院镇江校区,镇江 212001;3.陆军工程大学通信工程学院,南京 210007
国家自然科学基金(62076251)资助项目。
1.Command and Control Engineering College, Army Engineering University of PLA, Nanjing 210007, China;2.Zhenjiang Campus, Army Military Transportation University of PLA, Zhenjiang 212001, China;3.Communication Engineering College, Army Engineering University of PLA, Nanjing 210007, China
- 摘要 |
- 图/表 |
- 访问统计 |
- 参考文献 |
- 相似文献 |
- 引证文献 |
- 资源附件
在对抗攻击研究领域,黑盒攻击相比白盒攻击更具挑战性和现实意义。目前实现黑盒攻击的主流方法是利用对抗样本的迁移性,然而现有大多数方法所得的对抗样本在黑盒攻击时效果不佳。本文提出了一种基于高斯噪声和翻转组合策略方法来增强对抗样本的迁移性,进而提升其黑盒攻击性能。同时,该方法可与现有基于梯度的攻击方法相结合形成更强的对抗攻击。本文在一个与ImageNet相容的数据集上做了大量实验,实验结果表明本文方法所得的对抗样本在黑盒攻击性能上有显著提升。并且,本文最佳攻击组合能以86.2%的平均成功率欺骗6种先进防御模型,相比目前最强攻击方法提升约8.0%。
For adversarial attacks, black-box attacks are more challenging and applicable than white-box attacks. Recently, black-box attacks based on the transferability of adversarial examples have become mainstream methods. However, the adversarial examples generated by most existing methods exhibit low efficiency in black-box attacks. In this paper, a combination strategy based on Gaussian noise and flipping is proposed to enhance the transferability of adversarial examples, thus achieving higher black-box attack success rates. Moreover, this strategy can be integrated into any gradient-based method to obtain stronger attacks. Extensive experiments on an ImageNet-compatible dataset show that our proposed method can generate more transferable adversarial examples. In addition, our best attack can fool six state-of-the-art defense models with an average success rate of 86.2%, and deliver 8.0% success rate increasement compared with the state-of-the-art gradient-based attack.
引用本文
张武,段晔鑫,邹军华,潘志松,周星宇.融合高斯噪声和翻转策略的对抗攻击[J].数据采集与处理,2021,36(2):248-259
复制分享
文章指标
- 点击次数:
- 下载次数:
历史
- 收稿日期:2020-08-23
- 最后修改日期:2020-12-14
- 录用日期:
- 在线发布日期: 2021-03-25
