A General Adversarial Attack Method Based on Random Gradient Ascent and Spherical Projection

Cited by: 0
Authors
Fan C.-L. [1, 2]
Li Y.-D. [2]
Xia X.-F. [2]
Qiao J.-Z. [1]
Affiliations
[1] School of Computer Science & Engineering, Northeastern University, Shenyang
[2] School of Computer, Shenyang Aerospace University, Shenyang
Keywords
Adversarial attack; Convolutional neural network; General perturbation; Gradient ascent; Spherical surface projection;
DOI
10.12068/j.issn.1005-3026.2022.02.003
Abstract
In general adversarial attacks oriented to sample sets, the key research problem is the design of a general perturbation that causes most samples to produce erroneous outputs. This paper takes typical convolutional neural networks as the research object, summarizes the existing general perturbation generation algorithms, and proposes a general perturbation generation algorithm that combines batch random gradient ascent with spherical projection search. In each iteration of the algorithm, a small batch of samples is extracted from the sample set, and the general perturbation is calculated using the random gradient ascent strategy which reduces the value of the loss function. The general perturbation is then projected onto the high-dimensional spherical surface with a radius of ε, so as to reduce the search space of general perturbations. The algorithm also introduces a regularization technique to improve the generation quality of general perturbations. Experimental results show that, compared with the baseline algorithm, the attack success rate is significantly increased and the solution efficiency of the general perturbation is improved by about 30 times. © 2022, Editorial Department of Journal of Northeastern University. All rights reserved.
Pages: 168-175
Page count: 7
Related papers
20 in total
  • [1] Deng J, Dong W, Socher R, et al., ImageNet: a large-scale hierarchical image database[C], Proceedings of 2009 IEEE Conference on Computer Vision and Pattern Recognition, pp. 248-255, (2009)
  • [2] Szegedy C, Zaremba W, Sutskever I, et al., Intriguing properties of neural networks[C/OL], Proceedings of 2nd International Conference on Learning Representations, (2014)
  • [3] Chen C, Seff A, Kornhauser A, et al., DeepDriving: learning affordance for direct perception in autonomous driving[C], Proceedings of 2nd International Conference on Computer Vision, pp. 2722-2730, (2015)
  • [4] Jia R, Lian P., Adversarial examples for evaluating reading comprehension systems[C], Proceedings of the 2017 Conference on Empirical Methods in Natural Language Processing, pp. 2021-2031, (2017)
  • [5] Samanta S, Mehta S., Towards crafting text adversarial samples
  • [6] Goodfellow I J, Shlens J, Szegedy C., Explaining and harnessing adversarial examples[C], Proceedings of 3rd International Conference on Learning Representations, (2015)
  • [7] Sarkar S, Bansal A, Mahbub U, et al., UPSET and ANGRI: breaking high performance image classifiers
  • [8] Chen P Y, Zhang H, Sharma Y, et al., ZOO: zeroth order optimization based black-box attacks to deep neural networks without training substitute models, Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pp. 15-26, (2017)
  • [9] Dong Y P, Liao F Z, Pang T Y, et al., Discovering adversarial examples with momentum
  • [10] Papernot N, McDaniel P, Jha S., The limitations of deep learning in adversarial settings[C], Proceedings of IEEE European Symposium on Security and Privacy, pp. 372-387, (2016)