Black-box Transferable Attack Method for Object Detection Based on GAN

Authors
Lu Y.-X. [1]
Liu Z.-Y. [2]
Luo Y.-G. [3]
Deng S.-Y. [1]
Jiang T. [3]
Ma J.-Y. [3]
Dong Y.-P. [1, 2]
Affiliations
[1] Beijing RealAI Intelligent Technology Co. Ltd., Beijing
[2] Department of Computer Science and Technology, Tsinghua University, Beijing
[3] Chongqing Changan Automobile Software Technology Co. Ltd., Chongqing
Source
Ruan Jian Xue Bao/Journal of Software | 2024, Vol. 35, No. 07
Keywords
adversarial attack; attention loss; black-box transferable attack; generative adversarial network (GAN); object detection
DOI
10.13328/j.cnki.jos.006937
Abstract
Object detection is widely used in fields such as autonomous driving, industry, and medical care, and object detection algorithms have gradually become the main method for solving key tasks in these fields. However, object detection models based on deep learning are seriously lacking in robustness against adversarial samples: adding a small, constructed perturbation to an input easily causes the model to predict wrongly, which greatly limits the application of object detection models in security-critical fields. In practical applications, the models are black-box models. Research on black-box attacks against object detection models is relatively scarce, and there are many problems such as incomplete robustness evaluation, low black-box attack success rates, and high resource consumption. To address these issues, this study proposes a black-box object detection attack algorithm based on a generative adversarial network. The algorithm uses a generative network fused with an attention mechanism to output the adversarial perturbations and employs the alternative model loss and the category attention loss to optimize the parameters of the generative network, supporting two scenarios: target attack and vanish attack. A large number of experiments are conducted on the Pascal VOC and MSCOCO datasets. The results demonstrate that the proposed method has a higher black-box transferable attack success rate and can perform transferable attacks between different datasets. © 2024 Chinese Academy of Sciences. All rights reserved.
Pages: 3531-3550
Page count: 19