| 引用本文: |
邹军华1, 段晔鑫1,2, 潘 雨3, 张 磊1, 黎 维1, 潘志松1.PIDI-FGSM:一种对抗样本生成的梯度处理新方法[J].陆军工程大学,2022,(5):13-22
[点击复制] |
|
| |
|
|
| 本文已被:浏览 129次 下载 133次 |
| PIDI-FGSM:一种对抗样本生成的梯度处理新方法 |
| 邹军华1,段晔鑫1,2,潘雨3,张磊1,黎维1,潘志松1 |
| (1.陆军工程大学 指挥控制工程学院,江苏 南京 210007;2.陆军军事交通学院,江苏 镇江 212003;
3.31436部队,辽宁 沈阳 110005) |
| 摘要:深度神经网络在多种模式识别任务上均取得卓越表现,然而相关研究表明深度神经网络非常脆弱,极易受到对抗样本的攻击。且人眼不易察觉的对抗样本还具有迁移性,即针对某个模型生成的对抗样本能够使得其他不同的深度模型也产生误判。主要研究提升对抗样本的迁移性,提出了基于PID控制优化器的快速梯度符号方法(PIDI-FGSM),用于替代原有的基于动量优化器生成方法(MI-FGSM)。不同于MI-FGSM只累加一阶动量项,PIDI-FGSM同时考虑当前梯度、一阶动量项和一阶微分动量项。此外,PIDI-FGSM经过相应变化后,可与现有其他对抗样本生成方法相结合,在不需要额外运行时间和运算资源的情况下大大提高了对抗样本对于黑盒防御模型的攻击成功率。在ImageNet数据集上的实验表明,结合了PIDI-FGSM的对抗样本生成方法能够更快速地生成攻击成功率更高的对抗样本。通过提出最强攻击组合NI-TI-DI-PIDM2,对6个经典黑盒防御模型的平均攻击达到87.4%的成功率,比现有的动量方法提高3.8%,对3个较为先进的黑盒防御模型的平均攻击达到80.0%的成功率,比现有的动量方法提高4.9%。 |
| 关键词: 对抗样本 PID 黑盒攻击 迁移性 |
| DOI:10.12018/j.issn.2097-0730.20211109006 |
| 投稿时间:2021-11-09 |
| 基金项目:国家自然科学基金(62076251) |
|
| Generating Adversarial Examples with PID Iterative Fast Gradient Sign Method |
| ZOU Junhua1,DUAN Yexin1,2,PAN Yu3,ZHANG Lei1,LI Wei1,PAN Zhisong1 |
| (1.College of Command & Control Engineering,Army Engineering University of PLA,Nanjing 210007,China;
2.Army Military Transportation University,Zhenjiang 212003,China;3.Unit 31436 of PLA,Shenyang 110005,China) |
| Abstract: Deep neural networks (DNNs) have achieved excellent performance on a variety of pattern recognition tasks. However, related studies have shown that DNNs are vulnerable to adversarial examples. In addition, adversarial examples that are difficult to detect by human eye are also transferable. In other words, adversarial examples crafted by a known DNN can also fool other black-box DNNs. This paper focuses on improving the transferability of adversarial examples and proposes a PID iterative fast gradient sign method (PIDI-FGSM) based on a PID control optimizer to replace the original momentum iterative fast gradient method (MI-FGSM). Unlike MI-FGSM, which only accumulates first-order momentum terms, PIDI-FGSM simultaneously takes into consideration the current gradient, first-order momentum terms, and first-order differential momentum terms. In addition, with some modifications, PIDI-FGSM can be combined with other existing adversarial example generation methods to greatly improve the attack success rate of adversarial examples against black-box defense models without requiring additional runtime and computing resources. The experiments on the ImageNet dataset show that the adversarial example generating methods combined with PIDI-FGSM can generate adversarial examples with a higher attack success rate and at a higher speed. The strongest attack combination NI-TI-DI-PIDM2 proposed in this paper can achieve an average attack success rate of 87.4% against the six classic black-box defense models and 80.0% against the three more advanced models, exceeding the existing momentum method by 3.8% and 4.9% respectively. |
| Key words: adversarial examples PID black-box attack transferability |
|
