基于集成advGAN的黑盒迁移对抗攻击  被引量：1

作　　者：黄帅娜 李玉祥 毛岳恒 班爱莹 张志勇 HUANG Shuai-na;LI Yu-xiang;MAO Yue-heng;BAN Ai-ying;ZHANG Zhi-yong(School of Information Engineering,Henan University of Science and Technology,Luoyang 471023,China;Henan International Joint Laboratory for Cyberspace Security Applications,Henan University of Science and Technology,Luoyang 471023,China)

机构地区：[1]河南科技大学信息工程学院,河南洛阳471023 [2]河南科技大学河南省网络空间安全应用国际联合实验室,河南洛阳471023

出　　处：《吉林大学学报（工学版）》2022年第10期2391-2398,共8页Journal of Jilin University:Engineering and Technology Edition

基　　金：国家自然科学基金项目(61972133);河南省中原千人计划中原科技创新领军人才项目(204200510021);河南省重点科技攻关项目(192102210130,202102210162);河南省高等学校重点科研项目(19B520008).

摘　　要：针对传统advGAN方法可高效地生成高保真度的对抗样本,但advGAN容易过拟合于原始样本空间流形导致迁移性变差的问题,,提出了一种集成advGAN的方法。在生成对抗网络中添加由多个分类模型的logits集成构成目标分类模型,汇聚所有模型输出的期望,着力降低过拟合现象,使得生成的对抗样本迁移性强且保真度高。在MNIST数据集上,使用集成advGAN方法生成的对抗样本迁移攻击成功率平均提高了6%,最高可达43.9%,在CIFAR-10数据集上,对抗样本迁移攻击成功率平均提高了7.6%,最高可达75.62%,且PSNR比起传统advGAN有提升。实验结果表明:集成advGAN方法可以生成具备更高对抗迁移性的高保真对抗样本。The traditional advGAN method can efficiently generate adversarial samples with high fidelity,but advGAN tends to overfit the original sample spatial manifold,resulting in poor transferability.To address this defect,an approach based on ensemble generative adversarial networks was proposed.Generating adversarial examples with high fidelity and high attack success rate in real-time is available according to previous approach based on generative adversarial networks,however it lacks the adversarial transferability.For generating transferable adversarial examples in real-time,an ensemble training strategywas proposed for adversarial transferability improvement.By using the expectation of an ensemble of substitute models,the generative network generates adversarial examples with better transferability and still holds good fidelity.The experiment result shows that the proposed approach:On MNIST datasets,the transferable attack success rate increases by 6%on average,up to 43.9%;On CIFAR-10 datasets,the transferable attack success rate increases by 7.6%on average,up to 75.62%;The PSNR increases slightly on both datasets.The experimental evidence indicates that the proposed ensemble advGAN method generates adversarial examples with higher transferability and fidelity in real time comparing with normal advGAN.

关 键 词：对抗样本 迁移性 advGAN 对抗攻击 深度学习 

分 类 号：TP391[自动化与计算机技术—计算机应用技术]