基于图像颜色随机变换的对抗样本生成方法  被引量：2

作　　者：白祉旭 王衡军 郭可翔 BAI Zhixu;WANG Hengjun;GUO Kexiang(Strategic Support Force Information Engineering University,Zhengzhou 450001,China)

机构地区：[1]战略支援部队信息工程大学,郑州450001

出　　处：《计算机科学》2023年第4期88-95,共8页Computer Science

摘　　要：尽管深度神经网络(Deep Neural Networks,DNNs)在大多数分类任务中拥有良好的表现,但在面对对抗样本(Adversarial Example)时显得十分脆弱,使得DNNs的安全性受到质疑。研究设计生成强攻击性的对抗样本可以帮助提升DNNs的安全性和鲁棒性。在生成对抗样本的方法中,相比需要依赖模型结构参数的白盒攻击,黑盒攻击更具实用性。黑盒攻击一般基于迭代方法来生成对抗样本,其迁移性较差,从而导致其黑盒攻击的成功率普遍偏低。针对这一问题,在对抗样本生成过程中引入数据增强技术,在有限范围内随机改变原始图像的颜色,可有效改善对抗样本的迁移性,从而提高对抗样本黑盒攻击的成功率。在ImageNet数据集上利用所提方法对正常网络及对抗训练网络进行对抗攻击实验,结果显示该方法能够有效提升所生成对抗样本的迁移性。Although deep neural networks(DNNs)have good performance in most classification tasks,they are vulnerable to adversarial examples,making the security of DNNs questionable.Research designs to generate strongly aggressive adversarial examples can help improve the security and robustness of DNNs.Among the methods for generating adversarial examples,black-box attacks are more practical than white-box attacks,which need to rely on model structural parameters.Black-box attacks are gene-rally based on iterative methods to generate adversarial examples,which are less migratory,leading to a generally low success rate of their black-box attacks.To address this problem,introducing data enhancement techniques in the process of countermeasure example generation to randomly change the color of the original image within a limited range can effectively improve the migration of countermeasure examples,thus increasing the success rate of countermeasure example black box attacks.This method is validated through adversarial attack experiments on ImageNet dataset with normal network and adversarial training network,and the experimental results indicate that the method can effectively improve the mobility of the generated adversarial examples.

关 键 词：深度神经网络 对抗样本 白盒攻击 黑盒攻击 迁移性 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]