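Authors: WU Yang; LIU Jing [1] (College of Computer Science, Inner Mongolia University, Hohhot 010021)
Source: Chinese Journal of Computers (《计算机学报》), 2024, No. 5, pp. 1138-1178, 41 pages
Funding: Supported by the National Natural Science Foundation of China (61662051); the Inner Mongolia Science and Technology Plan Project (2020GG0187); and the Key Project of the Inner Mongolia Natural Science Foundation (2023ZD18).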
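Abstract: Black-box attacks in the image domain have become a hot research direction in adversarial attacks on deep neural networks. A black-box attack uses only the mapping between a model's inputs and outputs, without requiring the model's internal parameters or gradient information; by adding small perturbations that are hard for humans to perceive to image data, it causes deep neural network (DNN) inference and recognition to go wrong and lowers the accuracy of image analysis tasks. The robustness problems caused by black-box attacks have therefore become a key issue in current DNN model research. To improve the effectiveness of black-box attacks on image analysis tasks, existing work takes low query counts, low perturbation magnitude and high attack success rate as optimization objectives, and uses different attack modes and evaluation methods for different image analysis tasks. Starting from the mainstream image analysis tasks, this paper describes the core ideas and difficulties of black-box attack algorithms in three classes of tasks (image classification, object detection and image segmentation), summarizes the key concepts and evaluation metrics of the black-box adversarial attack field, and analyzes the implementation strategies and research goals of black-box adversarial attacks in the different image analysis tasks. It clarifies the relationships among the black-box attack algorithms and their respective advantages, and compares the performance of different black-box attack algorithms in terms of attack success rate, query count, similarity measures and other aspects, in order to identify the main challenges that remain for black-box adversarial attacks in image analysis and future research directions.

In the domain of image processing, black-box adversarial attacks have emerged as a prominent and hot area of research within the current landscape of adversarial attacks on deep neural networks (DNNs). Distinguished by their exclusive reliance on the input-output mapping of a model, black-box attacks forego internal model parameters and gradient information. By subtly introducing imperceptible perturbations into image data, these attacks induce misalignment in the inference and recognition capabilities of deep neural networks (DNNs), resulting in a deterioration of accuracy in image analysis tasks. Consequently, the robustness issues posed by black-box attacks have become a critical and focal concern in current DNN model research. To enhance the efficacy of black-box attacks in image analysis tasks, current research endeavors focus on optimizing objectives such as achieving low query counts, minimal perturbation amplitude, and high attack success rates. Different attack modes and evaluation methodologies are employed for distinct image analysis tasks. Beginning with mainstream image analysis tasks, including image classification, object detection, and image segmentation, this paper expounds on the core ideas and challenges presented by black-box attack algorithms within each category. The paper systematically summarizes key concepts and evaluation metrics in the domain of black-box adversarial attacks. The current evaluation metrics predominantly encompass three critical aspects. Firstly, the attack success rate is measured distinctively for various image analysis tasks. In image classification, the success of an attack implies a discrepancy between the model's output category and the original label category, often quantified through image misclassification rates. Object detection tasks frequently rely on the mean Average Precision (mAP) metric, where lower post-attack mAP values indicate heightened attack effectiveness. In image segmentation tasks, the success of a black-box attack is gauged by differences between generated pixel-wise segmenta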
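Keywords: black-box adversarial attack; deep neural network; robustness; image classification; object detection; image segmentation
Classification number: TP391 [Automation and Computer Technology - Computer Application Technology]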