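Affiliations: [1] School of Computer and Information Engineering, Xiamen University of Technology, Xiamen 361024 [2] School of Informatics, Xiamen University, Xiamen 361005
Source: Journal of Image and Graphics (《中国图象图形学报》), 2024, Issue 7, pp. 1889-1901, 13 pages
Funding: Xiamen Scientific Research Project for Overseas Returnees (厦人社[2022]205号-02); Xiamen Science and Technology Plan Project (3502Z20231042); Xiamen University of Technology High-Level Talent Start-up Project (YKJ22041R); Natural Science Foundation of Fujian Province (2021J011185); Central Government Basic Research Funds for Universities (108220412364).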
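Abstract: Objective Traditional adversarial attack methods based on adversarial patches usually concentrate a large amount of perturbation at the masked location of the image. However, generating imperceptible perturbations is very difficult in this class of attacks, and to human perception an adversarial patch is merely redundant dense noise, which greatly reduces its deceptiveness. In contrast, QR codes are widely used in the image domain and can themselves carry additional information, so they are more deceptive as adversarial patches. Against this background, this paper proposes an adversarial patch attack method based on a QR code mask. Method First, the target model's prediction for the input image is obtained, and a pseudo-target label is set to improve the efficiency of the non-targeted attack. By computing gradient noise that moves away from the original label while moving toward the pseudo-target label, a mask is made that restricts the perturbation noise to the colored regions of the QR code. In addition, this paper uses the Lp-Box-based alternating direction method of multipliers (ADMM) algorithm to optimize the sparsity of the added perturbation points, ensuring, while achieving a high attack success rate, that the original information carried by the QR code is not destroyed by added dense, high-magnitude perturbations, and finally trains an adversarial patch that humans do not notice. Results Comparative experiments were carried out on the ImageNet dataset with the Inception-v3 and ResNet-50 (residual networks-50) models. The results show that, in the non-targeted attack scenario, the attack success rate of the proposed method is 8.6%, 14.6% and 4.6% higher than that of the L∞-based fast gradient sign method (FGSM), DeepFool and projected gradient descent (PGD), respectively. The adversarial perturbation sparsity L0 and the perturbation noise values under the L2, L1 and L∞ norm metrics all achieve excellent results compared with current typical attack methods. For quantifying the similarity between adversarial examples and the original images, compared with FGSM, the proposed method improves by 4.82 dB and 576.3 on the peak signal-to-noise ratio (PSNR) and erreur relative globale adimensionnelle de synthèse (ERGAS) metrics, respectively, and achieves truly concealed noise in visual terms. Meanwhile, when facing a variety of advanced defense algorithms, the proposed method still maintains the high robustness of a 100% attack success rate. Conclusion The QR code-based
Objective Convolutional neural networks (CNNs) and other deep networks have revolutionized the field of computer vision, particularly in the area of image recognition, leading to significant advancements in various visual tasks. Recent studies have unequivocally demonstrated that the performance of deep neural networks is significantly compromised in the presence of adversarial examples. Maliciously crafted inputs can cause a notable decline in the accuracy and reliability of deep learning models. Traditional adversarial attacks based on adversarial patches tend to concentrate a significant amount of perturbations in the masked regions of an image. However, crafting imperceptible perturbations for patch attacks is highly challenging. Adversarial patches consist solely of noise and are visually redundant, lacking any practical significance in their existence. To address this issue, this paper proposes a novel approach called quick response (QR) code-based sparse adversarial patch attack. A QR code is a square symbol consisting of alternating dark and light modules, extensively employed in images. It uses a specialized encoding technique to store meaningful information. Utilizing QR codes as adversarial patches not only inherits the robustness of traditional adversarial patches but also increases the likelihood of evading suspicion. A crucial detail to highlight is that global-based perturbations can potentially disrupt the integrity of the valuable information stored in the QR code. Particularly when attacking robust images, excessive superimposed perturbations can significantly affect the white background of the QR code, thus ultimately rendering the generated adversarial QR code unscannable, preventing its successful detection and decoding. In this regard, we hope to ensure the integrity of the QR code by limiting the amount of noise. Inspired by sparse attacks, we integrate the QR code patch with sparse attack techniques to control the sparsity of adversarial perturbations. By doing so, our proposed method effectively limits the number of noise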
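Keywords: adversarial patch; sparse noise; image classification; QR code; non-targeted attack
Classification number: TP391.4 [Automation and Computer Technology - Computer Application Technology]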