Authors: WU Ji; SHAO Wen-ze [1]; GE Qi [1]; SUN Yu-bao [2]
Affiliations: [1] School of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, Jiangsu 210003, China; [2] Engineering Research Center for Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing, Jiangsu 210044, China
Source: Acta Electronica Sinica, 2024, No. 11, pp. 3798-3808 (11 pages)
Funding: National Natural Science Foundation of China (No. 61771250, No. 61972213).
Abstract: The transferability of adversarial samples is crucial for attacking unknown models, providing feasibility for adversarial attacks in practical scenarios. Existing transfer attacks tend to indiscriminately distort features to degrade the prediction accuracy of the source model. However, they overlook the intrinsic features of objects in the images. Inspired by existing work on feature importance extraction, this paper proposes a method termed multi-layer accumulated gradient attack, which disrupts the crucial object-aware features that dominate the model's decision. Specifically, this paper introduces iterative accumulated gradients to quantify feature importance; these gradients are highly correlated with the main body of the target object and thereby help to improve transfer attacks. Furthermore, by combining attacks across various intermediate layers, this paper finally achieves the multi-layer accumulated gradient attack. Extensive results show that, compared with the best-performing method in the comparative experiments, the proposed method achieves a comparable attack success rate on normally trained models with higher attack efficiency, while its attack success rate on defense models is increased by 2.6 percentage points.
Keywords: adversarial attack; black-box attack; transferability; feature importance; iterative accumulated gradient
Classification: TP183 [Automation and Computer Technology - Control Theory and Control Engineering]