面向迁移攻击的视频对抗样本生成方法研究  

作　　者：林哲伟 何春兰 刘兴伟 王奇 孙宏 Lin Zhewei;He Chunlan;Liu Xingwei;Wang Qi;Sun Hong(School of Computer and Software Engineering,Xihua University,Chengdu 610039;Chendu Jiuzhou Electronic Information System Co.,Ltd.,Chengdu 610041)

机构地区：[1]西华大学计算机与软件工程学院,成都610039 [2]成都九洲电子信息系统股份有限公司,成都610041

出　　处：《信息安全研究》2025年第3期249-256,共8页Journal of Information Security Research

基　　金：四川省科技计划“揭榜挂帅”项目(2024YFCY0001)。

摘　　要：不同的视频识别模型具备不同的时间判别模式.在迁移攻击中,视频对抗样本生成时会对白盒模型的时间判别模式产生过拟合,从而导致对抗样本的迁移性较差.针对这一现象,提出了一种有效缓解该过拟合现象的算法.该算法通过抽帧的方式生成多个增广视频,放入白盒模型,反向传播得到增广梯度,然后对这些梯度进行归位并加权求和,获得最终的梯度信息,最终将梯度信息带入基于梯度的白盒攻击方法,如FGSM,BIM等,获得最终的对抗样本.对交叉熵损失函数进行了改进,交叉熵损失函数在指导对抗样本的生成时,优先目的是快速找到能够让模型分类错误的方向,而没有考虑分类结果与其他概率较高类别在语义空间的距离.针对这一现象,对经典的交叉熵损失函数进行了改进,增加了基于KL散度的正则项,基于该损失函数生成的对抗样本迁移性更强.在Kinetics-400以及UCF-101数据集上,以ResNet50和ResNet101为主干网络,分别训练了Non-Local,SlowFast以及TPN共计6个视频识别领域常用的模型.将上述模型中的一种作为白盒模型,对其余模型进行迁移攻击,实验证明了该方法的有效性.Different video recognition models possess distinct temporal discrimination patterns.In transfer attacks,the generation of video adversarial examples can lead to overfitting to the whitebox model’s temporal discrimination pattern,resulting in poor transferability of the adversarial examples.In view of this phenomenon,an effective algorithm is proposed to alleviate the overfitting phenomenon.The algorithm generates multiple augmented videos by frame extraction,inputs them into a white-box model,and obtains augmented gradients through backpropagation.Then,it repositions these gradients and calculates a weighted sum to acquire the final gradient information.Finally,it introduces this gradient information into gradient-based white-box attack methods,such as FGSM and BIM,to obtain the final adversarial samples.The cross-entropy loss function was improved;while guiding the generation of adversarial examples,its primary goal was to quickly find a direction that causes the model to misclassify,without considering the semantic space distance between the classification result and other categories with higher probabilities.In response to this issue,a regularization term based on KL divergence was introduced.When combined with the cross-entropy function,the adversarial examples generated based on this loss function have stronger transferability.On the Kinetics-400and UCF-101datasets,six commonly used models in the video recognition domain were trained,specifically Non-Local,SlowFast,and TPN,with ResNet50and ResNet101serving as the backbone networks.One of these models was selected as the white-box model to conduct transfer attacks on the remaining models,and a large number of experiments demonstrated the effectiveness of the method.

关 键 词：视频识别模型 对抗样本 损失函数 迁移攻击 交叉熵 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]