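Authors: SUN Xu; ZHANG Wenqiong; LONG Xianzhong[1]; LI Yun[1] (School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China)
Affiliation: [1] School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing, Jiangsu 210023, China
Source: Chinese Journal of Network and Information Security (《网络与信息安全学报》), 2025, No. 1, pp. 92-105, 14 pages in total
Funding: National Natural Science Foundation of China (62476137).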
Abstract: Deep neural networks have demonstrated superior performance in various computer vision tasks. However, they have been found to be highly susceptible to adversarial attacks, which involve the addition of perturbations to examples during the inference phase that are imperceptible to the human eye. To defend against adversarial attacks, some works have explored the reverse engineering of adversarial examples, known as the adversarial attribution problem. By attributing the attack algorithm and victim model used to generate adversarial examples, defenders can gain insights into the attacker's knowledge and targets, thereby enabling the design of more effective defense algorithms against corresponding attacks. Existing methods have mostly approached the adversarial attribution problem as a single-task learning problem. However, as the scope of attack algorithms and victim models has expanded, single-task learning has faced the challenge of combinatorial explosion. To improve the accuracy of adversarial attribution and meet the requirements for different attribution granularities, attack algorithms and victim models were layered, and the dependencies between different levels were utilized. A multi-task adversarial attribution method based on a hierarchical structure was proposed. This method simultaneously performed the attribution tasks of attack algorithms and victim models at different levels and employed hierarchical path prediction to learn the dependencies between these levels. Experimental results on multiple datasets demonstrate that the proposed method achieves better attribution performance compared to other attribution methods.
Classification code: TP18 [Automation and Computer Technology: Control Theory and Control Engineering]