基于多空间概率增强的图像对抗样本生成方法  

作　　者：王华华[1,2] 范子健 刘泽[2,3] WANG Huahua;FAN Zijian;LIU Ze(School of Software Engineering,Chongqing University of Posts and Telecommunications,Chongqing 400065,China;Chongqing Key Laboratory of Mobile Communication Technology(Chongqing University of Posts and Telecommunications),Chongqing 400065,China;School of Communication and Information Engineering,Chongqing University of Posts and Telecommunications,Chongqing 400065,China)

机构地区：[1]重庆邮电大学软件工程学院,重庆400065 [2]移动通信技术重庆市重点实验室(重庆邮电大学),重庆400065 [3]重庆邮电大学通信与信息工程学院,重庆400065

出　　处：《计算机应用》2025年第3期883-890,共8页journal of Computer Applications

基　　金：重庆市自然科学基金创新发展联合基金(中国星网)资助项目(CSTB2023NSCQ-LZX0114)。

摘　　要：对抗样本能够有效评估深度神经网络的鲁棒性和安全性。针对黑盒场景下对抗攻击成功率低的问题,为提高对抗样本的可迁移性,提出一种基于多空间概率增强的对抗样本生成方法(MPEAM)。所提方法通过在对抗样本生成方法中引入2条随机数据增强支路,而各支路分别基于像素空间和HSV颜色空间实现图像的随机裁剪填充(CP)和随机颜色变换(CC),并通过构建概率模型控制返回的图像样本,从而在增加原始样本多样性的同时降低对抗样本对原数据集的依赖,进而提高对抗样本的可迁移性。在此基础上,将所提方法引入集成模型中,以进一步提升黑盒场景下对抗样本攻击的成功率。在ImageNet数据集上的大量实验结果表明,相较于基准方法——迭代快速梯度符号方法(IFGSM)和动量迭代快速梯度符号方法(MIFGSM),所提方法的黑盒攻击成功率分别平均提升了28.72和8.44个百分点;相较于基于单空间概率增强的对抗攻击方法,所提方法的黑盒攻击成功率最高提升了6.81个百分点。以上验证了所提方法能够以较小的复杂度代价提高对抗样本的可迁移性,并实现黑盒场景下的有效攻击。Adversarial examples can evaluate the robustness and safety of deep neural networks effectively.Aiming at the problem of low success rate of adversarial attacks in black-box scenarios and to improve the transferability of adversarial examples,a Multi-space Probability Enhancement Adversarial example generation Method(MPEAM)was proposed.The transferability of the adversarial examples was improved by the proposed method through introduction of two pieces of random data enhancement branches in the adversarial example generation method.In this process,random image Cropping and Padding(CP)based on the pixel space,as well as random Color Changing(CC)based on HSV color space,were implemented,respectively,by each branch.At the same time,the returned image examples were controlled by constructing a probability model,which increased the diversity of the original examples while decreasing the dependence of the adversarial examples on the original dataset,thereby enhancing the transferability of adversarial examples.On this basis,the proposed method was introduced into the integration model to further improve the success rate of the adversarial example attack in black-box scenarios.After extensive experiments on ImageNet dataset,the experimental results show that the proposed method improves the black-box attack success rate by 28.72 and 8.44 percentage points,averagely and respectively,compared to the benchmark methods Iterative Fast Gradient Sign Method(IFGSM)and Momentum Iterative Fast Gradient Sign Method(MIFGSM),and improves the black-box attack success rate by up to 6.81 percentage points compared to the attack methods based on single-space probability enhancement.The above indicates that the proposed method can improve the transferability of adversarial examples at a small cost of complexity and achieve effective attacks in black-box scenarios.

关 键 词：对抗样本 深度神经网络 黑盒场景 可迁移性 多空间概率增强 

分 类 号：TP391[自动化与计算机技术—计算机应用技术]