基于GAN的无数据黑盒对抗攻击方法  

作　　者：赵恩浩 凌捷[1] ZHAO Enhao;LING Jie(School of Computer,Guangdong University of Technology,Guangzhou 510006,China)

机构地区：[1]广东工业大学计算机学院,广州510006

出　　处：《计算机工程与应用》2025年第7期204-212,共9页Computer Engineering and Applications

基　　金：广州市重点领域研发计划项目(202007010004)。

摘　　要：对抗样本能够使深度神经网络以高置信度输出错误的结果。在黑盒攻击中,现有的替代模型训练方法需要目标模型全部或部分训练数据才能取得较好的攻击效果,但实际应用中目标模型的训练数据难以获取。因此,提出一种基于GAN的无数据黑盒对抗攻击方法。无需目标模型的训练数据,使用混合标签信息的噪声生成替代模型所需的训练样本,通过目标模型的标记信息以及多样化损失函数使训练样本分布均匀且包含更多特征信息,进而使替代模型高效学习目标模型的分类功能。对比DaST和MAZE,该方法在降低35%~60%的对抗扰动和查询次数的同时对CIFAR-100、CIFAR-10、SVHN、FMNIST、MNIST五个数据集的FGSM、BIM、PGD三种攻击的成功率平均提高6~10个百分点,并且在实际应用中的黑盒模型场景Microsoft Azure取得78%以上的攻击成功率。Adversarial examples can make deep neural networks output wrong results with high confidence.In black-box attacks,existing alternative model training methods require all or part of the training data of the target model to achieve good attack effects,but the training data of the target model is difficult to obtain in practical applications.Therefore,this paper proposes a GAN-based data-free black box adversarial attack method.Without the training data of the target model,the noise of mixed label information is used to generate the training samples required by the substitute model.The label information of the target model and diversified loss functions are used to make the training samples evenly distributed and contain more feature information,so that the substitute model can effectively learn the classification function of the target model.Compared with DaST and MAZE,the proposed method reduces the number of adversarial perturbations and queries by 35%~60%,while increasing the success rate of FGSM,BIM,PGD attacks on CIFAR-100,CIFAR-10,SVHN,FMNIST,MNIST datasets by 6~10 percentage points on average.And in the actual application of the black-box model scenario Microsoft Azure achieves more than 78%attack success rate.

关 键 词：黑盒对抗攻击 生成对抗网络 替代训练 迁移攻击 深度神经网络 

分 类 号：TP183[自动化与计算机技术—控制理论与控制工程]