基于敏感区域的双掩码集合对抗攻击研究  

作　　者：闫振豪 张晓琳[1] 王永平[2] YAN Zhenhao;ZHANG Xiaolin;WANG Yongping(School of Digital and Intelligent Industry,Inner Mongolia University of Science&Technology,Baotou 014010,China;School of Automation and Electrical Engineering,Inner Mongolia University of Science&Technology,Baotou 014010,China)

机构地区：[1]内蒙古科技大学数智产业学院,内蒙古包头014010 [2]内蒙古科技大学自动化与电气工程学院,内蒙古包头014010

出　　处：《内蒙古科技大学学报》2025年第1期92-96,共5页Journal of Inner Mongolia University of Science and Technology

基　　金：国家自然科学基金(62466045);内蒙古自治区自然科学基金(2023MS06012);内蒙古自治区直属高校基本科研业务费(2024QNJS047,2023RCTD027)。

摘　　要：在黑盒场景下,现有集合攻击方法的迁移性能有限,大多数方法对整个图像添加扰动,容易破坏平滑背景,降低对抗样本的不可感知性。针对迁移性与不可感知性难以兼顾的问题,提出了一种基于敏感区域的双掩码集合对抗攻击方法。该方法通过融合集合中每个代理模型的敏感区域,并利用硬掩码限制扰动区域。这种局部攻击策略减少了对平滑背景的修改,提高了对抗样本的不可感知性。同时,设计了特征正则化模块,利用软掩码筛选攻击特征,避免攻击陷入局部最优,提高了对抗样本的迁移性。在不同数据集上的实验结果表明,所提方法生成的对抗样本在黑盒模型中的攻击效果和不可感知性优于现有的集合攻击方法。In black-box scenarios,existing ensemble attack methods exhibit limited transferability.Most methods add perturbations to the entire image,which can easily disrupt smooth background regions and reduce the imperceptibility of adversarial examples.To address the challenge of balancing transferability and imperceptibility,a dual-mask ensemble adversarial attack method based on sensitive regions is proposed.This method fuses the sensitive regions of each surrogate model in the ensemble and employs a hard mask to constrain the perturbation region.This local attack strategy reduces modifications to smooth backgrounds,enhancing the imperceptibility of adversarial examples.Additionally,a feature regularization module is designed,utilizing a soft mask to select critical attack features,avoiding local optima and enhancing the transferability of adversarial examples.Experimental results on different datasets show that the proposed method achieves superior attack performance and imperceptibility in black-box models compared to existing ensemble attack methods.

关 键 词：对抗样本 集合攻击 局部攻击 迁移性 不可感知性 

分 类 号：TP309.1[自动化与计算机技术—计算机系统结构]