Journal of Frontiers of Computer Science and Technology



SBA: Black Box Attack Method Based on Sphere Geometric Properties

ZHENG Desheng, TIAN Ye, KE Wuping, LI Xiaoyu, YIN Hao, WANG Cong   

  1. School of Computer Science and Software Engineering, Southwest Petroleum University, Chengdu 610500, China
  2. Kash Institute of Electronics and Information Industry, Kash 844000, China
  3. School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China
  4. School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China
  5. School of Physics, University of Electronic Science and Technology of China, Chengdu 611731, China
  6. Intelligent Policing Key Laboratory of Sichuan Province, Sichuan Police College, Luzhou 646000, China

Abstract: Deep Neural Networks (DNNs) are vulnerable to adversarial examples generated by tiny perturbations, which pose a great threat to DNN-based applications. Decision-based attacks are a class of black-box attacks that rely only on the hard labels predicted by the target model. Current decision-based attack methods usually use gradient estimation to launch attacks near the decision boundary of the target model, but at a high query cost. Therefore, this research proposes a black-box attack method based on the geometric properties of the sphere, called Sphere-based Black-box Attack (SBA). It uses the spatial geometric properties of the sphere to find the optimal adversarial example point, avoids gradient estimation, and produces adversarial examples with a high attack success rate and low quality loss. First, an initial adversarial example is obtained by adding large random noise and performing a linear search. Next, the input sample and the adversarial example are transformed to a two-dimensional frequency space using the discrete cosine transform, and a three-dimensional subspace is sampled using their relative positions. Then, the decision boundary in the frequency space is approximated as a hyperplane, and the geometric properties of the sphere are used to iteratively update to a better adversarial example in the frequency space; this step is repeated for continuous updating. Finally, the inverse discrete cosine transform maps the result back to the input space to obtain the best adversarial example. Experimental results on the ImageNet dataset show that SBA achieves the current best attack success rate, and the PSNR and SSIM results indicate that SBA generates images of better quality.

Key words: adversarial examples, black-box attack, decision-based attack, image processing