感知相似的图像分类对抗样本生成模型

doi:10.3778/j.issn.1673-9418.1912062

摘要/Abstract

摘要：

现有基于生成器的对抗样本生成模型相比基于迭代修改原图的算法可有效降低对抗样本的构造时间，但其生成的对抗样本与原图在感知上具有明显差异，人眼易察觉。该模型旨在增加对抗样本与原图在人眼观察感知上的相似性，并保证攻击成功率。模型将对抗样本生成的过程视为对原图进行图像增强的操作，引入生成对抗网络，并改进感知损失函数以增加对抗样本与原图在内容与特征空间上的相似性，采用多分类器损失函数优化训练从而提高攻击效率。实验结果表明，相比其他基于生成器的对抗样本生成模型，该模型有效提高了对抗样本与原图的结构相似性指标，并且攻击成功率未出现下降。说明在保持攻击成功率的同时，该模型可有效提高人眼观察下对抗样本与原图的相似性。

关键词: 对抗攻击, 生成对抗网络（GAN）, 感知内容损失, 对抗样本, 深度神经网络（DNN）

Abstract:

The existing generator-based adversarial example generation model can effectively reduce the construction time of an adversarial example compared to the algorithms based on iterative original image modification, but the obvious differences between generated adversarial example and original image are noticeable in human perception. This model aims to increase the similarity between the adversarial example and the original image in human per-ception, while maintaining the fooling ratio. The model considers adversarial example generation process as image enhancement to the original image, introduces generative adversarial network, and improves perceptual loss func-tion to increase the similarity between adversarial example and original image in content and latent space. It also uses multi-classifier loss function to train the generator so that it can improve attack efficiency. The experimental results show that compared with other generator-based models, this model effectively improves the structural simi-larity index between the adversarial example and the original one, and the fooling ratio does not decrease. It shows that while maintaining the fooling ratio, this model can effectively improve the similarity between adversarial exa-mple and original image in human perception.

Key words: adversarial attack, generative adversarial networks (GAN), perceptual loss, adversarial example, deep neural networks (DNN)

李俊杰，王茜. 感知相似的图像分类对抗样本生成模型[J]. 计算机科学与探索, 2020, 14(11): 1930-1942.

LI Junjie, WANG Qian. Perceptually Similar Image Classification Adversarial Example Generation Model[J]. Journal of Frontiers of Computer Science and Technology, 2020, 14(11): 1930-1942.

参考文献

[1] Krizhevsky A, Sutskever I, Hinton G E. Imagenet classifica-tion with deep convolutional neural networks[J]. Communi-cations of the ACM, 2017, 60(6): 84-90.
[2] Collobert R, Weston J. A unified architecture for natural lan-guage processing: deep neural networks with multitask lear-ning[C]//Proceedings of the 25th International Conference on Machine Learning, Helsinki, Jul 5-9, 2008. New York: ACM, 2008: 160-167.
[3] Hinton G, Deng L, Yu D, et al. Deep neural networks for acoustic modeling in speech recognition: the shared views of four research groups[J]. IEEE Signal Processing Magazine, 2012, 29(6): 82-97.
[4] Eykholt K, Evtimov I, Fernandes E, et al. Robust physical-world attacks on deep learning models[J]. arXiv:1707.08945, 2017.
[5] Carlini N, Wagner D A. Towards evaluating the robustness of neural networks[C]//Proceedings of the 2017 IEEE Sym-posium on Security and Privacy, San Jose, May 22-26, 2017. Washington: IEEE Computer Society, 2017: 39-57.
[6] Xiao C W, Zhu J Y, Li B, et al. Spatially transformed adver-sarial examples[J]. arXiv:1801.02612, 2018.
[7] Bhattad A, Chong M J, Liang K Z, et al. Big but imperceptible adversarial perturbations via semantic manipulation[J]. arXiv:1904.06347, 2019.
[8] Poursaeed O, Katsman I, Gao B C, et al. Generative adver-sarial perturbations[C]//Proceedings of the 2018 IEEE Con-ference on Computer Vision and Pattern Recognition, Salt Lake City, Jun 18-23, 2018. Washington: IEEE Computer Society, 2018: 4422-4431.
[9] Szegedy C, Zaremba W, Sutskever I, et al. Intriguing pro-perties of neural networks[J]. arXiv:1312.6199, 2013.
[10] Papernot N, McDaniel P D, Jha S, et al. The limitations of deep learning in adversarial settings[C]//Proceedings of the 2016 IEEE European Symposium on Security and Privacy, Saar-brücken, Mar 21-24, 2016. Piscataway: IEEE, 2016: 372-387.
[11] Moosavi-Dezfooli S M, Fawzi A, Frossard P. Deepfool: a simple and accurate method to fool deep neural networks[C]//Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, Jun 27-30, 2016. Washington: IEEE Computer Society, 2016: 2574-2582.
[12] Goodfellow I J, Shlens J, Szegedy C. Explaining and harne-ssing adversarial examples[J]. arXiv:1412.6572, 2014.
[13] Zhao Z, Dua D, Singh S. Generating natural adversarial exa-mples[J]. arXiv:1710.11342, 2017.
[14] Wang Z, Bovik A C, Lu L G. Why is image quality assess-ment so difficult?[C]//Proceedings of the 2002 IEEE Inter-national Conference on Acoustics, Speech, and Signal Pro-cessing, Orlando, May 13-17, 2002. Piscataway: IEEE, 2002: 3313-3316.
[15] Goodfellow I J, Pouget-Abadie J, Mirza M M, et al. Genera-tive adversarial nets[C]//Proceedings of the 2014 Annual Conference on Neural Information Processing Systems, Mon-treal, Dec 8-13, 2014. Red Hook: Curran Associates, 2014: 2672-2680.
[16] He K M, Zhang X Y, Ren S Q, et al. Deep residual learning for image recognition[C]//Proceedings of the 2016 IEEE Con-ference on Computer Vision and Pattern Recognition, Las Vegas, Jun 27-30, 2016. Washington: IEEE Computer Society, 2016: 770-778.
[17] Ledig C, Theis L, Huszár F, et al. Photo-realistic single image super-resolution using a generative adversarial network[C]//Proceedings of the 30th IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, Jul 21-26, 2017. Washington: IEEE Computer Society, 2017: 105-114.
[18] Wang X T, Yu K, Wu S X, et al. ESRGAN: enhanced super-resolution generative adversarial networks[C]//LNCS 11133: Proceedings of the 2018 European Conference on Computer Vision, Munich, Sep 8-14, 2018. Berlin, Heidelberg: Springer, 2019: 63-79.
[19] Mahendran A, Vedaldi A. Understanding deep image repre-sentations by inverting them[C]//Proceedings of the 2015 IEEE Conference on Computer Vision and Pattern Recogni-tion, Boston, Jun 7-12, 2015. Washington: IEEE Computer Society, 2015: 5188-5196.
[20] Bau D, Zhou B L, Khosla A, et al. Network dissection: quantifying interpretability of deep visual representations[C]//Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, Jul 21-26, 2017. Washington: IEEE Computer Society, 2017: 3319-3327.
[21] Hochreiter S, Bengio Y, Frasconi P, et al. Gradient flow in recurrent nets: the difficulty of learning long-term depende-ncies[M]//Kolen J F, Kremer S C A. Field Guide to Dyna-mical Recurrent Networks. Piscataway: IEEE, 2001: 237-243.
[22] Pascanu R, Mikolov T, Bengio Y. On the difficulty of training recurrent neural networks[C]//Proceedings of the 30th Inter-national Conference on Machine Learning, Atlanta, Jun 16-21, 2013: 1310-1318.
[23] Sharma A, Al Haj M, Choi J, et al. Robust pose invariant face recognition using coupled latent space discriminant ana-lysis[J]. Computer Vision and Image Understanding, 2012, 116(11): 1095-1110.
[24] Le Y, Yang X. Tiny ImageNet visual recognition challenge: CS 231N[R]. Stanford, 2015.