基于集成advGAN的黑盒迁移对抗攻击

doi:10.13229/j.cnki.jdxbgxb20210891

吉林大学学报(工学版) ›› 2022, Vol. 52 ›› Issue (10): 2391-2398.doi: 10.13229/j.cnki.jdxbgxb20210891

• 计算机科学与技术 • 上一篇

基于集成advGAN的黑盒迁移对抗攻击

黄帅娜^1,²(),李玉祥^1,²,毛岳恒^1,²,班爱莹^1,²,张志勇^1,²()

^1.河南科技大学信息工程学院，河南洛阳 471023
^2.河南科技大学河南省网络空间安全应用国际联合实验室，河南洛阳 471023

收稿日期:2021-09-08 出版日期:2022-10-01 发布日期:2022-11-11
通讯作者: 张志勇 E-mail:205400000024@stu.haust.edu.cn;xidianzzy@126.com
作者简介:黄帅娜（1987-），女，博士研究生.研究方向：网络信息安全，敏感信息检测.E-mail： 205400000024@stu.haust.edu.cn
基金资助:
国家自然科学基金项目(61972133);河南省中原千人计划中原科技创新领军人才项目(204200510021);河南省重点科技攻关项目(192102210130);河南省高等学校重点科研项目(19B520008)

Black-box transferable adversarial attacks based on ensemble advGAN

Shuai-na HUANG^1,²(),Yu-xiang LI^1,²,Yue-heng MAO^1,²,Ai-ying BAN^1,²,Zhi-yong ZHANG^1,²()

^1.School of Information Engineering，Henan University of Science and Technology，Luoyang 471023，China
^2.Henan International Joint Laboratory for Cyberspace Security Applications，Henan University of Science and Technology，Luoyang 471023，China

Received:2021-09-08 Online:2022-10-01 Published:2022-11-11
Contact: Zhi-yong ZHANG E-mail:205400000024@stu.haust.edu.cn;xidianzzy@126.com

摘要/Abstract

摘要：

针对传统advGAN方法可高效地生成高保真度的对抗样本，但advGAN容易过拟合于原始样本空间流形导致迁移性变差的问题，，提出了一种集成advGAN的方法。在生成对抗网络中添加由多个分类模型的logits集成构成目标分类模型，汇聚所有模型输出的期望，着力降低过拟合现象，使得生成的对抗样本迁移性强且保真度高。在MNIST数据集上，使用集成advGAN方法生成的对抗样本迁移攻击成功率平均提高了6%，最高可达43.9%，在CIFAR-10数据集上，对抗样本迁移攻击成功率平均提高了7.6%，最高可达75.62%，且PSNR比起传统advGAN有提升。实验结果表明：集成advGAN方法可以生成具备更高对抗迁移性的高保真对抗样本。

关键词: 对抗样本, 迁移性, advGAN, 对抗攻击, 深度学习

Abstract:

The traditional advGAN method can efficiently generate adversarial samples with high fidelity， but advGAN tends to overfit the original sample spatial manifold， resulting in poor transferability. To address this defect， an approach based on ensemble generative adversarial networks was proposed. Generating adversarial examples with high fidelity and high attack success rate in real-time is available according to previous approach based on generative adversarial networks， however it lacks the adversarial transferability. For generating transferable adversarial examples in real-time， an ensemble training strategywas proposed for adversarial transferability improvement. By using the expectation of an ensemble of substitute models， the generative network generates adversarial examples with better transferability and still holds good fidelity. The experiment result shows that the proposed approach： On MNIST datasets， the transferable attack success rate increases by 6% on average， up to 43.9%； On CIFAR-10 datasets， the transferable attack success rate increases by 7.6% on average， up to 75.62%；The PSNR increases slightly on both datasets. The experimental evidence indicates that the proposed ensemble advGAN method generates adversarial examples with higher transferability and fidelity in real time comparing with normal advGAN.

Key words: adversarial examples, transferability, advGAN, adversarial attacks, deep learning

中图分类号:

TP391

黄帅娜,李玉祥,毛岳恒,班爱莹,张志勇. 基于集成advGAN的黑盒迁移对抗攻击[J]. 吉林大学学报(工学版), 2022, 52(10): 2391-2398.

Shuai-na HUANG,Yu-xiang LI,Yue-heng MAO,Ai-ying BAN,Zhi-yong ZHANG. Black-box transferable adversarial attacks based on ensemble advGAN[J]. Journal of Jilin University(Engineering and Technology Edition), 2022, 52(10): 2391-2398.

图/表 8

图1

表1

表2

表3

图2

图3

表4

表5

参考文献 25

1	Guo J Z, Zhu X Y, Zhao C X, et al. Learning meta face recognition in unseen domains[C]∥Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Seattle, USA, 2020: 6163-6172.
2	Tang T A, Mhamdi L, Mclernon D, et al. Deep learning approach for network intrusion detection in software defined networking[C]∥Proceedings of the International Conference on Wireless Networks & Mobile Communications, Fez, Morocco, 2016: 258-263.
3	Yurtsever E, Lambert J, Carballo A, et al. A survey of autonomous driving:common practices and emerging technologies[J]. IEEE Access, 2019, 8: 58443- 58469.
4	Devlin J, Chang M W, Lee K, et al. BERT: pretraining of deep bidirectional transformers for language understanding[C]∥Proceedings of Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Minneapolis,USA, 2019: 4171-4186.
5	Kurakin A, Goodfellow I J, Bengio S. Adversarial machine learning at scale[C]∥Proceedings of the 5th International Conference on Learning Representations, Toulon, France, 2017: 1-17.
6	Moosavi-Dezfooli S M, Fawzi A, Frossard P. DeepFool: a simple and accurate method to fool deep neural networks[C]∥Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 2574-2582.
7	Moosavi-Dezfooli S M, Fawzi A, Fawzi O, et al. Universal adversarial perturbations[C]∥Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, USA, 2017: 86-94.
8	陈阳, 王勇. 绿色云计算环境中基于温度感知的虚拟机迁移策略[J]. 重庆邮电大学学报:自然科学版, 2020, 32(2): 192-199.
	Chen Yang, Wang Yong. Temperature-aware virtual machine migration strategy for green cloud computing environments[J]. Journal of Chongqing University of Posts and Telecommunications (Natural Science Edition), 2020, 32(2): 192-199.
9	Dong Y, Pang T, Su H, et al. Evading defenses to transferable adversarial examples by translation invariant attacks[C]∥Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Long Beach, USA, 2019: 4307-4316.
10	Xiao C, Li B, Zhu J Y, et al. Generating adversarial examples with adversarial networks[C]∥Proceedings of IJCAI International Joint Conference on Artificial Intelligence, Stockholm, Sweden, 2018: 3905-3911.
11	Szegedy C, Zaremba W, Sutskever I, et al. Intriguing properties of neural networks[C]∥ Proceedings of the 2nd International Conference on Learning Representations, Banff, Canada, 2014.
12	Carlini N, Wagner D. Towards evaluating the robustness of neural networks[C]∥Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), San Jose, USA, 2017: 39-57.
13	Goodfellow I J, Shlens J, Szegedy C. Explaining and harnessing adversarial examples[C]∥Proceedings of the 3rd International Conference on Learning Representations, DiegoSan, USA, 2015: 1-11.
14	Kurakin A, Goodfellow I J, Bengio S. Adversarial examples in the physical world[C]∥Proceedings of the 5th International Conference on Learning Representations, Toulon, France, 2016: 1-14.
15	Baluja S, Fischer I. Adversarial transformation networks: Learning to generate adversarial examples[C]∥Proceedings of the 5th International Conference on Learning Representations, Toulon, France, 2017.
16	Peng X, Xian H, Lu Q, et al. Semantics aware adversarial malware examples generation for black-box attacks[J]. Applied Soft Computing, 2021, 109: No. 107506
17	Papernot N, Mcdaniel P, Goodfellow I, et al. Practical Black-Box attacks against machine learning[C]∥Proceedings of the ACM on Asia Conference on Computer and Communications Security, Abu Dhabi, United Arab Emirates, 2017: 506-519.
18	Dong Y, Liao F, Pang T, et al. Boosting adversarial attacks with momentum[C]∥Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Salt Lake City, USA, 2018: 9185-9193.
19	Xie C, Zhang Z, Zhou Y, et al. Improving transferability of adversarial examples with input diversity[C]∥Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Long Beach, USA, 2019: 2725-2734.
20	王超, 魏祥麟, 田青, 等. 基于特征梯度的调制识别深度网络对抗攻击方法[J]. 计算机科学, 2021, 48(7): 25-32.
	Wang Chao, Wei Xiang-lin, Tian Qing, et al. Feature gradient-based adversarial attack on modulation recognition oriented deep neural networks[J]. Computer Science, 2021, 48(7): 25-32.
21	陈晓楠, 胡建敏, 张本俊, 等. 基于模型间迁移性的黑盒对抗攻击起点提升方法[J]. 计算机工程, 2021, 47(8): 162-169.
	Chen Xiao-nan, Hu Jian-min, Zhang Ben-jun, et al. Black box adversarial attack starting point promotion method based on mobility between models[J]. Computer Engineering, 2021, 47(8): 162-169.
22	廖俊帆, 顾益军, 张培晶, 等. 端到端说话人辨认的对抗样本应用比较研究[J]. 计算机工程, 2021, 47(6): 132-141.
	Liao Jun-fan, Gu Yi-jun, Zhang Pei-jing, et al. Comparative research on application of adversarial samples for end-to-end speaker identification[J]. Computer Engineering, 2021, 47(6): 132-141.
23	宋娟, 潘欢, 马晓. 带安全检测的云数据中心虚拟机迁移策略[J]. 重庆邮电大学学报:自然科学版, 2021, 33(2): 311-318.
	Song Juan, Pan Huan, Ma Xiao. A virtual machine migration strategy with secure checking for cloud data centers[J]. Journal of Chongqing University of Posts and Telecommunications (Natural Science Edition), 2021, 33(2): 311-318.
24	Inkawhich N, Wen W, Li H H, et al. Feature space perturbations yield more transferable adversarial examples[C]∥Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition, Long Beach, USA, 2019: 7059-7067.
25	吴建, 许镜, 丁韬. 基于集成迁移学习的细粒度图像分类算法[J]. 重庆邮电大学学报:自然科学版, 2020, 32(3): 452-458.
	Wu Jian, Xu Jing, Ding Tao. Fine-grained image classification algorithm based on ensemble methods of transfer learning[J]. Journal of Chongqing University of Posts and Telecommunications (Natural Science Edition), 2020, 32(3): 452-458.

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed

网络层结构	卷积核	步长	输出	使用IN操作	使用BN操作	使用激活函数
Conv1	3×3	1	［8，28，28］	是	否	ReLu
Conv2	3×3	2	［16，14，14］	是	否	ReLu
Conv3	3×3	2	［32，7，7］	是	否	ReLu
Conv4	3×3	1	［32，7，7］	是	否	ReLu
Conv5	3×3	2	［32，7，7］	否	是	否
Conv6	3×3	1	［32，7，7］	否	是	ReLu
Conv7	3×3	2	［32，7，7］	否	是	否
Conv8	3×3	1	［32，7，7］	否	是	ReLu
Conv9	3×3	2	［32，7，7］	否	是	否
Conv10	3×3	1	［32，7，7］	否	是	ReLu
Conv11	3×3	2	［32，7，7］	否	是	否
Unsampling1	3×3	1	［16，14，14］	是	否	ReLu
Unsamplng2	3×3	1	［8，28，28］	是	否	ReLu
Conv12	3×3	1	［1，28，28］	是	否	否

网络层结构	卷积核	步长	输出	使用IN操作	使用BN操作	使用激活函数
Conv1	4×4	2	［8，14，14］	否	是	Leaky ReLu
Conv2	4×4	2	［16，7，7］	是	否	Leaky ReLu
Conv3	4×4	2	［32，3，3］	是	否	Leaky ReLu
Fc	—	—	1	否	是	Sigmoid

模型A	模型B	模型C
Conv（64，5，5）+Relu	Dropout（0.2）	Conv（32，3，3）+Relu
Conv（64，5，5）+Relu	Conv（64，8，8）+Relu	Conv（32，3，3）+Relu
Dropout（0.25）	Conv（128，6，6）+Relu	MaxPooling（2，2）
FC（128）+Relu	Conv（128，5，5）+Relu	Conv（64，3，3）+Relu
Dropout（0.5）	Dropout（0.5）	Conv（64，3，3）+Relu
FC（10）+Softmax	FC（10）+Softmax	MaxPooling（2，2）
		FC（200）+Relu
		FC（200）+Relu
		FC（10）+Softmax

方法	Target model	A	B	C	方法	Target model	Wide?Resnet	Resnet
advGAN	A	-	34.7	4.6	advGAN	Wide?Resnet	-	62.21
	B	1.7	-	1.2		ResNet	48.10	-
	C	20.6	25.3	-		ResNet	48.10	-
集成advGAN	ensA	-	41	6.7	集成advGAN	ensWide?Resnet	-	75.62
	ensB	1.8	-	1.2		ensResnet	48.29	-
	ensC	39.3	43.9	-		ensResnet	48.29	-

方法	MNIST	CIFAR?10
AdvGAN	27.66	30.17
集成AdvGAN	28.24	30.19

基于集成advGAN的黑盒迁移对抗攻击

Black-box transferable adversarial attacks based on ensemble advGAN

RICH HTML

PDF (PC)

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 25

相关文章 15

Metrics

本文评价

推荐阅读 0

[1]	高金武,贾志桓,王向阳,邢浩. 基于PSO-LSTM的质子交换膜燃料电池退化趋势预测[J]. 吉林大学学报(工学版), 2022, 52(9): 2192-2202.
[2]	李晓英,杨名,全睿,谭保华. 基于深度学习的不均衡文本分类方法[J]. 吉林大学学报(工学版), 2022, 52(8): 1889-1895.
[3]	申铉京,张雪峰,王玉,金玉波. 像素级卷积神经网络多聚焦图像融合算法[J]. 吉林大学学报(工学版), 2022, 52(8): 1857-1864.
[4]	胡丹,孟新. 基于时变网格的对地观测卫星搜索海上船舶方法[J]. 吉林大学学报(工学版), 2022, 52(8): 1896-1903.
[5]	高明华,杨璨. 基于改进卷积神经网络的交通目标检测方法[J]. 吉林大学学报(工学版), 2022, 52(6): 1353-1361.
[6]	欧阳继红,郭泽琪,刘思光. 糖尿病视网膜病变分期双分支混合注意力决策网络[J]. 吉林大学学报(工学版), 2022, 52(3): 648-656.
[7]	宋林,王立平,吴军,关立文,刘知贵. 基于信息物理融合和数字孪生的可靠性分析[J]. 吉林大学学报(工学版), 2022, 52(2): 439-449.
[8]	曹洁,马佳林,黄黛麟,余萍. 一种基于多通道马尔可夫变迁场的故障诊断方法[J]. 吉林大学学报(工学版), 2022, 52(2): 491-496.
[9]	刘桂霞,裴志尧,宋佳智. 基于深度学习的蛋白质⁃ATP结合位点预测[J]. 吉林大学学报(工学版), 2022, 52(1): 187-194.
[10]	曲优,李文辉. 基于锚框变换的单阶段旋转目标检测方法[J]. 吉林大学学报(工学版), 2022, 52(1): 162-173.
[11]	张杰,景雯,陈富. 基于被动分簇算法的即时通信网络协议漏洞检测[J]. 吉林大学学报(工学版), 2021, 51(6): 2253-2258.
[12]	董丽丽,杨丹,张翔. 基于深度学习的大规模语义文本重叠区域检索[J]. 吉林大学学报(工学版), 2021, 51(5): 1817-1822.
[13]	金立生,郭柏苍,王芳荣,石健. 基于改进YOLOv3的车辆前方动态多目标检测算法[J]. 吉林大学学报(工学版), 2021, 51(4): 1427-1436.
[14]	兰凤崇,李继文,陈吉清. 面向动态场景复合深度学习与并行计算的DG-SLAM算法[J]. 吉林大学学报(工学版), 2021, 51(4): 1437-1446.
[15]	李锦青,周健,底晓强. 基于循环生成对抗网络的学习型光学图像加密方案[J]. 吉林大学学报(工学版), 2021, 51(3): 1060-1066.