Journal of Jilin University (Engineering and Technology Edition), 2022, Vol. 52, Issue 10: 2391-2398. doi: 10.13229/j.cnki.jdxbgxb20210891


Black-box transferable adversarial attacks based on ensemble advGAN

Shuai-na HUANG (1,2), Yu-xiang LI (1,2), Yue-heng MAO (1,2), Ai-ying BAN (1,2), Zhi-yong ZHANG (1,2)

  1. School of Information Engineering, Henan University of Science and Technology, Luoyang 471023, China
  2. Henan International Joint Laboratory for Cyberspace Security Applications, Henan University of Science and Technology, Luoyang 471023, China
  • Received: 2021-09-08; Online: 2022-10-01; Published: 2022-11-11
  • Contact: Zhi-yong ZHANG, E-mail: 205400000024@stu.haust.edu.cn; xidianzzy@126.com

Abstract:

The conventional advGAN method generates adversarial examples with high fidelity and a high attack success rate in real time, but its generator tends to overfit the spatial manifold of the original samples, so the generated examples transfer poorly to models other than the one the generator was trained against. To generate transferable adversarial examples in real time, an ensemble training strategy is proposed: the generator is trained against the expected adversarial loss over an ensemble of substitute models rather than against a single substitute, which yields adversarial examples with better transferability while preserving fidelity. Experiments show that, on MNIST, the transfer attack success rate increases by 6 percentage points on average, reaching up to 43.9%; on CIFAR-10, it increases by 7.6 percentage points on average, reaching up to 75.62%; and PSNR rises slightly on both datasets. The evidence indicates that ensemble advGAN generates adversarial examples with higher transferability and fidelity in real time than standard advGAN.

Key words: adversarial examples, transferability, advGAN, adversarial attacks, deep learning

CLC Number: TP391

Fig. 1 Overall framework of ensemble advGAN

Table 1 Network structure of the generator (MNIST input 1×28×28; output shape given as [channels, height, width]; the instance-norm/batch-norm usage columns are not recoverable from this page)

Layer        | Kernel | Stride | Output      | Activation
Conv1        | 3×3    | 1      | [8,28,28]   | ReLU
Conv2        | 3×3    | 2      | [16,14,14]  | ReLU
Conv3        | 3×3    | 2      | [32,7,7]    | ReLU
Conv4        | 3×3    | 1      | [32,7,7]    | ReLU
Conv5        | 3×3    | 2      | [32,7,7]    | none
Conv6        | 3×3    | 1      | [32,7,7]    | ReLU
Conv7        | 3×3    | 2      | [32,7,7]    | none
Conv8        | 3×3    | 1      | [32,7,7]    | ReLU
Conv9        | 3×3    | 2      | [32,7,7]    | none
Conv10       | 3×3    | 1      | [32,7,7]    | ReLU
Conv11       | 3×3    | 2      | [32,7,7]    | none
Upsampling1  | 3×3    | 1      | [16,14,14]  | ReLU
Upsampling2  | 3×3    | 1      | [8,28,28]   | ReLU
Conv12       | 3×3    | 1      | [1,28,28]   | none

Table 2 Network structure of the discriminator (output shape given as [channels, height, width])

Layer  | Kernel | Stride | Output     | Activation
Conv1  | 4×4    | 2      | [8,14,14]  | Leaky ReLU
Conv2  | 4×4    | 2      | [16,7,7]   | Leaky ReLU
Conv3  | 4×4    | 2      | [32,3,3]   | Leaky ReLU
Fc1    | -      | -      | -          | Sigmoid

Table 3 Network structure of the target models (layers listed top to bottom; Conv(filters, kernel height, kernel width))

Model A:
  Conv(64,5,5)+ReLU
  Conv(64,5,5)+ReLU
  Dropout(0.25)
  FC(128)+ReLU
  Dropout(0.5)
  FC(10)+Softmax

Model B:
  Dropout(0.2)
  Conv(64,8,8)+ReLU
  Conv(128,6,6)+ReLU
  Conv(128,5,5)+ReLU
  Dropout(0.5)
  FC(10)+Softmax

Model C:
  Conv(32,3,3)+ReLU
  Conv(32,3,3)+ReLU
  MaxPooling(2,2)
  Conv(64,3,3)+ReLU
  Conv(64,3,3)+ReLU
  MaxPooling(2,2)
  FC(200)+ReLU
  FC(200)+ReLU
  FC(10)+Softmax

Fig. 2 Comparison of adversarial examples generated by normal advGAN and ensemble advGAN

Fig. 3 Comparison of adversarial examples generated by normal advGAN and ensemble advGAN

Table 4 Transfer attack success rate (%) of adversarial examples generated by ensemble advGAN and normal advGAN ("-" marks the white-box case, where the evaluated model is the one the generator was trained against)

MNIST (models A, B, C of Table 3):

Method           | Target model | A    | B    | C
advGAN           | A            | -    | 34.7 | 4.6
advGAN           | B            | 1.7  | -    | 1.2
advGAN           | C            | 20.6 | 25.3 | -
ensemble advGAN  | ensA         | -    | 41   | 6.7
ensemble advGAN  | ensB         | 1.8  | -    | 1.2
ensemble advGAN  | ensC         | 39.3 | 43.9 | -

CIFAR-10:

Method           | Target model   | Wide-ResNet | ResNet
advGAN           | Wide-ResNet    | -           | 62.21
advGAN           | ResNet         | 48.10       | -
ensemble advGAN  | ensWide-ResNet | -           | 75.62
ensemble advGAN  | ensResNet      | 48.29       | -
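The two quantities behind the abstract and Table 4 are the adversarial loss taken as an expectation over an ensemble of substitute models, and the transfer success rate obtained by crafting against substitutes and scoring on a model never used for crafting. The numpy script below is an added illustration, not code from the paper or its authors: it implements the ensemble-mean cross-entropy loss with its gradient, a projected sign-gradient attack that raises that loss, the transfer-rate measurement, and PSNR as the fidelity measure of Table 5. Everything it assumes is its own: substitute and target models are softmax-regression classifiers on constructed Gaussian-blob data in [0, 1] rather than the CNNs of Table 3, the perturbation is optimised directly instead of being produced by the advGAN generator, and the function names, the ε = 0.1 budget and the step sizes are hypothetical choices for the example.

```python
"""Ensemble-expectation adversarial loss, transfer rate and PSNR on toy data.
Added illustration, not the paper's code: substitutes and target are
softmax-regression models on constructed blob data in [0, 1], and the
perturbation is optimised directly instead of emitted by a generator."""
import numpy as np

def softmax(z):
    z = z - z.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)

def predict_proba(model, x):
    w, b = model  # w: (classes, dim), b: (classes,)
    return softmax(x @ w.T + b)

def ce_loss(model, x, y):
    """Per-sample cross-entropy of the true label under one model."""
    p = predict_proba(model, x)
    return -np.log(p[np.arange(len(y)), y])

def ce_grad_x(model, x, y):
    """d(cross-entropy)/dx for softmax regression: (p - onehot(y)) @ W."""
    w, _ = model
    p = predict_proba(model, x)
    p[np.arange(len(y)), y] -= 1.0
    return p @ w

def ensemble_loss(models, x, y):
    """Adversarial loss in expectation over the substitute ensemble."""
    return np.mean([ce_loss(m, x, y) for m in models], axis=0)

def ensemble_grad_x(models, x, y):
    return np.mean([ce_grad_x(m, x, y) for m in models], axis=0)

def ensemble_attack(models, x, y, eps=0.1, alpha=0.01, steps=20):
    """Untargeted L_inf attack that raises the ensemble-mean loss: follow
    the sign of the ensemble gradient, then project back into the eps-ball
    around x and into the valid pixel range [0, 1]."""
    x_adv = x.copy()
    for _ in range(steps):
        x_adv = x_adv + alpha * np.sign(ensemble_grad_x(models, x_adv, y))
        x_adv = np.clip(x_adv, x - eps, x + eps)
        x_adv = np.clip(x_adv, 0.0, 1.0)
    return x_adv

def attack_success_rate(model, x_clean, x_adv, y):
    """Share of samples the model got right on x_clean but wrong on x_adv.
    Scoring a model never used for crafting gives one transfer-matrix
    cell.  Returns 0.0 if the model got nothing right to begin with."""
    pred_clean = predict_proba(model, x_clean).argmax(axis=1)
    pred_adv = predict_proba(model, x_adv).argmax(axis=1)
    ok = pred_clean == y
    if not ok.any():
        return 0.0
    return float(np.mean(pred_adv[ok] != y[ok]))

def psnr(x_clean, x_adv, peak=1.0):
    """Fidelity in dB for data in [0, peak]; inf when identical."""
    mse = np.mean((x_clean - x_adv) ** 2)
    return float("inf") if mse == 0 else float(10 * np.log10(peak**2 / mse))

def train_softmax_regression(x, y, n_classes, seed, lr=0.5, epochs=300):
    """Plain gradient descent on mean cross-entropy."""
    rng = np.random.default_rng(seed)
    w = rng.normal(scale=0.01, size=(n_classes, x.shape[1]))
    b = np.zeros(n_classes)
    onehot = np.eye(n_classes)[y]
    for _ in range(epochs):
        err = (softmax(x @ w.T + b) - onehot) / len(y)
        w -= lr * err.T @ x
        b -= lr * err.sum(axis=0)
    return w, b

def make_data(centers, n_per_class, seed):
    """Constructed data: one Gaussian blob per class, clipped to [0, 1]."""
    rng = np.random.default_rng(seed)
    x = np.concatenate([c + rng.normal(scale=0.08, size=(n_per_class, len(c)))
                        for c in centers])
    y = np.repeat(np.arange(len(centers)), n_per_class)
    return np.clip(x, 0.0, 1.0), y

def transfer_demo(seed=0, n_classes=3, dim=16):
    """Craft on one substitute and on a three-model ensemble, then score
    both on a held-out target trained on its own data shard."""
    centers = np.random.default_rng(seed).uniform(0.2, 0.8, (n_classes, dim))
    subs = [train_softmax_regression(*make_data(centers, 100, seed + k),
                                     n_classes, seed + k) for k in range(3)]
    target = train_softmax_regression(*make_data(centers, 100, seed + 10),
                                      n_classes, seed + 10)
    x, y = make_data(centers, 50, seed + 20)
    x_single, x_ens = ensemble_attack(subs[:1], x, y), ensemble_attack(subs, x, y)
    return {"single_white_box": attack_success_rate(subs[0], x, x_single, y),
            "single_transfer": attack_success_rate(target, x, x_single, y),
            "ensemble_transfer": attack_success_rate(target, x, x_ens, y),
            "psnr_ensemble": psnr(x, x_ens)}

if __name__ == "__main__":
    for k, v in transfer_demo().items():
        print(f"{k:18s} {v:.2f}")
```

With linear substitutes trained on shards of one distribution, the single-model and ensemble perturbations differ little; the transfer gap reported in Table 4 depends on diverse non-linear substitutes, which this toy setting does not reproduce. What the script does show is the cost structure of the method: the ensemble gradient is the mean of per-model gradients, so each training step costs one forward and backward pass per substitute, a price paid at training time in exchange for a generator that afterwards produces transferable examples in a single forward pass.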

Table 5 PSNR (dB) of adversarial examples generated by different methods

Method           | MNIST | CIFAR-10
advGAN           | 27.66 | 30.17
ensemble advGAN  | 28.24 | 30.19