信息网络安全 (Netinfo Security) ›› 2020, Vol. 20 ›› Issue (5): 57-64. doi: 10.3969/j.issn.1671-1122.2020.05.007

• Technical Research •

Generating Universal Adversarial Perturbations with Generative Adversarial Networks
(基于生成式对抗网络的通用性对抗扰动生成方法)

LIU Heng, WU Dexin, XU Jian*

  1. Software College, Northeastern University, Shenyang 110169, China
  • Received: 2020-03-28  Online: 2020-05-10  Published: 2020-06-05
  • Corresponding author: XU Jian, E-mail: xuj@mail.neu.edu.cn
  • About the authors: LIU Heng (b. 1994), male, from Henan, master's student; research interest: adversarial machine learning. WU Dexin (b. 1997), male, from Liaoning, master's student; research interest: adversarial machine learning. XU Jian (b. 1978), male, from Liaoning, associate professor, Ph.D.; research interest: information security.
  • Funding: National Natural Science Foundation of China (61872069); Fundamental Research Funds for the Central Universities (N2017012)

Abstract:

Deep neural networks achieve high accuracy in image classification, yet adding a small adversarial perturbation to an input image can reduce classification accuracy sharply. Prior work has shown that for a given classifier and dataset there exists a universal adversarial perturbation: a single perturbation that causes misclassification of most images in the dataset. This paper designs a method that uses a generative adversarial network to produce such universal adversarial perturbations. After training, the generator outputs a universal perturbation; adding it to an original image yields an adversarial example, which is how the attack is carried out. Untargeted, targeted and transferability experiments are conducted on the CIFAR-10 dataset. The results show that the universal perturbation produced by the generator reaches an attack success rate of 89% under a relatively small norm constraint, and that the trained generator can produce a large number of adversarial examples in a short time, which supports research on the robustness of deep neural networks.

Key words: deep neural network, universal adversarial perturbation, generative adversarial network
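To make the mechanism in the abstract concrete, here is an added example in NumPy; it is not the authors' code and not their CIFAR-10 experiment. A generator G(z) = ε·tanh(Wz + b) is trained against a frozen victim classifier so that x + G(z) is misclassified for most inputs x; the tanh enforces the L∞ budget by construction. The untargeted mode does gradient ascent on the victim's cross-entropy with respect to the true labels, the targeted mode does gradient descent on the cross-entropy with respect to a chosen label. Everything beyond that idea is an assumption of the example: the victim is a softmax-regression classifier trained on constructed two-class Gaussian data rather than a deep network, there is no discriminator (the generator is trained directly against the victim's loss), and the names `run`, `train_generator`, `evaluate` and the budget `EPS` are the example's own.

```python
"""Universal adversarial perturbation (UAP) from a generator trained against a
frozen classifier, untargeted and targeted, under an L_inf budget.

Added example, not the paper's code.  Assumptions: the victim is softmax
regression on constructed Gaussian data (the paper attacks a DNN on CIFAR-10);
the generator G(z) = EPS * tanh(W z + b) is trained straight on the victim's
loss, with no discriminator.
"""
import numpy as np

EPS = 1.0                 # L_inf budget per feature (data std is 1.0)
D, K, Z_DIM = 20, 2, 4    # feature dim, classes, latent dim


def make_data(rng, n_per_class=300):
    """Constructed data: class c ~ N((2c-1)*0.5 * ones, I) in D dimensions."""
    xs, ys = [], []
    for c in range(K):
        mean = (2 * c - 1) * 0.5 * np.ones(D)
        xs.append(rng.normal(mean, 1.0, size=(n_per_class, D)))
        ys.append(np.full(n_per_class, c))
    return np.vstack(xs), np.concatenate(ys)


def softmax(logits):
    e = np.exp(logits - logits.max(axis=1, keepdims=True))
    return e / e.sum(axis=1, keepdims=True)


def train_victim(x, y, steps=300, lr=0.1):
    """Softmax regression by gradient descent on cross-entropy; returns (A, c)."""
    A, c = np.zeros((D, K)), np.zeros(K)
    onehot = np.eye(K)[y]
    for _ in range(steps):
        g = softmax(x @ A + c) - onehot        # dCE/dlogits per sample
        A -= lr * x.T @ g / len(x)
        c -= lr * g.mean(axis=0)
    return A, c


def predict(A, c, x):
    return np.argmax(x @ A + c, axis=1)


def generator(W, b, z):
    """G(z) = EPS * tanh(W z + b): the tanh keeps ||G(z)||_inf <= EPS."""
    return EPS * np.tanh(W @ z + b)


def train_generator(A, c, x, y, rng, target=None, steps=500, lr=0.1):
    """Train G so that x + G(z) fools the frozen victim (A, c) for most x.

    target=None: ascent on CE w.r.t. the true labels (untargeted).
    target=t:    descent on CE w.r.t. label t for every sample (targeted).
    The parameter gradient is normalised to unit length so that a confident
    victim (near-zero dCE/d delta) does not stall training.
    """
    W, b = 0.01 * rng.standard_normal((D, Z_DIM)), np.zeros(D)
    labels = y if target is None else np.full(len(y), target)
    onehot = np.eye(K)[labels]
    step_sign = -1.0 if target is None else 1.0   # -1: ascent, +1: descent
    for _ in range(steps):
        z = rng.standard_normal(Z_DIM)
        pre = W @ z + b
        delta = EPS * np.tanh(pre)
        p = softmax((x + delta) @ A + c)
        g_delta = ((p - onehot) @ A.T).mean(axis=0)       # dCE/d delta
        g_pre = g_delta * EPS * (1.0 - np.tanh(pre) ** 2)  # through tanh
        g_W, g_b = np.outer(g_pre, z), g_pre
        norm = np.sqrt((g_W ** 2).sum() + (g_b ** 2).sum()) + 1e-12
        W -= step_sign * lr * g_W / norm
        b -= step_sign * lr * g_b / norm
    return W, b


def evaluate(A, c, x, delta, target=None):
    """Untargeted: fooling rate = share of samples whose prediction changes.
    Targeted: share of samples the victim assigns to `target`."""
    clean, adv = predict(A, c, x), predict(A, c, x + delta)
    return float(np.mean(adv != clean)) if target is None else float(np.mean(adv == target))


def run(seed=0):
    rng = np.random.default_rng(seed)
    x_tr, y_tr = make_data(rng)          # generator is trained on these
    x_te, y_te = make_data(rng)          # held-out set for the attack metrics
    A, c = train_victim(x_tr, y_tr)
    z_eval = rng.standard_normal(Z_DIM)  # one latent draw used for evaluation
    W_u, b_u = train_generator(A, c, x_tr, y_tr, rng)
    W_t, b_t = train_generator(A, c, x_tr, y_tr, rng, target=1)
    delta_u, delta_t = generator(W_u, b_u, z_eval), generator(W_t, b_t, z_eval)
    return {
        "clean_acc": float(np.mean(predict(A, c, x_te) == y_te)),
        "linf_untargeted": float(np.abs(delta_u).max()),
        "fooling_rate": evaluate(A, c, x_te, delta_u),
        "targeted_success": evaluate(A, c, x_te, delta_t, target=1),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {value:.3f}")
```

Because the victim here is linear, one additive δ can only push the points on one side of the decision boundary across it, so the untargeted fooling rate is capped near the share of one class (about 50%) while the targeted success rate approaches 100%. The 89% figure in the abstract is obtained against a nonlinear deep network on CIFAR-10, whose decision-boundary geometry lets a single direction fool most inputs; replacing the victim with a network changes only `train_victim` and the computation of dCE/dδ, not the generator or the norm constraint.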
