基于空间及能量维度的黑盒对抗样本生成方法

doi:10.3969/j.issn.1671-1122.2021.03.009

信息网络安全 ›› 2021, Vol. 21 ›› Issue (3): 72-78.doi: 10.3969/j.issn.1671-1122.2021.03.009

基于空间及能量维度的黑盒对抗样本生成方法

于克辰¹(), 郭莉², 姚萌萌²

1.信息工程大学,郑州 450001
2.江南计算技术研究所,无锡 214063

收稿日期:2020-09-21 出版日期:2021-03-10 发布日期:2021-03-16
通讯作者: 于克辰 E-mail:305810944@qq.com
作者简介:于克辰（1995—）,男,辽宁,硕士研究生,主要研究方向为神经网络对抗样本、信息安全|郭莉（1978—）,女,湖南,高级工程师,硕士,主要研究方向为信息安全|姚萌萌（1982—）,男,山东,工程师,博士,主要研究方向为信息安全
基金资助:
国家自然科学基金(91430214);核高基重大专项(2017ZX01028101)

The Generation of Black Box Adversarial Sample Based on Spatial and Energy Dimension

YU Kechen¹(), GUO Li², YAO Mengmeng²

1. Information Engineering University, Zhengzhou 450001, China
2. Jiangnan Institute of Computing Technology, Wuxi 214063, China

Received:2020-09-21 Online:2021-03-10 Published:2021-03-16
Contact: YU Kechen E-mail:305810944@qq.com

摘要/Abstract

摘要：

神经网络在图像识别领域发挥着重要作用,但其会被对抗样本干扰,出现识别错误的情况。经典的对抗样本生成方法在约束变量和衡量指标上有局限性,因此,文章提出一种以余弦相似度为约束的基于空间及能量维度的对抗样本生成方法。该方法在空间维度对原始样本进行平移和旋转,并在能量维度叠加一定强度的高斯噪声,进而生成对抗样本。空间维度的旋转平移及能量维度的噪声在图片生成、传输、处理过程中大概率存在,所以对抗样本生成更自然。实验结果表明,能量维度与空间维度同时作用生成的对抗样本比只进行空间维度变换生成的对抗样本更有效。

关键词: 人工智能, 对抗样本生成, 空间维度, 扰动

Abstract:

As a significant role in image recognition, neural network can be disturbed by adversarial samples, resulting in recognition errors. Considering that classical adversarial sample generation methods are limited in terms of constraint variables and measurement metrics, this paper puts forward an adversarial sample generation method based on spatial and energy dimensions constrained by cosine similarity, which generates an adversarial sample by spatially translating and rotating the original sample and superimposing a certain strength of Gaussian noise on the energy dimension. Compared with the classic artificial perturbations, rotational shift of spatial dimension and noise of energy dimension exist in large probability in picture generation, transmission, and processing, therefore, the generation of adversarial samples is more natural. The experimental results demonstrate that adversarial sample with both energy and spatial dimensions acting simultaneously is more effective than adversarial sample with only spatial dimensions.

Key words: artificial intelligence, adversarial sample generation, spatial dimension, perturbation

中图分类号:

TP309

于克辰, 郭莉, 姚萌萌. 基于空间及能量维度的黑盒对抗样本生成方法[J]. 信息网络安全, 2021, 21(3): 72-78.

YU Kechen, GUO Li, YAO Mengmeng. The Generation of Black Box Adversarial Sample Based on Spatial and Energy Dimension[J]. Netinfo Security, 2021, 21(3): 72-78.

图/表 7

表1

图1

表2

表3

图2

图3

图4

参考文献 13

[1]	HINTON G, DENG L, YU D, et al. Deep Neural Networks for Acoustic Modeling in Speech Recognition: The Shared Views of Four Research Groups[J]. IEEE Signal Processing Magazine, 2012,29(6):82-97. doi: 10.1109/MSP.2012.2205597 URL
[2]	SUTSKEVER I, VINYALS O, LE Q V. Sequence to Sequence Learning with Neural Networks[EB/OL]. http://de.arxiv.org/pdf/1409.3215, 2020-05-11.
[3]	ACKERMAN E. How Drive.ai is Mastering Autonomous Driving With Deep Learning[EB/OL] https://spectrum.ieee.org/cars-that-think/transportation/self-driving/+how-driveai-is-mastering-autonomous-driving-with-deep-learning, 2020-08-10.
[4]	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing Properties of Neural Networks[EB/OL]. http://arxiv.org/abs/1312.6199, 2020-08-03.
[5]	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and Harnessing Adversarial Examples[EB/OL]. http://arxiv.org/abs/1412.6572, 2020-08-03.
[6]	PAPERNOT N, MCDANIEL P, GOODFELLOW I, et al. Practical Black-box Attacks against Machine Learning[EB/OL]. http://arxiv.org/abs/1602.02697, 2020-08-05.
[7]	KURAKIN A, GOODFELLOW I, BENGIO S. Adversarial Examples in the Physical World[EB/OL]. http://arxiv.org/abs/1607.02533, 2020-08-03.
[8]	SHARIF M, BHAGAVATULA S, BAUER L, et al. Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-art Face Recognition [C]//ACM. 2016 ACM SIGSAC Conference on Computer and Communications Security, October 24-28, 2016, Vienna, Austria. New York: ACM, 2016: 1528-1540.
[9]	MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks [C]//IEEE. 2016 IEEE Conference on Computer Vision and Pattern Recognition, June 27-30, 2016, Las Vegas, NV, USA. New Jersey: IEEE, 2016: 2574-2582.
[10]	CARLINI N, WAGNER D. Towards Evaluating the Robustness of Neural Networks [C]//IEEE. 2017 IEEE Symposium on Security and Privacy, May 22-26, 2017, San Jose, CA, USA. New Jersey: IEEE, 2017: 39-57.
[11]	CHEN Pinyu, SHARMA Y, ZHANG Huan, et al. EAD: Elastic-net Attacks to Deep Neural Networks via Adversarial Examples[EB/OL]. http://arxiv.org/abs/1709.04114, 2020-08-03.
[12]	ROZSA A, RUDD E M, BOULT T E. Adversarial Diversity and Hard Positive Generation [C]//IEEE. 2016 IEEE Conference on Computer Vision and Pattern Recognition Workshops, June 26-July 1, 2016, Las Vegas, NV, USA. New Jersey: IEEE, 2016: 410-417.
[13]	ENGSTROM L, TRAN B, TSIPRAS D, et al. Exploring the Landscape of Spatial Robustness[EB/OL]. http://arxiv.org/abs/1712.02779, 2020-08-03.

名称	型号
处理器	英特尔Core i7-10875H @2.30 GHz 8核
主板	华硕 G512LV（LPC Controller-068D）
内存	16 GB（海力士 DDR4 3200 MHz）
硬盘	英特尔SSDPEKNW512 GB（512 GB/固态硬盘）
显卡	NVIDIA GeForce RTX 2060（6 GB）

变量	回归系数	标准误差	T值	P值
MAX_ROTATION__FLOAT__	1.563	0.084	18.672	0.000
MAX_TRANSLATION__FLOAT__	0.806	0.089	9.076	0.000
C（常数）	28.313	1.996	14.188	0.000
统计量	估计值	—	—	—
调整后R²	0.828	—	—	—
F检验P值	0.000	—	—	—

基于空间及能量维度的黑盒对抗样本生成方法

The Generation of Black Box Adversarial Sample Based on Spatial and Energy Dimension

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 13

相关文章 10

编辑推荐

Metrics

本文评价

[1]	仝鑫, 王罗娜, 王润正, 王靖亚. 面向中文文本分类的词级对抗样本生成方法[J]. 信息网络安全, 2020, 20(9): 12-16.
[2]	张润滋, 刘文懋, 尤扬, 解烽. AISecOps自动化能力分级与技术趋势研究[J]. 信息网络安全, 2020, 20(9): 22-26.
[3]	刘恒, 吴德鑫, 徐剑. 基于生成式对抗网络的通用性对抗扰动生成方法[J]. 信息网络安全, 2020, 20(5): 57-64.
[4]	郭启全, 张海霞. 关键信息基础设施安全保护技术体系[J]. 信息网络安全, 2020, 20(11): 1-9.
[5]	郭敏, 曾颖明, 于然, 吴朝雄. 基于对抗训练和VAE样本修复的对抗攻击防御技术研究[J]. 信息网络安全, 2019, 19(9): 66-70.
[6]	朱海麒, 姜峰. 人工智能时代面向运维数据的异常检测技术研究与分析[J]. 信息网络安全, 2019, 19(11): 24-35.
[7]	裘玥, 李思其. 人工智能发展应用过程的安全威胁分析及解决策略研究[J]. 信息网络安全, 2018, 18(9): 35-41.
[8]	方跃坚, 朱锦钟, 周文, 李同亮. 数据挖掘隐私保护算法研究综述[J]. 信息网络安全, 2017, 17(2): 6-11.
[9]	邹蕾;张先锋. 人工智能及其发展应用[J]. , 2012, 12(2): 0-0.
[10]	方育柯;傅彦;周俊临;曾金全. 基于孤立点检测的自适应入侵检测技术研究[J]. , 2009, 9(7): 0-0.