Netinfo Security, 2022, Vol. 22, Issue (3): 62-69. doi: 10.3969/j.issn.1671-1122.2022.03.007

• Technical Research •

An Improved JSMA Algorithm against Sample Attack Based on Logits Vector

HU Wei, ZHAO Wenlong, CHEN Lu, FU Wei

  1. Department of Information Security, Naval University of Engineering, Wuhan 430000, China
  • Received: 2021-09-29 Online: 2022-03-10 Published: 2022-03-28
  • Contact: CHEN Lu E-mail: 553235208@qq.com
  • About the authors: HU Wei (born 1979), male, Hubei, associate professor, M.S., research interests: cryptography and cyberspace security | ZHAO Wenlong (born 1993), male, Hebei, master's student, research interests: cyberspace security | CHEN Lu (born 1979), female, Guangdong, associate professor, Ph.D., research interests: information security and trusted computing | FU Wei (born 1978), male, Hubei, associate professor, Ph.D., research interests: information security and trusted computing
  • Supported by:
    National Natural Science Foundation of China (61672531)

Abstract:

This paper studies JSMA, currently the typical saliency-map-based adversarial example attack algorithm, and proposes L-JSMA, an improved JSMA adversarial example attack algorithm based on the Logits vector. Experiments on the MNIST and CIFAR-10 datasets show that attack effectiveness is positively correlated with Logits ranking. To verify this further, attack targets are chosen according to their Logits ranking on the AlexNet and Inception-v3 models, and the results support the theory. Experimental analysis shows that the stronger the attack capability of a JSMA-derived algorithm, the more fully it exploits the linear characteristics of the neural network, and the stronger the linear correlation that appears in the experimental results. Because neural networks have both linear and nonlinear characteristics, attack effectiveness is not strictly positively correlated with Logits ranking. By examining the properties of neural networks under white-box attack, the paper helps in understanding the essential characteristics of neural networks and offers a reference for research on black-box attacks.

Key words: neural network, adversarial example attack, JSMA, Logits

CLC Number: