Generating Universal Adversarial Perturbations with Generative Adversarial Networks

doi:10.3969/j.issn.1671-1122.2020.05.007

Abstract

Abstract:

Deep neural networks have high accuracy in image classification. However, when small adversarial perturbation is added to the original image, the accuracy of classification will decrease significantly. Studies show that there is an universal adversarial perturbation for a classifier and a data set, which can attack most of the original images. This paper designs a method for making universal adversarial perturbation with generative adversarial network. Through the training of the generative adversarial network, the generator can make an universal adversarial perturbation which added to the original image to make the adversarial sample, so as to achieve the purpose of attack. This paper conducts no target attack, target attack and transfer attack experiments on the CIFAR-10 dataset. Experiments show that the universal adversarial perturbation generated by the generative adversarial network can reach an attack success rate of 89% under lower norm constraints, and the trained generator can produce a large number of adversarial samples in a short time, which is conducive to the robustness research of deep neural network.

Key words: deep neural network, universal adversarial perturbation, generative adversarial network

CLC Number:

TP309

LIU Heng, WU Dexin, XU Jian. Generating Universal Adversarial Perturbations with Generative Adversarial Networks[J]. Netinfo Security, 2020, 20(5): 57-64.

Figures/Tables 8

References 23

[1]	HE Kaiming, ZHANG Xiangyu, REN Shaoqing , et al. Identity Mappings in Deep Residual Networks[M] //Springer. Computer Vision- ECCV 2016. Cham: Springer, 2016: 630-645.
[2]	DURAND T, MEHRASA N, MORI G . Learning a Deep ConvNet for Multi-label Classification with Partial Labels[EB/OL]. https://arxiv.org/abs/1902.09720v1, 2020-3-20.
[3]	ALOM M Z, ASPIRAS T, TAHA T M , et al. Skin Cancer Segmentation and Classification with NABLA-N and Inception Recurrent Residual Convolutional Networks[EB/OL]. https://arxiv.org/abs/1904.1112, 2020-3-20.
[4]	ISLAM J, ZHANG Yanqing . Early Diagnosis of Alzheimer's Disease: A Neuroimaging Study with Deep Learning Architectures[EB/OL]. https://www.researchgate.net/publication/329751271_Early_Diagnosis_of_Alzheimer's_Disease_A_Neuroimaging_Study_with_Deep_Learning_Architectures, 2020-3-20.
[5]	ANTON S D, KANOOR S, FRAUNHOLZ D , et al. Evaluation of Machine Learning-based Anomaly Detection Algorithms on an Industrial Modbus/tcp Data Set[EB/OL]. https://arxiv.org/abs/1905.11757v1, 2020-3-20.
[6]	YAN Weizhong, YU Lijie . On Accurate and Reliable Anomaly Detection for Gas Turbine Combustors: A Deep Learning Approach[EB/OL]. https://arxiv.org/abs/1908.09238, 2020-3-20.
[7]	SZEGEDY C, ZAREMBA W, SUTSKEVER I , et al. Intriguing Properties of Neural Networks[EB/OL]. https://arxiv.org/abs/1312.6199, 2020-3-20.
[8]	MOOSAVI-DEZFOOLI S M, FAWZI A, FAWZI O , et al. Universal Adversarial Perturbations [C]//IEEE. 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), July 21-26, 2017, Honolulu, HI, USA. NJ: IEEE, 2017: 1765-1773.
[9]	CARLINI N, WAGNER D . Towards Evaluating the Robustness of Neural Networks[EB/OL]. https://arxiv.org/abs/1608.04644v1, 2020-3-20.
[10]	GOODFELLOW I, POUGET-ABADIE J, MIRZA M , et al. Generative Adversarial Nets[EB/OL]. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.747.1316&rep=rep1&type=pdf, 2020-3-20.
[11]	RADFORD A, METZ L, CHINTALA S . Unsupervised Representation Learning with Deep Convolutional Generative Adversarial Networks[EB/OL]. https://arxiv.org/abs/1511.06434, 2020-3-20.
[12]	GOODFELLOW I J, SHLENS J, SZEGEDY C . Explaining and Harnessing Adversarial Examples[EB/OL]. http://de.arxiv.org/pdf/1412.6572, 2020-3-20.
[13]	TRAMÈR F, KURAKIN A, PAPERNOT N , et al. Ensemble Adversarial Training: Attacks and Defenses[EB/OL]. https://arxiv.org/abs/1705.07204, 2020-3-20.
[14]	DONG Yinpeng, LIAO Fangzhou, PANG Tianyu , et al. Boosting Adversarial Attacks with Momentum[EB/OL]. https://arxiv.org/abs/1710.06081, 2020-3-20.
[15]	CHEN Jianbo, JORDAN M I, WAINWRIGHT M J . Hopskipjumpattack: A Query-efficient Decision-based Attack[EB/OL]. , 2020-3-20.
[16]	MOPURI K R, GARG U, BABU R V . Fast Feature Fool: A Data Independent Approach to Universal Adversarial Perturbations[EB/OL]. https://arxiv.org/abs/1707.05572, 2020-3-20.
[17]	HAYES J, DANEZIS G . Learning Universal Adversarial Perturbations with Generative Models[EB/OL]. https://arxiv.org/abs/1708.05207?context=stat, 2020-3-20.
[18]	POURSAEED O, KATSMAN I, GAO Bicheng , et al. Generative Adversarial Perturbations[EB/OL]. https://arxiv.org/abs/1712.02328, 2020-3-20.
[19]	SHAFAHI A, NAJIBI M, XU Zheng , et al. Universal Adversarial Training[EB/OL]. https://arxiv.org/abs/1811.11304, 2020-3-20.
[20]	KRIZHEVSKY A . Learning Multiple Layers of Features from Tiny Images[EB/OL]. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.222.9220, 2020-3-20.
[21]	SIMONYAN K, ZISSERMAN A . Very Deep Convolutional Networks for Large-scale Image Recognition[EB/OL]. https://arxiv.org/abs/1409.1556, 2020-3-20.
[22]	HE Kaiming, ZHANG Xiangyu, REN Shaoqing , et al. Deep Residual Learning for Image Recognition[EB/OL]. https://arxiv.org/abs/1512.03385, 2020-3-20.
[23]	HUANG Gao, LIU Zhuang, VAN DER MAATEN L , et al. Densely Connected Convolutional Networks[EB/OL]. https://arxiv.org/abs/1608.06993, 2020-3-20.

层数	类型	卷积核	步长	填充	激活函数
输入层	随机噪声
0~1	反卷积	(4,4)	(2,2)	(1,1)	ReLU
	批标准化
1~2	反卷积	(4,4)	(2,2)	(1,1)	ReLU
	批标准化
2~3	反卷积	(4,4)	(2,2)	(1,1)	ReLU
	批标准化
3~4	反卷积	(4,4)	(2,2)	(1,1)	ReLU
	批标准化
输出层	反卷积	(4,4)	(2,2)	(1,1)	Tanh

层数	类型	卷积核	步长	填充	激活函数
输入层	图像
0~1	卷积	(4,4)	(2,2)	(1,1)	ReLU
1~2	卷积
	批标准化	(4,4)	(2,2)	(1,1)	ReLU
2~3	卷积
	批标准化	(4,4)	(2,2)	(1,1)	ReLU
3~4	卷积
	批标准化	(4,4)	(2,2)	(1,1)	ReLU
输出层	卷积	(4,4)	(1,1)	(1,1)	Sigmoid

攻击方法	数据集	攻击成功率
攻击方法	数据集	Vgg-19	DenseNet	ResNet-101
UAP-GAN	训练集	69%	89%	89%
UAP-GAN	测试集	69%	89%	89%
GAP	训练集	64%	65%	78%
GAP	测试集	64%	65%	78%
UAN	训练集	64%	75%	83%
UAN	测试集	66%	75%	85%

分类器	攻击成功率
分类器	Vgg-19	DenseNet	ResNet-101
针对Vgg-19制作的对抗样本	69%	88%	90%
针对DenseNet制作的对抗样本	57%	89%	89%
针对ResNet-101制作的对抗样本	63%	89%	89%