| Citation: | LIU Hongyi, FANG Yutong, WEN Weipinget al. A method for filtering the attack pairs of adversarial examples based on attack distance[J]. Journal of Beijing University of Aeronautics and Astronautics, 2022, 48(2): 339-347. doi: 10.13700/j.bh.1001-5965.2020.0529(in Chinese)
|
During the generation of black-box adversarial examples, an attack pair is usually specified, including a source example and a target example. The purpose is to let the generated adversarial example only have little norm difference from the source example, but it is recognized by the classifier as the classification of the target sample. In order to solve the problem of the instability of adversarial attacks caused by different attack difficulty of attack pairs, taking the image recognition field as an example, this paper presented an attack distance measurement method based on the length of the decision boundary, which provided a measurement method for the attack difficulty of attack pairs. Then this paper designed a filtering method based on attack distance of the attack pairs, which filtered out attack pairs that were difficult to attack before the attack started, so this method can improve the attack performance without modifying the attack algorithm. Experiments show that, compared with the attack pairs before filtering, the filtered attack pairs improve the overall attack performance by 42.07%, improve the attack efficiency by 24.99%, and stabilize the variance by 76.23%. It is recommended that all methods of generating adversarial examples using attack pairs should filter attack pairs before attack to stabilize and improve the attack performance.
| [1] |
KRIZHEVSKY A, SUTSKEVER I, HINTON G E. ImageNet classification with deep convolutional neural networks[J]. Communications of the ACM, 2017, 60(6): 84-90. doi: 10.1145/3065386
|
| [2] |
SZEGEDY C, LIU W, JIA Y Q, et al. Going deeper with convolutions[C]//2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway: IEEE Press, 2015: 1-9.
|
| [3] |
SIMONYAN K, ZISSERMAN A. Very deep convolutional networks for large-scale image recognition[EB/OL]. (2015-04-10)[2020-09-21].
|
| [4] |
HE K M, ZHANG X Y, REN S Q, et al. Deep residual learning for image recognition[C]//2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway: IEEE Press, 2016: 770-778.
|
| [5] |
HUANG G, LIU Z, VAN DER MAATEN L, et al. Densely connected convolutional networks[C]//2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway: IEEE Press, 2017: 2261-2269.
|
| [6] |
SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[EB/OL]. (2014-02-19)[2020-09-21].
|
| [7] |
GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[EB/OL]. (2015-05-20)[2020-09-21].
|
| [8] |
KURAKIN A, GOODFELLOW I, BENGIO S. Adversarial machine learning at scale[EB/OL]. (2017-02-11)[2020-09-21].
|
| [9] |
MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[EB/OL]. (2019-09-04)[2020-09-21].
|
| [10] |
DONG Y P, LIAO F Z, PANG T, et al. Boosting adversarial attacks with momentum[C]//2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE Press, 2018: 9185-9193.
|
| [11] |
CARLINI N, WAGNER D. Towards evaluating the robustness of neural networks[C]//2017 IEEE Symposium on Security and Privacy (SP). Piscataway: IEEE Press, 2017: 39-57.
|
| [12] |
PAPERNOT N, MCDANIEL P, JHA S, et al. The limitations of deep learning in adversarial settings[C]//2016 IEEE European Symposium on Security and Privacy (EuroS&P). Piscataway: IEEE Press, 2016: 372-387.
|
| [13] |
MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. DeepFool: A simple and accurate method to fool deep neural networks[C]//2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway: IEEE Press, 2016: 2574-2582.
|
| [14] |
PAPERNOT N, MCDANIEL P, GOODFELLOW I, et al. Practical black-box attacks against deep learning systems using adversarial examples[EB/OL]. (2017-05-19)[2020-09-21].
|
| [15] |
XIE C H, ZHANG Z S, ZHOU Y Y, et al. Improving transferability of adversarial examples with input diversity[C]//2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE Press, 2019: 2725-2734.
|
| [16] |
TRAMER F, KURAKIN A, PAPERNOT N, et al. Ensemble adversarial training: Attacks and defenses[EB/OL]. (2020-04-26)[2020-09-21].
|
| [17] |
ILYAS A, ENGSTROM L, ATHALYE A, et al. Black-box adversarial attacks with limited queries and information[C]//International Conference on Machine Learning, 2018: 2137-2146.
|
| [18] |
KUANG X H, LIU H Y, WANG Y, et al. A CMA-ES-based adversarial attack on black-box deep neural networks[J]. IEEE Access, 2019, 7: 172938-172947. doi: 10.1109/ACCESS.2019.2956553
|
| [19] |
DONG Y P, SU H, WU B Y, et al. Efficient decision-based black-box adversarial attacks on face recognition[C]//2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE Press, 2019: 7706-7714.
|
| [20] |
BRENDEL W, RAUBER J, BETHGE M. Decision-based adversarial attacks: Reliable attacks against black-box machine learning models[EB/OL]. (2018-02-16)[2020-09-21].
|
| [21] |
LECUN Y, BENGIO Y, HINTON G. Deep learning[J]. Nature, 2015, 521(7553): 436-444. doi: 10.1038/nature14539
|
| [22] |
HELMSTAEDTER M, BRIGGMAN K L, TURAGA S C, et al. Connectomic reconstruction of the inner plexiform layer in the mouse retina[J]. Nature, 2013, 500(7461): 168-174. doi: 10.1038/nature12346
|
| [23] |
XIONG H Y, ALIPANAHI B, LEE L J, et al. The human splicing code reveals new insights into the genetic determinants of disease[J]. Science, 2015, 347(6218): 1254806. doi: 10.1126/science.1254806
|
| [24] |
HINTON G, DENG L, YU D, et al. Deep neural networks for acoustic modeling in speech recognition: The shared views of four research groups[J]. IEEE Signal Processing Magazine, 2012, 29(6): 82-97. doi: 10.1109/MSP.2012.2205597
|
| [25] |
SUTSKEVER I, VINYALS O, LE Q V. Sequence to sequence learning with neural networks[C]//Annual Conference on Neural Information Processing Systems (NeurIPS). Cambridge: MIT Press, 2014: 3104-3112.
|
| [26] |
MNIH V, KAVUKCUOGLU K, SILVER D, et al. Human-level control through deep reinforcement learning[J]. Nature, 2015, 518(7540): 529-533. doi: 10.1038/nature14236
|
| [27] |
GIUSTI A, GUZZI J, CIRŞAN D C, et al. A machine learning approach to visual perception of forest trails for mobile robots[J]. IEEE Robotics and Automation Letters, 2016, 1(2): 661-667. doi: 10.1109/LRA.2015.2509024
|
| [28] |
MIDDLEHURST C. China unveils world's first facial recognition atm[EB/OL]. (2015-01-01)[2020-09-01].
|
| [29] |
刘恒, 吴德鑫, 徐剑. 基于生成式对抗网络的通用性对抗扰动生成方法[J]. 信息网络安全, 2020, 20(5): 57-64.
LIU H, WU D X, XU J. Generating universal adversarial perturbations with generative adversarial networks[J]. Netinfo Security, 2020, 20(5): 57-64(in Chinese).
|
| [30] |
HUANG Q, KATSMAN I, GU Z Q, et al. Enhancing adversarial example transferability with an intermediate level attack[C]//2019 IEEE/CVF International Conference on Computer Vision. Piscataway: IEEE Press, 2019: 4732-4741.
|
| [31] |
WIERSTRA D, SCHAUL T, PETERS J, et al. Natural evolution strategies[C]//2008 IEEE Congress on Evolutionary Computation (IEEE World Congress on Computational Intelligence). Piscataway: IEEE Press, 2008: 3381-3387.
|
| [32] |
HANSEN N. The CMA evolution strategy: A tutorial[EB/OL]. (2016-04-04)[2020-09-21].
|
| [33] |
侯留洋, 罗森林, 潘丽敏, 等. 融合多特征的Android恶意软件检测方法[J]. 信息网络安全, 2020, 20(1): 67-74.
HOU L Y, LUO S L, PAN L M, et al. Multi-feature Android malware detection method[J]. Netinfo Security, 2020, 20(1): 67-74(in Chinese).
|
| [1] | ZHU Yuanjun, LI Yan, ZHANG Xuejun, ZHANG Weidong. Risk-Constrained Safe Path Planning for Unmanned Aerial Vehicles in Urban Airspace[J]. Journal of Beijing University of Aeronautics and Astronautics. doi: 10.13700/j.bh.1001-5965.2024.0843 |
| [2] | LI Huan, CUI Pengcheng, JIA Hongyin, GONG Xiaoquan, WU Xiaojun. Numerical Simulation of TSTO Interstage Separation Considering Constraint Force[J]. Journal of Beijing University of Aeronautics and Astronautics. doi: 10.13700/j.bh.1001-5965.2024.0839 |
| [3] | CHEN Hui, LIU Meng-bo, LIAN Feng, HAN Chong-zhao. Star convex irregular shape multi-extended target PMBM filter[J]. Journal of Beijing University of Aeronautics and Astronautics. doi: 10.13700/j.bh.1001-5965.2023.0766 |
| [4] | ZHANG W,GAO Z H,WANG C,et al. Efficient surrogate-based aerodynamic optimization with parameter-free adaptive penalty function[J]. Journal of Beijing University of Aeronautics and Astronautics,2024,50(4):1262-1272 (in Chinese). doi: 10.13700/j.bh.1001-5965.2022.0451. |
| [5] | LIU S Y,YANG H L,ZHANG Z G,et al. Vibration control of flexible spacecraft with output constraints and external disturbances[J]. Journal of Beijing University of Aeronautics and Astronautics,2024,50(5):1560-1567 (in Chinese). doi: 10.13700/j.bh.1001-5965.2022.0622. |
| [6] | ZHANG Y L,MA Z Z,SHI L,et al. Multi-agent coverage control based on communication connectivity maintenance constraints[J]. Journal of Beijing University of Aeronautics and Astronautics,2024,50(2):519-528 (in Chinese). doi: 10.13700/j.bh.1001-5965.2022.0340. |
| [7] | JIANG W H,CHEN Z L,CHENG Y B,et al. Image captioning model based on divergence-based and spatial consistency constraints[J]. Journal of Beijing University of Aeronautics and Astronautics,2024,50(2):456-465 (in Chinese). doi: 10.13700/j.bh.1001-5965.2022.0400. |
| [8] | ZHAO Ru-jian, YANG Wei, WU Zhen-yu, CENG Hong-cheng, CHEN Jie, MA Lei. Ship track prediction method based on LSTM and nautical chart constraints[J]. Journal of Beijing University of Aeronautics and Astronautics. doi: 10.13700/j.bh.1001-5965.2023.0516 |
| [9] | CHAI G Q,BO X S,LIU H J,et al. Self-supervised scene depth estimation for monocular images based on uncertainty[J]. Journal of Beijing University of Aeronautics and Astronautics,2024,50(12):3780-3787 (in Chinese). doi: 10.13700/j.bh.1001-5965.2022.0943. |
| [10] | REN Si-yuan, WANG Song, CHEN Gong, DENG Chen, PAN Zheng-xiao. Research on task planning of multiple UAVs with simultaneous arrival constraints[J]. Journal of Beijing University of Aeronautics and Astronautics. doi: 10.13700/j.bh.1001-5965.2023.0783 |
| [11] | NIE Li, LI Chenliang, LIU Wangkui, SHEN Haidong, LIU Yanbin, CHEN Jinbao. Adaptive neural network based fixed-time command-filtered control for quadrotor unmanned aerial vehicles[J]. Journal of Beijing University of Aeronautics and Astronautics. doi: 10.13700/j.bh.1001-5965.2024.0403 |
| [12] | GONG Fengxun, LIU Tao. Simplified S-mode signal pulse structure with kernel function constraints and TOA accuracy study[J]. Journal of Beijing University of Aeronautics and Astronautics. doi: 10.13700/j.bh.1001-5965.2024.0204 |
| [13] | YANG Y,ZHANG S,SHU T. Double light curtain-constrained hazy image restoration algorithm based on improved atmospheric scattering model[J]. Journal of Beijing University of Aeronautics and Astronautics,2024,50(12):3632-3644 (in Chinese). doi: 10.13700/j.bh.1001-5965.2022.1010. |
| [14] | PAN C Z,HE G,LI Z J,et al. Adaptive filtered control for uncertain electro-hydraulic servo systems with time-varying output constraints[J]. Journal of Beijing University of Aeronautics and Astronautics,2024,50(6):1819-1828 (in Chinese). doi: 10.13700/j.bh.1001-5965.2022.0497. |
| [15] | GUO Q,WU T H,XU W,et al. Target tracking algorithm based on saliency awareness and consistency constraint[J]. Journal of Beijing University of Aeronautics and Astronautics,2023,49(9):2244-2257 (in Chinese). doi: 10.13700/j.bh.1001-5965.2021.0688. |
| [16] | CHEN J J,YUAN H,XU Y,et al. GNSS instantaneous attitude determination method based on multi-variable constraints[J]. Journal of Beijing University of Aeronautics and Astronautics,2023,49(6):1394-1401 (in Chinese). doi: 10.13700/j.bh.1001-5965.2021.0453. |
| [17] | LYU Y,CAO F. Robust beamforming based on linear constraint minimum variance algorithm[J]. Journal of Beijing University of Aeronautics and Astronautics,2023,49(3):617-624 (in Chinese). doi: 10.13700/j.bh.1001-5965.2021.0280. |
| [18] | ZHANG S,SONG T L,JIAO W,et al. Cooperative guidance method with interception time constraint[J]. Journal of Beijing University of Aeronautics and Astronautics,2023,49(8):1956-1963 (in Chinese). doi: 10.13700/j.bh.1001-5965.2021.0569. |
| [19] | ZHU Y,XIAO S H,CHEN Z T. A registration algorithm with datum constraints and allowance constraints[J]. Journal of Beijing University of Aeronautics and Astronautics,2023,49(3):580-587 (in Chinese). doi: 10.13700/j.bh.1001-5965.2021.0314. |
| [20] | ZHAO G R,GU H L,HAN X,et al. NNS distributed fusion estimator under multiple network constraints[J]. Journal of Beijing University of Aeronautics and Astronautics,2023,49(2):229-241 (in Chinese). doi: 10.13700/j.bh.1001-5965.2021.0225. |
| 1. | 李云红,于惠康,马登飞,苏雪平,段姣姣,史含驰. 改进迁移学习的双分支卷积神经网络图像去雾. 北京航空航天大学学报. 2024(01): 30-38 .  本站查看 | |
| 2. | 彭文竹. 基于天空区域分离和自适应中值滤波的偏振图像复原方法. 曲靖师范学院学报. 2023(03): 33-38 .  |
Figures(6) / Tables(1)
Copyright © Journal of Beijing University of Aeronautics and Astronautics
Address: Editorial Department of Journal of Beijing University of Aeronautics and Astronautics, 37 Xueyuan Road, Haidian District, Beijing Post Code: 100191 Email: jbuaa@buaa.edu.cn
Supported by:
Beijing Renhe Information Technology Co., Ltd.
Zhang Guoliang, Liu Hong, Jiang Zainan, et al. Visual aid for teleoperation applied to satellite on-orbit self-servicing[J]. Journal of Beijing University of Aeronautics and Astronautics, 2009, 35(7): 882-886. (in Chinese)
DownLoad:
