Perturbation Initialization, Adam-Nesterov and Quasi-Hyperbolic Momentum for Adversarial Examples

ZOU Jun-hua; DUAN Ye-xin; REN Chuan-lun; QIU Jun-yang; ZHOU Xing-yu; PAN Zhi-song

doi:10.12263/DZXB.20200839

您当前的位置：

首页 >

文章列表页 >

Perturbation Initialization, Adam-Nesterov and Quasi-Hyperbolic Momentum for Adversarial Examples

PAPERS | 更新时间：2025-12-08

- Perturbation Initialization, Adam-Nesterov and Quasi-Hyperbolic Momentum for Adversarial Examples
- ACTA ELECTRONICA SINICA Vol. 50, Issue 1, Pages: 207-216(2022)
- 作者机构：
  
  1.陆军工程大学指挥控制工程学院，江苏南京 210007
  2.陆军军事交通学院镇江校区，江苏镇江 212003
  3.华北计算技术研究所，北京 100083
  4.江南计算所数字工程与先进计算国家重点实验室，江苏无锡 214083
- 作者简介：
- 基金信息：
- DOI：10.12263/DZXB.20200839
  CLC： TP391;
- Received：04 August 2020，
  
  Revised：2021-01-22，
  
  Published：25 January 2022
- 稿件说明：
移动端阅览
邹军华,段晔鑫,任传伦等.基于噪声初始化、Adam-Nesterov方法和准双曲动量方法的对抗样本生成方法[J].电子学报,2022,50(01):207-216.

ZOU Jun-hua,DUAN Ye-xin,REN Chuan-lun,et al.Perturbation Initialization, Adam-Nesterov and Quasi-Hyperbolic Momentum for Adversarial Examples[J].ACTA ELECTRONICA SINICA,2022,50(01):207-216.
邹军华,段晔鑫,任传伦等.基于噪声初始化、Adam-Nesterov方法和准双曲动量方法的对抗样本生成方法[J].电子学报,2022,50(01):207-216. DOI： 10.12263/DZXB.20200839.

ZOU Jun-hua,DUAN Ye-xin,REN Chuan-lun,et al.Perturbation Initialization, Adam-Nesterov and Quasi-Hyperbolic Momentum for Adversarial Examples[J].ACTA ELECTRONICA SINICA,2022,50(01):207-216. DOI： 10.12263/DZXB.20200839.

摘要

深度神经网络在多种模式识别任务上都取得了巨大突破，但相关研究表明深度神经网络存在脆弱性，容易被精心设计的对抗样本攻击.本文以分类任务为着手点，研究对抗样本的迁移性，提出基于噪声初始化、Adam-Nesterov方法和准双曲动量方法的对抗样本生成方法.本文提出一种对抗噪声的初始化方法，通过像素偏移方法来预先增强干净样本的攻击性能.同时，本文使用Adam-Nesterov方法和准双曲动量方法来改进现有方法中的Nesterov方法和动量方法，实现更高的黑盒攻击成功率.在不需要额外运行时间和运算资源的情况下，本文方法可以和其他的攻击方法组合，并显著提高了对抗样本的黑盒攻击成功率.实验表明，本文的最强攻击组合为ANI-TI-DIQHM*（其中*代表噪声初始化），其对经典防御方法的平均黑盒攻击成功率达到88.68%，对较为先进的防御方法的平均黑盒攻击成功率达到82.77%，均超过现有最高水平.

Abstract

Deep neural networks(DNNs) have made great breakthrough in many pattern recognition tasks. However

relevant research shows that the DNNs are vulnerable to adversarial examples. In this paper

we study the transferability of adversarial examples in the classification task

and propose perturbation initialization

the quasi-hyperbolic momentum iterative fast gradient sign method(QHMI-FGSM) and the adam-nesterov iterative fast gradient sign method(ANI-FGSM). We propose perturbation initialization method called pixel shift in adversarial attack. Furthermore

QHMI-FGSM and ANI-FGSM proposed in this paper are the improvements on the existing momentum iterative fast gradient sign method(MI-FGSM) and nesterov iterative fast gradient sign method(NI-FGSM). Additionally

perturbation initialization

QHMI-FGSM and ANI-FGSM are easily integrated into other existing methods

which can significantly improve the success rates of black-box attacks without additional running time and computing resources. Experimental results show that our best attack ANI-TI-DIQHM* can fool six classic black-box defense models with an average success rate of 88.68%

and fool four advance black-box defense models with an average success rate of 82.77%

which are higher than the state-of-the-art results.

关键词

Keywords

references

HE K M ， ZHANG X G ， REN S Q ， et al . Identity mappings in deep residual networks ［C］// 2016 14th European Conference on Computer Vision . Amsterdam，NEP ： Springer ， 2016 ： 630 - 645 .

HE K M ， GKIOXARI G ， DOLLÁR P ， et al . Mask R-CNN ［C］// 2017 IEEE International Conference on Computer Vision . Venice，Italy ： IEEE Computer Society ， 2017 ： 2980 - 2988 .

GOODFELLOW I J ， SHLENS J ， SZEGEDY C . Explaining and harnessing adversarial examples ［C］// 2015 3rd International Conference on Learning Representations . San Diego，USA ： Conference Track Proceedings ， 2015 ： 1 - 11 .

LIU Y P ， CHEN X Y ， LIU C ， et al . Delving into transferable adversarial examples and black-box attacks ［C］// 2017 5th International Conference on Learning Representations . Toulon，France ： Conference Track Proceedings ， 2017 ： 1 - 24 .

ATHALYE A ， ENGSTROM L ， ILYAS A ， et al . Synthesizing robust adversarial examples ［C］// 2018 35th International Conference on Machine Learning . Stockholmsmässan，SWE ： Proceedings of Machine Learning Research ， 2018 ： 284 - 293 .

TRAMÈR F ， KURAKIN A ， PAPERNOT N ， et al . Ensemble adversarial training： Attacks and defenses ［C］// 2018 6th International Conference on Learning Representations . Vancouver，CAN ： Conference Track Proceedings ， 2018 ： 1 - 22 .

LIAO F Z ， LIANG M ， DONG Y P ， et al . Defense against adversarial attacks using high-level representation guided denoiser ［C］// 2018 IEEE Conference on Computer Vision and Pattern Recognition . Salt Lake City，USA ： IEEE Computer Society ， 2018 ： 1778 - 1787 .

XIE C H ， WANG J Y ， ZHANG Z S ， et al . Mitigating adversarial effects through randomization ［C］// 2018 6th International Conference on Learning Representations . Vancouver，CAN ： Conference Track Proceedings ， 2018 ： 1 - 16 .

RAGHUNATHAN A ， STEINHARDT J ， LIANG P . Certified defenses against adversarial examples ［C］// 2018 6th International Conference on Learning Representations . Vancouver，CAN ： Conference Track Proceedings ， 2018 ： 1 - 15 .

RAUBER J ， BRENDEL W ， BETHGE M . Foolbox v 0 . 8 . 0 ： A python toolbox to benchmark the robustness of machine learning models［J/OL］. ［2020］. https：//arxiv.org/abs/1707.04131 https://arxiv.org/abs/1707.04131 .

DONG Y P ， LIAO F Z ， PANG T Y ， et al . Boosting adversarial attacks with momentum ［C］// 2018 IEEE Conference on Computer Vision and Pattern Recognition . Salt Lake City，USA ： IEEE Computer Society ， 2018 ： 9185 - 9193 .

NARODYTSKA N ， KASIVISWANATHAN S P . Simple black-box adversarial perturbations for deep networks ［J/OL］. （ 2016-12-19 ）［2020］. https：//arxiv.org/abs/1612.06299 https://arxiv.org/abs/1612.06299 .

CHEN J B ， JORDAN M I . Boundary attack++： Query-efficient decision-based adversarial attack ［J/OL］. ［2020］. https：//arxiv.org/abs/1904.02144 https://arxiv.org/abs/1904.02144 .

LIN J D ， SONG C B ， HE K ， et al . Nesterov accelerated gradient and scale invariance for improving transferability of adversarial examples ［J/OL］. ［2020］. https：//arxiv.org/abs/1908.06281 https://arxiv.org/abs/1908.06281 .

XIE C H ， ZHANG Z S ， ZHOU Y Y ， et al . Improving transferability of adversarial examples with input diversity ［C］// 2019 IEEE Conference on Computer Vision and Pattern Recognition . Long Beach，USA ： Computer Vision Foundation ， 2019 ： 2730 - 2739 .

DONG Y P ， PANG T Y ， SU H ， et al . Evading defenses to transferable adversarial examples by translation-invariant attacks ［C］// 2019 IEEE Conference on Computer Vision and Pattern Recognition . Long Beach，USA ： Computer Vision Foundation ， 2019 ： 4312 - 4321 .

KURAKIN A ， IAN J. GOODFELLOW ， SAMY BENGIO . Adversarial examples in the physical world ［C］// 2017 5th International Conference on Learning Representations . Toulon，France ： Conference Track Proceedings ， 2017 ： 1 - 14 .

MA J ， YARATS D . Quasi-hyperbolic momentum and adam for deep learning ［C］// 2019 7th International Conference on Learning Representations . New Orleans，USA ： Conference Track Proceedings ， 2019 ： 1 - 38 .

贾熹滨，史佳帅 . Ada_Nesterov动量方法——种具有自适应学习率的Nesterov动量方法［J］. 计算机科学与应用， 2019 ， 9 ： 351 - 358 .

JIA X B ， SHI J S . Ada_Nesterov momentum algorithm—the nesterov momentum algorithm with adaptive learning rate ［J］. Computer Science and Application ， 2019 ， 9 ： 351 - 358 . （in Chinese）

KINGMA D P ， BA J . Adam： A method for stochastic optimization ［C］// 2015 3rd International Conference on Learning Representations . San Diego，USA ： Conference Track Proceedings ， 2015 ： 1 - 15 .

DUCHI ， JOHN ， HAZAN ， et al . Adaptive subgradient methods for online learning and stochastic optimization ［J］. The Journal of Machine Learning Research ， 2011 ， 12 ： 2121 - 2159 .

SZEGEDY C ， VANHOUCKE V ， IOFFE S ， et al . Rethinking the inception architecture for computer vision ［C］// 2016 IEEE Conference on Computer Vision and Pattern Recognition . Las Vegas，USA ： IEEE Computer Society ， 2016 ： 2818 - 2826 .

SZEGEDY C ， IOFFE S ， VANHOUCKE V ， et al . Alemi. Inception-v4， inception-resnet and the impact of residual connections on learning ［C］// 2017 31st AAAI Conference on Artificial Intelligence . San Francisco，USA ： AAAI Press ， 2017 ： 4278 - 4284 .

LIU Z H ， LIU Q ， LIU T ， et al . Feature distillation： DNN-Oriented JPEG compression against adversarial examples ［C］// 2019 IEEE Conference on Computer Vision and Pattern Recognition . Long Beach，USA ： Computer Vision Foundation ， 2019 ： 860 - 868 .

JIA X J ， WEI X X ， CAO X C ， et al . ComDefend： An efficient image compression model to defend adversarial examples ［C］// 2019 IEEE Conference on Computer Vision and Pattern Recognition . Long Beach，USA ： Computer Vision Foundation ， 2019 ： 6084 - 6092 .

COHEN J M ， ROSENFELD E ， KOLTER J Z . Certified adversarial robustness via randomized smoothing ［C］// 2019 36th International Conference on Machine Learning ICML . Long Beach，USA ： Proceedings of Machine Learning Research ， 2019 ： 1310 - 1320 .

Views

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

Research on Category Similarity-Driven Dynamic Fake Target Adversarial Attack Methods

Boosting Adversarial Transferability Through Adaptive-Learning-Rate with Data Augmentation Mechanism

An Electromagnetic Signal Adversarial Examples Generation Method Based on Saliency Map

Anti-Customization Adversarial Examples against Text-to-Image Diffusion Models with Multi-Element Collaboration

Related Author

ZHANG Lin-jun

YU Hong-xia

LU Lei-ji

BAO Lei

CHEN Jun

BAO Lei

TAO Wei

TAO Qing

Related Institution

Department of Information Engineering, PLA Army Services University

Department of Information Engineering， PLA Army Academy of Artillery and Air Defense

PLA Academy of Military Science

Wuhan Digital Engineering Institute

School of Cyberspace Security, Guangzhou University

⁰