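1. Zhenjiang Campus, Army Military Transportation University, Zhenjiang, Jiangsu 212003
2. College of Railway Transportation, Hunan University of Technology, Zhuzhou, Hunan 412007
3. Department of Cyberspace Security, Beijing Electronic Science and Technology Institute, Beijing 100071
4. College of Command and Control Engineering, Army Engineering University, Nanjing, Jiangsu 210007
DUAN Ye-xin: male, born in 1987 in Yugan, Jiangxi. He received his Ph.D. in computer science and technology from Army Engineering University in 2021. He is currently a lecturer at Army Military Transportation University; his main research interest is adversarial machine learning. Email: duanyexin0713@163.com
HE Zheng-yun: female, born in 1976 in Hengyang, Hunan. She received her master's degree from Hunan University in 2005 and her Ph.D. from Army Engineering University in 2023. She is currently a lecturer at Hunan University of Technology; her main research interests are artificial intelligence and machine vision. Email: zhengyun_he@126.com
PAN Zhi-song: male, born in 1973 in Nanjing, Jiangsu. He received his Ph.D. from Nanjing University of Aeronautics and Astronautics in 2003 and is currently a professor and doctoral supervisor at Army Engineering University. His main research interests are artificial intelligence and pattern recognition. Email: panzs@nuaa.edu.cn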
Received: 2022-11-11
Revised: 2023-09-02
Print publication: 2024-03-25
DUAN Ye-xin, HE Zheng-yun, ZHANG Song, et al. Robust Physical Adversarial Camouflages for Image Classifiers[J]. ACTA ELECTRONICA SINICA, 2024, 52(03): 863-871. DOI: 10.12263/DZXB.20221301.
Deep learning models are vulnerable to adversarial examples. As a more threatening type for practical deep learning systems, physical adversarial examples have received extensive research attention in recent years. Most of the existing methods use local adversarial patch noise to attack the image classification model in the physical world. However, the attack effect of 2D patches in 3D space inevitably declines as the view angle changes. To address this issue, the proposed Adv-Camou method uses spatial combination transformation to generate training examples of arbitrary viewpoints and transformed backgrounds in real time. Moreover, the cross-entropy loss between the prediction class and the target class is minimized to make the model output the specified incorrect class. In addition, the established 3D simulation scene can evaluate different attacks fairly and reproducibly. The experimental results show that the coated adversarial camouflage generated by the Adv-Camou method can fool image classifiers from arbitrary viewpoints. In the 3D simulation scene, the average targeted attack success rate of Adv-Camou is more than 25% higher than that of textures pieced together from multiple patches. The success rate of black-box targeted attacks on the Clarifai commercial classification system reaches 42%. In addition, the average attack success rate of 3D printing model experiments in the real world is about 66%, which significantly demonstrates that our method outperforms state-of-the-art methods.