Computer Engineering and Applications ›› 2023, Vol. 59 ›› Issue (13): 61-73. DOI: 10.3778/j.issn.1002-8331.2210-0470

• Hot Topics and Reviews •

Research Status of Black-Box Intelligent Adversarial Attack Algorithms

WEI Jian, SONG Xiaoqing, WANG Qinzhao   

  1. Department of Weaponry and Control, Army Academy of Armored Forces, Beijing 100071, China
  • Online:2023-07-01 Published:2023-07-01

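Abstract: Adversarial algorithms against intelligent recognition are a new research direction in deep learning and are attracting growing attention. This paper introduces the workflow and main stages of black-box adversarial algorithms that target object recognition technology, and reviews them in terms of algorithm principle, cost function, attack performance, and application scenario. It analyzes the training-data and model conditions that black-box attacks require and the strategies for applying them, and summarizes the principles, strengths, and weaknesses of data-based and surrogate-model-based adversarial algorithms. From the perspectives of improving attack effectiveness, strengthening attack generalization, reducing the number of model iterations, and extending the application scenarios of adversarial examples, it examines research progress on surrogate-model-based adversarial algorithms, namely the roles that diversified cost functions, ensemble training models, an optimized parameter update space, and improved parameter update strategies play in adversarial example generation. Taking attacks on face recognition systems, autonomous driving systems, and tracking systems as typical application scenarios, it reviews how the algorithms are applied in practice. With military applications as the background, it discusses the difficulties and challenges facing research on black-box adversarial algorithms against intelligent recognition, and possible solutions.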

Abstract: Adversarial examples are used to attack intelligent algorithms and are attracting more and more attention in the field of deep learning. The workflow and main stages of adversarial attacks are introduced, and existing algorithms are summarized in terms of algorithm principle, loss function, attack ability, and application scenario. The requirements and strategies are analyzed, and the strengths and weaknesses of algorithms based on data and on surrogate models are studied. The research status is elaborated in terms of enhancing attack efficiency, improving attack generalization, reducing iterations, and enlarging application scenarios; that is, the roles of diversifying the loss function, ensembling models, optimizing the parameter update space, and designing a proper update strategy are further analyzed. Typical application scenarios, namely attacking face recognition systems, autonomous driving systems, and tracking systems, are introduced briefly. Finally, the potential challenges and corresponding solutions are explored in terms of military application.

Key words: black-box attack, adversarial example, generative adversarial network, surrogate model