基于改进积分梯度的黑盒迁移攻击算法

doi:10.3778/j.issn.1002-8331.2212-0377

摘要/Abstract

摘要： 对抗样本可以轻易攻击深度神经网络，影响模型的使用安全。虽然白盒攻击方法有优秀的成功率，但是在黑盒迁移攻击时通常表现出较差的效果。目前最先进的TAIG算法基于积分梯度，可以提升对抗样本的迁移性。但研究发现其积分路径缺失到饱和区的有效信息，并且使用不恰当的基线和梯度计算，限制了算法攻击成功率的上限。改进了积分梯度并提出了IIGA攻击算法（improved integrated gradients attack）。改进积分梯度将有限路径扩展为无限路径，融合输入到真实饱和区的梯度累计，可以表征每个分量更准确的重要性；并提出信息熵基线，确保基线相对于模型不含任何信息。IIGA将生成的改进积分梯度进行平滑处理作为攻击的反向优化方向，平滑操作过滤因神经网络在小范围偏导剧烈跳动而产生的大量噪点，使梯度信息集中于视觉特征，并在迭代过程中加入动量信息稳定梯度方向。在ImageNet数据集上进行的大量实验表明IIGA不仅在白盒攻击下优于FGSM、C&W等算法，在黑盒迁移攻击模式下也大大超过了SI-NI、VMI、AOA和TAIG等先进的算法。

关键词: 对抗攻击, 扩展路径, 信息熵基线, 迁移攻击

Abstract: Adversarial samples can easily attack deep neural networks and hinder the safety of the model applications. While white-box attack methods have excellent success rates, they usually perform poorly when attacking black-box models. Currently, the best algorithm TAIG is based on integrated gradients, which can improve transferability of adversarial samples. However, its integrated path is missing valid information to the saturation region and uses improper baseline and gradient calculations, which limits the success rate. This paper improves the integrated gradients and proposes the IIGA attack algorithm (improved integrated gradients attack). The improved integrated gradients extend the finite path to infinity by adding the part from the input to the true saturation region to show the importance of each component more accurately, and the information entropy baseline is proposed to ensure the baseline is free of any information relative to the model. IIGA uses the smoothed improved integrated gradient as attack reverse optimization direction. The smoothing operation filters the large amount of noise generated by the sharp perturbation of the neural network in a small bias, concentrates the gradient information on the visual features, and adds momentum information to stabilize the direction during iteration. Extensive experiments on ImageNet dataset show that IIGA not only outperforms algorithms such as FGSM and C&W in the white-box attack mode, but also exceeds the advanced transferable algorithm like SI-NI, VMI, AOA, TAIG and other in the black-box mode.

Key words: adversarial attack, extended path, information entropy baseline, transferable attack

王正来, 关胜晓. 基于改进积分梯度的黑盒迁移攻击算法[J]. 计算机工程与应用, 2024, 60(9): 309-316.

WANG Zhenglai, GUAN Shengxiao. Black-Box Transferable Attack Method Based on Improved Integrated Gradients[J]. Computer Engineering and Applications, 2024, 60(9): 309-316.

参考文献

[1] SZEGEDY C, ZARAMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[C]//2nd International Conference on Learning Representations, 2014.
[2] KURAKIN A, GOODFELLOW I J, BENGIO S. Adversarial examples in the physical world[M]//Artificial intelligence safety and security. [S.l.]: Chapman and Hall/CRC, 2018: 99-112.
[3] HU S, LIU X, ZHANG Y, et al. Protecting facial privacy: generating adversarial identity masks via style-robust makeup transfer[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022: 14994-15003.
[4] DUAN R, MAO X, QIN A K, et al. Adversarial laser beam: effective physical-world attack to dnns in a blink[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021: 16062-16071.
[5] GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[C]//International Conference on Learning Representations, 2015.
[6] CARLINI N, WAGNER D. Towards evaluating the robustness of neural networks[C]//2017 IEEE Symposium on Security and Privacy (SP), 2017: 39-57.
[7] ALEKSANDER M, ALEKSANDAR M, LUDWIG S, et al. Towards deep learning models resistant to adversarial attacks[C]//International Conference on Learning Representations, 2018.
[8] DONG Y, LIAO F, PANG T, et al. Boosting adversarial attacks with momentum[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2018: 9185-9193.
[9] LIN J, SONG C, HE K, et al. Nesterov accelerated gradient and scale invariance for adversarial attacks[C]//International Conference on Learning Representations, 2020.
[10] WANG Z, GUO H, ZHANG Z, et al. Feature importance-aware transferable adversarial attacks[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision, 2021: 7639-7648.
[11] ZHANG J, WU W, HUANG J, et al. Improving adversarial transferability via neuron attribution-based attacks[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022: 14993-15002.
[12] WU W, SU Y, CHEN X, et al. Boosting the transferability of adversarial samples via attention[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2020: 1161-1170.
[13] HUANG Y, KONG A W K. Transferable adversarial attack based on integrated gradients[C]//International Conference on Learning Representations, 2022.
[14] SUNDARARAJAN M, TALY A, YAN Q. Gradients of counterfactuals[C]//International Conference on Learning Representations, 2017.
[15] SMILKOV D, THORAT N, KIM B, et al. Smoothgrad: removing noise by adding noise[J]. arXiv:1706.03825, 2017.
[16] ZHOU B, KHOSLA A, LAPEDRIZA A, et al. Learning deep features for discriminative localization[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2016: 2921-2929.
[17] SELVARAJU R R, COGSWELL M, DAS A, et al. Grad-cam: visual explanations from deep networks via gradient-based localization[C]//Proceedings of the IEEE International Conference on Computer Vision, 2017: 618-626.
[18] SHRIKUMAR A, GREENSIDE P, KUNDAJE A. Learning important features through propagating activation differences[C]//International Conference on Machine Learning, 2017: 3145-3153.
[19] WANG X, HE K. Enhancing the transferability of adversarial attacks through variance tuning[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021: 1924-1933.
[20] WANG G, YAN H, WEI X. Enhancing Transferability of adversarial examples with spatial momentum[C]//Chinese Conference on Pattern Recognition and Computer Vision, 2022: 593-604.
[21] CHEN S, HE Z, SUN C, et al. Universal adversarial attack on attention and the resulting dataset damagenet[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2020, 44(4): 2188-2197.
[22] STURMFELS P, LUNDBERG S, LEE S I. Visualizing the impact of feature attribution baselines[J]. Distill, 2020, 5(1): e22.
[23] SHANNON C E. A mathematical theory of communication[J]. The Bell System Technical Journal, 1948, 27(3): 379-423.
[24] DENG J, DONG W, SOCHER R, et al. Imagenet: a large-scale hierarchical image database[C]//2009 IEEE Conference on Computer Vision and Pattern Recognition, 2009: 248-255.
[25] HE K, ZHANG X, REN S, et al. Deep residual learning for image recognition[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2016: 770-778.
[26] SZEGEDY C, VANHOUCKE V, IOFFE S, et al. Rethinking the inception architecture for computer vision[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2016: 2818-2826.
[27] TAN M, LE Q. Efficientnet: rethinking model scaling for convolutional neural networks[C]//International Conference on Machine Learning, 2019: 6105-6114.
[28] LIU Z, LIN Y, CAO Y, et al. Swin transformer: hierarchical vision transformer using shifted windows[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision, 2021: 10012-10022.
[29] LI Y, WU C Y, FAN H, et al. MViTv2: improved multiscale vision transformers for classification and detection[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022: 4804-4814.
[30] WU H, XIAO B, CODELLA N, et al. Cvt: introducing convolutions to vision transformers[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision, 2021: 22-31.