Computer Engineering and Applications ›› 2022, Vol. 58 ›› Issue (7): 68-76. DOI: 10.3778/j.issn.1002-8331.2102-0210

• Theory, Research and Development •


Adversarial Attack Against ResNeXt Based on Few-Shot Learning and Causal Intervention

WANG Zhiyong, XING Kai, DENG Hongwu, LI Yaming, HU Xuan   

  1. School of Cyberspace Security, University of Science and Technology of China, Hefei 230026, China
  2. Suzhou Research Institute, University of Science and Technology of China, Suzhou, Jiangsu 215123, China
  • Online: 2022-04-01    Published: 2022-04-01

Abstract: With the rapid development and wide application of deep learning in computer vision, natural language processing and other fields, deep learning models have gradually become high-value attack targets, and their inherent susceptibility to noise has been exposed: attack methods based on generative adversarial networks (GAN) or machine learning can add a small amount of carefully crafted noise to the data to generate adversarial examples that cause existing deep learning models to fail. Current attack methods usually target a specific deep learning model and rely on massive computing power to search for the required perturbation; whether GAN-based or based on traditional machine learning, their computing efficiency and attack success rate are therefore restricted by data scale, computing power and model structure. To address these problems, this paper focuses on the structural analysis of deep learning models, taking ResNeXt50/ResNeXt101 as examples. Based on data augmentation, modulation interventions are applied to generate sequence data from non-sequential image data, and the structural weakness of ResNeXt50/ResNeXt101, a time-invariant stable structure, is analyzed. A Wasserstein-distance-based method is proposed that can locate this structural weakness with only a few samples, and a new adversarial attack against the structural weakness is then proposed based on the L norm, greatly reducing the requirements on computing power and data. Experiments on the ImageNet dataset show that the proposed method dramatically reduces the computing power needed for adversarial attacks. Taking the C&W method as the baseline, theoretical analysis and experimental results show that, under the same environment, the attack success rate of the proposed method is 0.99, 5.32% higher than the C&W method; the average attack time is 6.52 s, 10.81% lower than the C&W algorithm; and the distortion of the adversarial examples is 0.50, 18.03% lower than the C&W algorithm. All metrics indicate that the proposed method significantly outperforms the C&W method.
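
The abstract describes the pipeline only at a high level. The sketch below is a hypothetical Python illustration of the general idea, not the authors' implementation: it uses torchvision's resnext50_32x4d (torchvision ≥ 0.13 assumed) and scipy.stats.wasserstein_distance to (1) build a short "sequence" of modulated views of a single image, (2) rank the channels of an intermediate stage by how little their activation distribution drifts across the modulations, as a stand-in for the time-invariant stable structure, and (3) perturb the image under an L-infinity budget to suppress those stable channels. The hooked stage (layer3), the chosen modulations, the budget eps and the helper names (channel_samples, stable_channels, attack) are all illustrative assumptions; the paper's actual norm, intervention scheme and localization criterion may differ.

# Hypothetical sketch (not the authors' released code): locate a "time-invariant
# stable structure" in ResNeXt50 by comparing channel activation distributions
# across modulated views of one image with the 1-D Wasserstein distance, then
# perturb the image under an L-infinity budget to disrupt the stable channels.
import torch
import torchvision.models as models
import torchvision.transforms as T
from scipy.stats import wasserstein_distance

model = models.resnext50_32x4d(weights="IMAGENET1K_V1").eval()
for p in model.parameters():
    p.requires_grad_(False)

acts = {}
model.layer3.register_forward_hook(lambda m, i, out: acts.update(feat=out))

def channel_samples(x):
    # Forward one (3, 224, 224) image in [0, 1]; return (C, H*W) activation samples.
    with torch.no_grad():
        model(x.unsqueeze(0))
    return acts["feat"][0].flatten(1).cpu().numpy()

# Stand-in for the modulation-based intervention: a short "sequence" of
# augmented views generated from the same non-sequential image.
modulations = [T.ColorJitter(0.3, 0.3), T.GaussianBlur(3), T.RandomRotation(10)]

def stable_channels(img, k=32):
    # Rank channels by total distribution drift across the sequence; the k
    # channels with the smallest drift approximate the stable substructure.
    base = channel_samples(img)
    drift = torch.zeros(base.shape[0])
    for m in modulations:
        view = channel_samples(m(img))
        for c in range(base.shape[0]):
            drift[c] += wasserstein_distance(base[c], view[c])
    return torch.topk(-drift, k).indices

def attack(img, channels, eps=8 / 255, steps=20, lr=1 / 255):
    # L-infinity-bounded perturbation that suppresses the stable channels.
    delta = torch.zeros_like(img, requires_grad=True)
    for _ in range(steps):
        model((img + delta).clamp(0, 1).unsqueeze(0))
        loss = acts["feat"][0, channels].pow(2).mean()
        loss.backward()
        with torch.no_grad():
            delta -= lr * delta.grad.sign()
            delta.clamp_(-eps, eps)
            delta.grad.zero_()
    return (img + delta).clamp(0, 1).detach()

In practice one would normalize the input as the pretrained model expects and choose the hooked stage and k empirically; the sketch only conveys how a few modulated samples and a Wasserstein-distance ranking could replace a large-scale perturbation search.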

Key words: adversarial attack, time-invariant stable structure, Wasserstein distance, few-shot learning, ResNeXt