Abstract:

For adversarial examples generation research, gradient-based attack methods are widely used due to fast generation speed and low resource consumption. However, the adversarial examples generated by most existing gradient-based attack methods still exhibit low efficiency in black-box attacks. The state-of-the-art gradient-based attack method only reaches an average success rate of 78.2% when attacking six advanced defense black-box models. To this end, a generation algorithm based on erosion batch normalization layer in deep neural network architecture is proposed to improve existing gradient-based attack methods, so as to generate adversarial examples with higher black-box attack success rates. Extensive experiments on an ImageNet-compatible dataset are conducted under single-model setting and multi-model setting, and the results show that the proposed algorithm can be effectively combined with existing gradient-based attack methods and obtain higher attack success rates with similar computational cost. In addition, the proposed algorithm makes the state-of-the-art gradient-based attack method achieve an increase of 9.0 percentage points in the average success attack rate against six advanced black-box defense models.

Key words: adversarial examples, black-box attacks, erosion, batch normalization layer

摘要：

目前在对抗样本生成研究领域，基于梯度的攻击方法由于生成速度快和资源消耗低而得到广泛应用。然而，现有大多数基于梯度的攻击方法所得对抗样本的黑盒攻击成功率并不高。最强基于梯度的攻击方法在攻击6个先进防御黑盒模型时的平均成功率只有78.2%。为此，提出一种基于腐蚀深度神经网络架构中批归一化层的对抗攻击算法来改进现有基于梯度的攻击方法，以实现所得对抗样本的黑盒攻击成功率进一步提升。在一个ImageNet兼容数据集上做了大量实验，实验结果表明所提出的算法在单模型攻击和集成模型攻击中均能与现有基于梯度的攻击方法有效组合，实现在几乎不增加额外计算开销条件下增强对抗样本的攻击性能。此外，所提算法还使得最强基于梯度的攻击方法针对6个先进防御黑盒模型的平均攻击成功率提升了9.0个百分点。

关键词: 对抗样本, 黑盒攻击, 腐蚀, 批归一化层