Patch-wise Attack for Fooling Deep Neural Network
arXiv - CS - Computer Vision and Pattern Recognition | Pub Date: 2020-07-14 | DOI: arxiv-2007.06765
Authors: Lianli Gao, Qilong Zhang, Jingkuan Song, Xianglong Liu, Heng Tao Shen
By adding human-imperceptible noise to clean images, the resultant
adversarial examples can fool other unknown models. Features of a pixel
extracted by deep neural networks (DNNs) are influenced by its surrounding
regions, and different DNNs generally focus on different discriminative regions
in recognition. Motivated by this, we propose a patch-wise iterative algorithm
-- a black-box attack towards mainstream normally trained and defense models,
which differs from the existing attack methods manipulating pixel-wise noise.
In this way, without sacrificing the performance of white-box attack, our
adversarial examples can have strong transferability. Specifically, we
introduce an amplification factor to the step size in each iteration, and one
pixel's overall gradient overflowing the $\epsilon$-constraint is properly
assigned to its surrounding regions by a project kernel. Our method can be
generally integrated into any gradient-based attack method. Compared with the
current state-of-the-art attacks, we significantly improve the success rate by
9.2% for defense models and 3.7% for normally trained models on average. Our
code is available at
https://github.com/qilong-zhang/Patch-wise-iterative-attack
Updated: 2020-07-17