Simplex噪声区域中目标特征的对抗攻击算法

针对当前黑盒环境中,主流的图像对抗攻击算法在有限的目标模型访问查询次数条件下攻击准确率低的问题,提出一种基于目标特征和限定区域采样的目标攻击算法.首先根据原始图像和目标图像生成初始对抗样本;然后在Simplex-mean噪声区域中进行扰动采样,并根据对抗样本和原始图像差异度以及目标特征区域位置决定扰动大小;最后将扰动作用于初始对抗样本中,使新的对抗样本在保持对抗性的同时缩小与原始图像的差异度.以常见的图像分类模型InceptionV3和VGG16等为基础,在相同的目标模型访问查询,以及与对抗样本和原始图像的l₂距离小于55.89的条件下,采用BBA等算法对同一图像集和目标集进行攻击.实验结果表明,在同样的目标模型访问查询和l₂=55.89的限制条件下,不超过5 000次目标查询时,在InceptionV3模型上该算法的攻击准确率比同类攻击算法提升至少50%.

Adversarial Attack Algorithm on Target Features in Simplex Noise Area

A target adversarial attack algorithm based on target features and limited area sampling is proposed to improve the low attack accuracy of the current adversarial attack algorithms when only limited target model access queries are allowed in the black-box scenario.Firstly,an initial adversarial example is generated by the original image and the target image.Then the disturbance is sampled in the Simplex-mean noise region and determined by the location of target feature region and the difference between the adversarial example and the original image.The disturbance is used in the initial adversarial example to keep the newly generated one adversarial and to reduce the difference between it and the original image.Based on the common image classification model InceptionV3 and VGG16,under the same target model access query and the l₂ distance between the adversarial example and the original image is less than 55.89.The experimental results using algorithms such as BBA to attack the same image set and target set show that the accuracy of the proposed algorithm is at least 50%higher than that of similar attack algorithms under the same target model access query and l2=55.89,with no more than 5000 target queries in InceptionV3 model.