聚焦图像对抗攻击算法PS-MIFGSM

针对目前主流对抗攻击算法通过扰动全局图像特征导致攻击隐蔽性降低的问题,提出一种聚焦图像的无目标攻击算法——PS-MIFGSM。首先,通过Grad-CAM算法捕获卷积神经网络(CNN)在分类任务中对图像的重点关注区域;然后,使用MI-FGSM攻击分类网络,生成对抗扰动,并且将扰动作用于图像的重点关注区域,而图像的非关注区域保持不变,从而生成新的对抗样本。在实验部分,以三种图像分类模型Inception_v1、Resnet_v1和Vgg_16为基础,对比了PS-MIFGSM和MI-FGSM两种方法分别进行单模型攻击和集合模型攻击的效果。实验结果表明,PSMIFGSM能够在攻击成功率不变的同时,有效降低对抗样本与真实样本的差异大小。

PS-MIFGSM: focus image adversarial attack algorithm

Aiming at the problem of the present mainstream adversarial attack algorithm that the attack invisibility is reduced by disturbing the global image features, an untargeted attack algorithm named PS-MIFGSM (Perceptual-Sensitive Momentum Iterative Fast Gradient Sign Method) was proposed. Firstly, the areas of the image focused by Convolutional Neural Network (CNN) in the classification task were captured by using Grad-CAM algorithm. Then, MI-FGSM (Momentum Iterative Fast Gradient Sign Method) was used to attack the classification network to generate the adversarial disturbance, and the disturbance was applied to the focus areas of the image with the non-focus areas of the image unchanged, thereby, a new adversarial sample was generated. In the experiment, based on three image classification models Inception_v1, Resnet_v1 and Vgg_16, the effects of PS-MIFGSM and MI-FGSM on single model attack and set model attack were compared. The results show that PS-MIFGSM can effectively reduce the difference between the real sample and the adversarial sample with the attack success rate unchanged.