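Adversarial Attack Transferability Enhancement Algorithm Based on Input Channel Splitting
Cite this article: ZHENG Desheng, CHEN Jixin, ZHOU Jing, KE Wuping, LU Chao, ZHOU Yong, QIU Qian. Adversarial Attack Transferability Enhancement Algorithm Based on Input Channel Splitting[J]. Computer Engineering, 2023, 49(1): 130-137.
Authors: ZHENG Desheng, CHEN Jixin, ZHOU Jing, KE Wuping, LU Chao, ZHOU Yong, QIU Qian
Affiliations: 1. School of Computer Science, Southwest Petroleum University, Chengdu 610500; 2. Key Laboratory on Aero-Engine Altitude Simulation Technology, Sichuan Gas Turbine Establishment, AECC, Mianyang, Sichuan 621000; 3. School of Power and Energy, Northwestern Polytechnical University, Xi'an 710072
Funding: Sichuan Science and Technology Program Key R&D Project "Research on Key Technologies for Complex Image Processing Based on Quantum Generative Adversarial Networks" (2022YFG0315); Sichuan Science and Technology Program Key R&D Project "Research and Application of Intelligent Cataloguing and Inference Fusion for Multi-Source Aero-Engine Test Data" (2022YFG0174); Stable Support Project of the Sichuan Gas Turbine Establishment, Aero Engine Corporation of China (GJCZ-2019-59); Chengdu Key Demonstration Project "Construction and Application Demonstration of a B2T-Based Intelligent Logistics Cloud Platform" (2019-YF09-00044-CG).
Abstract: Deep neural networks have been applied in scenarios such as face recognition and autonomous driving, but they are vulnerable to attacks by adversarial samples. Methods for generating adversarial samples are divided into white-box attacks and black-box attacks. When an adversarial attack algorithm attacks a white-box model, it suffers from overfitting, which reduces the transferability of the generated adversarial samples. This paper proposes CSA, an adversarial attack algorithm for generating highly transferable adversarial samples. In each iteration, the channels of the input RGB image are split to obtain three single-channel input images, which are then zero-padded to obtain three three-channel input images. The resulting images are passed to the model together with the original RGB input image for gradient computation, which adjusts the update direction of the original gradient and avoids local optima. On this basis, adversarial samples are generated using the sign method. Experiments on the ImageNet dataset verify the effectiveness of the algorithm. The results show that CSA effectively improves the transferability of adversarial attacks: its average attack success rate on four normally trained models is 84.2%, and DI-TI-CSA, obtained by combining it with DIM and TIM, achieves an average attack success rate of 94.7% on three adversarially trained black-box models and 91.8% on seven defense models.

Keywords: adversarial attack; transferability enhancement; adversarial sample; white-box model; ImageNet dataset
Received: 2022-04-01
Revised: 2022-06-20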

Adversarial Attack Transferability Enhancement Algorithm Based on Input Channel Splitting
ZHENG Desheng, CHEN Jixin, ZHOU Jing, KE Wuping, LU Chao, ZHOU Yong, QIU Qian. Adversarial Attack Transferability Enhancement Algorithm Based on Input Channel Splitting[J]. Computer Engineering, 2023, 49(1): 130-137.
Authors: ZHENG Desheng, CHEN Jixin, ZHOU Jing, KE Wuping, LU Chao, ZHOU Yong, QIU Qian
Affiliation: 1. School of Computer Science, Southwest Petroleum University, Chengdu 610500, China; 2. Key Laboratory on Aero-Engine Altitude Simulation Technology, Sichuan Gas Turbine Establishment, AECC, Mianyang, Sichuan 621000, China; 3. School of Power and Energy, Northwestern Polytechnical University, Xi'an 710072, China
Abstract: The Deep Neural Network (DNN) has been widely used in face recognition, automatic driving, and other scenarios; however, it is vulnerable to attacks by adversarial samples. Methods by which adversarial samples are generated can be classified into white-box and black-box attacks. When an adversarial attack algorithm attacks the white-box model, overfitting occurs, which reduces the transferability of the generated adversarial samples. Herein, an adversarial attack algorithm, CSA, is proposed to generate highly transferable adversarial samples. In each iteration of the attack, three single-channel input images are obtained by splitting the channels of the input RGB image, and zero filling is performed to obtain three three-channel input images. The resulting images and the original RGB input image are passed to the model together for gradient calculation, and the update direction of the original gradient is adjusted to avoid local optima. Subsequently, adversarial samples are generated using the sign method. An experiment performed on the ImageNet dataset verifies the effectiveness of the proposed algorithm. In particular, the results show that the proposed algorithm can effectively improve the transferability of adversarial attacks. The average attack success rate on four conventional training models is 84.2%, whereas the average attack success rate of the DI-TI-CSA algorithm, based on the combination of CSA, DIM and TIM, is 94.7% on three adversarial training black-box models and 91.8% on seven defense models.
Keywords: adversarial attack; transferability enhancement; adversarial sample; white-box model; ImageNet dataset