A hypothetical defenses-based training framework for generating transferable adversarial examples

IF 7.2 1区计算机科学 Q1 COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE

Knowledge-Based Systems Pub Date : 2024-10-08 DOI:10.1016/j.knosys.2024.112602

Lingguang Hao , Kuangrong Hao , Yaochu Jin , Hongzhi Zhao

{"title":"A hypothetical defenses-based training framework for generating transferable adversarial examples","authors":"Lingguang Hao , Kuangrong Hao , Yaochu Jin , Hongzhi Zhao","doi":"10.1016/j.knosys.2024.112602","DOIUrl":null,"url":null,"abstract":"<div><div>Transfer-based attacks utilize the proxy model to craft adversarial examples against the target model and make significant advancements in the realm of black-box attacks. Recent research suggests that these attacks can be enhanced by incorporating adversarial defenses into the training process of adversarial examples. Specifically, adversarial defenses supervise the training process, forcing the attacker to overcome greater challenges and produce more robust adversarial examples with enhanced transferability. However, current methods mainly rely on limited input transformation defenses, which apply only linear affine changes. These defenses are insufficient for effectively removing harmful content from adversarial examples, resulting in restricted improvements in their transferability. To address this issue, we propose a novel training framework named Transfer-based Attacks through Hypothesis Defense (TA-HD). This framework enhances the generalization of adversarial examples by integrating a hypothesis defense mechanism into the proxy model. Specifically, we propose an input denoising network as the hypothesis defense to effectively remove harmful noise from adversarial examples. Furthermore, we introduce an adversarial training strategy and design specific adversarial loss functions to optimize the input denoising network’s parameters. The visualization of the training process demonstrates the effective denoising capability of the hypothesized defense mechanism and the stability of the training process. Extensive experiments show that the proposed training framework significantly improves the success rate of transfer-based attacks by up to 19.9%. The code is available at <span><span>https://github.com/haolingguang/TA-HD</span><svg><path></path></svg></span>.</div></div>","PeriodicalId":49939,"journal":{"name":"Knowledge-Based Systems","volume":null,"pages":null},"PeriodicalIF":7.2000,"publicationDate":"2024-10-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Knowledge-Based Systems","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S095070512401236X","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}

引用次数: 0

Abstract

Transfer-based attacks utilize the proxy model to craft adversarial examples against the target model and make significant advancements in the realm of black-box attacks. Recent research suggests that these attacks can be enhanced by incorporating adversarial defenses into the training process of adversarial examples. Specifically, adversarial defenses supervise the training process, forcing the attacker to overcome greater challenges and produce more robust adversarial examples with enhanced transferability. However, current methods mainly rely on limited input transformation defenses, which apply only linear affine changes. These defenses are insufficient for effectively removing harmful content from adversarial examples, resulting in restricted improvements in their transferability. To address this issue, we propose a novel training framework named Transfer-based Attacks through Hypothesis Defense (TA-HD). This framework enhances the generalization of adversarial examples by integrating a hypothesis defense mechanism into the proxy model. Specifically, we propose an input denoising network as the hypothesis defense to effectively remove harmful noise from adversarial examples. Furthermore, we introduce an adversarial training strategy and design specific adversarial loss functions to optimize the input denoising network’s parameters. The visualization of the training process demonstrates the effective denoising capability of the hypothesized defense mechanism and the stability of the training process. Extensive experiments show that the proposed training framework significantly improves the success rate of transfer-based attacks by up to 19.9%. The code is available at https://github.com/haolingguang/TA-HD.

查看原文本刊更多论文

基于假设防御的训练框架，用于生成可转移的对抗性实例

基于转移的攻击利用代理模型制作针对目标模型的对抗示例，在黑盒攻击领域取得了重大进展。最近的研究表明，将对抗防御纳入对抗示例的训练过程，可以增强这些攻击的效果。具体来说，对抗性防御可对训练过程进行监督，迫使攻击者克服更大的挑战，生成更强大的对抗示例，从而提高可转移性。然而，目前的方法主要依赖于有限的输入变换防御，这种防御只适用于线性仿射变化。这些防御措施不足以有效去除对抗示例中的有害内容，从而限制了对抗示例可转移性的提高。为了解决这个问题，我们提出了一个新颖的训练框架，名为 "通过假设防御的基于转移的攻击"（TA-HD）。该框架将假设防御机制整合到代理模型中，从而增强了对抗示例的泛化能力。具体来说，我们提出了一种输入去噪网络作为假设防御机制，以有效去除对抗示例中的有害噪声。此外，我们还引入了一种对抗训练策略，并设计了特定的对抗损失函数来优化输入去噪网络的参数。训练过程的可视化展示了假设防御机制的有效去噪能力和训练过程的稳定性。大量实验表明，所提出的训练框架能显著提高基于传输的攻击的成功率，最高可达 19.9%。代码见 https://github.com/haolingguang/TA-HD。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Knowledge-Based Systems 工程技术-计算机：人工智能

CiteScore

14.80

自引率

12.50%

发文量

1245

审稿时长

7.8 months

期刊介绍： Knowledge-Based Systems, an international and interdisciplinary journal in artificial intelligence, publishes original, innovative, and creative research results in the field. It focuses on knowledge-based and other artificial intelligence techniques-based systems. The journal aims to support human prediction and decision-making through data science and computation techniques, provide a balanced coverage of theory and practical study, and encourage the development and implementation of knowledge-based intelligence models, methods, systems, and software tools. Applications in business, government, education, engineering, and healthcare are emphasized.