旋转变换:一种提高对抗性示例可转移性的方法

2021 International Conference on Digital Society and Intelligent Systems (DSInS) Pub Date : 2021-12-03 DOI:10.1109/dsins54396.2021.9670580

Zheming Li, Hengwei Zhang, Junqiang Ma, Bo Yang, Chenwei Li, Jingwen Li

{"title":"旋转变换:一种提高对抗性示例可转移性的方法","authors":"Zheming Li, Hengwei Zhang, Junqiang Ma, Bo Yang, Chenwei Li, Jingwen Li","doi":"10.1109/dsins54396.2021.9670580","DOIUrl":null,"url":null,"abstract":"Convolutional neural network models are fragile to adversarial examples. Adding disturbances that humans cannot observe in clean images can make the model classification error. Among the adversarial attack methods, white-box attacks have achieved a high attack success rate, but the \"overfitting\" between the adversarial examples and the model has led to a low success rate of black-box attacks. To this end, this paper introduces the data augmentation method into the adversarial examples generation process, establishes a probability model to perform random rotation transformation on clean images, improves the mobility of adversarial examples, and improves the success rate of adversarial examples under black-box setting. The experimental results on ImageNet show that the RO-MI-FGSM method we proposed has a stronger attack effect, achieving a black-box attack success rate up to 80.3%.","PeriodicalId":243724,"journal":{"name":"2021 International Conference on Digital Society and Intelligent Systems (DSInS)","volume":"30 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-12-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Rotation Transformation: A Method to Improve the Transferability of Adversarial Examples\",\"authors\":\"Zheming Li, Hengwei Zhang, Junqiang Ma, Bo Yang, Chenwei Li, Jingwen Li\",\"doi\":\"10.1109/dsins54396.2021.9670580\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Convolutional neural network models are fragile to adversarial examples. Adding disturbances that humans cannot observe in clean images can make the model classification error. Among the adversarial attack methods, white-box attacks have achieved a high attack success rate, but the \\\"overfitting\\\" between the adversarial examples and the model has led to a low success rate of black-box attacks. To this end, this paper introduces the data augmentation method into the adversarial examples generation process, establishes a probability model to perform random rotation transformation on clean images, improves the mobility of adversarial examples, and improves the success rate of adversarial examples under black-box setting. The experimental results on ImageNet show that the RO-MI-FGSM method we proposed has a stronger attack effect, achieving a black-box attack success rate up to 80.3%.\",\"PeriodicalId\":243724,\"journal\":{\"name\":\"2021 International Conference on Digital Society and Intelligent Systems (DSInS)\",\"volume\":\"30 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-12-03\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2021 International Conference on Digital Society and Intelligent Systems (DSInS)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/dsins54396.2021.9670580\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 International Conference on Digital Society and Intelligent Systems (DSInS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/dsins54396.2021.9670580","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

摘要

卷积神经网络模型在对抗例子面前是脆弱的。添加人类在干净图像中无法观察到的干扰会使模型产生分类误差。在对抗性攻击方法中，白盒攻击取得了较高的攻击成功率，而对抗性示例与模型之间的“过拟合”导致黑盒攻击的成功率较低。为此，本文将数据增强方法引入到对抗样例生成过程中，建立概率模型对干净图像进行随机旋转变换，提高了对抗样例的移动性，提高了黑箱设置下对抗样例的成功率。在ImageNet上的实验结果表明，我们提出的RO-MI-FGSM方法具有较强的攻击效果，黑盒攻击成功率高达80.3%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Rotation Transformation: A Method to Improve the Transferability of Adversarial Examples

Convolutional neural network models are fragile to adversarial examples. Adding disturbances that humans cannot observe in clean images can make the model classification error. Among the adversarial attack methods, white-box attacks have achieved a high attack success rate, but the "overfitting" between the adversarial examples and the model has led to a low success rate of black-box attacks. To this end, this paper introduces the data augmentation method into the adversarial examples generation process, establishes a probability model to perform random rotation transformation on clean images, improves the mobility of adversarial examples, and improves the success rate of adversarial examples under black-box setting. The experimental results on ImageNet show that the RO-MI-FGSM method we proposed has a stronger attack effect, achieving a black-box attack success rate up to 80.3%.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2021 International Conference on Digital Society and Intelligent Systems (DSInS)

自引率

0.00%

发文量