低频域历史驱动的有效对抗摄动分布学习

IF 3 4区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Han Cao, Qindong Sun, Yaqi Li, Rong Geng, Xiaoxiong Wang
{"title":"低频域历史驱动的有效对抗摄动分布学习","authors":"Han Cao, Qindong Sun, Yaqi Li, Rong Geng, Xiaoxiong Wang","doi":"10.1145/3632293","DOIUrl":null,"url":null,"abstract":"The existence of adversarial image makes us have to doubt the credibility of artificial intelligence system. Attackers can use carefully processed adversarial images to carry out a variety of attacks. Inspired by the theory of image compressed sensing, this paper proposes a new black-box attack, \\(\\mathcal {N}\\text{-HSA}_{LF} \\) . It uses covariance matrix adaptive evolution strategy (CMA-ES) to learn the distribution of adversarial perturbation in low frequency domain, reducing the dimensionality of solution space. And sep-CMA-ES is used to set the covariance matrix as a diagonal matrix, which further reduces the dimensions that need to be updated for the covariance matrix of multivariate Gaussian distribution learned in attacks, thereby reducing the computational cost of attack. And on this basis, we propose history-driven mean update and current optimal solution-guided improvement strategies to avoid the evolution of distribution to a worse direction. The experimental results show that the proposed \\(\\mathcal {N}\\text{-HSA}_{LF} \\) can achieve a higher attack success rate with fewer queries on attacking both CNN-based and transformer-based target models under L 2 -norm and L ∞ -norm constraints of perturbation. We also conduct an ablation study and the results show that the proposed improved strategies can effectively reduce the number of visits to the target model when making adversarial examples for hard examples. In addition, our attack is able to make the integrated defense strategy of GRIP-GAN and noise-embedded training ineffective to a certain extent.","PeriodicalId":56050,"journal":{"name":"ACM Transactions on Privacy and Security","volume":"110 s425","pages":"0"},"PeriodicalIF":3.0000,"publicationDate":"2023-11-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Efficient History-Driven Adversarial Perturbation Distribution Learning in Low Frequency Domain\",\"authors\":\"Han Cao, Qindong Sun, Yaqi Li, Rong Geng, Xiaoxiong Wang\",\"doi\":\"10.1145/3632293\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The existence of adversarial image makes us have to doubt the credibility of artificial intelligence system. Attackers can use carefully processed adversarial images to carry out a variety of attacks. Inspired by the theory of image compressed sensing, this paper proposes a new black-box attack, \\\\(\\\\mathcal {N}\\\\text{-HSA}_{LF} \\\\) . It uses covariance matrix adaptive evolution strategy (CMA-ES) to learn the distribution of adversarial perturbation in low frequency domain, reducing the dimensionality of solution space. And sep-CMA-ES is used to set the covariance matrix as a diagonal matrix, which further reduces the dimensions that need to be updated for the covariance matrix of multivariate Gaussian distribution learned in attacks, thereby reducing the computational cost of attack. And on this basis, we propose history-driven mean update and current optimal solution-guided improvement strategies to avoid the evolution of distribution to a worse direction. The experimental results show that the proposed \\\\(\\\\mathcal {N}\\\\text{-HSA}_{LF} \\\\) can achieve a higher attack success rate with fewer queries on attacking both CNN-based and transformer-based target models under L 2 -norm and L ∞ -norm constraints of perturbation. We also conduct an ablation study and the results show that the proposed improved strategies can effectively reduce the number of visits to the target model when making adversarial examples for hard examples. In addition, our attack is able to make the integrated defense strategy of GRIP-GAN and noise-embedded training ineffective to a certain extent.\",\"PeriodicalId\":56050,\"journal\":{\"name\":\"ACM Transactions on Privacy and Security\",\"volume\":\"110 s425\",\"pages\":\"0\"},\"PeriodicalIF\":3.0000,\"publicationDate\":\"2023-11-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"ACM Transactions on Privacy and Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3632293\",\"RegionNum\":4,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Privacy and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3632293","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

对抗性图像的存在使我们不得不对人工智能系统的可信度产生怀疑。攻击者可以使用经过精心处理的对抗图像来进行各种攻击。受图像压缩感知理论的启发,本文提出了一种新的黑盒攻击方法\(\mathcal {N}\text{-HSA}_{LF} \)。它采用协方差矩阵自适应进化策略(CMA-ES)来学习对抗扰动在低频域的分布,降低解空间的维数。利用sep-CMA-ES将协方差矩阵设置为对角矩阵,进一步降低了攻击中学习到的多元高斯分布协方差矩阵需要更新的维数,从而降低了攻击的计算代价。在此基础上,提出了历史驱动的均值更新策略和当前最优解导向的改进策略,以避免分布向较差方向演化。实验结果表明,在扰动的l2范数和L∞范数约束下,本文提出的\(\mathcal {N}\text{-HSA}_{LF} \)在攻击基于cnn和基于变压器的目标模型时,能够以较少的查询次数获得较高的攻击成功率。我们还进行了消融研究,结果表明所提出的改进策略可以有效地减少对目标模型的访问次数。此外,我们的攻击可以在一定程度上使GRIP-GAN与噪声嵌入训练的综合防御策略失效。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Efficient History-Driven Adversarial Perturbation Distribution Learning in Low Frequency Domain
The existence of adversarial image makes us have to doubt the credibility of artificial intelligence system. Attackers can use carefully processed adversarial images to carry out a variety of attacks. Inspired by the theory of image compressed sensing, this paper proposes a new black-box attack, \(\mathcal {N}\text{-HSA}_{LF} \) . It uses covariance matrix adaptive evolution strategy (CMA-ES) to learn the distribution of adversarial perturbation in low frequency domain, reducing the dimensionality of solution space. And sep-CMA-ES is used to set the covariance matrix as a diagonal matrix, which further reduces the dimensions that need to be updated for the covariance matrix of multivariate Gaussian distribution learned in attacks, thereby reducing the computational cost of attack. And on this basis, we propose history-driven mean update and current optimal solution-guided improvement strategies to avoid the evolution of distribution to a worse direction. The experimental results show that the proposed \(\mathcal {N}\text{-HSA}_{LF} \) can achieve a higher attack success rate with fewer queries on attacking both CNN-based and transformer-based target models under L 2 -norm and L ∞ -norm constraints of perturbation. We also conduct an ablation study and the results show that the proposed improved strategies can effectively reduce the number of visits to the target model when making adversarial examples for hard examples. In addition, our attack is able to make the integrated defense strategy of GRIP-GAN and noise-embedded training ineffective to a certain extent.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
ACM Transactions on Privacy and Security
ACM Transactions on Privacy and Security Computer Science-General Computer Science
CiteScore
5.20
自引率
0.00%
发文量
52
期刊介绍: ACM Transactions on Privacy and Security (TOPS) (formerly known as TISSEC) publishes high-quality research results in the fields of information and system security and privacy. Studies addressing all aspects of these fields are welcomed, ranging from technologies, to systems and applications, to the crafting of policies.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信