
Generating and utilizing targeted adversarial examples by AE-WGAN transformation (cited by: 3)
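Abstract (translated from the Chinese): Because adversarial examples can degrade a model's accuracy through small, hard-to-perceive perturbations, they greatly affect the application and deployment of deep learning in fields with high security requirements, such as driverless systems, unmanned aerial vehicles and intrusion detection. To generate adversarial examples that contain slight semantic perturbations, the paper uses generative adversarial networks to design and implement AE-WGAN (Auto Encoder WGAN), which performs a high-quality mapping transformation, and then uses the Latent Encodings Targeted Transfer (LE-TT) algorithm to generate targeted adversarial examples, achieving a black-box attack that changes the model's prediction toward a chosen target without access to the target model's internal information. Adversarial example generation results on the classic image datasets MNIST and CIFAR-10 show that the LE-TT algorithm not only achieves a good black-box attack effect but also has good transferability. In addition, as a semi-supervised data augmentation method, the adversarial examples generated by the algorithm, once given correct labels and added to retrain the model, improved its generalization to data outside the known distribution.

Abstract (English, as published): Adversarial examples decrease the accuracy of a target model through imperceptible distortion, which greatly limits the application and deployment of deep learning in fields with high security requirements, such as driverless systems, unmanned aerial vehicles and intrusion detection. By introducing and recomposing generative adversarial networks, auto encoder WGAN (AE-WGAN) is implemented to perform the generation process in latent space by using mapping transformation and image discrimination. The process needs no access to the target model to acquire its internal information. On the MNIST and CIFAR-10 datasets, the results show a good black-box attack, and the adversarial examples crafted by the process have great transferability. In addition, the process can be seen as a form of semi-supervised data augmentation, as the generalization of the target model is improved by adding these adversarial examples with correct labels to retrain the target model.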
Authors: 张洁 (ZHANG Jie); 张志昊 (ZHANG Zhihao) (School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China)
Source: Journal of Nanjing University of Posts and Telecommunications: Natural Science Edition (《南京邮电大学学报(自然科学版)》), Peking University Core Journal, 2020, No. 1, pp. 63-69 (7 pages)
Funding: Supported by the Nanjing University of Posts and Telecommunications university-level research fund (NY219122) and the National Key R&D Program of China (2018YFB1500902).
Keywords: generative adversarial networks; adversarial examples; black-box attack; semi-supervised learning
