摘要
现有黑盒对抗攻击方法可以通过替代模型模拟目标黑盒模型的决策边界,并据此生成对抗样本,但替代模型通常具有固定的结构,这在某种程度上可能会限制其攻击效果。为了解决这一问题,提出了一种基于动态替代结构增强黑盒对抗攻击的方法。方法包含一个新颖的动态网络结构,能够自适应地寻找与目标模型最匹配的替代模型结构,全过程不依赖任何先验知识。实验证明了该方法的攻击成功率较现有方法有所提升,且替代模型的决策边界与目标模型的决策边界吻合度高,使得原本设计用于白盒攻击的策略也能有效地应用于黑盒攻击。
The existing black-box adversarial attack methods can simulate the decision boundaries of the target black-box models by establishing substitute models,thereby generating adversarial samples.However,these substitute models often have fixed network structures,which may constrain their attack effectiveness to some extent.To address this issue,a method of enhancing black-box adversarial attack based on dynamic substitute structure is proposed.This method includes an innovative dynamic network structure,which can adaptively find the best matching substitute model structure with the target model,and the whole process does not depend on any prior knowledge.Experiments show that this method improves the success rate of attacks compared to existing methods,and the decision boundary of the substitute model closely aligns with that of the target model,enabling strategies originally designed for white-box attacks to be effectively applied to black-box attacks.
作者
曾繁茂
ZENG Fanmao(School of Computer Science and Engineering,Anhui University of Science and Technology,Huainan Anhui 232001,China)
出处
《兰州工业学院学报》
2024年第2期19-23,共5页
Journal of Lanzhou Institute of Technology
基金
国家自然科学基金(61572034)
安徽省自然科学基金(2008085MF220)。
关键词
黑盒攻击
知识蒸馏
对抗攻击
对抗样本
black-box attack
knowledge distillation
adversarial attack
adversarial examples
