An Universal Adversarial Attack Method Based on Spherical Projection
Abstract
Adversarial attack on neural networks has become an important problem restricting its security applications, and among adversarial attacks oriented towards the sample set, the universal perturbation design causing most sample output errors is critical to the study. This paper takes the neural network for image classification as the research object, summarizes the existing universal perturbation generation algorithm, proposes a universal perturbation generation algorithm combining batch stochastic gradient rise and spherical projection search, achieves loss function reduction through the iterative training of stochastic gradient rise in batch samples, and limits the universal perturbation search to a high-dimensional sphere with radius to reduce the search space of universal perturbation. Moreover, the regularized technology is introduced to improve the generation quality of universal perturbations. The experimental results show that compared with the baseline algorithm, the attack success rate increases by more than 10%, the solution efficiency of universal perturbation is improved by one order of magnitude, and the quality controllability of universal perturbation is better.
This paper was recommended by Regional Editor Takuro Sato.
References
- 1. , ImageNet: A large-scale hierarchical image database, Proc. 2009 IEEE Conf. Computer Vision and Pattern Recognition (Piscataway, NJ, 2009) pp. 248–255. Crossref, Google Scholar
- 2. G. Hinton et al., Deep neural networks for acoustic modeling in speech recognition: The shared views of four research groups, IEEE Signal Process. Mag. 29 (2012) 82–97. Google Scholar
- 3. , 3D reconstruction for motion blurred images using deep learning-based intelligent systems, Comput. Mater. Continua 66 (2021) 2087–2104, https://doi.org/10.32604/cmc.2020.014220. Crossref, Web of Science, Google Scholar
- 4. C. Szegedy et al., Intriguing properties of neural networks, arXiv preprint arXiv:1312.6199, 2013. Google Scholar
- 5. , Deepdriving: Learning affordance for direct perception in autonomous driving, Proc. Int. Conf. Computer Vision (Piscataway, NJ, 2015) pp. 2722–2730. Crossref, Google Scholar
- 6. , Adversarial examples for evaluating reading comprehension systems, Proc. 2017 Conf. Empirical Methods in Natural Language Processing (Stroudsburg, PA, 2017), pp. 2021–2031. Crossref, Google Scholar
- 7. S. Samanta and S. Mehta, Towards crafting text adversarial samples (2017), http://arxiv.org/abs/1707.02812 (accessed on May 25, 2021). Google Scholar
- 8. , Adversarial policies: Attacking deep reinforcement learning, in 8th International Conference on Learning Representations,
Addis Ababa, Ethiopia ,April 2020 . Google Scholar - 9. , Intelligent digital twin-based software-defined vehicular networks, IEEE Netw. 99 (2020) 1–7, https://doi.org/10.1109/MNET.011.1900587. Google Scholar
- 10. , Explaining and harnessing adversarial examples, in 3rd International Conference on Learning Representations,
San Diego, CA, USA ,May 2015 . Google Scholar - 11. , Adversarial examples in the physical world, in 5th International Conference on Learning Representations,
Toulon, France ,April 2017 , pp. 99–112. Google Scholar - 12. , Towards deep learning models resistant to adversarial attacks, in 6th International Conference on Learning Representations,
Vancouver, BC, Canada ,April 2018 . Google Scholar - 13. S. Sarkar et al., UPSET and ANGRI: Breaking high performance image classifiers (2017),http://arxiv.org/abs/1707.01159 (accessed on May 25, 2021). Google Scholar
- 14. , ZOO: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models, Proc. 10th ACM Workshop on Artificial Intelligence and Security (ACM, New York, 2017), pp. 15–26. Crossref, Google Scholar
- 15. , One pixel attack for fooling deep neural networks, IEEE Trans. Evol.Comput. 23 (2019) 828–841. Crossref, Web of Science, Google Scholar
- 16. D. Yinpeng et al., Discovering adversarial examples with momentum (2017), http://arxiv.org/abs/1710.06081 (accessed on May 25, 2021). Google Scholar
- 17. , The limitations of deep learning in adversarial settings, Proc. IEEE European Symp Security and Privacy, Saarbrucken (Piscataway, NJ, 2016), pp. 372–387. Crossref, Google Scholar
- 18. , Universal adversarial perturbations, Proc. 2017 IEEE Conf. Computer Vision and Pattern Recognition (Piscataway, NJ, 2017), pp. 86–94. Crossref, Google Scholar
- 19. , DeepFool: A simple and accurate method to fool deep neural networks, Proc. 2016 IEEE Conf. Computer Vision and Pattern Recognition (Piscataway, NJ, 2016), pp. 2574–2582. Crossref, Google Scholar
- 20. , Towards evaluating the robustness of neural networks, Proc. 2017 IEEE Symp. Security and Privacy (Piscataway, NJ, 2017), pp. 39–57. Crossref, Google Scholar
- 21. , CD-UAP: Class discriminative universal adversarial perturbation, Proc. 34th AAAI Conf. Artificial Intelligence (Menlo Park, CA, 2020), pp. 6754–6761. Google Scholar
- 22. , Adaptive iterative attack towards explainable adversarial robustness, Pattern Recognit. 105 (2020) 107309. Crossref, Web of Science, Google Scholar
- 23. , Improving transferability of adversarial examples with input diversity, Proc. 2019 IEEE/CVF Conf. Computer Vision and Pattern Recognition (Piscataway, NJ, 2019), pp. 2730–2739. Google Scholar
- 24. , Art of singular vectors and universal adversarial perturbations, Proc. 2018 IEEE/CVF Conf. Computer Vision and Pattern Recognition (Piscataway, NJ, 2018), pp. 8562–8570. Crossref, Google Scholar
- 25. , Fast feature fool: A data independent approach to universal adversarial perturbations, in British Machine Vision Conference 2017,
London, UK ,September 2017 . Google Scholar - 26. , Universal perturbation generation for black-box attack using evolutionary algorithms, Proc. 24th Int. Conf. Pattern Recognition (Piscataway, NJ, 2018), pp. 1277–1282. Google Scholar
- 27. W. Jing et al., Decision-based universal adversarial attack (2020), https://arxiv.org/abs/2009.07024v1 (accessed on May 25, 2021). Google Scholar
- 28. , Learning universal adversarial perturbations with generative models, Proc. IEEE Security and Privacy Workshops (Piscataway, NJ, 2018), pp. 43–49. Crossref, Google Scholar
- 29. , NAG: Network for adversary generation, Proc. 2018 IEEE/CVF Conf. on Computer Vision and Pattern Recognition (Piscataway, NJ, 2018), pp. 742–751. Crossref, Google Scholar
- 30. , Ask, acquire, and attack: Data-free uap generation using class impressions, Proc. European Conf. Computer Vision (Springer, Berlin, 2018), pp. 19–34. Crossref, Google Scholar
- 31. , Universal adversarial perturbation generated by attacking layer-wise relevance propagation, Proc. 2020 IEEE 10th Int. Conf. Intelligent Systems (Piscataway, NJ, 2020), pp. 431–437. Google Scholar
- 32. , Steganographic universal adversarial perturbations, Pattern Recogni. Lett. 135 (2020) 146–152. Crossref, Web of Science, Google Scholar
- 33. , Universalizable data-free objective for crafting universal adversarial perturbations, IEEE Trans. Pattern Anal. Mach. Intell. 41 (2019) 2452–2465. Crossref, Web of Science, Google Scholar
- 34. , Understanding adversarial examples from the mutual influence of images and perturbations, Proc. 2020 IEEE/CVF Conf. Computer Vision and Pattern Recognition (Piscataway, NJ, 2020), pp. 14521–14530. Google Scholar
- 35. A. Krizhevsky, Learning multiple layers of features from tiny images (2009), http://www.cs.toronto.edu/kriz/learning-features-2009-TR.pdf (accessed on May 5, 2021). Google Scholar
- 36. Y. Netzer et al., Reading digits in natural images with unsupervised feature learning (2011), http://ai.stanford.edu/twangcat/papers/nips2011_housenumbers.pdf (accessed on May 5, 2021). Google Scholar
- 37. , Network in network, in 2nd International Conference on Learning Representations,
Banff, AB, Canada ,April 2014 ,Conference Track Proceedings . ICLR, 2014. Google Scholar - 38. , Very deep convolutional networks for large-scale image recognition, International Conference on Learning Representations,
San Diego ,May 2015 , pp. 1–14. Google Scholar - 39. , Deep residual learning for image recognition, Proc. 2016 IEEE Conf. Computer Vision and Pattern Recognition (Piscataway, NJ, 2016), pp. 770–778. Crossref, Google Scholar