基于GAN的对抗样本生成研究
|
摘要
深度卷积神经网络在图像分类、目标检测和人脸识别等任务上取得了较好性能,但其在面临对抗攻击时容易发生误判。为了提高卷积神经网络的安全性,针对图像分类中的定向对抗攻击问题,提出一种基于生成对抗网络的对抗样本生成方法。利用类别概率向量重排序函数和生成对抗网络,在待攻击神经网络内部结构未知的前提下对其作对抗攻击。实验结果显示,提出的方法在对样本的扰动不超过5%的前提下,定向对抗攻击的平均成功率较对抗变换网络提高了1.5%,生成对抗样本所需平均时间降低了20%。
Deep convolution neural network has achieved good performance in image classification, target detection and face recognition. At the same time, some studies have found that deep convolution neural network is prone to misjudgment when facing adversarial attack. In order to improve the security of convolutional neural network, aiming at the problem of directional countermeasure attack in image classification, we proposed adversarial examples generation based on GAN. Using the re-ordering function of the class probability vector and GAN, the antagonistic attack was made on the premise that the internal structure of the neural network to be attacked was unknown. The experimental results show that the method improves the average success rate of directional countermeasure attack by 1.5% and reduces the average time required to generate countermeasure samples by 20% when the perturbation to the samples is not more than 5%.
Deep convolution neural network has achieved good performance in image classification, target detection and face recognition. At the same time, some studies have found that deep convolution neural network is prone to misjudgment when facing adversarial attack. In order to improve the security of convolutional neural network, aiming at the problem of directional countermeasure attack in image classification, we proposed adversarial examples generation based on GAN. Using the re-ordering function of the class probability vector and GAN, the antagonistic attack was made on the premise that the internal structure of the neural network to be attacked was unknown. The experimental results show that the method improves the average success rate of directional countermeasure attack by 1.5% and reduces the average time required to generate countermeasure samples by 20% when the perturbation to the samples is not more than 5%.
引文
[1] Lecun Y,Bengio Y,Hinton G.Deep learning[J].Nature,2015,521(7553):436.
[2] Szegedy C,Zaremba W,Sutskever I,et al.Intriguing properties of neural networks[EB/OL].[2013-12-21].https://arxiv.org/abs/1312.6199v4.
[3] Goodfellow I,Shlens J,Szegedy C.Explaining and Harnessing Adversarial Examples[EB/OL].[2014-12-20].https://arxiv.org/abs/1412.6572.
[4] Kurakin A,Goodfellow I,Bengio S.Adversarial Machine Learning at Scale[EB].arXiv:1611.01236,2016.
[5] Papernot N,McDaniel P,Wu X,et al.Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks[C]//2016 IEEE Symposium on Security and Privacy(SP).IEEE,2015.
[6] Baluja S,Fischer I.Adversarial Transformation Networks:Learning to Generate Adversarial Examples[EB].arXiv:1703.09387,2017.
[7] Goodfellow I,Pouget-Abadie J,Mirza M,et al.Generative Adversarial Networks[EB].arXiv:1406.2661,2014
[8] 王坤峰,苟超,段艳杰,等.生成式对抗网络GAN的研究进展与展望[J].自动化学报,2017,43(3):321-332.
[9] Reed S,Akata Z,Mohan S,et al.Learning What and Where to Draw[EB].arXiv:1610.02454,2016.
[10] Isola P,Zhu J Y,Zhou T,et al.Image-to-Image Translation with Conditional Adversarial Networks[EB].arXiv:1611.07004,2016.
[11] Zhu J Y,Park T,Isola P,et al.Unpaired Image-to-Image Translation Using Cycle-Consistent Adversarial Networks[C]//2017 IEEE International Conference on Computer Vision(ICCV).IEEE,2017:2242-2251.
[12] Radford A,Metz L,Chintala S.Unsupervised Representation Learning with Deep Convolutional Generative Adversarial Networks[EB].arXiv:1511.06434,2015.
[13] Shi W,Caballero J,Huszar F,et al.Real-Time Single Image and Video Super-Resolution Using an Efficient Sub-Pixel Convolutional Neural Network[C]//Computer Vision and Pattern Recognition.IEEE,2016:1874-1883.
[14] Ioffe S,Szegedy C.Batch normalization:accelerating deep network training by reducing internal covariate shift[C]//International Conference on International Conference on Machine Learning.JMLR.org,2015:448-456.
[15] Ulyanov D,Vedaldi A,Lempitsky V.Instance Normalization:The Missing Ingredient for Fast Stylization[EB].arXiv:1607.08022,2016.
[16] 廖星宇.深度学习入门之PyTorch[M].北京:电子工业出版社,2017.
[17] Krizhevsky A,Sutskever I,Hinton G E.ImageNet classification with deep convolutional neural networks[C]//International Conference on Neural Information Processing Systems.Curran Associates Inc.2012:1097-1105.
[18] Russakovsky O,Deng J,Su H.et al.ImageNet Large Scale Visual Recognition Challenge[J].International Journal of Computer Vision,2014,115(3):211-252.
[2] Szegedy C,Zaremba W,Sutskever I,et al.Intriguing properties of neural networks[EB/OL].[2013-12-21].https://arxiv.org/abs/1312.6199v4.
[3] Goodfellow I,Shlens J,Szegedy C.Explaining and Harnessing Adversarial Examples[EB/OL].[2014-12-20].https://arxiv.org/abs/1412.6572.
[4] Kurakin A,Goodfellow I,Bengio S.Adversarial Machine Learning at Scale[EB].arXiv:1611.01236,2016.
[5] Papernot N,McDaniel P,Wu X,et al.Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks[C]//2016 IEEE Symposium on Security and Privacy(SP).IEEE,2015.
[6] Baluja S,Fischer I.Adversarial Transformation Networks:Learning to Generate Adversarial Examples[EB].arXiv:1703.09387,2017.
[7] Goodfellow I,Pouget-Abadie J,Mirza M,et al.Generative Adversarial Networks[EB].arXiv:1406.2661,2014
[8] 王坤峰,苟超,段艳杰,等.生成式对抗网络GAN的研究进展与展望[J].自动化学报,2017,43(3):321-332.
[9] Reed S,Akata Z,Mohan S,et al.Learning What and Where to Draw[EB].arXiv:1610.02454,2016.
[10] Isola P,Zhu J Y,Zhou T,et al.Image-to-Image Translation with Conditional Adversarial Networks[EB].arXiv:1611.07004,2016.
[11] Zhu J Y,Park T,Isola P,et al.Unpaired Image-to-Image Translation Using Cycle-Consistent Adversarial Networks[C]//2017 IEEE International Conference on Computer Vision(ICCV).IEEE,2017:2242-2251.
[12] Radford A,Metz L,Chintala S.Unsupervised Representation Learning with Deep Convolutional Generative Adversarial Networks[EB].arXiv:1511.06434,2015.
[13] Shi W,Caballero J,Huszar F,et al.Real-Time Single Image and Video Super-Resolution Using an Efficient Sub-Pixel Convolutional Neural Network[C]//Computer Vision and Pattern Recognition.IEEE,2016:1874-1883.
[14] Ioffe S,Szegedy C.Batch normalization:accelerating deep network training by reducing internal covariate shift[C]//International Conference on International Conference on Machine Learning.JMLR.org,2015:448-456.
[15] Ulyanov D,Vedaldi A,Lempitsky V.Instance Normalization:The Missing Ingredient for Fast Stylization[EB].arXiv:1607.08022,2016.
[16] 廖星宇.深度学习入门之PyTorch[M].北京:电子工业出版社,2017.
[17] Krizhevsky A,Sutskever I,Hinton G E.ImageNet classification with deep convolutional neural networks[C]//International Conference on Neural Information Processing Systems.Curran Associates Inc.2012:1097-1105.
[18] Russakovsky O,Deng J,Su H.et al.ImageNet Large Scale Visual Recognition Challenge[J].International Journal of Computer Vision,2014,115(3):211-252.