Improving Transferability of Adversarial Samples via Critical Region-Oriented Feature-Level Attack
IEEE Transactions on Information Forensics and Security ( IF 6.3 ) Pub Date : 2024-05-23 , DOI: 10.1109/tifs.2024.3404857
Zhiwei Li 1 , Min Ren 2 , Fangling Jiang 3 , Qi Li 1 , Zhenan Sun 1

Deep neural networks (DNNs) have received a lot of attention because of their impressive progress in computer vision. However, it has been recently shown that DNNs are vulnerable to being spoofed by carefully crafted adversarial samples. These samples are generated by specific attack algorithms that can obfuscate the target model without being detected by humans. Recently, feature-level attacks have been the focus of research due to their high transferability. Existing state-of-the-art feature-level attacks all improve the transferability by greedily changing the attention of the model. However, for images that contain multiple target class objects, the attention of different models may differ significantly. Thus greedily changing attention may cause the adversarial samples corresponding to these images to fall into the local optimum of the surrogate model. Furthermore, due to the great structural differences between vision transformers (ViTs) and convolutional neural networks (CNNs), adversarial samples generated on CNNs with feature-level attacks have greater difficulty attacking ViTs successfully. To overcome these drawbacks, we perform the Critical Region-oriented Feature-level Attack (CRFA) in this paper. Specifically, we first propose the Perturbation Attention-aware Weighting (PAW), which destroys critical regions of the image by performing feature-level attention weighting on the adversarial perturbations while changing the model attention as little as possible. Then we propose the Region ViT-critical Retrieval (RVR), which enables the generator to accommodate the transferability of adversarial samples on ViTs by adding extra prior knowledge of ViTs to the decoder. Extensive experiments demonstrate significant performance improvements achieved by our approach, i.e., improving the fooling rate by 19.9% against CNNs and 25.0% against ViTs compared to the state-of-the-art feature-level attack method.

Updated: 2024-05-23