通过可迁移性差距提升对抗可迁移性

doi:10.3969/j.issn.0255-8297.2025.05.007

应用科学学报 ›› 2025, Vol. 43 ›› Issue (5): 799-807.doi: 10.3969/j.issn.0255-8297.2025.05.007

• 信号与信息处理 • 上一篇

通过可迁移性差距提升对抗可迁移性

王金伟^1,2, 王海桦¹, 吴昊¹, 罗向阳³, 马宾⁴

1. 南京信息工程大学计算机学院, 江苏南京 210044;
2. 南京信息工程大学数字取证教育部工程研究中心, 江苏南京 210044;
3. 数学工程与先进计算国家重点实验室, 河南郑州 450001;
4. 齐鲁工业大学山东省计算机网络重点实验室, 山东济南 250353

收稿日期:2023-08-31 发布日期:2025-10-16
通信作者: 王金伟，教授，研究方向为信息安全、多媒体取证、人工智能安全。E-mail:wjwei_2004@163.com E-mail:wjwei_2004@163.com
基金资助:
国家自然科学基金（No. 62072250, No. 62172435, No. U1804263, No. U20B2065, No. 61872203,No. 71802110, No. 61802212）；中国中原科技创新领军人才项目基金（No. 214200510019）；江苏省自然科学基金（No. BK20200750）；河南省网络空间态势感知重点实验室开放课题基金（No. HNTS2022002）；江苏省研究生科研与实践创新计划基金（No. KYCX200974）；广东省信息安全技术重点实验室开放项目基金（No. 2020B1212060078）；山东省计算机网络重点实验室开放项目基金（No. SDKLCN-2022-05）；教育部人文社会科学项目基金（No. 19YJA630061）；江苏省高校优势学科建设基金

Improvement of Adversarial Transferability via Transferability Gap

WANG Jingwei^1,2, WANG Haihua¹, WU Hao¹, LUO Xiangyang³, MA Bin⁴

1. School of Computer Science, Nanjing University of Information Science and Technology, Nanjing 210044, Jiangsu, China;
2. Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing 210044, Jiangsu, China;
3. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, Henan, China;
4. Shandong Provincial Key Laboratory of Computer Networks, Qilu University of Technology, Jinan 250353, Shandong, China

Received:2023-08-31 Published:2025-10-16

摘要/Abstract

摘要： 现有的迁移攻击仅聚焦于经验风险的最大化，未考虑到迁移攻击的期望风险，从而导致迁移性不足，为此本文提出了一种基于可迁移性差距的迁移攻击。将迁移攻击的目标定义为一种期望风险的形式，并进一步定义了可迁移性差距，用来衡量迁移攻击的经验风险和期望风险之间的绝对误差。可以发现，当可迁移性差距较小时，最大化经验风险近似等价于最大化期望风险，从而获得可迁移的对抗样本。所提方案在最大化经验风险的同时，引入对抗机制，在最小化和最大化可迁移性差距之间寻求平衡。这种对抗思想使得该方案能够在最难迁移的情况下寻找到迁移能力最强的攻击算法，因此保证了对抗样本的高度可迁移性。实验结果表明，所提方案的性能优于最新的一些迁移攻击，可实现高可迁移性的对抗样本快速生成。

关键词: 对抗攻击, 可迁移性, 期望风险, 可迁移性差距

Abstract: Existing transfer-based attacks primarily focus on maximizing the empirical risk while ignoring the expected risk, which often leads to suboptimal transferability. To address this issue, we propose a transferability-gap-aware attack framework. First, we formulate the objective of transfer-based attacks as an expected risk and introduce the notion of the transferability gap, which quantifies the absolute discrepancy between the empirical risk and the expected risk. Our analysis reveals that when the transferability gap is small, maximizing the empirical risk becomes approximately equivalent to maximizing the expected risk, thereby leading to highly transferable adversarial examples. Based on this insight, the proposed method min-max the transferability gap while maximizing the empirical risk. Such min-max problem allows the attack algorithm with the strongest transferability to be found in the case of the hardest transferability. Experimental results show that the proposed method outperforms the recent state-of-the-art transfer-based attacks and achieves fast generation of highly transferable adversarial examples.

Key words: adversarial attack, transferability, expected risk, transferability gap

中图分类号:

王金伟, 王海桦, 吴昊, 罗向阳, 马宾. 通过可迁移性差距提升对抗可迁移性[J]. 应用科学学报, 2025, 43(5): 799-807.

WANG Jingwei, WANG Haihua, WU Hao, LUO Xiangyang, MA Bin. Improvement of Adversarial Transferability via Transferability Gap[J]. Journal of Applied Sciences, 2025, 43(5): 799-807.

参考文献

[1] Szegedy C, Zaremba W, Sutskever I, et al. Intriguing properties of neural networks [DB/OL]. (2013-12-21) [2023-08-31]. https://arxiv.org/abs/1312.6199.
[2] Goodfellow I J, Shlens J, Szegedy C. Explaining and harnessing adversarial examples [DB/OL]. (2014-12-20) [2023-08-31]. https://arxiv.org/abs/1412.6572.
[3] Guo Y, Li Q, Chen H. Backpropagating linearly improves transferability of adversarial examples [C]//Advances in Neural Information Processing Systems, 2020, 33: 85-95.
[4] Papernot N, Mcdaniel P, Goodfellow I, et al. Practical black-box attacks against machine learning [C]//ACM on Asia Conference on Computer and Communications Security, 2017: 506- 519.
[5] Zhu Y, Sun J, Li Z. Rethinking adversarial transferability from a data distribution perspective [EB/OL]. (2022-01-29) [2023-08-31]. https://openreview.net/forum?id=gVRhIEajG1k.
[6] Zhu Y, Chen Y, Li X, et al. Toward understanding and boosting adversarial transferability from a distribution perspective [J]. IEEE Transactions on Image Processing, 2022, 31: 6487-6501.
[7] Liu Y P, Chen X Y, Liu C, et al. Delving into transferable adversarial examples and black-box attacks [EB/OL]. (2017-02-06) [2023-08-31]. https://openreview.net/forum?id=Sys6GJqxl.
[8] Tramèr F, Papernot N, Goodfellow I, et al. The space of transferable adversarial examples [DB/OL]. (2017-04-11) [2023-08-31]. https://arxiv.org/abs/1704.03453.
[9] Liu F, Zhang C, Zhang H. Towards transferable unrestricted adversarial examples with minimum changes [C]//IEEE Conference on Secure and Trustworthy Machine Learning, 2023: 327- 338.
[10] Dong Y, Liao F, Pang T, et al. Boosting adversarial attacks with momentum [C]//IEEE Conference on Computer Vision and Pattern Recognition, 2018: 9185-9193.
[11] Kurakin A, Goodfellow I, Bengio S. Adversarial examples in the physical world [J]. Artificial Intelligence Safety and Security, 2018: 99-112.
[12] Polyak B T. Some methods of speeding up the convergence of iteration methods [J]. USSR Computational Mathematics and Mathematical Physics, 1964, 4(5): 1-17.
[13] Nesterov Y. A method for unconstrained convex minimization problem with the rate of convergence O (1/k2) [J]. Academy of Sciences of the USSR, 1983, 269(3): 543.
[14] Lin J, Song C, He K, et al. Nesterov accelerated gradient and scale invariance for adversarial attacks [EB/OL]. (2019-12-20) [2023-08-31]. https://openreview.net/forum?id=SJlHwkBYDH.
[15] Xie C, Zhang Z, Zhou Y, et al. Improving transferability of adversarial examples with input diversity [C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019: 2730- 2739.
[16] Wang X, He K. Enhancing the transferability of adversarial attacks through variance tuning [C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021: 1924-1933.
[17] Wang Z, Guo H, Zhang Z, et al. Feature importance-aware transferable adversarial attacks [C]//IEEE/CVF International Conference on Computer Vision, 2021: 7639-7648.
[18] Salzmann M. Learning transferable adversarial perturbations [C]//2021 Advances in Neural Information Processing Systems, 2021, 34: 13950-13962.
[19] Madry A, Makelov A, Schmidt L, et al. Towards deep learning models resistant to adversarial attacks [DB/OL]. (2017-06-19) [2023-08-31]. https://arxiv.org/abs/1706.06083.
[20] Girshick R. Fast R-CNN [C]//IEEE International Conference on Computer Vision, 2015: 1440- 1448.
[21] Goodfellow I, Pouget A J, Mirza M, et al. Generative adversarial nets [C]//2014 Advances in Neural Information Processing Systems, 2014, 27: 2672-2680.
[22] Von N J, Morgenstern O. Theory of games and economic behavior [M]//Princeton, NJ, The US: Princeton University Press, 1947.
[23] Griffin G, Holub A, Perona P. Caltech-256 object category dataset [EB/OL] (2007-03-10) [2023-08-31]. https://authors.library.caltech.edu/records/5sv1j-ytw97.
[24] Szegedy C, Vanhoucke V, Ioffe S, et al. Rethinking the inception architecture for computer vision [C]//IEEE Conference on Computer Vision and Pattern Recognition, 2016: 2818-2826.
[25] Szegedy C, Ioffe S, Vanhoucke V, et al. Inception-v4, Inception-ResNet and the impact of residual connections on learning [C]//AAAI Conference on Artificial Intelligence, 2017, 31(1): 4278-4284.
[26] He K, Zhang X, Ren S, et al. Deep residual learning for image recognition [C]//IEEE Conference on Computer Vision and Pattern Recognition, 2016: 770-778.
[27] Simonyan K, Zisserman A. Very deep convolutional networks for large-scale image recognition [DB/OL]. (2014-09-04) [2023-08-31]. https://arxiv.org/abs/1409.1556.
[28] Liao F, Liang M, Dong Y, et al. Defense against adversarial attacks using high-level representation guided denoiser [C]//IEEE Conference on Computer Vision and Pattern Recognition, 2018: 1778-1787.
[29] Xie C, Wang J, Zhang Z, et al. Mitigating adversarial effects through randomization [EB/OL]. (2018-02-16) [2023-08-31]. https://openreview.net/forum?id=Sk9yuql0Z.
[30] Liu Z, Liu Q, Liu T, et al. Feature distillation: DNN-oriented JPEG compression against adversarial examples [C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019: 860-868.
[31] Johnson J, Alahi A, Fei-Fei L. Perceptual losses for real-time style transfer and superresolution [C]//14th European Conference on Computer Vision, 2016: 694-711.
[32] Zhang J, Wu W, Huang J, et al. Improving adversarial transferability via neuron attributionbased attacks [C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022: 14993-15002.
[33] Li Y, Bai S, Zhou Y, et al. Learning transferable adversarial examples via ghost networks [C]//AAAI Conference on Artificial Intelligence, 2020, 34(07): 11458-11465.
[34] Poursaeed O, Katsman I, Gao B, et al. Generative adversarial perturbations [C]//IEEE Conference on Computer Vision and Pattern Recognition, 2018: 4422-4431.
[35] Naseer M M, Khan S H, Khan M H, et al. Cross-domain transferability of adversarial perturbations [C]//2019 Advances in Neural Information Processing Systems, 2019, 32.
[36] Zhang Q, Li X, Chen Y, et al. Beyond ImageNet attack: towards crafting adversarial examples for black-box domains [DB/OL]. (2022-01-27) [2023-08-31]. https://arxiv.org/abs/2201.11528.

通过可迁移性差距提升对抗可迁移性

Improvement of Adversarial Transferability via Transferability Gap

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

[1]	贺加贝, 周菊香, 甘健侯, 吴迪, 温晓宇. 基于多任务学习的课堂表情分类模型[J]. 应用科学学报, 2024, 42(6): 947-961.
[2]	栗莎, 王永雄, 王哲, 陈旭, 何嘉欣. 融合局部和全局特征的铸件缺陷检测[J]. 应用科学学报, 2024, 42(5): 757-768.
[3]	华怡坦, 黄影平, 过文昊. 基于CNN和Transformer点云图像融合的道路检测[J]. 应用科学学报, 2024, 42(4): 695-708.
[4]	崔帅华, 余磊, 何茜, 熊邦书, 欧巧凤. 一种大视场汇聚型双目立体视觉标定方法[J]. 应用科学学报, 2024, 42(2): 269-279.
[5]	熊娟, 张孙杰, 阚亚亚, 陈家豪. 基于CAFPN和细化双头解耦的遥感图像目标检测[J]. 应用科学学报, 2023, 41(6): 989-1003.
[6]	王辉, 丁铂栩. 三维点云表示的人体动作序列预测[J]. 应用科学学报, 2023, 41(3): 461-475.
[7]	萧晓彤, 丁建伟, 张琪. 基于局部和全局梯度上升的分段后门防御[J]. 应用科学学报, 2023, 41(2): 218-227.
[8]	徐增敏, 陆光建, 陈俊彦, 陈金龙, 丁勇. 基于通道特征聚合的行人重识别算法[J]. 应用科学学报, 2023, 41(1): 107-120.
[9]	邹倩颖, 陈晖阳, 李永生, 胡力雯, 王小芳. 粒子群优化的深海图像暗边缘检测优化算法[J]. 应用科学学报, 2023, 41(1): 153-169.
[10]	张育斌, 陈锋, 乐娟, 程起有. 直升机桨叶图像中圆形标记点圆心检测及修正方法[J]. 应用科学学报, 2022, 40(2): 212-223.
[11]	郑智文, 甘健侯, 周菊香, 欧阳昭相, 鹿泽光. 基于注意力网络推理图的细粒度图像分类[J]. 应用科学学报, 2022, 40(1): 36-46.
[12]	魏明军, 周太宇, 纪占林, 张鑫楠. 基于Mask-YOLO的复杂场景口罩佩戴检测[J]. 应用科学学报, 2022, 40(1): 93-104.
[13]	雷前慧, 潘丽丽, 邵伟志, 胡海鹏, 黄瑶. 基于三重注意力机制的新冠肺炎病灶分割模型[J]. 应用科学学报, 2022, 40(1): 105-115.
[14]	于群, 张建新, 魏小鹏, 张强. 基于级联可分离空洞残差U-Net的肝脏肿瘤分割[J]. 应用科学学报, 2021, 39(3): 378-377.
[15]	张育斌, 熊邦书, 欧巧凤, 黄建萍, 陈垚锋. 基于YOLOv3与分水岭的直升机桨叶欠曝光图像圆形标记点检测[J]. 应用科学学报, 2020, 38(6): 906-915.