Signal and Information Processing


Funding

National Natural Science Foundation of China (No. 62072250, No. 62172435, No. U1804263, No. U20B2065, No. 61872203, No. 71802110, No. 61802212); Zhongyuan Science and Technology Innovation Leading Talent Program of China (No. 214200510019); Natural Science Foundation of Jiangsu Province (No. BK20200750); Open Fund of the Henan Key Laboratory of Cyberspace Situational Awareness (No. HNTS2022002); Postgraduate Research and Practice Innovation Program of Jiangsu Province (No. KYCX200974); Open Project of the Guangdong Provincial Key Laboratory of Information Security Technology (No. 2020B1212060078); Open Project of the Shandong Provincial Key Laboratory of Computer Networks (No. SDKLCN-2022-05); Humanities and Social Sciences Project of the Ministry of Education (No. 19YJA630061); Priority Academic Program Development of Jiangsu Higher Education Institutions

Improvement of Adversarial Transferability via Transferability Gap

  • WANG Jingwei ,
  • WANG Haihua ,
  • WU Hao ,
  • LUO Xiangyang ,
  • MA Bin
  • 1. School of Computer Science, Nanjing University of Information Science and Technology, Nanjing 210044, Jiangsu, China;
    2. Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing 210044, Jiangsu, China;
    3. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, Henan, China;
    4. Shandong Provincial Key Laboratory of Computer Networks, Qilu University of Technology, Jinan 250353, Shandong, China

Received date: 2023-08-31

  Online published: 2025-10-16


How to cite this article

WANG Jingwei, WANG Haihua, WU Hao, LUO Xiangyang, MA Bin. Improvement of adversarial transferability via transferability gap [J]. Journal of Applied Sciences, 2025, 43(5): 799-807. DOI: 10.3969/j.issn.0255-8297.2025.05.007

Abstract

Existing transfer-based attacks focus on maximizing the empirical risk and ignore the expected risk, which often leaves transferability suboptimal. To address this, we propose a transferability-gap-aware attack framework. We first formulate the objective of a transfer-based attack as an expected risk and introduce the transferability gap, the absolute difference between the empirical risk and the expected risk. When the gap is small, maximizing the empirical risk is approximately equivalent to maximizing the expected risk, which yields highly transferable adversarial examples. Based on this insight, the proposed method maximizes the empirical risk while solving a min-max problem over the transferability gap, balancing its minimization against its maximization. This min-max formulation finds the attack with the strongest transferability under the hardest transfer conditions. Experimental results show that the proposed method outperforms recent state-of-the-art transfer-based attacks and generates highly transferable adversarial examples quickly.
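The abstract's argument, as an added toy example that is not part of the paper and does not reproduce the authors' algorithm: three 2-D logistic classifiers play the white-box surrogates, four others stand in for the unknown target models, and the empirical risk, a Monte-Carlo estimate of the expected risk, and their absolute difference (the transferability gap) are computed for a clean input and for two sign-gradient attacks under the same L-infinity budget. The `average` attack maximizes the empirical risk directly; the `worst_case` attack follows only the surrogate that is currently hardest to fool, which is one simple way (an assumption made here, not the paper's construction) of optimizing against the hardest transfer case. All models, the input and the budget are constructed for illustration.

```python
"""Transferability gap on 2-D logistic classifiers (constructed toy, not the
paper's code). A model is ((w1, w2), b) and predicts label 1 iff w.x + b > 0."""
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def logit(model, x):
    (w1, w2), b = model
    return w1 * x[0] + w2 * x[1] + b


def bce_loss(model, x, y):
    """Binary cross-entropy -y*log p - (1-y)*log(1-p) with p = sigmoid(logit),
    written as softplus(z) - y*z so that large |z| cannot overflow."""
    z = logit(model, x)
    return max(z, 0.0) + math.log1p(math.exp(-abs(z))) - y * z


def loss_grad_x(model, x, y):
    """d loss / d x = (p - y) * w."""
    (w1, w2), _ = model
    p = sigmoid(logit(model, x))
    return [(p - y) * w1, (p - y) * w2]


def risk(models, x, y):
    """Mean loss over a model set: the empirical risk when `models` are the
    white-box surrogates, a Monte-Carlo estimate of the expected risk when they
    are samples from the unknown target population."""
    return sum(bce_loss(m, x, y) for m in models) / len(models)


def transferability_gap(surrogates, targets, x, y):
    """|empirical risk - expected risk| at the point x."""
    return abs(risk(surrogates, x, y) - risk(targets, x, y))


def sign(v):
    return (v > 0) - (v < 0)


def hardest_surrogate(surrogates, x, y):
    """Surrogate with the smallest current loss, i.e. the one the perturbation
    has made the least progress against (the first one wins ties)."""
    best = surrogates[0]
    for m in surrogates[1:]:
        if bce_loss(m, x, y) < bce_loss(best, x, y):
            best = m
    return best


def transfer_attack(surrogates, x, y, eps, alpha, steps, worst_case):
    """Sign-gradient ascent on surrogate loss inside an L-inf ball of radius eps.
    worst_case=False: ascend the mean surrogate loss (plain empirical-risk maximization).
    worst_case=True : ascend the loss of the hardest surrogate only, a max-min
    over surrogate weights (assumed here as a stand-in for a hardest-case objective)."""
    delta = [0.0, 0.0]
    for _ in range(steps):
        x_adv = [x[0] + delta[0], x[1] + delta[1]]
        if worst_case:
            g = loss_grad_x(hardest_surrogate(surrogates, x_adv, y), x_adv, y)
        else:
            grads = [loss_grad_x(m, x_adv, y) for m in surrogates]
            g = [sum(gi[k] for gi in grads) / len(grads) for k in range(2)]
        for k in range(2):  # ascent step, then project back onto the eps-ball
            delta[k] = max(-eps, min(eps, delta[k] + alpha * sign(g[k])))
    return [x[0] + delta[0], x[1] + delta[1]]


def fooled(models, x_adv, y):
    """Number of models whose prediction on x_adv disagrees with the true label."""
    return sum(1 for m in models if (logit(m, x_adv) > 0) != (y == 1))


# Constructed model sets: surrogates (white-box) and held-out targets (black-box).
SURROGATES = [((2.0, 0.5), 0.0), ((2.0, -0.4), 0.0), ((1.5, 0.0), 0.0)]
TARGETS = [((1.0, 1.0), 0.0), ((1.0, -1.0), 0.0), ((0.5, 2.0), 0.0), ((2.0, 0.2), 0.0)]
X, Y = (1.0, 0.0), 1             # clean input, correctly classified by all seven models
EPS, ALPHA, STEPS = 1.2, 0.3, 6  # L-inf budget, step size, iterations


def compare():
    """Run both attacks and report risks, gap and black-box success for each."""
    report = {}
    for name, worst_case in (("average", False), ("worst_case", True)):
        x_adv = transfer_attack(SURROGATES, X, Y, EPS, ALPHA, STEPS, worst_case)
        report[name] = {
            "x_adv": x_adv,
            "empirical_risk": risk(SURROGATES, x_adv, Y),
            "expected_risk": risk(TARGETS, x_adv, Y),
            "gap": transferability_gap(SURROGATES, TARGETS, x_adv, Y),
            "targets_fooled": fooled(TARGETS, x_adv, Y),
        }
    return report


if __name__ == "__main__":
    print("clean gap: %.4f" % transferability_gap(SURROGATES, TARGETS, X, Y))
    for name, r in compare().items():
        print("%-10s emp=%.3f exp=%.3f gap=%.3f fooled=%d/%d" % (
            name, r["empirical_risk"], r["expected_risk"], r["gap"],
            r["targets_fooled"], len(TARGETS)))
```

On these constructed models the averaged attack drives the surrogate (empirical) risk higher than the worst-case attack does, yet it overfits to the y-direction preferred by one surrogate, leaves a gap of roughly 0.45 and fools only three of the four held-out models; the worst-case attack settles at a lower empirical risk, a gap below 0.1, and fools all four. That is the abstract's point in miniature: what transfers is a small gap between empirical and expected risk, not a large empirical risk on its own.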
