基于快速特征欺骗的通用扰动生成改进方法

doi:10.3969/j.issn.0255-8297.2020.06.015

Abstract

Abstract: Although deep neural networks have been widely applied in recent years, they are readily fooled by adversarial input perturbations which are imperceptible to humans. Such vulnerability to adversarial attacks has imposed threats for system deployment in security-crucial setting, thus it is necessary to study the risky generation method of perturbations to boost the anti-risk capability. As a universal perturbation, fast feature fool (FFF) is an effective attacking method for visual tasks. Beyond solely mixing the convolutional layer's output irrespective of the input activation status, this paper improves the FFF method by maximizing the feature difference between the input image and corresponding adversarial image during which the contributions of multiple convolutional layers are weighted differently. Experimental results demonstrate that the improved FFF actually has obtained higher success attacking rate and stronger cross-model transfer ability than the original one.

Key words: deep neural networks, universal perturbations, fast feature fool (FFF), feature difference

CLC Number:

TP183

WEI Jianjie, Lü Donghui, LU Xiaofeng, SUN Guangling. Improved Method to Craft Universal Perturbations Based on Fast Feature Fool[J]. Journal of Applied Sciences, 2020, 38(6): 986-994.

References

[1] Krizhevsky A, Sutskever I, Hinton G E. ImageNet classification with deep convolutional neural networks[J]. Communications of the ACM, 2017, 60(6):84-90.
[2] Ren S Q, He K M, Girshick R, et al. Faster R-CNN:towards real-time object detection with region proposal networks[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2017, 39(6):1137-1149.
[3] Sutskever I, Vinyals O, Le V. Sequence to sequence learning with neural networks[C]//Advances in Neural Information Processing Systems, Montreal, Canada, 2014:3104-3112.
[4] Szegedy C, Zaremba W, SutskeveR I, et al. Intriguing properties of neural networks[C]//International Conference on Learning Representations, Banff, Canada, 2014:64-70.
[5] 张思思, 左信, 刘建伟. 深度学习中的对抗样本问题[J]. 计算机学报, 2018, 41(8):1886-1904. Zhang S S, Zuo X, Liu J W. The problem of the adversarial examples in deep learning[J]. Chinese Journal of Computers, 2018, 41(8):1886-1904. (in Chinese)
[6] Mahendran A, Vedaldi A. Understanding deep image representations by inverting them[C]//IEEE Conference on Computer Vision and Pattern Recognition Boston, USA, 2015:188-5196.
[7] Goodfellow I, Shlens J, Szegedy C. Explaining and harnessing adversarial examples[J/OL].[2014-12-20]. https://arxiv.org/abs/1412.6572.
[8] Kurakin A, Goodfellow I, Bengio S. Adversarial examples in the physical world[J/OL].[2016-07-08]. https://arxiv.org/abs/1607.02533.
[9] Carlini N, Wagner D. Towards evaluating the robustness of neural networks[C]//IEEE Symposium on Security and Privacy, San Jose, USA, 2017:39-57.
[10] Moosavi-Dezfooli S M, Fawzi A, Frossard P. DeepFool:a simple and accurate method to fool deep neural networks[C]//IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016:2574-2582.
[11] Moosavi-Dezfooli S M, Fawzi A, Fawzi O, et al. Universal adversarial perturbations[C]//IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, USA, 2017:86-94.
[12] Mopuri K R, Garg U, Babu V. Fast feature fool:a data independent approach to universal adversarial perturbations[J/OL].[2017-07-18]. https://arxiv.org/abs/1707.05572.
[13] Mopuri K R, Ganeshan A, Babu R. Generalizable data-free objective for crafting universal adversarial perturbations[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2019, 41(10):2452-2465.
[14] Ross A S, Doshivelez F. Improving the adversarial robustness and interpretability of deep neural networks by regularizing their input gradients[C]//AAAI Conference on Artificial Intelligence, New Orleans, USA, 2018:1660-1669.
[15] Miyato T, Maeda S, Koyama M, et al. Distributional smoothing with virtual adversarial training[J/OL].[2016-06-11]. https://arxiv.org/abs/1507.00677.
[16] Song C, Cheng H P, Wu C. A multi-strength adversarial training method to mitigate adversarial attacks[C]//IEEE Computer Society Annual Symposium on VLSI, Hong Kong, China, 2018:476-481.
[17] Hinton G, Vinyals O, Dean J. Distilling the knowledge in a neural network[J/OL].[2015-03-09]. https://arxiv.org/abs/1503.02531.

Improved Method to Craft Universal Perturbations Based on Fast Feature Fool

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Comments

[1]	WEI Wei, QUAN Haiyan. Radial Basis Network Training Algorithm Based on Surface-Simplex Swarm Evolution [J]. Journal of Applied Sciences, 2019, 37(4): 459-468.
[2]	ZHU Cheng, CHEN Mou. Robust Control of Missile Launch Vehicle Erecting Device Based on Disturbance Observer [J]. Journal of Applied Sciences, 2014, 32(3): 319-324.
[3]	LIU Wen-peng, CHEN Xu, LU Hua-xiang. Spiking Neuron Model Based on Single-Electron Transistors [J]. Journal of Applied Sciences, 2012, 30(6): 649-654.
[4]	LI Yong-mei1;2, ZHOU Yong-quan1, WEI Jun2. Using Hierarchical Structure Glowworm Swarm Algorithm for Function Optimization [J]. Journal of Applied Sciences, 2012, 30(4): 391-396.
[5]	CHENG Yue-hua1;2, JIANG Bin1, YANG Ming-kai1, GAO Zhi-feng1. Self-Organizing Fuzzy Neural Network-Based Actuator Fault Estimation for Satellite Attitude Systems [J]. Journal of Applied Sciences, 2010, 28(1): 72-76.
[6]	ZHOU Yong-quan1, LUO Qi-fang1, L?U Yong-mei1, ZHAO Bin2. Online Incremental Learning Algorithm and Application to Functional Networks [J]. Journal of Applied Sciences, 2009, 27(4): 409-413.
[7]	FANG Hui-juan;WANG Yong-ji. Spiking Neural Networks with Neurons Firing Multiple Spikes [J]. Journal of Applied Sciences, 2008, 26(6): 638-644 .
[8]	CHEN Lei, ZHANG Dao-qiang, ZHOU Peng, CHEN Song-can. Small-World Architecture Based Kernel Auto-Associative Memory Model and Its Application to Face Recognition [J]. Journal of Applied Sciences, 2005, 23(5): 497-501.
[9]	XU Dong, WANG Yi-fei. ANN-CE: An Improved Neural Network Method for Predicting DNA Binding Sites [J]. Journal of Applied Sciences, 2005, 23(2): 187-191.
[10]	ZHENG Jian-ming, LI Yan, XIAO Ji-ming, HONG Wei. Artificial Neural Network Based Drill Wear Monitoring Using the Wavelet Decomposition of a Power Spectrum [J]. Journal of Applied Sciences, 2004, 22(4): 513-517.
[11]	ZHANG Dao-qiang, CHEN Song-can, PAN Zhi-song. A General Model for the Multi-valued BAM and Its Applications in IP Address Recognition [J]. Journal of Applied Sciences, 2004, 22(3): 279-282.
[12]	CAI An-hui, PAN Ye, LIU Yong-gang, SUN Guo-xiong. Forecasting Characters of L⁹(3⁴) Orthogonal Test Based on the Artificial Neural Network [J]. Journal of Applied Sciences, 2004, 22(2): 228-232.
[13]	GONG Xin-bao, ZHOU Xi-lang. A RBF Designing Method Based on Immune Clustering and Genetic Algorithm [J]. Journal of Applied Sciences, 2004, 22(1): 81-84.
[14]	SHENG Zhao-han, LIU Bing-xiang. A Method Based on the Rough Neural Network for Analysing Deception Risks [J]. Journal of Applied Sciences, 2003, 21(2): 209-213.
[15]	TANG Bin, HU Guang-rui. Recognition of the Scanning Style of the Radar Antenna Using Immune Neural Networks [J]. Journal of Applied Sciences, 2003, 21(1): 36-38.