Perturbation Initialization, Adam-Nesterov and Quasi-Hyperbolic Momentum for Adversarial Examples

被引：0

作者：

Zou J.-H. ^{[1
]}

Duan Y.-X. ^{[1
,2
]}

Ren C.-L. ^{[3
]}

Qiu J.-Y. ^{[4
]}

Zhou X.-Y. ^{[1
]}

Pan Z.-S. ^{[1
]}

机构：

[1] Command and Control Engineering College, Army Engineering University of PLA, Nanjing

[2] Zhenjiang Campus, Army Military Transportation University of PLA, Zhenjiang

[3] North China Institute of Computer Technology, Beijing

[4] Mathematical Engineering and Advanced Computing, Jiangnan Institute of Computing Technology, Wuxi

来源：

Tien Tzu Hsueh Pao/Acta Electronica Sinica | 2022年 / 50卷 / 01期

关键词：

Adam-Nesterov method; Adversarial examples; Perturbation initialization; Quasi-hyperbolic momentum method; Transferability;

D O I：

10.12263/DZXB.20200839

中图分类号：

学科分类号：

摘要：

Deep neural networks(DNNs) have made great breakthrough in many pattern recognition tasks. However, relevant research shows that the DNNs are vulnerable to adversarial examples. In this paper, we study the transferability of adversarial examples in the classification task, and propose perturbation initialization, the quasi-hyperbolic momentum iterative fast gradient sign method(QHMI-FGSM) and the adam-nesterov iterative fast gradient sign method(ANI-FGSM). We propose perturbation initialization method called pixel shift in adversarial attack. Furthermore, QHMI-FGSM and ANI-FGSM proposed in this paper are the improvements on the existing momentum iterative fast gradient sign method(MI-FGSM) and nesterov iterative fast gradient sign method(NI-FGSM). Additionally, perturbation initialization, QHMI-FGSM and ANI-FGSM are easily integrated into other existing methods, which can significantly improve the success rates of black-box attacks without additional running time and computing resources. Experimental results show that our best attack ANI-TI-DIQHM* can fool six classic black-box defense models with an average success rate of 88.68%, and fool four advance black-box defense models with an average success rate of 82.77%, which are higher than the state-of-the-art results. © 2022, Chinese Institute of Electronics. All right reserved.

引用

页码：207 / 216

页数：9

共 26 条

[21] DUCHI, JOHN, HAZAN, Et al., Adaptive subgradient methods for online learning and stochastic optimization, The Journal of Machine Learning Research, 12, pp. 2121-2159, (2011)
[22] SZEGEDY C, VANHOUCKE V, IOFFE S, Et al., Rethinking the inception architecture for computer vision, 2016 IEEE Conference on Computer Vision and Pattern Recognition, pp. 2818-2826, (2016)
[23] SZEGEDY C, IOFFE S, VANHOUCKE V, Et al., Alemi. Inception-v4, inception-resnet and the impact of residual connections on learning, 2017 31st AAAI Conference on Artificial Intelligence, pp. 4278-4284, (2017)
[24] LIU Z H, LIU Q, LIU T, Et al., Feature distillation: DNN-Oriented JPEG compression against adversarial examples, 2019 IEEE Conference on Computer Vision and Pattern Recognition, pp. 860-868, (2019)
[25] JIA X J, WEI X X, CAO X C, Et al., ComDefend: An efficient image compression model to defend adversarial examples, 2019 IEEE Conference on Computer Vision and Pattern Recognition, pp. 6084-6092, (2019)
[26] COHEN J M, ROSENFELD E, KOLTER J Z., Certified adversarial robustness via randomized smoothing, 2019 36th International Conference on Machine Learning ICML, pp. 1310-1320, (2019)

← 1 2 3 →