A Guided Diffusion-based Approach to Natural Adversarial Patch Generation
Abstract (translated from the Chinese): In recent years, adversarial patch attacks in the physical world have attracted wide attention because of their impact on the security of deep learning models. Existing work has mainly focused on generating adversarial patches with good attack performance in the physical world, without considering the difference between the patch pattern and natural images, so the generated patches are often unnatural and easily noticed by observers. To address this problem, this paper proposes a natural adversarial patch generation method based on a guided diffusion model. Specifically, a predictor of the patch's attack success rate is constructed by parsing the output of the target detector, and the gradient of this predictor is used as a condition to guide the reverse diffusion process of a pre-trained diffusion model, producing adversarial patches with higher naturalness while maintaining a high attack success rate. Extensive experiments in both the digital and physical worlds evaluate the attack effectiveness of the patches against various object detection models as well as their naturalness. The results show that by combining the constructed attack success rate predictor with the diffusion model, the method generates more natural adversarial patches than existing schemes while preserving attack performance.
Abstract (original English): Adversarial patch attacks in the physical world have gained a lot of attention in recent years due to their safety implications. Existing work has mostly focused on generating adversarial patches that can attack certain models in the physical world, but the resulting patterns are often unnatural and easy to identify. To tackle this problem, we propose a guided diffusion-based approach to natural adversarial patch generation. Specifically, we construct a predictor for attack success rate (ASR) prediction by parsing the output of the target detector, such that the reverse process of a pre-trained diffusion model can be guided by the gradient of the classifier to generate adversarial patches with improved naturalness and high ASR. We conduct extensive experiments in both the digital and the physical worlds to evaluate the attack effectiveness against various object detection models, as well as the naturalness of generated patches. The experimental results show that by combining the ASR predictor with a pre-trained diffusion model, our method is able to produce more natural adversarial patches than the state-of-the-art approaches while remaining highly effective.
Authors: 何琨 佘计思 张子君 陈晶 汪欣欣 杜瑞颖 (HE Kun; SHE Ji-si; ZHANG Zi-jun; CHEN Jing; WANG Xin-xin; DU Rui-ying). Affiliations: School of Cyber Science and Engineering, Wuhan University, Wuhan, Hubei 430072, China; Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, Wuhan, Hubei 430072, China; Rizhao Institute of Information Technology, Wuhan University, Rizhao, Shandong 276800, China; Collaborative Innovation Center of Geospatial Technology, Wuhan, Hubei 430079, China.
Source: Acta Electronica Sinica (《电子学报》), indexed in EI, CAS, CSCD and the Peking University Core Journals list (北大核心); 2024, No. 2, pp. 564-573 (10 pages).
Funding: National Key R&D Program of China (No. 2022YFB3102100); Fundamental Research Funds for the Central Universities (No. 2042022kf1034); National Natural Science Foundation of China (No. 62206203, No. 62076187); Key R&D Program of Hubei Province (No. 2022BAA039); Key R&D Program of Shandong Province (No. 2022CXPT055).
Keywords: object detection; adversarial patch; diffusion model; adversarial example; adversarial attack; deep learning