Probability-Distribution-Guided Adversarial Sample Attacks for Boosting Transferability and Interpretability

Author:

Li Hongying 1, Yu Miaomiao 1, Li Xiaofei 1, Zhang Jun 1, Li Shuohao 1, Lei Jun 1, Huang Hairong 2

Affiliation:

1. Laboratory for Big Data and Decision, National University of Defense Technology, Changsha 410000, China

2. Teacher Training School, Zhongxian, Chongqing 404300, China

Abstract

In recent years, with the rapid development of technology, artificial intelligence (AI) security issues represented by adversarial sample attacks have aroused widespread concern in society. Adversarial samples are often generated by surrogate models and then transferred to attack the target model, and most AI models in real-world scenarios are black boxes; thus, transferability becomes a key factor in measuring the quality of adversarial samples. The traditional method relies on the decision boundary of the classifier and takes boundary crossing as the only judgment metric, without considering the probability distribution of the sample itself, which results in an irregular way of adding perturbations to the adversarial sample, an unclear generation path, and a lack of transferability and interpretability. In a probabilistic generative model, after learning the probability distribution of the samples, a random term can be added to the sampling to gradually transform noise into a new independent and identically distributed sample. Inspired by this idea, we believe that by removing the random term, the adversarial sample generation process can be regarded as static sampling of the probabilistic generative model, which guides the adversarial samples out of the original probability distribution and into the target probability distribution and helps to boost transferability and interpretability. Therefore, we propose a score-matching-based attack (SMBA) method that performs adversarial sample attacks by manipulating the probability distribution of the samples; it showed good transferability across different datasets and models and provided reasonable explanations from the perspective of mathematical theory and feature space. Compared with the current best methods based on the decision boundary of the classifier, our method increased the attack success rate by up to 51.36% and 30.54% in non-targeted and targeted attack scenarios, respectively. In conclusion, our research establishes a bridge between probabilistic generative models and adversarial samples, provides a new entry angle for the study of adversarial samples, and brings new thinking to AI security.

Funder

National Natural Science Foundation of China

Natural Science Foundation of Hunan

Hunan Provincial Innovation Foundation for Postgraduate

Publisher

MDPI AG

Subject

General Mathematics, Engineering (miscellaneous), Computer Science (miscellaneous)

