基于动态替代结构增强黑盒对抗攻击
Enhancing Black-box Adversarial Attack Based on Dynamic Substitute Structure
曾繁茂1
作者信息
- 1. 安徽理工大学 计算机科学与工程学院,安徽 淮南 232001
- 折叠
摘要
现有黑盒对抗攻击方法可以通过替代模型模拟目标黑盒模型的决策边界,并据此生成对抗样本,但替代模型通常具有固定的结构,这在某种程度上可能会限制其攻击效果.为了解决这一问题,提出了一种基于动态替代结构增强黑盒对抗攻击的方法.方法包含一个新颖的动态网络结构,能够自适应地寻找与目标模型最匹配的替代模型结构,全过程不依赖任何先验知识.实验证明了该方法的攻击成功率较现有方法有所提升,且替代模型的决策边界与目标模型的决策边界吻合度高,使得原本设计用于白盒攻击的策略也能有效地应用于黑盒攻击.
Abstract
The existing black-box adversarial attack methods can simulate the decision boundaries of the target black-box models by establishing substitute models,thereby generating adversarial samples.However,these sub-stitute models often have fixed network structures,which may constrain their attack effectiveness to some extent.To address this issue,a method of enhancing black-box adversarial attack based on dynamic substitute structure is proposed.This method includes an innovative dynamic network structure,which can adaptively find the best matching substitute model structure with the target model,and the whole process does not depend on any prior knowledge.Experiments show that this method improves the success rate of attacks compared to existing methods,and the decision boundary of the substitute model closely aligns with that of the target model,enabling strategies originally designed for white-box attacks to be effectively applied to black-box attacks.
关键词
黑盒攻击/知识蒸馏/对抗攻击/对抗样本Key words
black-box attack/knowledge distillation/adversarial attack/adversarial examples引用本文复制引用
基金项目
国家自然科学基金(61572034)
安徽省自然科学基金(2008085MF220)
出版年
2024
NETL
NSTL
维普
万方数据