| At present,the application field of deep learning is gradually increasing,and the ensuing security problem has attracted the attention of all researchers.Many researchers have shown that if deep neural network does not impose any defensive means in the training process,then the network is extremely fragile,and the related security risks become increasingly prominent.For example,automatic driving target recognition errors lead to traffic accidents;Misidentification in face payment resulted in loss of account amount.The commonly used network attack methods are mainly divided into white box attack and black box attack.Compared with white box attack,black box attack has the problem of low success rate and slow speed because it requires a large number of access attack results.Therefore,this paper proposes a boundary-based black box called Like Attack with shorter time and less query times.This is a kind of decision based attack,in which the attacker can only access the final decision of the target model.This paper discusses targeted attack and untargeted attack against the-similarity index of "l2" and "l∞".Then,the golden section search algorithm is adopted to accelerate the approximation of sample boundaries and shorten the algorithm time.Three improved gradient estimation algorithms are introduced to effectively improve the estimation effect of gradient direction and reduce the number of queries.Finally,this paper uses the proposed algorithm to carry out experiments.Through comparative analysis,it was confirmed that Like Attack had improved execution time and query times compared with other algorithms and had better Attack effect.The main contributions of this paper are as follows:1.Black box attack process designIn view of the problem that the Attack algorithm based on decision has too many visits,this paper proposes and designs the Attack process of the proposed Like Attack algorithm.The algorithm process is divided into four parts:estimation of gradient direction,step size search of geometric series,boundary search by golden section method and random replacement of multipixel points.2.Optimization design of subspace regionIn the algorithm based on decision,gradient estimation takes up most of the query time of the whole algorithm,so the optimization of the algorithm focuses on the optimization direction of gradient estimation.A large number of experimental results show that gradient estimation in the whole gradient space is ineffective in the number of queries,so this paper introduces a subspace for gradient estimation,which is a part of the original image subregion.This paper discusses the optimization method of gradient subspace from three aspects:1)Upsampling spatial transformation:The so-called spatial transformation is the basic image transformation of the image.In this paper,the upsampling method is used to carry out the spatial transformation of the image,that is,the low-dimensional random disturbance is generated first,and the image is enlarged to the original image size by upsampling method.2)ROI regional convolution optimization:In a single object recognition image,the object to be recognized usually occupies only a part of the image,and the rest of the area is the background information.Generally speaking,the background information has little effect on the recognition of the target object,so the region where the target object is located can be selected by artificial way,so that the disturbance starts from the selected part of the frame,and then the disturbance is pushed to the edge of the image through convolution calculation.3)Frequency transform:DCT is used for projection,and DCT transform is used for image compression to solve the problem of redundant information in images.Generally speaking,when observing an image,more attention will be paid to the low-frequency components,and the high-frequency components in the image will be filtered out during the compression process to eliminate the redundancy in the image,thus improving the optimization rate of the algorithm.3.Black box attack system designThis paper used PyQt5 to design a Like Attack black box Attack system.The system contains all the methods provided in this article as well as a variety of data set choices.We can dynamically see the attack process of target attack and target-free attack,intuitively showing the difference of different methods for noise point optimization process.Like Attack black box attack system can be expanded and applied to attack more black box model networks,which has reference significance for defense design of various network models. |
PDF Full Text Request