Sparse adversarial patch attack based on QR code mask
2024, Vol. 29, No. 7: 1889-1901
Print publication date: 2024-07-16
DOI: 10.11834/jig.230453
Ye Yixuan, Du Xia, Chen Si, Zhu Shunzhi, Yan Yan. 2024. Sparse adversarial patch attack based on QR code mask. Journal of Image and Graphics, 29(07):1889-1901
Objective
Traditional adversarial patch attacks typically concentrate a large amount of perturbation in the masked region of an image. Generating imperceptible perturbations is extremely difficult for this class of attacks, and to human perception an adversarial patch is merely redundant dense noise, which greatly reduces its deceptiveness. By contrast, QR codes are widely used in the image domain and can themselves carry additional information, which makes them far more deceptive as adversarial patches. Against this background, this paper proposes an adversarial patch attack method based on a QR code mask.
Method
First, the target model's prediction for the input image is obtained. To improve the efficiency of the non-targeted attack, a pseudo-target label is set, and gradient noise is computed that moves the prediction away from the original label while drawing it toward the pseudo-target label; a mask is constructed to confine the perturbation noise to the colored region of the QR code. In addition, the Lp-Box alternating direction method of multipliers (ADMM) algorithm is used to optimize the sparsity of the added perturbation points, ensuring that, while a high attack success rate is achieved, the information originally carried by the QR code is not destroyed by dense, high-magnitude perturbations. The result is an adversarial patch that is imperceptible to humans.
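To make this step concrete, the following is a minimal PyTorch sketch of one masked, pseudo-targeted gradient update; the runner-up-class rule for choosing the pseudo-target and the step size `alpha` are illustrative assumptions rather than the paper's exact settings.

```python
import torch
import torch.nn.functional as F

def masked_gradient_step(model, image, true_label, qr_mask, alpha=0.01):
    """One update: push the prediction away from the true label and toward
    a pseudo-target label, with noise confined to the QR mask region."""
    image = image.clone().detach().requires_grad_(True)
    logits = model(image)

    # Pseudo-target: the runner-up class (one plausible choice for speeding
    # up a non-targeted attack; the paper's exact rule may differ).
    pseudo_target = logits.topk(2, dim=1).indices[:, 1]
    true = torch.full_like(pseudo_target, true_label)

    # Ascend on CE w.r.t. the true label while descending on CE w.r.t.
    # the pseudo-target, i.e. maximize CE(true) - CE(pseudo).
    loss = F.cross_entropy(logits, true) - F.cross_entropy(logits, pseudo_target)
    loss.backward()

    # qr_mask is 1 on the QR code's dark modules and 0 elsewhere, so the
    # signed-gradient step never touches pixels outside the patch.
    step = alpha * image.grad.sign() * qr_mask
    return (image + step).clamp(0, 1).detach()
```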
Result
Comparative experiments on the Inception-v3 and ResNet-50 (residual networks-50) models with the ImageNet dataset show that, in the non-targeted attack setting, the attack success rate of the proposed method is 8.6%, 14.6%, and 4.6% higher than that of the $L_\infty$-based fast gradient sign method (FGSM), DeepFool, and projected gradient descent (PGD), respectively. The method also achieves excellent results against typical attack methods on perturbation sparsity ($L_0$) and perturbation magnitude ($L_2$, $L_1$, and $L_\infty$ norms). In quantifying the similarity between adversarial examples and the original images, the proposed method improves on FGSM by 4.82 dB in peak signal-to-noise ratio (PSNR) and by 576.3 in erreur relative globale adimensionnelle de synthèse (ERGAS), and it achieves genuinely concealed noise in visual terms. Moreover, against a variety of advanced defense algorithms, the method robustly maintains a 100% attack success rate.
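For reference, the two similarity metrics quoted above can be computed as in the NumPy sketch below; it assumes same-size 8-bit images (so the ERGAS resolution ratio is 1) and uses the reference image's band means, a convention that varies across implementations.

```python
import numpy as np

def psnr(x, y, peak=255.0):
    """Peak signal-to-noise ratio between two uint8 images, in dB."""
    mse = np.mean((x.astype(np.float64) - y.astype(np.float64)) ** 2)
    return 10.0 * np.log10(peak ** 2 / mse)

def ergas(x, y, ratio=1.0):
    """ERGAS = 100 * ratio * sqrt(mean_k((RMSE_k / mu_k)^2)) over bands k,
    where mu_k is the mean of band k of the reference image y."""
    x = x.astype(np.float64)
    y = y.astype(np.float64)
    terms = []
    for k in range(x.shape[-1]):
        rmse2 = np.mean((x[..., k] - y[..., k]) ** 2)  # squared RMSE of band k
        mu = np.mean(y[..., k])
        terms.append(rmse2 / mu ** 2)
    return 100.0 * ratio * np.sqrt(np.mean(terms))
```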
Conclusion
The proposed QR code mask-based adversarial patch attack is more plausible in real-world attack scenarios, and the sparsity algorithm protects the information carried by the QR code itself. The method thus generates more deceptive adversarial examples and offers a new direction for research on highly concealed adversarial patches.
Objective
Convolutional neural networks (CNNs) and other deep networks have revolutionized computer vision, particularly image recognition, leading to significant advances in various visual tasks. However, recent studies have demonstrated that the performance of deep neural networks is significantly compromised in the presence of adversarial examples: maliciously crafted inputs can cause a notable decline in the accuracy and reliability of deep learning models. Traditional adversarial attacks based on adversarial patches tend to concentrate a large amount of perturbation in the masked region of an image, yet crafting imperceptible perturbations for a patch attack is highly challenging. Moreover, adversarial patches consist solely of noise; to a human observer they are visually redundant and serve no apparent purpose. To address this issue, this paper proposes a novel approach called the quick response (QR) code-based sparse adversarial patch attack. A QR code is a square symbol consisting of alternating dark and light modules that is used extensively in images and stores meaningful information through a specialized encoding technique. Using QR codes as adversarial patches not only inherits the robustness of traditional adversarial patches but also increases the likelihood of evading suspicion. A crucial detail is that global perturbations can disrupt the integrity of the information stored in the QR code. In particular, when attacking robust images, excessive superimposed perturbations can significantly affect the white background of the QR code, ultimately rendering the generated adversarial QR code unscannable and preventing its successful detection and decoding. We therefore aim to preserve the integrity of the QR code by limiting the amount of noise. Inspired by sparse attacks, we integrate the QR code patch with sparse attack techniques to control the sparsity of the adversarial perturbation. In this way, our method effectively limits the number of noise points, minimizing the influence of noise on the QR code pixels and ensuring the robustness of the encoded information. Furthermore, our approach delivers strong attack performance while maintaining a high degree of imperceptibility, making it a compelling solution.
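As a concrete illustration of confining noise to the QR code's colored modules, here is a minimal sketch of how a binary perturbation mask could be derived from a grayscale QR patch and embedded into a full-image mask; the threshold value and the helper names are hypothetical, not taken from the paper.

```python
import numpy as np

def qr_dark_module_mask(qr_patch, threshold=128):
    """qr_patch: (H, W) grayscale QR image with values in [0, 255].
    Returns a {0,1} mask that is 1 on dark modules only, so the white
    background (including the quiet zone) is never perturbed."""
    return (qr_patch < threshold).astype(np.float32)

def paste_mask(image_shape, patch_mask, top, left):
    """Embed the patch mask into a full-image mask at position (top, left)."""
    full = np.zeros(image_shape[:2], dtype=np.float32)
    h, w = patch_mask.shape
    full[top:top + h, left:left + w] = patch_mask
    return full
```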
Method
Building upon the aforementioned analysis, our proposed method follows a step-by-step approach. First, we gather the prediction information of the target model on the input image. Next, we calculate the gradient that steers the prediction away from the category with the highest probability. Simultaneously, we create a mask to confine the perturbation noise within the colored area of the QR code, thereby preserving the original information. Taking inspiration from recent advances, we employ the Lp-Box alternating direction method of multipliers (ADMM) algorithm to optimize the sparsity of the added perturbation points. This optimization ensures that the original information carried by the QR code remains intact while the attack remains efficient and successful. By mitigating the impact of densely added high-distortion points, our approach strikes a balance between a high attack success rate and preserving the inherent readability of the QR code. The final result is an adversarial patch that remains imperceptible to human observers.
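The core idea of Lp-Box ADMM (Wu and Ghanem, 2019) is to replace the binary constraint on the perturbation-selection variable with the intersection of the box $[0, 1]^n$ and an $L_p$-sphere. The sketch below shows only the two resulting projections for $p = 2$; the full ADMM iteration and the attack objective are omitted, so treat it as an outline under those assumptions.

```python
import numpy as np

def project_box(z):
    """Projection onto the box [0, 1]^n."""
    return np.clip(z, 0.0, 1.0)

def project_l2_sphere(z):
    """Projection onto the sphere {x : ||x - 0.5||_2 = sqrt(n)/2}. Its
    intersection with the box [0, 1]^n is exactly the binary set {0, 1}^n,
    which drives the selection variable toward sparse 0/1 values."""
    n = z.size
    centered = z - 0.5
    radius = np.sqrt(n) / 2.0
    return 0.5 + radius * centered / (np.linalg.norm(centered) + 1e-12)
```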
Result
Experiments were conducted on the Inception-v3 and ResNet-50 models using the ImageNet dataset. Our method was compared against representative adversarial attacks in non-target scenarios, considering the attack success rate and the $L_p$-norm of the perturbation. To assess the similarity between adversarial examples and the original image, we utilized several similarity measures (peak signal-to-noise ratio (PSNR), erreur relative globale adimensionnelle de synthèse (ERGAS), structural similarity index measure (SSIM), and spectral angle mapping (SAM)) to calculate similarity scores and compared them with other attacks. We also evaluated the robustness of our attack after applying several defense algorithms as pre-processing steps. In addition, we investigated the impact of different QR code sizes on the attack success rate and the $L_p$-norm of the perturbation. Experimental results demonstrate that our approach achieves a balance between attack success rate and imperceptible noise in non-target scenarios. The adversarial examples generated by our method exhibit the smallest $L_0$-norm of perturbation among all the methods. Although our method may not always achieve the best similarity scores, visual results demonstrate that our crafted adversarial noise is optimally imperceptible. Moreover, even after pre-processing with various defense methods, our method continues to outperform other attacks. In the ablation study on QR code sizes for non-target attacks, we observed that reducing the QR code size from 55 × 55 pixels to 50 × 50 pixels led to a 3.8% decrease in the attack success rate. Conversely, increasing the size to 60 × 60 pixels resulted in a 2.7% improvement compared with 55 × 55 pixels. Similarly, increasing the size to 65 × 65 pixels led to a 1.1% decrease compared with 60 × 60 pixels, while increasing it to 70 × 70 pixels resulted in a 6.4% improvement compared with 65 × 65 pixels. With regard to the $L_p$-norm of perturbations, we found a positive correlation between the $L_1$-norm and the number of perturbation points, whereas the $L_2$-norm and $L_0$-norm perturbations exhibited a negative correlation with the number of perturbed points.
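As an example of this robustness check, the sketch below round-trips an adversarial image through JPEG compression, one of the pre-processing defenses in our references (Das et al., 2017), and re-tests the prediction; `model_predict`, the quality setting, and the uint8 round-trip are illustrative assumptions.

```python
import io
import numpy as np
from PIL import Image

def jpeg_defense(adv_image_uint8, quality=75):
    """Apply JPEG compression as an input pre-processing defense."""
    buf = io.BytesIO()
    Image.fromarray(adv_image_uint8).save(buf, format="JPEG", quality=quality)
    buf.seek(0)
    return np.asarray(Image.open(buf))

def attack_survives(model_predict, adv_image_uint8, true_label):
    """True if the adversarial image still fools the model post-defense."""
    defended = jpeg_defense(adv_image_uint8)
    return model_predict(defended) != true_label
```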
Conclusion
The proposed QR code-based adversarial patch attack is more plausible in real-world attack scenarios. By utilizing sparsity algorithms, we preserve the information carried by the QR code itself, generating more deceptive adversarial examples. This approach provides novel insights into the research of highly imperceptible adversarial patches.
Keywords: adversarial patch; sparse noise; image classification; QR code; non-targeted attack
Brown T B, Mané D, Roy A, Abadi M and Gilmer J. 2018. Adversarial patch [EB/OL]. [2023-07-25]. http://arxiv.org/pdf/1712.09665.pdf
Carlini N and Wagner D. 2017. Towards evaluating the robustness of neural networks//Proceedings of 2017 IEEE Symposium on Security and Privacy (SP). San Jose, USA: IEEE: 39-57 [DOI: 10.1109/SP.2017.49]
Chindaudom A, Siritanawan P, Sumongkayothin K and Kotani K. 2020. AdversarialQR: an adversarial patch in QR code format//Proceedings of 2020 Joint the 9th International Conference on Informatics, Electronics and Vision (ICIEV) and the 4th International Conference on Imaging, Vision and Pattern Recognition (icIVPR). Kitakyushu, Japan: IEEE: 1-6 [DOI: 10.1109/icievicivpr48672.2020.9306675]
Croce F and Hein M. 2019. Sparse and imperceivable adversarial attacks//Proceedings of 2019 IEEE/CVF International Conference on Computer Vision (ICCV). Seoul, Korea (South): IEEE: 4723-4731 [DOI: 10.1109/ICCV.2019.00482]
Das N, Shanbhogue M, Chen S T, Hohman F, Chen L, Kounavis M E and Chau D H. 2017. Keeping the bad guys out: protecting and vaccinating deep learning with JPEG compression [EB/OL]. [2023-07-25]. http://arxiv.org/pdf/1705.02900.pdf
DeVries T and Taylor G W. 2017. Improved regularization of convolutional neural networks with cutout [EB/OL]. [2023-07-25]. http://arxiv.org/pdf/1708.04552.pdf
Fan Y B, Wu B Y, Li T H, Zhang Y, Li M Y, Li Z F and Yang Y J. 2020. Sparse adversarial attack via perturbation factorization//Proceedings of the 16th European Conference on Computer Vision. Glasgow, UK: Springer: 35-50 [DOI: 10.1007/978-3-030-58542-6_3]
Goodfellow I J, Shlens J and Szegedy C. 2015. Explaining and harnessing adversarial examples [EB/OL]. [2023-07-25]. http://arxiv.org/pdf/1412.6572.pdf
Jia X J, Wei X X, Cao X C and Han X G. 2020. Adv-watermark: a novel watermark perturbation for adversarial examples//Proceedings of the 28th ACM International Conference on Multimedia. Seattle, USA: ACM: 1579-1587 [DOI: 10.1145/3394171.3413976]
Karmon D, Zoran D and Goldberg Y. 2018. LaVAN: localized and visible adversarial noise//Proceedings of the 35th International Conference on Machine Learning. Stockholm, Sweden: PMLR: 2507-2515
Kurakin A, Goodfellow I and Bengio S. 2017. Adversarial examples in the physical world [EB/OL]. [2023-07-25]. http://arxiv.org/pdf/1607.02533.pdf
Liu A S, Liu X L, Fan J X, Ma Y Q, Zhang A L, Xie H Y and Tao D C. 2019a. Perceptual-sensitive GAN for generating adversarial patches//Proceedings of the 33rd AAAI Conference on Artificial Intelligence. Honolulu, USA: AAAI: 1028-1035 [DOI: 10.1609/aaai.v33i01.33011028]
Liu F C, Nan B and Miao Y W. 2022. Point cloud replacement adversarial attack based on saliency map. Journal of Image and Graphics, 27(2): 500-510 [DOI: 10.11834/jig.210546]
Liu X, Yang H R, Liu Z W, Song L H, Li H and Chen Y R. 2019b. DPATCH: an adversarial patch attack on object detectors [EB/OL]. [2023-07-25]. http://arxiv.org/pdf/1806.02299.pdf
Madry A, Makelov A, Schmidt L, Tsipras D and Vladu A. 2019. Towards deep learning models resistant to adversarial attacks [EB/OL]. [2023-07-25]. http://arxiv.org/pdf/1706.06083.pdf
Moosavi-Dezfooli S M, Fawzi A and Frossard P. 2016. DeepFool: a simple and accurate method to fool deep neural networks//Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition. Las Vegas, USA: IEEE: 2574-2582 [DOI: 10.1109/CVPR.2016.282]
Pintor M, Roli F, Brendel W and Biggio B. 2021. Fast minimum-norm adversarial attacks through adaptive norm constraints [EB/OL]. [2023-07-25]. http://arxiv.org/pdf/2102.12827.pdf
Su J W, Vargas D V and Sakurai K. 2019. One pixel attack for fooling deep neural networks. IEEE Transactions on Evolutionary Computation, 23(5): 828-841 [DOI: 10.1109/TEVC.2019.2890858]
Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I and Fergus R. 2014. Intriguing properties of neural networks [EB/OL]. [2023-07-25]. http://arxiv.org/pdf/1312.6199.pdf
Ulyanov D, Vedaldi A and Lempitsky V. 2020. Deep image prior. International Journal of Computer Vision, 128(7): 1867-1888 [DOI: 10.1007/s11263-020-01303-4]
Wang Y, Cao T Y, Yang J B, Zheng Y F, Fang Z and Deng X T. 2022. A perturbation constraint related weak perceptual adversarial example generation method. Journal of Image and Graphics, 27(7): 2287-2299 [DOI: 10.11834/jig.200681]
Wu B Y and Ghanem B. 2019. ℓp-box ADMM: a versatile framework for integer programming. IEEE Transactions on Pattern Analysis and Machine Intelligence, 41(7): 1695-1708 [DOI: 10.1109/TPAMI.2018.2845842]
Xu W L, Evans D and Qi Y J. 2018. Feature squeezing: detecting adversarial examples in deep neural networks//Proceedings of the 2018 Network and Distributed System Security Symposium (NDSS). San Diego, USA: ISOC: 1-15 [DOI: 10.14722/ndss.2018.23198]
Zhang J P, Wu W B, Huang J T, Huang Y Z, Wang W X, Su Y X and Lyu M R. 2022. Improving adversarial transferability via neuron attribution-based attacks//Proceedings of 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). New Orleans, USA: IEEE: 14973-14982 [DOI: 10.1109/CVPR52688.2022.01457]