[Paper Summary] Functional Adversarial Attacks
This paper proposes functional adversarial threat models, in particular ReColorAdv for images, and shows that combining a functional threat model with an additive one yields a stronger attack than either threat model on its own.
We propose functional adversarial attacks, a novel class of threat models for crafting adversarial examples to fool machine learning models. Unlike a standard $\ell_p$-ball threat model, a functional adversarial threat model allows only a single function to be used to perturb input features to produce an adversarial example. For example, a functional adversarial attack applied on colors of an image can change all red pixels simultaneously to light red. Such global uniform changes in images can be less perceptible than perturbing pixels of the image individually. For simplicity, we refer to functional adversarial attacks on image colors as ReColorAdv, which is the main focus of our experiments. We show that functional threat models can be combined with existing additive ($\ell_p$) threat models to generate stronger threat models that allow both small, individual perturbations and large, uniform changes to an input. Moreover, we prove that such combinations encompass perturbations that would not be allowed in either constituent threat model. In practice, ReColorAdv can significantly reduce the accuracy of a ResNet-32 trained on CIFAR-10. Furthermore, to the best of our knowledge, combining ReColorAdv with other attacks leads to the strongest existing attack even after adversarial training. An implementation of ReColorAdv is available at https://github.com/cassidylaidlaw/ReColorAdv .
Motivation and goals
- Propose a new class of threat models, called functional adversarial threat models, in which a single function is applied to all input features.
- Prove that a functional threat model can be combined with an additive threat model to enlarge the space of allowed perturbations.
- Develop ReColorAdv, a practical instance that attacks image classifiers by perturbing colors globally.
- Analyze the perceptual impact of the attack and compare it with existing attacks under a range of defenses.
- Provide recommendations for defending against functional adversarial attacks.
Proposed method
- Define the functional threat model together with a regularization scheme that keeps the perturbation imperceptible.
- Prove that combining an additive threat model with a functional threat model yields perturbations that neither model can produce alone.
- Introduce ReColorAdv, which applies one parameterized perturbation function f to every pixel color; f is defined by offsets on a discrete grid over the color space and evaluated by trilinear interpolation.
- Enforce the color-space constraints (a "diff" bound on how far any color may move, and a "smooth" constraint on neighboring grid points) via Lagrangian relaxation and optimize the attack with PGD.
- Evaluate ReColorAdv on CIFAR-10 (ResNet-32) and ImageNet (Inception-v4), including adversarially trained models.
- Compare the RGB color space with the perceptually uniform CIELUV color space in terms of attack strength and perceptual quality.
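To make the mechanics of the threat model concrete, the following is an added example in pure Python; it is not the authors' ReColorAdv implementation. It shows how a single function f, parameterized by offsets on a grid over the unit color cube and evaluated by trilinear interpolation, is applied to every pixel, how the "diff" bound is enforced as an L_inf projection of the grid offsets, how the "smooth" term measures differences between neighboring grid points, and what happens when the functional change is composed with an additive per-pixel one. The grid size, the bounds EPS_DIFF and EPS_ADD, the function names and the three-pixel sample image are all assumptions made for illustration; the PGD optimization of the offsets against a classifier's loss is omitted.

```python
from itertools import product
from math import floor

GRID = 4          # grid points per color channel (assumption, for illustration)
EPS_DIFF = 0.06   # "diff" bound: max per-channel shift f may apply to any color (assumption)
EPS_ADD = 0.03    # L_inf bound of the additive threat model it is combined with (assumption)


def zero_grid(g=GRID):
    """Offsets of f at every grid point of the unit color cube; initially f(c) = c."""
    return {(i, j, k): [0.0, 0.0, 0.0] for i, j, k in product(range(g), repeat=3)}


def apply_f(color, grid, g=GRID):
    """f(color) = color + trilinear interpolation of the grid offsets at color."""
    idx, frac = [], []
    for c in color:
        pos = min(max(c, 0.0), 1.0) * (g - 1)   # position in grid coordinates
        i = min(int(floor(pos)), g - 2)          # lower corner of the enclosing cell
        idx.append(i)
        frac.append(pos - i)
    shift = [0.0, 0.0, 0.0]
    for corner in product((0, 1), repeat=3):     # the 8 corners of the cell
        w = 1.0
        for d, t in zip(corner, frac):
            w *= t if d else 1.0 - t
        off = grid[(idx[0] + corner[0], idx[1] + corner[1], idx[2] + corner[2])]
        for ch in range(3):
            shift[ch] += w * off[ch]
    return tuple(min(max(color[ch] + shift[ch], 0.0), 1.0) for ch in range(3))


def project_diff(grid, eps=EPS_DIFF):
    """'diff' constraint: clip every grid offset into [-eps, eps]."""
    return {key: [min(max(v, -eps), eps) for v in off] for key, off in grid.items()}


def smoothness(grid):
    """'smooth' penalty: squared differences between offsets at neighboring grid points."""
    total = 0.0
    for (i, j, k), off in grid.items():
        for nb in ((i + 1, j, k), (i, j + 1, k), (i, j, k + 1)):
            if nb in grid:
                total += sum((a - b) ** 2 for a, b in zip(off, grid[nb]))
    return total


def recolor(image, grid):
    """Functional threat model: the same f is applied to every pixel."""
    return [apply_f(px, grid) for px in image]


def additive(image, deltas, eps=EPS_ADD):
    """Additive threat model: an independent per-pixel delta, clipped to the L_inf ball."""
    return [tuple(min(max(c + min(max(d, -eps), eps), 0.0), 1.0) for c, d in zip(px, delta))
            for px, delta in zip(image, deltas)]


def combined(image, grid, deltas, eps_add=EPS_ADD):
    """Combined threat model: the functional change first, then the additive one."""
    return additive(recolor(image, grid), deltas, eps_add)


# Constructed sample image: three pixels, two of which are the same pure red.
IMAGE = [(1.0, 0.0, 0.0), (0.0, 0.0, 1.0), (1.0, 0.0, 0.0)]


def demo():
    grid = zero_grid()
    grid[(GRID - 1, 0, 0)] = [-0.10, 0.05, 0.05]   # push pure red toward a lighter red
    grid = project_diff(grid)                       # the red shift gets clipped to EPS_DIFF
    functional_only = recolor(IMAGE, grid)
    deltas = [(-EPS_ADD, 0.0, 0.0), (0.0, 0.0, 0.0), (0.0, 0.0, 0.0)]
    both = combined(IMAGE, grid, deltas)
    return grid, functional_only, both


if __name__ == "__main__":
    grid, functional_only, both = demo()
    print("smoothness penalty:", smoothness(grid))
    print("functional only:", functional_only)   # both red pixels move identically
    print("functional + additive:", both)        # red moves by EPS_DIFF + EPS_ADD
```

Two things in the output are the point of the example. Under the functional model alone, the two red pixels end up at exactly the same color while the blue pixel is untouched, because one f acts on all pixels and the offset only affects the grid cell around pure red. Under the combined model, the first red pixel moves by EPS_DIFF + EPS_ADD in the red channel, which exceeds the bound of either constituent model, while the third red pixel moves only by EPS_DIFF; this is the kind of perturbation the paper proves lies outside both the functional and the additive threat model on their own.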
Experimental results
Research questions
- RQ1: Can a functional threat model realize perturbations that are imperceptible to humans yet are not permitted by an additive threat model alone?
- RQ2: Does combining the functional and additive threat models produce a larger set of perturbations, and does that increase attack strength?
- RQ3: How effective is ReColorAdv against undefended and defended models, and does the choice of color space affect the result?
- RQ4: How does combining ReColorAdv with other attacks affect adversarial robustness after adversarial training?
Main findings
Accuracy (%) of ResNet-32 on CIFAR-10 under each attack (columns) for each defense (rows). C = ReColorAdv in CIELUV, C-RGB = ReColorAdv in RGB, D = the delta (additive) attack, S = StAdv (spatial) attack; "+" denotes attacks applied in combination. Each row other than "None" is a model adversarially trained against the named threat model; the last row is a TRADES-trained model.
| Defense \ Attack | None | C-RGB | C | D | S | C+S | C+D | S+D | C+S+D |
|---|---|---|---|---|---|---|---|---|---|
| None | 92.2 | 5.9 | 3.0 | 0.0 | 0.9 | 0.8 | 0.0 | 0.0 | 0.0 |
| C | 88.7 | 43.5 | 45.8 | 5.7 | 3.6 | 3.4 | 0.9 | 0.2 | 0.2 |
| D | 84.8 | 74.9 | 50.6 | 30.6 | 16.0 | 11.7 | 8.9 | 2.7 | 2.2 |
| S | 82.7 | 16.9 | 8.0 | 0.5 | 26.2 | 4.8 | 0.0 | 0.1 | 0.0 |
| C+S | 89.5 | 31.7 | 23.0 | 0.7 | 10.9 | 8.7 | 0.5 | 0.6 | 0.4 |
| C+D | 88.5 | 36.3 | 19.5 | 7.5 | 2.7 | 2.8 | 5.2 | 4.1 | 4.6 |
| S+D | 82.1 | 66.9 | 42.7 | 35.4 | 21.9 | 13.4 | 12.2 | 7.6 | 4.1 |
| C+S+D | 88.9 | 30.6 | 17.2 | 7.3 | 3.5 | 3.3 | 5.5 | 3.7 | 3.6 |
| TRADES | 84.4 | 81.3 | 59.2 | 53.6 | 26.6 | 17.5 | 22.0 | 8.6 | 5.7 |
- A functional threat model permits large, uniform perturbations that remain imperceptible because every feature with the same value is changed in the same way.
- Combining the additive and functional threat models yields perturbations that are contained in neither model alone.
- ReColorAdv, by applying a single perturbation function to the image colors, reduces the accuracy of a ResNet-32 on CIFAR-10 to 3.0%; combined with the other attacks, it still reduces the accuracy of a model adversarially trained against that same combination to 3.6%.
- The CIELUV color space produces ReColorAdv perturbations that are both stronger and less perceptible than those in RGB, improving attack effectiveness.
- Combining ReColorAdv with StAdv and the delta attack generally yields the strongest attack, including against adversarially trained (TRADES) models, where accuracy drops to 5.7%.
- Grayscale preprocessing is not an effective defense against ReColorAdv and can lower both natural and robust accuracy.
This summary was generated by AI and reviewed by a human editor.