In recent years,with the rapid advancement of artificial intelligence,object detection algorithms have made significant strides in accuracy and computational efficiency.Notably,research and applications of Anchor-Free...In recent years,with the rapid advancement of artificial intelligence,object detection algorithms have made significant strides in accuracy and computational efficiency.Notably,research and applications of Anchor-Free models have opened new avenues for real-time target detection in optical remote sensing images(ORSIs).However,in the realmof adversarial attacks,developing adversarial techniques tailored to Anchor-Freemodels remains challenging.Adversarial examples generated based on Anchor-Based models often exhibit poor transferability to these new model architectures.Furthermore,the growing diversity of Anchor-Free models poses additional hurdles to achieving robust transferability of adversarial attacks.This study presents an improved cross-conv-block feature fusion You Only Look Once(YOLO)architecture,meticulously engineered to facilitate the extraction ofmore comprehensive semantic features during the backpropagation process.To address the asymmetry between densely distributed objects in ORSIs and the corresponding detector outputs,a novel dense bounding box attack strategy is proposed.This approach leverages dense target bounding boxes loss in the calculation of adversarial loss functions.Furthermore,by integrating translation-invariant(TI)and momentum-iteration(MI)adversarial methodologies,the proposed framework significantly improves the transferability of adversarial attacks.Experimental results demonstrate that our method achieves superior adversarial attack performance,with adversarial transferability rates(ATR)of 67.53%on the NWPU VHR-10 dataset and 90.71%on the HRSC2016 dataset.Compared to ensemble adversarial attack and cascaded adversarial attack approaches,our method generates adversarial examples in an average of 0.64 s,representing an approximately 14.5%improvement in efficiency under equivalent conditions.展开更多
Deep neural networks are extremely vulnerable to externalities from intentionally generated adversarial examples which are achieved by overlaying tiny noise on the clean images.However,most existing transfer-based att...Deep neural networks are extremely vulnerable to externalities from intentionally generated adversarial examples which are achieved by overlaying tiny noise on the clean images.However,most existing transfer-based attack methods are chosen to add perturbations on each pixel of the original image with the same weight,resulting in redundant noise in the adversarial examples,which makes them easier to be detected.Given this deliberation,a novel attentionguided sparse adversarial attack strategy with gradient dropout that can be readily incorporated with existing gradient-based methods is introduced to minimize the intensity and the scale of perturbations and ensure the effectiveness of adversarial examples at the same time.Specifically,in the gradient dropout phase,some relatively unimportant gradient information is randomly discarded to limit the intensity of the perturbation.In the attentionguided phase,the influence of each pixel on the model output is evaluated by using a soft mask-refined attention mechanism,and the perturbation of those pixels with smaller influence is limited to restrict the scale of the perturbation.After conducting thorough experiments on the NeurIPS 2017 adversarial dataset and the ILSVRC 2012 validation dataset,the proposed strategy holds the potential to significantly diminish the superfluous noise present in adversarial examples,all while keeping their attack efficacy intact.For instance,in attacks on adversarially trained models,upon the integration of the strategy,the average level of noise injected into images experiences a decline of 8.32%.However,the average attack success rate decreases by only 0.34%.Furthermore,the competence is possessed to substantially elevate the attack success rate by merely introducing a slight degree of perturbation.展开更多
Deep neural networks remain susceptible to adversarial examples,where the goal of an adversarial attack is to introduce small perturbations to the original examples in order to confuse the model without being easily d...Deep neural networks remain susceptible to adversarial examples,where the goal of an adversarial attack is to introduce small perturbations to the original examples in order to confuse the model without being easily detected.Although many adversarial attack methods produce adversarial examples that have achieved great results in the whitebox setting,they exhibit low transferability in the black-box setting.In order to improve the transferability along the baseline of the gradient-based attack technique,we present a novel Stochastic Gradient Accumulation Momentum Iterative Attack(SAMI-FGSM)in this study.In particular,during each iteration,the gradient information is calculated using a normal sampling approach that randomly samples around the sample points,with the highest probability of capturing adversarial features.Meanwhile,the accumulated information of the sampled gradient from the previous iteration is further considered to modify the current updated gradient,and the original gradient attack direction is changed to ensure that the updated gradient direction is more stable.Comprehensive experiments conducted on the ImageNet dataset show that our method outperforms existing state-of-the-art gradient-based attack techniques,achieving an average improvement of 10.2%in transferability.展开更多
This paper focuses on an important type of black-box attacks,i.e.,transfer-based adversarial attacks,where the adversary generates adversarial examples using a substitute(source)model and utilizes them to attack an un...This paper focuses on an important type of black-box attacks,i.e.,transfer-based adversarial attacks,where the adversary generates adversarial examples using a substitute(source)model and utilizes them to attack an unseen target model,without knowing its information.Existing methods tend to give unsatisfactory adversarial transferability when the source and target models are from different types of DNN architectures(e.g.,ResNet-18 and Swin Transformer).In this paper,we observe that the above phenomenon is induced by the output inconsistency problem.To alleviate this problem while effectively utilizing the existing DNN models,we propose a common knowledge learning(CKL)framework to learn better network weights to generate adversarial examples with better transferability,under fixed network architectures.Specifically,to reduce the model-specific features and obtain better output distributions,we construct a multi-teacher framework,where the knowledge is distilled from different teacher architectures into one student network.By considering that the gradient of input is usually utilized to generate adversarial examples,we impose constraints on the gradients between the student and teacher models,to further alleviate the output inconsistency problem and enhance the adversarial transferability.Extensive experiments demonstrate that our proposed work can significantly improve the adversarial transferability.展开更多
文摘In recent years,with the rapid advancement of artificial intelligence,object detection algorithms have made significant strides in accuracy and computational efficiency.Notably,research and applications of Anchor-Free models have opened new avenues for real-time target detection in optical remote sensing images(ORSIs).However,in the realmof adversarial attacks,developing adversarial techniques tailored to Anchor-Freemodels remains challenging.Adversarial examples generated based on Anchor-Based models often exhibit poor transferability to these new model architectures.Furthermore,the growing diversity of Anchor-Free models poses additional hurdles to achieving robust transferability of adversarial attacks.This study presents an improved cross-conv-block feature fusion You Only Look Once(YOLO)architecture,meticulously engineered to facilitate the extraction ofmore comprehensive semantic features during the backpropagation process.To address the asymmetry between densely distributed objects in ORSIs and the corresponding detector outputs,a novel dense bounding box attack strategy is proposed.This approach leverages dense target bounding boxes loss in the calculation of adversarial loss functions.Furthermore,by integrating translation-invariant(TI)and momentum-iteration(MI)adversarial methodologies,the proposed framework significantly improves the transferability of adversarial attacks.Experimental results demonstrate that our method achieves superior adversarial attack performance,with adversarial transferability rates(ATR)of 67.53%on the NWPU VHR-10 dataset and 90.71%on the HRSC2016 dataset.Compared to ensemble adversarial attack and cascaded adversarial attack approaches,our method generates adversarial examples in an average of 0.64 s,representing an approximately 14.5%improvement in efficiency under equivalent conditions.
基金Fundamental Research Funds for the Central Universities,China(No.2232021A-10)Shanghai Sailing Program,China(No.22YF1401300)+1 种基金Natural Science Foundation of Shanghai,China(No.20ZR1400400)Shanghai Pujiang Program,China(No.22PJ1423400)。
文摘Deep neural networks are extremely vulnerable to externalities from intentionally generated adversarial examples which are achieved by overlaying tiny noise on the clean images.However,most existing transfer-based attack methods are chosen to add perturbations on each pixel of the original image with the same weight,resulting in redundant noise in the adversarial examples,which makes them easier to be detected.Given this deliberation,a novel attentionguided sparse adversarial attack strategy with gradient dropout that can be readily incorporated with existing gradient-based methods is introduced to minimize the intensity and the scale of perturbations and ensure the effectiveness of adversarial examples at the same time.Specifically,in the gradient dropout phase,some relatively unimportant gradient information is randomly discarded to limit the intensity of the perturbation.In the attentionguided phase,the influence of each pixel on the model output is evaluated by using a soft mask-refined attention mechanism,and the perturbation of those pixels with smaller influence is limited to restrict the scale of the perturbation.After conducting thorough experiments on the NeurIPS 2017 adversarial dataset and the ILSVRC 2012 validation dataset,the proposed strategy holds the potential to significantly diminish the superfluous noise present in adversarial examples,all while keeping their attack efficacy intact.For instance,in attacks on adversarially trained models,upon the integration of the strategy,the average level of noise injected into images experiences a decline of 8.32%.However,the average attack success rate decreases by only 0.34%.Furthermore,the competence is possessed to substantially elevate the attack success rate by merely introducing a slight degree of perturbation.
基金supported in part by the National Natural Science Foundation(62202118,U24A20241)in part by Major Scientific and Technological Special Project of Guizhou Province([2024]014,[2024]003)+1 种基金in part by Scientific and Technological Research Projects from Guizhou Education Department(Qian jiao ji[2023]003)in part by Guizhou Science and Technology Department Hundred Level Innovative Talents Project(GCC[2023]018).
文摘Deep neural networks remain susceptible to adversarial examples,where the goal of an adversarial attack is to introduce small perturbations to the original examples in order to confuse the model without being easily detected.Although many adversarial attack methods produce adversarial examples that have achieved great results in the whitebox setting,they exhibit low transferability in the black-box setting.In order to improve the transferability along the baseline of the gradient-based attack technique,we present a novel Stochastic Gradient Accumulation Momentum Iterative Attack(SAMI-FGSM)in this study.In particular,during each iteration,the gradient information is calculated using a normal sampling approach that randomly samples around the sample points,with the highest probability of capturing adversarial features.Meanwhile,the accumulated information of the sampled gradient from the previous iteration is further considered to modify the current updated gradient,and the original gradient attack direction is changed to ensure that the updated gradient direction is more stable.Comprehensive experiments conducted on the ImageNet dataset show that our method outperforms existing state-of-the-art gradient-based attack techniques,achieving an average improvement of 10.2%in transferability.
基金supported in part by the National Natural Science Foundation of China(Grant Nos.62272020 and U20B2069)in part by the State Key Laboratory of Complex&Critical Software Environment(SKLSDE2023ZX-16)in part by the Fundamental Research Funds for Central Universities.
文摘This paper focuses on an important type of black-box attacks,i.e.,transfer-based adversarial attacks,where the adversary generates adversarial examples using a substitute(source)model and utilizes them to attack an unseen target model,without knowing its information.Existing methods tend to give unsatisfactory adversarial transferability when the source and target models are from different types of DNN architectures(e.g.,ResNet-18 and Swin Transformer).In this paper,we observe that the above phenomenon is induced by the output inconsistency problem.To alleviate this problem while effectively utilizing the existing DNN models,we propose a common knowledge learning(CKL)framework to learn better network weights to generate adversarial examples with better transferability,under fixed network architectures.Specifically,to reduce the model-specific features and obtain better output distributions,we construct a multi-teacher framework,where the knowledge is distilled from different teacher architectures into one student network.By considering that the gradient of input is usually utilized to generate adversarial examples,we impose constraints on the gradients between the student and teacher models,to further alleviate the output inconsistency problem and enhance the adversarial transferability.Extensive experiments demonstrate that our proposed work can significantly improve the adversarial transferability.
