Adversarial sample generation method based on generative adversarial network

Abstract

The invention discloses an adversarial sample generation method based on a generative adversarial network. The adversarial sample generation method comprises a generator G, a discriminator D, a spacetransformation module ST and a target classification network F, wherein the generator G generates disturbance, superposes the disturbance to an original sample to generate an adversarial sample, thentrains the generator G according to the discriminator D and a loss function of the target classification network F to finally obtain a trained generator G, and generates adaptive adversarial samples for different input samples by using the trained generator G. According to the adversarial sample generation method, the generative adversarial network is utilized, and the enhancement module based onspatial transformation is embedded, and adversarial training is carried out in an unsupervised mode, and the generalization ability and robustness of an attack model are improved, and then the mobility and robustness of adversarial samples are enhanced.

Description

technical field [0001] The present invention relates to the field of machine learning, and more specifically, to a method for generating an adversarial example based on a generative adversarial network. Background technique [0002] Adversarial attacks are a hot topic in the field of machine learning. The principle of adversarial attack is to deceive the deep neural network to make wrong judgments by adversarial samples (new samples obtained by adding carefully trained tiny perturbations that are imperceptible to the human eye to the original data samples). [0003] Most of the current attack algorithms based on deep neural networks (such as gradient-based and optimization-based methods) are aimed at the test process or test data set, and require white-box access to the model's architecture and parameters all the time (such as getting and input The associated gradient requires knowledge of the weights of the target network). However, current deep learning systems usually d...

AI Technical Summary

Problems solved by technology

[0005] In summary, although existing studies have proved that existing attack methods have certain transferability between neural networks with the same structure trained on different data, and between neural networks with different structures trained on the same task, such as [1] Goodfellow I J, Shlens J, Szegedy C, et al. Explaining and Harnessing Adversarial Examples [J]. International Conference on Learning Representations, 2015, Literature [2] Kurakin A, Goodfellow I J, Bengio S, et al. Adversarial examples in the physical world [J ].arXiv:Computer Vision and Pattern Recognition,2017, literature [3]Moosavidezfooli S,Fawzi A,Frossard P,et al.DeepFool:A Simple and Accurate Method to Fool Deep Neural Networks[J].Computer Vision and Pattern Recognition,2016: 2574-2582 and literature [4] Xiao C, Li B, Zhu J Y, et al. Generating Adversarial Examples with Adversarial Networks [J]. 2018; but there are still adversarial examples that rely too much on the target model, which leads to poor transferability of adversarial examples and successful attacks Low rate, low attack efficiency and other issues

Images