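Paper title: Delving into the Transferability of Adversarial Examples and Black-box Attacks
This post is based on the paper: Delving into Transferable Adversarial Examples and Black-box Attacks
Paper link: arXiv:1611.02770
Non-targeted attack methods
Constraints: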
$$\begin{aligned} f_{\theta}\left(x^{\star}\right) & \neq y \\ d\left(x, x^{\star}\right) & \leq B \end{aligned}$$
Optimization-based method
$$\operatorname{argmin}_{x^{\star}} \lambda d\left(x, x^{\star}\right)-\ell\left(\mathbf{1}_{y}, J_{\theta}\left(x^{\star}\right)\right)$$
where $\ell(u, v)=\log (1-u \cdot v)$
FGS method
$$x^{\star} \leftarrow \operatorname{clip}\left(x+B \operatorname{sgn}\left(\nabla_{x} \ell\left(\mathbf{1}_{y}, J_{\theta}(x)\right)\right)\right)$$
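The FGS update above, worked through as an added example (not code from the paper or the original post) for checking how a model you own responds to a bounded perturbation. It uses the loss $\ell(u, v)=\log(1-u \cdot v)$ from the optimization-based method. The softmax-linear model `W`, `b`, the sample input `x` and the clip range [0, 1] are constructed assumptions.

```python
import math

# Constructed toy model (assumption): J_theta(x) = softmax(W x + b), 3 classes, 4 features.
W = [[ 1.0, -0.5,  0.3,  0.8],
     [-0.6,  0.9, -0.2,  0.1],
     [ 0.2,  0.1,  0.7, -0.9]]
b = [0.0, 0.1, -0.1]

def predict_proba(x):
    """J_theta(x): softmax over the linear logits (shifted by the max for stability)."""
    z = [sum(w * xi for w, xi in zip(row, x)) + bk for row, bk in zip(W, b)]
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def argmax(p):
    return max(range(len(p)), key=p.__getitem__)

def loss(x, y):
    """l(1_y, J_theta(x)) = log(1 - J_theta(x)_y); grows as confidence in y drops."""
    return math.log(1.0 - predict_proba(x)[y])

def loss_grad(x, y):
    """Analytic gradient of log(1 - p_y) w.r.t. x for the softmax-linear model."""
    p = predict_proba(x)
    mean_w = [sum(p[k] * W[k][j] for k in range(len(W))) for j in range(len(x))]
    scale = -p[y] / (1.0 - p[y])
    return [scale * (W[y][j] - mean_w[j]) for j in range(len(x))]

def sgn(v):
    return (v > 0) - (v < 0)

def fgs(x, y, B, lo=0.0, hi=1.0):
    """x* = clip(x + B * sgn(grad_x l)); the clip range [lo, hi] is an assumption."""
    g = loss_grad(x, y)
    return [min(hi, max(lo, xi + B * sgn(gi))) for xi, gi in zip(x, g)]

def linf(a, c):
    """Max-norm distance; a single sign step never moves a coordinate by more than B."""
    return max(abs(ai - ci) for ai, ci in zip(a, c))

# Constructed input, labelled with the model's own clean prediction.
x = [0.6, 0.3, 0.5, 0.6]
y = argmax(predict_proba(x))
x_adv = fgs(x, y, B=0.3)
```
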