2021.12.5 Paper 2 (ICCV 2021): close reading
Paper link: Feature Importance-aware Transferable Adversarial Attacks
Code link: Feature Importance-aware Transferable Adversarial Attacks
Contributions
- Propose Feature Importance-aware Attack (FIA) that enhances the transferability of adversarial examples by disrupting the critical object-aware features that dominate the decision of different models.
- Analyze the rationale behind the relatively low transferability of existing works, i.e., overfitting to model-specific “noisy” features, against which they introduce aggregate gradient to guide the generation of more transferable adversarial examples.
- Extensive experiments on diverse classification models demonstrate the superior transferability of adversarial examples generated by the proposed FIA as compared to state-of-the-art transferable attacking methods.
Methodology
$$\underset{x^{adv}}{\arg\max}\, J(x^{adv}, y)$$
$$s.t.\ \|x - x^{adv}\|_p \leq \epsilon$$
where $x$ is the clean sample, $x^{adv}$ is the adversarial example, $x^{adv} = x + \epsilon$ & $f_{\theta}(x^{adv}) \neq y$, and $J(\cdot,\cdot)$ is the distance between the true label and the predicted label.
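Figure 2 shows the overall framework of FIA.
Specifically, the aggregate gradient is obtained by masking the original image; the aggregate gradient is then normalized and multiplied by the output of the corresponding layer to form the new optimization objective, and the adversarial example is generated with the MIM attack method.
Figure 3 shows that, compared with the original image, the aggregate features and aggregate gradients of images that have gone through multiple transformations are clearer. So how are the features and gradients aggregated? Figure 4 gives the answer:
Part of the input image is randomly masked, and the corresponding gradients are accumulated, which yields the aggregate gradient. Doing so can distort image details but preserve the spatial structure and general texture.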
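The aggregation step described above, as an added example that is not code from the paper or its repository. It assumes a toy model with logit = v · relu(W x); the names `W`, `V`, `X`, `drop_prob` and `n_masks` and all values are constructed for illustration, and the MIM update itself is not shown. It shows why aggregation down-weights a unit that a single backward pass rates as equally important.

```python
import math
import random

def features(W, x):
    """Intermediate-layer output f = W x of the toy model (assumed architecture)."""
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]

def feature_grad(W, v, x):
    """d(logit)/d(f) for logit = v . relu(f): v_j where unit j is active, else 0."""
    return [vj if fj > 0 else 0.0 for vj, fj in zip(v, features(W, x))]

def aggregate_gradient(W, v, x, drop_prob=0.3, n_masks=30, seed=0):
    """Sum feature gradients over randomly masked copies of x, then L2-normalize."""
    rng = random.Random(seed)
    total = [0.0] * len(W)
    for _ in range(n_masks):
        masked = [xi if rng.random() >= drop_prob else 0.0 for xi in x]
        total = [t + g for t, g in zip(total, feature_grad(W, v, masked))]
    norm = math.sqrt(sum(t * t for t in total))
    return [t / norm for t in total] if norm > 0 else total

def weighted_feature_objective(delta, W, x):
    """Sum of (aggregate gradient * layer output), the new optimization objective."""
    return sum(d * f for d, f in zip(delta, features(W, x)))

# Constructed toy data: 6 "pixels" and 4 feature units.
X = [0.9, 0.8, 0.7, 0.6, 0.5, 0.4]
W = [
    [1.0, 1.0, 1.0, 1.0, 1.0, 1.0],        # robust unit: active under any partial mask
    [2.0, -1.0, 0.0, 0.0, 0.0, 0.0],       # fragile unit: active only if pixel 0 survives
    [-1.0, -1.0, -1.0, -1.0, -1.0, -1.0],  # never active
    [0.5, 0.5, 0.5, 0.5, 0.5, 0.5],        # active, but the classifier ignores it (v = 0)
]
V = [1.0, 1.0, 1.0, 0.0]

if __name__ == "__main__":
    # A single backward pass rates the robust and the fragile unit the same.
    print("single-pass gradient:", feature_grad(W, V, X))
    agg = aggregate_gradient(W, V, X)
    # Aggregation lowers the weight of the unit that depends on one pixel.
    print("aggregate gradient  :", [round(a, 3) for a in agg])
    print("objective on clean x:", round(weighted_feature_objective(agg, W, X), 3))
```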
Experimental Evaluation
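Figure 5 shows how different image mask rates and different numbers of aggregated gradients affect the attack success rate.
Figure 6 shows the attack success rate for different layers.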
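Ablation study
Finally, to show that it is the aggregate gradient that improves the transferability of adversarial examples, the paper designs 3 loss functions:
It can be seen that the attack success rate of $L_3$ is clearly higher than that of the others, which also demonstrates the effectiveness of the aggregate gradient.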
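Personal summary
This paper is likewise fairly easy to understand; the line of the writing is clear and the amount of experiments is fairly large, so it is worth learning from.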