针对视频分类模型的共轭梯度攻击

Adversarial attacks on videos based on the conjugate gradient method

  • 摘要: 基于深度神经网络的视频分类模型目前应用广泛,然而最近的研究表明,深度神经网络极易受到对抗样本的欺骗. 这类对抗样本含有对人类来说难以察觉的噪声,而其存在对深度神经网络的安全性构成严重威胁. 尽管目前已经针对图像的对抗样本产生了相当多的研究,针对视频的对抗攻击仍存在复杂性. 通常的对抗攻击采用快速梯度符号方法(FGSM),然而该方法生成的对抗样本攻击成功率低,以及易被察觉,隐蔽性不足. 为解决这两个问题,本文受非线性共轭梯度下降法(FR–CG)启发,提出一种针对视频模型的非线性共轭梯度攻击方法. 该方法通过松弛约束条件,令搜索步长满足强Wolfe条件,保证了每次迭代的搜索方向与目标函数损失值上升的方向一致. 针对UCF-101的实验结果表明,在扰动上界设置为3/255时,本文攻击方法具有91%的攻击成功率. 同时本文方法在各个扰动上界下的攻击成功率均比FGSM方法高,且具有更强的隐蔽性,在攻击成功率与运行时间之间实现了良好的平衡.

     

    Abstract: Deep neural network-based video classification models enjoy widespread use because of their superior performance on visual tasks. However, with its broad-based application comes a deep-rooted concern about its security aspect. Recent research signals highlight these models’ high susceptibility to deception by adversarial examples. These adversarial examples, subtly laced with humanly imperceptible noise, escape the scope of human detection while posing a substantial risk to the integrity and security of these deep neural network constructs. Considerable research has been directed toward image-based adversarial examples, resulting in notable advances in understanding and combating such adversarial attacks within that scope. However, video-based adversarial attacks highlight a different landscape of complexities and challenges. The nuances of motion information, temporal coherence, and frame-to-frame correlation introduce a multidimensional battlefield, necessitating purpose-built solutions. The most straightforward implementation of adversarial attacks uses the fast gradient sign method (FGSM). Unfortunately, FGSM attacks lack several respects: the attack success rates are far from satisfactory, they are frequently easily identifiable, and their stealth measures do not pass muster in rigorous environments. Therefore, this study introduces a novel nonlinear conjugate gradient attack method inspired by the nonlinear conjugate gradient descent method. By relaxing the search step size constraints to comply with the strong Wolfe conditions, we aimed to maintain pace with the increasing loss value of our objective function. This critical enhancement helps maintain the trajectory of each iteration’s search direction and the simultaneous increase in the loss value, thereby yielding more consistent results, which ensures that our attack method can achieve a high attack success rate and concealment after each iteration. Further invigorating testament to our approach’s efficacy came through experimental results on the UCF101 dataset, underlining an impressive 91% attack success rate when the perturbation upper limit is 3/255. Our method consistently and markedly outshone the FGSM in attack success rates across various perturbation thresholds—even as it offered superior stealth. More critically, it allowed us to strike an effective balance between the attack success rate and runtime, a potent recipe for a disruptive contribution to the fraternity of adversarial attacks in video classification models. This adversarial attack method considers generating video adversarial examples from an optimization perspective. This represents a step forward in the ongoing drive to develop robust, reliable, and efficient techniques to understand adversarial attacks, specifically for deep neural network-based video classification models.

     

/

返回文章
返回