机器学习安全:图像多分类任务的测试时对抗样本转移攻击实战(一)

Content

[Contribution Declaration](#Contribution Declaration)

Introduction

Method

Experiment

Settings

[Results and Discussion](#Results and Discussion)

[(1) Training and Single sample attack(Surrogate model, No ensemble for attack sample generation):Error-generic(1-100)](#(1) Training and Single sample attack(Surrogate model, No ensemble for attack sample generation):Error-generic(1-100))

[(2) Error-specific attack(51-100)](#(2) Error-specific attack(51-100))

[(3) Hyperparameters Setting: alpha(step size), steps(step count), momentum(employed in Momentum Iterative PGD)](#(3) Hyperparameters Setting: alpha(step size), steps(step count), momentum(employed in Momentum Iterative PGD))

[(4) Evaluate adversarial attack performance on "ground truth" model(No ensemble, transfer attack)](#(4) Evaluate adversarial attack performance on “ground truth” model(No ensemble, transfer attack))

[(5) Use Ensemble Adversarial Attack Method based on ResNet18 and VGG-11-BN and evaluate on surrogate/"ground truth" model](#(5) Use Ensemble Adversarial Attack Method based on ResNet18 and VGG-11-BN and evaluate on surrogate/”ground truth” model)

[Surrogate Model Case](#Surrogate Model Case)

["Ground Truth" Model Case](#“Ground Truth” Model Case)

Conclusion


Contribution Declaration

Code implementation framework is provided by the other group member, I revise the code, optimize the training process to actually implement training and evaluation on NVIDIA GPUs, correct testing ground-truth label marking, expand the code to support testing adversarial attack effect with different hyperparameter settings, do transfer attack robustness analysis, add figure and table recording functions. By the way, I offer a batch-samples based addversarial attack mode to accelerate attack process and lower costs. Notice that normalization is necessary and standardization is critical.

Introduction

This is a task aiming to carry out transfer adversarial attack and craft perturbation on the 3x32x32(CHW) images from CIFAR10 dataset. The basic task is a image classification task and the targeted model is not seen by attackers and hence use surrogate models to generate adversarial examples.

We choose ResNet18 and VGG-11-BN as two robust surrogate models and use Momentum Iterative PGD method with L-infinity norm restraint within a given budget epsilon. And then we do attack test on surrogate models to roughly verify attack effectiveness. 10000 images from 10 even distributed classes in CIFAR10 are used for surrogate model training and 100 images are used for adversarial attack testing.

Our innovation points including:

(1)Discussing relation between attack budget epsilon and ASR(Attack Success Rate) to check model robustness and verify attack effectiveness;

(2)Discussing about impacts of PGD step, PGD iteration count and momentum on ASR;

(3)Discussing about ensemble strategy for adversarial attack sample generation and generalization consideration in transfer attack scenario;

(4) Discussing about PGD acceleration strategy.

Method

  1. Then we construct training dataset and data loader, start surrogate model training;
  2. Then construct testing dataset and data loader with batch size=1 (BN is invalid in model evaluation mode so it can be larger to accelerate attack), do adversarial attack and evaluate on 1-50 and 51-100 samples with different targets;
  3. Change PGD iteration steps, step size and momentum hyperparameter settings and repeat process (2);
  4. Adjust batch size to 50 (maximum support size) to verify result consistency and accelerate attack speed.

Figure 1 Project Workflow

Experiment

Settings

We run python code on PyCharm IDE, do iteration searching in hyperparameter space under variable control setting (change one by one) , including adversarial attack budget epsilon, PGD step size, PGD iteration count and momentum of MIPGD.

Results and Discussion

(1) Training and Single sample attack(Surrogate model, No ensemble for attack sample generation):Error-generic(1-100)

Training Result on the left, an attack result given alpha=0.01, steps=25, momentum=0.9 is plotted on the right. It seems that the generalized ability of ResNet18 is still problematic due to accuracy drop from 62% to 29% (without any attack).

For epsilon=8/255, accuracy drops to 11%; epsilon=12/255, drops to 5%; For epsilon of 16/255 and 20/255, the final accuracy drops to about 4% and maintains because there are and are only 4 class-2 (bird) images in all 51-100 test samples. (Batch_Infer=1)

(2) Error-specific attack(51-100)

Below are five 2x2 confusion matrix plots concentrating on all 51-100 test images under five epsilon budget settings to further verify attack effiectiveness.(Batch_Infer=50)

(3) Hyperparameters Setting: alpha(step size), steps(step count), momentum(employed in Momentum Iterative PGD)

Influence of momentum is not obvious for momentum in 0.9, 0.95,0.99; However, steps count makes ASR curve descends faster and AUC smaller and alpha (step size) has a greater impact when epsilon starts from small values, causing some perturbation on the ASR curve especially when steps count is small.(Batch_Infer=50)

(4) Evaluate adversarial attack performance on "ground truth" model(No ensemble, transfer attack)

Obviously, ASR starts from much higher accuracy and has a much larger AUC than surrogate model evaluation. For budget epsilon=20/255, the ASR is 100%-31%=69% while that reaches 100%-4%=96%(ASR upper bound) in the surrogate model case.

(5) Use Ensemble Adversarial Attack Method based on ResNet18 and VGG-11-BN and evaluate on surrogate/"ground truth" model

Surrogate Model Case
"Ground Truth" Model Case

Ensemble adversarial sample generation method indeed enhance the generalization ability of attack, which is interpretable because true data and model distribution is unknown and a more powerful and common model system gets closer to the true model going to be attacked.

What's more, collecting more generalized data such as images from the rest of the CIFAR10 dataset (there are still about 50000 images not imported for surrogate models training), from CIFAR100 or from the well-known ImageNet-2012 dataset may also help a lot.

Conclusion

To conclude,

(1) adversarial attack with L-infinity(maximum) attack greatly depends on epsilon setting and has an epsilon effective boundary relevant to model ability and training data.

(2) Momentum parameter is not so important in MIPGD method and attackers should decide step size and steps count reasonably.

(3) We can employ batch mode adversarial attack to accelerate and lower cost.

(4) Transfer attack usually has lower actual performance after employing surrogation.

(5)Ensemble adversarial attack has a more robust propulsion attack effect practically for attack budget increment under larger epsilon scenario.

相关推荐
国科安芯18 小时前
航天器多路并联大功率电源系统设计与ASP4644均流特性分析
单片机·嵌入式硬件·fpga开发·安全性测试
wumingxiaoyao20 小时前
从 0 开始学 AI:第 2 课,AI、机器学习、深度学习和大模型是什么关系?
人工智能·深度学习·机器学习·ai·大模型·llm
weixin_4000056021 小时前
Vision-Language-Action:LMDrive双损失函数训练模块与 LangAuto 基准评测框架
人工智能·深度学习·算法·机器学习·自动驾驶
phoenix@Capricornus21 小时前
单位球面在线性变换下的像以及线性变换诱导的加权 2-范数的等值面(To 战老师)
线性代数·机器学习·矩阵
shushangyun_1 天前
2026智能采购商城系统选型指南:如何引领企业数字化采购升级
java·大数据·数据库·人工智能·机器学习
z小猫不吃鱼1 天前
03 Optimal Brain Surgeon 详解:Hessian 剪枝为什么有效?
算法·机器学习·剪枝
weixin_400005601 天前
RL-frenet-trajectory-planning-in-CARLA
人工智能·深度学习·算法·机器学习·自动驾驶
大鱼>1 天前
超参数调优进阶:Optuna/Bayesian/Early Stopping
人工智能·学习·机器学习·聚类
z小猫不吃鱼1 天前
02 Optimal Brain Damage 详解:二阶信息剪枝的起点
算法·机器学习·剪枝