✅博主简介:擅长数据搜集与处理、建模仿真、程序设计、仿真代码、论文写作与指导,毕业论文、期刊论文经验交流。
✅成品或者定制,扫描文章底部微信二维码。
(1) 基于差分进化与C&W攻击结合的通用对抗样本生成算法
深度学习模型在图像分类、目标检测等任务中取得了卓越的性能,但研究表明这些模型对精心设计的对抗扰动十分敏感,在输入样本上添加人眼难以察觉的微小扰动就可能导致模型产生错误的预测结果。现有的对抗样本生成方法存在普适性不强、需要大量访问被攻击网络、攻击成本高等问题。本研究提出了基于差分进化算法与C&W攻击结合的通用对抗样本生成方法,该方法分为两个阶段协同工作,有效提升对抗攻击的成功率和效率。第一阶段利用差分进化算法对原始样本进行预处理,寻找图像中容易被攻击的敏感区域。差分进化是一种高效的全局优化算法,通过种群的变异、交叉和选择操作在搜索空间中寻找最优解。在敏感点搜索过程中,将图像的像素位置编码为个体,以扰动该位置后模型输出置信度的变化作为适应度函数,通过多代进化找到对模型决策影响最大的敏感像素点。在识别出的敏感点上添加随机扰动生成初始对抗样本,作为后续精细化攻击的起点。第二阶段基于初始对抗样本构建C&W攻击的目标函数和损失函数,C&W攻击是一种基于优化的强力攻击方法,通过最小化扰动幅度和最大化攻击效果的联合目标生成对抗样本。采用Adam优化器对损失函数进行迭代优化,自适应调整学习率加快收敛速度。两阶段方法的优势在于,差分进化预处理提供了良好的初始化,使C&W攻击从更接近最优解的位置开始搜索,减少了优化迭代次数和网络查询次数。实验结果表明,该算法生成的对抗样本具有更高的攻击成功率和更好的可迁移性,同时显著降低了攻击成本。
(2) 基于改进差分进化的自适应黑盒攻击算法
在实际应用场景中,攻击者通常无法获取目标模型的内部结构和参数信息,只能通过查询模型获得输入输出的对应关系,这种场景被称为黑盒攻击。黑盒攻击的主要挑战在于如何在有限的查询次数内找到有效的对抗扰动,降低攻击成本。本研究提出了基于改进差分进化的自适应黑盒攻击算法,通过对差分进化算法的关键参数和操作进行优化,提升黑盒环境下的攻击效率。在缩放因子的设计上,传统差分进化采用固定的缩放因子,难以平衡全局探索和局部开发的需求。本研究提出自适应缩放因子策略,根据产生差分向量的两个个体之间的距离动态调整缩放因子,当两个个体距离较远时采用较小的缩放因子以保持搜索的稳定性,当两个个体距离较近时采用较大的缩放因子以增强局部搜索能力。在交叉概率因子的设计上,利用个体的适应度值自适应控制交叉概率的变化,适应度较好的个体采用较小的交叉概率以保留优秀基因,适应度较差的个体采用较大的交叉概率以引入新的遗传信息。在变异策略上,设计了兼顾全局搜索和局部开发能力的新型变异算子,在种群最优个体和随机个体之间进行差分变异,既能利用最优个体的引导作用加快收敛,又能保持种群的多样性避免早熟收敛。实验结果表明,改进的差分进化算法在保证攻击时间和查询次数不受影响的前提下,显著提高了黑盒攻击的成功率,为深度学习模型的安全性评估提供了有效的技术手段。
(3) 对抗样本攻击的可迁移性增强与防御对策分析
对抗样本的可迁移性是指针对一个模型生成的对抗样本能够成功攻击其他未知模型的能力,这种特性使得攻击者可以在本地模型上生成对抗样本,然后迁移攻击部署在云端的目标模型,大大降低了攻击的门槛。本研究深入分析了影响对抗样本可迁移性的关键因素,并提出了增强可迁移性的技术策略。研究发现,对抗扰动的可迁移性与扰动所影响的特征层次密切相关,作用于底层通用特征的扰动具有更好的可迁移性,而作用于高层任务特定特征的扰动可迁移性较差。基于这一发现,提出了多层特征攻击策略,在生成对抗样本时同时优化多个特征层的扰动目标,使生成的扰动能够影响不同层次的特征表示,增强对不同模型架构的迁移攻击能力。
import numpy as np import torch import torch.nn as nn import torch.nn.functional as F import torch.optim as optim from torchvision import models class DifferentialEvolution: def __init__(self, population_size=50, max_generations=100, F=0.5, CR=0.9): self.population_size = population_size self.max_generations = max_generations self.F = F self.CR = CR def initialize_population(self, dim, bounds): population = np.random.uniform(bounds[0], bounds[1], (self.population_size, dim)) return population def adaptive_scaling_factor(self, individual1, individual2): distance = np.linalg.norm(individual1 - individual2) max_distance = np.sqrt(len(individual1)) normalized_distance = distance / max_distance adaptive_F = self.F * (1 + 0.5 * (1 - normalized_distance)) return np.clip(adaptive_F, 0.1, 1.0) def adaptive_crossover_rate(self, fitness, best_fitness, worst_fitness): if best_fitness == worst_fitness: return self.CR normalized_fitness = (fitness - worst_fitness) / (best_fitness - worst_fitness + 1e-8) adaptive_CR = self.CR * (1 - 0.5 * normalized_fitness) return np.clip(adaptive_CR, 0.1, 1.0) def mutate(self, population, target_idx, best_idx): indices = list(range(self.population_size)) indices.remove(target_idx) r1, r2 = np.random.choice(indices, 2, replace=False) F_adaptive = self.adaptive_scaling_factor(population[r1], population[r2]) mutant = population[best_idx] + F_adaptive * (population[r1] - population[r2]) return mutant def crossover(self, target, mutant, CR): dim = len(target) trial = np.copy(target) j_rand = np.random.randint(dim) for j in range(dim): if np.random.rand() < CR or j == j_rand: trial[j] = mutant[j] return trial def evolve(self, fitness_func, dim, bounds): population = self.initialize_population(dim, bounds) fitness = np.array([fitness_func(ind) for ind in population]) for generation in range(self.max_generations): best_idx = np.argmax(fitness) best_fitness = fitness[best_idx] worst_fitness = np.min(fitness) for i in range(self.population_size): mutant = self.mutate(population, i, best_idx) mutant = np.clip(mutant, bounds[0], bounds[1]) CR_adaptive = self.adaptive_crossover_rate(fitness[i], best_fitness, worst_fitness) trial = self.crossover(population[i], mutant, CR_adaptive) trial_fitness = fitness_func(trial) if trial_fitness > fitness[i]: population[i] = trial fitness[i] = trial_fitness best_idx = np.argmax(fitness) return population[best_idx], fitness[best_idx] class CWAttack: def __init__(self, model, c=1.0, kappa=0, max_iterations=1000, learning_rate=0.01): self.model = model self.c = c self.kappa = kappa self.max_iterations = max_iterations self.learning_rate = learning_rate def attack(self, image, target_class): self.model.eval() w = torch.zeros_like(image, requires_grad=True) optimizer = optim.Adam([w], lr=self.learning_rate) best_adv = None best_l2 = float('inf') for iteration in range(self.max_iterations): adv_image = 0.5 * (torch.tanh(w) + 1) l2_dist = torch.sum((adv_image - image) ** 2) outputs = self.model(adv_image) target_logit = outputs[0, target_class] max_other_logit = torch.max(torch.cat([outputs[0, :target_class], outputs[0, target_class+1:]])) f_loss = torch.clamp(max_other_logit - target_logit + self.kappa, min=0) total_loss = l2_dist + self.c * f_loss optimizer.zero_grad() total_loss.backward() optimizer.step() if f_loss.item() == 0 and l2_dist.item() < best_l2: best_l2 = l2_dist.item() best_adv = adv_image.detach().clone() return best_adv class DECWAttack: def __init__(self, model, num_classes=1000): self.model = model self.num_classes = num_classes self.de = DifferentialEvolution(population_size=30, max_generations=50) self.cw = CWAttack(model, c=1.0) def find_sensitive_points(self, image, original_class): image_np = image.detach().cpu().numpy().flatten() def fitness_func(perturbation_mask): perturbed = image.clone() mask = perturbation_mask.reshape(image.shape) noise = torch.randn_like(image) * 0.1 perturbed = perturbed + torch.from_numpy(mask).float() * noise perturbed = torch.clamp(perturbed, 0, 1) with torch.no_grad(): outputs = self.model(perturbed) original_conf = outputs[0, original_class].item() return 1 - original_conf dim = image.numel() best_mask, _ = self.de.evolve(fitness_func, dim, bounds=(0, 1)) return best_mask.reshape(image.shape) def attack(self, image, original_class, target_class): sensitive_mask = self.find_sensitive_points(image, original_class) noise = torch.randn_like(image) * 0.05 initial_adv = image + torch.from_numpy(sensitive_mask).float() * noise initial_adv = torch.clamp(initial_adv, 0, 1) initial_adv.requires_grad = True final_adv = self.cw.attack(initial_adv, target_class) return final_adv class AdaptiveBlackBoxAttack: def __init__(self, query_func, max_queries=10000): self.query_func = query_func self.max_queries = max_queries self.query_count = 0 def attack(self, image, target_class, epsilon=0.05): best_adv = image.clone() best_score = self.query_model(image, target_class) population_size = 20 dim = image.numel() population = [image.clone() + torch.randn_like(image) * epsilon for _ in range(population_size)] fitness = [self.query_model(ind, target_class) for ind in population] while self.query_count < self.max_queries: best_idx = np.argmax(fitness) if fitness[best_idx] > best_score: best_score = fitness[best_idx] best_adv = population[best_idx].clone() if best_score > 0.9: break new_population = [] for i in range(population_size): indices = list(range(population_size)) indices.remove(i) r1, r2 = np.random.choice(indices, 2, replace=False) distance = torch.norm(population[r1] - population[r2]).item() F = 0.5 * (1 + 0.5 * np.exp(-distance)) mutant = population[best_idx] + F * (population[r1] - population[r2]) mutant = torch.clamp(mutant, 0, 1) mutant = torch.clamp(mutant, image - epsilon, image + epsilon) new_population.append(mutant) population = new_population fitness = [self.query_model(ind, target_class) for ind in population] return best_adv def query_model(self, image, target_class): self.query_count += 1 confidence = self.query_func(image) return confidence[target_class].item() class TransferableAttack: def __init__(self, models_list, epsilon=0.03, num_iterations=100): self.models = models_list self.epsilon = epsilon self.num_iterations = num_iterations def ensemble_gradient(self, image, target_class): total_grad = torch.zeros_like(image) for model in self.models: model.eval() image_var = image.clone().requires_grad_(True) outputs = model(image_var) loss = F.cross_entropy(outputs, torch.tensor([target_class])) loss.backward() total_grad += image_var.grad.data return total_grad / len(self.models) def attack(self, image, target_class): adv_image = image.clone() alpha = self.epsilon / self.num_iterations for _ in range(self.num_iterations): grad = self.ensemble_gradient(adv_image, target_class) adv_image = adv_image - alpha * grad.sign() adv_image = torch.clamp(adv_image, image - self.epsilon, image + self.epsilon) adv_image = torch.clamp(adv_image, 0, 1) return adv_image class MultiLayerAttack: def __init__(self, model, layer_names, epsilon=0.03): self.model = model self.layer_names = layer_names self.epsilon = epsilon self.hooks = [] self.activations = {} def register_hooks(self): def get_activation(name): def hook(model, input, output): self.activations[name] = output return hook for name, module in self.model.named_modules(): if name in self.layer_names: self.hooks.append(module.register_forward_hook(get_activation(name))) def attack(self, image, target_activations): self.register_hooks() adv_image = image.clone().requires_grad_(True) optimizer = optim.Adam([adv_image], lr=0.01) for _ in range(100): optimizer.zero_grad() _ = self.model(adv_image) loss = 0 for name in self.layer_names: if name in target_activations: loss += F.mse_loss(self.activations[name], target_activations[name]) loss.backward() optimizer.step() with torch.no_grad(): adv_image.data = torch.clamp(adv_image.data, image - self.epsilon, image + self.epsilon) adv_image.data = torch.clamp(adv_image.data, 0, 1) for hook in self.hooks: hook.remove() return adv_image.detach() if __name__ == "__main__": model = models.resnet50(pretrained=True) model.eval() de_cw_attack = DECWAttack(model) dummy_image = torch.randn(1, 3, 224, 224) dummy_image = torch.clamp(dummy_image, 0, 1)如有问题,可以直接沟通
👇👇👇👇👇👇👇👇👇👇👇👇👇👇👇👇👇👇👇👇👇👇
