With the wave of the information revolution, the production of visual data has grown explosively, and traditional computer vision technologies have become increasingly unable to meet current needs. Deep learning is now widely used in computer vision fields such as image understanding, action recognition, medical imaging, UAVs, and self-driving, and its remarkable performance has had a far-reaching impact on society. However, the development of visual adversarial attack techniques, such as adversarial example attacks and deepfake attacks, makes it possible for deep learning to be exploited by malicious attackers. This poses a significant threat to the application of deep vision systems. Therefore, to better evaluate the robustness of deep vision systems against such threats, it is necessary to investigate adversarial attack techniques.

In this paper, we investigate adversarial attack techniques from both the adversary and the user perspectives. From the adversary perspective, we analyze the shortcomings of existing adversarial attack methods and broaden the application scenarios of attacks by designing new adversarial attack algorithms. From the user perspective, we uphold the principle of AI for social good and develop effective deepfake detection algorithms that use the characteristics of adversarial samples to protect users from deepfake attacks. The main contributions are as follows:

1. A new targeted adversarial attack method is proposed. Most existing adversarial attack methods focus on non-targeted settings, and research on targeted adversarial attacks is lacking. In real-world applications, however, targeted attacks are often more threatening. We show that targeted attacks are significantly harder than non-targeted attacks, and that simply extending non-targeted attacks to the targeted setting results in low attack success rates. To address this issue, we provide an in-depth analysis of the characteristics of targeted attacks from both theoretical and experimental perspectives and identify the reasons that constrain the attack success rate under the targeted setting. Based on our findings, we introduce the Poincaré distance metric and a triplet loss to overcome these constraints and effectively improve the targeted attack success rate. Our experiments on several large-scale ImageNet pre-trained models with different structures confirm the superiority of our approach.

2. An efficient universal adversarial perturbation generation method is proposed. Image-specific adversarial attacks require individual optimization for each input sample, which makes generation costly. To solve this issue, we develop a novel universal adversarial attack method in which only one perturbation is needed to generate adversarial examples. We combine the benefits of image-specific adversarial attacks with universal adversarial perturbations and incorporate a consistency regularity to increase the effectiveness of the universal adversarial perturbations. In addition, we extend our method to the unsupervised setting, which greatly reduces the data dependence of universal adversarial attacks.

3. A deepfake detection algorithm based on adversarial de-biasing is proposed. More and more temporal models are being introduced into deepfake video detection. However, we find that existing temporal models in deepfake video detection cannot make good use of temporal information; instead, their decisions rely on spatial information. To address this problem, we propose to use the idea of adversarial attack to perform targeted erasure of overly simple spatial features in the samples, while helping the model retain more temporal information through an auxiliary task. In intra-dataset and cross-dataset detection experiments with multiple datasets, our method demonstrates excellent temporal information mining ability and improves the detection of deepfake videos.