| Adversarial examples refer to malicious examples that can attack the neural net-work model and are not easily detected.To enhance the authenticity of the adversarial examples,the concept of semantic adversarial examples is proposed.It only modifies the semantic information of the example,which ensures that the example conforms to the semantics and makes the model output wrong results concurrently.The current gen-eration methods of semantic adversarial examples will make major changes to the image,so the quality of the generated adversarial examples is low.This paper mainly focuses on the generation method of high-quality semantic adversarial examples,and the con-tributions are as follows:Firstly,according to the characteristics of semantic adversarial examples,this paper proposes a novel method for generating semantic adversarial examples based on color perturbation with less image modification.This method can modify the color values of Lab color channel in some areas of the image and limit the modified values to create a semantic adversarial example.Compared with the existing semantic adversarial exam-ple generation methods,our method limits the modification of the color channel value,so that the quality of the generated adversarial examples is higher.Secondly,in order to limit the area where the perturbation is added,we improve the above method,and proposes a dual-semantic adversarial example generation method based on the area lim-itation and color perturbation.By specifying the size of the area where the perturbation is added,this method can automatically select the area with the largest entropy in the image and modify its color to generate adversarial examples.In this way,we solve the shortcomings of modifying the input example too much during the semantic adversarial attack process.Thirdly,in order to make the area for adding perturbation more flexible and generate higher-quality adversarial examples,we propose a dual-semantic adversar-ial example generation method based on object detection and color perturbation.This method can modify the color of other objects without changing the object in the im-age,and then generate the adversarial example.The quality of adversarial examples generated by this method is higher,which is more consistent with people’s perception and harder to be detected.Finally,we propose a general semantic adversarial exam-ple generation framework,which combines the advantages of the three methods and compensates for each other’s shortcomings.This method can generate higher-quality semantic adversarial examples with a higher attack success rate.The performances of our proposed four methods are verified through corresponding experiments,including the success rate of adversarial attack,the attack efficiency,the robustness and so on.The experimental results show that our attack success rate has increased by at least 30% compared with the traditional method after Com Defend and Feature Squeezing defense processing. |
PDF Full Text Request