
Research On Adversarial Attack Methods Based On Hard Labels

Posted on: 2024-05-25
Degree: Master
Type: Thesis
Country: China
Candidate: D Wang
Full Text: PDF
GTID: 2568307067473014
Subject: Computer technology
Abstract/Summary:
An adversarial attack superimposes carefully designed noise on a clean, correctly classified sample so that the neural network misclassifies it. Hard-label adversarial attacks generate adversarial examples by sending queries to the target network and using only the hard label (the predicted class) it returns. In the real world the attacker usually cannot obtain the probability distribution the network outputs and can often obtain only the hard label, so the robustness of neural networks against decision-based black-box attacks is the more practical problem.

Black-box adversarial attack methods based on hard labels fall into two main research directions: (1) estimating the gradient at adversarial images on the decision boundary in order to generate adversarial examples with high query utilization and rapid reduction of distortion; this is also known as the boundary attack (BA) method, and using only hard-label information it can achieve a 100% attack success rate; (2) attacking only the important pixels that influence the network's decision, with algorithms proposed to reduce the number of dimensions that must be attacked.

This thesis focuses on these two directions of hard-label adversarial attacks, and the specific work is as follows:

(1) A boundary attack method based on Latin Hypercube Sampling (LHS-BA) is proposed. Latin hypercube sampling is used to estimate the gradient direction, and adversarial examples are generated by querying the target model for hard labels only, achieving high query utilization and rapid distortion reduction. LHS-BA has the following advantages: (i) it further saves queries by estimating the gradient direction efficiently: the noise vectors drawn by Latin hypercube sampling are uniformly dispersed, so they represent the sampling space well and improve the accuracy of the estimated gradient direction; (ii) the experimental results show that the adversarial examples generated by LHS-BA have lower distortion and achieve better attack performance.

(2) A Specific to Large-Size Image Attack (SLIA) is proposed. The SLIA algorithm is aimed specifically at large-size image datasets such as ImageNet and generates adversarial examples with fewer model queries. SLIA has the following advantages: (i) it significantly reduces query complexity: only the gradient direction of the low-frequency band of the image is estimated and perturbed, reducing the number of dimensions to be optimized to 1/4; (ii) in the untargeted attack initialization, SLIA replaces the low-frequency band of the original image with uniformly sampled random noise, which preserves more details of the original sample while keeping the network's classification wrong; (iii) extensive experiments on the ImageNet dataset show that the proposed SLIA performs best in distortion reduction and achieves better attack performance.
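The following is an added example, not code from the thesis, illustrating the two mechanisms the abstract describes: decision-based gradient-direction estimation from hard labels at a boundary point, with the probe noise drawn by Latin hypercube sampling (the LHS-BA idea) and confined to the low-frequency DCT band so that only 1/4 of the pixel dimensions are optimized (the SLIA idea). Everything here is constructed for illustration: the 8x8 image size, the linear hard-label target model whose decision direction is a smooth image, the zero image used as the boundary point, and the HopSkipJump-style Monte Carlo estimator standing in for whatever estimator the thesis uses. The SLIA untargeted initialization step is not shown.

```python
# Added example, not the thesis's code: hard-label (decision-based) gradient
# direction estimation with Latin hypercube sampled noise restricted to the
# low-frequency DCT band. Target model, image size and budget are constructed.
import math
import random
from statistics import NormalDist

H = W = 8                        # toy image size (assumption)
D_FULL = H * W                   # 64 pixel dimensions
D_LOW = (H // 2) * (W // 2)      # 16 low-frequency coefficients = 1/4 of D_FULL


def dct_basis(n):
    """Orthonormal DCT-II basis vectors of length n (row k = frequency k)."""
    out = []
    for k in range(n):
        s = math.sqrt(1.0 / n) if k == 0 else math.sqrt(2.0 / n)
        out.append([s * math.cos(math.pi * (2 * i + 1) * k / (2 * n)) for i in range(n)])
    return out


BASIS_H, BASIS_W = dct_basis(H), dct_basis(W)


def low_band_to_pixels(z):
    """Map D_LOW low-frequency coefficients to a flat H*W pixel perturbation.
    The basis is orthonormal, so norms and angles in the band equal those
    of the resulting pixel-space perturbation."""
    img = [0.0] * D_FULL
    k = 0
    for u in range(H // 2):
        for v in range(W // 2):
            c, k = z[k], k + 1
            for i in range(H):
                for j in range(W):
                    img[i * W + j] += c * BASIS_H[u][i] * BASIS_W[v][j]
    return img


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def cosine(a, b):
    return dot(a, b) / math.sqrt(dot(a, a) * dot(b, b))


def latin_hypercube_gaussian(n, dim, rng):
    """n x dim noise matrix. Per coordinate, exactly one sample falls in each
    of n equal-probability bins, then is mapped through the inverse normal CDF,
    so a batch covers the space more evenly than i.i.d. Gaussian draws."""
    nd = NormalDist()
    cols = []
    for _ in range(dim):
        bins = list(range(n))
        rng.shuffle(bins)
        cols.append([nd.inv_cdf((b + rng.uniform(1e-6, 1 - 1e-6)) / n) for b in bins])
    return [[cols[d][i] for d in range(dim)] for i in range(n)]


def is_stratified(samples):
    """LHS property check: per coordinate the n samples occupy n distinct bins."""
    n, nd = len(samples), NormalDist()
    return all(len({int(nd.cdf(s[d]) * n) for s in samples}) == n
               for d in range(len(samples[0])))


def gaussian_noise(n, dim, rng):
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n)]


# Constructed target: linear hard-label classifier whose decision direction
# W_PIX is a smooth (low-frequency) image, as natural-image gradients tend to be.
_rng = random.Random(7)
W_PIX = low_band_to_pixels([_rng.uniform(-1.0, 1.0) for _ in range(D_LOW)])


def hard_label(x):
    """All the attacker observes: the predicted class, no scores."""
    return 1 if dot(W_PIX, x) >= 0.0 else 0


def estimate_normal(x_b, oracle, noises, delta=1e-3):
    """HopSkipJump-style estimate of the boundary normal at x_b: query the hard
    label at x_b + delta*u_b, set phi_b = +1 if adversarial (class 1) else -1,
    subtract the batch mean as a baseline and average phi_b * u_b."""
    phis = [1.0 if oracle([x + delta * u for x, u in zip(x_b, n)]) == 1 else -1.0
            for n in noises]
    mean = sum(phis) / len(phis)
    if abs(mean) == 1.0:          # all labels agree: baseline would zero the sum
        mean = 0.0
    v = [0.0] * len(x_b)
    for phi, n in zip(phis, noises):
        for i, u in enumerate(n):
            v[i] += (phi - mean) * u
    return v


def demo(queries=128, seed=1):
    """Cosine between estimated normal and true gradient W_PIX, same query
    budget for: LHS noise in the low band, i.i.d. Gaussian noise in the low
    band, and i.i.d. Gaussian noise over all 64 pixels."""
    rng = random.Random(seed)
    x_b = [0.0] * D_FULL          # on the decision boundary by construction
    lhs_z = latin_hypercube_gaussian(queries, D_LOW, rng)
    lhs_low = [low_band_to_pixels(z) for z in lhs_z]
    gau_low = [low_band_to_pixels(z) for z in gaussian_noise(queries, D_LOW, rng)]
    gau_full = gaussian_noise(queries, D_FULL, rng)
    return {
        "lhs_stratified": is_stratified(lhs_z),
        "lhs_low_band": cosine(estimate_normal(x_b, hard_label, lhs_low), W_PIX),
        "gauss_low_band": cosine(estimate_normal(x_b, hard_label, gau_low), W_PIX),
        "gauss_full_space": cosine(estimate_normal(x_b, hard_label, gau_full), W_PIX),
    }


if __name__ == "__main__":
    for name, val in demo().items():
        print(f"{name:18s} {val}")
```

With 128 queries the low-band estimates align far better with the true gradient than the full-space estimate, because the orthogonal noise the estimator has to average out scales with the number of dimensions probed (16 versus 64), which is the query-complexity argument behind perturbing only the low-frequency band. The stratification check confirms the Latin hypercube batch places exactly one probe in each bin of every coordinate.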
Keywords/Search Tags: Hard label, Adversarial Attack, Computer vision, Image processing