Black Box Adversarial Attack Algorithm Based on Deep Reinforcement Learning

Abstract

Abstract: Aiming at the problem of black box adversarial attack in the field of image recognition, a black box adversarial attack algorithm is proposed based on the DDQN framework and Dueling network structure in reinforcement learning. The agent generates an adversarial sample by imitating human adjustment of the image, interacts with the attacked model to obtain misclassification results, and calculates the structural similarity of the clean sample and the adversarial sample to generate a reward. During the attack, only the label output information of the attacked model was obtained. The experimental results show that the success rate of attacking the four deep neural network models trained on the CIFAR10 and CIFAR100 datasets exceeds 90%. The quality of the generated adversarial samples is similar to the white box attack algorithm FGSM and the success rate is more advantageous.

Key words: adversarial samples, black box attacks, deep learning, reinforcement learning

LI Meng, HAN Li-xin. Black Box Adversarial Attack Algorithm Based on Deep Reinforcement Learning[J]. Computer and Modernization, 2021, 0(04): 117-121.

References ［25］

［1］	TAIGMAN Y, YANG M, RANZATO M, et al. DeepFace: Closing the gap to human-level performance in face verification［C］// Proceedings of the 2014 IEEE Conference on Computer Vision and Pattern Recognition. 2014:1701-1708.
［2］	GIRSHICK R, DONAHUE J, DARRELL T, et al. Rich feature hierarchies for accurate object detection and semantic segmentation［C］// Proceedings of the 2014 IEEE Conference on Computer Vision and Pattern Recognition. 2014:580-587.
［3］	DANELLJAN M, HAGER G, KHAN F S, et al. Convolutional features for correlation filter based visual tracking［C］// Proceedings of the 2015 IEEE International Conference on Computer Vision Workshop (ICCVW). 2015:621-629.
［4］	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks［J］. arXiv preprint arXiv:1312.6199, 2013.
［5］	YUAN X Y, HE P, ZHU Q L, et al. Adversarial examples: Attacks and defenses for deep learning［J］. IEEE Transactions on Neural Networks and Learning Systems, 2019,30(9):2805-2824.
［6］	〖KG-*4/5〗CHEN J B, JORDAN M I, WAINWRIGHT M J. HopSkipJumpAttack: A query-efficient decision-based attack［J］. arXiv preprint arXiv:1904.02144, 2019.
［7］	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples［J］. arXiv preprint arXiv:1412.6572, 2014.
［8］	PAPERNOT N, MCDANIEL P, JHA S, et al. The limitations of deep learning in adversarial settings［C］// Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS&P). 2016:372-387.
［9］	CHEN P Y, ZHANG H, SHARMA Y, et al. ZOO: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models［C］// Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security. 2017:15-26.
［10］	SU J W, VARGAS D V, SAKURAI K. One pixel attack for fooling deep neural networks［J］. IEEE Transactions on Evolutionary Computation, 2019,23(5):828-841.
［11］	RITTER S, BARRETT D G T, SANTORO A, et al. Cognitive psychology for deep neural networks: A shape bias case study［C］// Proceedings of the 34th International Conference on Machine Learning. 2017:2940-2949.
［12］	LI Y X. Deep reinforcement learning: An overview［J］. arXiv preprint arXiv:1701.07274, 2017.
［13］	MNIH V, KAVUKCUOGLU K, SILVER D, et al. Human-level control through deep reinforcement learning［J］. Nature, 2015,518(7540):529-533.
［14］	SILVER D, HUANG A, MADDISON C J, et al. Mastering the game of Go with deep neural networks and tree search［J］. Nature, 2016,529(7587):484-489.
［15］	VAN HASSELT H, GUEZ A, SILVER D. Deep reinforcement learning with double Q-Learning［C］// Proceedings of the 30th AAAI Conference on Artificial Intelligence. 2016:2094-2100.
［16］	WANG Z Y, SCHAUL T, HESSEL M, et al. Dueling network architectures for deep reinforcement learning［C］// Proceedings of the 33rd International Conference on Machine Learning. 2016:1995-2003.
［17］	WANG Z, BOVIK A C, SHEIKH H R, et al. Image quality assessment: From error visibility to structural similarity［J］. IEEE Transactions on Image Processing, 2004,13(4):600-612.
［18］	YANG C Y, MA C, YANG M H. Single-image super-resolution: A benchmark［C］// Proceedings of the 2014 European Conference on Computer Vision. 2014:372-386
［19］	LAI W S, HUANG J B, HU Z, et al. A comparative study for single image blind deblurring［C］// Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. 2016:1701-1709.
［20］	KRIZHEVSKY A, HINTON G. Learning Multiple Layers of Features from Tiny Images［R］. University of Toronto, 2009.
［21］	HU J, SHEN L, SUN G. Squeeze-and-excitation networks［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2018:7132-7141.
［22］	SIMONYAN K, ZISSERMAN A. Very deep convolutional networks for large-scale image recognition［J］. arXiv preprint arXiv:1409.1556, 2014.
［23］	SZEGEDY C, LIU W, JIA Y Q, et al. Going deeper with convolutions［C］// Proceedings of the 2015 IEEE Conference on Computer Vision and Pattern Recognition. 2015:1-9.
［24］	HE K M, ZHANG X Y, REN S Q, et al. Deep residual learning for image recognition［C］// Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. 2016:770-778.
［25］	KINGMA D P, BA J. Adam: A method for stochastic optimization［J］. arXiv preprint arXiv:1412.6980, 2014.

[1]	HU Chong-jia, LIU Jin-zhou, FANG Li. Unsupervised Domain Adaptation for Outdoor Point Cloud Semantic Segmentation [J]. Computer and Modernization, 2024, 0(01): 74-79.
[2]	LI Peng, XU Luo. An Autonomous Navigation Method for Intelligent Vehicles in Urban Battlefield [J]. Computer and Modernization, 2024, 0(01): 92-98.
[3]	LIN Wei. Incremental News Recommendation Method Based on Self-supervised Learning and Data Replay [J]. Computer and Modernization, 2023, 0(12): 1-6.
[4]	LIANG Tian-kai, HUANG Kang-hua, LIU Kai-hang, LAN Lan, ZENG Bi. Deep Federated Image Classification Method Based on Bilateral Homomorphic Encryption [J]. Computer and Modernization, 2023, 0(12): 36-40.
[5]	QIU Kai-xing, FENG Guang. A Multi-label Image Classification Model Based on Dual Feature Attention [J]. Computer and Modernization, 2023, 0(12): 41-47.
[6]	ZHANG Bo-quan, MAI Hai-peng, CHEN Jia-min, Pang Jin-ju. White Matter Hyperintensities Segmentation Based on High Gray Value#br# Attention Mechanism [J]. Computer and Modernization, 2023, 0(12): 67-75.
[7]	LI Yan-man, WANG Bi-heng, ZHAO Ling-yan. Safety Helmet Detection Based on Lightweight YOLOv5 [J]. Computer and Modernization, 2023, 0(10): 59-64.
[8]	LI Shi-da, XIANG Jian-wen. A Weakened Joint Reinforcement Method to Improve Robustness of Image Recognition Models [J]. Computer and Modernization, 2023, 0(10): 70-76.
[9]	SHEN Jia-wei, LU Yi-ming, CHEN Xiao-yi, QIAN Mei-ling, LU Wei-zhong, . Review of Research on Human Behavior Detection Methods Based on Deep Learning [J]. Computer and Modernization, 2023, 0(09): 1-9.
[10]	LIU Chan-yi, HUANG Dan, XUE Lin-yan, WANG Tao, ZHU Tao, . COVID-19 X-ray Classification Based on Improved Efficientnet Network [J]. Computer and Modernization, 2023, 0(09): 94-99.
[11]	MA Guo-xiang, YANG Ling-fei, YAN Chuan-bo, ZHANG Zhi-hao, SUN Bing, WANG Xiao-rong. Ultrasonic Image Diagnosis of Hepatic Echinococcosis Based on Deep DenseNet Network [J]. Computer and Modernization, 2023, 0(09): 100-104.
[12]	NONG Hao-cheng, REN De-jun, REN Qiu-lin, LIU Peng-li, HUANG De-cheng. Surface Anomaly Detection Algorithm of Flexible Plastic Packaging Based on Improved ConvNeXt [J]. Computer and Modernization, 2023, 0(08): 12-17.
[13]	OUYANG Fei, WU Xu, XIANG Dong-sheng. Garbage Classification and Detection Method Based on Improved YOLOX [J]. Computer and Modernization, 2023, 0(08): 68-73.
[14]	HU Rui-jie, CHE Dou. Review of Infrared Small Target Detection [J]. Computer and Modernization, 2023, 0(08): 79-86.
[15]	JIANG Lei, TANG Jian, YANG Chao-yue, LYU Ting-ting. Bearing Fault Diagnosis Based on CWGAN-GP and CNN [J]. Computer and Modernization, 2023, 0(07): 1-6.