[1] LIU Minglin, ZHOU Chuanjin, WANG Runze, et al. Adversarial Attack Method Based on Genetic Recombination Knowledge Distillation Strategy[J]. Journal of Zhengzhou University (Engineering Science), 2025, 46(06): 40-48. [doi:10.13705/j.issn.1671-6833.2025.03.007]

Adversarial Attack Method Based on Genetic Recombination Knowledge Distillation Strategy

Journal of Zhengzhou University (Engineering Science) [ISSN: 1671-6833 / CN: 41-1339/T]

Volume:
46
Issue:
2025, No. 06
Pages:
40-48
Publication date:
2025-10-25

Article Info

Title:
Adversarial Attack Method Based on Genetic Recombination Knowledge Distillation Strategy
Article number:
1671-6833(2025)06-0040-09
Author(s):
LIU Minglin, ZHOU Chuanjin, WANG Runze, WANG Chao, CAO Yangjie
School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450002, China
Keywords:
ensemble attacks; adversarial examples; transferability; genetic recombination; knowledge distillation
CLC number:
TP181; TP183; TP309
DOI:
10.13705/j.issn.1671-6833.2025.03.007
Document code:
A
Abstract:
Conventional ensemble attacks are limited in practice by their demand for computational resources (training data and training time). This paper proposes a low-cost ensemble attack based on genetic recombination that strengthens the transferability of existing adversarial attacks by producing a more diverse set of ensemble members. First, the idea of genetic recombination is brought into knowledge distillation: each student model is treated as an individual, its parameters as that individual's genes, and each round of distillation as one generation of evolution. Second, parameters are randomly exchanged between student models during this evolution, an artificial recombination intended to yield fitter offspring; training the students at different distillation temperatures yields several diverse student models. Third, these students are ensembled with the source (teacher) model. Finally, the ensemble is used to generate adversarial examples with stronger transferability. Experiments on a subset of the ImageNet validation set show that, compared with other algorithms, the proposed method markedly improves the transferability of adversarial examples. With ResNet152 as the source model and PGD as the attack, the proposed method achieves the best transfer attack success rate across 11 black-box models, exceeding the PGD baseline by 34.52 percentage points on average, the PGI method by 5.30 percentage points, and the DGM method by 2.12 percentage points.

Last Update: 2025-10-21