FGSM对抗样本trick汇总

1.FGSM

单步攻击，fast gradient sign method对抗样本生成方法，通过更新对抗扰动，增大图片分类损失，将样本推过分类决策边界。

对抗扰动更新方法如下
Xadv=X+ϵ×sign(∇XL(X,ytrue;θ))X^{\mathbf{adv}} = X + \epsilon \times \mathbf{sign}\big(\nabla_{X}L(X,y^{\mathbf{true}}; \theta)\big) Xadv=X+ϵ×sign(∇XL(X,ytrue;θ))

2.I_FGSM

对单步攻击FGSM进行迭代，扰动更新方法如下
X0adv=X;Xn+1adv=ClipXϵ{Xnadv+α×sign(∇XL(Xnadv,ytrue;θ))}X^{\mathbf{adv}}_{0} = X; \\ \\ X^{\mathbf{adv}}_{n+1} = \mathbf{Clip}^{\epsilon}_X \{X^{\mathbf{adv}}_n + \alpha \times \mathbf{sign}\big(\nabla_{X}L(X^{\mathbf{adv}}_n,y^{\mathbf{true}}; \theta)\big) \} X0adv=X;Xn+1adv=ClipXϵ{Xnadv+α×sign(∇XL(Xnadv,ytrue;θ))}

3.MI-FGSM

在i-FGSM的基础上加入动量m\mathbf{m}m，类似于优化方法中的动量法，给参数更新的方向增加一个历史的惯性，提升参数梯度变化的稳定性。

对抗样本更新方法如下
gn+1=μ×gn+∇XL(Xnadv,ytrue;θ)∣∣∇XL(Xnadv,ytrue;θ)∣∣1;Xn+1adv=ClipXϵ{Xnadv+α×sign(gn+1)}\mathcal{g}_{n + 1} = \mu \times \mathcal{g}_n + \frac{\nabla_{X}L(X^{\mathbf{adv}}_n,y^{\mathbf{true}}; \theta)}{||\nabla_{X}L(X^{\mathbf{adv}}_n,y^{\mathbf{true}}; \theta)||_1}; \\ \\ X^{\mathbf{adv}}_{n+1} = \mathbf{Clip}^{\epsilon}_X \{X^{\mathbf{adv}}_n + \alpha \times \mathbf{sign}\big(\mathcal{g}_{n+1}\big) \} gn+1=μ×gn+∣∣∇XL(Xnadv,ytrue;θ)∣∣1∇XL(Xnadv,ytrue;θ);Xn+1adv=ClipXϵ{Xnadv+α×sign(gn+1)}

其中μ\muμ为动量参数，当为0时，即为I-FGSM方法。

4.DI-2-FGSM

输入多样化，输入图片进入一个input diversity函数T(Xnadv;p)T(X^{adv}_n; p)T(Xnadv;p)，以p的概率对输入进行多样化处理，提升对抗样本的转移性

对抗样本更新方法
Xn+1adv=ClipXϵ{Xnadv+α×sign(∇XL(T(Xnadv;p),ytrue;θ))}X^{\mathbf{adv}}_{n+1} = \mathbf{Clip}^{\epsilon}_X \{X^{\mathbf{adv}}_n + \alpha \times \mathbf{sign}\big(\nabla_{X}L(T(X^{\mathbf{adv}}_n; p),y^{\mathbf{true}}; \theta)\big) \} Xn+1adv=ClipXϵ{Xnadv+α×sign(∇XL(T(Xnadv;p),ytrue;θ))}
其中函数T(Xnadv;p)T(X^{adv}_n; p)T(Xnadv;p)，以1-p的概率不做任何处理，直接输出原始的XnadvX^{adv}_nXnadv
T(Xnadv;p)={T(Xnadv)withprobabilityp;Xnadvwithprobability1−pT(X^{adv}_n; p) = \begin{cases} T(X^{adv}_n) \ \ \ \ \mathbf{with\ probability\ p}; \\ X^{adv}_n \ \ \ \ \ \ \ \ \ \ \mathbf{with\ probability\ 1-p} \end{cases} T(Xnadv;p)={T(Xnadv) with probability p;Xnadv with probability 1−p

该函数的Pytorch实现如下

import torch
import torch.nn.functional as Fdef input_diversity(x, diversity_prob=0.5, resize_rate=0.9):img_size = x.shape[-1]img_resize = int(img_size * resize_rate)if resize_rate < 1:img_size = img_resizeimg_resize = x.shape[-1]rnd = torch.randint(low=img_size, high=img_resize, size=(1,), dtype=torch.int32)rescaled = F.interpolate(x, size=[rnd, rnd], mode='bilinear', align_corners=False)h_rem = img_resize - rndw_rem = img_resize - rndpad_top = torch.randint(low=0, high=h_rem.item(), size=(1,), dtype=torch.int32)pad_bottom = h_rem - pad_toppad_left = torch.randint(low=0, high=w_rem.item(), size=(1,), dtype=torch.int32)pad_right = w_rem - pad_leftpadded = F.pad(rescaled, [pad_left.item(), pad_right.item(), pad_top.item(), pad_bottom.item()], value=0)return padded if torch.rand(1) < diversity_prob else x

5.TI-FGSM

针对防御模型的攻击，利用一个事先定义好的kernel对扰动参数的梯度进行卷积平滑，提升对抗效果的转移性
Xn+1adv=Xnreal+ϵ×sign(W∗∇XJ(Xnreal,y))X^{adv}_{n+1} = X^{real}_{n} + \epsilon \times \mathbf{sign}(\mathbf{W} * \nabla_X J(X^{real}_n, y)) Xn+1adv=Xnreal+ϵ×sign(W∗∇XJ(Xnreal,y))
其中WWW为卷积核，∗*∗表示卷积计算；