Authors
- Hongying Li (Laboratory for Big Data and Decision, National University of Defense Technology, Changsha 410000, China; these authors contributed equally to this work.)
- Miaomiao Yu (Laboratory for Big Data and Decision, National University of Defense Technology, Changsha 410000, China; these authors contributed equally to this work.)
- Xiaofei Li (Laboratory for Big Data and Decision, National University of Defense Technology, Changsha 410000, China; these authors contributed equally to this work.)
- Jun Zhang (Laboratory for Big Data and Decision, National University of Defense Technology, Changsha 410000, China)
- Shuohao Li (Laboratory for Big Data and Decision, National University of Defense Technology, Changsha 410000, China)
- Jun Lei (Laboratory for Big Data and Decision, National University of Defense Technology, Changsha 410000, China)
- Hairong Huang (Teacher Training School, Zhongxian, Chongqing 404300, China)
Abstract
In recent years, with the rapid development of technology, artificial intelligence (AI) security issues, represented by adversarial sample attacks, have aroused widespread concern in society. Adversarial samples are often generated by surrogate models and then transferred to attack the target model, and most AI models in real-world scenarios are black boxes; thus, transferability becomes a key factor in measuring the quality of adversarial samples. Traditional methods rely on the decision boundary of the classifier and take boundary crossing as the only judgment metric, without considering the probability distribution of the sample itself, which results in an irregular way of adding perturbations to the adversarial sample, an unclear generation path, and a lack of transferability and interpretability. In a probabilistic generative model, after the probability distribution of the samples has been learned, a random term can be added to the sampling to gradually transform noise into a new independent and identically distributed sample. Inspired by this idea, we believe that by removing the random term, the adversarial sample generation process can be regarded as static sampling of the probabilistic generative model, which guides the adversarial samples out of the original probability distribution and into the target probability distribution and helps to boost transferability and interpretability. Therefore, we proposed a score-matching-based attack (SMBA) method that performs adversarial sample attacks by manipulating the probability distribution of the samples; it showed good transferability across different datasets and models and provided reasonable explanations from the perspective of mathematical theory and feature space. Compared with the current best methods based on the decision boundary of the classifier, our method increased the attack success rate by up to 51.36% and 30.54% in non-targeted and targeted attack scenarios, respectively. In conclusion, our research established a bridge between probabilistic generative models and adversarial samples, provided a new entry angle for the study of adversarial samples, and brought new thinking to AI security.
Suggested Citation
Hongying Li & Miaomiao Yu & Xiaofei Li & Jun Zhang & Shuohao Li & Jun Lei & Hairong Huang, 2023.
"Probability-Distribution-Guided Adversarial Sample Attacks for Boosting Transferability and Interpretability,"
Mathematics, MDPI, vol. 11(13), pages 1-22, July.
Handle: RePEc:gam:jmathe:v:11:y:2023:i:13:p:3015-:d:1188600