对抗攻击算法总结论文集合(白盒、黑盒、目标检测、对抗训练等)
文章目录
- 前言
- 对抗攻击名词解释
- 一、白盒攻击
-
- 1.FGSM
- 2.JSMA:
- 3.DeepFool:
- 4.CW:
- 5.PGD:
- 二、黑盒攻击
-
- 1.单像素攻击
- 2.基于查询(query-based attack)
- 3.基于迁移
- 4.基于替代
- 5.其他
- 三、对抗攻击与目标检测
- 四、对抗训练&鲁棒性
前言
只是一个自己看过的论文小汇总,还不能当综述,但也包含了很多经典的对抗攻击算法,方便回顾和查询,自己看的第一篇综述是:
Advances in adversarial attacks and defenses in computer vision: A survey
论文这件事,真的只能多看,上学期看的,现在忘差不多了(估计还得从头再看亿遍),代码也得操练起来。
由于我没给论文链接(比较费时间),我就介绍几个搜索文献的网站
- Google Scholar(首推)
- arxiv
- x-mol
- scopus
- scihub
- 百度学术(国内有时比上面几个好用)
代码就看论文中有没有给链接吧,然后就 paperswitchcode,基本上每一篇都有。后面有时间会编辑个论文和代码链接吧,然后简单介绍每种算法的idea和method,比较经典的应该会单出论文笔记。
算法的分类没有那么严格,可能会有一些出入,新看的论文会再加入,持续更新。
对抗攻击名词解释
| 术语 | 含义 |
|---|---|
| white-box attack | 白盒攻击:知道模型的全部信息 |
| black-box attack | 黑盒攻击:无法获知模型的训练过程和参数 |
| query-based attack | 基于查询的攻击:攻击者能够查询目标模型并利用其输出来优化对抗性图像 |
| score-based attack | 基于分数的攻击:需要知道模型的输出的置信度 |
| decision-based attack | 基于决策的攻击:只需要知道目标模型的预测标签(top-1 label) |
| targeted attacks | 定向攻击,欺骗模型使模型预测为特定标签;相对于un-targeted attacks,没有特定标签,只求模型预测错误 |
| adversarial training | 对抗训练:在模型的训练数据中注入对抗性例子以使其具有对抗鲁棒性 |
首先:对抗攻击的最先提出:Intriguing properties of neural networks
一、白盒攻击
1.FGSM
(1)FGSM:EXPLAINING AND HARNESSING ADVERSARIAL EXAMPLES
(2)I-FGSM:ADVERSARIAL EXAMPLES IN THE PHYSICAL WORLD
(3)MI-FGSM:Boosting Adversarial Attacks with Momentum(白盒黑盒均适用)
(4)NI-FGSM,SIM:NESTEROV ACCELERATED GRADIENT AND SCALE INVARIANCE FOR ADVERSARIAL ATTACKS(增加迁移性)
2.JSMA:
The Limitations of Deep Learning in Adversarial Settings
3.DeepFool:
DeepFool: a simple and accurate method to fool deep neural networks
4.CW:
Towards Evaluating the Robustness of Neural Networks
5.PGD:
Towards Deep Learning Models Resistant to Adversarial Attacks
二、黑盒攻击
黑盒开篇:Practical Black-Box Attacks against Machine Learning
1.单像素攻击
(1)Simple Black-Box Adversarial Attacks on Deep Neural Networks
(2)One Pixel Attack for Fooling Deep Neural Networks
2.基于查询(query-based attack)
基于查询的又可分为基于分数的和基于决策的
socre-based attack
(1)SimBA:Simple Black-box Adversarial Attacks
(2)MetaSimulator:Simulating Unknown Target Models for Query-Efficient Black-box Attacks
decision-based attack
(1)开篇:Decision-Based Adversarial Attacks: Reliable Attacks Against Black-Box Machine learning Models
(2)HSJA:HopSkipJumpAttack: A Query-Efficient Decision-Based Attack
(3)SurFree:SurFree: a fast surrogate-free black-box attack
(4)f-attack:Decision-Based Adversarial Attack With Frequency Mixup
3.基于迁移
(1)开篇:Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples
(2)Delving into Transferable Adversarial Examples and Black-box Attacks
(3)Enhancing the Transferability of Adversarial Attacks through Variance Tuning
(3)元学习:Meta Gradient Adversarial Attack
4.基于替代
(1)DaST:Data-free Substitute Training for Adversarial Attacks
(2)Delving into Data: Effectively Substitute Training for Black-box Attack
(3)Learning Transferable Adversarial Examples via Ghost Networks
5.其他
(1)通用黑盒攻击UAP:Universal adversarial perturbations
(2)AdvDrop: Adversarial Attack to DNNs by Dropping Information
(3)Practical No-box Adversarial Attacks against DNNs
(4)ZOO: Zeroth Order Optimization Based Black-box Attacks to Deep Neural Networks without Training Substitute Models
三、对抗攻击与目标检测
- Towards Adversarially Robust Object Detection
- DPATCH: An Adversarial Patch Attack on Object Detectors
四、对抗训练&鲁棒性
- Towards Deep Learning Models Resistant to Adversarial Attacks
- A Closer Look at Accuracy vs. Robustness
- ENSEMBLE ADVERSARIAL TRAINING ATTACKS AND DEFENSES
- Towards Evaluating the Robustness of Neural Networks