Transaction of the Japanese Society for Evolutionary Computation
Online ISSN : 2185-7385
ISSN-L : 2185-7385
Paper
Multiple Solution Search in the Generation of Adversarial Examples Using Differential Evolution
串田 淳一

2023, Volume 14, Issue 1, pp. 1-11

Abstract

Over the past few years, deep neural networks (DNNs) have shown outstanding performance in a wide range of domains. However, DNNs have been found to be vulnerable to adversarial examples (AEs). AEs are inputs that are designed to cause a predictive machine learning model to perform poorly. Adversarial attacks are classified into two categories: targeted attacks and non-targeted attacks. In a targeted attack on multi-class classifiers, there will be multiple AEs that mislead models to a class other than the true class. As one of the black-box attacks on computer vision, a method of generating adversarial examples using Differential Evolution (DE) has been reported. This attack method, named the one pixel attack, is very effective because the output of the model can be greatly changed by modifying a few pixels of the input image. However, in order to acquire multiple AEs in a targeted attack, it is necessary to repeatedly execute the targeted attack while changing the target class. In this case, multiple trials are required, and the number of accesses to the model increases in proportion to the number of classes. Therefore, we propose a new method to acquire multiple AEs with a single run of the one pixel attack. In the proposed method, the objective function in a non-targeted attack is regarded as a multimodal landscape with multiple solutions. Then, a penalty is dynamically added to the objective function in this multimodal function to search for multiple solutions in order. Additionally, to improve the search efficiency of the one pixel attack, Rank-based DE (RDE), which is an improved method of DE, is introduced. We conducted experiments using some typical machine learning models and showed that multiple AEs can be efficiently acquired by the proposed method.

© 2023 The Japanese Society for Evolutionary Computation