信息安全研究 (Journal of Information Security Research), 2025, Vol. 11, Issue 3: 249-.

• Academic Paper •

Research on Video Adversarial Example Generation Methods for Transfer Attacks

Lin Zhewei1, He Chunlan1, Liu Xingwei1, Wang Qi2, and Sun Hong2

  1. School of Computer and Software Engineering, Xihua University, Chengdu 610039
  2. Chengdu Jiuzhou Electronic Information System Co., Ltd., Chengdu 610041
  • Online: 2025-03-18  Published: 2025-03-31
  • Corresponding author: Lin Zhewei, master's degree. Main research interest: artificial intelligence security. linzhewei@stu.xhu.edu.cn
  • About the authors: Lin Zhewei, master's degree. Main research interest: artificial intelligence security. linzhewei@stu.xhu.edu.cn
    He Chunlan, master's degree. Main research interest: artificial intelligence security. hechunlan@stu.xhu.edu.cn
    Liu Xingwei, PhD, professor. Main research interest: artificial intelligence security. lxw@mail.xhu.edu.cn
    Wang Qi, engineer. Main research interest: information security. jzkrwangqi@126.com
    Sun Hong, engineer. Main research interest: information security. 50112625@qq.com


Abstract: Different video recognition models possess distinct temporal discrimination patterns. In transfer attacks, the generation of video adversarial examples tends to overfit the white-box model's temporal discrimination pattern, resulting in poor transferability of the adversarial examples. To address this, an algorithm is proposed that effectively alleviates this overfitting. The algorithm generates multiple augmented videos by frame extraction, feeds them into the white-box model, and obtains augmented gradients through backpropagation. It then repositions these gradients and computes a weighted sum to obtain the final gradient information, which is fed into gradient-based white-box attack methods, such as FGSM and BIM, to produce the final adversarial examples. The cross-entropy loss function is also improved: when guiding the generation of adversarial examples, its primary objective is to quickly find a direction that causes the model to misclassify, without considering the distance in semantic space between the classification result and other high-probability categories. To address this issue, a regularization term based on KL divergence is added; adversarial examples generated with the resulting loss function exhibit stronger transferability. On the Kinetics400 and UCF101 datasets, six models commonly used in video recognition were trained, namely NonLocal, SlowFast, and TPN, each with ResNet50 and ResNet101 as the backbone network. Taking one of these models as the white-box model and conducting transfer attacks on the remaining models, extensive experiments demonstrate the effectiveness of the method.
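To make the loss modification concrete, the sketch below shows one plausible PyTorch realization of a KL-regularized cross-entropy objective. The regularizer's exact form, its sign, and the weight lam are illustrative assumptions based only on the abstract; the paper defines the precise formulation.

```python
import torch
import torch.nn.functional as F

def kl_regularized_loss(adv_logits, clean_logits, label, lam=1.0):
    """Cross-entropy plus a KL term that pulls the adversarial prediction
    toward the other high-probability classes of the clean prediction
    (one plausible reading of the abstract; not the paper's exact form)."""
    ce = F.cross_entropy(adv_logits, label)
    # Clean-model distribution with the true class zeroed and renormalized,
    # i.e. the "other categories with higher probabilities".
    q = F.softmax(clean_logits, dim=-1).clone()
    q.scatter_(1, label.unsqueeze(1), 0.0)
    q = q / q.sum(dim=1, keepdim=True)
    log_p = F.log_softmax(adv_logits, dim=-1)
    kl = (q * (q.clamp_min(1e-12).log() - log_p)).sum(dim=1).mean()  # KL(q || p)
    # The attack ascends this objective: raise CE while shrinking the KL
    # distance to the semantically close classes.
    return ce - lam * kl
```

The augmented-gradient step and its use inside an iterative attack such as BIM can then be sketched as follows. The (B, C, T, H, W) tensor layout, the equal 1/n_aug weights, the number of dropped frames, and the assumption that the model accepts clips with fewer frames are all illustrative choices, not the authors' implementation.

```python
def augmented_gradient(model, video, clean_logits, label, n_aug=4, n_drop=2):
    """Average the gradients of several frame-subsampled copies of the clip,
    repositioning each frame's gradient back to the slot it came from."""
    B, C, T, H, W = video.shape
    grad = torch.zeros_like(video)
    for _ in range(n_aug):
        # Frame extraction: randomly drop n_drop frames, keep temporal order.
        keep = torch.randperm(T)[: T - n_drop].sort().values
        clip = video[:, :, keep].detach().requires_grad_(True)
        loss = kl_regularized_loss(model(clip), clean_logits, label)
        loss.backward()
        # Reposition: scatter each gradient back to its original frame index,
        # then accumulate with equal weights (a weighted sum in general).
        grad[:, :, keep] += clip.grad / n_aug
    return grad

def bim_transfer_attack(model, video, label, eps=8/255, alpha=1/255, steps=10):
    """BIM driven by the averaged, repositioned gradients."""
    with torch.no_grad():
        clean_logits = model(video)  # reference prediction on the clean clip
    adv = video.clone()
    for _ in range(steps):
        g = augmented_gradient(model, adv, clean_logits, label)
        adv = adv + alpha * g.sign()                   # ascend the objective
        adv = video + (adv - video).clamp(-eps, eps)   # project into the L_inf ball
        adv = adv.clamp(0.0, 1.0)                      # keep valid pixel range
    return adv.detach()
```

Under this reading, averaging gradients from several temporally subsampled views keeps the perturbation from locking onto any single temporal pattern of the white-box model, which is the overfitting the abstract describes.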

Key words: video recognition model, adversarial example, loss function, transfer attack, cross-entropy

CLC number: