基于智能进化算法的可见水印对抗攻击

计算机工程与科学 ›› 2024, Vol. 46 ›› Issue (01): 63-71.

• 计算机网络与信息安全 • 上一篇下一篇

基于智能进化算法的可见水印对抗攻击

季俊豪1,张玉书1,赵若宇1,温文媖2,董理3

(1.南京航空航天大学计算机科学与技术学院，江苏南京 211106；
2.江西财经大学信息管理学院，江西南昌 330032；3.宁波大学信息科学与工程学院，浙江宁波 315000)

收稿日期:2023-04-11 修回日期:2023-06-02 接受日期:2024-01-25 出版日期:2024-01-25 发布日期:2024-01-15
基金资助:
国家自然科学基金(62072237);南京航空航天大学研究生科研与实践创新计划(xcxjh20231603)

Adversarial visible watermark attack based on intelligent evolutionary algorithm

JI Jun-hao1,ZHANG Yu-shu1,ZHAO Ruo-yu1,WEN Wen-ying2,DONG Li3

(1.College of Computer Science and Technology,Nanjing University of Aeronautics and Astronautics,Nanjing 211106;
2.School of Information Management,Jiangxi University of Finance and Economics,Nanchang 330032;
3.Faculty of Electrical Engineering and Computer Science,Ningbo University,Ningbo 315000,China)

Received:2023-04-11 Revised:2023-06-02 Accepted:2024-01-25 Online:2024-01-25 Published:2024-01-15

摘要/Abstract

摘要： 随着公民版权意识的提高，越来越多含有水印的图像出现在生活中。然而，现有的研究表明，含有水印的图像会导致神经网络分类错误，这对神经网络的普及和应用构成了巨大的威胁。对抗训练是解决这类问题的防御方法之一，但是需要使用大量的水印对抗样本作为训练数据。为此，提出了一种基于智能进化算法的可见水印对抗攻击方法来生成高强度的水印对抗样本。该方法不仅能快速生成水印对抗样本，而且还能使其最大程度地攻击神经网络。此外，该方法还加入了图像质量评价指标来约束图像的视觉损失，从而使水印对抗样本更加美观。实验结果表明，所提方法相比于基准水印攻击方法时间复杂度更低，相比于基准黑盒攻击对神经网络攻击成功率更高。

关键词: 对抗攻击, 水印, 图像质量评价指标, 优化, 神经网络

Abstract: With the increasing awareness of citizen copyright, more and more images containing watermarks are appearing in daily life. However, existing research shows that images with watermarks can cause neural network misclassification, posing a significant threat to the popularization and application of neural networks. Adversarial training is one of the defensive methods to solve this problem, but it requires a large number of watermark adversarial samples as training data. To address this issue, this paper proposes a visible watermark adversarial attack method based on intelligent evolutionary algorithm to generate high-intensity watermark adversarial samples. This method can not only quickly generate watermark adversarial samples, but also maximize the attack on the neural network. In addition, this method incorporates image quality evaluation metrics to constrain the visual loss of the image, making the watermark adversarial samples more visually appealing. The comprehensive experimental results show that the proposed method has lower time complexity than the benchmark watermark attack method, and has a higher attack rate on neural networks compared to the benchmark black box attack.

Key words: adversarial attack, watermark, image quality evaluation, optimization, neural network

季俊豪, 张玉书, 赵若宇, 温文媖, 董理. 基于智能进化算法的可见水印对抗攻击[J]. 计算机工程与科学, 2024, 46(01): 63-71.

JI Jun-hao, ZHANG Yu-shu, ZHAO Ruo-yu, WEN Wen-ying, DONG Li. Adversarial visible watermark attack based on intelligent evolutionary algorithm[J]. Computer Engineering & Science, 2024, 46(01): 63-71.

参考文献［22］

［1］	Akhtar N,Mian A.Threat of adversarial attacks on deep learning in computer vision: A survey［J］.IEEE Access,2018,6: 14410-14430.
［2］	Szegedy C,Zaremba W,Sutskever I,et al.Intriguing properties of neural networks［J］.arXiv:1312.6199,2013.
［3］	Goodfellow I J,Shlens J,Szegedy C.Explaining and harnessing adversarial examples［J］.arXiv:1412.6572,2014.
［4］	Kurakin A,Goodfellow I,Bengio S.Adversarial examples in the physical world［J］.arXiv:1607.02533,2016.
［5］	Moosavi-Dezfooli S M, Fawzi A,Frossard P.DeepFool:A simple and accurate method to fool deep neural networks［C］∥Proc of the IEEE Conference on Computer Vision and Pattern Recognition,2016: 2574-2582.
［6］	Su J,Vargas D V,Sakurai K.One pixel attack for fooling deep neural networks［J］.IEEE Transactions on Evolutionary Computation,2019,23(5): 828-841.
［7］	Jia X,Wei X,Cao X,et al.Adv-watermark: A novel watermark perturbation for adversarial examples［C］∥Proc of the 28th ACM International Conference on Multimedia,2020: 1579-1587.
［8］	Jiang H,Yang J T,Hua G,et al.FAWA: Fast adversarial watermark attack［J］.IEEE Transactions on Computers,2021,1(1):1-14.
［9］	Xie C,Wang J,Zhang Z,et al.Adversarial examples for semantic segmentation and object detection［C］∥Proc of the IEEE International Conference on Computer Vision,2017: 1369-1378.
［10］	Papernot N,McDaniel P,Wu X,et al.Distillation as a defense to adversarial perturbations against deep neural networks［C］∥Proc of 2016 IEEE Symposium on Security and Privacy,2016: 582-597.
［11］	Wang Q, Guo W, Zhang K, et al. Learning adversary- resistant deep neural networks［J］.arXiv:1612.01401,2016.
［12］	Braudaway G W.Protecting publicly-available images with an invisible image watermark［C］∥Proc of International Conference on Image Processing,1997:524-527.
［13］	Kankanhalli M S,Ramakrishnan K R.Adaptive visible watermarking of images［C］∥Proc of IEEE International Conference on Multimedia Computing and Systems,1999:568-573.
［14］	Shen B,Sethi I K,Bhaskaran V.DCT domain alpha blending［C］∥Proc of 1998 International Conference on Image Processing,1998:857-861.
［15］	Duchi J,Hazan E,Singer Y.Adaptive subgradient methods for online learning and stochastic optimization［J］.Journal of Machine Learning Research,2011,12(7):2121-2159.
［16］	Kingma D P,Ba J.Adam: A method for stochastic optimization［J］.arXiv:1412.6980,2014.
［17］	Li S, Li D, Zhang Y. Incorporating Nesterov’s momentum into distributed adaptive gradient method for online optimization［C］∥Proc of 2021 China Automation Congress, 2021:7338-7343.
［18］	Colorni A,Dorigo M,Maniezzo V.Distributed optimization by ant colonies［C］∥Proc of the 1st European Conference on Artificial Life,1991:134-142.
［19］	Forrest S. Genetic algorithms［J］.ACM Computing Surveys, 1996,28(1): 77-80.
［20］	Kennedy J,Eberhart R.Particle swarm optimization［C］∥Proc of International Conference on Neural Networks,1995: 1942-1948.
［21］	严健武.使用Alpha-Blending技术实现图片水印效果［J］.现代计算机(专业版),2009(9):78-80.
	Yan Jian-wu.Implementation of watermark effect of picture with Alpha-Blending［J］.Modern Computer (Professional Edition),2009(9):78-80.
［22］	Brendel W,Rauber J,Bethge M.Decision-based adversarial attacks: Reliable attacks against black-box machine learning models［J］.arXiv:1712.04248,2017.

[1]	陈侨安1，李峰1，曹越1，龙明盛1,2. 基于运行数据分析的Spark任务参数优化[J]. J4, 20160101, 38(01): 11-19.
[2]	周兰凤1，赵鹏飞1，彭俊杰2. 基于云环境下一种小文件传输策略研究[J]. J4, 20160101, 38(01): 20-27.
[3]	李中华, 袁杰, 郭振宇. 基于信息启发的目标导向Bi-RRT机器人路径规划[J]. 计算机工程与科学, 2023, 45(12): 2237-2245.
[4]	许文俊, 王锡淮. 基于变尺度黑洞和种群迁徙的粒子群优化算法[J]. 计算机工程与科学, 2023, 45(11): 2036-2046.
[5]	张贝, 闵华松, 张新明. 差分变异和领地搜索的平衡优化算法及其机器人路径规划[J]. 计算机工程与科学, 2023, 45(11): 2078-2090.
[6]	周菊香, 周明涛, 甘健侯, 徐坚. 多阶段时序和语义信息增强的问题生成模型[J]. 计算机工程与科学, 2023, 45(10): 1847-1857.
[7]	刘通, 周宁宁. 基于Setwise排序的深度输入感知因子分解机[J]. 计算机工程与科学, 2023, 45(10): 1891-1900.
[8]	李飞, 郭绍忠, 周蓓, 宋广辉, 郝江伟, 许瑾晨. RISC-V基础数学库性能优化[J]. 计算机工程与科学, 2023, 45(09): 1532-1543.
[9]	张文宁, 周清雷, 焦重阳, 梅亮. 融入重心反向学习和单纯形搜索的粒子群优化算法[J]. 计算机工程与科学, 2023, 45(09): 1629-1638.
[10]	胡春安, 熊昱然. 多策略改进的混沌哈里斯鹰优化算法[J]. 计算机工程与科学, 2023, 45(09): 1648-1660.
[11]	李安东, 刘升, 苟茹茹. 基于邻域搜索的改进反向学习平衡优化器算法[J]. 计算机工程与科学, 2023, 45(09): 1679-1690.
[12]	刘俊奇, 涂文轩, 祝恩. 图卷积神经网络综述[J]. 计算机工程与科学, 2023, 45(08): 1472-1481.
[13]	罗仕杭, 何庆. 多策略融合改进的均衡优化算法及其应用[J]. 计算机工程与科学, 2023, 45(08): 1508-1520.
[14]	康宇晗, 时洋, 陈照云, 文梅. 面向迈创+MatrixZone异构系统的深度学习编程框架[J]. 计算机工程与科学, 2023, 45(07): 1149-1158.
[15]	何子贤, 方贤文. 基于字符串匹配算法的业务流程低频日志噪声过滤方法[J]. 计算机工程与科学, 2023, 45(07): 1209-1215.

基于智能进化算法的可见水印对抗攻击

Adversarial visible watermark attack based on intelligent evolutionary algorithm

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献［22］

相关文章 15

编辑推荐

Metrics

本文评价

基于智能进化算法的可见水印对抗攻击

Adversarial visible watermark attack based on intelligent evolutionary algorithm

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献 ［22］

相关文章 15

编辑推荐

Metrics

本文评价

参考文献［22］