基于矢量量化域相似码字替换的对抗嵌入方法

doi:10.13232/j.cnki.jnju.2023.04.011

南京大学学报(自然科学版) ›› 2023, Vol. 59 ›› Issue (4): 644–659.doi: 10.13232/j.cnki.jnju.2023.04.011

基于矢量量化域相似码字替换的对抗嵌入方法

范海菊¹^,²(), 秦小娜¹^,², 李名¹^,²

^1.河南师范大学计算机与信息工程学院, 新乡, 453007
^2.河南省教育人工智能与个性化学习重点实验室, 新乡, 453007

收稿日期:2023-06-13 出版日期:2023-07-31 发布日期:2023-08-18
通讯作者: 范海菊 E-mail:121064@htu.edu.cn
基金资助:
河南省科技攻关计划(222102210029);河南省高等学校重点科研项目(23A520009)

Similar codeword substitution adversarial embedding method based on vector quantization domain

Haiju Fan¹^,²(), Xiaona Qin¹^,², Ming Li¹^,²

^1.College of Computer and Information Engineering，Henan Normal University，Xinxiang，453007，China
^2.Key Laboratory of Artificial Intelligence and Personalized Learning in Education of Henan Province，Xinxiang，453007，China

Received:2023-06-13 Online:2023-07-31 Published:2023-08-18
Contact: Haiju Fan E-mail:121064@htu.edu.cn

摘要/Abstract

摘要：

为了整合对图像的隐私保护、版权保护、完整性保护，提出一种压缩域基于相似码字替换的对抗嵌入方法.该方法属于对抗攻击和信息隐藏的交叉新领域，将传统对抗攻击方法中人为添加的无意义噪声替换成有意义的秘密信息，使对抗嵌入图像错误分类，防止攻击者在云端海量数据库中通过神经网络分类模型捕获特定类别的图像，实现对图像的隐私保护；而且，可以从对抗嵌入图像中完整提取隐藏的秘密信息，实现对图像的版权保护.该对抗嵌入方法的攻击对象是图像的压缩形式?矢量量化索引，攻击中使用该索引的不同相似码字索引替换嵌入的秘密信息，可以实现在高压缩率情况下对图像的双重保护.使用遗传算法优化相似索引扰动，可以有效地降低真实类别的概率，误导分类模型的输出.实验结果证明，在CIFAR?10测试数据集上，使用三种经典的网络分类模型（Resnet，NIN，VGG16），提出的对抗嵌入方法使90.83%的图像以85.44%的平均置信度被错误分类，且嵌入容量可以达到0.75 bpp.

关键词: 对抗攻击, 神经网络, 矢量量化, 信息安全

Abstract:

To integrate the privacy protection，copyright protection and integrity protection aspects for images，this paper proposes the adversarial embedding method based similar codeword substitution for compressed domain. The proposed method belongs to the emerging field between adversarial attack and data hiding，adding meaningful secret information instead of the meaningless noise artificially in traditional adversarial attack methods. It makes the adversarial embedding image misclassified preventing attackers from capturing specific categories of images in the cloud massive database through neural network models，realizing privacy protection. It also extracts secret data completely，which realizes the copyright protection. The proposed adversarial embedding method targets the compressed form of the image - the vector quantization index. It uses different similar codeword indexes to embed secret information，which achieves double protection for images at a high compression ratio. In this paper，genetic algorithm is used to optimize the similar index perturbation，which effectively reduces the probability of true label，misleading the model output. Experimental results show that for the CIFAR?10 test dataset，on three common network models (Resnet，NIN，VGG16)，the adversarial embedding method results in 90.83% images being misclassified with 85.44% confidence on average，while the embedding capacity reaches 0.75 bpp.

Key words: adversarial attack, neural network, vector quantization, information security

中图分类号:

TP309.2

范海菊, 秦小娜, 李名. 基于矢量量化域相似码字替换的对抗嵌入方法[J]. 南京大学学报(自然科学版), 2023, 59(4): 644–659.

Haiju Fan, Xiaona Qin, Ming Li. Similar codeword substitution adversarial embedding method based on vector quantization domain[J]. Journal of Nanjing University(Natural Sciences), 2023, 59(4): 644–659.

图/表 21

图1

图2

图3

图4

图5

图6

图7

表1

图8

表2

图9

图10

图11

图12

表3

图13

表4

图14

图15

图16

表5

参考文献 31

1	Schmidhuber J. Deep learning in neural networks：An overview. Neural Networks，2015(61)：85-117.
2	Taigman Y， Yang M， Ranzato M，et al. DeepFace：Closing the gap to human?level performance in face verification∥Proceedings of 2014 IEEE Conference on Computer Vision and Pattern Recognition. Columbus，OH，USA：IEEE，2014：1701-1708.
3	Barreno M， Nelson B， Joseph A D，et al. The security of machine learning. Machine Learning，2010，81(2)：121-148.
4	Barreno M， Nelson B， Sears R，et al. Can machine learning be secure?∥Proceedings of 2006 ACM Symposium on Information，Computer and Communications Security. Taipei，China：Associa?tion for Computing Machinery，2006：16-25.
5	Szegedy C， Zaremba W， Sutskever I，et al. Intriguing properties of neural networks∥Proceedings of the 2nd International Conference on Learning Represen?tations. Banff，Canada：ICLR，DOI:10.48550/arXiv.1312.6199,2014.
6	Goodfellow I J， Shlens J， Szegedy C. Explaining and harnessing adversarial examples∥Proceedings of the 3rd International Conference on Learning Represen?tations. San Diego，CA，USA：ICLR，DOI：10.48550/arXiv.1412.6572，2015.
7	Kurakin A， Goodfellow I J， Bengio S. Adversarial examples in the physical world∥Yampolskiy R V. Artificial intelligence safety and security. New York，NY，USA：Chapman and Hall，2018：99-112.
8	Moosavi?Dezfooli S M， Fawzi A， Fawzi O，et al. Universal adversarial perturbations∥Proceedings of 2017 IEEE Conference on Computer Vision and Pattern Recognition. Honolulu，HI，USA：IEEE，2017：86-94.
9	Papernot N， McDaniel P， Jha S，et al. The limitations of deep learning in adversarial settings∥Proceedings of 2016 IEEE European Symposium on Security and Privacy. Saarbruecken，Germany：IEEE，2016：372-387.
10	Su J W， Vargas D V， Sakurai K. One pixel attack for fooling deep neural networks. IEEE Transactions on Evolutionary Computation，2019，23(5)：828-841.
11	Aydemir A E， Temizel A， Temizel T T. The effects of JPEG and JPEG2000 compression on attacks using adversarial examples. 2018,arXiv:.
12	Shin R， Song D. JPEG?resistant adversarial images∥Proceedings of NIPS 2017 Workshop on Machine Learning and Computer Security. Long Beach，CA，USA：Neural Information Processing Systems，https:∥machine?learning?and?security.github.io/papers/mlsec17_paper_54.pdf，2017.
13	Swilem A. Fast vector quantization encoding algorithms for image compression. International Journal of Mobile Computing and Multimedia Communications，2009，1(1)：16-28.
14	Fahmy G F， Panchanathan S. A lifting based system for compression and classification trade off in the JPEG2000 framework. Journal of Visual Communication and Image Representation，2004，15(2)：145-162.
15	Yamatani K， Saito N. Improvement of DCT?based compression algorithms using poisson's equation. IEEE Transactions on Image Processing，2006，15(12)：3672-3689.
16	Liu M L， Song T T， Luo W Q，et al. Adversarial steganography embedding via stego generation and selection. IEEE Transactions on Dependable and Secure Computing，2023，20(3)：2375-2389.
17	Li L， Fan M Y， Liu D F. AdvSGAN：Adversarial image steganography with adversarial networks. Multimedia Tools and Applications，2021，80(17)：25539-25555.
18	Li L， Zhang W M， Qin C，et al. Adversarial batch image steganography against CNN?based pooled steganalysis. Signal Processing，2021(181)：107920.
19	Tang W X， Li B， Tan S Q，et al. CNN?based adversarial embedding for image steganography. IEEE Transactions on Information Forensics and Security，2019，14(8)：2074-2087.
20	Li S Y， Ye D P， Jiang S Z，et al. Anti?steganalysis for image on convolutional neural networks. Multimedia Tools and Applications，2020，79(7)：4315-4331.
21	Zhang Y W， Zhang W M， Chen K J，et al. Adversarial examples against deep neural network based steganalysis∥Proceedings of the 6^th ACM Workshop on Information Hiding and Multimedia Security. Innsbruck，Austria：Association for Computing Machinery，2018：67-72.
22	Zhou L C， Feng G R， Shen L Q，et al. On security enhancement of steganography via generative adversarial image. IEEE Signal Processing Letters，2019(27)：166-170.
23	Ghamizi S， Cordy M， Papadakis M，et al. Adversarial Embedding：A robust and elusive steganography and watermarking technique. 2019,arXiv:.
24	Jia X J， Wei X X， Cao X C，et al. Adv?watermark：A novel watermark perturbation for adversarial examples∥Proceedings of the 28th ACM Interna?tional Conference on Multimedia. Seattle，WA，USA：Association for Computing Machinery，2020：1579-1587.
25	Pu B Z， Wei X X， Zhao S J，et al. MedLocker：A transferable adversarial watermarking for preventing unauthorized analysis of medical image dataset. 2023,arXiv:.
26	Zhou S， Liu C， Ye D Y，et al. Adversarial attacks and defenses in deep learning：From a perspective of cybersecurity. ACM Computing Surveys，2022，55(8)：1-39.
27	Rosasco L， De Vito E， Caponnetto A，et al. Are loss functions all the same? Neural Computation，2004，16(5)：1063-1076.
28	Nasrabadi N M， King R A. Image coding using vector quantization：A review. IEEE Transactions on Communications，1988，36(8)：957-971.
29	Sivakumar P， Ravi S. Vector quantization based image compression. International Journal of Innovative Technology and Exploring Engineering，2012，1(1)：89-94.
30	Linde Y， Buzo A， Gray R. An algorithm for vector quantizer design. IEEE Transactions on Commu?nications，1980，28(1)：84-95.
31	杨启文，蒋静坪，张国宏. 遗传算法优化速度的改进. 软件学报，2001，12(2)：270-275.
	Yang Q W， Jiang J P， Zhang G H. Improving optimization speed for genetic algorithms. Journal of Software，2001，12(2)：270-275.

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed

模型	交叉因子ω	对抗图像的非真实类别的概率
模型	交叉因子ω	0.4	0.5	0.6	0.7	0.8	0.9
Resnet	986	94.50%	97.98%	93.78%	97.10%	98.46%	96.28%
Resnet	704	99.38%	99.84%	99.83%	99.94%	99.90%	99.66%
Resnet	626	94.46%	98.58%	97.77%	91.86%	89.67%	76.97%
Resnet	203	99.36%	99.63%	99.62%	99.56%	99.31%	98.50%
Resnet	814	87.03%	91.58%	81.72%	82.35%	93.67%	88.47%
Resnet	160	98.06%	99.29%	98.05%	99.33%	99.31%	99.46%
NIN	237	55.18%	56.91%	50.37%	55.80%	49.89%	47.11%
NIN	972	96.34%	96.54%	95.88%	96.01%	97.67%	97.31%
NIN	459	84.40%	79.16%	84.94%	88.56%	91.94%	90.15%
NIN	806	58.67%	55.48%	68.25%	63.88%	71.75%	60.35%
NIN	981	90.32%	86.66%	88.92%	94.94%	94.37%	93.84%
NIN	606	94.81%	94.82%	93.94%	96.97%	95.56%	96.41%
VGG16	940	64.29%	62.42%	68.96%	67.59%	73.84%	51.99%
VGG16	994	57.64%	63.56%	59.44%	68.50%	60.64%	68.99%
VGG16	396	64.05%	71.48%	59.99%	59.96%	74.23%	66.87%
VGG16	330	54.35%	74.36%	66.90%	84.42%	57.06%	58.56%
VGG16	225	98.71%	98.58%	98.87%	98.23%	99.39%	99.38%
VGG16	541	73.84%	74.98%	80.39%	87.29%	86.63%	89.72%

模型	变异因子φ	对抗图像的非真实类别的概率
模型	变异因子φ	0.001	0.002	0.003	0.004	0.005	0.006	0.007	0.008	0.009
Resnet	986	99.67%	99.25%	99.84%	99.29%	99.87%	99.93%	99.28%	99.82%	99.80%
Resnet	704	97.22%	95.29%	92.16%	96.02%	92.20%	98.36%	97.89%	95.70%	96.18%
Resnet	626	98.50%	96.90%	91.90%	94.61%	86.15%	79.47%	96.24%	97.53%	87.34%
Resnet	203	96.99%	98.01%	99.50%	99.10%	97.88%	99.22%	98.02%	99.25%	96.18%
Resnet	814	88.35%	95.13%	88.66%	87.56%	88.42%	85.34%	77.52%	83.73%	70.20%
Resnet	160	98.60%	99.32%	97.89%	98.84%	99.22%	98.77%	96.85%	98.71%	99.28%
NIN	237	40.66%	50.30%	44.71%	53.82%	56.30%	47.77%	45.18%	55.70%	59.03%
NIN	972	96.89%	96.19%	97.91%	97.37%	95.93%	97.37%	95.01%	97.75%	97.47%
NIN	459	79.50%	83.21%	92.32%	90.65%	86.59%	90.09%	90.46%	84.62%	91.48%
NIN	806	57.63%	63.57%	55.37%	52.71%	62.70%	58.71%	64.26%	55.52%	61.31%
NIN	981	86.36%	91.62%	87.07%	93.28%	85.03%	92.86%	89.05%	91.72%	86.29%
NIN	606	86.81%	79.51%	84.51%	87.36%	89.48%	93.72%	87.68%	89.75%	85.65%
VGG16	940	84.28%	63.49%	85.54%	55.15%	85.17%	58.96%	55.76%	66.62%	59.43%
VGG16	994	59.33%	59.32%	57.99%	63.46%	64.10%	64.65%	61.59%	63.38%	56.17%
VGG16	396	70.63%	71.17%	67.26%	66.42%	67.76%	75.75%	68.35%	74.53%	77.99%
VGG16	330	54.57%	79.55%	53.63%	66.94%	61.53%	69.06%	54.29%	78.61%	61.16%
VGG16	225	99.28%	99.26%	98.81%	99.25%	96.83%	98.60%	98.27%	98.94%	99.12%
VGG16	541	89.56%	82.63%	69.93%	82.25%	89.13%	80.28%	90.61%	88.68%	84.05%

模型	识别准确率	攻击成功率	置信度
Resnet	89.36%	97%	95.44%
NIN	89.21%	85%	77.60%
VGG16	83.06%	90.5%	83.29%

模型	图像编号	原图像类别	攻击后图像类别	置信度	PSNR (dB)
Resnet	a	飞机	鸟	99.36%	27.37
Resnet	b	狗	猫	99.99%	27.94
Resnet	c	汽车	卡车	99.99%	28.06
NIN	d	猫	马	96.96%	27.18
NIN	e	船	汽车	99.99%	27.28
NIN	f	鸟	狗	99.60%	28.18
VGG16	g	船	鸟	99.92%	28.21
VGG16	h	鹿	船	99.37%	27.88
VGG16	i	汽车	船	99.93%	25.98

攻击方案	模型	攻击成功率	嵌入容量	对抗目标	扰动不可感知	应用域
普遍对抗扰动^[8]	VGG16	90.3%	无	图像分类器	是	空域
单像素攻击^[10]	VGG16	63.53%	无	图像分类器	否	空域
可见对抗水印^[26]	Resnet	88%	无	图像分类器	否	空域
对抗隐写分析器^[16]	Deng⁃Net{HILL}	44.45%	0.4 bpp	隐写分析器	是	空域
对抗隐写分析器^[16]	Deng⁃Net{UERD}	45.93%	0.4 bpnzac	隐写分析器	是	JPEG域
本文提出的方案	Resnet	97%	0.75 bpp	图像分类器	是	VQ域
本文提出的方案	VGG16	90.5%	0.75 bpp	图像分类器	是	VQ域

基于矢量量化域相似码字替换的对抗嵌入方法

Similar codeword substitution adversarial embedding method based on vector quantization domain

RichHTML

PDF (PC)

摘要/Abstract

引用本文

使用本文

图/表 21

参考文献 31

相关文章 15

Metrics

本文评价

推荐阅读 0

[1]	孟元, 张轶哲, 张功萱, 宋辉. 基于特征类内紧凑性的不平衡医学图像分类方法[J]. 南京大学学报(自然科学版), 2023, 59(4): 580-589.
[2]	刘志中, 李林霞, 孟令强. 基于混合图神经网络的个性化POI推荐方法研究[J]. 南京大学学报(自然科学版), 2023, 59(3): 373-387.
[3]	杨京虎, 段亮, 岳昆, 李忠斌. 基于子事件的对话长文本情感分析[J]. 南京大学学报(自然科学版), 2023, 59(3): 483-493.
[4]	杨雨佳, 肖庆来, 陈健, 曾松伟. 融合空间和统计特征的CNN⁃GRU臭氧浓度预测模型研究[J]. 南京大学学报(自然科学版), 2023, 59(2): 322-332.
[5]	张蕾, 钱峰, 赵姝, 陈洁, 杨雪洁, 张燕平. 基于卷积图神经网络的多粒度表示学习框架[J]. 南京大学学报(自然科学版), 2023, 59(1): 43-54.
[6]	许睿, 刘相阳, 文益民, 沈世铭, 李建. 基于后向气团轨迹的大气污染特征时序混合模型研究[J]. 南京大学学报(自然科学版), 2022, 58(6): 1041-1049.
[7]	蔡国永, 兰天. 基于多头注意力和词共现关系的方面级情感分析[J]. 南京大学学报(自然科学版), 2022, 58(5): 884-893.
[8]	李灏天, 刘晓宙, 何爱军. 基于机器学习和超声成像的缺陷识别与分析[J]. 南京大学学报(自然科学版), 2022, 58(4): 670-679.
[9]	杜渊洋, 邓成伟, 张建. 基于深度卷积神经网络的RNA三维结构打分函数[J]. 南京大学学报(自然科学版), 2022, 58(3): 369-376.
[10]	王扬, 陈智斌, 杨笑笑, 吴兆蕊. 深度强化学习结合图注意力模型求解TSP问题[J]. 南京大学学报(自然科学版), 2022, 58(3): 420-429.
[11]	高菲, 杨柳, 李晖. 开放集识别研究综述[J]. 南京大学学报(自然科学版), 2022, 58(1): 115-134.
[12]	张玮, 赵永虹, 邱桃荣. 基于注意力机制和深度学习的运动想象脑电信号分类方法[J]. 南京大学学报(自然科学版), 2022, 58(1): 29-37.
[13]	邵世宽, 张宏钧, 肖钦锋, 王晶, 刘晓辉, 林友芳. 基于无监督对抗学习的时间序列异常检测[J]. 南京大学学报(自然科学版), 2021, 57(6): 1042-1052.
[14]	樊炎, 匡绍龙, 许重宝, 孙立宁, 张虹淼. 一种同步提取运动想象信号时⁃频⁃空特征的卷积神经网络算法[J]. 南京大学学报(自然科学版), 2021, 57(6): 1064-1074.
[15]	孟浩, 刘强. 基于FPGA的卷积神经网络训练加速器设计[J]. 南京大学学报(自然科学版), 2021, 57(6): 1075-1082.