A method for filtering the attack pairs of adversarial examples based on attack distance
Cite this article: Liu Hongyi, Fang Yutong, Wen Weiping. A method for filtering the attack pairs of adversarial examples based on attack distance [J]. Journal of Beijing University of Aeronautics and Astronautics, 2022, 48(2): 339-347.
Authors: Liu Hongyi  Fang Yutong  Wen Weiping
Institution: School of Software and Microelectronics, Peking University, Beijing 102600, China
Funding: National Natural Science Foundation of China (U1736218)
Abstract: In black-box adversarial example generation, an attack pair is usually specified, consisting of a source example and a target example, so that the generated adversarial example differs only slightly from the source example in norm but is assigned by the classifier to the target example's class. To address the instability of attacks caused by attack pairs of differing difficulty, this paper takes image recognition as an example and designs an attack distance metric based on the length of the decision boundary, which provides a measure of how hard an attack pair is to attack. On this basis, an attack-pair filtering method based on attack distance is designed: pairs that are hard to attack are removed before the attack begins, so attack performance improves without any change to the attack algorithm. Experiments show that, compared with the unfiltered attack pairs, the filtered attack pairs improve overall attack performance by 42.07%, improve attack efficiency by 24.99%, and reduce variance by 76.23%. Adversarial example generation methods that use attack pairs can stabilize and improve attack performance by filtering the attack pairs before the attack.

Keywords: adversarial examples    black-box    decision boundary    filtering    image recognition
Received: 2020-09-21

A method for filtering the attack pairs of adversarial examples based on attack distance
LIU Hongyi,FANG Yutong,WEN Weiping.A method for filtering the attack pairs of adversarial examples based on attack distance[J].Journal of Beijing University of Aeronautics and Astronautics,2022,48(2):339-347.
Authors:LIU Hongyi  FANG Yutong  WEN Weiping
Institution:School of Software & Microelectronics, Peking University, Beijing 102600, China
Abstract: During the generation of black-box adversarial examples, an attack pair is usually specified, consisting of a source example and a target example. The goal is for the generated adversarial example to differ only slightly from the source example in norm while being classified by the classifier as the target example's class. To address the instability of adversarial attacks caused by attack pairs of differing difficulty, this paper takes image recognition as an example and presents an attack distance metric based on the length of the decision boundary, which provides a measure of the attack difficulty of an attack pair. On this basis, the paper designs an attack-pair filtering method based on attack distance, which removes attack pairs that are difficult to attack before the attack starts, so attack performance improves without modifying the attack algorithm. Experiments show that, compared with the attack pairs before filtering, the filtered attack pairs improve overall attack performance by 42.07%, improve attack efficiency by 24.99%, and reduce variance by 76.23%. It is recommended that all methods of generating adversarial examples that use attack pairs filter the attack pairs before the attack, in order to stabilize and improve attack performance.