(浙江科技学院大数据学院, 杭州 中国 310023;广州大学网络空间先进技术研究院, 广州 中国 510006;杭州海康威视网络与信息安全实验室, 杭州 中国 310051)
关键词:  深度学习  对抗样本  二维码  补丁攻击
QR Code Based Patch Attacks in Physical World
QIAN Yaguan,LIU Xinwei,GU Zhaoquan,WANG Bin,PAN Jun,ZHANG Ximin
School of Sugon Big Date Science, Zhejiang University of Science and Technology, Hangzhou 310023, China;Cyberspace Institute of Advanced Technology (CIAT), Guangzhou University, Guangzhou 510006, China;Network and Information Security Laboratory of Hangzhou Hikvision Digital Technology Co, Ltd. Hangzhou 310051, China
Deep learning technology has been widely used in the field of image recognition, and the recognition accuracy is higher than the average level of human beings. However, recent studies have shown that the performance of deep neural network will be greatly reduced due to the presence of adversarial examples. The attacker misleads the classifier to make false prediction by adding a small disturbance to the image to be recognized. On the other hand, the disturbance generated in the digital space can also be transferred to the physical space and used for attack. For this reason, this paper proposes a physical patch attack method based on two-dimensional code antagonism samples, which pastes the generated QR code on the designated position of the road traffic sign surface, making the classifier output the wrong classification. The experimental results show the effectiveness of this method. At the same time, using the counter examples generated in digital space to attack traffic signs in physical space can still maintain a high success rate.
Key words:  deep learning  adversarial examples  QR code  patch attack