| 摘要: |
| 现有三维模型识别网络对特征分布和扰动特性的关注不到位,导致识别稳定性和灵活性差。因此,提出一种新的对抗样本生成算法,以探究深度网络模型容易受到攻击的原因。算法以点云为对象,首先利用生成网络有效地学习点云关键点的特征,兼顾原始点云分布及其对抗特性,以生成对抗点的特征表示。此外,生成器能够根据不同的输入点云调整对抗点的生成,以达到欺骗原始三维模型识别网络的目的,进而实现对三维模型深度识别网络稳定性的探究。不同于传统攻击模型的损失函数,算法引入误分类损失扩大攻击力学习的可见范围。同时,还在原有对抗损失函数的基础上提出了感知损失函数,通过对比原始输入与生成样本的相似度来提高对抗样本的质量,从而更加逼真地模拟可能出现的对抗样本。基于该设计,算法所生成的对抗样本不仅可以欺骗三维识别网络,甚至可以在视觉上欺骗人类,从而实现对三维模型识别网络对抗鲁棒性的测试,完成对深度网络模型脆弱性原因的探索。在ModelNet10和ModelNet40数据集上的对比实验及消融实验证明,生成式对抗网络和感知损失的有机结合使算法可以有效地生成高质量的对抗样本。 |
| 关键词: 对抗样本 生成式对抗网络 信息安全 三维模型识别 |
| DOI: |
| 投稿时间:2023-02-13修订日期:2023-04-05 |
| 基金项目: |
|
| The 3D Model Recognition Attack Algorithm based on Generative Adversarial Networks |
|
LIU JIA1, JIN ZHI GANG2, JIN SHI BO1
|
| (1.School of Software and Communication, Tianjin Sino-German University of Applied Sciences;2.School of Electrical and Information Engineering, Tianjin University) |
| Abstract: |
| The existing 3D model recognition network does not pay enough attention to the feature distribution and perturbation characteristics, which results in poor stability and flexibility of the network. In response to this problem, a novel adversarial sample generation algorithm is proposed to explore the reasons why the deep network model is vulnerable to attacks. The algorithm is based on point clouds and first uses the generation network to effectively learn the feature of the key points in the point cloud, taking into account the original point cloud distribution and the ad-versarial characteristics, in order to generate the feature representation of the adversarial points. Besides, The generator adjusts the generation of adversarial points according to different point cloud inputs. Therefore, the algorithm is able to achieve the purpose of deceiving the original 3D model recognition network and realize the investigation of the stability of the 3D model depth recognition network. Unlike the loss function of traditional attack models, the algorithm introduces misclassification loss to expand the visible range of attack learning. Meanwhile, the algorithm also proposes a perceptual loss function on the basis of the original adversarial loss function to improve the quality of the adversarial samples by comparing the similarity between the original input and the generated samples, so as to simulate the possible adversarial samples more realistically. Based on this design, the adversarial samples generated by the algorithm can not only deceive the 3D recognition network but can even visually deceive humans. Thus, the test of the adversarial robustness of the 3D model recognition network is realized and the exploration of the reasons for the vulnerability of the deep network model is completed. The comparison experiments and ablation experiments on ModelNet10 and ModelNet40 datasets demonstrate that the organic combination of generative adversarial networks and perceptual loss allows the algorithm to efficiently generate high-quality adversarial samples. |
| Key words: adversarial samples generative adversarial networks information security three-dimensional model identification |
