Abstract

Deep learning has made remarkable progress in processing images, text, speech and many other types of data. However, the uninterpretability of deep learning leaves its output lacking credibility, which severely restricts its application in many security domains. Researchers have found that adversarial examples, generated by adding tiny perturbations to original samples, can effectively deceive deep learning models; the method of generating adversarial examples is called an adversarial attack. Adversarial attacks can cause a deep learning model to give wrong outputs with high confidence, realising evasion attacks against detection services based on deep learning. This paper first introduces the basic principles of adversarial attacks and classifies them along four dimensions: perturbation scope, the adversary's knowledge of the target model, the specificity of the attack target, and attack frequency. It then summarises representative results of adversarial attack research in computer vision in recent years and compares the characteristics of the various attack schemes. The application of adversarial attacks in four typical scenarios, namely natural language processing, speech recognition, malware detection and interpretable adversarial examples, is described in detail, further revealing the security threat that adversarial examples pose to deep learning services. Finally, by reviewing the development of adversarial attacks, the paper explores the main challenges facing this technique and points out its potential future directions.

Alternate abstract:

Deep learning has made significant progress in the processing of images, text, speech and other types of data. However, the uninterpretability of deep learning leads to a lack of credibility of its output, which severely limits its application in security-sensitive systems. Researchers found that adversarial examples, generated by adding small perturbations to the original sample, could effectively deceive deep learning models. The way of generating adversarial examples is called an adversarial attack. Adversarial attacks can make a deep learning model give wrong output with high confidence, and realise evasion attacks on detection services based on deep learning. This paper first introduces the basic principle of adversarial attacks, and gives a taxonomy of attack schemes according to perturbation scope, the adversary's knowledge, adversarial specificity and attack frequency. Then, the characteristics of various attack schemes in computer vision are compared and analysed by summarising the representative research achievements on adversarial attacks in recent years. In particular, the applications of adversarial attacks in natural language processing, speech recognition, malware detection and interpretable adversarial examples are introduced in detail, which further reveals the security threat of adversarial examples towards deep learning services. Finally, by reviewing the development of adversarial attacks, this paper discusses their major challenges and points out potential development directions.

Details

Title
A Survey of Adversarial Attacks against Deep Learning (针对深度学习的对抗攻击综述)
Author
LIU, Hui; ZHAO, Bo; GUO, Jia-Bao; PENG, Yue-Feng; 刘会; 赵波; 郭嘉宝; 彭钺峰
Pages
202-214
Section
Research Paper
Publication year
2021
Publication date
2021
Publisher
Chinese Association for Cryptologic Research, Journal of Cryptologic Research
ISSN
2097-4116
Source type
Scholarly Journal
Language of publication
Chinese
ProQuest document ID
2887800205
Copyright
© 2021. This work is published under http://www.jcr.cacrnet.org.cn/EN/column/column4.shtml Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.