Journal of Software (软件学报), 2020, Issue 9
Journal of Software (软件学报) ISSN 1000-9825, CODEN RUXUEW E-mail: jos@iscas.ac.cn
Journal of Software, 2020, 31(9):2785−2801 [doi: 10.13328/j.cnki.jos.005945] http://www.jos.org.cn
© Institute of Software, Chinese Academy of Sciences. All rights reserved. Tel: +86-10-62562563
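PSO-Based Black-box Adversarial Attack Method for Road Sign Recognition Models ∗
CHEN Jin-Yin, CHEN Zhi-Qing, ZHENG Hai-Bin, SHEN Shi-Jing, SU Meng-Meng
(School of Information Engineering, Zhejiang University of Technology, Hangzhou, Zhejiang 310023, China)
Corresponding author: CHEN Jin-Yin, E-mail: chenjinyin@zjut.edu.cn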
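Abstract: With the wide application of deep learning in computer vision, face authentication, license plate recognition, road sign recognition and similar tasks are moving toward commercial deployment. Research on the security of deep learning models is therefore crucial. Existing studies have found that deep learning models are vulnerable to carefully crafted adversarial examples containing small perturbations, which cause them to output completely wrong recognition results. Adversarial attacks against deep models are fatal, but they can also help researchers discover model vulnerabilities and take further improvement measures. Based on this idea, for deep-learning-based road sign recognition models in autonomous driving scenarios, this paper proposes a black-box physical attack method based on particle swarm optimization (black-box physical attack via PSO, BPA-PSO for short). Without knowledge of the model structure, BPA-PSO can not only carry out a black-box attack on deep models but also cause road sign recognition models in real physical scenes to fail. Extensive experiments in digital-image scenarios in the electronic space, and in laboratory and outdoor road-condition scenarios in the physical space, verify the attack effectiveness of the proposed BPA-PSO algorithm, which can reveal model vulnerabilities and further improve the application security of deep learning. Finally, the problems of the BPA-PSO algorithm are analyzed, and the challenges that future research may face are discussed.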
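Keywords: autonomous driving; adversarial attack; road sign recognition; black-box physical attack; particle swarm optimization
Chinese Library Classification number: TP18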
Citation format (Chinese): Chen JY, Chen ZQ, Zheng HB, Shen SJ, Su MM. PSO-based black-box adversarial attack method for road sign recognition models. Journal of Software, 2020,31(9):2785−2801. http://www.jos.org.cn/1000-9825/5945.htm
Citation format (English): Chen JY, Chen ZQ, Zheng HB, Shen SJ, Su MM. Black-box physical attack against road sign recognition model via PSO. Ruan Jian Xue Bao/Journal of Software, 2020,31(9):2785−2801 (in Chinese). http://www.jos.org.cn/1000-9825/5945.htm
Black-box Adversarial Attack Against Road Sign Recognition Model via PSO
CHEN Jin-Yin, CHEN Zhi-Qing, ZHENG Hai-Bin, SHEN Shi-Jing, SU Meng-Meng
(School of Information Engineering, Zhejiang University of Technology, Hangzhou 310023, China)
Abstract: With the wider application of deep learning in the field of computer vision, face authentication, license plate recognition, and
road sign recognition have also presented commercial application trends. Therefore, research on the security of deep learning models is of
great importance. Previous studies have found that deep learning models are vulnerable to carefully crafted adversarial examples that
contain small perturbations, leading to completely incorrect recognition results. Adversarial attacks against deep learning models are fatal,
but they can also help researchers find vulnerabilities of models and make further improvements. Motivated by that, this study proposes a
black-box physical attack method based on particle swarm optimization (BPA-PSO) for deep learning road sign recognition models in
the scenario of autonomous vehicles. Under the premise of unknown model structure, BPA-PSO can not only realize the black-box attack on
∗ Foundation item: Zhejiang Provincial Natural Science Foundation of China (LY19F020025); National Key Research and
Development Program of China (2018AAA0100800); Major Special Funding for “Science and Technology Innovation 2025” in Ningbo
(2018B10063); Engineering Research Center of Cognitive Healthcare of Zhejiang Province (2018KFJJ07)
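This paper was recommended by Professors WANG Quan, WU Zhong-Hai, CHEN Yi-Xiang and MIAO Qi-Guang, guest editors of the special topic “Intelligent Embedded Systems”.
Received: 2019-07-03; Revised: 2019-08-18; Accepted: 2019-11-02; jos online publication: 2020-01-13
CNKI online-first publication: 2020-01-14 11:27:06, http://kns.cnki.net/kcms/detail/11.2560.TP.20200114.1126.025.html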