| abstract |
The present invention discloses a method for generating an adversarial sample based on Bayesian optimization. The existing black-box attack method needs to query a large number of models to obtain optimization information. The present invention takes the original picture as input, and determines the position to be optimized by calculating the gradient of the structural similarity between the perturbed picture and the original picture; then uses Bayesian optimization to perform sampling optimization in the selected position, and obtains the The perturbation value added by the loss function; multiple positions are selected iteratively, and the perturbation value is optimized until the classification result of the perturbed image is changed, or the maximum number of iterations is reached, then stop. The present invention can effectively reduce the number of queries to the target DNN model, and the number of disturbed pixels is small. |