Computer Science, 2021, Vol. 48, Issue (6A): 509-513. doi: 10.11896/jsjkx.200800081

• Information Security •

Defense Method of Adversarial Training Based on Gaussian Enhancement and Iterative Attack

WANG Dan-ni, CHEN Wei, YANG Yang, SONG Shuang

  1. School of Information and Software Engineering (Software Engineering), University of Electronic Science and Technology of China, Chengdu 610054, China
  • Online: 2021-06-10  Published: 2021-06-17
  • Corresponding author: CHEN Wei (chenwei@uestc.edu.cn)
  • Contact: 1248404073@qq.com
  • Supported by: Funds for International Cooperation and Exchange of the National Natural Science Foundation of China (61520106007).

  • About the authors: WANG Dan-ni, born in 1995, postgraduate. Her main research interests include the information security of artificial intelligence.
    CHEN Wei, born in 1978, Ph.D, associate professor. His main research interests include network security.



Abstract: In recent years, existing deep learning network models have been able to achieve high accuracy in various classification tasks, but they are still extremely vulnerable to attacks by adversarial samples. At present, adversarial training is one of the best methods to defend against adversarial sample attacks. However, known single-step attack adversarial training methods defend well only against single-step attacks and perform poorly against iterative attacks, while iterative attack adversarial training methods improve defense against iterative attacks but remain unsatisfactory against single-step attacks. To improve the robustness of deep learning network models against both single-step and iterative attacks, this paper proposes GILLC (Gaussian Iteration Least-Likely Class), an adversarial training defense method that combines Gaussian enhancement with the ILLC (Iteration Least-Likely Class) iterative attack. First, a Gaussian perturbation is added to the clean samples to improve the generalization ability of the deep learning network model. Then, the adversarial samples generated by ILLC are used for adversarial training, which approximately solves the inner maximization problem of adversarial training. White-box attack experiments conducted on the CIFAR10 dataset show that, compared with the baseline, single-step attack adversarial training, and iterative attack adversarial training methods, GILLC effectively improves the robustness of the deep learning network model against both single-step and iterative attacks, without significantly reducing classification performance on clean samples.
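The two-stage idea in the abstract — add a Gaussian perturbation to a clean sample, then run an iterative least-likely-class (ILLC) attack on it and train on the result — can be sketched in miniature. The sketch below is an illustration under stated assumptions, not the paper's implementation: it uses a toy linear softmax classifier in NumPy rather than a deep network on CIFAR10, and the function names (`illc_attack`, `gillc_example`) and hyperparameter values (`eps`, `alpha`, `sigma`) are invented for the example.

```python
import numpy as np

def softmax(z):
    """Numerically stable softmax over a logit vector."""
    e = np.exp(z - z.max())
    return e / e.sum()

def grad_wrt_x(W, x, y):
    """Gradient of cross-entropy loss w.r.t. input x for a linear model z = W @ x."""
    p = softmax(W @ x)
    p[y] -= 1.0                 # dL/dz = p - one_hot(y)
    return W.T @ p              # chain rule back to the input

def illc_attack(W, x, eps=0.1, alpha=0.02, steps=5):
    """Iterative least-likely class attack: step toward the class the model
    currently finds least probable, staying in an L-inf eps-ball around x."""
    y_ll = int(np.argmin(softmax(W @ x)))      # least-likely class
    x_adv = x.copy()
    for _ in range(steps):
        g = grad_wrt_x(W, x_adv, y_ll)
        x_adv = x_adv - alpha * np.sign(g)     # descend the loss toward y_ll
        x_adv = np.clip(x_adv, x - eps, x + eps)
    return x_adv

def gillc_example(W, x, sigma=0.05, rng=None):
    """GILLC-style sample: Gaussian enhancement first, then the ILLC attack."""
    if rng is None:
        rng = np.random.default_rng(0)
    x_noisy = x + rng.normal(0.0, sigma, size=x.shape)
    return illc_attack(W, x_noisy)
```

In the full method, the output of a step like `gillc_example` would be fed into the training loss in place of (or alongside) the clean sample, so the model learns on Gaussian-augmented, adversarially perturbed inputs — an approximate solution to the inner maximization of adversarial training.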

Key words: Adversarial samples, Adversarial training, Deep learning, Gaussian enhancement, Iterative attacks, Single-step attacks

CLC Number: TP391