Computer Science, 2023, Vol. 50, Issue 10: 362-368. doi: 10.11896/jsjkx.220800090

• Information Security •

  • Corresponding author: ZHAN Wenhan (zhanwenhan@uestc.edu.cn)
  • About author: (zitianzhao_uestc@hotmail.com)

Study on Adversarial Robustness of Deep Learning Models Based on SVD

ZHAO Zitian, ZHAN Wenhan, DUAN Hancong, WU Yue   

  1. School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China
  • Received: 2022-08-09 Revised: 2022-11-28 Online: 2023-10-10 Published: 2023-10-10
  • About author: ZHAO Zitian, born in 1993, Ph.D. His main research interests include AI security and voiceprint recognition. ZHAN Wenhan, born in 1987, Ph.D., senior experimentalist. His main research interests include cloud computing, edge computing, distributed systems and AI.

Abstract: The emergence of adversarial attacks poses a substantial threat to the large-scale deployment of deep neural networks (DNNs) in real-world scenarios, especially in security-related domains. Most current defense methods rest on heuristic assumptions and lack an analysis of the model's adversarial robustness. How to improve the adversarial robustness of DNNs, and the interpretability and credibility of that robustness, has become an essential part of the field of artificial intelligence security. This paper proposes to analyze a model's adversarial robustness from the perspective of its singular value distribution. The study finds that, in an adversarial setting, improved robustness is accompanied by a smoother distribution of singular values. Further analysis shows that a smooth singular value distribution means the model draws its classification confidence from more diverse sources, and therefore has higher adversarial robustness. Based on this analysis, an adversarial training method based on singular value suppression (SVS) is proposed. Experiments show that the method further improves the model's robustness in an adversarial setting: against the strong white-box attack PGD (Projected Gradient Descent), it reaches accuracies of 55.3% on CIFAR-10 and 54.51% on SVHN, exceeding the most representative current adversarial training methods.

Key words: Deep learning, Adversarial defense, Adversarial training, Adversarial robustness, Singular value decomposition
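The abstract names three things a practitioner would want to see concretely: the singular value spectrum of a layer's weights together with some notion of how "smooth" it is, suppression of the dominant singular values, and a PGD white-box evaluation. The following Python/NumPy example is added here for illustration and is not the authors' code. The entropy-based flatness score, the post-hoc clipping of singular values, the 3-class constructed data and the linear classifier are all assumptions of this example; clipping the singular values of a fixed matrix is not the paper's SVS training method, which is not reproduced here.

```python
"""Added illustrative example (not code from the paper): measure how flat a
weight matrix's singular value spectrum is, cap its largest singular values,
and evaluate a linear classifier under an L-inf PGD white-box attack."""
import numpy as np


def spectral_flatness(W):
    """Normalised Shannon entropy of the singular value distribution.
    1.0 means all singular values are equal; near 0 means one direction
    dominates. This score is an assumption of the example, not the paper's metric."""
    s = np.linalg.svd(W, compute_uv=False)
    if len(s) < 2 or s.sum() == 0:
        return 1.0
    p = s / s.sum()
    p = p[p > 0]
    return float(-(p * np.log(p)).sum() / np.log(len(s)))


def suppress_singular_values(W, cap):
    """Clip every singular value of W to at most `cap` and rebuild the matrix.
    A post-hoc projection used only to illustrate 'suppression'."""
    U, s, Vt = np.linalg.svd(W, full_matrices=False)
    return (U * np.minimum(s, cap)) @ Vt


def softmax(z):
    z = z - z.max(axis=1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


def accuracy(W, X, y):
    return float(((X @ W.T).argmax(axis=1) == y).mean())


def pgd_linf(W, X, y, eps, alpha, steps):
    """Untargeted L-inf PGD (Madry et al.) against logits z = x W^T.
    d(cross-entropy)/dx = (softmax(z) - onehot(y)) W; every step moves along
    the gradient sign and projects back into the eps-ball around X."""
    onehot = np.eye(W.shape[0])[y]
    X_adv = X.copy()
    for _ in range(steps):
        grad = (softmax(X_adv @ W.T) - onehot) @ W
        X_adv = np.clip(X_adv + alpha * np.sign(grad), X - eps, X + eps)
    return X_adv


def make_blobs(n_per_class, dim, n_classes, noise, seed=0):
    """Constructed sample data: class c is centred at 3*e_c in `dim` dimensions."""
    rng = np.random.default_rng(seed)
    means = 3.0 * np.eye(n_classes, dim)
    X = np.concatenate([means[c] + noise * rng.standard_normal((n_per_class, dim))
                        for c in range(n_classes)])
    y = np.repeat(np.arange(n_classes), n_per_class)
    return X, y


def run_demo(eps=1.0, alpha=0.25, steps=10):
    n_classes, dim = 3, 8
    X, y = make_blobs(100, dim, n_classes, noise=0.5)
    # Classifier rows: the class centre plus one large direction shared by every
    # class, so a single singular value dominates although it carries no class
    # information (a constructed, deliberately spiky spectrum).
    shared = 4.0 * np.ones(dim) / np.sqrt(dim)
    W = 3.0 * np.eye(n_classes, dim) + shared
    s = np.linalg.svd(W, compute_uv=False)
    W_sup = suppress_singular_values(W, cap=s.min())
    X_adv = pgd_linf(W, X, y, eps, alpha, steps)
    X_adv_sup = pgd_linf(W_sup, X, y, eps, alpha, steps)
    return {
        "flatness_before": spectral_flatness(W),
        "flatness_after": spectral_flatness(W_sup),
        "clean_acc": accuracy(W, X, y),
        "robust_acc": accuracy(W, X_adv, y),
        "clean_acc_sup": accuracy(W_sup, X, y),
        "robust_acc_sup": accuracy(W_sup, X_adv_sup, y),
        "max_perturbation": float(np.abs(X_adv - X).max()),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:18s} {value:.4f}")
```

In the constructed matrix the dominant singular direction is shared by every class row, so clipping it flattens the spectrum without changing any decision or the attack's success; clean and robust accuracy are therefore identical before and after suppression. That isolates the measurement and the attack harness from the paper's empirical claim: whether a smoother spectrum actually buys robustness on a real network has to be checked with the paper's own training method and a full PGD evaluation, not with a post-hoc projection.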

CLC number: TP391