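Authors: 王丹妮 (WANG Dan-ni); 陈伟 (CHEN Wei)[1]; 羊洋 (YANG Yang); 宋爽 (SONG Shuang) (School of Information and Software Engineering (Software Engineering), University of Electronic Science and Technology of China, Chengdu 610054, China)
Affiliation: [1] School of Information and Software Engineering (Software Engineering), University of Electronic Science and Technology of China, Chengdu 610054
Source: 《计算机科学》 (Computer Science), 2021, Issue S01, pp. 509-513, 537 (6 pages in total)
Funding: National Natural Science Foundation of China, International (Regional) Cooperation and Exchange Program (61520106007).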
Abstract: In recent years, existing deep learning network models have achieved high accuracy in various classification tasks, but they remain extremely vulnerable to attacks by adversarial samples. At present, adversarial training is one of the best methods of defending against adversarial sample attacks. However, the known single-step attack adversarial training methods defend well only against single-step attacks and perform poorly against iterative attacks, while the iterative attack adversarial training methods improve only the defense against iterative attacks, and their defense against single-step attacks is not ideal. To improve the robustness of deep learning network models against single-step attacks and iterative attacks at the same time, this paper proposes GILLC (Gaussian Iteration Least-Likely Class), an adversarial training defense method that combines Gaussian enhancement with the iterative attack ILLC (Iteration Least-Likely Class). First, a Gaussian perturbation is added to the clean samples to improve the generalization ability of the deep learning network model. Then, the adversarial samples generated by ILLC are used for adversarial training, which approximately solves the inner maximization problem of adversarial training. White-box attack experiments are conducted with CIFAR10 as the dataset. The results show that, compared with the baseline, single-step attack adversarial training and iterative attack adversarial training methods, the GILLC method effectively improves the robustness of the deep learning network model against single-step attacks and iterative attacks, without significantly reducing the classification performance on clean samples.
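Keywords: iterative attack; Gaussian enhancement; single-step attack; adversarial training; adversarial samples; deep learning
Classification code: TP391 [Automation and Computer Technology: Computer Application Technology]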