面向深度学习的对抗样本差异性检测方法  被引量：1

作　　者：王曙燕[1] 侯则昱 孙家泽[1] WANG Shuyan;HOU Zeyu;SUN Jiaze(Trusted Software Laboratory,Xi’an University of Posts and Telecommunications,Xi’an Shaanxi 710121,China)

机构地区：[1]西安邮电大学可信软件实验室,西安710121

出　　处：《计算机应用》2021年第7期1849-1856,共8页journal of Computer Applications

基　　金：2020年陕西省重点研发计划项目(2020GY-010);2019年西安市科技计划项目(2019218114GXRC017CG018-GXYD17.10)。

摘　　要：深度神经网络(DNN)在许多深度学习关键系统如人脸识别、智能驾驶中被证明容易受到对抗样本攻击,而对多种类对抗样本的检测还存在着检测不充分以及检测效率低的问题,为此,提出一种面向深度学习模型的对抗样本差异性检测方法。首先,构建工业化生产中常用的残差神经网络模型作为对抗样本生成与检测系统的模型;然后,利用多种对抗攻击攻击深度学习模型以产生对抗样本组;最终,构建样本差异性检测系统,包含置信度检测、感知度检测及抗干扰度检测三个子检测系统共7项检测方法。在MNIST与Cifar-10数据集上的实验结果表明,属于不同对抗攻击的对抗样本在置信度、感知度、抗干扰度等各项性能检测上存在明显差异,如感知度各项指标优异的对抗样本在置信度以及抗干扰度的检测中,相较于其他类的对抗样本表现出明显不足;同时,证明了在两个数据集上呈现出差异的一致性。通过运用该检测方法,能有效提升模型对对抗样本检测的全面性与多样性。Deep Neural Network(DNN)is proved to be vulnerable to adversarial sample attacks in many key deep learning systems such as face recognition and intelligent driving.And the detection of various types of adversarial samples has problems of insufficient detection and low detection efficiency.Therefore,a deep learning model oriented adversarial sample difference detection method was proposed.Firstly,the residual neural network model commonly used in industrial production was constructed as the model of the adversarial sample generation and detection system.Then,multiple kinds of adversarial attacks were used to attack the deep learning model to generate adversarial sample groups.Finally,a sample difference detection system was constructed,containing total 7 adversarial sample difference detection methods in sample confidence detection,perception detection and anti-interference degree detection.Empirical research was carried out by the constructed method on the MNIST and Cifar-10 datasets.The results show that the adversarial samples belonging to different adversarial attacks have obvious differences in the performance detection on confidence,perception and anti-interference degrees,for example,in the detection of confidence and anti-interference,the adversarial samples with excellent performance indicators in perception show significant insufficiencies compared to other types of adversarial samples.At the same time,it is proved that there is consistency of the differences in the two datasets.By using this detection method,the comprehensiveness and diversity of the model’s detection of adversarial samples can be effectively improved.

关 键 词：深度神经网络 对抗攻击 对抗样本 残差神经网络 差异性检测 

分 类 号：TP181[自动化与计算机技术—控制理论与控制工程] TP183[自动化与计算机技术—控制科学与工程]