一种针对快速梯度下降对抗攻击的防御方法  被引量：4

作　　者：王晓鹏[1] 罗威[1] 秦克[1] 杨锦涛 王敏[1] WANG Xiaopeng;LUO Wei;QIN Ke;YANG Jintao;WANG Min(China Ship Development and Design Center,Wuhan 430064,China;School of Electronic Information,Wuhan University,Wuhan 430072,China)

机构地区：[1]中国舰船研究设计中心,武汉430064 [2]武汉大学电子信息学院,武汉430072

出　　处：《计算机工程》2021年第11期121-128,共8页Computer Engineering

基　　金：国家自然科学基金(61701471)。

摘　　要：智能舰船识别可有效提高舰船装备智能化水平,但存在安全识别问题,即使性能卓越的分类模型也会受到对抗样本的攻击。面对快速梯度下降法(FGSM)这类对抗攻击,传统的防御方法需要先推倒已经训练好的分类模型,再通过安全手段进行重新训练。为简化这一过程,提出防御FGSM对抗攻击的FGSM-Defense算法。获得分类器对对抗样本初次预测的类别排名后,按相应置信度大小排名取出指定数量的类别。在此基础上,通过暴力搜索将这些类别依次指定为攻击目标,分别对原对抗样本进行FGSM有目标攻击,并按相应规则分步缩小搜索范围,筛选出对抗样本真实的类别。实验结果表明,该算法能够准确区分对抗样本的真实类别,在ImageNet数据集上的防御成功率为53.1%。与传统防御方法相比,其无需改变原有神经网络结构和重新训练分类模型,可减少对硬件算力的依赖,降低防御成本。Intelligent ship recognition has been widely used in the military,but it also brings increasingly serious security issues.Even the high performance classification models are still vulnerable to the attacks from adversarial examples.For Fast Gradient Sign Method(FGSM)adversarial attacks,traditional defense methods need to knock down the trained classification model and then retrain through security means.To simplify the process,this paper proposes FGSM-Defense algorithm to defend against FGSM attacks.The algorithm obtains the classification ranking of the initial prediction of the adversarial examples by the classifier,and takes out a specified number of classes in the confidence level order.Then these classes are designated as attack targets by means of violent search to carry out FGSM targeted attacks on the original adversarial examples.Finally,the search scope is narrowed step by step according to the corresponding rules to find out the original real class of the adversarial examples.Experimental results show that the method can recognize the real class of the adversarial examples,and the success rate of defense is 53.1%on ImageNet dataset.Compared with the traditional defense methods,this method does not need to change the original neural network structure or to retrain the classification model,which relieves the dependence on the computing power of hardware and reduces the defense cost.

关 键 词：舰船识别 对抗样本 对抗攻击 快速梯度下降法 ImageNet数据集 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]