融合残差密集块自注意力机制和生成对抗网络的对抗攻击防御模型  被引量：5

作　　者：赵玉明 顾慎凯 ZHAO Yuming;GU Shenkai(School of Computer Science and Technology,Nanjing Tech University,Nanjing Jiangsu 211186,China)

机构地区：[1]南京工业大学计算机科学与技术学院,南京211816

出　　处：《计算机应用》2022年第3期921-929,共9页journal of Computer Applications

基　　金：江苏省自然科学基金资助项目(BK20180696)。

摘　　要：神经网络在图像分类任务上表现优异,但它极易受添加微小扰动的对抗样本的影响,输出错误的分类结果;而目前防御方法存在图像特征提取能力不足、对图像关键区域特征关注较少的问题。针对这些问题,提出了一种融合残差密集块(RDB)自注意力机制和生成对抗网络(GAN)的攻击防御模型——RD-SA-DefGAN。该模型将GAN和投影梯度下降(PGD)攻击算法相结合,吸收PGD攻击算法生成的对抗样本进入训练样本扩充训练集,辅以条件约束稳定模型的训练过程。该模型添加了残差密集块和自注意力机制,在充分提取特征的同时,增大了关键区域特征对分类任务的贡献度。在CIFAR10、STL10和ImageNet20数据集上的实验结果表明,RD-SA-DefGAN能对对抗攻击实施有效防御,在抵御PGD对抗攻击上优于Adv.Training、Adv-BNN、Rob-GAN等防御方法。相较于结构最近似的RobGAN,在CIFAR10数据集上,RD-SA-DefGAN在扰动阈值为0.015~0.070时,防御成功率提升了5.0~9.1个百分点。Neural network has outstanding performance on image classification tasks.However,it is vulnerable to adversarial examples generated by adding small perturbations,which makes it output incorrect classification results.The current defense methods have the problems of insufficient image feature extraction ability and less attention to the features of key areas of the image.To address these issues,a Defense model that fuses Residual Dense Block(RDB)Self-Attention mechanism and Generative Adversarial Network(GAN),namely RD-SA-DefGAN,was proposed.GAN was combined with Projected Gradient Descent(PGD)attacking algorithm.The adversarial samples generated by PGD attacking algorithm were input to the training sample set,and the training process of model was stabilized by conditional constraints.The model also introduced RDB and self-attention mechanism,fully extracted features from the image,and enhanced the contribution of features from the key areas of the image.Experimental results on CIFAR10,STL10,and ImageNet20 datasets show that RDSA-DefGAN can effectively defend from adversarial attacks,and outperforms Adv.Training,Adv-BNN,and Rob-GAN methods on defending PGD adversarial attacks.Compared to the most similar algorithm Rob-GAN,RD-SA-DefGAN improved the defense success rate by 5.0 percentage points to 9.1 percentage points on affected images in CIFAR10 dataset,with the disturbance threshold ranged from 0.015 to 0.070.

关 键 词：生成对抗网络 对抗攻击 残差密集块 自注意力机制 防御模型 

分 类 号：TP181[自动化与计算机技术—控制理论与控制工程]