基于压缩感知的神经网络实时综合防御策略  被引量：4

作　　者：王佳 张扬眉 苏武强 罗成文 吴超 林秋镇[1] 李坚强[1] WANG Jia;ZHANG Yang-Mei;SU Wu-Qiang;LUO Cheng-Wen;WU Chao;LIN Qiu-Zhen;LI Jian-Qiang(Colledge of Computer Science and Software Engineering,Shenzhen University,518060;University of Chinese Academy of Science,Beijing 100049;State Key Laboratory of Computer Architecture,Institute of Computing Technology,Chinese Academy of Science,Beijing 100190)

机构地区：[1]深圳大学计算机与软件学院,深圳518060 [2]中国科学院大学,北京100049 [3]中国科学院计算技术研究所计算机体系结构国家重点实验室,北京100190

出　　处：《计算机学报》2023年第1期1-16,共16页Chinese Journal of Computers

基　　金：国家自然科学基金联合基金重点项目(U1713212);国家重点研发项目(2020YFA0908700);国家自然科学基金(61806130,6197071246,62002338);广东省基础与应用基础研究基金项目(2021A1515011153);“珠江人才计划”引进创新创业团队项目(2019ZT08X603);深圳市科技创新委项目-稳定支持(面上项目20200805142159001);深圳市重点项目(R2020A045)资助.

摘　　要：近年来,基于深度神经网络的视觉识别模型因其在准确率、成本及效率等方面的优势而广泛应用于自动驾驶、工业检测及无人机导航等领域.而深度神经网络自身易受数字域或物理域对抗样本攻击导致模型误判,因此其在无人驾驶等具有强鲁棒性、高实时性要求的场景中部署和应用可能为系统引入新的风险.现有的防御方案在增强模型鲁棒性的同时往往造成准确率明显下降,且往往不能对像素攻击和补丁攻击均提供较强防御能力.因此,设计一种精度高且对多类对抗攻击均具有强鲁棒性的实时综合防御策略成为深度神经网络视觉方案落地应用的关键.本文提出一种基于压缩感知的神经网络实时综合防御策略ComDCT,首先构建图像压缩感知压缩域与其稀疏离散余弦系数之间的映射神经网络,并将网络输出的离散余弦系数通过离散余弦逆变换恢复为去除对抗性扰动的图像作为分类器输入,以降低对抗样本攻击成功率.其次,本文提出通过引入分类损失进一步提升防御策略的综合性能,并根据防御者是否掌握分类模型参数结构等信息分析讨论并验证了黑盒、白盒两种防御模式下引入分类损失的有效性.相比于ComDefend、MF、TVD、LRR等多种防御方法,本文提出的基于压缩感知的神经网络实时综合防御策略在白盒防御模式下防御性能综合指标PDA在LISA、SVHN数据集上分别提升11.88%、7.01%以上,黑盒防御模式下分别提升9.25%、6.7%以上.In recent years,Deep Neural Networks(DNN)have been widely applied in visual classification tasks in fields such as autonomous driving,industrial detection and drone navigation,mainly due to their advantages in accuracy,cost and efficiency.However,despite of these preponderance,deep neural networks are reported to be vulnerable to adversarial examples which could be generated either digitally or physically.Noise images with intentionally crafted adversarial invisible or visible but inconspicuous perturbations could fool the classifier to make incorrect yet confident misclassifications.Hence,the deployment of such models in scenarios where robustness is a critical demand would introduce the system potential security risk.Existing defense strategies usually lead to a drop in test accuracy.And these algorithms are typically designed for defending against either pixel adversarial attacks or patch adversarial attacks in a dedicated manner,and their defensive capability usually does not translate to the other.Furthermore,when it’s applied in real-time safety scenarios like autonomous driving,decision latency is required to be imperceptible,which makes many defensive algorithms far from a solution.Therefore,designing practical real-time comprehensive defense strategies for DNNs against a variety of adversarial attacks is of paramount of importance to its application,as well as represents a critical machine learning challenge.This paper attempts to address the problem of robustness of DNN-based visual classifiers against various adversarial examples by proposing a Compressive Sensing(CS)based defensive strategy combined with Discrete Cosine Transform(DCT),doomed ComDCT.ComDCT works in the compress-DCT-IDCT way to remove the adversarial perturbations from the input and then feed the denoised image to the classifier for inference.Specifically,to achieve this goal,ComDCT firstly train a neural network to learn the mapping from the measurements of the image to its sparse discrete cosine coefficients.And through inverse disc

关 键 词：深度神经网络 对抗防御 压缩感知 无人驾驶 

分 类 号：TP391[自动化与计算机技术—计算机应用技术]