基于自适应像素去噪的对抗攻击防御方法  被引量：1

作　　者：张帅 张晓琳[1] 刘立新[1,2] 王永平 郝琨[3] 徐立 ZHANG Shuai;ZHANG Xiao-lin;LIU Li-xin;WANG Yong-ping;HAO Kun;XU Li(School of Information Engineering,Inner Mongolia University of Science and Technology,Baotou 014010,China;School of Information,Renmin University of China,Beijing 100872,China;College of Medicine and Biological Information Engineering,Northeastern University,Shenyang 110169,China;Department of Computer Science and Technology,Baotou Medical College,Baotou 014010,China)

机构地区：[1]内蒙古科技大学信息工程学院,内蒙古包头014010 [2]中国人民大学信息学院,北京100872 [3]东北大学医学与生物信息工程学院,辽宁沈阳110169 [4]包头医学院计算机科学与技术系,内蒙古包头014010

出　　处：《计算机工程与设计》2023年第5期1336-1344,共9页Computer Engineering and Design

基　　金：国家自然科学基金项目(61562065);内蒙古自然科学基金项目(2019MS06001、2019MS06036)。

摘　　要：针对深度神经网络容易遭到对抗样本攻击导致其分类错误的问题,提出一种基于自适应像素去噪的对抗攻击防御方法。通过基于前向导数的重要性计算方法获得像素重要性分数,根据像素重要性分数对多种对抗攻击进行鲁棒性分析,将其分为鲁棒或非鲁棒攻击,制定针对不同对抗攻击的降噪策略;按照降噪策略分别对重要性分数不同的图像像素进行自适应形态学降噪获得像素去噪图像;使用像素重要性分数、像素去噪图像等信息训练自适应像素去噪模型学习上述去噪过程,进行对抗防御。实验结果表明,该防御能在多个数据集与模型上快速且有效地防御各种对抗攻击,确保原始样本的精确分类。Aiming at the problem that deep neural networks are easy to be attacked by adversarial examples,causing their classification errors,an adversarial attack defense method based on adaptive pixel denoising was proposed.The pixel importance score was obtained using the forward derivative importance calculation method,and the robustness analysis of multiple adversarial attacks was performed based on the pixel importance scores,which were classified as robust or non-robust attacks,and the noise reduction strategies were formulated for different adversarial attacks.According to the noise reduction strategy,adaptive morphological noise reduction was performed on image pixels with different importance scores to obtain pixel denoising images.Adaptive pixel denoising models were trained using information such as pixel importance scores and pixel denoised images to learn the above denoising process for adversarial defense.Experimental results show that the defense can quickly and effectively defend against various adversarial attacks on multiple datasets and models,and ensure accurate classification of the original samples.

关 键 词：深度神经网络 图像分类 对抗样本 鲁棒性 自适应 像素去噪 对抗样本防御 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]