基于逆扰动融合生成对抗网络的对抗样本防御方法  被引量：4

作　　者：张世辉[1,2] 张晓微 宋丹丹 杨永亮 左东旭 ZHANG Shi-hui;ZHANG Xiao-wei;SONG Dan-dan;YANG Yong-iang;ZUO Dong-xu(School of Information Science and Technology,Yanshan University,Qinhuangdao,Hebei 066004,China;The Key Laboratory for Computer Virtual Technology and System Integration of Hebei Province,Qinhuangdao,Hebei 066004,China)

机构地区：[1]燕山大学信息科学与工程学院,河北秦皇岛066004 [2]河北省计算机虚拟技术与系统集成重点实验室,河北秦皇岛066004

出　　处：《电子学报》2023年第4期879-884,共6页Acta Electronica Sinica

基　　金：中央引导地方科技发展资金(No.216Z0301G);国家自然科学基金(No.61379065);河北省自然科学基金(No.F2019203285)。

摘　　要：为了有效抵御对抗样本误导深度神经网络模型,提出一种基于逆扰动融合生成对抗网络的对抗样本防御方法(Inverse Perturbation Fusing Generative Adversarial Network,IP-GAN).充分利用对抗样本中的对抗扰动信息,确定以逆扰动作为对抗样本防御方法的研究出发点,并从高维特征空间进行有效性分析.IP-GAN方法借鉴生成对抗网络思想,以生成器架构作为逆扰动构造模型,依据对抗样本构造相应的逆扰动用于获取重构样本,并引入深度神经网络模型指导逆扰动优化方向,最终将重构样本输入至深度神经网络模型获取正确分类结果.实验结果表明,所构造的逆扰动可有效消除对抗扰动,辅助DNN模型正确识别并分类对抗样本,与现有最新防御方法相比,IP-GAN方法在MNIST和ImageNet数据集上防御成功率分别平均提高了0.86%和2.96%.In order to effectively resist the misleading of the adversarial examples for deep neural network models,an inverse perturbation fusion generative adversarial network(IP-GAN)is proposed.This method makes full use of the adver-sarial perturbation information in adversarial examples,takes inverse perturbation as the starting point of the adversarial ex-ample defense method,and analyzes the effectiveness from the high-dimensional feature space.Drawing on the idea of the generative adversarial network,the generator architecture is used as a construction model to generate the corresponding in-verse perturbation based on adversarial examples to obtain the reconstructed examples.Then,the deep neural network mod-el is introduced to guide the direction of inverse perturbation optimization,and input the reconstruction examples into the deep neural network model to obtain the correct classification results.The experimental results show that the inverse pertur-bation constructed can eliminate adversarial perturbations effectively,and assist the DNN model to identify and classify ad-versarial examples correctly.Compared with the state-of-the-art defense methods,the defense success rates of the IP-GAN method on MNIST and ImageNet datasets are increased by 0.86%and 2.96%,respectively.

关 键 词：对抗样本 生成对抗网络 逆扰动 对抗扰动消除 防御方法 

分 类 号：TP391.4[自动化与计算机技术—计算机应用技术] TP183[自动化与计算机技术—计算机科学与技术]