基于特征图融合的对抗样本生成方法  

作　　者：张世辉[1,2] 张晓微 宋丹丹 路佳琪 ZHANG Shihui;ZHANG Xiaowei;SONG Dandan;LU Jiaqi(School of Information Science and Engineering,Yanshan University,Qinhuangdao,Hebei 066004,China;The Key Laboratory for Computer Virtual Technology and System Integration of Hebei Province,Qinhuangdao,Hebei 066004,China)

机构地区：[1]燕山大学信息科学与工程学院,河北秦皇岛066004 [2]燕山大学河北省计算机虚拟技术与系统集成重点实验室,河北秦皇岛066004

出　　处：《燕山大学学报》2023年第4期337-346,共10页Journal of Yanshan University

基　　金：国家自然科学基金资助项目(61379065);中央引导地方科技发展资金资助项目(216Z0301G);河北省自然科学基金资助项目(F2019203285)。

摘　　要：为检验现有深度学习算法的鲁棒性和安全性,提出一种基于特征图融合的对抗样本生成方法。首先,分析卷积神经网络在图像分类任务中所提取不同层次特征图的特点,提出利用多层次特征图进行对抗扰动构造的方法思想;其次,引入通道注意力模块对卷积层输出特征图进行权重分配,以此代表不同特征图对分类结果的影响程度;再次,构建基础网络用于选取高权重特征图,并对显著特征信息进行像素值修改来生成扰动特征图;最后,将不同扰动特征图融合为对抗扰动,并添加至原始输入样本中生成对抗样本。实验结果表明,所提对抗样本生成方法在CIFAR-10和MNIST数据集上兼顾了攻击成功率和样本视觉感知效果,与现有代表性对抗样本生成方法相比,在高难度的非交互式黑盒模型上取得了较好的攻击效果。To test the robustness and security of existing deep learning algorithms an adversarial example generation method based on feature maps fusion is proposed.Firstly the idea of adversarial example generation method based on feature maps fusion is proposed by analyzing the characteristics of different levels of feature maps extracted by convolutional neural networks in image classification tasks.Secondly the channel attention module is introduced to assign weights to the output feature maps of the convolutional layers to represent their degree of influence on the classification results.Thirdly the basic network is constructed for selecting high-weight feature maps and the perturbation feature maps are generated by modifying the pixels which are in the salient regions.Finally the different perturbation feature maps are fused into the adversarial perturbations and added to the original input example to generate the adversarial example.The experimental results show that the proposed adversarial example generation method balances the attack success rate and the visual effect on the CIFAR-10 and MNIST datasets.And the method achieves better attack results on the difficult Non-interactive blackBox models compared with the state-of-the-art methods.

关 键 词：对抗样本 特征图 通道注意力模块 卷积神经网络 图像分类 

分 类 号：TP391.41[自动化与计算机技术—计算机应用技术] TP18[自动化与计算机技术—计算机科学与技术]