基于SVD的深度学习模型对抗鲁棒性研究  被引量：1

作　　者：赵子天 詹文翰 段翰聪[1] 吴跃[1] ZHAO Zitian;ZHAN Wenhan;DUAN Hancong;WU Yue(School of Computer Science and Engineering,University of Electronic Science and Technology of China,Chengdu 611731,China)

机构地区：[1]电子科技大学计算机科学与工程学院,成都611731

出　　处：《计算机科学》2023年第10期362-368,共7页Computer Science

摘　　要：对抗攻击的出现对于深度神经网络(DNN)在现实场景中的大规模部署产生了巨大的威胁,尤其是在与安全相关的领域。目前已有的大多数防御方法都基于启发式假设,缺少对模型对抗鲁棒性的分析。如何提升DNN的对抗鲁棒性,并提升鲁棒性的可解释性和可信度,成为人工智能安全领域的重要一环。文中提出从奇异值分布的角度分析模型的对抗鲁棒性。研究发现,模型在对抗性环境下鲁棒性的提升伴随着更加平滑的奇异值分布。通过进一步分析表明,平滑的奇异值分布意味着模型的分类置信度来源更加多样,从而也具有更高的对抗鲁棒性。基于此分析,进一步提出了基于奇异值抑制SVS(Singular Value Suppress)的对抗训练方法。实验结果表明,该方法进一步提高了模型在对抗性环境下的鲁棒性,在面对强力白盒攻击方法PGD(Project Gradient Descent)时,在CIFAR10和SVHN数据集上分别能达到55.3%和54.51%的精度,超过了目前最具有代表性的对抗训练方法。The emergence of adversarial attacks poses a substantial threat to the large-scale deployment of deep neural networks(DNNs)in real-world scenarios,especially in security-related domains.Most of the current defense methods are based on heuristic assumptions and lack analysis of model robustness.How to improve the robustness of DNN and improve the interpretability and credibility of the robustness has become an essential part of the field of artificial intelligence security.This paper proposes to analyze the robustness of the model from the perspective of singular values.In the adversarial environment,the improvement of model robustness is accompanied by a smoother distribution of singular values.Further analysis shows that the smooth distribution of singular values means that the model has more diverse classification confidence sources and thus has higher adversarial robustness.Based on the analysis,an adversarial training algorithm based on singular value suppress(SVS)is proposed.Experiments show that the algorithm improves the robustness of the model and can achieve accuracy of 55.3%and 54.51%respectively on CIFAR-10 and SVHN when facing the powerful white-box attack PGD(Project Gradient Descent)method,exceeding the most representative adversarial training methods at present.

关 键 词：深度学习 对抗防御 对抗训练 对抗鲁棒性 奇异值分解 

分 类 号：TP391[自动化与计算机技术—计算机应用技术]