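Authors: 冼卓滢 (Xian Zhuoying); 陈国明 (Chen Guoming)[1]; 罗家梁 (Luo Jialiang); 梁伟堂 (Liang Weitang) (School of Computer Science, Guangdong University of Education, Guangzhou 510303, China)
Affiliation: [1] School of Computer Science, Guangdong University of Education (广东第二师范学院计算机学院), Guangzhou 510303
Source: 《现代计算机》 (Modern Computer), 2023, No. 17, pp. 49-56 (8 pages)
Funding: Natural Science Foundation of Guangdong Province (2018A0303130169); Open Fund of the Guangdong Provincial Key Laboratory of Big Data Analysis and Processing (201902).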
Abstract: Deep network classification models, when attacked with adversarial samples, pose security problems for machine learning applications. To address this problem, broad learning is designed and applied to resist adversarial attacks, with the aim of improving the classification accuracy of intelligent systems on adversarial samples and thereby the security of the system. To verify the effectiveness of this method in resisting adversarial sample attacks, an optimized broad learning network is first designed and validated on the standard public adversarial dataset DAmageNet. The experimental results show that the network's validation accuracy on adversarial samples can be raised from 57.33% to at most 80.67%, an increase of 23.34 percentage points. The optimized network is then trained on the mammographic image dataset (Mammographic Image Analysis Society) mixed with four attack methods: FGSM, C&W, JSMA and Deepfool. Extensive experiments show that the broad network effectively improves the classification accuracy of attack methods in adversarial samples: validation accuracy rises from 55.00% to 80.75%, which is 25.75 percentage points higher than the network structure before widening. The broad network's ability to resist attacks differs depending on which bit planes of the adversarial sample's target image are selected. This is studied through a newly proposed interpretable method of cutting bit planes; one of the attack methods (FGSM) is chosen for explanation, and the internal mechanism by which the broad learning model resists attack methods is analyzed.