基于GAN实现环境声音分类的组合对抗防御  

作　　者：张强 杨吉斌 张雄伟 曹铁勇 李毅豪 ZHANG Qiang;YANG Jibin;ZHANG Xiongwei;CAO Tieyong;LI Yihao(School of Command and Control Engineering,Army Engineering University,Nanjing 210007,China)

机构地区：[1]陆军工程大学指挥控制工程学院,南京210007

出　　处：《电子与信息学报》2023年第12期4399-4410,共12页Journal of Electronics & Information Technology

基　　金：国家自然科学基金(62071484)。

摘　　要：虽然深度神经网络可以有效改善环境声音分类(ESC)性能,但对对抗样本攻击依然具有脆弱性。已有对抗防御方法通常只对特定攻击有效,无法适应白盒、黑盒等不同攻击场景。为提高ESC模型在各种场景下对各种攻击的防御能力,该文提出一种结合对抗检测、对抗训练和判别性特征学习的ESC组合对抗防御方法。该方法使用对抗样本检测器(AED)对输入ESC模型的样本进行检测,基于生成对抗网络(GAN)同时对AED和ESC模型进行对抗训练,其中,AED作为GAN的判别器使用。同时,该方法将判别性损失函数引入ESC模型的对抗训练中,以驱使模型学习到的样本特征类内更加紧凑、类间更加远离,进一步提升模型的对抗鲁棒性。在两个典型ESC数据集,以及白盒、自适应白盒、黑盒攻击设置下,针对多种模型开展了防御对比实验。实验结果表明,该方法基于GAN实现多种防御方法的组合,可以有效提升ESC模型防御对抗样本攻击的能力,对应的ESC准确率比其他方法对应的ESC准确率提升超过10%。同时,实验验证了所提方法的有效性不是由混淆梯度引起的。Although deep neural networks can effectively improve Environmental Sound Classification(ESC)performance,they are still vulnerable to adversarial attacks.The existing adversarial defense methods are usually effective only for specific attacks and can not be adapted to different attack settings such as white-box and black-box.To improve the defense capability of ESC models in various attacking scenarios,an ESC adversarial defense method is proposed in this paper,which combines adversarial detection,adversarial training,and discriminative feature learning.This method uses an Adversarial Example Detector(AED)to detect samples input to the ESC model,and trains both the AED and ESC model simultaneously via Generative Adversarial Network(GAN),where the AED is used as the discriminator of GAN.Meanwhile,this method introduces discriminative loss functions into the adversarial training of the ESC model,so as to drive the model to learn deep features more compact within classes and more distant between classes,which helps to improve further the adversarial robustness of the model.Comparative experiments of multiple defense methods on two typical ESC datasets under white-box,adaptive white-box,and black-box attack settings are conducted.The experimental results show that by implementing a combination of multiple defense methods based on GAN,the proposed method can effectively improve the defense capability of ESC models against various attacks,and the corresponding ESC accuracy is at least 10%higher than that achieved by other defense methods.Meanwhile,it is verified that the effectiveness of the proposed method is not due to the obfuscated gradients.

关 键 词：环境声音 对抗防御 对抗训练 对抗检测 判别性特征学习 

分 类 号：TN912[电子电信—通信与信息系统]