基于动量增强特征图的对抗防御算法  

作　　者：胡军[1] 石艺杰 HU Jun;SHI Yijie(Chongqing Key Laboratory of Computational Intelligence,Chongqing University of Posts and Telecommunications,Chongqing 400065,China)

机构地区：[1]重庆邮电大学计算智能重庆市重点实验室,重庆400065

出　　处：《电子与信息学报》2023年第12期4548-4555,共8页Journal of Electronics & Information Technology

基　　金：国家自然科学基金(61936001,62276038);重庆市教委重点合作项目(HZ2021008);重庆市自然科学基金(cstc2019jcyj-cxttX0002,cstc2021ycjh-bgzxm0013)。

摘　　要：深度神经网络(DNN)因其优异的性能而被广泛应用,但易受对抗样本攻击的问题使其面临巨大的安全风险。通过对DNN的卷积过程进行可视化,发现随着卷积层数加深,对抗攻击对原始输入产生的扰动愈加明显。基于这一发现,采用动量法中前向结果修正后向结果的思想,该文提出一种基于动量增强特征图的防御算法(MEF)。MEF算法在DNN的卷积层上部署特征增强层构成特征增强块(FEB),FEB会结合原始输入以及浅层卷积层的特征图生成特征增强图,进而利用特征增强图来增强深层的特征图。同时,为了保证每层特征增强图的有效性,增强后的特征图还会对特征增强图进行进一步更新。为验证MEF算法的有效性,使用多种白盒与黑盒攻击对部署MEF算法的DNN模型进行攻击实验,结果表明在投影梯度下降法(PGD)以及快速梯度符号法(FGSM)的攻击实验中,MEF算法对对抗样本的识别精度比对抗训练(AT)高出3%~5%,且对干净样本的识别精度也有所提升。此外,使用比训练时更强的对抗攻击方法进行测试时,与目前先进的噪声注入算法(PNI)以及特征扰动算法(L2P)相比,MEF算法表现出更强的鲁棒性。Deep Neural Networks(DNN)are widely used due to their excellent performance,but the problem of being vulnerable to adversarial examples makes them face huge security risks.Through the visualization of the convolution process of DNN,it is found that with the deepening of the convolution layers,the disturbance of the original input caused by the adversarial attack becomes more obvious.Based on this finding,a defense algorithm based on Momentum Enhanced Feature maps(MEF)is proposed by adopting the idea of revising the backward results by the forward results in the momentum method.The MEF algorithm deploys a feature enhancement layer on the convolutional layer of the DNN to form a Feature Enhancement Block(FEB).The FEB combines the original input and the feature map of the shallow convolutional layer to generate a feature enhancement map,and then uses the feature enhancement map to enhance the deep features map.While,in order to ensure the effectiveness of the feature enhancement map of each layer,the enhanced feature map will further update the feature enhancement map.In order to verify the effectiveness of the MEF algorithm,various white-box and black-box attacks are used to attack the DNN model deployed with the MEF algorithm,the results show that in the Project Gradient Descent(PGD)and Fast Gradient Sign Method(FGSM)attack experiment,the recognition accuracy of MEF algorithm for adversarial samples is 3%~5%higher than that of Adversarial Training(AT),and the recognition accuracy of clean samples is also improved.Furthermore,when tested with stronger adversarial attack methods than training,the MEF algorithm exhibits stronger robustness compared with the currently advanced Parametric Noise Injection algorithm(PNI)and Learn2Perturb algorithm(L2P).

关 键 词：深度神经网络 对抗样本 对抗防御 动量方法 特征增强 

分 类 号：TN915.08[电子电信—通信与信息系统] TP309.2[电子电信—信息与通信工程]