结合对抗训练和特征混合的孪生网络防御模型  被引量：2

作　　者：张新君[1] 程雨晴 Zhang Xinjun;Cheng Yuqing(School of Electronic&Information Engineering,Liaoning Technical University,Huludao Liaoning 125105,China)

机构地区：[1]辽宁工程技术大学电子与信息工程学院,辽宁葫芦岛125105

出　　处：《计算机应用研究》2024年第3期905-910,共6页Application Research of Computers

基　　金：2022年辽宁省教育厅基本科研项目(LJKMZ20220678);辽宁省教育厅科学研究经费项目(LJ2020JCL007);辽宁工程技术大学博士启动基金资助项目(20-1020)。

摘　　要：神经网络模型容易受到对抗样本攻击。针对当前防御方法侧重改进模型结构或模型仅使用对抗训练方法导致防御类型单一且损害模型分类能力、效率低下的问题,提出结合对抗训练和特征混合训练孪生神经网络模型(SS-ResNet18)的方法。该方法通过线性插值混合训练集样本数据,使用残差注意力模块搭建孪生网络模型,将PGD对抗样本和正常样本输入不同分支网络进行训练。在特征空间互换相邻样本部分输入特征以增强网络抗干扰能力,结合对抗损失和分类损失作为网络整体损失函数并对其进行标签平滑。在CIFAR-10和SVHN数据集上进行实验,该方法在白盒攻击下表现出优异的防御性能,黑盒攻击下模型对PGD、JSMA等对抗样本的防御成功率均在80%以上;同时,SS-ResNet18模型时间花销仅为子空间对抗训练方法的二分之一。实验结果表明,SS-ResNet18模型能防御多种对抗样本攻击,与现有防御方法相比,其鲁棒性强且训练耗时较短。Neural network models are vulnerable to adversarial sample attacks.Aiming at the problem that current defense methods focus on improving the model structure or the model only uses the adversarial training method which leads to a single type of defense and impairs the model s classification ability and inefficiency,this paper proposed the method of combining the adversarial training and the feature mixture to train the siamese neural network model(SS-ResNet18).The method mixed the training set sample data by linear interpolation,built a siamese network model using the residual attention module,and inputted PGD antagonistic samples and normal samples into different branches of the network for training.It interchanged the input features in the feature space between neighboring sample parts to enhance the network s immunity to interference,combining the adversarial loss and the classification loss as the overall loss function of the network and smoothing it with labels.Experimented on CIFAR-10 and SVHN datasets,the method shows excellent defense performance under white-box attack,and the success rate of the model s defense against anta-gonistic samples,such as PGD,JSMA,etc.,under black-box attack is more than 80%.At the same time,the SS-ResNet18 model time spent is only one-half of the one-half of the subspace antagonistic training method.The experimental results show that the SS-ResNet18 model can defend against a variety of adversarial sample attacks,and is robust and less time-consuming to train compared to existing defense methods.

关 键 词：孪生神经网络 图像分类 对抗样本 对抗训练 注意力机制 特征混合 

分 类 号：TP391[自动化与计算机技术—计算机应用技术]