基于样本预处理的低成本对抗样本防御算法  

作　　者：陈虓 昌燕 王丹琛[3] 张仕斌 CHEN Xiao;CHANG Yan;WANG Danchen;ZHANG Shibin(School of Cybersecurity,Chengdu University of Information Technology,Chengdu Sichuan 610225,China;Advanced Cryptography System Security Key Laboratory of Sichuan Province(Chengdu University of Information Technology),Chengdu Sichuan 610225,China;Sichuan Digital Economy Research Center,Chengdu Sichuan 610021,China)

机构地区：[1]成都信息工程大学网络空间安全学院,成都610225 [2]先进密码技术与系统安全四川省重点实验室(成都信息工程大学),成都610225 [3]四川省数字经济研究中心,成都610021

出　　处：《计算机应用》2024年第9期2756-2762,共7页journal of Computer Applications

基　　金：国家自然科学基金资助项目(62272068);成都市重点研发支撑计划项目(2021-YF09-00114-GX)。

摘　　要：为尽可能防御现有的各种针对人工智能算法(特别是人工神经网络)的攻击方法,同时降低由此带来的额外开销,提出基于样本预处理的藤牌算法。通过切割图像非重要信息部分、邻近像素值统一化和图像放缩3种方法对样本进行预处理,破坏对抗扰动,生成对模型威胁更小的新样本,以确保模型识别的高准确率。实验结果表明,藤牌算法可以在比同类算法开销更小的情况下,防御针对MNIST、CIFAR10数据集和squeezenet1_1、mnasnet1_3、mobilenet_v3_large神经网络模型的对抗攻击,防御后的样本准确率最低可达88.50%;同时在处理干净样本时也不会过多降低样本准确率,防御效果和防御成本都优于FGSM(Fast Gradient Sign Method)和MIM(Momentum Iterative Method)等对比算法。In order to defend against existing attacks on artificial intelligence algorithms(especially artificial neural networks)as much as possible,and reduce the additional costs,the rattan algorithm based on example preprocessing was proposed.By cutting the unimportant information part of the image,normalizing the neighboring pixel values and scaling image,the examples were preprocessed to destroy the adversarial disturbance and generate new examples with less threat to the model,ensuring high accuracy of model recognition.Experimental results show that the rattan algorithm can defend against some adversarial attacks against MNIST,CIFAR10 datasets and neural network models such as squeezenet1_1,mnasnet1_3 and mobilenet_v3_large with less overhead than similar algorithms,and the minimum example accuracy after defense can reach 88.50%;meanwhile,it does not reduce the example accuracy too much while processing clean examples,and the defense effect and defense cost are better than those of the comparison algorithms such as Fast Gradient Sign Method(FGSM)and Momentum Iterative Method(MIM).

关 键 词：攻击 防御 图像放缩 图像切割 像素值统一化 

分 类 号：TP183[自动化与计算机技术—控制理论与控制工程]