面向深度模型的对抗攻击与对抗防御技术综述  被引量：1

作　　者：王文萱[1,3] 汪成磊 齐慧慧 叶梦昊 张艳宁 WANG Wenxuan;WANG Chenglei;QI Huihui;YE Menghao;ZHANG Yanning(School of Computer Science,Northwestern Polytechnical University,Xi’an,Shaanxi 710129,China;National Elite Institute of Engineering,Northwestern Polytechnical University,Xi’an,Shaanxi 710072,China;National Engineering Laboratory for Integrated Aero-Space-Ground-Ocean Big Data Application Technology,Xi’an,Shaanxi 710129,China)

机构地区：[1]西北工业大学计算机学院,陕西西安710129 [2]西北工业大学国家卓越工程师学院,陕西西安710072 [3]空天地海一体化大数据应用技术国家工程实验室,陕西西安710129

出　　处：《信号处理》2025年第2期198-223,共26页Journal of Signal Processing

摘　　要：深度学习技术已广泛应用于图像分类和目标检测等计算机视觉核心任务,并取得了瞩目的进展。然而,深度学习模型因其高度的复杂性与内在的不确定性,极易成为对抗样本攻击的靶标。攻击者巧妙地利用数据中细微的、精心设计的扰动,诱导模型以极高的置信度输出错误结果,此类对抗样本对实际应用场景中模型的可靠性及安全性构成了严峻的挑战与潜在威胁。例如,攻击者可利用对抗眼镜误导人脸识别系统,导致身份误判,进而实施非法入侵、身份冒用等威胁公共安全和个人隐私的行为;也可对自动驾驶系统的监控数据添加对抗噪声,虽不破坏交通工具本身特征,却可能导致漏检重要交通工具,引发交通混乱甚至事故,造成严重后果。本文旨在梳理当前对抗攻击与对抗防御技术的研究现状。具体而言,内容涵盖以下三个方面:1)在概述对抗样本基本概念和分类的基础上,剖析了多种对抗攻击的形式和策略,并举例介绍了具有代表性的经典对抗样本生成方法;2)阐述对抗样本的防御方法,从模型优化、数据优化和附加网络三个方向系统梳理了当前提高模型对抗鲁棒性的各类算法,分析了各类防御方法的创新性和有效性;3)介绍对抗攻击和对抗防御的应用实例,阐述了大模型时代对抗攻击和防御的发展现状,分析了在实际应用中遇到的挑战及解决方案。最后本文对当前对抗攻击与防御方法进行了总结分析,并展望了该领域内未来的研究方向。Deep learning techniques have been widely applied in core tasks of computer vision,such as image classification and object detection,achieving remarkable progress.However,owing to the complexity and inherent uncertainty of deep learning models,they are highly vulnerable to adversarial attacks.In these attacks,attackers subtly manipulate data by adding carefully designed perturbations that cause the model to make incorrect predictions with high confidence.Such adversarial examples pose significant challenges and potential threats to the reliability and security of models in real-world applications.For example,attackers can use adversarial glasses to mislead facial recognition systems,causing identity misclassification,which could lead to illegal access or identity fraud,threatening public safety and personal privacy.Similarly,adversarial noise added to the monitoring data of autonomous driving systems,while not altering the characteristics of vehicles,may cause the system to miss detecting important vehicles,leading to traffic disruptions or even accidents with severe consequences.This paper reviews the current research on adversarial attacks and defense techniques.Specifically,it covers the following three aspects:1) It introduces the basic concepts and classifications of adversarial examples,analyzes various forms and strategies of adversarial attacks,and provides examples of classic adversarial example generation methods.2) It describes the defense methods against adversarial examples,systematically categorizing algorithms that enhance model robustness from three directions,namely,model optimization,data optimization,and additional network structures.The innovation and effectiveness of each defense method are discussed.3) It presents application cases of adversarial attacks and defenses,expounding on the development status of adversarial attack and defense in the era of large model and analyzing the challenges encountered in real-world applications and possible solutions.Finally,the paper summarizes and analyze

关 键 词：对抗攻击 对抗防御 深度学习 计算机视觉 可信人工智能 

分 类 号：TN911.73[电子电信—通信与信息系统]