面向自动驾驶系统图像分类模型的对抗攻击及防御性能研究  

作　　者：唐军 黄文静 李爽 吴自力 TANG Jun;HUANG Wenjing;LI Shuang;WU Zili(CRRC Zhuzhou Institute Co.,Ltd.,Zhuzhou,Hunan 412001,China)

机构地区：[1]中车株洲电力机车研究所有限公司,湖南株洲412001

出　　处：《机车电传动》2025年第1期25-34,共10页Electric Drive for Locomotives

基　　金：国家重点研发计划项目(2022YFB4300604)。

摘　　要：图像分类模型被广泛应用于城市轨道交通、汽车、智轨等众多交通运输系统的自动驾驶系统,以实现自主感知、自主定位等功能,然而对抗样本会使模型产生错误的输出与判断,对图像分类模型在自动驾驶系统的应用安全性产生较大影响。文章通过针对典型的图像分类模型ResNet,采用基于敏感性分析的噪声叠加攻击策略开展白盒对抗攻击,并对攻击效果和防御性能进行研究。该研究选取FGSM、BIM、PGD等算法生成对抗样本,通过调整扰动系数实现微小扰动下的攻击成功率测试;采用LRP、Grad-CAM和LIME三种对抗解释算法对不同样本不同区域的敏感程度进行攻击原理分析,并在基于对抗攻击效果和原理分析的基础上,采用群智化防御、对抗训练等优化算法,验证对抗训练后模型的分类性能,同时通过博弈算法对弈获得攻守收益矩阵,从而确定最佳防御策略。文章通过对抗攻击和攻防策略的研究,提出高级辅助驾驶系统图像分类模型在运用过程中保障安全性的解决方案。Image classification models have been widely applied to facilitate functions such as autonomous perception and positioning for automated driving in many transportation systems,including automobiles,autonomous rail and urban rail transit systems.However,output and judgment errors generated by these models due to the presence of adversarial examples,impose a great impact on the security and safety associated with their applications in automated driving systems.A sensitivity analysis-based noise superposition attack strategy was employed to perform white-box adversarial attacks against ResNet,a typical image classification model.Subsequent studies evaluated the attack effects and defense performance.Firstly,algorithms such as FGSM,BIM,and PGD were selected to generate adversarial examples and tests were conducted through adjusting perturbation coefficients to determine attack success rates under small perturbations.Then,sensitivity analyses were carried out across different regions and examples to identify attack mechanisms using three adversarial interpretation algorithms:LRP,Grad-CAM,and LIME.Based on these analysis results,optimization algorithms such as swarm intelligence defense and adversarial training were adopted to verify the classification performance of the model following adversarial training.A benefit matrix for attack and defense was established using a game algorithm,leading to the development of an optimal defense strategy.Finally,a solution was proposed to ensure security and safety associated with the application of image classification models in advanced driver assistance systems,based on the study findings of adversarial attacks and attack-defense strategies.

关 键 词：交通运输 自动驾驶 网络安全 功能安全 图像分类 对抗样本 防御性能 

分 类 号：U268.4[机械工程—车辆工程] TP183[交通运输工程—载运工具运用工程]