基于决策路径的DNN模型鲁棒性测试样本扰动生成方法  

作　　者：吴际[1] 聂彦凯 曹鸿宇 樊湘钰 孙青[1] 杨海燕[1] WU Ji;NIE Yankai;CAO Hongyu;FAN Xiangyu;SUN Qing;YANG Haiyan(School of Computer Science,Beihang University,Beijing 102206,China)

机构地区：[1]北京航空航天大学计算机学院,北京102206

出　　处：《宇航计测技术》2025年第2期72-82,共11页Journal of Astronautic Metrology and Measurement

摘　　要：随着深度神经网络(DNN)内部结构日益复杂化,人们对其内部运行机理很难有直观的了解,模型出错的概率也大大增加,因此需要一种有效的DNN鲁棒性测试方法来解决模型的信任危机,以保证软件系统的可靠性和安全性。现有DNN鲁棒性测试方法多以神经元覆盖率为目标进行扰动样本的生成,并没有引入更多有关模型内部的信息,导致扰动程度过高,且生成的扰动样本存在大量冗余,对模型鲁棒性的提升能力十分有限。为此,提出了基于DNN决策路径的鲁棒性测试样本扰动生成方法(DEPIPE),用待测模型最后一层卷积层构造决策树,对决策树中决策路径涉及的滤波器进行归因分析并求出影响因子,最后利用决策路径和影响因子来指导扰动样本的生成。试验结果表明,所生成的扰动样本在扰动程度上平均比现有更先进的模糊测试方法DLFuzz降低了78%,在扰动的原始样本数量上平均增加27.7%。With the increasing complexity of the internal structure of deep neural network(DNN),it is difficult for people to have an intuitive understanding of its internal operation mechanism, so the probability of model errors is greatly increased.Therefore, an effective DNN robustness test method is needed to solve the trust crisis of the model to ensure the reliability and security of the software system.The existing DNN robustness test methods mostly target the coverage of neurons for generating perturbation samples, without introducing more information about the internal model, resulting in a high degree of perturbation and a large amount of redundancy in the generated perturbation samples, which greatly limits the ability to improve model robustness.A new adversarial example generation method is proposed.Firstly, a decision tree is constructed by the last convolutional layer of the model.The judgment path in the decision tree is regarded as the decision path, and each filter in the path is analyzed to find out the impact factor.Finally, the perturbed samples were generated according to the decision path and impact factors.The test results show that the test samples generated are 78% less than the existing state-of-the-art fuzzing method DLFuzz in terms of perturbation degree on average, and the number of original samples perturbed by our method is 27.7% more on average.

关 键 词：深度神经网络 鲁棒性测试 决策树 特征归因 扰动样本 

分 类 号：TP311.5[自动化与计算机技术—计算机软件与理论]