| 丁伟杰* **,郑文浩* ***,方怡* ***,王琦晖****,李小薪* ***.基于沙漏状数据处理单元和分组RBF单元的对抗性免疫防御方法[J].高技术通讯(中文),2024,34(9):935~944 |
| 基于沙漏状数据处理单元和分组RBF单元的对抗性免疫防御方法 |
| Immune defense against adversarial attacks via hourglass data-processing units and group RBF units |
| |
| DOI:10. 3772 / j. issn. 1002-0470. 2024. 09. 003 |
| 中文关键词: 免疫防御; 精度注入; 分组径向基函数(RBF); 权重衰减 |
| 英文关键词: immune defense, precision injection, group radial basis function (RBF), weight decay |
| 基金项目: |
| 作者 | 单位 | | 丁伟杰* ** | (*浙江工业大学计算机科学与技术学院杭州 310023)
(**浙江警察学院计算机与信息安全系杭州 310053)
(***浙江省可视媒体智能处理技术研究重点实验室杭州 310023)
(****杭州师范大学钱江学院杭州 311121) | | 郑文浩* *** | | | 方怡* *** | | | 王琦晖**** | | | 李小薪* *** | |
|
| 摘要点击次数: 329 |
| 全文下载次数: 237 |
| 中文摘要: |
| 针对深度神经网络(DNN)容易受到对抗样本攻击的问题,研究人员提出了许多防御方法,可分为外部防御方法(EDM)和免疫防御方法(IDM)。外部防御方法试图在将对抗性样本输入DNN之前去除其中存在的对抗干扰,而免疫防御方法则致力于提升DNN本身的鲁棒性,本文重点研究免疫防御方法。现有的免疫防御方法主要基于鲁棒优化策略来提升DNN的鲁棒性,为DNN构建鲁棒模块的工作较少。本文在DNN中引入了2个新的鲁棒单元:基于特征压缩和精度注入的沙漏状数据处理单元,用以减小对抗性扰动的干扰;分组径向基函数单元,用于增强DNN的非线性和适应类内变化的能力。在优化过程中使用标签平滑、退火策略和权值衰减来进一步提高鲁棒性。在2个数据集(MNIST和CIFAR-10)以及2个流行的DNN模型(LeNet5和VGG16)上的实验表明,将所提出的鲁棒单元集成到DNN中可以大幅提高其对对抗性攻击的免疫能力,同时保持其在干净样本上的识别性能。 |
| 英文摘要: |
| Deep neural network (DNN) is vulnerable to adversarial examples with imperceptible perturbation to clean images. To counter this issue, researchers proposed many powerful defensive methods, which can be categorized into external defense methods (EDMs) and immune defense methods (IDMs). EDMs try to purify the adversarial examples before they are fed into DNNs, while IDMs try to robustify the DNNs per se. This work focuses on IDMs. Most of the existing IDMs boost robustness mainly via using robust optimization strategies rather than building robust modules for DNNs. This work introduces two new robust units into DNNs: the hourglass data-processing units, based on feature squeezing and precision injection, for reducing adversarial perturbations, and the group RBF units for enhancing nonlinearity and handling intra-class variations. This work also uses label smoothing, annealing strategy and weight decay during optimization to further boost robustness. Extensive experiments on two public datasets, MNIST and CIFAR-10, and two popular DNNs, LeNet5 and VGG16, demonstrate that integrating the proposed robust units into DNNs could greatly improve their immune abilities against adversarial attacks while keeping their original recognition performance on clean samples. |
|
查看全文
查看/发表评论 下载PDF阅读器 |
| 关闭 |
|
|
|
