一种提高图像识别模型鲁棒性的弱化强化方法

doi:10.3969/j.issn.1006-2475.2023.10.011

摘要/Abstract

摘要： 如何增强模型在对抗样本攻击下的鲁棒性是一个重要研究方向。本文提出一种提高图像识别模型鲁棒性的方法。该方法由弱化操作和强化操作组成。弱化操作弱化原生输入的像素值，破坏对抗扰动的结构，这个过程减少了图片中的对抗扰动但也丢失了一些空间语义信息，这部分丢失的语义信息由强化操作补全。强化操作由特征提取器和特征选择器构成，特征提取器用于提取合适的图像特征图。为了从这些特征图中选择鲁棒的部分，设计一个特征选择器用于融合特征图的内容并输出扰动较小且富含空间语义信息的特征图。通过大量的对比实验证实了方法抵御对抗样本的有效性并揭示了对抗扰动的误差积累现象。

关键词: 关键词：深度学习, 神经网络, 对抗样本, 图像识别

Abstract: How to enhance the robustness of the model against adversarial examples attacks is an important research direction. In this paper， a method to improve the robustness of image recognition models is proposed. The method consists of a weakening operation and a strengthening operation. The weakening operation weakens the pixel values of the native input and destroys the structure of the adversarial perturbation. This process reduces the adversarial perturbation in the image but also loses some spatial semantic information， and this lost semantic information is supplemented by the reinforcement operation. The reinforcement operation consists of a feature extractor and a feature selector. The feature extractor is used to extract suitable image feature maps， and in order to select robust parts from these feature maps， a feature selector is designed to fuse the content of the feature maps and output feature maps with less perturbation and rich spatial semantic information. In this paper， the effectiveness of the method against adversarial examples is confirmed by extensive comparison experiments and the error accumulation phenomenon of adversarial perturbation is revealed.

Key words: Key words: deep learning, neural networks, adversarial example, image recognition

中图分类号:

TP391

黎世达, 项剑文. 一种提高图像识别模型鲁棒性的弱化强化方法[J]. 计算机与现代化, 2023, 0(10): 70-76.

LI Shi-da, XIANG Jian-wen. A Weakened Joint Reinforcement Method to Improve Robustness of Image Recognition Models[J]. Computer and Modernization, 2023, 0(10): 70-76.

参考文献［27］

［1］	HE K M， ZHANG X Y， REN S Q， et al. Deep residual learning for image recognition［C］// Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. 2016:770-778.
［2］	SIMONYAN K， ZISSERMAN A. Very deep convolutional networks for large-scale image recognition［J］. arXiv preprint arXiv:1409.1556， 2014.
［3］	SZEGEDY C， IOFFE S， VANHOUCKE V， et al. Inception-v4， inception-ResNet and the impact of residual connections on learning［C］// Proceedings of the 31st AAAI Conference on Artificial Intelligence. 2017:4278-4284.
［4］	VASWANI A， SHAZEER N， PARMAR N， et al. Attention is all you need［C］// Proceedings of the 31st International Conference on Neural Information Processing Systems. 2017:6000-6010.
［5］	XIE S N， GIRSHICK R， DOLLAR P， et al. Aggregated residual transformations for deep neural networks［C］// Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition. 2017:5987-5995.
［6］	LONG J， SHELHAMER E， DARRELL T. Fully convolutional networks for semantic segmentation［C］// Proceedings of the 2015 IEEE Conference on Computer Vision and Pattern Recognition. 2015:3431-3440.
［7］	YAN Z W， ZHENG H C， LI Y， et al. Detection-oriented backbone trained from near scratch and local feature refinement for small object detection［J］. Neural Processing Letters， 2021，53（3）:1921-1943.
［8］	BAHDANAU D， CHO K， BENGIO Y. Neural machine translation by jointly learning to align and translate［J］. arXiv preprint arXiv:1409.0473， 2014.
［9］	ZHU Z， HUANG G， DENG J K， et al. WebFace260M: A benchmark unveiling the power of million-scale deep face recognition［C］// Proceedings of the 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2021:10487-10497.
［10］	MELIS M， DEMONTIS A， BIGGIO B， et al. Is deep learning safe for robot vision? Adversarial examples against the iCub humanoid［C］// Proceedings of the 2017 IEEE International Conference on Computer Vision Workshops. 2017:751-759.
［11］	GOODFELLOW I J， SHLENS J， SZEGEDY C. Explaining and harnessing adversarial examples［J］. arXiv preprint arXiv:1412.6572， 2014.
［12］	VARGAS D V， SU J W. Understanding the one-pixel attack: Propagation maps and locality analysis［J］. arXiv preprint arXiv:1902.02947， 2019.
［13］	GAO J， WANG B L， LIN Z M， et al. DeepCloak: Masking deep neural network models for robustness against adversarial samples［J］. arXiv preprint arXiv:1702.06763， 2017.
［14］	LIAO F Z， LIANG M， DONG Y P， et al. Defense against adversarial attacks using high-level representation guided denoiser［C］// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2018:1778-1787.
［15］	HANNUN A， CASE C， CASPER J， et al. Deep speech: Scaling up end-to-end speech recognition［J］. arXiv preprint arXiv:1412.5567， 2014.
［16］	MNIH V， KAVUKCUOGLU K， SILVER D， et al. Human-level control through deep reinforcement learning［J］. Nature， 2015，518（7540）:529-533.
［17］	KURAKIN A， GOODFELLOW I J， BENGIO S. Adversarial examples in the physical world［M］// Artificial Intelligence Safety and Security. Chapman and Hall/CRC， 2018:99-112.
［18］	MADRY A， MAKELOV A， SCHMIDT L， et al. Towards deep learning models resistant to adversarial attacks［J］. arXiv preprint arXiv:1706.06083， 2017.
［19］	MOOSAVI-DEZFOOLI S M， FAWZI A， FROSSARD P. DeepFool: A simple and accurate method to fool deep neural networks［C］// Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. 2016:2574-2582.
［20］	CARLINI N， WAGNER D. Adversarial examples are not easily detected: Bypassing ten detection methods［C］// Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security. 2017:3-14.
［21］	胡卫，赵文龙，陈璐，等. 基于Logits向量的JSMA对抗样本攻击改进算法［J］. 信息网络安全， 2022，22（3）:62-69.
［22］	李哲铭，张恒巍，马军强，等. 基于平移随机变换的对抗样本攻击算法研究［J/OL］. 计算机工程:1-12（2022-01-20）［2022-07-23］. https://kns.cnki.net/kcms/detail/31.1289.
	TP.20220119.1505.007.html.
［23］	李帅. 基于图像隐空间的黑盒攻击方法［D］. 北京:北京邮电大学， 2021.
［24］	AGARAP A F. Deep learning using rectified linear units （ReLU）［J］. arXiv preprint arXiv:1803.08375， 2018.
［25］	IOFFE S， SZEGEDY C. Batch normalization: Accelerating deep network training by reducing internal covariate shift［C］// Proceedings of the 32nd International Conference on Machine Learning. 2015:448-456.
［26］	KRIZHEVSKY A. Learning multiple layers of features from tiny images［R］. Technical Report TR-2009， University of Toronto， 2009.
［27］	DENG J， DONG W， SOCHER R， et al. ImageNet: A large-scale hierarchical image database［C］// Proceedings of the 2009 IEEE Conference on Computer Vision and Pattern Recognition. 2009:248-255.

[1]	宋涛涛, 李艳萍, 李洪港, 韩春雪. 基于改进变结构趋近律的机械臂滑模控制系统[J]. 计算机与现代化, 2023, 0(12): 14-18.
[2]	周成诚, 曾庆军, 杨康, 胡家铭, 韩春伟. 基于高效通道注意力模块的运动想象脑电识别[J]. 计算机与现代化, 2023, 0(12): 19-23.
[3]	王宇航, 董宝良, 公超, 尚真真, 姚康宁. 基于意图识别的空中群目标动态威胁评估[J]. 计算机与现代化, 2023, 0(12): 100-104.
[4]	谷明轩, 范冰冰. 基于多模态特征融合的抑郁症识别[J]. 计算机与现代化, 2023, 0(10): 17-22.
[5]	陈俊义. 基于图节点动静态特征的健康事件预测模型[J]. 计算机与现代化, 2023, 0(10): 39-44.
[6]	李延满, 王必恒, 赵羚焱. 基于轻量化YOLOv5的安全帽检测[J]. 计算机与现代化, 2023, 0(10): 59-64.
[7]	陈子健, 段春红. 面向在线学习情境的认知情绪面部表情识别[J]. 计算机与现代化, 2023, 0(10): 92-98.
[8]	王鑫, 肖韬睿. 基于生成对抗网络的人脸识别对抗攻击[J]. 计算机与现代化, 2023, 0(10): 115-120.
[9]	刘付琪, 张达, 宋建华, 王海东. 基于CNN-BiLSTM的液压系统故障诊断[J]. 计算机与现代化, 2023, 0(09): 10-19.
[10]	吴甜, 刘海华, 童顺延. 基于深度反馈的卷积神经网络的图像分类[J]. 计算机与现代化, 2023, 0(09): 82-86.
[11]	毛明扬, 徐胜超. 面向粒子群优化BP神经网络的粗糙集连续属性离散化算法[J]. 计算机与现代化, 2023, 0(09): 115-119.
[12]	孙子雨, 任燃, 魏曦哲. 基于DTW-TCN的股票分类及预测研究[J]. 计算机与现代化, 2023, 0(08): 31-37.
[13]	曾丽丽, 汤华贝, 牛艺晓, 孟凡月. 基于LSTM堆叠残差网络的岩相识别方法[J]. 计算机与现代化, 2023, 0(08): 38-43.
[14]	江蕾, 唐建, 杨超越, 吕婷婷. 基于CWGAN-GP与CNN的轴承故障诊断方法[J]. 计算机与现代化, 2023, 0(07): 1-6.
[15]	崔少国, 张岗, 王奥迪. 基于感知注意力的深度交叉网络推荐模型[J]. 计算机与现代化, 2023, 0(07): 54-60.