基于条件对抗生成网络的对抗样本防御方法

计算机与现代化 ›› 2021, Vol. 0 ›› Issue (07): 65-70.

基于条件对抗生成网络的对抗样本防御方法

(1.中国石油大学（华东）海洋与空间信息学院,山东青岛266580;
2.中国石油大学（华东）计算机科学与技术学院,山东青岛266580)

出版日期:2021-08-02 发布日期:2021-08-02
作者简介:李世宝(1978—),男,山东潍坊人,副教授,硕士生导师,硕士,研究方向：移动计算,干扰对齐,E-mail: lishibao@upc.edu.cn; 曹大鹏(1996—),男,山东潍坊人,硕士研究生,研究方向：对抗样本,E-mail: 329042713@qq.com; 刘建航(1978—),男,辽宁锦州人,副教授,硕士生导师,博士,研究方向:车联网,无线传感器网络,E-mail: liujianhang@upc.edu.cn。
基金资助:
国家自然科学基金资助项目(61972417); 中央高校基本科研业务费专项资金资助项目（18CX02134A, 19CX05003A-4, 18CX02137A）; 山东省研究生导师指导能力提升项目（SDYY18025）

CGAN-based Adversarial Example Defense Method

(1. College of Oceanography and Space Informatics, China University of Petroleum(East China), Qingdao 266580, China;
2. College of Computer Science and Technology, China University of Petroleum(East China), Qingdao 266580, China)

Online:2021-08-02 Published:2021-08-02

摘要/Abstract

摘要： 人工智能目前在诸多领域均得到较好应用，然而通过对抗样本会使神经网络模型输出错误的分类。研究提升神经网络模型鲁棒性的同时如何兼顾算法运行效率，对于深度学习在现实中的落地使用意义重大。针对上述问题，本文提出一种基于条件对抗生成网络的对抗样本防御方法Defense-CGAN。首先使用对抗生成网络生成器根据输入噪声与标签信息生成重构图像，然后计算重构前后图像均方误差，对比选取重构图像馈送到分类器进行分类从而去除对抗性扰动，实现对抗样本防御，最后，在MNIST数据集上进行大量实验。实验结果表明本文提出的防御方法更加具备通用性，能够防御多种对抗攻击，且时间消耗低，可应用于对时间要求极其苛刻的实际场景中。

关键词: 对抗样本, 神经网络, 对抗样本防御, 条件对抗生成网络, 深度学习

Abstract: Artificial Intelligence has been well applied in many fields at present. However, the classification of neural network model output errors can be achieved by adversarial example. It is of great significance to study how to improve the robustness of the neural network model while taking into account the efficiency of the algorithm operation. To solve the above problems, this paper proposes a defense method Defense-CGAN based on conditional countermeasure generation network. Firstly, the generator of CGAN is used to generate the reconstructed image according to the input noise and label information, and then the MSE is used to extract the image features before and after the reconstruction. The reconstructed image is selected and fed to the classifier for classification, so as to remove the antagonistic perturbation and realize defense of the adversarial example. Finally, a large number of experiments are carried out on the MNIST data set. The experimental results show that the proposed defense method is more versatile, can defend against various kinds of adversarial attacks, and the time consumption is low at the same time. Therefore, this method can be applied to the real scene with extremely strict time requirement.

Key words: adversarial examples, neural network, adversarial example defense, conditional generative adversarial network, deep learning

李世宝, 曹大鹏, 刘建航. 基于条件对抗生成网络的对抗样本防御方法[J]. 计算机与现代化, 2021, 0(07): 65-70.

LI Shi-bao, CAO Da-peng, LIU Jian-hang. CGAN-based Adversarial Example Defense Method[J]. Computer and Modernization, 2021, 0(07): 65-70.

参考文献［23］

［1］	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks［J］. arXiv preprint arXiv:1312.6199, 2013.
［2］	KINGMA D, BA J. Adam: A method for stochastic optimization［J］. arXiv preprint arXiv:1412.6980, 2014.
［3］	PAPERNOT N, MCDANIEL P, GOODFELLOW I. Transferability in machine learning: From phenomena to black-box attacks using adversarial samples［J］. arXiv preprint arXiv:1605.07277, 2016.
［4］	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples［J］. arXiv preprint arXiv:1412.6572, 2014.
［5］	HINTON G, VINYALS O, DEAN J. Distilling the knowledge in a neural network［J］. arXiv preprint arXiv:1503.02531, 2015.
［6］	PAPERNOT N, MCDANIEL P, WU X, et al. Distillation as a defense to adversarial perturbations against deep neural networks［C］// 2016 IEEE Symposium on Security and Privacy (SP). 2016:582-597.
［7］	杨浚宇. 基于迭代自编码器的深度学习对抗样本防御方案［J］. 信息安全学报, 2019,4(6):34-44.
［8］	GONG Z T, WANG W L, KU W S. Adversarial and clean data are not twins［J］. arXiv preprint arXiv:1704.04960, 2017.
［9］	HENDRYCKS D, GIMPEL K. Early methods for detecting adversarial images［J］. arXiv preprint arXiv:1608.00530, 2016.
［10］	WEI W Q, LIU L, LOPER M, et al. Cross-layer strategic ensemble defense against adversarial examples［C］// 2020 International Conference on Computing, Networking and Communications (ICNC). 2020:456-460.
［11］	CHOW K H, WEI W Q, WU Y Z, et al. Denoising and verification cross-layer ensemble against black-box adversarial attacks［C］// 2019 IEEE International Conference on Big Data. 2019:1282-1291.
［12］	SAMANGOUEI P, KABKAB M, CHELLAPPA R. Defense-GAN: Protecting classifiers against adversarial attacks using generative models［J］. arXiv preprint arXiv:1805.06605, 2018.
［13］	TRAMR F, KURAKIN A, PAPERNOT N, et al. Ensemble adversarial training: Attacks and defenses［J］. arXiv preprint arXiv:1705.07204, 2017.
［14］	TANAY T, GRIFFIN L. A boundary tilting persepective on the phenomenon of adversarial examples［J］. arXiv preprint arXiv:1608.07690, 2016.
［15］	GOODFELLOW I J, POUGET-ABADIE J, MIRZA M, et al. Generative adversarial nets［C］// Proceedings of the 27th International Conference on Neural Information Processing Systems. 2014:2672-2680.
［16］	MIRZA M, OSINDERO S. Conditional generative adversarial nets［J］. arXiv preprint arXiv:1411.1784, 2014.
［17］	LIU L, WEI W Q, CHOW K H, et al. Deep neural network ensembles against deception: Ensemble diversity, accuracy and robustness［C］// Proceedings of the 2019 IEEE 16th International Conference on Mobile Ad Hoc and Sensor Systems (MASS). 2019:274-282.
［18］	JANDIAL S, MANGLA P, VARSHNEY S, et al. AdvGAN++: Harnessing latent layers for adversary generation［C］// 2019 IEEE/CVF International Conference on Computer Vision Workshop (ICCVW). 2019:2045-2048.
［19］	CARLINI N, WAGNER D. Towards evaluating the robustness of neural networks［C］// 2017 IEEE Symposium on Security and Privacy. 2017:39-57.
［20］	TAORI R, KAMSETTY A, CHU B, et al. Targeted adversarial examples for black box audio systems［C］// 2019 IEEE Security and Privacy Workshops. 2019:15-20.
［21］	PAPERNOT N, MCDANIEL P, GOODFELLOW I, et al. Practical black-box attacks against machine learning［C］// Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. 2017:506-519.
［22］	SZELISKI R. Computer Vision: Algorithms and Applications［M］. Springer Science & Business Media, 2010.
［23］	LECUN Y, BOTTOU L, BENGIO Y, et al. Gradient-based learning applied to document recognition［J］. Proceedings of the IEEE, 1998,86(11):2278-2324.

[1]	胡崇佳, 刘金洲, 方立. 基于无监督域适应的室外点云语义分割[J]. 计算机与现代化, 2024, 0(01): 74-79.
[2]	林威. 基于自监督学习和数据回放的新闻推荐模型增量学习方法[J]. 计算机与现代化, 2023, 0(12): 1-6.
[3]	宋涛涛, 李艳萍, 李洪港, 韩春雪. 基于改进变结构趋近律的机械臂滑模控制系统[J]. 计算机与现代化, 2023, 0(12): 14-18.
[4]	周成诚, 曾庆军, 杨康, 胡家铭, 韩春伟. 基于高效通道注意力模块的运动想象脑电识别[J]. 计算机与现代化, 2023, 0(12): 19-23.
[5]	梁天恺, 黄康华, 刘凯航, 兰岚, 曾碧. 基于双向同态加密的深度联邦图片分类方法[J]. 计算机与现代化, 2023, 0(12): 36-40.
[6]	邱凯星, 冯广. 基于双重特征注意力的多标签图像分类模型[J]. 计算机与现代化, 2023, 0(12): 41-47.
[7]	张伯泉, 麦海鹏, 陈嘉敏, 逄锦聚. 基于高灰度值注意力机制的脑白质高信号分割[J]. 计算机与现代化, 2023, 0(12): 67-75.
[8]	王宇航, 董宝良, 公超, 尚真真, 姚康宁. 基于意图识别的空中群目标动态威胁评估[J]. 计算机与现代化, 2023, 0(12): 100-104.
[9]	马泽宇, 叶宁, 徐康, 王甦, 王汝传, . 基于FMCW雷达和ResNeSt-GRU的行为识别方法[J]. 计算机与现代化, 2023, 0(11): 101-107.
[10]	谷明轩, 范冰冰. 基于多模态特征融合的抑郁症识别[J]. 计算机与现代化, 2023, 0(10): 17-22.
[11]	陈俊义. 基于图节点动静态特征的健康事件预测模型[J]. 计算机与现代化, 2023, 0(10): 39-44.
[12]	李延满, 王必恒, 赵羚焱. 基于轻量化YOLOv5的安全帽检测[J]. 计算机与现代化, 2023, 0(10): 59-64.
[13]	黎世达, 项剑文. 一种提高图像识别模型鲁棒性的弱化强化方法[J]. 计算机与现代化, 2023, 0(10): 70-76.
[14]	陈子健, 段春红. 面向在线学习情境的认知情绪面部表情识别[J]. 计算机与现代化, 2023, 0(10): 92-98.
[15]	王鑫, 肖韬睿. 基于生成对抗网络的人脸识别对抗攻击[J]. 计算机与现代化, 2023, 0(10): 115-120.