基于条件对抗生成网络的对抗样本防御方法

计算机与现代化 ›› 2021, Vol. 0 ›› Issue (07): 65-70.

基于条件对抗生成网络的对抗样本防御方法

(1.中国石油大学（华东）海洋与空间信息学院,山东青岛266580;
2.中国石油大学（华东）计算机科学与技术学院,山东青岛266580)

出版日期:2021-08-02 发布日期:2021-08-02
作者简介:李世宝(1978—),男,山东潍坊人,副教授,硕士生导师,硕士,研究方向：移动计算,干扰对齐,E-mail: lishibao@upc.edu.cn; 曹大鹏(1996—),男,山东潍坊人,硕士研究生,研究方向：对抗样本,E-mail: 329042713@qq.com; 刘建航(1978—),男,辽宁锦州人,副教授,硕士生导师,博士,研究方向:车联网,无线传感器网络,E-mail: liujianhang@upc.edu.cn。
基金资助:
国家自然科学基金资助项目(61972417); 中央高校基本科研业务费专项资金资助项目（18CX02134A, 19CX05003A-4, 18CX02137A）; 山东省研究生导师指导能力提升项目（SDYY18025）

CGAN-based Adversarial Example Defense Method

(1. College of Oceanography and Space Informatics, China University of Petroleum(East China), Qingdao 266580, China;
2. College of Computer Science and Technology, China University of Petroleum(East China), Qingdao 266580, China)

Online:2021-08-02 Published:2021-08-02

摘要/Abstract

摘要： 人工智能目前在诸多领域均得到较好应用，然而通过对抗样本会使神经网络模型输出错误的分类。研究提升神经网络模型鲁棒性的同时如何兼顾算法运行效率，对于深度学习在现实中的落地使用意义重大。针对上述问题，本文提出一种基于条件对抗生成网络的对抗样本防御方法Defense-CGAN。首先使用对抗生成网络生成器根据输入噪声与标签信息生成重构图像，然后计算重构前后图像均方误差，对比选取重构图像馈送到分类器进行分类从而去除对抗性扰动，实现对抗样本防御，最后，在MNIST数据集上进行大量实验。实验结果表明本文提出的防御方法更加具备通用性，能够防御多种对抗攻击，且时间消耗低，可应用于对时间要求极其苛刻的实际场景中。

关键词: 对抗样本, 神经网络, 对抗样本防御, 条件对抗生成网络, 深度学习

Abstract: Artificial Intelligence has been well applied in many fields at present. However, the classification of neural network model output errors can be achieved by adversarial example. It is of great significance to study how to improve the robustness of the neural network model while taking into account the efficiency of the algorithm operation. To solve the above problems, this paper proposes a defense method Defense-CGAN based on conditional countermeasure generation network. Firstly, the generator of CGAN is used to generate the reconstructed image according to the input noise and label information, and then the MSE is used to extract the image features before and after the reconstruction. The reconstructed image is selected and fed to the classifier for classification, so as to remove the antagonistic perturbation and realize defense of the adversarial example. Finally, a large number of experiments are carried out on the MNIST data set. The experimental results show that the proposed defense method is more versatile, can defend against various kinds of adversarial attacks, and the time consumption is low at the same time. Therefore, this method can be applied to the real scene with extremely strict time requirement.

Key words: adversarial examples, neural network, adversarial example defense, conditional generative adversarial network, deep learning

李世宝, 曹大鹏, 刘建航. 基于条件对抗生成网络的对抗样本防御方法[J]. 计算机与现代化, 2021, 0(07): 65-70.

LI Shi-bao, CAO Da-peng, LIU Jian-hang. CGAN-based Adversarial Example Defense Method[J]. Computer and Modernization, 2021, 0(07): 65-70.

参考文献

［1］ SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks［J］. arXiv preprint arXiv:1312.6199, 2013.
［2］ KINGMA D, BA J. Adam: A method for stochastic optimization［J］. arXiv preprint arXiv:1412.6980, 2014.
［3］ PAPERNOT N, MCDANIEL P, GOODFELLOW I. Transferability in machine learning: From phenomena to black-box attacks using adversarial samples［J］. arXiv preprint arXiv:1605.07277, 2016.
［4］ GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples［J］. arXiv preprint arXiv:1412.6572, 2014.
［5］ HINTON G, VINYALS O, DEAN J. Distilling the knowledge in a neural network［J］. arXiv preprint arXiv:1503.02531, 2015.
［6］ PAPERNOT N, MCDANIEL P, WU X, et al. Distillation as a defense to adversarial perturbations against deep neural networks［C］// 2016 IEEE Symposium on Security and Privacy (SP). 2016:582-597.
［7］杨浚宇. 基于迭代自编码器的深度学习对抗样本防御方案［J］. 信息安全学报, 2019,4(6):34-44.
［8］ GONG Z T, WANG W L, KU W S. Adversarial and clean data are not twins［J］. arXiv preprint arXiv:1704.04960, 2017.
［9］ HENDRYCKS D, GIMPEL K. Early methods for detecting adversarial images［J］. arXiv preprint arXiv:1608.00530, 2016.
［10］WEI W Q, LIU L, LOPER M, et al. Cross-layer strategic ensemble defense against adversarial examples［C］// 2020 International Conference on Computing, Networking and Communications (ICNC). 2020:456-460.
［11］CHOW K H, WEI W Q, WU Y Z, et al. Denoising and verification cross-layer ensemble against black-box adversarial attacks［C］// 2019 IEEE International Conference on Big Data. 2019:1282-1291.
［12］SAMANGOUEI P, KABKAB M, CHELLAPPA R. Defense-GAN: Protecting classifiers against adversarial attacks using generative models［J］. arXiv preprint arXiv:1805.06605, 2018.
［13］TRAMR F, KURAKIN A, PAPERNOT N, et al. Ensemble adversarial training: Attacks and defenses［J］. arXiv preprint arXiv:1705.07204, 2017.
［14］TANAY T, GRIFFIN L. A boundary tilting persepective on the phenomenon of adversarial examples［J］. arXiv preprint arXiv:1608.07690, 2016.
［15］GOODFELLOW I J, POUGET-ABADIE J, MIRZA M, et al. Generative adversarial nets［C］// Proceedings of the 27th International Conference on Neural Information Processing Systems. 2014:2672-2680.
［16］MIRZA M, OSINDERO S. Conditional generative adversarial nets［J］. arXiv preprint arXiv:1411.1784, 2014.
［17］LIU L, WEI W Q, CHOW K H, et al. Deep neural network ensembles against deception: Ensemble diversity, accuracy and robustness［C］// Proceedings of the 2019 IEEE 16th International Conference on Mobile Ad Hoc and Sensor Systems (MASS). 2019:274-282.
［18］JANDIAL S, MANGLA P, VARSHNEY S, et al. AdvGAN++: Harnessing latent layers for adversary generation［C］// 2019 IEEE/CVF International Conference on Computer Vision Workshop (ICCVW). 2019:2045-2048.
［19］CARLINI N, WAGNER D. Towards evaluating the robustness of neural networks［C］// 2017 IEEE Symposium on Security and Privacy. 2017:39-57.
［20］TAORI R, KAMSETTY A, CHU B, et al. Targeted adversarial examples for black box audio systems［C］// 2019 IEEE Security and Privacy Workshops. 2019:15-20.
［21］PAPERNOT N, MCDANIEL P, GOODFELLOW I, et al. Practical black-box attacks against machine learning［C］// Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. 2017:506-519.
［22］SZELISKI R. Computer Vision: Algorithms and Applications［M］. Springer Science & Business Media, 2010.
［23］LECUN Y, BOTTOU L, BENGIO Y, et al. Gradient-based learning applied to document recognition［J］. Proceedings of the IEEE, 1998,86(11):2278-2324.

[1]	何思达, 陈平华. 基于意图的轻量级自注意力序列推荐模型[J]. 计算机与现代化, 2024, 0(12): 1-9.
[2]	张晓东1, 白广芝1, 李敏1, 李昊洋2. 基于经验小波变换的油气井产量预测模型 [J]. 计算机与现代化, 2024, 0(12): 53-58.
[3]	刘宝宝, 杨菁菁, 陶露, 王贺应. 基于注意力的DSMSC的遥感图像场景分类[J]. 计算机与现代化, 2024, 0(12): 72-77.
[4]	陈亮, 李诚, 易伟, 熊伟, 汪晓帆, 唐海东. 基于毫米波雷达与视觉融合的电力现场安全帽佩戴检测[J]. 计算机与现代化, 2024, 0(12): 100-107.
[5]	祁贤, 刘大铭, 常佳鑫. 基于改进自注意力机制的多视图三维重建[J]. 计算机与现代化, 2024, 0(11): 106-112.
[6]	陈凯1, 李宜汀1, 2, 全华凤1 . 基于改进YOLOv8的河道废弃瓶检测方法[J]. 计算机与现代化, 2024, 0(11): 113-120.
[7]	杨骏1, 胡为1, 朱文福2. 基于改进MobileNetV3的视觉SLAM回环检测算法[J]. 计算机与现代化, 2024, 0(10): 21-26.
[8]	王莹莹, 郝潇. 基于Res2Net和递归门控卷积的细粒度图像分类[J]. 计算机与现代化, 2024, 0(10): 74-79.
[9]	史星宇1, 李强2, 庄莉3, 梁懿3, 王秋琳3, 陈锴3, 伍臣周3, 常胜1. 一种面向工业部署的目标检测模型蒸馏技术[J]. 计算机与现代化, 2024, 0(10): 93-99.
[10]	马钰, 杨勇, 任鸽, 帕力旦·吐尔逊. 基于GCN和微调BERT的作文自动评分方法[J]. 计算机与现代化, 2024, 0(09): 33-37.
[11]	陈雪松1, 李衡1, 王浩畅2. 结合注意力机制和Mengzi模型的短文本分类[J]. 计算机与现代化, 2024, 0(09): 101-106.
[12]	张泽1, 张建权2, 3, 周国鹏2, 3. 基于改进YOLOv8s的摄像头模组缺陷检测[J]. 计算机与现代化, 2024, 0(09): 107-113.
[13]	程亚子1, 雷亮1, 2, 陈瀚1, 赵毅然1. 基于转置注意力的多尺度深度融合单目深度估计[J]. 计算机与现代化, 2024, 0(09): 121-126.
[14]	程萌, 李浩. 改进YOLOv5s的落叶树鸟巢检测方法[J]. 计算机与现代化, 2024, 0(08): 24-29.
[15]	王梦溪, 李峻. 老年人跌倒检测技术研究综述[J]. 计算机与现代化, 2024, 0(08): 30-36.