利用GAN和特征金字塔的模型鲁棒性优化方法

doi:10.3778/j.issn.1673-9418.2106063

摘要/Abstract

摘要： 人工智能对抗环境下，深度神经网络对于对抗样本有明显的脆弱性，为提高对抗环境下的模型鲁棒性提出一种深度神经网络模型鲁棒性优化方法AdvRob。首先将目标模型改造为特征金字塔结构，然后利用潜在特征先验知识生成攻击力更强的对抗样本进行对抗训练。在MNIST和CIFAR-10数据集上进行的实验表明，利用潜在特征生成的对抗样本相较于AdvGAN方法攻击成功率高，更具多样性且可迁移性强；在高扰动下，MNIST数据集上AdvRob模型相比原模型对FGSM和JSMA攻击的防御能力提升了至少4倍，对PGD、BIM、C&W攻击的防御能力提升了至少10倍；CIFAR-10数据集上AdvRob模型对FGSM、PGD、C&W、BIM和JSMA攻击的防御能力相较于原模型提升了至少5倍，防御效果明显。在SVHN数据集上，与FGSM对抗训练、PGD对抗训练、防御性蒸馏和增加外部模块的模型鲁棒性优化方法相比，AdvRob方法对白盒攻击的防御效果最显著。为对抗环境下DNN模型提供了一个高效的鲁棒性优化方法。

关键词: 生成对抗网络（GAN）, 深度神经网络, 对抗样本, 特征金字塔, 模型鲁棒性

Abstract: Under the artificial intelligence adversarial environment, deep neural networks have an obvious vulnerability to adversarial samples. To improve the robustness of the model in the adversarial environment, a deep neural network model robustness optimization method AdvRob is proposed. Firstly, the target model is transformed into a feature pyramid structure, and then the prior knowledge of latent features is used to generate more aggressive adversarial samples for adversarial training. Experiments on the MNIST and CIFAR-10 datasets show that the adversarial samples generated by using latent features have a higher attack success rate, more diversity and stronger transferability than the AdvGAN method. Under high disturbances, on the MNIST dataset, compared with original model, the defensive ability of the AdvRob method against FGSM and JSMA attacks has been improved by at least 4 times, and the defensive ability against PGD, BIM, and C&W attacks has been improved by at least 10 times. Compared with original model, the defensive ability against FGSM, PGD, C&W, BIM and JSMA attacks is improved by at least 5 times, and the defensive effect is obvious on the CIFAR-10 dataset. On the SVHN dataset, compared with FGSM adversarial training, PGD adversarial training, defensive distillation, and model robustness optimization methods adding external modules, the AdvRob method has the most significant defensive effect against white-box attacks. It provides an efficient and robust optimization method for the DNN model in the adversarial environment.

Key words: generative adversarial network (GAN), deep neural networks, adversarial sample, feature pyramid, model robustness

孙家泽, 唐彦梅, 王曙燕. 利用GAN和特征金字塔的模型鲁棒性优化方法[J]. 计算机科学与探索, 2023, 17(5): 1139-1146.

SUN Jiaze+, TANG Yanmei, WANG Shuyan. Model Robustness Optimization Method Using GAN and Feature Pyramid[J]. Journal of Frontiers of Computer Science and Technology, 2023, 17(5): 1139-1146.

参考文献

[1] CORNEANU C A, MADADI M, ESCALERA S, et al. What does it mean to learn in deep networks? And, how does one detect adversarial attacks?[C]//Proceedings of the 2019 IEEE/ CVF Conference on Computer Vision and Pattern Recognition, Long Beach, Jun 15-16, 2019. Piscataway: IEEE, 2019: 4757-4766.
[2] 张庆林, 杜嘉晨, 徐睿峰. 基于对抗学习的讽刺识别研究[J]. 北京大学学报 (自然科学版), 2019, 55(1): 29-36.
ZAHNG Q L, DU J C, XU R F. Sarcasm detection based on adversarial learning[J]. Acta Scientiarum Naturalium Universitatis Pekinensis, 2019, 55(1): 29-36.
[3] PAPERNOT N, MCDANIEL P, GOODFELLOW I, et al. Practical black-box attacks against deep learning systems using adversarial examples[J]. arXiv:1602.02697, 2016.
[4] XIE C H, ZHANG Z S, ZHOU Y Y, et al. Improving trans-ferability of adversarial examples with input diversity[C]//Proceedings of the 2019 IEEE Conference on Computer Vision and Pattern Recognition, Long Beach, Jun 16-20, 2019. Piscataway: IEEE, 2019: 2730-2739.
[5] 易平, 王科迪, 黄程, 等. 人工智能对抗攻击研究综述[J]. 上海交通大学学报, 2018, 52(10): 1298-1306.
YI P, WANG K D, HUANG C, et al. Adversarial attacks in artificial intelligence: a survey[J]. Journal of Shanghai Jiao Tong University, 2018, 52(10): 1298-1306.
[6] GOODFELLOW I, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[J]. arXiv:1412.6572,2014.
[7] XIE C H, WU Y X, VAN DER MAATEN L, et al. Feature denoising for improving adversarial robustness[C]//Proceedings of the 2019 IEEE Conference on Computer Vision and Pattern Recognition, Long Beach, Jun 16-20, 2019. Piscataway: IEEE, 2019: 501-509.
[8] GOODFELLOW I J, POUGET-ABADIE J, MIRZA M, et al. Generative adversarial nets[C]//Proceedings of the Annual Conference on Neural Information Processing Systems 2014, Montreal, Dec 8-13, 2014. Red Hook: Curran Associates, 2014: 2672-2680.
[9] XIAO C W, LI B, ZHU J Y, et al. Generating adversarial examples with adversarial networks[C]//Proceedings of the 27th International Joint Conference on Artificial Intelligence, Stockholm, Jul 13-19, 2018. Menlo Park: AAAI, 2018: 3905-3911.
[10] 王曙燕, 金航, 孙家泽. GAN图像对抗样本生成方法[J]. 计算机科学与探索, 2021, 15(4): 702-711.
WANG S Y, JIN H, SUN J Z. Method for image adversarial samples generating based on GAN[J]. Journal of Frontiers of Computer Science and Technology, 2021, 15(4): 702-711.
[11] PAPERNOT N, MCDANIEL P, WU X, et al. Distillation as a defense to adversarial perturbations against deep neural networks[C]//Proceedings of the 2016 IEEE Symposium on Security and Privacy, San Jose, May 22-26, 2016. Washington: IEEE Computer Society, 2016: 582-597.
[12] CARLINI N, WAGNER D. Towards evaluating the robustness of neural networks[C]//Proceedings of the 2017 IEEE Symposium on Security and Privacy, San Jose, May 22-24, 2017. Washington: IEEE Computer Society, 2017: 39-57.
[13] AKHTAR N, LIU J, MIAN A. Defense against universal adversarial perturbations[C]//Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition,Salt Lake City, Jun 18-23, 2018. Washington: IEEE Computer Society, 2018: 3389-3398.
[14] MOOSAVI-DEZFOOLI S M, FAWZI A, FAWZI O, et al. Universal adversarial perturbations[C]//Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, Jul 21-26, 2017. Washington: IEEE Computer Society, 2017: 86-94.
[15] KUMARI N, SINGH M, SINHA A, et al. Harnessing the vulnerability of latent layers in adversarially trained models[C]//Proceedings of the 28th International Joint Conference on Artificial Intelligence, Macao, China, Aug 10-16, 2019: 2779-2785.
[16] LIN T Y, DOLLáR P, GIRSHICK R B, et al. Feature pyramid networks for object detection[C]//Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, Jul 21-26, 2017. Washington: IEEE Computer Society, 2017: 936-944.
[17] KURAKIN A, GOODFELLOW I, BENGIO S. Adversarial examples in the physical world[J]. arXiv:1607.02533, 2016.
[18] PAPERNOT N, MCDANIEL P, JHA S, et al. The limitations of deep learning in adversarial settings[C]//Proceedings of the 2016 IEEE European Symposium on Security and Privacy, Saarbrücken, Mar 21-24, 2016. Piscataway: IEEE, 2016: 372-387.