Abstract: To address the issue that existing deep neural network (DNN) adversarial defense methods improve defense effectiveness at the cost of classification accuracy on clean samples, an adversarial defense method based on random multi-distribution noise and multi-objective gradients (RN-Defense) is proposed. The core idea of the proposed method is to introduce trainable multi-distribution noise at each layer of the model, where the intensity and distribution of the noise can be dynamically adjusted based on gradient information, thereby enhancing the model's adaptability to diverse inputs. Additionally, the method incorporates multi-objective gradient adversarial training, which applies low-order grayscale perturbations to each pixel along the gradient direction to generate adversarial samples for adversarial training. Experimental results show that on the Canadian Institute for Advanced Research-10 (CIFAR-10) and Modified National Institute of Standards and Technology (MNIST) datasets, compared with projected gradient descent (PGD) adversarial training, the RN-Defense method improves classification accuracy under PGD attacks by 6.4% and 7.7%, respectively, while classification accuracy on clean samples increases by 6.4% and 6.9%, respectively. The method thus effectively enhances the model's defense against adversarial samples while maintaining classification accuracy on clean samples.
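The abstract's first component is a per-layer, trainable multi-distribution noise injector whose strengths are adjusted by gradient information. The following is a minimal numpy sketch of that idea only; the choice of Gaussian plus uniform components, the parameter names, and the plain gradient-descent update rule are assumptions for illustration, not the paper's exact formulation.

```python
import numpy as np

class RandomMultiNoiseLayer:
    """Sketch of a per-layer trainable multi-distribution noise injector.

    Each forward pass adds noise drawn from several distributions (here
    Gaussian and uniform), with per-distribution strengths that would be
    updated by gradient descent during training.
    """

    def __init__(self, rng=None):
        self.rng = rng if rng is not None else np.random.default_rng(0)
        # Trainable mixing strengths, one per noise distribution (assumed init).
        self.sigma_gauss = 0.1
        self.sigma_unif = 0.1

    def forward(self, x):
        g = self.rng.standard_normal(x.shape)          # N(0, 1) component
        u = self.rng.uniform(-1.0, 1.0, size=x.shape)  # U(-1, 1) component
        return x + self.sigma_gauss * g + self.sigma_unif * u

    def adjust(self, grad_sigma_gauss, grad_sigma_unif, lr=0.01):
        # Gradient-based adjustment of the noise strengths, mirroring the
        # abstract's "dynamically adjusted based on gradient information".
        self.sigma_gauss -= lr * grad_sigma_gauss
        self.sigma_unif -= lr * grad_sigma_unif

layer = RandomMultiNoiseLayer()
x = np.zeros((2, 3))
y = layer.forward(x)
print(y.shape)  # (2, 3) — noisy activations, same shape as the input
```

In a full model this layer would sit after each hidden layer, and the strength gradients would come from backpropagating the training loss through the additive noise term.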
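The abstract's second component generates adversarial samples by perturbing each pixel a few gray levels along the gradient direction. Below is a minimal numpy sketch of that idea; the FGSM-style sign step and the two-gray-level magnitude are assumptions for illustration, not the paper's exact multi-objective formulation.

```python
import numpy as np

def low_order_gray_perturbation(image, grad, levels=2):
    """Shift each pixel by a few gray levels (levels/255) along the sign
    of the loss gradient, then clip back to the valid [0, 1] range."""
    step = levels / 255.0
    return np.clip(image + step * np.sign(grad), 0.0, 1.0)

img = np.full((2, 2), 0.5)                   # toy grayscale image in [0, 1]
grad = np.array([[1.0, -2.0], [0.0, 3.0]])   # stand-in loss gradient
adv = low_order_gray_perturbation(img, grad, levels=2)
print(adv.shape)  # (2, 2)
```

Restricting the step to a small integer number of gray levels keeps the perturbation low-order (visually subtle) while still moving each pixel in the loss-increasing direction, so the resulting samples can be fed back for adversarial training.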
Basic information:
DOI: 10.13682/j.issn.2095-6533.2026.01.012
CLC number: TP183
Citation:
[1] SUN J Z, YU H Y. Adversarial defense method based on random multi-distribution noise and multi-objective gradients[J]. Journal of Xi'an University of Posts and Telecommunications, 2026, 31(01): 112-119. DOI: 10.13682/j.issn.2095-6533.2026.01.012.
Funding:
National Natural Science Foundation of China (62272387)