Journal of Computer Applications (《计算机应用》) official website ›› 2022, Vol. 42 ›› Issue (3): 921-929. DOI: 10.11772/j.issn.1001-9081.2021030431

• Cyberspace Security •

Adversarial attack defense model fusing a residual dense block self-attention mechanism and a generative adversarial network

Yuming ZHAO, Shenkai GU

  1. School of Computer Science and Technology, Nanjing Tech University, Nanjing 211816
  • Received: 2021-03-22 Revised: 2021-07-27 Accepted: 2021-07-29 Online: 2022-04-09 Published: 2022-03-10
  • Corresponding author: Shenkai GU
  • About the author: ZHAO Yuming (born 1996), male, from Yancheng, Jiangsu; M.S. candidate; main research interests: deep learning, adversarial attack defense.
  • Supported by:
    Natural Science Foundation of Jiangsu Province (BK20180696)

Adversarial attack defense model with residual dense block self-attention mechanism and generative adversarial network

Yuming ZHAO, Shenkai GU

  1. School of Computer Science and Technology, Nanjing Tech University, Nanjing Jiangsu 211186, China
  • Received: 2021-03-22 Revised: 2021-07-27 Accepted: 2021-07-29 Online: 2022-04-09 Published: 2022-03-10
  • Contact: Shenkai GU
  • About author: ZHAO Yuming, born in 1996, M.S. candidate. His research interests include deep learning, defense of adversarial attacks.
  • Supported by:
    Natural Science Foundation of Jiangsu Province (BK20180696)

Abstract (Chinese version):

Neural networks perform excellently on image classification tasks, but they are highly susceptible to adversarial examples created by adding tiny perturbations and then output incorrect classification results; current defense methods also suffer from insufficient image feature extraction ability and pay little attention to the features of key image regions. To address these problems, an attack defense model fusing a Residual Dense Block (RDB) self-attention mechanism and a Generative Adversarial Network (GAN), RD-SA-DefGAN, is proposed. The model combines a GAN with the Projected Gradient Descent (PGD) attack algorithm: the adversarial examples generated by the PGD attack algorithm are absorbed into the training samples to expand the training set, and conditional constraints are added to stabilize the training process of the model. The model adds residual dense blocks and a self-attention mechanism, which extract features fully while increasing the contribution of key-region features to the classification task. Experimental results on the CIFAR10, STL10 and ImageNet20 datasets show that RD-SA-DefGAN defends effectively against adversarial attacks and outperforms defense methods such as Adv.Training, Adv-BNN and Rob-GAN in resisting PGD adversarial attacks. Compared with Rob-GAN, the method closest in structure, RD-SA-DefGAN improves the defense success rate on the CIFAR10 dataset by 5.0 to 9.1 percentage points at perturbation thresholds of 0.015 to 0.070.

Key words: generative adversarial network, adversarial attack, residual dense block, self-attention mechanism, defense model

Abstract:

Neural networks have outstanding performance on image classification tasks. However, they are vulnerable to adversarial examples generated by adding small perturbations, which make them output incorrect classification results. Current defense methods have the problems of insufficient image feature extraction ability and too little attention to the features of key areas of the image. To address these issues, a Defense model that fuses a Residual Dense Block (RDB) Self-Attention mechanism and a Generative Adversarial Network (GAN), namely RD-SA-DefGAN, was proposed. The GAN was combined with the Projected Gradient Descent (PGD) attacking algorithm: the adversarial samples generated by the PGD attacking algorithm were added to the training sample set, and the training process of the model was stabilized by conditional constraints. The model also introduced RDB and a self-attention mechanism, fully extracted features from the image, and enhanced the contribution of features from the key areas of the image. Experimental results on the CIFAR10, STL10, and ImageNet20 datasets show that RD-SA-DefGAN can effectively defend against adversarial attacks, and outperforms the Adv.Training, Adv-BNN, and Rob-GAN methods in defending against PGD adversarial attacks. Compared to the most similar algorithm, Rob-GAN, RD-SA-DefGAN improved the defense success rate by 5.0 to 9.1 percentage points on affected images in the CIFAR10 dataset, with the disturbance threshold ranging from 0.015 to 0.070.

Key words: Generative Adversarial Network (GAN), adversarial attack, Residual Dense Block (RDB), self-attention mechanism, defense model
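The abstract's core defensive mechanism is training-set expansion: generate PGD adversarial examples against the current model, add them (with their true labels) to the training set, and train again, measuring the "defense success rate" as the fraction of PGD examples the final model still classifies correctly. The following is an added, self-contained example that is not the paper's code and does not reproduce RD-SA-DefGAN: a pure-Python logistic-regression classifier stands in for the GAN-based model, the L-infinity PGD attack and the budget `EPS = 0.1` are the textbook formulation rather than the paper's exact settings, and the dataset (two class prototypes in [-1, 1]^d with one large-margin "robust" feature and `N_FRAGILE` small-margin "fragile" features) is constructed for the demo. On this data a standard classifier spreads its weight over the many fragile features, which an eps-bounded perturbation can flip, whereas the model retrained on the expanded set relies on the robust feature and keeps its prediction under the same attack.

```python
# Added example (not the paper's code): PGD adversarial examples used to expand
# a training set, with "defense success rate" measured before and after.
# Model, data, feature counts and eps are constructed for illustration.
import math

EPS = 0.1            # L-inf perturbation budget (constructed value)
N_FRAGILE = 60       # number of weakly informative "fragile" features (constructed)


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def make_dataset():
    """Two class prototypes in [-1, 1]^d (constructed): one robust feature with
    margin 0.4 and N_FRAGILE fragile features with margin 0.05 each. The labels
    are +1 for the prototype and -1 for its mirror image."""
    proto = [0.4] + [0.05] * N_FRAGILE
    return [proto, [-v for v in proto]], [+1, -1]


def train(samples, labels, epochs=2000, lr=0.5):
    """Full-batch gradient descent on the logistic loss; returns (w, b)."""
    n = len(samples[0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for x, y in zip(samples, labels):
            s = sigmoid(-y * (dot(w, x) + b))   # |d loss / d margin|
            for i in range(n):
                gw[i] -= y * s * x[i]
            gb -= y * s
        m = len(samples)
        w = [wi - lr * g / m for wi, g in zip(w, gw)]
        b -= lr * gb / m
    return w, b


def predict(model, x):
    w, b = model
    return 1 if dot(w, x) + b > 0 else -1


def pgd(model, x, y, eps=EPS, steps=10, lo=-1.0, hi=1.0):
    """Projected gradient descent: ascend the loss in the L-inf ball of radius
    eps around x, projecting back onto the ball and the valid input range
    after every step."""
    w, b = model
    alpha = 2.5 * eps / steps
    x_adv = list(x)
    for _ in range(steps):
        s = sigmoid(-y * (dot(w, x_adv) + b))
        for i in range(len(x)):
            g = -y * s * w[i]                         # d loss / d x_i
            direction = (g > 0) - (g < 0)             # sign of the gradient
            v = x_adv[i] + alpha * direction
            v = min(max(v, x[i] - eps), x[i] + eps)   # project onto eps-ball
            x_adv[i] = min(max(v, lo), hi)            # stay inside input range
    return x_adv


def accuracy(model, samples, labels):
    return sum(predict(model, x) == y for x, y in zip(samples, labels)) / len(samples)


def defense_success_rate(model, samples, labels, eps=EPS):
    """Fraction of inputs whose PGD adversarial example is still classified
    correctly, i.e. the metric the abstract reports."""
    adv = [pgd(model, x, y, eps) for x, y in zip(samples, labels)]
    return accuracy(model, adv, labels)


def adversarial_training(samples, labels, eps=EPS):
    """The abstract's training-set expansion: train, generate PGD examples
    against the trained model, add them with their true labels, retrain."""
    standard = train(samples, labels)
    adv = [pgd(standard, x, y, eps) for x, y in zip(samples, labels)]
    defended = train(samples + adv, labels + labels)
    return standard, defended


def run_demo():
    samples, labels = make_dataset()
    standard, defended = adversarial_training(samples, labels)
    return {
        "standard_clean": accuracy(standard, samples, labels),
        "standard_robust": defense_success_rate(standard, samples, labels),
        "defended_clean": accuracy(defended, samples, labels),
        "defended_robust": defense_success_rate(defended, samples, labels),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.2f}")
```

Running the block prints a clean accuracy of 1.00 for both models, a defense success rate of 0.00 for the standard model (every fragile feature is pushed by eps in the wrong direction, which outweighs the robust feature) and 1.00 for the model trained on the expanded set. With the constructed data both models stay linear, so the effect is purely a change in which features carry the weight; the paper's RDB and self-attention components, which the abstract credits with better feature extraction and attention to key image regions, are outside what this toy reproduces.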

CLC number: