Journal of Computer Applications ›› 2024, Vol. 44 ›› Issue (1): 94-100. DOI: 10.11772/j.issn.1001-9081.2023060854
• Artificial intelligence •
Tong CHEN, Jiwei WEI, Shiyuan HE, Jingkuan SONG, Yang YANG
Received: 2023-07-01
Revised: 2023-08-24
Accepted: 2023-08-28
Online: 2023-09-14
Published: 2024-01-10
Contact: Jiwei WEI
About author: CHEN Tong, born in 2000, male, native of Yancheng, Jiangsu, M. S. candidate. His research interests include deep learning, adversarial attack and defense.
Supported by:
CLC Number:
Tong CHEN, Jiwei WEI, Shiyuan HE, Jingkuan SONG, Yang YANG. Adversarial training method with adaptive attack strength[J]. Journal of Computer Applications, 2024, 44(1): 94-100.
URL: http://www.joca.cn/EN/10.11772/j.issn.1001-9081.2023060854
Accuracy on clean samples and adversarial robust accuracy under different attacks (%)
Dataset | Method | Clean | PGD-10 | PGD-20 | PGD-50 | C&W | AA |
---|---|---|---|---|---|---|---|
CIFAR-10 | PGD-AT | 85.17 | 56.07 | 55.08 | 54.88 | 53.91 | 51.69 |
CIFAR-10 | Trades | 85.72 | 56.75 | 56.10 | 55.9 | 53.87 | 53.40 |
CIFAR-10 | MART | 84.17 | 58.98 | 58.56 | 58.06 | 54.58 | 51.10 |
CIFAR-10 | FAT | 87.97 | 50.31 | 49.86 | 48.79 | 48.65 | 47.48 |
CIFAR-10 | GAIRAT | 86.30 | 60.64 | 59.54 | 58.74 | 45.57 | 40.30 |
CIFAR-10 | LAS-AT | 86.23 | 57.64 | 56.49 | 56.12 | 55.73 | 53.58 |
CIFAR-10 | Proposed method | 85.82 | 57.51 | 56.58 | 56.07 | 55.85 | 53.61 |
CIFAR-100 | PGD-AT | 60.89 | 32.19 | 31.69 | 31.45 | 30.10 | 27.86 |
CIFAR-100 | Trades | 58.61 | 29.20 | 28.66 | 28.56 | 27.05 | 25.94 |
CIFAR-100 | SAT | 62.82 | 28.10 | 27.17 | 26.76 | 27.32 | 24.57 |
CIFAR-100 | LAS-AT | 61.80 | 33.45 | 32.77 | 32.54 | 31.12 | 29.03 |
CIFAR-100 | Proposed method | 61.70 | 33.98 | 33.38 | 33.10 | 31.56 | 29.36 |
Tab. 1 Robustness test results using WideResNet34-10 on CIFAR-10 and CIFAR-100
Accuracy on clean samples and adversarial robust accuracy under different attacks (%)
Method | Clean | PGD-50 | C&W | AA |
---|---|---|---|---|
PGD-AT | 43.98 | 19.98 | 17.60 | 13.78 |
Trades | 39.16 | 15.74 | 12.92 | 12.32 |
LAS-AT | 44.86 | 22.16 | 18.54 | 16.74 |
Proposed method | 44.86 | 23.25 | 18.67 | 17.13 |
Tab. 2 Robustness test results using PreActResNet18 on Tiny ImageNet
Accuracy on clean samples and adversarial robust accuracy under different attacks (%)
Method | Clean | FGSM | PGD-20 | C&W |
---|---|---|---|---|
Madry-AT | 87.3 | 56.10 | 45.80 | 46.80 |
CAT | 77.43 | 57.17 | 46.06 | 42.28 |
DART | 85.03 | 63.53 | 48.70 | 47.27 |
FAT | 87.97 | 65.94 | 49.86 | 48.65 |
LAS-Madry-AT | 84.95 | 67.16 | 55.61 | 54.31 |
Proposed method | 85.33 | 67.65 | 56.09 | 54.62 |
Tab. 3 Robustness test results of proposed method and Madry-AT, CAT, DART, FAT, LAS-Madry-AT when using WideResNet34-10 on CIFAR-10
Accuracy on clean samples and adversarial robust accuracy under different attacks (%)
Threshold | Clean | PGD-50 | C&W | AA |
---|---|---|---|---|
3×10⁻³ | 43.35 | 22.53 | 18.23 | 16.63 |
4×10⁻³ | 44.86 | 23.25 | 18.67 | 17.13 |
5×10⁻³ | 44.06 | 23.18 | 18.56 | 16.95 |
6×10⁻³ | 43.6 | 23.13 | 18.46 | 16.72 |
7×10⁻³ | 43.61 | 22.68 | 18.1 | 16.58 |
Tab. 4 Robustness test results of proposed method under different thresholds when using PreActResNet18 on Tiny ImageNet
Accuracy on clean samples and adversarial robust accuracy under different attacks (%)
Backbone | Method | Clean | PGD-50 | C&W | AA |
---|---|---|---|---|---|
VGG19 | PGD-AT | 70.86 | 46.65 | 44.33 | 42.92 |
VGG19 | Proposed method | 78.44 | 50.31 | 47.71 | 45.30 |
Res18 | PGD-AT | 82.44 | 52.76 | 51.17 | 49.03 |
Res18 | Proposed method | 84.12 | 54.64 | 52.92 | 50.55 |
PARes18 | PGD-AT | 81.64 | 50.7 | 49.03 | 46.54 |
PARes18 | Proposed method | 82.93 | 52.78 | 50.77 | 48.79 |
WRN28-10 | PGD-AT | 85.48 | 54.21 | 53.71 | 51.25 |
WRN28-10 | Proposed method | 86.28 | 55.68 | 55.45 | 53.24 |
WRN34-10 | PGD-AT | 85.17 | 54.88 | 53.91 | 51.69 |
WRN34-10 | Proposed method | 85.82 | 56.07 | 55.85 | 53.61 |
Tab. 5 Robustness test results of proposed method with different backbones on CIFAR-10
Accuracy on clean samples and adversarial robust accuracy under different attacks (%)
PGD budget I | Method | Clean | PGD-50 | C&W | AA |
---|---|---|---|---|---|
6 | PGD-AT | 43.34 | 19.11 | 16.82 | 13.32 |
6 | Proposed method | 45.28 | 22.88 | 18.16 | 16.59 |
8 | PGD-AT | 43.4 | 19.49 | 17.00 | 13.57 |
8 | Proposed method | 43.59 | 22.67 | 18.44 | 16.90 |
10 | PGD-AT | 43.98 | 19.98 | 17.60 | 13.78 |
10 | Proposed method | 44.86 | 23.25 | 18.67 | 17.13 |
Tab. 6 Robustness test results of proposed method under different PGD budgets when using PreActResNet18 on Tiny ImageNet