Adversarial attack defense model with residual dense block self-attention mechanism and generative adversarial network

doi:10.11772/j.issn.1001-9081.2021030431

Abstract

Abstract:

Neural network has outstanding performance on image classification tasks. However， it is vulnerable to adversarial examples generated by adding small perturbations， which makes it output incorrect classification results. The current defense methods have the problems of insufficient image feature extraction ability and less attention to the features of key areas of the image. To address these issues， a Defense model that fuses Residual Dense Block （RDB） Self-Attention mechanism and Generative Adversarial Network （GAN）， namely RD-SA-DefGAN， was proposed. GAN was combined with Projected Gradient Descent （PGD） attacking algorithm. The adversarial samples generated by PGD attacking algorithm were input to the training sample set， and the training process of model was stabilized by conditional constraints. The model also introduced RDB and self-attention mechanism， fully extracted features from the image， and enhanced the contribution of features from the key areas of the image. Experimental results on CIFAR10， STL10， and ImageNet20 datasets show that RD-SA-DefGAN can effectively defend from adversarial attacks， and outperforms Adv.Training， Adv-BNN， and Rob-GAN methods on defending PGD adversarial attacks. Compared to the most similar algorithm Rob-GAN， RD-SA-DefGAN improved the defense success rate by 5.0 percentage points to 9.1 percentage points on affected images in CIFAR10 dataset， with the disturbance threshold ranged from 0.015 to 0.070.

Key words: Generative Adversarial Network (GAN), adversarial attack, Residual Dense Block (RDB), self-attention mechanism, defense model

摘要：

神经网络在图像分类任务上表现优异，但它极易受添加微小扰动的对抗样本的影响，输出错误的分类结果；而目前防御方法存在图像特征提取能力不足、对图像关键区域特征关注较少的问题。针对这些问题，提出了一种融合残差密集块（RDB）自注意力机制和生成对抗网络（GAN）的攻击防御模型——RD-SA-DefGAN。该模型将GAN和投影梯度下降（PGD）攻击算法相结合，吸收PGD攻击算法生成的对抗样本进入训练样本扩充训练集，辅以条件约束稳定模型的训练过程。该模型添加了残差密集块和自注意力机制，在充分提取特征的同时，增大了关键区域特征对分类任务的贡献度。在CIFAR10、STL10和ImageNet20数据集上的实验结果表明，RD-SA-DefGAN能对对抗攻击实施有效防御，在抵御PGD对抗攻击上优于Adv.Training、Adv-BNN、Rob-GAN等防御方法。相较于结构最近似的Rob-GAN，在CIFAR10数据集上，RD-SA-DefGAN在扰动阈值为0.015~0.070时，防御成功率提升了5.0~9.1个百分点。

关键词: 生成对抗网络, 对抗攻击, 残差密集块, 自注意力机制, 防御模型

CLC Number:

TP181

Yuming ZHAO, Shenkai GU. Adversarial attack defense model with residual dense block self-attention mechanism and generative adversarial network[J]. Journal of Computer Applications, 2022, 42(3): 921-929.

赵玉明, 顾慎凯. 融合残差密集块自注意力机制和生成对抗网络的对抗攻击防御模型[J]. 《计算机应用》唯一官方网站, 2022, 42(3): 921-929.

Figures/Tables 12

Fig. 1 Self-attention mechanism

Fig. 2 Architecture of RD-SA-DefGAN model

Fig. 3 Generator structure

Fig. 4 Discriminator structure

Fig. 5 Structure of residual dense block

Tab. 1 Hyperparameters settings

超参数	设置
Batch-size	64
Epoch	250
判别器与生成器迭代参数更新比例	2∶1
Adam优化器	lr=0.000 2， β₁=0， β₂=0.9
损失函数损失项α、β	α=0.5， β=0.5
迭代周期 $h$	50

Tab. 1 Hyperparameters settings

超参数	设置
Batch-size	64
Epoch	250
判别器与生成器迭代参数更新比例	2∶1
Adam优化器	lr=0.000 2， β₁=0， β₂=0.9
损失函数损失项α、β	α=0.5， β=0.5
迭代周期 $h$	50

Fig. 6 Training accuracies with different perturbation thresholds

Tab. 2 Influence of disturbance threshold on rate of successful defense

训练扰动阈值	测试扰动阈值 $ε$
训练扰动阈值	0.000	0.015	0.035	0.055	0.070
0.01	75.76	66.67	46.07	30.09	20.71
0.02	75.98	67.56	47.30	32.69	21.89
0.03	75.34	65.75	45.73	29.89	19.37
0.04	74.56	65.26	45.32	29.77	20.29
0.05	75.11	65.88	43.03	27.33	19.67

Tab. 2 Influence of disturbance threshold on rate of successful defense

训练扰动阈值	测试扰动阈值 $ε$
训练扰动阈值	0.000	0.015	0.035	0.055	0.070
0.01	75.76	66.67	46.07	30.09	20.71
0.02	75.98	67.56	47.30	32.69	21.89
0.03	75.34	65.75	45.73	29.89	19.37
0.04	74.56	65.26	45.32	29.77	20.29
0.05	75.11	65.88	43.03	27.33	19.67

Fig. 7 Training accuracy over iterations

Fig. 8 Value of discriminator’s loss function over iterations

Tab. 3 Rates of successful defense under different attack algorithms

攻击算法	防御模型	不同扰动阈值 $ε$
攻击算法	防御模型	0.015	0.035	0.055	0.070
FGSM	RD-DefGAN	75.4	56.1	39.7	31.6
FGSM	RD-SA-DefGAN	78.3	58.7	44.0	35.3
BIM	RD-DefGAN	72.9	50.5	35.4	26.9
BIM	RD-SA-DefGAN	74.1	53.7	39.4	29.3
PGD	RD-DefGAN	67.5	47.3	32.7	21.9
PGD	RD-SA-DefGAN	69.4	49.5	34.8	24.4

Tab. 3 Rates of successful defense under different attack algorithms

攻击算法	防御模型	不同扰动阈值 $ε$
攻击算法	防御模型	0.015	0.035	0.055	0.070
FGSM	RD-DefGAN	75.4	56.1	39.7	31.6
FGSM	RD-SA-DefGAN	78.3	58.7	44.0	35.3
BIM	RD-DefGAN	72.9	50.5	35.4	26.9
BIM	RD-SA-DefGAN	74.1	53.7	39.4	29.3
PGD	RD-DefGAN	67.5	47.3	32.7	21.9
PGD	RD-SA-DefGAN	69.4	49.5	34.8	24.4

Tab. 4 Rates of successful defense under PGD attack by various defense models

数据集	防御模型	不同扰动阈值 $ε$
数据集	防御模型	0.000	0.015	0.035	0.055	0.070
CIFAR10	Adv.Training	80.3	58.3	31.1	15.5	10.3
	Adv-BNN	79.7	68.7	45.4	26.9	18.6
	Rob-GAN	71.6	60.3	43.8	28.6	19.4
	RD-DefGAN	75.8	67.5	47.3	32.1	22.7
	RD-SA-DefGAN	76.1	69.4	49.5	34.8	24.4
STL10	Adv.Training	63.2	46.7	27.4	12.8	7.0
	Adv-BNN	59.9	51.8	37.6	27.4	21.1
	Rob-GAN	62.1	52.3	41.8	32.3	23.2
	RD-DefGAN	69.3	53.6	40.2	30.7	26.0
	RD-SA-DefGAN	70.1	55.5	43.9	33.1	26.3
ImageNet20	Adv.Training	62.1	40.6	27.1	16.4	14.6
	Adv-BNN	60.9	44.3	31.2	22.5	17.3
	Rob-GAN	50.7	40.4	27.8	18.0	16.3
	RD-DefGAN	51.3	40.2	28.1	20.5	17.8
	RD-SA-DefGAN	55.4	45.1	31.5	23.3	18.1

Tab. 4 Rates of successful defense under PGD attack by various defense models

数据集	防御模型	不同扰动阈值 $ε$
数据集	防御模型	0.000	0.015	0.035	0.055	0.070
CIFAR10	Adv.Training	80.3	58.3	31.1	15.5	10.3
	Adv-BNN	79.7	68.7	45.4	26.9	18.6
	Rob-GAN	71.6	60.3	43.8	28.6	19.4
	RD-DefGAN	75.8	67.5	47.3	32.1	22.7
	RD-SA-DefGAN	76.1	69.4	49.5	34.8	24.4
STL10	Adv.Training	63.2	46.7	27.4	12.8	7.0
	Adv-BNN	59.9	51.8	37.6	27.4	21.1
	Rob-GAN	62.1	52.3	41.8	32.3	23.2
	RD-DefGAN	69.3	53.6	40.2	30.7	26.0
	RD-SA-DefGAN	70.1	55.5	43.9	33.1	26.3
ImageNet20	Adv.Training	62.1	40.6	27.1	16.4	14.6
	Adv-BNN	60.9	44.3	31.2	22.5	17.3
	Rob-GAN	50.7	40.4	27.8	18.0	16.3
	RD-DefGAN	51.3	40.2	28.1	20.5	17.8
	RD-SA-DefGAN	55.4	45.1	31.5	23.3	18.1

References 40

1	DONG S， WANG P， ABBAS K. A survey on deep learning and its applications ［J］. Computer Science Review， 2021， 40： 100379. 10.1016/j.cosrev.2021.100379
2	CHAKRABORTY A， ALAM M， DEY V， et al. Adversarial attacks and defences： a survey ［EB/OL］. ［2018-10-28］. . 10.1049/cit2.12028
3	SZEGEDY C， ZAREMBA W， SUTSKEVER I， et al. Intriguing properties of neural networks ［EB/OL］. ［2020-06-22］. .
4	GOODFELLOW I J， SHLENS J， SZEGEDY C. Explaining and harnessing adversarial examples ［EB/OL］. ［2020-06-22］. .
5	MADRY A， MAKELOV A， SCHMIDT L， et al. Towards deep learning models resistant to adversarial attacks ［EB/OL］. ［2017-06-19］. .
6	MOOSAVI-DEZFOOLI S M， FAWZI A， FROSSARD P. DeepFool： a simple and accurate method to fool deep neural networks ［C］// Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2016： 2574-2582. 10.1109/cvpr.2016.282
7	HE Z， RAKIN A S， FAN D. Parametric noise injection： trainable randomness to improve deep neural network robustness against adversarial attack ［C］// Proceedings of the 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2019： 588-597. 10.1109/cvpr.2019.00068
8	JEDDI A， SHAFIEE M J， KARG M， et al. Learn2Perturb： an end-to-end feature perturbation learning to improve adversarial robustness ［C］// Proceedings of the 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2020： 1241-1250. 10.1109/cvpr42600.2020.00132
9	KHONG T T T， NAKADA T， NAKASHIMA Y. Bayes without Bayesian learning for resisting adversarial attacks ［C］// Proceedings of the 2020 8th International Symposium on Computing and Networking. Piscataway： IEEE， 2020： 221-227. 10.1109/candar51075.2020.00038
10	WICKER M， LAURENTI L， PATANE A， et al. Bayesian inference with certifiable adversarial robustness ［EB/OL］. ［2020-06-22］..
11	GOODFELLOW I， POUGET-ABADIE J， MIRZA M， et al. Generative adversarial nets ［C］// Proceedings of the 27th International Conference on Neural Information Processing Systems. Cambridge， MA： MIT Press， 2014： 2672-2680.
12	GUI J， SUN Z， WEN Y， et al. A review on generative adversarial networks： algorithms， theory， and applications ［EB/OL］. ［2020-01-20］. . 10.1109/tkde.2021.3130191
13	MIRZA M， OSINDERO S. Conditional generative adversarial nets ［EB/OL］. ［2014-11-06］. .
14	RADFORD A， METZ L， CHINTALA S. Unsupervised representation learning with deep convolutional generative adversarial networks ［EB/OL］. ［2020-06-22］. .
15	ARJOVSKY M， CHINTALA S， BOTTOU L， et al. Wasserstein generative adversarial networks ［C］// Proceedings of the 34th International Conference on Machine Learning. New York： JMLR， 2017： 214-223.
16	MIYATO T， KATAOKA T， KOYAMA M， et al. Spectral normalization for generative adversarial networks ［EB/OL］. ［2018-02-16］. . 10.1007/978-3-030-03243-2_860-1
17	PAN Z， YU W， YI X， et al. Recent progress on Generative Adversarial Networks （GANs）： a survey ［J］. IEEE Access， 2019， 7： 36322-36333. 10.1109/access.2019.2905015
18	ODENA A， OLAH C， SHLENS J. Conditional image synthesis with auxiliary classifier GAN ［C］// Proceedings of the 34th International Conference on Machine Learning. New York： JMLR， 2017： 2642-2651.
19	唐贤伦，杜一铭，刘雨微，等. 基于条件深度卷积生成对抗网络的图像识别方法. 自动化学报， 2018， 44（5）： 855-864.（TANG X L， DU Y M， LIU Y W，et al. Image recognition with conditional deep convolutional generative adversarial networks ［J］. Acta Automatica Sinica， 2018， 44（5）： 855-864.）
20	SIMONYAN K， ZISSERMAN A. Very deep convolutional networks for large ［EB/OL］. ［2014-09-04］. .
21	ZHU L， CHEN Y， GHAMISI P， et al. Generative adversarial networks for hyperspectral image classification ［J］. IEEE Transactions on Geoscience and Remote Sensing， 2018， 56（9）： 5046-5063. 10.1109/tgrs.2018.2805286
22	LIU X， HSIEH C J. Rob-GAN： Generator， discriminator， and adversarial attacker ［C］// Proceedings of the 2019 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2019： 11234-11243. 10.1109/cvpr.2019.01149
23	ZHANG Y， TIAN Y， KONG Y， et al. Residual dense network for image super-resolution ［C］// Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 2472-2481. 10.1109/cvpr.2018.00262
24	ZHANG H， GOODFELLOW I， METAXAS D， et al. Self-attention generative adversarial networks ［C］// Proceedings of the 2019 International Conference on Machine Learning. New York： JMLR， 2019： 7354-7363.
25	KURAKIN A， GOODFELLOW I， BENGIO S. Adversarial examples in the physical world ［EB/OL］. ［2016-07-08］. . 10.1201/9781351251389-8
26	TRAMER F， KURAKIN A， PAPERNOT N， et al. Ensemble adversarial training： attacks and defenses ［EB/OL］. ［2017-05-19］. .
27	KABILAN V M， MORRIS B， NGUYEN H P， et al. VectorDefense： vectorization as a defense to adversarial examples ［J］. Soft Computing for Biomedical Applications and Related Topics， 2020， 899（13）： 19. 10.1007/978-3-030-49536-7_3
28	CHENG Y， WEI X， FU H， et al. Defense for adversarial videos by self-adaptive JPEG compression and optical texture ［C］// Proceedings of the 2nd ACM International Conference on Multimedia in Asia. New York： ACM， 2021： 1-7. 10.1145/3444685.3446308
29	DAS N， SHANBHOGUE M， CHEN S， et al. Keeping the bad guys out： protecting and vaccinating deep learning with JPEG compression ［EB/OL］. ［2017-05-08］. . 10.1145/3219819.3219910
30	GUO C， RANA M， CISSE M， et al. Coutering adbersarial images using input transformation ［EB/OL］. ［2018-01-25］. .
31	HINTON G E， VINYALS O， DEAN J， et al. Distilling the knowledge in a neural network ［EB/OL］. ［2015-03-09］. .
32	LIN Y K， WANG C F， CHANG C Y， et al. An efficient framework for counting pedestrians crossing a line using low-cost devices： the benefits of distilling the knowledge in a neural network ［J］. Multimedia Tools and Applications， 2021， 80（3）： 4037-4051. 10.1007/s11042-020-09276-9
33	LEE H， HAN S， LEE J， et al. Generative adversarial trainer： defense to adversarial perturbations with GAN ［EB/OL］. ［2017-05-09］. .
34	ZHOU J， LIANG C， CHEN J. Manifold projection for adversarial defense on face recognition［C］// Proceedings of the 2020 European Conference on Computer Vision. Cham： Springer， 2020： 288-305. 10.1007/978-3-030-58577-8_18
35	LIU X， LI Y， WU C， et al. Adv-BNN： improved adversarial defense through robust Bayesian neural network ［EB/OL］. ［2018-10-01］. .
36	WANG F， JIANG M， QIAN C， et al. Residual attention network for image classification ［C］// Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2017： 3156-3164. 10.1109/cvpr.2017.683
37	WANG F， JIANG M， QIAN C， et al. Residual attention network for image classification ［C］// Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2017： 3156-3164. 10.1109/cvpr.2017.683
38	WANG X， GIRSHICK R， GUPTA A， et al. Non-local neural networks ［C］// Proceedings of the 2018 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2018： 7794-7803. 10.1109/cvpr.2018.00813
39	DENG J， DONG W， SOCHER R， et al. ImageNet： a large-scale hierarchical image database ［C］// Proceedings of the 2009 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2009： 248-255. 10.1109/cvpr.2009.5206848
40	KINGMA D， BA J. ADAM： a method for stochastic optimization ［EB/OL］. ［2014-12-01］. .

[1]	Jing QIN, Zhiguang QIN, Fali LI, Yueheng PENG. Diagnosis of major depressive disorder based on probabilistic sparse self-attention neural network [J]. Journal of Computer Applications, 2024, 44(9): 2970-2974.
[2]	Liting LI, Bei HUA, Ruozhou HE, Kuang XU. Multivariate time series prediction model based on decoupled attention mechanism [J]. Journal of Computer Applications, 2024, 44(9): 2732-2738.
[3]	Li LIU, Haijin HOU, Anhong WANG, Tao ZHANG. Generative data hiding algorithm based on multi-scale attention [J]. Journal of Computer Applications, 2024, 44(7): 2102-2109.
[4]	Yue LIU, Fang LIU, Aoyun WU, Qiuyue CHAI, Tianxiao WANG. 3D object detection network based on self-attention mechanism and graph convolution [J]. Journal of Computer Applications, 2024, 44(6): 1972-1977.
[5]	Zexin XU, Lei YANG, Kangshun LI. Shorter long-sequence time series forecasting model [J]. Journal of Computer Applications, 2024, 44(6): 1824-1831.
[6]	Rong HUANG, Junjie SONG, Shubo ZHOU, Hao LIU. Image aesthetic quality evaluation method based on self-supervised vision Transformer [J]. Journal of Computer Applications, 2024, 44(4): 1269-1276.
[7]	Yang LIU, Rong LIU, Ke FANG, Xinyue ZHANG, Guangxu WANG. Video super-resolution reconstruction network based on frame straddling optical flow [J]. Journal of Computer Applications, 2024, 44(4): 1277-1284.
[8]	Haoran WANG, Dan YU, Yuli YANG, Yao MA, Yongle CHEN. Domain transfer intrusion detection method for unknown attacks on industrial control systems [J]. Journal of Computer Applications, 2024, 44(4): 1158-1165.
[9]	Jie WANG, Hua MENG. Image classification algorithm based on overall topological structure of point cloud [J]. Journal of Computer Applications, 2024, 44(4): 1107-1113.
[10]	Sunjie YU, Hui ZENG, Shiyu XIONG, Hongzhou SHI. Incentive mechanism for federated learning based on generative adversarial network [J]. Journal of Computer Applications, 2024, 44(2): 344-352.
[11]	Ziqi HUANG, Jianpeng HU. Entity category enhanced nested named entity recognition in automotive domain [J]. Journal of Computer Applications, 2024, 44(2): 377-384.
[12]	Xinran LUO, Tianrui LI, Zhen JIA. Chinese medical named entity recognition based on self-attention mechanism and lexicon enhancement [J]. Journal of Computer Applications, 2024, 44(2): 385-392.
[13]	Liqing QIU, Xiaopan SU. Personalized multi-layer interest extraction click-through rate prediction model [J]. Journal of Computer Applications, 2024, 44(11): 3411-3418.
[14]	Xingyao YANG, Hongtao SHEN, Zulian ZHANG, Jiong YU, Jiaying CHEN, Dongxiao WANG. Sequential recommendation based on hierarchical filter and temporal convolution enhanced self-attention network [J]. Journal of Computer Applications, 2024, 44(10): 3090-3096.
[15]	Yanbo LI, Qing HE, Shunyi LU. Aspect sentiment triplet extraction integrating semantic and syntactic information [J]. Journal of Computer Applications, 2024, 44(10): 3275-3280.