1. School of Information Science and Engineering, Yanshan University, Qinhuangdao, Hebei 066004, China
2. Hebei Key Laboratory of Computer Virtual Technology and System Integration, Qinhuangdao, Hebei 066004, China
ZHANG Shi-hui, male, born in December 1973 in Zanhuang, Hebei; professor and doctoral supervisor at the School of Information Science and Engineering, Yanshan University. His main research interests are visual information processing and pattern recognition.
ZHANG Xiao-wei (corresponding author), male, born in August 1997 in Xingtai, Hebei; master's student at Yanshan University. His main research interests are adversarial example attack and defense, and computer vision. Email: xwzhang0724@163.com
Received: 2022-01-05
Revised: 2022-09-06
Published in print: 2023-04-25
ZHANG Shi-hui, ZHANG Xiao-wei, SONG Dan-dan, et al. Adversarial Example Defense Method Based on Inverse Perturbation Fusing Generative Adversarial Network [J]. ACTA ELECTRONICA SINICA, 2023, 51(04): 879-884. DOI: 10.12263/DZXB.20220038.
To effectively resist adversarial examples that mislead deep neural network (DNN) models, an adversarial example defense method based on an Inverse Perturbation Fusing Generative Adversarial Network (IP-GAN) is proposed. The method makes full use of the adversarial perturbation information contained in adversarial examples, takes the inverse perturbation as the starting point of adversarial example defense, and analyzes its effectiveness in the high-dimensional feature space. Drawing on the idea of generative adversarial networks, IP-GAN uses a generator architecture as the inverse perturbation construction model: it constructs the corresponding inverse perturbation from an adversarial example to obtain a reconstructed example, and introduces the DNN model to guide the optimization direction of the inverse perturbation. The reconstructed example is then fed to the DNN model to obtain the correct classification result. Experimental results show that the constructed inverse perturbation effectively eliminates the adversarial perturbation and helps the DNN model correctly recognize and classify adversarial examples. Compared with state-of-the-art defense methods, IP-GAN raises the defense success rate on the MNIST and ImageNet datasets by an average of 0.86% and 2.96%, respectively.
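As an added illustration (not code from the paper, whose IP-GAN trains a GAN generator on MNIST and ImageNet), the pure-Python toy below shows the inverse-perturbation idea the abstract describes on a constructed logistic classifier standing in for the DNN. An adversarial example is formed by one bounded sign-gradient step; an inverse perturbation r is then optimized using the classifier's own input gradient, the guidance role the abstract assigns to the DNN, so that x_adv + r is classified correctly while r stays within the same budget. The weights W and B, the sample CLEAN_X, EPS and the step sizes are all constructed; the true label is used here only to expose the training-time guidance signal, whereas the abstract describes IP-GAN's generator producing the inverse perturbation from the adversarial example itself.

```python
import math

# Constructed toy classifier standing in for the DNN: a logistic model on
# three features. W, B, the sample and all step sizes are made up for this
# illustration and are not from the paper.
W = [1.5, -2.0, 0.8]
B = 0.1
CLEAN_X = [1.0, 0.5, 1.0]   # constructed clean sample, true label 1
TRUE_Y = 1
EPS = 0.5                    # L-inf budget of the adversarial perturbation


def score(x):
    """Pre-sigmoid logit of the toy classifier."""
    return sum(wi * xi for wi, xi in zip(W, x)) + B


def predict(x):
    return 1 if score(x) > 0 else 0


def input_gradient(x, y):
    """Gradient of the cross-entropy loss with respect to the input x for
    label y; for a logistic model this is (sigmoid(score) - y) * W."""
    p = 1.0 / (1.0 + math.exp(-score(x)))
    return [(p - y) * wi for wi in W]


def _sign(v):
    return 1.0 if v > 0 else (-1.0 if v < 0 else 0.0)


def adversarial_example(x, y, eps):
    """Constructed adversarial input: one bounded step along the sign of the
    loss gradient, i.e. the perturbation the defense has to cancel."""
    g = input_gradient(x, y)
    return [xi + eps * _sign(gi) for xi, gi in zip(x, g)]


def inverse_perturbation(x_adv, y, bound, steps=50, lr=0.05):
    """Optimise r so that x_adv + r is classified as y. The classifier's own
    input gradient supplies the optimisation direction (the guidance role the
    abstract gives the DNN); IP-GAN trains a generator to output r instead,
    and this per-input optimisation is only a stand-in for that generator."""
    r = [0.0] * len(x_adv)
    for _ in range(steps):
        g = input_gradient([a + ri for a, ri in zip(x_adv, r)], y)
        # descend the loss, then project r back into the L-inf budget
        r = [max(-bound, min(bound, ri - lr * gi)) for ri, gi in zip(r, g)]
    return r


def reconstruct(x_adv, r):
    """Reconstructed example: adversarial input plus inverse perturbation."""
    return [a + ri for a, ri in zip(x_adv, r)]


def residual_perturbation(x_clean, x_rec):
    """L-inf distance to the clean input: how much adversarial perturbation
    survives after the defense is applied."""
    return max(abs(c - rc) for c, rc in zip(x_clean, x_rec))


def demo():
    x_adv = adversarial_example(CLEAN_X, TRUE_Y, EPS)
    r = inverse_perturbation(x_adv, TRUE_Y, EPS)
    x_rec = reconstruct(x_adv, r)
    return {
        "clean_pred": predict(CLEAN_X),
        "adv_pred": predict(x_adv),
        "rec_pred": predict(x_rec),
        "adv_residual": residual_perturbation(CLEAN_X, x_adv),
        "rec_residual": residual_perturbation(CLEAN_X, x_rec),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the prediction on the clean, adversarial and reconstructed inputs together with the residual perturbation; in this constructed setting the adversarial input flips the label, the reconstructed input is classified correctly again, and the residual falls well below the adversarial budget. On a real DNN the input gradient would come from automatic differentiation and a trained generator would replace the per-input optimisation, which is the difference between this sketch and the method the abstract describes.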