Research on integrated adversarial defense model based on image noise reduction
网络安全与数据治理 (Cybersecurity and Data Governance), Issue 8
Xue Chenhao1, Du Jinhao2, Liu Yongrui1, Yang Jing1
(1. National Computer Network Emergency Response Technical Team/Coordination Center of China (Shanxi Branch), Taiyuan 030002, China; 2. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100083, China)
Abstract: The rapid development of deep learning has led to its wide application in fields such as image recognition and natural language processing. However, researchers have found that deep neural networks are easily deceived by adversarial examples, causing them to output wrong results with high confidence. The emergence of adversarial examples poses a serious threat to systems with strict security requirements. This paper studies denoising the image at both the low-level feature and high-level feature stages to improve the model's defense performance. At the low level, a denoising autoencoder is trained and, following the idea of ensemble learning, combined with Gaussian perturbation, image mask reconstruction, and other techniques; at the high level, ResNet18 is slightly modified to incorporate mean filtering. Experiments show that the proposed method achieves good defense performance on classification tasks across multiple datasets.
CLC number: TP391
Document code: A
DOI: 10.19358/j.issn.2097-1788.2023.08.011
Citation format: Xue Chenhao, Du Jinhao, Liu Yongrui, et al. Research on integrated adversarial defense model based on image noise reduction[J]. 网络安全与数据治理, 2023, 42(8): 66-71.
Research on integrated adversarial defense model based on image noise reduction
Xue Chenhao1, Du Jinhao2, Liu Yongrui1, Yang Jing1
(1. National Computer Network Emergency Response Technical Team/Coordination Center of China (Shanxi Branch), Taiyuan 030002, China; 2. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100083, China)
Abstract: The rapid development of deep learning has led to its wide application in many fields such as image recognition and natural language processing. However, researchers have found that deep neural networks are easily deceived by adversarial examples, causing them to output wrong results with a high degree of confidence. The emergence of adversarial examples poses a great threat to systems with strict security requirements. This paper denoises the image at both the low-level feature and high-level feature stages to improve the defense performance of the model. At the lower layers, a denoising autoencoder is trained and, following the idea of ensemble learning, combined with Gaussian perturbation and image mask reconstruction; at the higher layers, ResNet18 is slightly modified to incorporate mean filtering. Experimental results show that the proposed method achieves good defense performance on classification tasks across multiple datasets.
Key words: adversarial examples; ensemble learning; denoising autoencoders; high-level features
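As a rough illustration of the low-level ensemble described in the abstract, the following PyTorch sketch classifies an input after producing three "denoised" views of it: the output of a trained denoising autoencoder, a Gaussian-perturbed copy, and a randomly masked copy reconstructed by the same autoencoder. The function name, the averaging of softmax outputs, and parameters such as sigma and mask_ratio are illustrative assumptions for this sketch, not the authors' actual implementation.

import torch
import torch.nn.functional as F

@torch.no_grad()
def ensemble_denoise_predict(x, autoencoder, classifier,
                             sigma=0.05, mask_ratio=0.3):
    """Classify an image batch after three low-level denoising views.

    x: input batch in [0, 1], shape (N, C, H, W)
    autoencoder: a trained denoising autoencoder mapping images to images
    classifier: e.g. a (modified) ResNet-18 returning class logits
    sigma: standard deviation of the added Gaussian perturbation
    mask_ratio: fraction of pixels zeroed out before reconstruction
    """
    views = []

    # View 1: reconstruction by the denoising autoencoder
    views.append(autoencoder(x).clamp(0.0, 1.0))

    # View 2: Gaussian perturbation to drown out the adversarial noise
    views.append((x + sigma * torch.randn_like(x)).clamp(0.0, 1.0))

    # View 3: random pixel masking followed by autoencoder reconstruction
    mask = (torch.rand_like(x[:, :1]) > mask_ratio).float()  # shared across channels
    views.append(autoencoder(x * mask).clamp(0.0, 1.0))

    # Ensemble: average the softmax outputs of the three views
    probs = torch.stack([F.softmax(classifier(v), dim=1) for v in views])
    return probs.mean(dim=0).argmax(dim=1)

Averaging class probabilities is only one way to combine the three views; a majority vote over the three per-view predictions would be an equally plausible choice under the same ensemble idea.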
0 Introduction
In recent years, with the increase in computing power brought by advances in computer hardware and the explosive growth of data, deep learning has performed remarkably well in many tasks such as image classification and natural language processing. It is being applied at an unprecedented scale to tackle difficult scientific problems such as DNA analysis, brain-circuit reconstruction, autonomous driving, and drug analysis.
However, as research into deep learning has deepened, scholars have found that serious security risks hide behind its strong performance. In 2014, Szegedy et al. found that by adding tiny perturbations that are imperceptible to the human eye, a deep learning model can be made to output a wrong judgment with high confidence. As shown in Figure 1, after a perturbation is added to a "mountain" image, the DNN classifier identifies it as a "dog" with 94.39% confidence; after a perturbation is added to a "pufferfish" image, the classifier identifies it as a "crab" with 100% confidence. Samples crafted by adding slight, imperceptible perturbations to the original image so that a deep learning model makes a wrong judgment are called adversarial examples.
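Szegedy et al. originally found such perturbations with an optimization-based search; a later and simpler attack, the Fast Gradient Sign Method (FGSM) of Goodfellow et al., is sketched below purely to make the idea concrete. It moves each pixel by a small step epsilon in the direction that increases the classification loss; the function name and the epsilon value are illustrative choices, not taken from this paper.

import torch
import torch.nn.functional as F

def fgsm_attack(model, x, label, epsilon=8 / 255):
    """Generate adversarial examples with the Fast Gradient Sign Method.

    x: input image batch in [0, 1], shape (N, C, H, W)
    label: ground-truth class indices, shape (N,)
    epsilon: maximum per-pixel perturbation (L-infinity bound)
    """
    model.eval()
    x = x.clone().detach().requires_grad_(True)

    # Forward pass and loss with respect to the true label
    logits = model(x)
    loss = F.cross_entropy(logits, label)

    # Gradient of the loss with respect to the input pixels
    loss.backward()

    # Step in the direction that increases the loss, then clip to the valid range
    x_adv = x + epsilon * x.grad.sign()
    return x_adv.clamp(0.0, 1.0).detach()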
The full text of this article can be downloaded at: https://www.chinaaet.com/resource/share/2000005469
This content is original to the AET website. Reproduction without authorization is prohibited.