Advanced Engineering Sciences: 2022, 54(2): 56-64
Ensemble Adversarial Example Defense Based on Generative Adversarial Network (original title: 基于生成对抗网络的对抗样本集成防御)
(1. Mine Digitization Eng. Research Center of Ministry of Education, China Univ. of Mining and Technol., Xuzhou 221116, China; 2. School of Computer Sci. and Technol., China Univ. of Mining and Technol., Xuzhou 221116, China; 3. School of Medicine Info. and Eng., Xuzhou Medical Univ., Xuzhou 221004, China)
Received: 2021-02-26    Revised: 2021-10-08
Abstract (translated from the Chinese): Existing adversarial example defense methods suffer from insufficient defense capability and excessive time consumption. Drawing on the advantages of generative adversarial networks and ensemble learning in adversarial example research, this paper proposes an ensemble adversarial example defense method based on a generative adversarial network. The method uses a generative adversarial network to train several generators that can remove the adversarial perturbation from the surface of adversarial examples, and uses an ensemble learning method to combine these generators as the final defense. The generative adversarial network consists of a generator and a discriminator. The generator takes adversarial examples as input and aims to remove the adversarial perturbation on their surface; the discriminator takes benign examples and examples whose perturbation has been removed as input and aims to tell them apart. The generator and discriminator are trained alternately, and the generator reaches its best state when the discriminator can no longer distinguish the inputs. The ensemble defense uses averaging as its ensemble strategy: by averaging the defense results of multiple generators, the generators compensate for each other's weaknesses and the capability of a single defense is improved. Pre-training the generators reduces the time consumption of the defense, and combining multiple generators improves on the defense capability of any single generator. On the MNIST and CIFAR10 datasets, the proposed ensemble defense and other defense methods were used to defend against common adversarial examples, with classification accuracy as the metric of defense capability and the time consumption of each defense recorded. Experimental results show that the proposed method defends against multiple kinds of adversarial examples with relatively low time consumption, and that its defense capability is better than that of existing defense methods.
Abstract: Given the bottlenecks of existing adversarial example defense schemes, such as insufficient defense capability and high time consumption, an ensemble adversarial example defense scheme based on the generative adversarial network was proposed in this paper, taking advantage of the generative adversarial network and of ensemble learning in adversarial example research. In the scheme, a generative adversarial network was used to train multiple generators that can eliminate adversarial perturbations on the surfaces of adversarial examples, and ensemble learning was used to integrate the multiple generators as the final defense. The generative adversarial network was composed of a generator and a discriminator. The generator takes adversarial examples as inputs and its purpose is to eliminate the adversarial perturbations on their surface; the discriminator takes benign examples and examples with the adversarial perturbations eliminated as inputs and its purpose is to distinguish them. The generator and discriminator were trained alternately, and the generator reaches its best when the discriminator can no longer distinguish them. The averaging method was adopted by the ensemble defense as its ensemble strategy, so that the generators complement one another; the ability of a single defense is improved by averaging the defense results of multiple generators. The time consumption of the defense was reduced by pre-training the generators, and the defense ability was improved by integrating multiple generators. Finally, the time consumption and defense ability of the proposed scheme were verified on the MNIST and CIFAR10 datasets. With classification accuracy as the evaluation index, the defense ability of the proposed scheme on six kinds of adversarial examples was verified and compared with seven existing defense schemes. Results showed that the proposed scheme can defend against multiple adversarial examples with very low time consumption, and that its defense ability is better than that of the existing defense schemes.
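The defense pipeline the abstract describes, purify-then-classify with the outputs of several pre-trained generators averaged, as an added illustration that is not the paper's code. It assumes a constructed 16-dimensional toy data set with a nearest-prototype classifier standing in for the target model, and it replaces the GAN-trained generators with linear purifiers fitted by ridge least squares on bootstrap subsets of (adversarial, benign) pairs; the function names (`fit_purifier`, `ensemble_purify`, `evaluate`) and all constants are hypothetical. What it shows is the ensemble step itself: because the averaged output's residual error is the mean of the individual residuals, it can never exceed the average single-generator error, and a pre-trained purifier costs only one forward pass at defense time.

```python
"""Ensemble-by-averaging purification defense on constructed toy data.

Added illustration, not the paper's code. The GAN-trained generators of the
paper are replaced by linear purifiers fitted by ridge least squares; the
averaging ensemble strategy is the one the abstract describes.
"""
import numpy as np

DIM = 16      # toy "image" size (constructed)
EPS = 1.2     # per-coordinate perturbation magnitude (constructed)
NOISE = 0.3   # benign-sample noise level (constructed)
PROTOTYPES = np.stack([-np.ones(DIM), np.ones(DIM)])  # class 0 / class 1


def classify(x):
    """Nearest-prototype classifier standing in for the protected model."""
    d = ((x[:, None, :] - PROTOTYPES[None, :, :]) ** 2).sum(axis=2)
    return d.argmin(axis=1)


def make_benign(n, rng):
    """Constructed benign samples: a class prototype plus Gaussian noise."""
    y = rng.integers(0, 2, size=n)
    x = PROTOTYPES[y] + NOISE * rng.standard_normal((n, DIM))
    return x, y


def perturb(x, y):
    """Constructed adversarial examples: one step of size EPS toward the
    other class's prototype, enough to flip the toy classifier."""
    other = PROTOTYPES[1 - y]
    return x + EPS * np.sign(other - x)


def fit_purifier(x_adv, x_clean, lam=1e-3):
    """Train one purifier G_k (affine map x_adv -> x_clean) by ridge least
    squares. Stand-in for one GAN-trained generator of the paper."""
    X = np.hstack([x_adv, np.ones((len(x_adv), 1))])  # append bias column
    return np.linalg.solve(X.T @ X + lam * np.eye(X.shape[1]), X.T @ x_clean)


def purify(W, x):
    """Apply a pre-trained purifier: a single forward pass."""
    X = np.hstack([x, np.ones((len(x), 1))])
    return X @ W


def train_ensemble(k, n_train, rng):
    """Train k purifiers, each on its own bootstrap draw of the training
    pairs, so that the generators make different errors."""
    x_clean, y = make_benign(n_train, rng)
    x_adv = perturb(x_clean, y)
    gens = []
    for _ in range(k):
        idx = rng.integers(0, n_train, size=n_train)  # bootstrap resample
        gens.append(fit_purifier(x_adv[idx], x_clean[idx]))
    return gens


def ensemble_purify(gens, x_adv):
    """The averaging ensemble strategy: mean of every generator's output."""
    return np.mean([purify(W, x_adv) for W in gens], axis=0)


def evaluate(k=5, n_train=400, n_test=200, seed=0):
    """Compare accuracy and residual error of raw adversarial inputs, each
    single purifier, and the averaged ensemble on held-out test pairs."""
    rng = np.random.default_rng(seed)
    gens = train_ensemble(k, n_train, rng)
    x_clean, y = make_benign(n_test, rng)
    x_adv = perturb(x_clean, y)
    singles = [purify(W, x_adv) for W in gens]
    ens = ensemble_purify(gens, x_adv)

    def acc(x):
        return float((classify(x) == y).mean())

    def err(x):  # mean L2 distance to the benign original
        return float(np.linalg.norm(x - x_clean, axis=1).mean())

    return {
        "clean_acc": acc(x_clean),
        "adv_acc": acc(x_adv),
        "single_acc": [acc(s) for s in singles],
        "ensemble_acc": acc(ens),
        "mean_single_err": float(np.mean([err(s) for s in singles])),
        "ensemble_err": err(ens),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

The `ensemble_err <= mean_single_err` relation holds for any set of purifiers by the triangle inequality, which is the formal content of the abstract's "averaging the defense results of multiple generators"; the accuracy figures depend on the constructed data and on how well each stand-in purifier learned the perturbation.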
Article No.: 202100165    CLC number: TP391.4    Document code:
Funding: China Postdoctoral Science Foundation (2020T130098ZX); Jiangsu Postdoctoral Research Program (1701061B); National Natural Science Foundation of China (61972400)
About the authors: First author: CAO Tianjie (1967-), male, professor. Research interests: artificial intelligence security. E-mail: tjcao@cumt.edu.cn; Corresponding author: YANG Rui, E-mail: 2119344620@qq.com
Cite this article:
曹天杰,余志坤,祁韵妍,杨睿,张凤荣,陈秀清.基于生成对抗网络的对抗样本集成防御[J].工程科学与技术,2022,54(2):56-64.
CAO Tianjie, YU Zhikun, QI Yunyan, YANG Rui, ZHANG Fengrong, CHEN Xiuqing. Ensemble Adversarial Example Defense Based on Generative Adversarial Network [J]. Advanced Engineering Sciences, 2022, 54(2): 56-64.