
Computer Engineering ›› 2021, Vol. 47 ›› Issue (11): 121-128. doi: 10.19678/j.issn.1000-3428.0059367

• Cyberspace Security •

A Defense Method Against FGSM Adversarial Attack

WANG Xiaopeng1, LUO Wei1, QIN Ke1, YANG Jintao2, WANG Min1

  1. China Ship Development and Design Center, Wuhan 430064, China;
  2. School of Electronic Information, Wuhan University, Wuhan 430072, China
  • Received: 2020-08-26 Revised: 2020-11-01 Published: 2020-11-10
  • About the authors: WANG Xiaopeng (born 1990), male, master's student, whose main research direction is ship electronic information systems; LUO Wei, senior engineer, Ph.D.; QIN Ke, research fellow; YANG Jintao, Ph.D. candidate; WANG Min, master's student.
  • Funding:
    National Natural Science Foundation of China (61701471).

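Abstract: Intelligent ship recognition can effectively raise the level of intelligence of ship equipment, but it has a recognition security problem: even classification models with excellent performance can be attacked with adversarial examples. Against adversarial attacks such as the Fast Gradient Sign Method (FGSM), traditional defense methods must first discard the already trained classification model and then retrain it by secure means. To simplify this process, the FGSM-Defense algorithm is proposed to defend against FGSM adversarial attacks. After the classifier's class ranking from its initial prediction on the adversarial example is obtained, a specified number of classes are taken in order of their confidence. On this basis, a brute-force search designates each of these classes in turn as the attack target, a targeted FGSM attack is carried out on the original adversarial example for each, and the search range is narrowed step by step according to the corresponding rules to screen out the true class of the adversarial example. Experimental results show that the algorithm can accurately distinguish the true class of adversarial examples, with a defense success rate of 53.1% on the ImageNet dataset. Compared with traditional defense methods, it does not need to change the original neural network structure or retrain the classification model, which reduces the dependence on hardware computing power and lowers the defense cost.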

Keywords: ship recognition, adversarial example, adversarial attack, Fast Gradient Sign Method, ImageNet dataset

Abstract: Intelligent ship recognition has been widely used in the military, but it also brings increasingly serious security issues. Even high-performance classification models are still vulnerable to attacks from adversarial examples. For Fast Gradient Sign Method (FGSM) adversarial attacks, traditional defense methods need to discard the trained classification model and then retrain it by secure means. To simplify the process, this paper proposes the FGSM-Defense algorithm to defend against FGSM attacks. The algorithm obtains the class ranking from the classifier's initial prediction on the adversarial example and takes out a specified number of classes in order of confidence. These classes are then designated as attack targets one by one through brute-force search, and an FGSM targeted attack is carried out on the original adversarial example for each. Finally, the search scope is narrowed step by step according to the corresponding rules to find the real class of the adversarial example. Experimental results show that the method can recognize the real class of adversarial examples, and the success rate of defense is 53.1% on the ImageNet dataset. Compared with traditional defense methods, this method does not need to change the original neural network structure or retrain the classification model, which relieves the dependence on hardware computing power and reduces the defense cost.

Key words: ship recognition, adversarial example, adversarial attack, Fast Gradient Sign Method (FGSM), ImageNet dataset

CLC number: