基于条件扩散模型的图像分类对抗样本防御方法

doi:10.19678/j.issn.1000-3428.0068512

摘要/Abstract

摘要：

深度学习模型在图像分类等领域取得了较好的结果, 但是深度学习模型容易受到对抗样本的干扰威胁, 攻击者通过对抗样本制作算法, 精心设计微小扰动, 构造肉眼难以分辨却能引发模型误分类的对抗样本, 给图像分类等深度学习应用带来严重的安全隐患。为提升图像分类模型的鲁棒性, 利用条件扩散模型, 提出一种综合对抗样本检测和对抗样本净化的对抗样本防御方法。在不修改目标模型的基础上, 检测并净化对抗样本, 提升目标模型鲁棒性。所提方法包括对抗样本检测和对抗样本净化2个模块。对于对抗样本检测, 采用不一致性增强, 通过训练一个融入目标模型高维特征和图片基本特征的图像修复模型, 比较初始输入和修复结果的不一致性, 检测对抗样本; 对于对抗样本净化, 采用端到端的对抗样本净化方式, 在去噪模型执行过程中加入图片伪影, 实现对抗样本净化。在保证目标模型精度的前提下, 在目标模型前增加对抗样本检测和净化模块, 根据检测结果, 选取相应的净化策略, 从而消除对抗样本, 提升目标模型的鲁棒性。在CIFAR10数据集和CIFAR100数据集上与5种现有方法进行对比实验, 实验结果表明: 对于扰动较小的对抗样本, 所提方法的检测精度较Argos方法提升了5~9个百分点; 相比于ADP方法, 所提方法在面对不同种类对抗样本时防御效果更稳定, 且在BPDA攻击下, 其对抗样本净化效果较ADP方法提升了1.3个百分点。

关键词: 对抗防御, 对抗样本检测, 对抗样本净化, 扩散模型, 图像去噪

Abstract:

Deep-learning models have achieved impressive results in fields such as image classification; however, they remain vulnerable to interference and threats from adversarial examples. Attackers can craft small perturbations using various attack algorithms to create adversarial examples that are visually indistinguishable yet can lead to misclassification in deep neural networks, posing significant security risks to image classification tasks. To improve the robustness of these models, we propose an adversarial-example defense method that combines adversarial detection and purification using a conditional diffusion model, while preserving the structure and parameters of the target model during detection and purification. This approach features two key modules: adversarial detection and adversarial purification. For adversarial detection, we employ an inconsistency enhancement technique, training an image restoration model that integrates both the high-dimensional features of the target model and basic image features. By comparing the inconsistencies between the initial input and the restored output, adversarial examples can be detected. An end-to-end adversarial purification method is then applied, introducing image artifacts during the denoising process. An adversarial detection and purification module is placed before the target model to ensure its accuracy. Based on detection outcomes, appropriate purification strategies are implemented to remove adversarial examples and improve model robustness. The method was compared with recent adversarial detection and purification approaches on the CIFAR10 and CIFAR100 datasets, using five adversarial attack algorithms to generate adversarial examples. It demonstrated a 5-9 percentage points improvement in detection accuracy over Argos on both datasets in a low-purification setting. Additionally, it exhibited a more stable defense performance than Adaptive Denoising Purification(ADP), with a 1.3 percentage points higher accuracy under Backwards Pass Differentiable Approximation(BPDA) attacks.

Key words: adversarial defense, adversarial example detection, adversarial purification, diffusion model, image denoising

陈子民, 关志涛. 基于条件扩散模型的图像分类对抗样本防御方法[J]. 计算机工程, 2024, 50(12): 296-305.

CHEN Zimin, GUAN Zhitao. Image Classification Adversarial Example Defense Method Based on Conditional Diffusion Model[J]. Computer Engineering, 2024, 50(12): 296-305.

https://www.ecice06.com/CN/Y2024/V50/I12/296

图/表 13

图1 对抗防御模型流程

Fig.1 Process of adversarial defense model

图2 基于图片去噪的对抗样本净化方法

Fig.2 Image denoising based adversarial example purification method

图3 条件扩散模型

Fig.3 Conditional diffusion model

图4 CIFAR10不同类别防御效果

Fig.4 Defense effect by different categories on CIFAR10

图5 检测次数对于对抗样本检测的影响

Fig.5 Effect of detection times on adversarial example detection

图6 条件系数对于对抗样本检测的影响

Fig.6 Effect of conditional coefficient on adversarial example detection

图7 迭代次数对于对抗样本净化效果的影响

Fig.7 Effect of iteration times on adversarial example purification

图8 噪声强度对于对抗样本净化的影响

Fig.8 Effect of noise intensity on adversarial example purification

参考文献 32

1	王志波, 王雪, 马菁菁, 等. 面向计算机视觉系统的对抗样本攻击综述. 计算机学报, 2023, 46 (2): 436- 468. doi: 10.11897/SP.J.1016.2023.00436
	WANG Z B , WANG X , MA J J , et al. Survey on adversarial example attack for computer vision systems. Chinese Journal of Computers, 2023, 46 (2): 436- 468. doi: 10.11897/SP.J.1016.2023.00436
2	纪守领, 杜天宇, 李进锋, 等. 机器学习模型安全与隐私研究综述. 软件学报, 2021, 32 (1): 41- 67. doi: 10.13328/j.cnki.jos.006131
	JI S L , DU T Y , LI J F , et al. Security and privacy of machine learning models: a survey. Journal of Software, 2021, 32 (1): 41- 67. doi: 10.13328/j.cnki.jos.006131
3	ATHALYE A, CARLINI N, WAGNER D. Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples[C]//Proceedings of International Conference on Machine Learning. [S. l. ]: PMLR, 2018: 274-283. URL
4	LI H C, XU X J, ZHANG X L, et al. QEBA: query-efficient boundary-based blackbox attack[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Washington D. C., USA: IEEE Press, 2020: 1221-1230. URL
5	ANDRIUSHCHENKO M, CROCE F, FLAMMARION N, et al. Square attack: a query-efficient black-box adversarial attack via random search[C]//Proceedings of European Conference on Computer Vision. Berlin, Germany: Springer, 2020: 484-501. URL
6	PAPERNOT N, MCDANIEL P, GOODFELLOW I, et al. Practical black-box attacks against machine learning[C]//Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security. New York, USA: ACM Press, 2017: 506-519.
7	白祉旭, 王衡军. 基于改进遗传算法的对抗样本生成方法. 计算机工程, 2023, 49 (5): 139- 149. doi: 10.19678/j.issn.1000-3428.0065260
	BAI Z X , WANG H J . Adversarial example generation method based on improved genetic algorithm. Computer Engineering, 2023, 49 (5): 139- 149. doi: 10.19678/j.issn.1000-3428.0065260
8	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[EB/OL]. [2023-05-20]. https://arxiv.org/pdf/1412.6572.
9	MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. DeepFool: a simple and accurate method to fool deep neural networks[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Washington D. C., USA: IEEE Press, 2016: 2574-2582. URL
10	CARLINI N, WAGNER D. Towards evaluating the robustness of neural networks[C]//Proceedings of the IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2017: 39-57.
11	MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[EB/OL]. [2023-05-20]. https://arxiv.org/pdf/1412.6572.
12	CROCE F, HEIN M. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks[C]//Proceedings of International Conference on Machine Learning. [S. l. ]: PMLR, 2020: 2206-2216. URL
13	LI T, WU Y W, CHEN S Z, et al. Subspace adversarial training[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Washington D. C., USA: IEEE Press, 2022: 13409-13418.
14	JIA X J, ZHANG Y, WU B Y, et al. LAS-AT: adversarial training with learnable attack strategy[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Washington D. C., USA: IEEE Press, 2022: 13398-13408. URL
15	GROSSE K, MANOHARAN P, PAPERNOT N, et al. On the (statistical) detection of adversarial examples[EB/OL]. [2023-05-20]. https://arxiv.org/pdf/1702.06280.
16	FEINMAN R, CURTIN R R, SHINTRE S, et al. Detecting adversarial samples from artifacts[EB/OL]. [2023-05-20]. https://arxiv.org/pdf/1703.00410.
17	METZEN J H, GENEWEIN T, FISCHER V, et al. On detecting adversarial perturbations[EB/OL]. [2023-05-20]. https://arxiv.org/abs/1702.04267.
18	KIANI S, AWAN S N, LAN C, et al. Two Souls in an Adversarial Image: towards Universal Adversarial Example Detection using Multi-view Inconsistency[C]//Proceedings of the Annual Computer Security Applications Conference. New York, USA: ACM Press, 2021: 31-44. URL
19	SAMANGOUEI P, KABKAB M, CHELLAPPA R. Defense-GAN: protecting classifiers against adversarial attacks using generative models[EB/OL]. [2023-05-20]. https://arxiv.org/abs/1805.06605.
20	GOODFELLOW I, POUGET-ABADIE J, MIRZA M, et al. Generative adversarial nets[C]//Proceedings of the 27th International Conference on Neural Information Processing Systems. New York, USA: ACM Press, 2014: 2672-2680.
21	SONG Y, KIM T, NOWOZIN S, et al. PixelDefend: leveraging generative models to understand and defend against adversarial examples[EB/OL]. [2023-05-20]. https://arxiv.org/abs/1710.10766v3.
22	SALIMANS T, KARPATHY A, CHEN X, et al. PixelCNN++: improving the PixelCNN with discretized logistic mixture likelihood and other modifications[C]//Proceedings of International Conference on Learning Representations. Berlin, Germany: Springer, 2016: 1-10. URL
23	SINGH H, SUBRAMANYAM A V. Language guided adversarial purification[EB/OL]. [2023-05-20]. https://arxiv.org/pdf/2309.10348.
24	SHI C, HOLTZ C, MISHNE G. Online adversarial purification based on self-supervised learning[C]//Proceedings of International Conference on Learning Representations. Berlin, Germany: Springer, 2020: 1-10. URL
25	YOON J, HWANG S J, LEE J. Adversarial purification with score-based generative models[C]//Proceedings of International Conference on Machine Learning. [S. l. ]: PMLR, 2021: 12062-12072. URL
26	SINHA A , DASH S P , PUHAN N B . NOMARO: defending against adversarial attacks by NOMA-inspired reconstruction operation. IEEE Sensors Letters, 2022, 6 (1): 1- 4. doi: 10.1109/LSENS.2021.3135433
27	LI J, LI D, XIONG C, et al. BLIP: bootstrapping language-image pre-training for unified vision-language understanding and generation[C]//Proceedings of International Conference on Machine Learning. [S. l. ]: PMLR, 2022: 12888-12900. URL
28	HO J , JAIN A , ABBEEL P . Denoising diffusion probabilistic models. Advances in Neural Information Processing Systems, 2020, 33, 6840- 6851. URL
29	HO J, SALIMANS T. Classifier-free diffusion guidance[EB/OL]. [2023-05-20]. https://arxiv.org/pdf/2207.12598.
30	DHARIWAL P , NICHOL A . Diffusion models beat GANs on image synthesis. Advances in Neural Information Processing Systems, 2021, 34, 8780- 8794. URL
31	SAHARIA C , HO J , CHAN W , et al. Image super-resolution via iterative refinement. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022, 1- 14. URL
32	SAHARIA C, CHAN W, CHANG H W, et al. Palette: image-to-image diffusion models[C]//Proceedings of the Special Interest Group on Computer Graphics and Interactive Techniques Conference Proceedings. New York, USA: ACM Press, 2022: 1-10. URL

[1]	张鲁, 田春伟, 宋焕生, 刘侍刚. 用于低剂量CT图像去噪的多级双树复小波网络[J]. 计算机工程, 2024, 50(9): 266-275.
[2]	高煜宝, 文志诚. 基于注意力机制的双路解码器图像去噪方法[J]. 计算机工程, 2024, 50(9): 324-332.
[3]	冯妍舟, 刘建霞, 王海翼, 冯国昊, 白宇. 基于多级残差信息蒸馏的真实图像去噪方法[J]. 计算机工程, 2024, 50(3): 216-223.
[4]	杨晶晶, 谢海燕, 薛妮妮, 张傲明. 基于双通道残差网络的水下图像去噪研究[J]. 计算机工程, 2023, 49(4): 188-198.
[5]	王飞宇, 张帆, 杜加玉, 类红乐, 祁晓峰. 基于图像降噪与压缩的对抗样本检测方法[J]. 计算机工程, 2023, 49(10): 230-238.
[6]	周博超, 韩雨男, 桂志国, 李郁峰, 张权. 基于VGG网络与深层字典的低剂量CT图像去噪算法[J]. 计算机工程, 2022, 48(4): 191-196,205.
[7]	唐超, 左文涛, 李小飞. 结合修剪均值与高斯加权中值滤波的图像去噪算法[J]. 计算机工程, 2021, 47(9): 210-216.
[8]	张墨华, 彭建华. 面向图像先验建模的可扩展高斯混合模型[J]. 计算机工程, 2020, 46(4): 220-227.
[9]	付芸,白银浩,李展,万楚琦. 快速去除椒盐噪声的蛇形扫描滤波算法[J]. 计算机工程, 2017, 43(7): 229-233.
[10]	秦冬冬,陈志军,闫学勤. 多层阈值函数下的小波图像去噪[J]. 计算机工程, 2017, 43(6): 202-206.
[11]	许光宇,林玉娥,石文兵. 基于局部结构张量的图像三边滤波器[J]. 计算机工程, 2017, 43(4): 269-276.
[12]	李传朋,秦品乐,张晋京. 基于深度卷积神经网络的图像去噪研究[J]. 计算机工程, 2017, 43(3): 253-260.
[13]	陈鹏旭,林茂松,梁艳阳,刘宏伟. 基于编码稀疏表示的柔索机器人监测图像去噪算法[J]. 计算机工程, 2017, 43(3): 261-265,270.
[14]	白云蛟,张权,尚禹,张鹏程,刘祎,桂志国. 耦合冲击滤波器的片相似性各向异性扩散模型[J]. 计算机工程, 2017, 43(3): 271-276,281.
[15]	彭宏,赵鹏博. 边缘检测中的改进型均值滤波算法[J]. 计算机工程, 2017, 43(10): 172-178.

选择文件类型/文献管理软件名称

选择包含的内容