
Adversarial patch defense algorithm based on PatchTracker (cited by: 1)
Abstract: The application of deep neural networks in target detection has been widely adopted in various fields. However, adversarial patch attacks, which add local perturbations to images to mislead deep neural networks, pose a significant threat to vision systems based on target detection. To tackle this issue, an adversarial patch defense algorithm based on PatchTracker was proposed, leveraging the semantic differences between adversarial patches and image backgrounds. The algorithm comprises an upstream patch detector and a downstream data enhancement module. The upstream patch detector employs a YOLOV5 (you only look once-v5) model with an attention mechanism to determine the locations of adversarial patches, which helps improve the detection accuracy for small-scale adversarial patches. The detected regions are then covered with appropriate pixel values to erase the adversarial patches. The upstream patch detector effectively reduces the impact of adversarial examples without relying on large-scale training data. The downstream data enhancement module improves the robustness of the downstream target detector by modifying the model training paradigm. Finally, the image with the patches erased is input into the downstream YOLOV5 target detection model, which has been enhanced through data augmentation. Cross-validation was performed on the public TT100K traffic sign dataset. Experimental results demonstrate that, compared with applying no defense measures, the proposed algorithm effectively defends against various types of generic adversarial patch attacks. The algorithm improves the mean average precision (mAP) by approximately 65% when detecting adversarial patch images, effectively reducing the false negative rate of small-scale adversarial patches. Moreover, compared to existing algorithms, this approach significantly enhances the accuracy of neural networks in detecting adversarial samples. Additionally, the method exhibits excellent compatibility, as it does not require modification of the downstream model structure.
Authors: XIAO Zhenjie (肖镇杰); HUANG Shiyu (黄诗瑀); YE Feng (叶锋); HUANG Liqing (黄丽清); HUANG Tianqiang (黄添强) (College of Computer and Cyber Security, Fujian Normal University, Fuzhou 350117, China; Digital Fujian Institute of Big Data Security Technology, Fuzhou 350117, China)
Source: Chinese Journal of Network and Information Security (《网络与信息安全学报》), 2024, No. 1, pp. 169-180 (12 pages)
Funding: National Natural Science Foundation of China (62072106); Fujian Province Innovation Strategy Research Program (2023R0156).
Keywords: deep learning security; adversarial attack and defense; adversarial patch; object detection