
A deep learning adversarial example defense scheme based on redundant information compression (cited by: 1)

Information redundancy compression for adversarial defense
Abstract: In recent years, researchers have found that deep learning systems based on neural networks have security weaknesses: input samples carrying subtle perturbations can cause a model to fail. Such samples are called adversarial samples. This paper proposes Information Redundant Compression (IRC), a scheme that effectively resists adversarial sample attacks. IRC combines random image compression with a multi-scale scaling ensemble strategy to selectively compress image information, which effectively reduces redundant information and eliminates the added perturbations. The scheme has three advantages: (1) it operates at the pre-processing stage and is easy to deploy; (2) it implements both randomization and an ensemble strategy; (3) it is compatible with other adversarial defense methods. Experimental results show that, against a range of advanced adversarial attacks, IRC delivers better defense performance than other pre-processing defense schemes on several base models, while having little impact on the model's classification ability on clean images.

Authors: Xu Xiao; Chen Yijun; Feng Shiyu; Xie Lizhe; Cao Jiuxin; Hu Yining (School of Cyber Science and Engineering, Southeast University, Jiangsu Nanjing 211189; School of Computer Science and Engineering, Southeast University, Jiangsu Nanjing 211189; Institute of Stomatology, Nanjing Medical University, Jiangsu Nanjing 210029; Jiangsu Key Laboratory of Oral Diseases Research, Jiangsu Nanjing 210029; Jiangsu Key Laboratory of Computer Networking Technology, Jiangsu Nanjing 211189; Cyberspace International Governance Research Institute (Southeast University), Jiangsu Nanjing 211189)

Source: Cyberspace Security (《网络空间安全》), 2020, No. 8, pp. 11-16 (6 pages)

Keywords: adversarial defense; neural network security; image information compression