Abstract
As deep learning becomes widely deployed, its security problems are receiving increasing attention. An adversarial example adds a small perturbation to an original image that causes a deep learning model to misclassify it, which seriously hinders the development of deep learning technology. To address this problem, the attack forms and harms of existing adversarial examples are analyzed, and, because existing defense algorithms have shortcomings, a defense method based on image reconstruction is proposed in order to defend effectively against adversarial examples. The method uses MNIST as the test data set. Its core idea is image reconstruction, comprising central variance minimization and image quilting optimization: central variance minimization processes only the central region of the image, while image quilting optimization takes the overlap region into account when selecting patch blocks and uses half the patch size as the overlap region. Adversarial examples generated with FGSM, BIM, DeepFool and C&W are used to test the defensive performance of the two methods, which is compared against three existing image reconstruction defenses (cropping and rescaling, bit-depth reduction and JPEG compression). The experimental results show that the proposed central variance minimization and image quilting optimization algorithms defend well against common existing adversarial example attacks. Image quilting optimization reaches a classification accuracy above 75% on the examples generated by all four attack algorithms, and the defensive effect of central variance minimization is around 70%. The three image reconstruction algorithms used for comparison defend unevenly against the different attacks, with overall classification accuracy below 60%. The two proposed image reconstruction defenses thus achieve the goal of defending effectively against adversarial examples; the experiments demonstrate their defensive effect against different adversarial example attack algorithms, and the comparison with other image reconstruction algorithms shows that the proposed algorithms have good defensive performance.
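As an added illustration of the overlap-aware patch selection the abstract describes (this is not the authors' code; the cost function, the clean patch dictionary and the toy image are assumptions constructed here), the following pure-Python sketch rebuilds a small grayscale image from clean patches, choosing each patch by its match to the input plus its agreement with already-placed pixels in an overlap of half the patch size:

```python
# Toy image quilting reconstruction written for this page (not the paper's
# implementation). Each output patch is chosen from a dictionary of clean
# patches by a cost that combines (a) distance to the input region and
# (b) distance to pixels already written in the overlap region, which is
# half the patch size as the abstract describes. All data is constructed.

def patch_cost(patch, target, out, y, x, p):
    """Sum of absolute differences to the input region plus to any already
    reconstructed pixels the patch would overlap."""
    cost = 0
    for i in range(p):
        for j in range(p):
            cost += abs(patch[i][j] - target[i][j])
            placed = out[y + i][x + j]
            if placed is not None:          # overlap with an earlier patch
                cost += abs(patch[i][j] - placed)
    return cost

def quilt(img, patches, p=4):
    """Rebuild img (list of rows) from p x p patches placed with overlap p//2."""
    overlap = p // 2
    step = p - overlap
    h, w = len(img), len(img[0])
    out = [[None] * w for _ in range(h)]
    for y in range(0, h - p + 1, step):
        for x in range(0, w - p + 1, step):
            target = [img[y + i][x:x + p] for i in range(p)]
            best = min(patches, key=lambda pt: patch_cost(pt, target, out, y, x, p))
            for i in range(p):
                for j in range(p):
                    out[y + i][x + j] = best[i][j]
    return out

def constant(v, p=4):
    return [[v] * p for _ in range(p)]

def vertical_edge(p=4):
    return [[0] * (p // 2) + [255] * (p // 2) for _ in range(p)]

# Constructed 8x8 "clean" image: dark left half, bright right half.
CLEAN = [[0] * 4 + [255] * 4 for _ in range(8)]
# Constructed "adversarial" version: every pixel shifted by a small amount.
NOISY = [[v + 12 if v == 0 else v - 12 for v in row] for row in CLEAN]
# Constructed dictionary of clean patches (flat dark, flat bright, edge).
PATCHES = [constant(0), constant(255), vertical_edge()]

def reconstruct_noisy():
    """Quilting removes the perturbation and returns the clean image."""
    return quilt(NOISY, PATCHES)
```

Because the overlap term penalizes a patch that disagrees with its already-placed neighbour, the edge patch is chosen only where the transition actually lies.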
Authors
QIN Zhongyuan; HE Zhaoxiang; LI Tao; CHEN Liquan (School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China; Network Communication and Security Purple Mountain Laboratory, Nanjing 211189, China)
Source
Chinese Journal of Network and Information Security (《网络与信息安全学报》)
2022, No. 1, pp. 86-94 (9 pages)
Funding
National Key R&D Program of China (2020YFE0200600)
National Natural Science Foundation of China (61601113)
Keywords
adversarial example
image reconstruction
deep learning
image classification