
Compressive Sensing Based Real-Time Comprehensive Defense Strategy for Neural Networks (cited by: 1)
Abstract: In recent years, deep neural network (DNN) based visual recognition models have been widely applied in fields such as autonomous driving, industrial inspection and drone navigation, mainly because of their advantages in accuracy, cost and efficiency. However, DNNs are known to be vulnerable to adversarial examples, generated either digitally or physically: images carrying deliberately crafted perturbations, whether invisible or visible but inconspicuous, can cause a classifier to make confident misclassifications. Deploying such models in scenarios that demand strong robustness and low latency, such as autonomous driving, therefore introduces new security risks into the system. Existing defense strategies usually cause a noticeable drop in test accuracy, and they are typically designed to counter either pixel attacks or patch attacks, so their defensive capability rarely transfers from one to the other. Furthermore, in real-time safety scenarios like autonomous driving, decision latency must be imperceptible, which rules out many defensive algorithms. Designing a practical real-time comprehensive defense strategy that preserves accuracy and is robust against a variety of adversarial attacks is therefore key to deploying DNN-based vision systems, and it also represents a critical machine learning challenge.

This paper addresses the robustness of DNN-based visual classifiers against various adversarial examples by proposing a compressive sensing (CS) based defense strategy combined with the discrete cosine transform (DCT), dubbed ComDCT. ComDCT works in a compress-DCT-IDCT manner: it removes adversarial perturbations from the input and feeds the denoised image to the classifier for inference, lowering the success rate of adversarial attacks. Specifically, ComDCT first trains a neural network to learn the mapping from the compressive measurements of an image to its sparse discrete cosine coefficients; the inverse discrete cosine transform then restores a cleaned image from the obtained DCT coefficients. To further improve the comprehensive performance of the defense, we also introduce a classification loss to optimize the compress-restore network, and we analyze and validate its effectiveness in both white-box and black-box defense modes, distinguished by whether the defender has access to information such as the parameters and structure of the classification model. To demonstrate the efficacy of the proposed strategy, extensive experiments were conducted on two commonly used datasets, LISA and SVHN. For a comprehensive assessment, the adversarial examples were generated with multiple attacks, including the Fast Gradient Sign Method (FGSM), Carlini-Wagner (CW-L2), Localized and Visible Adversarial Noise (LaVAN) and sticker attacks, and performance evaluation, comparison and analysis are given in both the white-box and the black-box setting. Compared with other state-of-the-art defense strategies such as ComDefend, MF, TVD and LRR, ComDCT improves the comprehensive performance indicator PDA by at least 11.88% on LISA and 7.01% on SVHN in the white-box setting. With the classification loss introduced in optimization, ComDCT still achieves at least 9.25% higher on LISA and 6.7% higher on SVHN in the black-box setting, which further confirms its advantages in alleviating adversarial effects and improving the robustness of neural-network-based visual classifiers.
Authors: WANG Jia; ZHANG Yang-Mei; SU Wu-Qiang; LUO Cheng-Wen; WU Chao; LIN Qiu-Zhen; LI Jian-Qiang (College of Computer Science and Software Engineering, Shenzhen University, 518060; University of Chinese Academy of Science, Beijing 100049; State Key Laboratory of Computer Architecture, Institute of Computing Technology, Chinese Academy of Science, Beijing 100190)
Source: 《计算机学报》 (Chinese Journal of Computers), indexed in EI, CAS, CSCD and the Peking University Core list; 2023, No. 1, pp. 1-16 (16 pages)
Funding: Key Program of the Joint Fund of the National Natural Science Foundation of China (U1713212); National Key R&D Program (2020YFA0908700); National Natural Science Foundation of China (61806130, 6197071246, 62002338); Guangdong Basic and Applied Basic Research Foundation (2021A1515011153); Pearl River Talent Plan Introduced Innovative and Entrepreneurial Team Program (2019ZT08X603); Shenzhen Science and Technology Innovation Commission Stable Support Program (General Project 20200805142159001); Shenzhen Key Project (R2020A045).
Keywords: deep neural networks; adversarial defense; compressive sensing; autonomous driving