摘要
深度学习模型可以从原始数据中自动学习到数据的纹理特征和形态特征,使得其在安全验证、识别分类、语音人脸识别等不同领域取得远远超过人工特征方法的性能。虽然深度学习在图像分类和目标检测等方向上取得了较好成效,但是通过在输入上添加难以察觉的微小扰动形成的对抗样本导致深度学习模型在实际使用中存在巨大的风险。因此,提高单个模型的鲁棒性是重要的研究方向。前人在时序数据分类模型的鲁棒性研究中,对抗样本的解释性研究较为欠缺。目前较为常见的防御对抗样本的方法是对抗训练,但是对抗训练有着非常高的训练代价。本文以时序数据分类模型为研究对象,定义了时序数据的纹理特征和形态特征,并基于理论证明和可视化特征层方式,说明了纹理特征是被攻击的关键因素。同时,提出了一种基于特征约束的模型鲁棒性提升方法。该方法结合多任务学习,通过在误差函数中增加特征的平滑约束项,引导模型在分类的同时尽可能学习到原始数据的形态特征。在保证分类精度的同时,降低对抗样本存在的空间,从而训练出更加鲁棒的模型。算法在经典分类模型和多个时序数据集进行了大量的实验,实验结果表明了本文方法的有效性,在多种对抗攻击下,能较好的提高单个模型的鲁棒性。
Deep learning model can automatically learn the texture and morphological features from original data, which makes it achieve far better performance than the manual features based method in many fields such as security verification,recognition and classification, voice and face recognition, etc. Although deep learning has achieved good performance in image classification and object detection, the existence of adversarial examples formed by adding imperceptibly small perturbations to the input leads to huge risks in the practical use of deep learning models. Among them, the improvement of the robustness of a single model is an important research field. In the previous research on the robustness of time-series data classification model, the explanatory research against samples is relatively lacking. At present, the most common method to defend against adversarial samples is adversarial training, but adversarial training has a very high training cost.Take the time-series data classification model for example, we define the texture features and morphological features of the time series data. Additionally, based on the theoretical proof and feature visualize method, we explain that the texture feature is the key factor to be attacked. At the same time, a method for improving model robustness based on feature constraints is proposed. This method combines multi-task learning to guide the model to learn the morphological features of the original data as much as possible. While ensuring the classification accuracy, the space of adversarial samples is reduced, so as to train a more robust model. A large number of experiments on classical classification models and multiple time-series datasets were conducted, and the experimental results show the effectiveness of the method. Moreover, it can better improve the robustness of a single model under a variety of adversarial attacks.
作者
杨中国
张镌
王丽君
YANG Zhongguo;ZHANG Juan;WANG Lijun(School of Information Science and Technology,North China University of Technology,Beijing 100144,China;Beijing Key Laboratory on Integration and Analysis of Large-scale Stream Data,Beijing 100144,China)
出处
《信息安全学报》
CSCD
2023年第1期26-39,共14页
Journal of Cyber Security
基金
“融合业务过程和物联大数据的服务抽象与编程机制研究”国家自然科学基金委重点国际(地区)合作研究项目(No.62061136006)
北京市自然科学基金项目(No.4202021)资助。
关键词
时序数据分类
对抗样本
纹理特征
鲁棒性
time-series classification
adversarial attack
textural features
robustness
