Abstract
To address the robust overfitting problem in adversarial training (AT), in which the adversarial defense performance of a network model declines rather than improves once training exceeds a certain number of rounds, this work proposes a novel adversarial training method that leverages a non-norm constraint based on structural dissimilarity, named DSSIM-AT. For the first time, non-norm constraints are introduced into the adversarial training process for adversarial example generation: non-semantic features are removed from the generated adversarial examples according to the structural dissimilarity between examples, making them more suitable for AT. The proposed method further designs a gradient asynchronous update mechanism, which optimizes the time cost of adversarial example generation and model parameter updates. The experimental results show that DSSIM-AT can effectively alleviate the robust overfitting problem. Compared with existing adversarial training methods, DSSIM-AT improves the recognition accuracy on clean examples of the CIFAR-10 dataset by approximately 3%, while the recognition accuracy on adversarial examples improves by approximately 4%-8%.
Authors
WANG Baoli (王保利)
FAN Xinxin (范鑫鑫)
JING Quanliang (景全亮)
BI Jingping (毕经平)
Affiliations: School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100049; Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190
Source
Chinese High Technology Letters (《高技术通讯》)
CAS
2023, Issue 4, pp. 339-351 (13 pages)
Funding
Supported by the National Natural Science Foundation of China (62077044, 61702470, 62002343).
Keywords
adversarial attack
adversarial defense
adversarial training(AT)
non-norm constraint