摘要
基于深度神经网络的多源遥感影像目标识别系统已逐步在空天遥感情报侦察、无人作战自主环境认知、多模复合末制导等多个军事场景中广泛应用。然而,由于深度学习理论上的不完备性、深度神经网络结构设计工程上的强复用性、以及多源成像识别系统在复杂电磁环境中易受到各类干扰等多因素的影响,使得现有识别系统在对抗攻击鲁棒性方面评估不足,存在极大安全隐患。本文首先从深度学习理论不完备性和识别系统攻击样式两个方面分析了潜在安全风险,并重点介绍了深度识别模型对抗样本攻击基本原理和典型方法。其次,针对光学遥感影像和SAR遥感影像两类典型数据形式,从鲁棒正确识别率和对抗攻击可解释性两个方面开展多源遥感影像深度识别模型对抗攻击鲁棒性评估,覆盖了9类常见深度识别网络架构和7类典型对抗样本攻击方法,验证了现有深度识别模型对抗攻击鲁棒性普遍不足的问题,分析了对抗样本与正常样本的多隐层特征激活差异,为下一步设计对抗样本检测算法和提升模型对抗鲁棒性提供参考。
Deep-neural-network-based multiple-source remote sensing image recognition systems have been widely used in many military scenarios,such as in aerospace intelligence reconnaissance,unmanned aerial vehicles for autonomous environmental cognition,and multimode automatic target recognition systems.Deep learning models rely on the assumption that the training and testing data are from the same distribution.However,these models show poor performance under common corruption or adversarial attacks.In the remote sensing community,the adversarial robustness of deep-neural-network-based recognition models have not received much attention,thence increasing the risk for many security-sensitive applications.This article evaluates the adversarial robustness of deep-neural-network-based recognition models for multiple-source remote sensing images.First,we discuss the incompleteness of deep learning theory and reveal the presence of great security risks.The independent identical distribution assumption is often violated,and the system performance cannot be guaranteed under adversarial scenarios.The whole process chain of a deep-neural-network-based image recognition system is then analyzed for its vulnerabilities.Second,we introduce several representative algorithms for adversarial example generation under both the white-and black-box settings.The gradient-propagation-based visualization method is also proposed for analyzing adversarial attacks.We perform a detailed evaluation of nine deep neural networks across two publicly available remote sensing image datasets.Both optical remote sensing and SAR remote sensing images are used in our experiments.For each model,we generate seven perturbations,ranging from gradient-based optimization to unsupervised feature distortion,for each testing image.In all cases,we observe a significant reduction in average classification accuracy between the original clean data and their adversarial images.Apart from adversarial average recognition accuracy,feature attribution techniques have also been adopted to analyze the feature diffusion effect of adversarial attacks,hence contributing to the present understanding of the vulnerability of deep learning models.Experimental results demonstrate that all deep neural networks have suffered great losses in classification accuracy when the testing images are adversarial examples.Understanding such adversarial phenomena improves our understanding of the inner workings of deep learning models.Additional efforts are needed to enhance the adversarial robustness of deep learning models.
作者
孙浩
徐延杰
陈进
雷琳
计科峰
匡纲要
SUN Hao;XU Yanjie;CHEN Jin;LEI Lin;JI Kefeng;KUANG Gangyao(College of Electronic Science,National University of Defense Technology,Changsha 410073,China;Beijing Institute of Remote Sensing Information,Beijing 100192,China)
出处
《遥感学报》
EI
CSCD
北大核心
2023年第8期1951-1963,共13页
NATIONAL REMOTE SENSING BULLETIN
基金
国家自然科学基金(编号:61971426)。
关键词
多源遥感影像目标识别
深度神经网络
对抗攻击
特征可视化
对抗鲁棒性评估
multiple source remote sensing images
deep neural networks
adversarial attack
feature visualization
adversarial robustness evaluation
