Abstract
[Objective] The emergence of adversarial examples causes deep neural networks to output wrong results with high confidence; to improve the security of deep neural networks, adversarial examples must be distinguished from benign inputs. [Methods] A classification model for correctly classifying adversarial attack samples, named RC-Net, is proposed based on the residual network structure. The RC-Net classification model consists of a residual-network feature extraction module and a classification module. The RC-Net model is trained iteratively using adversarial training; three currently popular adversarial attack methods are improved and applied to the Mini-ImageNet dataset to generate the corresponding adversarial examples. The processed samples are then used to attack the EfficientNet classification model and the RC-Net classification model, and the attack results are compared. [Results] The attack results show that the proposed RC-Net classification model achieves high classification accuracy on Mini-ImageNet adversarial examples. [Conclusions] Adversarial training of deep neural networks effectively enhances the robustness of deep neural network models.
[Objective] In this paper we develop RC-Net, a resilient image classification model built on the ResNet architecture. It is specifically engineered to discern adversarial examples in image recognition tasks and to address the challenges that adversarial attacks pose to machine learning systems. With a focus on security and accuracy, particularly in critical applications such as autonomous vehicles, digital security systems and financial fraud detection, RC-Net is tailored to fortify existing image recognition systems against sophisticated adversarial manipulation, thereby advancing the reliability of machine learning technologies.

[Methods] As a classification system rooted in the residual network architecture, RC-Net strengthens its ability to identify adversarial examples in image recognition tasks through a blend of feature extraction and classification techniques. It comprises two key modules, a feature extraction module based on the residual network and a classification rule definition module, and is trained iteratively using an adversarial training approach. Finally, three popular adversarial attack methods are improved and used to generate adversarial samples from the Mini-ImageNet dataset.

[Results] The proposed model demonstrates high recognition accuracies of 92.3%, 96.1% and 84.5%, surpassing the recognition accuracy of the EfficientNet classification network in classifying both adversarial and non-adversarial samples. It also exhibits the highest recall rate, 95.4%, in identifying model categories, showing its proficiency in distinguishing adversarial from non-adversarial samples. The key developments in the paper cover adversarial sample generation, the RC-Net model structure, data processing, loss function optimization and optimizer selection, and are summarized below.

Adversarial sample generation: The study introduces modifications to the AdvGAN, FGSM and G-ATN adversarial attack algorithms, involving changes in the feedforward network structure, normalization of input images, and adjustments to the network structure to minimize the impact on subsequent classification.

RC-Net model structure: Using the ResNet50 pre-trained model for feature extraction, RC-Net defines classification rules for both adversarial and non-adversarial images. Average pooling, BN layer normalization and the LeakyReLU activation function enhance stability and predictive accuracy.

Data processing and loss function optimization: The paper underscores the significance of initial data processing and loss function optimization for model performance. Various data processing techniques and the use of the sigmoid function for binary classification (adversarial vs. non-adversarial samples) are explored.

Optimizer selection: The study compares the performance of different optimizers (Adam, LAMB, SGD) for RC-Net; their effectiveness varies with the adversarial attack method employed.

Experimental results and analysis: The feasibility of the RC-Net structure is validated through ablation experiments, while comparative experiments highlight the effectiveness of RC-Net in identifying adversarial samples.

[Conclusions] The proposed model, grounded in the residual network structure, is effective at distinguishing adversarial examples in image classification. These examples, which pose a security threat, are addressed by RC-Net, which consists of two modules: residual-network-based feature extraction and defined classification rules. Through iterative adversarial training and testing against popular adversarial attack techniques, RC-Net significantly outperforms the EfficientNet model in identifying adversarial samples. This research contributes a practical solution to mitigate the impact of adversarial samples in image recognition, particularly in applications with stringent security requirements. The emphasis on developing robust models against adversarial attacks lays a foundation for future research, enhancing the security and reliability of AI systems in practical applications.
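The [Methods] and [Conclusions] sections describe generating FGSM adversarial examples and training the classifier iteratively on them. The following plain-Python example is added here to illustrate that mechanism at toy scale; it is not code from the paper or from RC-Net. It assumes a logistic-regression classifier instead of a ResNet, a constructed data set with one strongly informative feature and 50 weakly informative ones instead of Mini-ImageNet, and an L-infinity budget of 0.5; the learning rate and epoch count are likewise chosen for illustration.

```python
"""
Added example (not the paper's code): FGSM and adversarial training on a
small logistic-regression classifier, in plain Python. The data set is
constructed, not Mini-ImageNet; the 0.5 budget, feature layout, learning
rate and epoch count are assumptions chosen so the effect is visible.
"""
import math
import random

N_NOISE = 50          # weakly informative features per sample
SIGNAL_SCALE = 1.0    # the single strongly informative feature
NOISE_SCALE = 0.05    # each weak feature leans only slightly toward the label


def make_dataset(n, seed):
    """Constructed toy data: label y, one strong feature, N_NOISE weak ones."""
    rng = random.Random(seed)
    data = []
    for i in range(n):
        y = i % 2                      # balanced classes
        s = 1.0 if y == 1 else -1.0
        x = [s * (SIGNAL_SCALE + rng.uniform(-0.2, 0.2))]
        x += [s * NOISE_SCALE + rng.uniform(-0.02, 0.02) for _ in range(N_NOISE)]
        data.append((x, y))
    return data


def sigmoid(z):
    z = max(-500.0, min(500.0, z))     # guard math.exp against overflow
    return 1.0 / (1.0 + math.exp(-z))


class LinearModel:
    """Logistic regression: p(y=1|x) = sigmoid(w.x + b)."""

    def __init__(self, dim):
        self.w = [0.0] * dim
        self.b = 0.0

    def prob(self, x):
        return sigmoid(sum(wi * xi for wi, xi in zip(self.w, x)) + self.b)

    def predict(self, x):
        return 1 if self.prob(x) >= 0.5 else 0

    def input_gradient(self, x, y):
        # d(cross-entropy)/dx = (p - y) * w for a logistic model
        p = self.prob(x)
        return [(p - y) * wi for wi in self.w]


def fgsm(model, x, y, eps):
    """Fast Gradient Sign Method: x_adv = x + eps * sign(grad_x loss)."""
    grad = model.input_gradient(x, y)
    return [xi + eps * (1 if g > 0 else -1 if g < 0 else 0)
            for xi, g in zip(x, grad)]


def train(data, eps=None, epochs=300, lr=0.2):
    """Full-batch gradient descent. With eps set, every step also includes the
    FGSM version of each sample (adversarial training, half clean / half adversarial)."""
    model = LinearModel(len(data[0][0]))
    for _ in range(epochs):
        batch = list(data)
        if eps is not None:
            batch += [(fgsm(model, x, y, eps), y) for x, y in data]
        gw = [0.0] * len(model.w)
        gb = 0.0
        for x, y in batch:
            err = model.prob(x) - y
            for j, xj in enumerate(x):
                gw[j] += err * xj
            gb += err
        n = len(batch)
        model.w = [wj - lr * g / n for wj, g in zip(model.w, gw)]
        model.b -= lr * gb / n
    return model


def accuracy(model, data, eps=0.0):
    """Clean accuracy when eps == 0, else accuracy on FGSM-perturbed inputs."""
    correct = 0
    for x, y in data:
        x_eval = fgsm(model, x, y, eps) if eps > 0 else x
        correct += model.predict(x_eval) == y
    return correct / len(data)


def compare(eps=0.5):
    """Standard vs. adversarially trained model, clean and under FGSM."""
    train_set = make_dataset(40, seed=1)   # constructed data
    test_set = make_dataset(40, seed=2)
    std = train(train_set)
    adv = train(train_set, eps=eps)
    return {
        "standard_clean": accuracy(std, test_set),
        "standard_robust": accuracy(std, test_set, eps),
        "adversarial_clean": accuracy(adv, test_set),
        "adversarial_robust": accuracy(adv, test_set, eps),
    }


if __name__ == "__main__":
    for name, acc in compare().items():
        print(f"{name:>18}: {acc:.2f}")
```

Both models classify the clean test set perfectly, but the standard model spreads weight across the 50 weak features, so an FGSM step of size eps shifts its logit by eps times the L1 norm of the weights (the linear-model view from the FGSM paper by Goodfellow et al.), which exceeds every sample's margin and flips every prediction. Adversarial training penalizes exactly that L1 term, drives the weak-feature weights toward zero, and leaves the model correct on the same perturbed inputs.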
Authors
巫煜文
蔡艺军
卓建亮
涂梅林
WU Yuwen; CAI Yijun; ZHUO Jianliang; TU Meilin (School of Opto-Electronic and Communication Engineering, Xiamen University of Technology, Xiamen 361024, China; AI Research and Development Center, Meiya Pico, Xiamen 361008, China; Institute of Electromagnetics and Acoustics, Xiamen University, Xiamen 361005, China)
Source
Journal of Xiamen University: Natural Science (《厦门大学学报(自然科学版)》)
Indexed in: CAS, CSCD, Peking University Core Journals (北大核心)
2024, No. 4, pp. 659-669 (11 pages)
Funding
National Natural Science Foundation of China (62005232)
Natural Science Foundation of Fujian Province (2020J01294)
Keywords
adversarial attack
image classifier
image classification
residual network
ResNet
adversarial example