Chinese Journal of Network and Information Security (网络与信息安全学报) ›› 2020, Vol. 6 ›› Issue (1): 38-45. doi: 10.11959/j.issn.2096-109x.2020012

• Academic Paper •

Adversarial Example Detection Method Based on Boundary-Value Invariants (Chinese title: 基于边界值不变量的对抗样本检测方法)

Fei YAN (严飞), Minglun ZHANG (张铭伦), Liqiang ZHANG (张立强)

  1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, Hubei, China
  • Revised: 2020-02-02 Online: 2020-02-15 Published: 2020-03-23
  • About the authors: Fei YAN (1980- ), male, from Wuhan, Hubei; associate professor and master's supervisor at Wuhan University; main research interests are system security, trusted computing, system security verification and formal analysis, and moving target defense | Minglun ZHANG (1995- ), male, from Lianyungang, Jiangsu; master's student at Wuhan University; main research interest is the security protection of artificial intelligence systems themselves | Liqiang ZHANG (1979- ), male, from Harbin, Heilongjiang; lecturer at Wuhan University; main research interests are system security, trusted computing and security evaluation
  • Funding:
    National Basic Research Program of China (973 Program) (2014CB340601); National Natural Science Foundation of China (61272452)

Adversarial examples detection method based on boundary values invariants

Fei YAN, Minglun ZHANG, Liqiang ZHANG

  1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
  • Revised: 2020-02-02 Online: 2020-02-15 Published: 2020-03-23
  • Supported by:
    The National Basic Research Program of China (973 Program) (2014CB340601); The National Natural Science Foundation of China (61272452)

Abstract (translated from the Chinese):

At present, deep learning has become one of the most widely studied and applied technologies in computing, with successful applications in image recognition, speech, autonomous driving, text translation and other areas. However, it has gradually been found that deep neural networks are easily affected by images carrying small perturbations, which lead to misclassification; this class of attack is called adversarial examples. The emergence of adversarial examples may bring catastrophic consequences to security-sensitive application domains. Most existing defenses require adversarial examples themselves as the training set, and such adversarial-example-dependent defenses cannot cope with unknown adversarial example attacks. Borrowing the idea of boundary checking from traditional software security, an adversarial example detection and defense method based on boundary-value invariants is proposed; the method finds invariants in the deep neural network by fitting distributions, and the selection of the training set is independent of adversarial examples. Experimental results show that, on the LeNet and vgg19 models and the Mnist and Cifar10 datasets, compared with other adversarial detection methods, the proposed method can effectively detect current common adversarial example attacks with a low false positive rate.

Key words (translated from the Chinese): deep neural network, boundary checking, invariant, adversarial example detection

Abstract:

Nowadays, deep learning has become one of the most widely studied and applied technologies in the computer field. Deep neural networks (DNNs) have achieved notable success in many applications such as image recognition, speech, self-driving and text translation. However, deep neural networks are vulnerable to adversarial examples, which are generated by perturbing correctly classified inputs to cause DNN models to misbehave. A boundary check method, borrowed from traditional programs, that finds invariants in the deep neural network by fitting their distribution was proposed, and it uses these invariants to detect adversarial examples. The selection of training sets is unrelated to adversarial examples. The experimental results show that the proposed method can effectively detect current adversarial example attacks on the LeNet and vgg19 models and the Mnist and Cifar10 datasets, and has a low false positive rate.

Key words: deep neural network, boundary checking, invariant, adversarial example detection
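A minimal illustration of the detection idea in the abstract, added here as an example and not code from the paper: per-neuron boundary invariants are learned from benign activations of a constructed toy ReLU layer, and an input is flagged when any activation leaves its interval. The toy layer, the seed, the empirical range-with-slack rule standing in for the paper's distribution fitting, and the out-of-range test input are all assumptions.

```python
import random

# Constructed toy layer (4 inputs -> 6 ReLU units), fixed seed; stands in for one DNN layer.
_rng = random.Random(7)
W = [[_rng.uniform(-1.0, 1.0) for _ in range(4)] for _ in range(6)]
B = [_rng.uniform(-0.5, 0.5) for _ in range(6)]

def relu_layer(x):
    """Activation vector of the hidden layer for input x."""
    return [max(0.0, sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(W, B)]

def fit_boundary_invariants(activations, slack=0.1):
    """Per-neuron interval [min - slack*range, max + slack*range] learned from benign
    activations only. The range-with-slack rule is an assumed stand-in for the paper's
    distribution fitting; no adversarial examples are used."""
    bounds = []
    for j in range(len(activations[0])):
        col = [a[j] for a in activations]
        lo, hi = min(col), max(col)
        pad = slack * (hi - lo)
        bounds.append((lo - pad, hi + pad))
    return bounds

def violated_invariants(activation, bounds):
    """Indices of neurons whose activation leaves its interval (the boundary check)."""
    return [j for j, (lo, hi) in enumerate(bounds) if not lo <= activation[j] <= hi]

def is_adversarial(x, bounds):
    """Flag the input if any boundary invariant is violated."""
    return bool(violated_invariants(relu_layer(x), bounds))

def benign_input():
    """Constructed benign input: standard normal noise."""
    return [_rng.gauss(0.0, 1.0) for _ in range(4)]

# Invariants are fitted on constructed benign inputs alone.
BOUNDS = fit_boundary_invariants([relu_layer(benign_input()) for _ in range(2000)])

# Constructed out-of-range input: a large push along neuron 0's weight vector drives that
# activation far beyond anything seen on benign data.
OUT_OF_RANGE = [50.0 * w for w in W[0]]

def false_positive_rate(n=500):
    """Fraction of fresh benign inputs wrongly flagged by the fitted invariants."""
    return sum(is_adversarial(benign_input(), BOUNDS) for _ in range(n)) / n

if __name__ == "__main__":
    print("out-of-range input flagged:", is_adversarial(OUT_OF_RANGE, BOUNDS))
    print("benign false positive rate:", false_positive_rate())
```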
