Qin Ruoxi, Wang Linyuan, Du Xuehui, Xie Pengfei, Chen Xingyuan, Yan Bin
Henan Key Laboratory of Imaging and Intelligent Processing, PLA Strategy Support Force Information Engineering University, Zhengzhou, Henan, China.
PLA Strategy Support Force Information Engineering University, Zhengzhou, Henan, China.
Front Neurorobot. 2023 Aug 8;17:1205370. doi: 10.3389/fnbot.2023.1205370. eCollection 2023.
Deep neural networks (DNNs) have been shown to be susceptible to critical vulnerabilities when attacked by adversarial samples. This has prompted the development of attack and defense strategies similar to those used in cyberspace security. The dependence of such strategies on attack and defense mechanisms makes the associated algorithms on both sides appear as closely related processes, with the defense method being particularly passive in these processes. Inspired by the dynamic defense approach proposed in cyberspace to address endless arms races, this article defines ensemble quantity, network structure, and smoothing parameters as variable ensemble attributes and proposes a stochastic ensemble strategy based on heterogeneous and redundant sub-models. The proposed method introduces the diversity and randomness characteristic of deep neural networks to alter the fixed gradient correspondence between input and output. The unpredictability and diversity of the gradients make it more difficult for attackers to directly implement white-box attacks, helping to address the extreme transferability and vulnerability of ensemble models under white-box attacks. Experimental comparison across different attack scenarios on CIFAR10 preliminarily demonstrates the effectiveness of the proposed method: even the highest-capacity attacker cannot easily exceed the attack success rate associated with the ensemble smoothed model, especially for untargeted attacks.
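The abstract describes a defense in which ensemble quantity, sub-model composition and smoothing parameter are resampled per query so that the input gradient an attacker observes is not fixed. The following is an added illustration written for this page, not code from the paper or its authors: each sub-model is a tiny linear softmax classifier with constructed weights (standing in for the paper's heterogeneous network structures), so the input gradient can be computed analytically without a deep learning framework. The pool size, candidate smoothing levels, Monte Carlo sample count and the input vector are all assumptions chosen for the demonstration. The example shows that two queries of the same input return the same label while yielding different gradients, which is the property the abstract relies on against white-box attacks.

```python
"""
Stochastic ensemble with randomized ensemble quantity, heterogeneous
sub-models and randomized Gaussian smoothing (illustration only; every
model here is a constructed linear classifier, not the paper's DNNs).
"""
import math
import random

NUM_CLASSES = 3
DIM = 4
POOL_SIZE = 6                          # assumption: size of the sub-model pool
SMOOTHING_SIGMAS = (0.05, 0.15, 0.25)  # assumption: candidate smoothing levels
NOISE_SAMPLES = 8                      # assumption: Monte Carlo samples per query

# Base weights: class c responds to input feature c (constructed).
_BASE_W = [[2.0 if j == c else 0.0 for j in range(DIM)] for c in range(NUM_CLASSES)]


def build_pool(seed=0):
    """Construct POOL_SIZE heterogeneous sub-models: base weights plus a
    per-model perturbation, which stands in for differing architectures."""
    rng = random.Random(seed)
    pool = []
    for _ in range(POOL_SIZE):
        w = [[v + rng.uniform(-0.2, 0.2) for v in row] for row in _BASE_W]
        b = [rng.uniform(-0.1, 0.1) for _ in range(NUM_CLASSES)]
        pool.append((w, b))
    return pool


def _softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def _member_forward(model, x):
    """Return (probs, grads) for one linear sub-model, where grads[c] is
    d p_c / d x = p_c * (W_c - sum_j p_j W_j)."""
    w, b = model
    z = [sum(wi * xi for wi, xi in zip(row, x)) + bi for row, bi in zip(w, b)]
    p = _softmax(z)
    expected_w = [sum(p[j] * w[j][i] for j in range(NUM_CLASSES)) for i in range(DIM)]
    grads = [[p[c] * (w[c][i] - expected_w[i]) for i in range(DIM)]
             for c in range(NUM_CLASSES)]
    return p, grads


def stochastic_ensemble(pool, x, query_rng):
    """One query against the stochastic ensemble. The ensemble quantity k,
    the member subset and the smoothing sigma are resampled from query_rng
    on every call, so the observable input gradient changes per query.
    Returns (averaged probs, gradient of the predicted-class probability, k, sigma)."""
    k = query_rng.randint(2, len(pool))
    members = query_rng.sample(pool, k)
    sigma = query_rng.choice(SMOOTHING_SIGMAS)

    probs = [0.0] * NUM_CLASSES
    grad_all = [[0.0] * DIM for _ in range(NUM_CLASSES)]
    n = k * NOISE_SAMPLES
    for model in members:
        for _ in range(NOISE_SAMPLES):
            noisy = [xi + query_rng.gauss(0.0, sigma) for xi in x]
            p, g = _member_forward(model, noisy)
            for c in range(NUM_CLASSES):
                probs[c] += p[c] / n
                for i in range(DIM):
                    grad_all[c][i] += g[c][i] / n
    pred = max(range(NUM_CLASSES), key=probs.__getitem__)
    return probs, grad_all[pred], k, sigma


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def compare_queries(seed_a, seed_b, x=(2.0, 0.0, 0.0, 0.0)):
    """Query the same constructed input twice with independent randomness and
    report whether the labels agree and whether the observed gradients differ."""
    pool = build_pool()
    pa, ga, ka, sa = stochastic_ensemble(pool, list(x), random.Random(seed_a))
    pb, gb, kb, sb = stochastic_ensemble(pool, list(x), random.Random(seed_b))
    return {
        "pred_a": max(range(NUM_CLASSES), key=pa.__getitem__),
        "pred_b": max(range(NUM_CLASSES), key=pb.__getitem__),
        "identical": ga == gb,
        "cosine": cosine(ga, gb),
        "config_a": (ka, sa),
        "config_b": (kb, sb),
    }


if __name__ == "__main__":
    print(compare_queries(1, 2))
```

With distinct query seeds the two calls pick different member subsets and smoothing levels, so `identical` is False even though both predict class 0; with the same seed the gradients coincide exactly. A real deployment would draw the per-query randomness from a source the attacker cannot observe or replay, since a reproducible seed collapses the defense back to a fixed gradient.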