Journal of Zhejiang University (Engineering Science)  2024, Vol. 58, Issue 11: 2230-2238    DOI: 10.3785/j.issn.1008-973X.2024.11.004
Computer Technology and Control Engineering
Fast adversarial training method based on discrete cosine transform (基于离散余弦变换的快速对抗训练方法)
Xiaomiao WANG (王晓淼)1, Yujin ZHANG (张玉金)1,*, Tao ZHANG (张涛)2, Jin TIAN (田瑾)1, Fei WU (吴飞)1
1. School of Electronic and Electrical Engineering, Shanghai University of Engineering Science, Shanghai 201620, China
2. School of Computer Science and Engineering, Changshu Institute of Technology, Changshu 215500, China
Abstract:

A fast adversarial training method based on the discrete cosine transform (DCT) was proposed from the perspective of the frequency domain in order to enhance the robustness of deep neural networks. An adversarial initialization generation module was introduced, which adaptively generates initialization information based on the system's robustness, allowing image features to be captured more accurately and effectively avoiding catastrophic overfitting. Random spectral transformations were applied to the samples, transforming them from the spatial domain to the frequency domain, which improved the model's transferability and generalization ability by controlling spectral saliency. The effectiveness of the proposed method was validated on the CIFAR-10 and CIFAR-100 datasets. With ResNet18 as the target network and under PGD-10 attack, the robust accuracy of the proposed method improved by 2% to 9% on CIFAR-10 and by 1% to 9% on CIFAR-100 compared with existing methods. Similar results were obtained under PGD-20, PGD-50, C&W and other attacks, as well as with more complex model architectures. The proposed method not only avoids catastrophic overfitting but also effectively enhances system robustness.

Key words: adversarial example; fast adversarial training; discrete cosine transform (DCT); robustness; example initialization
Received: 2023-07-03    Published: 2024-10-23
CLC: TP 391
Funding: National Natural Science Foundation of China (62072057); Natural Science Foundation of Shanghai (17ZR1411900); Industry-University-Research Innovation Fund of Chinese Universities (2021ZYB01003).
Corresponding author: Yujin ZHANG (张玉金)    E-mail: m320121342@sues.edu.cn; yjzhang@sues.edu.cn
About the first author: Xiaomiao WANG (王晓淼), born 1999, female, master's student, researching adversarial attack and defense. orcid.org/0009-0003-0561-5610. E-mail: m320121342@sues.edu.cn
Cite this article:

Xiaomiao WANG, Yujin ZHANG, Tao ZHANG, Jin TIAN, Fei WU. Fast adversarial training method based on discrete cosine transform. Journal of Zhejiang University (Engineering Science), 2024, 58(11): 2230-2238.

Link to this article:

https://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2024.11.004
https://www.zjujournals.com/eng/CN/Y2024/V58/I11/2230

Fig. 1  Overall framework of the fast adversarial training method based on discrete cosine transform
Fig. 2  Architecture of the initialization generation network
Fig. 3  Spectral saliency maps of ResNet18, WideResNet, VGG and PreActResNet18
Fig. 4  Comparison of the spectra and heat maps produced by whole-block DCT and by the random spectral transform
Algorithm 1  Fast adversarial training based on discrete cosine transform
Input: number of training iterations $M$, number of random spectral transforms $N$, maximum perturbation $\varepsilon$, step size $\alpha$, clean sample $\boldsymbol{x}$ with its label $\boldsymbol{y}$, target network $f(\cdot)$ parameterized by $\boldsymbol{w}$, initialization generation network $I(\cdot)$ parameterized by $\boldsymbol{m}$, random spectral transform $R(\cdot)$, discrete cosine transform $D(\cdot)$ and its inverse $D_{\mathrm{I}}(\cdot)$, random variable $\boldsymbol{\eta}$ (Gaussian), random variable $\boldsymbol{U}$ (uniform).
For $i = 1, 2, \cdots, M$ do
    $\boldsymbol{t} = \mathrm{sgn}\,\nabla_{\boldsymbol{x}}\, l(f(\boldsymbol{x}), \boldsymbol{y})$
    $\boldsymbol{b} = I(\boldsymbol{x}, \boldsymbol{t})$
    $\boldsymbol{x}_{\boldsymbol{b}} = \boldsymbol{x} + \boldsymbol{b}$
    $\boldsymbol{x} = R(\boldsymbol{x}_{\boldsymbol{b}}) = D_{\mathrm{I}}\big(D(\boldsymbol{x}_{\boldsymbol{b}} + \boldsymbol{\eta}) \odot \boldsymbol{U}\big)$
    $\boldsymbol{\delta} = \prod_{[-\varepsilon,\varepsilon]^d} \Big(\boldsymbol{b} + \alpha\, \mathrm{sgn}\big(N^{-1} \sum_{i=1}^{N} \nabla_{\boldsymbol{x}}\, l(f(\boldsymbol{x} + \boldsymbol{\delta}))\big)\Big)$
    $\boldsymbol{m} \leftarrow \boldsymbol{m} + \nabla l(f(\boldsymbol{x} + \boldsymbol{\delta}), \boldsymbol{y})$
    $\boldsymbol{w} \leftarrow \boldsymbol{w} - \nabla l(f(\boldsymbol{x} + \boldsymbol{\delta}), \boldsymbol{y})$
End For
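The random spectral transform step of Algorithm 1, $R(\boldsymbol{x}) = D_{\mathrm{I}}(D(\boldsymbol{x}+\boldsymbol{\eta}) \odot \boldsymbol{U})$, as an added worked example that is not code from the paper's authors: an orthonormal 2-D DCT and its inverse in pure Python, Gaussian noise added per pixel, and a uniform mask applied per coefficient. The 4x4 sample image, the noise scale and the seed are constructed assumptions; the example also makes one property explicit that the algorithm text does not, namely that because $D$ is orthonormal and $\boldsymbol{U} \in [0,1]$, the transform cannot increase the L2 norm of a sample when $\boldsymbol{\eta} = 0$.

```python
import math
import random

def dct_1d(v):
    """Orthonormal DCT-II of a 1-D sequence; the paper's D(.) along one axis."""
    n = len(v)
    out = []
    for k in range(n):
        s = sum(v[i] * math.cos(math.pi * (2 * i + 1) * k / (2 * n)) for i in range(n))
        out.append((math.sqrt(1.0 / n) if k == 0 else math.sqrt(2.0 / n)) * s)
    return out

def idct_1d(c):
    """Inverse of dct_1d (orthonormal DCT-III); the paper's D_I(.) along one axis."""
    n = len(c)
    return [sum((math.sqrt(1.0 / n) if k == 0 else math.sqrt(2.0 / n)) * c[k]
                * math.cos(math.pi * (2 * i + 1) * k / (2 * n)) for k in range(n))
            for i in range(n)]

def _separable(img, fn):
    """Apply a 1-D transform to every row, then to every column (separable 2-D transform)."""
    rows = [fn(r) for r in img]
    cols = [fn([rows[i][j] for i in range(len(rows))]) for j in range(len(rows[0]))]
    return [[cols[j][i] for j in range(len(cols))] for i in range(len(rows))]

def dct2d(img):  # the paper's D(.)
    return _separable(img, dct_1d)

def idct2d(coef):  # the paper's D_I(.)
    return _separable(coef, idct_1d)

def random_spectral_transform(x, sigma, seed):
    """R(x) = D_I( D(x + eta) ⊙ U ): eta ~ N(0, sigma^2) per pixel, U ~ Uniform[0, 1]
    per DCT coefficient. sigma and seed are assumptions made for this demo."""
    rng = random.Random(seed)
    h, w = len(x), len(x[0])
    noised = [[x[i][j] + rng.gauss(0.0, sigma) for j in range(w)] for i in range(h)]
    coef = dct2d(noised)
    masked = [[coef[i][j] * rng.uniform(0.0, 1.0) for j in range(w)] for i in range(h)]
    return idct2d(masked)

def l2(img):
    """L2 norm of an image; D is orthonormal, so it preserves this norm (Parseval)."""
    return math.sqrt(sum(v * v for row in img for v in row))

# Constructed 4x4 single-channel sample with values in [0, 1]; not data from the paper.
SAMPLE_X = [[0.1, 0.5, 0.9, 0.3],
            [0.7, 0.2, 0.4, 0.8],
            [0.6, 0.9, 0.1, 0.5],
            [0.3, 0.4, 0.8, 0.2]]
```

With sigma set to 0, comparing l2(SAMPLE_X) against l2(random_spectral_transform(SAMPLE_X, 0.0, seed)) for any seed shows the norm never growing, which is the shrinkage the uniform mask imposes on every coefficient.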
  
Method          Checkpoint  P_clean  P_robust
                                     PGD-10  PGD-20  PGD-50  C&W     Auto-Attack
FGSM-RS[10]     Best        73.81    42.31   41.55   41.26   39.84   37.07
FGSM-RS[10]     Last        83.82     0.09    0.04    0.02    0.00    0.00
FGSM-CKPT[12]   Best        90.29    41.96   39.84   39.15   41.13   37.15
FGSM-CKPT[12]   Last        90.29    41.96   39.84   39.15   41.13   37.15
FGSM-GA[11]     Best        83.96    49.23   47.57   46.89   47.46   43.45
FGSM-GA[11]     Last        84.43    48.67   46.66   46.08   46.75   42.63
Free-AT[12]     Best        80.38    47.10   45.85   45.62   44.42   42.17
Free-AT[12]     Last        80.75    45.82   44.82   44.48   43.73   41.17
Ours            Best        83.30    51.86   50.61   50.15   49.65   46.42
Ours            Last        83.76    51.55   50.16   49.84   49.68   46.21
Table 1  Model robust accuracy (%) on CIFAR-10 with ResNet18 (Best = best checkpoint, Last = last checkpoint)
Fig. 5  Comparison of the robust accuracy of ResNet18 on CIFAR-10 under different attack methods
Method          P_clean  P_robust
                         PGD-10  PGD-20  PGD-50  C&W     Auto-Attack
FGSM-RS[10]     74.29    41.24   40.21   39.98   39.27   36.40
FGSM-CKPT[12]   91.84    44.70   42.72   42.22   42.25   40.46
FGSM-GA[11]     81.80    48.20   47.97   46.60   46.87   45.19
Free-AT[12]     81.83    49.07   48.17   47.83   47.25   44.77
Ours            83.54    51.05   49.66   49.21   49.06   44.76
Table 2  Model robust accuracy (%) on CIFAR-10 with WideResNet34-10
Fig. 6  Trend of robust accuracy during training for different attack methods under the WideResNet34-10 framework
Fig. 7  Trend of robust accuracy during training for different attack methods under the PreActResNet18 framework
Method          Checkpoint  P_clean  P_robust
                                     PGD-10  PGD-20  PGD-50  C&W     Auto-Attack
FGSM-RS[10]     Best        49.85    22.47   22.01   21.82   20.55   18.29
FGSM-RS[10]     Last        60.55     0.25    0.19    0.25    0.00    0.00
FGSM-CKPT[12]   Best        60.93    16.58   15.47   15.19   16.40   14.17
FGSM-CKPT[12]   Last        60.93    16.69   15.61   15.24   16.60   14.34
FGSM-GA[11]     Best        54.35    22.93   22.36   22.20   21.20   18.80
FGSM-GA[11]     Last        55.10    20.04   19.13   18.84   18.96   16.45
Free-AT[12]     Best        52.49    24.07   23.52   23.36   21.66   19.47
Free-AT[12]     Last        52.63    22.86   22.32   22.16   20.68   18.57
Ours            Best        53.77    25.92   25.22   24.82   24.07   19.28
Ours            Last        54.08    25.91   25.00   24.67   23.82   19.16
Table 3  Model robust accuracy (%) on CIFAR-100 with ResNet18 (Best = best checkpoint, Last = last checkpoint)
Fig. 8  Comparison of the robust accuracy of ResNet18 on CIFAR-100 under different attack methods
Fig. 9  Trend of robust accuracy during training for different attack methods under the ResNet18 framework
Fig. 10  Comparison of the cross-entropy loss landscapes of FGSM-CKPT, FGSM-RS and the proposed method
References:

1 JIN Xin, ZHUANG Jianjun, XU Ziheng. Lightweight YOLOv5s network-based algorithm for identifying hazardous objects under vehicles [J]. Journal of Zhejiang University: Engineering Science, 2023, 57(8): 1516-1526.
2 XIONG Fan, CHEN Tian, BIAN Baicheng, et al. Chip surface character recognition based on convolutional recurrent neural network [J]. Journal of Zhejiang University: Engineering Science, 2023, 57(5): 948-956.
3 LIU Chunjuan, QIAO Ze, YAN Haowen, et al. Semantic segmentation network for remote sensing image based on multi-scale mutual attention [J]. Journal of Zhejiang University: Engineering Science, 2023, 57(7): 1335-1344.
4 YANG Changchun, YE Zanting, LIU Banteng, et al. Medical image segmentation method based on multi-source information fusion [J]. Journal of Zhejiang University: Engineering Science, 2023, 57(2): 226-234.
5 SONG Xiulan, DONG Zhaohang, SHAN Hangguan, et al. Vehicle trajectory prediction based on temporal-spatial multi-head attention mechanism [J]. Journal of Zhejiang University: Engineering Science, 2023, 57(8): 1636-1643.
6 SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks [C]// 2nd International Conference on Learning Representations. Banff: [s.n.], 2014.
7 MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks [C]// International Conference on Learning Representations. Vancouver: [s.n.], 2018.
8 WANG Y, MA X, BAILEY J, et al. On the convergence and robustness of adversarial training [C]// International Conference on Machine Learning. Long Beach: International Machine Learning Society, 2019: 6586-6595.
9 GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples [C]// International Conference on Learning Representations. San Diego: [s.n.], 2015.
10 WONG E, RICE L, KOLTER J Z. Fast is better than free: revisiting adversarial training [C]// International Conference on Learning Representations. Addis Ababa: [s.n.], 2020.
11 ANDRIUSHCHENKO M, FLAMMARION N. Understanding and improving fast adversarial training [C]// Neural Information Processing Systems. [S.l.]: Curran Associates, Inc., 2020: 16048-16059.
12 KIM H, LEE W, LEE J. Understanding catastrophic overfitting in single-step adversarial training [C]// Proceedings of the AAAI Conference on Artificial Intelligence. Vancouver: AAAI Press, 2021: 8119-8127.
13 SHAFAHI A, NAJIBI M, GHIASI A, et al. Adversarial training for free! [C]// Neural Information Processing Systems. Vancouver: Curran Associates, Inc., 2019: 3353-3364.
14 SRIRAMANAN G, ADDEPALLI S, BABURAJ A, et al. Towards efficient and effective adversarial training [C]// Neural Information Processing Systems. [S.l.]: Curran Associates, Inc., 2021: 11821-11833.
15 IOFFE S, SZEGEDY C. Batch normalization: accelerating deep network training by reducing internal covariate shift [C]// International Conference on Machine Learning. Lille: MIT Press, 2015: 448-456.
16 AGARAP A F. Deep learning using rectified linear units (ReLU) [EB/OL]. [2023-06-20]. https://arxiv.org/abs/1803.08375.
17 MIYATO T, KATAOKA T, KOYAMA M, et al. Spectral normalization for generative adversarial networks [C]// International Conference on Learning Representations. Vancouver: [s.n.], 2018.
18 WANG H, WU X, HUANG Z, et al. High-frequency component helps explain the generalization of convolutional neural networks [C]// IEEE Conference on Computer Vision and Pattern Recognition. Seattle: IEEE, 2020: 8681-8691.
19 AHMED N, NATARAJAN T, RAO K R. Discrete cosine transform [J]. IEEE Transactions on Computers, 1974, 23(1): 90-93.
20 SELVARAJU R R, COGSWELL M, DAS A, et al. Grad-CAM: visual explanations from deep networks via gradient-based localization [C]// IEEE International Conference on Computer Vision. Venice: IEEE, 2017: 618-626.
21 KRIZHEVSKY A, HINTON G. Learning multiple layers of features from tiny images [D]. Toronto: University of Toronto, 2009.
22 CARLINI N, WAGNER D A. Towards evaluating the robustness of neural networks [C]// IEEE Symposium on Security and Privacy. San Jose: IEEE, 2017: 39-57.
23 REBUFFI S A, GOWAL S, CALIAN D A, et al. Fixing data augmentation to improve adversarial robustness [EB/OL]. [2023-06-20]. https://arxiv.org/abs/2103.01946.
24 HO J, JAIN A, ABBEEL P. Denoising diffusion probabilistic models [C]// Advances in Neural Information Processing Systems. [S.l.]: Curran Associates, Inc., 2020: 6840-6851.
25 ZAGORUYKO S, KOMODAKIS N. Wide residual networks [C]// Proceedings of the British Machine Vision Conference. York: BMVA Press, 2016: 87.1-87.12.
26 HE K, ZHANG X, REN S, et al. Deep residual learning for image recognition [C]// IEEE Conference on Computer Vision and Pattern Recognition. Las Vegas: IEEE Computer Society, 2016: 770-778.
27 HE K, ZHANG X, REN S, et al. Identity mappings in deep residual networks [C]// European Conference on Computer Vision. Amsterdam: Springer, 2016: 630-645.