Journal of ZheJiang University (Engineering Science)  2024, Vol. 58 Issue (11): 2230-2238    DOI: 10.3785/j.issn.1008-973X.2024.11.004
    
Fast adversarial training method based on discrete cosine transform
Xiaomiao WANG1, Yujin ZHANG1,*, Tao ZHANG2, Jin TIAN1, Fei WU1
1. School of Electronic and Electrical Engineering, Shanghai University of Engineering Science, Shanghai 201620, China
2. School of Computer Science and Engineering, Changshu Institute of Technology, Changshu 215500, China

Abstract  

A fast adversarial training method based on the discrete cosine transform (DCT) was proposed from a frequency-domain perspective in order to enhance the robustness of deep neural networks. An adversarial initialization generation module was introduced, which adaptively generates initialization information according to the system's robustness, so that image features are captured more accurately and catastrophic overfitting is effectively avoided. Random spectral transformations were applied to the samples, transforming them from the spatial domain to the frequency domain; controlling the spectral saliency improved the model's transferability and generalization ability. The effectiveness of the proposed method was validated on the CIFAR-10 and CIFAR-100 datasets. With ResNet18 as the target network under PGD-10 attack, the robust accuracy of the proposed method improved by 2% to 9% over existing methods on CIFAR-10 and by 1% to 9% on CIFAR-100. Similar gains were obtained against PGD-20, PGD-50, C&W and other attacks, and on more complex model architectures. The proposed method not only avoids catastrophic overfitting but also effectively enhances system robustness.



Key words: adversarial example; fast adversarial training; discrete cosine transform (DCT); robustness; example initialization
Received: 03 July 2023      Published: 23 October 2024
CLC: TP 391; TP 183
Fund: National Natural Science Foundation of China (62072057); Natural Science Foundation of Shanghai (17ZR1411900); China University Industry-University-Research Innovation Fund (2021ZYB01003).
Corresponding author: Yujin ZHANG. E-mail: m320121342@sues.edu.cn; yjzhang@sues.edu.cn
Cite this article:

Xiaomiao WANG,Yujin ZHANG,Tao ZHANG,Jin TIAN,Fei WU. Fast adversarial training method based on discrete cosine transform. Journal of ZheJiang University (Engineering Science), 2024, 58(11): 2230-2238.

URL:

https://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2024.11.004     OR     https://www.zjujournals.com/eng/Y2024/V58/I11/2230


Fig.1 Framework of fast adversarial training method based on discrete cosine transform
Fig.2 Detailed structure of initialization generator
Fig.3 Spectrum saliency maps of ResNet18, WideResNet, VGG, PreActResNet18
Fig.4 Comparison of whole DCT and random spectrum transformation to generate spectra and their heatmap
Algorithm 1 Fast adversarial training based on discrete cosine transform
Input: number of training iterations $M$, number of random spectral transformations $N$, maximum perturbation $\varepsilon$, step size $\alpha$, clean samples $\boldsymbol{x}$ with labels $\boldsymbol{y}$, target network $f(\cdot)$ parameterized by $\boldsymbol{w}$, initialization generator network $I(\cdot)$ parameterized by $\boldsymbol{m}$, random spectral transformation $R(\cdot)$, discrete cosine transform $D(\cdot)$ and its inverse $D_{\mathrm{I}}(\cdot)$, random variable $\boldsymbol{\eta}$ (Gaussian distribution), random variable $\boldsymbol{U}$ (uniform distribution).
For $i = 1, 2, \cdots, M$ do
    $\boldsymbol{t} = \mathrm{sgn}\,\nabla_{\boldsymbol{x}}\, l(f(\boldsymbol{x}), \boldsymbol{y})$
    $\boldsymbol{b} = I(\boldsymbol{x}, \boldsymbol{t})$
    $\boldsymbol{x}_{\boldsymbol{b}} = \boldsymbol{x} + \boldsymbol{b}$
    $\boldsymbol{x} = R(\boldsymbol{x}_{\boldsymbol{b}}) = D_{\mathrm{I}}\big(D(\boldsymbol{x}_{\boldsymbol{b}} + \boldsymbol{\eta}) \odot \boldsymbol{U}\big)$
    $\boldsymbol{\delta} = \prod_{[-\varepsilon, \varepsilon]^d} \Big( \boldsymbol{b} + \alpha\, \mathrm{sgn}\big( N^{-1} \sum_{i=1}^{N} \nabla_{\boldsymbol{x}}\, l(f(\boldsymbol{x} + \boldsymbol{\delta})) \big) \Big)$
    $\boldsymbol{m} \leftarrow \boldsymbol{m} + \nabla l(f(\boldsymbol{x} + \boldsymbol{\delta}), \boldsymbol{y})$
    $\boldsymbol{w} \leftarrow \boldsymbol{w} - \nabla l(f(\boldsymbol{x} + \boldsymbol{\delta}), \boldsymbol{y})$
End For
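As an added illustration (not code from the paper), the parts of Algorithm 1 that can be written down exactly: an orthonormal 2-D DCT pair for $D(\cdot)$ and $D_{\mathrm{I}}(\cdot)$, the random spectral transformation $R(\cdot)$, and the projected perturbation step that averages the $N$ input gradients. The network $f$, the generator $I$ and the gradients themselves are taken as inputs; the uniform mask range $[1-\rho, 1+\rho]$ for $\boldsymbol{U}$ and the pure-Python DCT are my assumptions, since the paper does not state how $\boldsymbol{U}$ is parameterized.

```python
import math
import random

def _c(k, n):
    """DCT-II orthonormal scale factor."""
    return math.sqrt(1.0 / n) if k == 0 else math.sqrt(2.0 / n)

def dct2(block):
    """Orthonormal 2-D DCT-II of a square image (list of rows): the D(.) of Algorithm 1."""
    n = len(block)
    cos = lambda i, u: math.cos((2 * i + 1) * u * math.pi / (2 * n))
    return [[_c(u, n) * _c(v, n) * sum(block[i][j] * cos(i, u) * cos(j, v)
                                       for i in range(n) for j in range(n))
             for v in range(n)] for u in range(n)]

def idct2(coef):
    """Inverse orthonormal 2-D DCT, the D_I(.) of Algorithm 1; undoes dct2 up to float error."""
    n = len(coef)
    cos = lambda i, u: math.cos((2 * i + 1) * u * math.pi / (2 * n))
    return [[sum(_c(u, n) * _c(v, n) * coef[u][v] * cos(i, u) * cos(j, v)
                 for u in range(n) for v in range(n))
             for j in range(n)] for i in range(n)]

def random_spectrum_transform(x_b, sigma, rho, rng=None):
    """R(x_b) = D_I(D(x_b + eta) ⊙ U). eta ~ N(0, sigma^2) per pixel; U is a per-coefficient
    uniform mask on [1 - rho, 1 + rho] (the mask range is an assumption, not stated in the paper)."""
    rng = rng or random.Random(0)
    n = len(x_b)
    noisy = [[x_b[i][j] + rng.gauss(0.0, sigma) for j in range(n)] for i in range(n)]
    spec = dct2(noisy)
    masked = [[spec[u][v] * rng.uniform(1 - rho, 1 + rho) for v in range(n)] for u in range(n)]
    return idct2(masked)

def project_linf(delta, eps):
    """Projection onto [-eps, eps]^d: clip every entry of the perturbation."""
    return [[max(-eps, min(eps, d)) for d in row] for row in delta]

def sgn(v):
    return (v > 0) - (v < 0)

def perturbation_step(b, grads, alpha, eps):
    """delta = Proj_[-eps,eps]^d( b + alpha * sgn(N^-1 * sum_k grad_k) ), where `grads` holds the
    N input gradients of the loss, one per random spectral transformation of the same sample."""
    n_rows, n_cols, N = len(b), len(b[0]), len(grads)
    avg = [[sum(g[i][j] for g in grads) / N for j in range(n_cols)] for i in range(n_rows)]
    stepped = [[b[i][j] + alpha * sgn(avg[i][j]) for j in range(n_cols)] for i in range(n_rows)]
    return project_linf(stepped, eps)
```

With sigma = rho = 0 the transform reduces to the identity, which is a quick sanity check that the DCT pair is correctly normalized before the noise and mask are switched on.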
 
Method           Model   P_clean   P_robust
                                   PGD-10   PGD-20   PGD-50   C&W     Auto-Attack
FGSM-RS[10]      best    73.81     42.31    41.55    41.26    39.84   37.07
FGSM-RS[10]      last    83.82     0.09     0.04     0.02     0.00    0.00
FGSM-CKPT[12]    best    90.29     41.96    39.84    39.15    41.13   37.15
FGSM-CKPT[12]    last    90.29     41.96    39.84    39.15    41.13   37.15
FGSM-GA[11]      best    83.96     49.23    47.57    46.89    47.46   43.45
FGSM-GA[11]      last    84.43     48.67    46.66    46.08    46.75   42.63
Free-AT[12]      best    80.38     47.10    45.85    45.62    44.42   42.17
Free-AT[12]      last    80.75     45.82    44.82    44.48    43.73   41.17
Proposed method  best    83.30     51.86    50.61    50.15    49.65   46.42
Proposed method  last    83.76     51.55    50.16    49.84    49.68   46.21
Tab.1 Test robustness on CIFAR-10 database using ResNet18 (%)
Fig.5 Comparison of robustness accuracy of ResNet18 on CIFAR-10 under different attack methods
Method           P_clean   P_robust
                           PGD-10   PGD-20   PGD-50   C&W     Auto-Attack
FGSM-RS[10]      74.29     41.24    40.21    39.98    39.27   36.40
FGSM-CKPT[12]    91.84     44.70    42.72    42.22    42.25   40.46
FGSM-GA[11]      81.80     48.20    47.97    46.60    46.87   45.19
Free-AT[12]      81.83     49.07    48.17    47.83    47.25   44.77
Proposed method  83.54     51.05    49.66    49.21    49.06   44.76
Tab.2 Test robustness on CIFAR-10 database using WideResNet34-10 (%)
Fig.6 Robustness trends of different attack methods during training in the WideResNet34-10 framework
Fig.7 Robustness trends of different attack methods during training in PreActResNet18
Method           Model   P_clean   P_robust
                                   PGD-10   PGD-20   PGD-50   C&W     Auto-Attack
FGSM-RS[10]      best    49.85     22.47    22.01    21.82    20.55   18.29
FGSM-RS[10]      last    60.55     0.25     0.19     0.25     0.00    0.00
FGSM-CKPT[12]    best    60.93     16.58    15.47    15.19    16.40   14.17
FGSM-CKPT[12]    last    60.93     16.69    15.61    15.24    16.60   14.34
FGSM-GA[11]      best    54.35     22.93    22.36    22.20    21.20   18.80
FGSM-GA[11]      last    55.10     20.04    19.13    18.84    18.96   16.45
Free-AT[12]      best    52.49     24.07    23.52    23.36    21.66   19.47
Free-AT[12]      last    52.63     22.86    22.32    22.16    20.68   18.57
Proposed method  best    53.77     25.92    25.22    24.82    24.07   19.28
Proposed method  last    54.08     25.91    25.00    24.67    23.82   19.16
Tab.3 Test robustness on CIFAR-100 database using ResNet18 (%)
Fig.8 Comparison of robustness accuracy of ResNet18 on CIFAR-100 under different attack methods
Fig.9 Robustness trends of different attack methods during training in ResNet18 framework
Fig.10 Comparison of cross-entropy loss landscape of FGSM-CKPT, FGSM-RS and proposed method
[1] JIN Xin, ZHUANG Jianjun, XU Ziheng. Lightweight YOLOv5s network-based algorithm for identifying hazardous objects under vehicles[J]. Journal of Zhejiang University: Engineering Science, 2023, 57(8): 1516-1526.
[2] XIONG Fan, CHEN Tian, BIAN Baicheng, et al. Chip surface character recognition based on convolutional recurrent neural network[J]. Journal of Zhejiang University: Engineering Science, 2023, 57(5): 948-956.
[3] LIU Chunjuan, QIAO Ze, YAN Haowen, et al. Semantic segmentation network for remote sensing image based on multi-scale mutual attention[J]. Journal of Zhejiang University: Engineering Science, 2023, 57(7): 1335-1344.
[4] YANG Changchun, YE Zanting, LIU Banteng, et al. Medical image segmentation method based on multi-source information fusion[J]. Journal of Zhejiang University: Engineering Science, 2023, 57(2): 226-234.
[5] SONG Xiulan, DONG Zhaohang, SHAN Hangguan, et al. Vehicle trajectory prediction based on temporal-spatial multi-head attention mechanism[J]. Journal of Zhejiang University: Engineering Science, 2023, 57(8): 1636-1643.
[6] SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[C]// 2nd International Conference on Learning Representations. Banff: [s. n.], 2014.
[7] MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[C]// International Conference on Learning Representations. Vancouver: [s. n.], 2018.
[8] WANG Y, MA X, BAILEY J, et al. On the convergence and robustness of adversarial training[C]// International Conference on Machine Learning. Long Beach: International Machine Learning Society, 2019: 6586-6595.
[9] GOODFELLOW J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[C]// International Conference on Learning Representations. San Diego: [s. n.], 2015.
[10] WONG E, RICE L, KOLTER J Z. Fast is better than free: revisiting adversarial training[C]// International Conference on Learning Representations. Addis Ababa: [s. n.], 2020.
[11] ANDRIUSHCHENKO M, FLAMMARION N. Understanding and improving fast adversarial training[C]// Neural Information Processing Systems. [S. l.]: Curran Associates, Inc., 2020: 16048-16059.
[12] KIM H, LEE W, LEE J. Understanding catastrophic overfitting in single-step adversarial training[C]// Proceedings of the AAAI Conference on Artificial Intelligence. Vancouver: AAAI Press, 2021: 8119-8127.
[13] SHAFAHI A, NAJIBI M, GHIASI A, et al. Adversarial training for free![C]// Neural Information Processing Systems. Vancouver: Curran Associates, Inc., 2019: 3353-3364.
[14] SRIRAMANAN G, ADDEPALLI S, BABURAJ A, et al. Towards efficient and effective adversarial training[C]// Neural Information Processing Systems. [S. l.]: Curran Associates, Inc., 2021: 11821-11833.
[15] IOFFE S, SZEGEDY C. Batch normalization: accelerating deep network training by reducing internal covariate shift[C]// International Conference on Machine Learning. Lille: MIT Press, 2015: 448-456.
[16] AGARAP F. Deep learning using rectified linear units (ReLU)[EB/OL]. [2023-06-20]. https://arxiv.org/abs/1803.08375.
[17] MIYATO T, KATAOKA T, KOYAMA M, et al. Spectral normalization for generative adversarial networks[C]// International Conference on Learning Representations. Vancouver: [s. n.], 2018.
[18] WANG H, WU X, HUANG Z, et al. High-frequency component helps explain the generalization of convolutional neural networks[C]// IEEE Conference on Computer Vision and Pattern Recognition. Seattle: IEEE, 2020: 8681-8691.
[19] AHMED N, NATARAJAN T, RAO K R. Discrete cosine transform[J]. IEEE Transactions on Computers, 1974, 23(1): 90-93.
[20] SELVARAJU R R, COGSWELL M, DAS A, et al. Grad-CAM: visual explanations from deep networks via gradient-based localization[C]// IEEE International Conference on Computer Vision. Venice: IEEE, 2017: 618-626.
[21] KRIZHEVSKY A, HINTON G. Learning multiple layers of features from tiny images[D]. Toronto: University of Toronto, 2009.
[22] CARLINI N, WAGNER D A. Towards evaluating the robustness of neural networks[C]// IEEE Symposium on Security and Privacy. San Jose: IEEE, 2017: 39-57.
[23] REBUFFI S A, GOWAL S, CALIAN D A, et al. Fixing data augmentation to improve adversarial robustness[EB/OL]. [2023-06-20]. https://arxiv.org/abs/2103.01946.
[24] HO J, JAIN A, ABBEEL P. Denoising diffusion probabilistic models[C]// Advances in Neural Information Processing Systems. [S. l.]: Curran Associates, Inc., 2020: 6840-6851.
[25] ZAGORUYKO S, KOMODAKIS N. Wide residual networks[C]// Proceedings of the British Machine Vision Conference. York: BMVA Press, 2016: 87.1-87.12.
[26] HE K, ZHANG X, REN S, et al. Deep residual learning for image recognition[C]// IEEE Conference on Computer Vision and Pattern Recognition. Las Vegas: IEEE Computer Society, 2016: 770-778.
[27] HE K, ZHANG X, REN S, et al. Identity mappings in deep residual networks[C]// European Conference on Computer Vision. Amsterdam: Springer Verlag, 2016: 630-645.