|
|
论文:2023,Vol:41,Issue(6):1170-1178 |
|
|
引用本文: |
|
|
金夏颖, 李扬, 潘泉. DE-JSMA:面向SAR-ATR模型的稀疏对抗攻击算法[J]. 西北工业大学学报 |
|
|
JIN Xiaying, LI Yang, PAN Quan. DE-JSMA: a sparse adversarial attack algorithm for SAR-ATR models[J]. Journal of Northwestern Polytechnical University |
|
|
|
|
|
|
|
| DE-JSMA:面向SAR-ATR模型的稀疏对抗攻击算法 |
|
| 金夏颖1, 李扬2, 潘泉2 |
|
1. 西北工业大学 网络空间安全学院, 陕西 西安 710072;
2. 西北工业大学 自动化学院, 陕西 西安 710072 |
| 摘要: |
| DNN易受攻击的特点使得以智能算法为识别手段的SAR-ATR系统也存在一定脆弱性。为验证其脆弱性,结合SAR图像特征稀疏的特点,在显著图对抗攻击算法和差分进化算法基础上提出了DE-JSMA稀疏攻击算法,精确筛选出对模型推理结果影响较大的显著特征后,为显著特征优化出合适的特征值。为了更全面地验证攻击的有效性,构建了一种结合攻击成功率和对抗样本平均置信度的新指标Fc值。实验结果表明,在没有增加过多耗时,且保证高攻击成功率情况下,DE-JSMA将只能定向攻击的JSMA扩展到了非定向攻击场景,且在2种攻击场景下均实现了可靠性更高、稀疏性更优的稀疏对抗攻击,仅扰动0.31%与0.85%的像素即可达到100%与78.79%以上的非定向与定向攻击成功率。 |
| 关键词:
合成孔径雷达
自动目标识别
深度学习
对抗攻击
稀疏攻击
|
|
| DE-JSMA: a sparse adversarial attack algorithm for SAR-ATR models |
|
| JIN Xiaying1, LI Yang2, PAN Quan2 |
|
1. School of Cyberspace Security, Northwestern Polytechnical University, Xi'an 710072, China;
2. School of Automation, Northwestern Polytechnical University, Xi'an 710072, China |
| Abstract: |
| The vulnerability of DNN makes the SAR-ATR system that uses an intelligent algorithm for recognition also somewhat vulnerable. In order to verify the vulnerability, this paper proposes DE-JSMA, a novel sparse adversarial attack algorithm based on a salient map's adversarial attack algorithm and differential evolution algorithm, with the synthetic aperture radar (SAR) image feature sparsity considered. After accurately screening out the salient features that have a great impact on the model inference results, the DE-JSMA algorithm optimizes the appropriate feature values for the salient features. In order to verify its effectiveness more comprehensively, a new metric that combines the attack success rate with the average confidence interval of adversarial examples is proposed. The experimental results show that DE-JSMA extends JSMA, which can be used only for targeted attack scenario, to untargeted attack scenario without increasing too much time consumption but ensuring a high attack success rate, thus achieving sparse adversarial attack with higher reliability and better sparsity in both attack scenarios. The pixel perturbations of only 0.31% and 0.85% can achieve the untargeted and targeted attack success rates up to 100% and 78.79% respectively. |
| Key words:
synthetic aperture radar
automatic target recognition
deep learning
adversarial attack
sparse attack
|
|
| 收稿日期: 2022-12-27
修回日期:
|
| DOI: 10.1051/jnwpu/20234161170 |
| 基金项目: 国家自然科学基金(62103330,62233014)资助 |
| 通讯作者: 李扬(1990-),西北工业大学副教授,主要从事人工智能安全研究。e-mail:liyangnpu@nwpu.edu.cn
Email:liyangnpu@nwpu.edu.cn |
| 作者简介: 金夏颖(2000-),西北工业大学硕士研究生,主要从事面向SAR图像的对抗攻击研究。
|
|
| 相关功能 |
|
|
|
|
| 作者相关文章 |
|
| 金夏颖 在本刊中的所有文章 |
| 李扬 在本刊中的所有文章 |
| 潘泉 在本刊中的所有文章 |
|
|
|
|
|
|
|
|
参考文献: |
|
|
[1] CHEN S, WANG H, XU F, et al. Target classification using the deep convolutional networks for SAR images[J]. IEEE Trans on Geoscience and Remote Sensing, 2016, 54(8): 4806-4817
[2] SHARIFZADEH F, AKBARIZADEH G, SEIFI K Y. Ship classification in SAR images using a new hybrid CNN-MLP classifier[J]. Journal of the Indian Society of Remote Sensing, 2019, 47(4): 551-562
[3] VINT D, ANDERSON M, YANG Y, et al. Automatic target recognition for low resolution foliage penetrating SAR images using CNNs and GANs[J]. Remote Sensing, 2021, 13(4): 596
[4] GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples[C]//International Conference on Learning Representations, 2015
[5] MOOSAVI-DEZFOOLI S M, FAWZI A, FROSSARD P. DeepFool: a simple and accurate method to fool deep neural networks[C]//Computer Vision and Pattern Recognition, 2016: 2574-2582
[6] CARLINI N, WAGNER D. Towards evaluating the robustness of neural networks[C]//2017 IEEE Symposium on Security and Privacy, 2017: 39-57
[7] PAPERNOT N, MCDANIEL P, JHA S, et al. The limitations of deep learning in adversarial settings[C]//European Symposium on Security and Privacy, 2016: 372-387
[8] SU J, VARGAS D V, SAKURAI K. One pixel attack for fooling deep neural networks[J]. IEEE Trans on Evolutionary Computation, 2019, 23(5): 828-841
[9] MODAS A, MOOSAVI-DEZFOOLI S M, FROSSARD P. SparseFool: a few pixels make a big difference[C]//2019 IEEE Conference on Computer Vision and Pattern Recognition, 2019: 9079-9088
[10] SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[C]//International Conference on Learning Representations, 2014
[11] STORN R, PRICE K. Differential Evolution-a simple and efficient heuristic for global optimization over continuous spaces[J]. Journal of Global Optimization, 1997, 11(4): 341-359
[12] HUANG T, ZHANG Q, LIU J, et al. Adversarial attacks on deep-learning-based SAR image target recognition[J]. Journal of Network and Computer Applications, 2020, 162: 102632
[13] DU C, HUO C, ZHANG L, et al. Fast C&W: a fast adversarial attack algorithm to fool SAR target recognition with deep convolutional neural networks[J]. IEEE Geoscience and Remote Sensing Letters, 2022, 19: 4010005
[14] PENG B, PENG B, ZHOU J, et al. Speckle-variant attack: toward transferable adversarial attack to SAR target recognition[J]. IEEE Geoscience and Remote Sensing Letters, 2022, 19: 4509805
[15] 周隽凡, 孙浩, 雷琳, 等. SAR图像稀疏对抗攻击[J]. 信号处理, 2021, 37(9): 1633-1643 ZHOU Juanfan, SUN Hao, LEI Lin, et al. Sparse adversarial attack of SAR image[J]. Journal of Signal Processing, 2021, 37(9): 1633-1643 (in Chinese) |
|
|
|
|
|
|
|
