In recent years, deep learning technologies have achieved astonishing results in fields such as computer vision and natural language processing. However, despite their exceptional performance on clean samples, deep learning models are vulnerable to maliciously crafted adversarial examples, leading to erroneous decisions. This hinders the practical application of deep learning technologies, particularly in domains with heightened security requirements, where the threat posed by adversarial examples is especially severe. Consequently, the study of adversarial example defense techniques is crucial for ensuring the safe and reliable application of deep learning technologies across various fields, and it has become one of the prominent research directions in the artificial intelligence domain in recent years. Adversarial training is among the most widely applicable and effective adversarial defense methods, substantially enhancing a model's robustness against adversarial attacks by incorporating adversarial examples into the training process. The key to adversarial training lies in the data: only a diverse and potent collection of adversarial training samples can enable models to learn generalized defensive robustness during training. Consequently, this dissertation approaches the issue from the perspective of adversarial training data, endeavoring to construct powerful adversarial training samples with varying properties and distributions, thereby bolstering the model's generalized defensive robustness against different kinds of attacks. In addition to data, the robustness of an adversarially trained model is influenced by the parameter initialization strategy and the model architecture design. To this end, this dissertation further studies the model pretraining strategy and architecture design, seeking a more robust adversarial defense model.

Within the adversarial training defense framework, this dissertation delves into enhancing the defensive robustness of adversarially trained models for both images and point clouds, addressing the issue from three aspects: training data, model pretraining, and model architecture. The main contributions and innovations of this dissertation are as follows:

1. Proposed Efficient Adversarial Training Sample Generation Method Based on Generative Models. Previous adversarial training samples suffer from a trade-off between attack performance and generation efficiency, constraining the effectiveness and defensive performance of the resulting adversarially trained models. To address this critical issue, this dissertation focuses on the architecture design of generation-based adversarial training samples, improving the architecture of the generative model and introducing two target-label injection modules. Extensive experiments show that the proposed method can attack any category with a single model while preserving adversarial attack performance, improving both the performance and the efficiency of the adversarial training process.

2. Proposed Attention-Guided Robust Superpixel Adversarial Training Sample Generation Method. The robustness and attack performance of existing adversarial training samples are relatively weak, resulting in adversarially trained models that lack generalized defense ability against robust and powerful adversarial attack methods. To address this key issue, this dissertation proposes an attention-guided robust superpixel adversarial training sample generation method, extending the generation of adversarial perturbations from the "pixel level" to the "superpixel level" and constraining the modification range of adversarial perturbations to the foreground region of objects based on attention maps. Experiments show that the proposed adversarial training samples are more robust, exhibit statistical characteristics closer to those of natural images, and have better attack performance, effectively enhancing the defensive generalization of adversarial training.

3. Proposed Distortion-Guided Sparse Adversarial Training Sample Generation Method. Existing adversarially trained models lack generalized robustness against sparse adversarial attacks. However, because of their limited generation efficiency and invisibility, current sparse adversarial example generation methods are difficult to apply to adversarial training. To address this critical issue, this dissertation proposes a distortion-guided sparse adversarial training sample generation method. The proposed method efficiently generates sparse adversarial perturbations through a greedy two-stage strategy and guides the selection of perturbed pixels with a distortion map, further enhancing the invisibility of the adversarial perturbations. Experiments show that the proposed adversarial training samples outperform previous methods in sparsity, generation efficiency, and invisibility, effectively enhancing the defensive generalization of adversarial training against sparse adversarial attacks.

4. Proposed Perceptual Codebook Guided Masked Image Modeling for Robust Feature Pretraining. The performance of existing robust feature pretraining methods is limited by their low-level loss function design, resulting in relatively limited improvements in clean sample accuracy and adversarial defense robustness after adversarial fine-tuning. To address this issue, this dissertation proposes a robust feature pretraining algorithm based on perceptual codebook guided masked image modeling. By incorporating a multi-layer perceptual loss into the training of the codebook that serves as the prediction target of masked image modeling, a semantically rich codebook is obtained, enabling the model to learn more accurate and robust features during pretraining. This results in significant performance improvements in both clean sample fine-tuning and adversarial fine-tuning scenarios.

5. Proposed Cross-Shaped Window Self-Attention Robust Vision Model. The adversarial robustness of current vision transformers is limited by the design of their self-attention mechanism. To solve this problem, this dissertation proposes a cross-shaped window self-attention robust vision model. By replacing global self-attention with parallel cross-shaped window self-attention, the model achieves stronger modeling capability with only a limited increase in computation cost. In addition, this dissertation proposes locally-enhanced positional encoding to introduce more inductive bias into the model. Extensive experiments show that the model outperforms previous methods by a large margin on both clean samples and adversarial examples.

6. Proposed Gather-Vector Guided Point Cloud Adaptive Defense Model. To address the relative scarcity of adversarial defense research on point clouds, this dissertation analyzes the local-global positional relationships and structural properties of point clouds and proposes a gather-vector guided point cloud adaptive defense model. By calculating the gather-vectors corresponding to local point cloud features, the model achieves adaptive feature selection. Experiments show that the proposed method substantially enhances the model's adversarial defense robustness without sacrificing clean sample performance, and further improves the model's robustness when combined with adversarial training.