Robustness Analysis And Improvement Of Convolutional Neural Networks Based On Frequency And Spatial Features

Deep learning has a powerful and effective network structure,which can efficiently process complex learning problems that cannot be solved by traditional machine learning.The rapid development of deep learning has made it widely used in target detection,image classification,speech recognition,and other fields.The performance of the neural network in some specific tasks even surpasses humans.Convolutional Neural Networks(CNN)get high generalization performance,but they are vulnerable to trivial perturbations.It is by now well known that intentional and imperceptible perturbations of the input data causes model misclassify images,which are called adversarial examples.As another example,even aside from such worst-case adversarial examples,neural networks are also vulnerable to simple and naturally occurring transformations,called common corruptions.Small Gaussian noise or motion blur alone(i.e.,without adversarial perturbation)can cause a significant drop in model performance.Such vulnerability raises concerns about the use of neural networks in contexts where reliability,dependability,and security are important desiderata.To analyze and improve the robustness of CNN,this thesis proposed several techniques from interpretability methods and the perspective of frequency domain,as follows.(1)Robustness study of CNN based on spatial interpretable methods.CNN have complex procession during training and inference,which makes the detection and improvement of robustness difficult.The attribution analysis of interpretable methods makes the network decision transparent to some extent.Based on the interpretation algorithm of saliency map,this thsis proposed two methods.First,a decision feature consistency metric is proposed to quantify the robustness performance of the model by measuring the utilization of decision features in model prediction.Comparative experiments on the Flower17、CIFAR-10 and MNIST dataset demonstrate the advantages of this evaluation method in terms of high transparency and low computational cost.Second,a training method with decision feature constraints is proposed to reduce the utilization of target-independent features during network training and improve the robustness of deep neural networks.Unlike traditional defense methods,this method does not rely on the adversarial examples and thus has wider adaptability,less consumption of computational resources,and faster network convergence.Experiments on the CIFAR-10 dataset further demonstrate that the method can improve the robustness under a variety of adversarial attacks.(2)Robustness study of CNN based on Frequency features utilization.First,the adversarial examples and common corruptions are analyzed by spectral visualization.Second,to better utilization of useful features in full-spectrum frequency components to improve model performance.In this thesis,we notice a distribution shift from clean data to their frequency reconstructed images,represented by Batch Normalization(BN)statistics and limited model learning in frequency features.To address this issue,we propose Freq DA-BN by using separate BN layers for disentangled frequency compositions,improving CNN learning capacities in both spatial and spectral features.Extensive experiments show that the proposed method significantly improved robustness against different types of common corruptions while maintaining the high-performance generalization of clean data.It is also noteworthy that Freq DA-BN can narrow the gap between generalization performance and adversarial robustness,shedding light on the future study of addressing the trade-off between generalization and robustness by learning full-spectrum frequency components.