
Research And Implementation Of Adversarial Example Defense Method In Image Classification

Posted on: 2024-03-30
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wang
GTID: 2568306944960099
Subject: Computer Science and Technology
Abstract/Summary:
In recent years, thanks to developments in deep learning and artificial intelligence, autonomous driving technology has made great progress. However, the emergence of adversarial examples exposes the vulnerability of deep neural networks and poses serious security threats to deep learning applications such as autonomous driving and face recognition. In the image classification task, adversarial training is considered one of the most effective methods for defending against adversarial examples, but it lowers the model's recognition accuracy on clean examples. How to improve the robustness of the model without degrading its recognition of clean examples is therefore an important problem in the study of adversarial example defense methods. This paper studies the two stages of adversarial training, adversarial example generation and defense model training, and proposes a weighted adaptive perturbation adversarial training algorithm and an adversarial example defense method based on example difference adversarial training. Together they reduce the model's loss of recognition accuracy on clean examples and improve the defense against adversarial examples. The main work of this paper is as follows:

(1) The paper proposes a weighted adaptive perturbation adversarial training algorithm. For the adversarial example generation stage of adversarial training, the algorithm weights the perturbation step applied to different example features during the iterative attack and generates a novel kind of adversarial example. It takes into account the importance of features in different areas, so that the generated adversarial examples have good adversarial strength while retaining more features of the clean examples. Under the adversarial training framework, this kind of adversarial example makes the model more robust and reduces the loss of the model's recognition accuracy on clean examples. The experimental results show that the expected effect is achieved on 3 types of 5 kinds of adversarial attacks on two general datasets, defending against adversarial examples while reducing the loss of recognition accuracy on clean examples.

(2) The paper proposes an adversarial example defense method based on example difference adversarial training. For the defense model training stage of adversarial training, the method uses the Euclidean norm of the difference between different adversarial examples and their clean examples to weight the loss function of each example, and obtains the defense model through adversarial training. The method uses the adversarial examples generated by the weighted adaptive perturbation algorithm, evaluates how adversarial each of them is, and distinguishes the adversarial examples at the example level. During model training, the loss weight is reduced for long-distance adversarial examples and increased for short-distance adversarial examples. Experimental results show that the method improves the defense against adversarial examples.

(3) Based on the adversarial example defense method for image classification proposed above, the author designs and implements an adversarial traffic sign defense recognition system. The author analyzes the functional requirements of the system and proposes a layered architecture design. The author designs and implements the functional modules of each layer, including user login, function display, data management, generation of adversarial traffic signs, defense against adversarial traffic signs, overall evaluation of the dataset, and driving simulation modules. The system helps to improve the robustness of the model and to strengthen the defense against adversarial traffic signs, addressing potential adversarial risks during the operation of an automatic driving system.
Keywords/Search Tags: Adversarial examples, weighted adaptation, adversarial training, example difference, landmark recognition
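
The example-level loss weighting described in item (2) of the abstract can be illustrated as follows; this is an added example, not code from the thesis. The abstract only states the direction of the weighting (short distance, larger weight), so the softmax-over-negative-distance form, the `temperature` parameter, the function names and the sample data are all assumptions.

```python
import math

def l2_distance(clean, adv):
    """Euclidean norm of the difference between two flattened images."""
    return math.sqrt(sum((c - a) ** 2 for c, a in zip(clean, adv)))

def distance_weights(clean_batch, adv_batch, temperature=0.1):
    """Per-example loss weights: short distance -> larger weight.

    Assumed form (not from the thesis): softmax over negative distances,
    rescaled so the weights average to 1 and the loss scale is unchanged.
    """
    dists = [l2_distance(c, a) for c, a in zip(clean_batch, adv_batch)]
    nearest = min(dists)  # subtract the minimum for numerical stability
    scores = [math.exp(-(d - nearest) / temperature) for d in dists]
    total = sum(scores)
    return [len(dists) * s / total for s in scores]

def cross_entropy(probs, label):
    """Negative log-likelihood of the true label for one example."""
    return -math.log(max(probs[label], 1e-12))

def weighted_adversarial_loss(clean_batch, adv_batch, adv_probs, labels,
                              temperature=0.1):
    """Mean cross-entropy on adversarial examples, weighted per example."""
    weights = distance_weights(clean_batch, adv_batch, temperature)
    losses = [cross_entropy(p, y) for p, y in zip(adv_probs, labels)]
    return sum(w * l for w, l in zip(weights, losses)) / len(losses)

# Constructed sample data: three 4-pixel "images" with growing perturbations.
CLEAN = [[0.2, 0.4, 0.6, 0.8]] * 3
ADV = [[p + eps for p in img] for img, eps in zip(CLEAN, (0.01, 0.05, 0.10))]
# Constructed model outputs (class probabilities) on the adversarial inputs.
ADV_PROBS = [[0.3, 0.5, 0.2], [0.2, 0.6, 0.2], [0.05, 0.05, 0.9]]
LABELS = [0, 1, 2]

if __name__ == "__main__":
    print("weights:", distance_weights(CLEAN, ADV))
    print("weighted loss:",
          weighted_adversarial_loss(CLEAN, ADV, ADV_PROBS, LABELS))
```

With the constructed data, the adversarial example closest to its clean image is also the one the model classifies worst, so the weighted loss is higher than the unweighted mean and training pressure shifts toward that example.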