Adversarial attacks can easily fool object recognition systems based on deep neural networks (DNNs). Although many defense methods have been proposed in recent years, most of them can still be adaptively evaded. One reason for the weak adversarial robustness may be that DNNs are only supervised by category labels and do not have part-based inductive bias like the recognition process of humans. Inspired by a well-known theory in cognitive psychology -- recognition-by-components, we propose a novel object recognition model ROCK (Recognizing Object by Components with human prior Knowledge). It first segments parts of objects from images, then scores part segmentation results with predefined human prior knowledge, and finally outputs prediction based on the scores. The first stage of ROCK corresponds to the process of decomposing objects into parts in human vision. The second stage corresponds to the decision process of the human brain. ROCK shows better robustness than classical recognition models across various attack settings. These results encourage researchers to rethink the rationality of currently widely-used DNN-based object recognition models and explore the potential of part-based models, once important but recently ignored, for improving robustness.
翻译:反向攻击很容易愚弄基于深层神经网络(DNNs)的物体识别系统。 尽管近年来提出了许多防御方法,但大多数防御方法仍然可以适应性地回避。 弱对抗性强力的一个原因可能是DNS只受到分类标签的监督,没有像人类认知过程那样的基于部分的诱导性诱导性偏见。在认知心理学中众所周知的理论 -- -- 逐项识别的理论的启发下,我们提出了一个新颖的物体识别模型ROCK(由具有人类先前知识的组成部分识别目标)。它首先从图像中分出部分,然后分出部分结果,预先界定人类先前的知识,最后根据分数预测结果。ROCK的第一阶段与将物体分解成人类视觉部分的过程相对应。第二个阶段与人类大脑的决策过程相对应。 ROCK在各种攻击环境的典型识别模型中显示出比典型的识别模型更牢固的力度。这些结果鼓励研究人员重新思考目前广泛使用的DNN的物体识别模型的合理性,并探索了部分模型的潜力,这些模型曾经重要但最近被忽略过,用来改进坚固性。