Deep neural networks (DNNs) have been widely used in many fields. However, studies have shown that DNNs are easily fooled by adversarial examples, inputs carrying tiny perturbations that severely mislead a DNN's predictions. Furthermore, even when malicious attackers cannot access the underlying model parameters, they can still use adversarial examples to attack various DNN-based task systems. Researchers have proposed various defense methods to protect DNNs, such as weakening adversarial examples through input preprocessing or improving model robustness by adding defensive modules. However, some defenses are effective only against small-scale examples or small perturbations and offer limited protection against adversarial examples with large perturbations. This paper grades the perturbation on each input example and assigns different defense strategies to perturbations of different strengths. Experimental results show that the proposed method effectively improves defense performance. In addition, the proposed method does not modify the task model and can be deployed as a preprocessing module, which significantly reduces deployment cost in practical applications.
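To make the grading-and-dispatch idea concrete, the following is a minimal, hypothetical sketch, assuming a residual-energy score as the grading criterion and bit-depth reduction / mean filtering as stand-in defenses; all function names, thresholds, and defense choices here are illustrative assumptions rather than the paper's actual components.

```python
import numpy as np
from scipy.ndimage import uniform_filter

def estimate_perturbation_level(x, denoised):
    """Illustrative grading score: residual energy between the input and a
    denoised copy (a larger residual suggests a stronger perturbation)."""
    return float(np.mean((x - denoised) ** 2))

def mild_defense(x):
    # Stand-in for a lightweight preprocessing defense:
    # bit-depth reduction (quantize pixel values to 16 levels).
    return np.round(x * 15) / 15

def strong_defense(x):
    # Stand-in for a heavier preprocessing defense:
    # a 3x3 mean filter applied per channel.
    return uniform_filter(x, size=(3, 3, 1))

def graded_defense(x, low_thr=1e-4, high_thr=1e-3):
    """Route the input to a defense matched to its graded perturbation level.
    The thresholds are hypothetical and would be tuned on validation data."""
    denoised = strong_defense(x)
    score = estimate_perturbation_level(x, denoised)
    if score < low_thr:        # near-clean input: pass through unchanged
        return x
    elif score < high_thr:     # small perturbation: mild preprocessing
        return mild_defense(x)
    else:                      # large perturbation: strong preprocessing
        return strong_defense(x)

# Usage: a random "image" in [0, 1] with shape H x W x C stands in for input data.
x = np.random.rand(32, 32, 3).astype(np.float32)
x_defended = graded_defense(x)
```

Because the routing happens entirely on the input side, a module of this kind can sit in front of an unmodified task model, which is the deployment property the abstract emphasizes.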