CN111598805A - Confrontation sample defense method and system based on VAE-GAN - Google Patents

Abstract

The invention belongs to the technical field of adversarial sample defense, and discloses a VAE-GAN-based adversarial sample defense method and system. The variational auto-encoder VAE and the generative adversarial network GAN are used to denoise the adversarial samples, and the VAE is used as a classifier to predict The processing model denoises the adversarial samples, and GAN is used to assist the training of the VAE, so that the image output of the VAE is closer to the original noise-free image. The VAE-GAN-based adversarial sample defense method provided by the present invention belongs to input preprocessing, and can learn and transfer between different classification models; it does not need to retrain the original classification network, and the training cost is low; it hardly affects the original noise-free sample classification accuracy ; Do not need to use adversarial samples, so there is no need to train adversarial samples; the defense effect against adversarial samples with less noise is also good; the preprocessing speed is fast and the output image quality is close to the original noise-free image.

Description

An adversarial sample defense method and system based on VAE-GAN

technical field

The invention belongs to the technical field of adversarial sample defense, and in particular relates to a VAE-GAN-based adversarial sample defense method and system.

Background technique

At present, deep neural networks have excellent performance on many problems that are difficult to solve by traditional machine learning. With the continuous improvement of deep neural network models, more and more deep learning solutions are slowly entering people's daily lives, such as: pattern recognition, face recognition, automatic driving, voice command recognition, etc. Despite the excellent performance of deep neural networks in various fields, Szegedy et al. have demonstrated that modern deep neural networks are very vulnerable to adversarial examples, which simply add subtle perturbations to the original image (undetectable by human vision) and can This results in the misclassification of images by the deep neural network model (as shown in Figure 5). At present, there are more and more methods for deep neural networks to resist attacks, and the disturbance required for attacks is getting smaller and smaller. Traditional methods of denoising images and reducing the degree of overfitting of deep neural networks have been unable to defend against these adversarial sample attacks. And the current defense scheme has the disadvantages of high training cost and poor defense transfer ability.

The existing defense schemes are divided into three directions: input preprocessing, improving neural network models, and only identifying whether they are adversarial samples without processing. The current defense plan is as follows:

(1) Input preprocessing: compress and reconstruct the image, scale the image, reduce the image resolution, and denoise the image;

(2) Improve the neural network model: limit the output of neurons, add non-differentiable parts to the neural network model, reduce the overfitting of the neural network, and add adversarial samples in the training set to improve the robustness of the neural network model.

(3) Only identify whether it is an adversarial sample without processing: use svm to distinguish whether the input data is an adversarial sample, and use a capsule network to distinguish whether the input data is an adversarial sample.

However, in the current defense scheme, the input preprocessing will lead to the degradation of the quality of the input image and the classification accuracy of the original noise-free image. At the same time, most of the defense schemes have a better defense effect on the adversarial samples with large disturbance, and the smaller the disturbance The defense is less effective.

Improving the neural network model will reduce the classification accuracy of the neural network model to a certain extent, but its greater disadvantage is that the network model needs to be retrained. At the same time, it only has a defensive effect under the current neural network model, and the defense strategy cannot be transferred to other network models. , and as the adversarial attack is upgraded, the defense strategy must also be upgraded (otherwise, the updated adversarial attack cannot be defended), which results in a very high network training cost for this defense.

Only identify whether it is an adversarial example without processing: Adversarial examples cannot be identified, and input data that is affected by slight random noise is sometimes misidentified.

At present, most defense strategies are trained using adversarial samples, resulting in additional training costs.

To sum up, the problems existing in the existing technology are: (1) The traditional denoising of images and reducing the degree of overfitting of deep neural networks have been unable to defend against these adversarial sample attacks, and the current defense scheme has high training costs, The disadvantage of poor defense migration ability.

(2) In the current defense scheme, the input preprocessing will lead to the degradation of the quality of the input image and the classification accuracy of the original noise-free image. At the same time, most of the defense schemes have a better defense effect on the adversarial samples with larger disturbances. The smaller the defense effect, the worse.

(3) The method of improving the neural network model needs to retrain the network model. At the same time, it only has a defensive effect under the current neural network model, and the defense strategy cannot be transferred to other network models. With the upgrade of the confrontation attack, the defense strategy should also be upgraded. (Otherwise, the updated adversarial attack cannot be defended), which results in a very high network training cost for this defense.

(4) Only identify whether it is an adversarial sample without processing: The adversarial sample cannot be identified, and sometimes the input data affected by slight random noise is misidentified. At present, most defense strategies use adversarial samples for training, resulting in high training costs.

The difficulty of solving the above technical problems: due to the continuous improvement of the algorithm of paired adversarial samples, resulting in:

The cost of generating adversarial examples is also getting lower and lower, and it is easier to generate adversarial examples for attack.

The adversarial sample attack capability is also getting stronger and stronger.

(3) The attack method also changes from pure white box attack to black box attack.

The significance of solving the above technical problems: At present, many deep learning solutions have entered people's daily life, such as face recognition, automatic driving, video detection, etc. The existence of adversarial samples brings huge risks to the use of these solutions. For example, in the face recognition system, criminals can use adversarial samples to impersonate the identity of others, invade the internal systems of governments or companies, and steal confidential information. Or, in the process of automatic driving, using adversarial samples to cover the real road signs, the vehicle automatic driving system will not be able to make correct decisions on the road signs, resulting in serious traffic accidents. Therefore, when designing a security-critical deep learning solution, it is necessary to consider how to defend against adversarial attacks. The existence of adversarial examples greatly limits the use of deep learning solutions, so it is of great practical significance to study how to effectively defend against adversarial examples.

SUMMARY OF THE INVENTION

In view of the problems existing in the prior art, the present invention provides an adversarial sample defense method based on VAE-GAN, which aims to solve the existing adversarial sample defense schemes such as high defense training cost, poor generality of the defense scheme, and the possibility that the defense scheme may lead to the original The classification accuracy of the classifier decreases and so on.

The present invention is implemented by a VAE-GAN-based adversarial sample defense method, which uses a variational autoencoder (VAE) and a generative adversarial network (GAN) to perform adversarial samples on adversarial samples. Denoising, VAE is used as the preprocessing model of the classifier to denoise the adversarial samples, and GAN is used to assist the training of VAE, so that the image output of VAE is closer to the original noise-free image.

Further, the VAE-GAN-based adversarial sample defense method includes the following steps:

Step 1, select the appropriate network structure to construct the VAE-GAN training network.

The second step is to train the VAE-GAN network.

Step 3, use the VAE-GAN module as a classifier preprocessing module to defend against adversarial sample attacks.

The fusion VAE-GAN model of VAE and GAN is used to defend against adversarial sample attacks. The model is shown in Figure 6. Through step 2, a VAE-GAN noise reduction model specially designed for adversarial samples is trained as the preprocessing block of the classifier. Any input The samples to the classifier need to be denoised by the VAE-GAN model first, and then sent to the classifier model for classification, so that the classifier can correctly identify the adversarial samples.

Further, in step 1, the method for selecting an appropriate network structure to construct a VAE-GAN training network is as follows:

Select the appropriate network structure to build the VAE-GAN training network. The neural network structure selected for different VAEs and GANs of the classifier is also different. For small data sets VAE and GAN choose to use DNN structure. For large data sets VAE and GAN are used. Need to choose a deeper neural network or a convolutional neural network.

Further, in step 1, the VAE-GAN includes two parts: a VAE part and a GAN part. The main function of VAE is to denoise the input image, and then use GAN to make the distribution of the VAE reconstructed image as close to the original image distribution as possible to ensure that the image quality after noise removal is close to the original noise-free image.

VAE can be divided into Encoder encoding part and Decoder decoding part. The Encoder mainly maps the input image samples into two sets of n-dimensional vectors (mean vector and standard deviation vector). The Decoder mainly restores these two sets of n-dimensional vectors to the original image samples after adding noise. The present invention uses GAN to assist in training the Decoder of the variational auto-encoder, thereby improving the quality of the image generated by the variational auto-encoder (VAE). GAN consists of two parts: the generator (Generator) converts the one-dimensional vector z into an image, and the discriminator (Discriminator) is used to identify whether the input image is a real image or a generator-generated image. In the decoding/generating network, the decoding network of VAE and the generating network of GAN share this part of the network parameters. For the convenience of description, it will be collectively referred to as the decoding network.

Further, in step 2, the method for training the VAE-GAN network is as follows:

After completing the network construction of VAE-GAN, the optimization goal of the entire network needs to be determined first. The VAE-GAN defense model includes three networks, namely the encoding network, the decoding network and the discriminant network. The optimization goals of the three networks are different. same.

The overall optimization objective function of the model is defined as follows:

表示解码网络的输出，D表示判别网络，G表示生成网络(解码网络)，γ为引入的超参数，一般取值为0.2。where σ and μ represent the mean and variance of the posterior distribution of the latent variable z, and x represents the original image (not necessarily the input image),

Represents the output of the decoding network, D represents the discriminative network, G represents the generation network (decoding network), γ is the introduced hyperparameter, and the general value is 0.2.

The corresponding model overall loss function is:

After defining the objective function, the model can be trained directly by gradient descent (SGD) or other optimization algorithms.

Another object of the present invention is to provide a VAE-GAN based adversarial example defense control system implementing the VAE-GAN based adversarial example defense method.

Another object of the present invention is to provide a computer program product stored on a computer-readable medium, including a computer-readable program that, when executed on an electronic device, provides a user input interface to implement the VAE-GAN-based countermeasures Sample defense methods.

Another object of the present invention is to provide a computer-readable storage medium storing instructions that, when the instructions are executed on a computer, cause the computer to execute the VAE-GAN-based adversarial sample defense method.

To sum up, the advantages and positive effects of the present invention are as follows: the VAE-GAN-based adversarial sample defense method provided by the present invention belongs to input preprocessing, and can learn and transfer between different classification models; no need to retrain the original classification network, The training cost is low; the classification accuracy of the original noise-free samples is hardly affected; the adversarial samples are not required, so there is no need to train the adversarial samples; the defense effect of the adversarial samples with less noise is also very good; the preprocessing speed is fast and the output image The quality is close to the original noise-free image. Experiments show that the classification accuracy of ordinary samples after noise reduction by the VAE-GAN model is only reduced by 1 to 4%, indicating that the defense model hardly affects the classifier's recognition of ordinary samples; under the condition of black and white boxes, after VAE-GAN The classification accuracy of the adversarial samples after model noise reduction is 2-24% lower than that of the original samples.

It is proved that the present invention can indeed defend against the attack of adversarial samples, and basically has little effect on the classification accuracy of the classifier.

Description of drawings

FIG. 1 is a flowchart of a method for adversarial sample defense based on VAE-GAN provided by an embodiment of the present invention.

FIG. 2 is a structural diagram of a VAE-GAN provided by an embodiment of the present invention.

FIG. 3 is a schematic diagram of a VAE as a preprocessing module of a classifier to defend against an adversarial sample attack provided by an embodiment of the present invention.

FIG. 4 is a noise reduction effect diagram of a VAE after 209 times of training provided by an embodiment of the present invention.

FIG. 5 is a schematic diagram of a deep neural network against an attack provided by an embodiment of the present invention.

FIG. 6 is a model diagram of an adversarial sample attack defense model provided by an embodiment of the present invention using a fusion VAE-GAN model of VAE and GAN.

Detailed ways

In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention, but not to limit the present invention.

Traditional denoising of images and reducing the degree of overfitting of deep neural networks have been unable to defend against these adversarial sample attacks, and the current defense schemes have the disadvantages of high training cost and poor defense transfer ability.

In the current defense scheme, the input preprocessing will lead to the degradation of the quality of the input image and the classification accuracy of the original noise-free image. At the same time, most of the defense schemes have a better defense effect on the adversarial samples with larger disturbance, and the smaller the disturbance, the better the defense effect. the worse.

The method of improving the neural network model requires retraining the network model, and at the same time, it only has a defensive effect under the current neural network model, and the defense strategy cannot be transferred to other network models. defense against updated adversarial attacks), which results in an extremely high network training cost for this defense.

Only identify whether it is an adversarial example without processing: Adversarial examples cannot be identified, and input data that is affected by slight random noise is sometimes misidentified. At present, most defense strategies use adversarial samples for training, resulting in extra training costs.

In view of the problems existing in the prior art, the present invention provides a method and system for adversarial sample defense based on VAE-GAN. The present invention is described in detail below with reference to the accompanying drawings.

The VAE-GAN-based adversarial sample defense method provided by the embodiment of the present invention uses a variational autoencoder (VAE) and a generative adversarial network (GAN) to denoise the adversarial samples, and the VAE-GAN module is used as a preprocessing model for the classifier. The adversarial samples are denoised, and the GAN is used to assist the training of the VAE, so that the image output by the VAE is closer to the original noise-free image.

As shown in FIG. 1 , the VAE-GAN-based adversarial sample defense method provided by the embodiment of the present invention includes the following steps: 2

S101, select an appropriate network structure to construct a VAE-GAN training network.

S102, train the VAE-GAN network.

S103, use the trained VAE-GAN model as a preprocessing module of the classifier to defend against adversarial sample attacks.

In step S103, the fusion VAE-GAN model of VAE and GAN is used to defend against adversarial sample attacks. The model is shown in Figure 6. Step S102 is used to train a VAE-GAN noise reduction model specifically for adversarial samples as the preprocessing of the classifier. Block, any sample input to the classifier needs to be denoised by the VAE-GAN model first, and then sent to the classifier model for classification, so that the classifier can correctly identify the adversarial samples.

The present invention will be further described below in conjunction with specific analysis.

Adversarial samples: Adversarial samples, proposed by Christian Szegedy et al., refer to input samples formed by deliberately adding subtle disturbances to a dataset, causing the model to give an incorrect output with high confidence.

Generative Adversarial Network (GAN): Generative Adversarial Networks (GAN) is a deep learning model and one of the most promising approaches for unsupervised learning on complex distributions in recent years. The model produces fairly good outputs through mutual game learning of (at least) two modules in the framework: Generative Model and Discriminative Model.

Variational Autoencoder (VAE): A variational autoencoder consists of a pair of interconnected neural networks, where the input neural network is the encoder and the output neural network is the decoder. The encoder converts the input data into two sets of n-dimensional vectors: the mean vector μ and the standard deviation vector σ. The decoder restores these two sets of n-dimensional vectors to the original input data.

The present invention will be further described below in conjunction with specific embodiments.

There are three main problems in the existing adversarial sample defense schemes: high cost of defense training, poor generality of defense schemes, and a decrease in the classification accuracy of the original classifier due to the defense scheme. In view of the above problems, the solution of the present invention proposes an adversarial sample defense scheme that uses variational autoencoder (VAE) and generative adversarial network (GAN) to denoise adversarial samples. VAE is used as the preprocessing model of the classifier to denoise the adversarial samples, and GAN is used to assist the training of the VAE, so that the image output of the VAE is closer to the original noise-free image. Due to the different classifier performance and datasets that need to be defended, the neural network structure used by VAE and GAN is also different (select the appropriate network structure according to the needs of the classifier to reduce training costs). This defense scheme is divided into three steps: select an appropriate network structure to build a VAE-GAN training network, train the VAE-GAN network, and use the VAE module as a classifier preprocessing module to defend against adversarial sample attacks.

(1) Select the appropriate network structure to build the VAE-GAN training network. For different classifiers, the neural network structure selected by VAE and GAN is also different. For small data sets VAE and GAN can choose to use DNN structure, for large data. To set VAE and GAN, it is necessary to choose a deeper neural network or a convolutional neural network. The structure of the constructed VAE-GAN is shown in Figure 2.

The VAE-GAN shown in Figure 2 consists of two parts: the VAE part and the GAN part. The main function of VAE is to denoise the input image, and then use GAN to make the distribution of the VAE reconstructed image as close to the original image distribution as possible to ensure that the image quality after noise removal is close to the original noise-free image. VAE can be divided into Encoder encoding part and Decoder decoding part. The Encoder mainly maps the input image samples into two sets of n-dimensional vectors (mean vector and standard deviation vector). The Decoder mainly restores these two sets of n-dimensional vectors to the original image samples after adding noise. The image generated by traditional VAE is relatively blurry, and the image quality after denoising the image with VAE is much lower than the original image quality. The present invention uses GAN to assist in training the Decoder of the variational auto-encoder, thereby improving the quality of the image generated by the variational auto-encoder (VAE). GAN consists of two parts: the generator (Generator) converts the one-dimensional vector z into an image, and the discriminator (Discriminator) is used to identify whether the input image is a real image or a generator-generated image.

(2) The training of the VAE-GAN model. After completing the network construction of the VAE-GAN, the optimization goal of the network needs to be determined first. The VAE-GAN in the present invention has three optimization goals, which correspond to the VAE-GAN defense. The three networks included in the model, the optimization objective function is defined as follows:

The three networks (encoder network, decoding network and discriminator network) included in the VAE-GAN defense model proposed by the present invention have different optimization objectives.

For the encoder, due to the change of the application scenario, the input image is divided into the original image and the tampered image containing attack information (noise). The optimization target is the same as that of the ordinary VAE encoder, but the meaning of each variable has changed greatly. The encoder optimization objective defined by the present invention is as follows:

表示解码器的输出。相应的编码器损失函数可以表示为：where σ and μ represent the mean and variance of the posterior distribution of the latent variable z, and x represents the original image (not necessarily the input image),

represents the output of the decoder. The corresponding encoder loss function can be expressed as:

For the decoder, its optimization objective consists of two parts: the reconstruction loss of VAE and the loss of the generator (decoder) of GAN. The decoder optimization target defined by the present invention is as follows:

where D represents the discriminator and G represents the generator (decoder). Since the reconstruction error of the decoder network at the beginning of training will be much larger than the loss of the GAN generator, the decoder network will not be able to learn the distribution features provided by the GAN, and the hyperparameter γ is introduced to characterize the two parts of the loss, and the hyperparameter is introduced. The post-decoder optimization objective is as follows:

The hyperparameter γ is only used when updating the decoder network, and γ generally takes a value of 0.2. The corresponding decoder network can be expressed as:

For the discriminator network, the optimization objective is the same as that of the ordinary GAN discriminator network:

The loss function of the corresponding discriminator network can be expressed as:

The overall optimization objective of the model is:

The corresponding model overall loss function is:

After defining the objective function, you can directly train the model through gradient descent (SGD) or other optimization algorithms. The training process is as follows:

；计算VAE编码器网络的损失函数；计算解码器网络的损失函数；计算判别器网络的损失函数；按顺序更新三个网络中的参数。The steps involved: select a batch of image samples x _r from the training set; randomly add adversarial perturbations to the image samples x _r to obtain x ^* ; calculate the mean and variance μ and σ of the posterior probability distribution of the latent variable z through the encoder network; The latent variable z is obtained by sampling the posterior distribution of the hidden variable z; the hidden variable z is restored to a noise-free image through the decoding network

; Calculate the loss function of the VAE encoder network; calculate the loss function of the decoder network; calculate the loss function of the discriminator network; update the parameters in the three networks in order.

(3) After the VAE-GAN model training is completed, the VAE-GAN module can be used to complete the defense against the sample, and the defense deployment is shown in Figure 3.

The present invention will be further described below in conjunction with specific experiments.

The experimental hardware environment is: Intel Xeon E-5-2678v3 processor, 64G memory, GPU model is NVIDIA RTX2080, and the video memory size is 8G. The software environment used in the experiment is: Ubuntu16.04 operating system, the programming language is python3, the development environment is PyCharm, and the machine learning framework used is TensorFlow1.15.1. This example uses the MNIST data set. In order to verify the effectiveness of the strategy based on VAE-GAN to defend against adversarial samples under white-box attacks, the MNIST data set is used to train two classifiers, MNIST_A and MNIST_B.

As shown in Table 1-1, MNIST_A has a total of 6 layers of networks, of which the first three convolution layers have 64, 128, and 128 convolution kernels, respectively, and the size of the convolution kernel is 2; the first two layers of convolution kernel step size is 2 , the last layer of convolution kernel has a stride of 1; the activation functions are all ReLU functions. The fourth layer is a flattening layer used to convert multi-dimensional input into one-dimensional output; the fifth fully connected layer contains a total of 100 neurons, and the activation function is the ReLU function; the last layer is the Softmax layer to output the classification result.

Table 1-1 MNIST dataset classifier model MNIST_A network structure

Table 1-2 MNIST dataset classifier model MNIST_B network structure

As shown in Table 1-2, MNIST_B has a total of 10 layers of network. The first and second convolutional layers have 64 convolution kernels. The size of the convolution kernel is 3x3. The filling mode is SAME; the third layer is the pooling layer, the pooling method is the maximum pooling method, and the pooling kernel size is 2x2; the fourth and fifth layers are both convolutional layers with 128 convolution kernels. The size of the convolution kernel is 3x3, the moving step size of the convolution kernel is 1, and the edge filling mode is VALID; the seventh layer is the pooling layer, the pooling method is the maximum pooling method, and the size of the pooling kernel is; The eighth and ninth layers are fully connected layers containing 100 neurons and 100 neurons respectively, and the activation functions are all ReLU functions; the last layer is the Softmax layer, which is used to output the classification results.

The training parameters of the classifier are set as follows: for both MNIST_A and MNIST_B models, the learning rate is set to 0.001 during training, and each batch is trained in parallel on 100 images, with training periods of 20 and 25, respectively.

Then it is necessary to generate adversarial samples for attacking the deep learning system, and use the FGSM algorithm and the BIM algorithm to conduct random targeted attacks and untargeted attacks on the four attack and defense target models, and generate the confrontation with L _∞ norm distances of 0.03, 0.05 and 0.1 There are 10,000 samples each (10,000 samples are generated for each distance of each model) as the attack and confrontation samples of the FGSM algorithm and the BIM algorithm; the Deepfool algorithm is used to conduct untargeted attacks on the 4 attack and defense target models, and the generated L ₂ norm distance is 0.03 , 0.05, and 0.1 adversarial samples, each with 10,000 adversarial samples, as the attack adversarial samples of the Deepfool algorithm; using the C&W algorithm to conduct random targeted attacks and non-targeted attacks on the four attack and defense target models, the generated L _∞ norm distances are 0.03, 0.05 and There are 10,000 adversarial samples of 0.1 each, as the attacking adversarial samples of the C&W algorithm. The adversarial samples generated above are used to train the defense model of the embodiment to obtain a defense model. Two defense models, VGMA and VGMB, are obtained by training on the MNIST dataset. VGMA represents the defense model obtained from the adversarial samples generated by the MNIST_A model, and VGMB represents the defense model obtained from the adversarial samples generated by the MNIST_B model.

Then the experimental results of the white-box attack are obtained. In order to test and objectively evaluate the performance of the defense model proposed in the present invention against adversarial sample attacks, in this embodiment, four defense methods with good effects are selected as reference, and a comparison experiment is carried out with the proposed strategy. The four defense methods are: Adversarial FGSM based on FGSM adversarial training, Adversarial BIM based on BIM adversarial training, Distillation Defend and image compression and reconstruction based adversarial Sample Defense Method (ComDefend). The results of defense models against white-box attacks in the MNIST dataset are shown in Table 1-5 and Table 1-6.

Each row represents a defense model, and each column represents an attack algorithm. Considering that the attack algorithm can generate adversarial samples of different scales, each data item includes three sub-items, representing the size of the attack algorithm perturbation (L _∞ for FGSM and BIM metrics, L ₂ for Deepfool and C&W metrics) is 0.03 , 0.05, and classification accuracy under 0.1.

Table 1-5 shows the test results of defending against white-box attacks on the MINIST_A model. Among them, Clean means that no processing is performed on the input image, which is to compare the impact of the defense model on the original classification effect. It can be seen that the classification accuracy of the MNIST_A classifier is 94%. After the introduction of the defense strategy, the classification accuracy is reduced. However, the VGMA model and the VGMB model of the present invention are less affected and still have an accuracy of 93%. . This shows that the model of the present invention hardly affects the performance of the classifier under the premise of ensuring safety. Further observation shows that for FGSM attacks, the top three models with the best defense effects are Adversarial FGSM, VGMA, and ComDefend; for BIM attacks, the top three models with the best defense effects are VGMA, VGMB, and Adversarial BIM; Deepfool attack, the top three models with the best defense effect are VGMA, ComDefend, and VGMB; for the C&W model, the top three models with the best defense effect are VGMB, VGMA, and ComDefend. It can be found that the VGM model of the present invention can effectively defend against various attack methods, and the classification accuracy rate in the worst case is 71%. Adversarial FGSM, Adversarial BIM, and Distillation Defend defense models all have obvious shortcomings. Although ComDefend has no obvious shortcomings, its performance index is slightly inferior to the VGMA and VGMB models of the present invention. Considering that VGMB uses the MINIST_B classifier for training, but still has a good effect, this shows that the model of the present invention has a certain transfer ability.

Table 1-5 Classification accuracy (%) of defense against white-box attacks on the MNIST_A model

Table 1-6 uses the MNIST_B model for classification. Compared with MNIST_A, MNIST_B has a better classification effect on the dataset, and the classification accuracy rate reaches 98%. In the absence of attacks, the VGMA and VGMB of the present invention still have a classification accuracy of 95%. Similarly, it can be found that Adversarial FGSM, Adversarial BIM, DistillationDefend, ComDefend defense models have obvious shortcomings, and the worst case of the model of the present invention is that the classification accuracy is 75%.

Table 1-6 Classification accuracy (%) of defense against white-box attacks on the MNIST_B model

MNIST_A and MNIST_B were tested on the same dataset with different classifiers and reached similar conclusions. The above experiments prove that under different classifiers, the adversarial sample defense method based on VAE-GAN proposed by the present invention has little impact on the classification of normal samples, and has a good defense effect on different white-box attack methods, and has no obvious short-term defense. plate.

After 209 times of training, the VAE denoising effect is shown in Figure 4. It can be seen from the figure that the implantation of the adversarial sample makes a certain program of "noise" appear on the original image, and the image restored after the noise reduction of the VAE-GAN model is similar to the original image. This shows that the VAE-GAN model can better restore the adversarial samples to the original samples, which is also an important reason why the VAE-GAN model can defend against adversarial samples.

The above descriptions are only preferred embodiments of the present invention and are not intended to limit the present invention. Any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention shall be included in the protection of the present invention. within the range.

Claims (8)

1. An adversarial sample defense method based on VAE-GAN is characterized in that, the adversarial sample defense method based on VAE-GAN uses variational autoencoder VAE and generative adversarial network GAN to denoise the adversarial sample, and utilizes GAN assists the training of the variational autoencoder VAE, so that the image results output by the variational autoencoder VAE are close to the original noise-free image. 2. The method for defending against samples based on VAE-GAN as claimed in claim 1, wherein the method for defending against samples based on VAE-GAN comprises the following steps: Step 1, select the appropriate network structure to build the VAE-GAN training network; Step 2, train the VAE-GAN network; Step 3, use the VAE-GAN module as a classifier preprocessing module to defend against adversarial sample attacks. 3. The adversarial sample defense method based on VAE-GAN as claimed in claim 1, is characterized in that, in step 1, described selecting suitable network structure constructs the method for VAE-GAN training network as follows: Select the appropriate network structure to build the VAE-GAN training network. The neural network structure selected for different VAEs and GANs of the classifier is also different. For small data sets VAE and GAN choose to use DNN structure. For large data sets VAE and GAN are used. Need to choose a deeper neural network or a convolutional neural network. 4. The method for adversarial sample defense based on VAE-GAN as claimed in claim 1, wherein in step 1, the VAE-GAN comprises two parts: a VAE part and a GAN part; the main function of the VAE is to convert the input The image is denoised, and then the GAN is used to make the VAE reconstructed image distribution as close to the original image distribution as possible; VAE can be divided into Encoder encoding part and Decoder decoding part; Encoder mainly maps the input image samples into two sets of n-dimensional vectors, mean vector and standard deviation vector; Decoder mainly adds noise to these two sets of n-dimensional vectors and restores them as The original image sample is assisted by GAN to train the Decoder of the variational auto-encoder; GAN consists of two parts: the generator Generator converts the one-dimensional vector z into an image, and the discriminator Discriminator is used to identify whether the input image is a real image or generated by a generator Image, the decoding network of VAE and the generation network of GAN share network parameters. 5. The method for adversarial sample defense based on VAE-GAN as claimed in claim 1, wherein in step 2, the method for training the VAE-GAN network is as follows: After completing the network construction of VAE-GAN, the optimization objective of the entire network needs to be determined first. The overall optimization objective function of the model is:

where σ and μ represent the mean and variance of the posterior distribution of the latent variable z, x represents the original image,

represents the output of the decoding network, D represents the discriminative network, G represents the generation network, γ is the introduced hyperparameter, and the value is 0.2; The corresponding model overall loss function is:

After defining the objective function, the model is trained by gradient descent or other optimization algorithms. 6. A VAE-GAN-based adversarial sample defense control system implementing the VAE-GAN-based adversarial sample defense method according to any one of claims 1 to 5. 7. A computer program product stored on a computer-readable medium, comprising a computer-readable program, when executed on an electronic device, providing a user input interface to implement the VAE-based system according to any one of claims 1 to 5 Adversarial example defense methods for GANs. 8 . A computer-readable storage medium storing instructions, which when executed on a computer, cause the computer to execute the VAE-GAN-based adversarial sample defense method according to any one of claims 1 to 5 .

Images