Page 135 - Journal of Software (《软件学报》), 2020, Issue 9
Journal of Software (Ruan Jian Xue Bao), ISSN 1000-9825, CODEN RUXUEW, E-mail: jos@iscas.ac.cn
Journal of Software,2020,31(9):2756−2769 [doi: 10.13328/j.cnki.jos.005943] http://www.jos.org.cn
© Institute of Software, Chinese Academy of Sciences. All rights reserved. Tel: +86-10-62562563
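Improving Single-Model Robustness via Feature Fusion and Ensemble Diversity ∗
WEI Fan (韦璠), SONG Yun-Fei (宋云飞), SHAO Ming-Li (邵明莉), LIU Tian (刘天), CHEN Xiao-Hong (陈小红), WANG Xiang-Feng (王祥丰), CHEN Ming-Song (陈铭松)
(Shanghai Key Laboratory of Trustworthy Computing (East China Normal University), Shanghai 200062)
Corresponding author: CHEN Ming-Song, E-mail: mschen@sei.ecnu.edu.cn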
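Abstract: Using deep neural networks to process the massive image data produced by the rapid growth in Internet of Things (IoT) devices
is an inevitable trend. However, because deep neural networks are vulnerable to adversarial examples, they are easily attacked, which
endangers the security of the IoT. How to improve model robustness has therefore become a very important topic. In general, ensemble
models defend better than single-model defense methods, but the limited computing power of IoT devices makes ensemble models difficult
to deploy. To this end, a model transformation and training method is proposed that achieves the defensive effect of an ensemble model
on a single model: additional branches are added to the base model; a feature pyramid is used to fuse features across the branches; and
an ensemble diversity computation is introduced to assist training. Experiments on MNIST and CIFAR-10, the two most commonly used
datasets in image classification, show that the method significantly improves model robustness. Classification accuracy under four
gradient-based attacks such as FGSM improves more than fivefold, and classification accuracy under the JSMA, C&W and EAD attacks can
reach 10 times that of the original model. At the same time, the method does not interfere with the model's classification accuracy on
clean samples, and it can be combined with adversarial training to obtain a better defensive effect.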
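Keywords: Internet of Things; feature fusion; ensemble diversity; model defense; robustness; adversarial examples
Chinese Library Classification number: TP183
Citation format (Chinese): Wei F, Song YF, Shao ML, Liu T, Chen XH, Wang XF, Chen MS. Improving single-model robustness via feature fusion and ensemble diversity. Journal of Software (Ruan Jian Xue Bao),
2020,31(9):2756−2769. http://www.jos.org.cn/1000-9825/5943.htm
Citation format (English): Wei F, Song YF, Shao ML, Liu T, Chen XH, Wang XF, Chen MS. Improving adversarial robustness on single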
model via feature fusion and ensemble diversity. Ruan Jian Xue Bao/Journal of Software, 2020,31(9):2756−2769 (in Chinese).
http://www.jos.org.cn/1000-9825/5943.htm
Improving Adversarial Robustness on Single Model via Feature Fusion and Ensemble
Diversity
WEI Fan, SONG Yun-Fei, SHAO Ming-Li, LIU Tian, CHEN Xiao-Hong, WANG Xiang-Feng,
CHEN Ming-Song
(Shanghai Key Laboratory of Trustworthy Computing (East China Normal University), Shanghai 200062, China)
Abstract: Using deep neural networks (DNNs) to process the massive image data generated by the rapid increase of
Internet of Things (IoT) devices is an inevitable trend. However, because DNNs are vulnerable to adversarial examples, they are easily attacked, which endangers
the security of the IoT. How to improve the robustness of the model has therefore become an important topic. Usually, the defensive performance
of an ensemble model is better than that of a single model, but the limited computing power of IoT devices makes ensemble models
difficult to apply. Therefore, this study proposes a novel model transformation and training method that achieves, on a single model, a
defense effect similar to that of an ensemble model: adding additional branches to the base model; using feature pyramids to fuse features; and
introducing ensemble diversity for training. Experiments on common datasets such as MNIST and CIFAR-10 show that this method can
significantly improve robustness. The accuracy increases more than fivefold against four gradient-based attacks such as FGSM, and
∗ Foundation item: National Key Research and Development Program of China (2018YFB2101300); National Natural Science
Foundation of China (61872147)
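This article was recommended by Prof. Wang Quan (王泉), Prof. Wu Zhonghai (吴中海), Prof. Chen Yixiang (陈仪香) and Prof. Miao Qiguang (苗启广), guest editors of the special issue "Intelligent Embedded Systems".
Received: 2019-07-01; Revised: 2019-08-18; Accepted: 2019-11-02; jos online publication: 2020-01-13
CNKI online-first publication: 2020-01-14 11:27:05, http://kns.cnki.net/kcms/detail/11.2560.TP.20200114.1126.024.html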