Journal of Software (Ruan Jian Xue Bao) ISSN 1000-9825, CODEN RUXUEW E-mail: jos@iscas.ac.cn
2025,36(5):2114−2129 [doi: 10.13328/j.cnki.jos.007188] [CSTR: 32375.14.jos.007188] http://www.jos.org.cn
© Institute of Software, Chinese Academy of Sciences. All rights reserved. Tel: +86-10-62562563
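Label Screening Method for Generalization and Robustness Trade-off in Convolutional Neural Network*
WANG Yi-Min, LONG Xian-Zhong, LI Yun, XIONG Jian
(School of Computer Science, School of Software, School of Cyberspace Security, Nanjing University of Posts and Telecommunications, Nanjing, Jiangsu 210023, China)
Corresponding author: LONG Xian-Zhong, E-mail: lxz@njupt.edu.cn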
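Abstract: Convolutional neural networks are widely used in image recognition because of their excellent generalization performance, yet adversarial samples contaminated by noise can easily fool a fully trained network model, which creates a security risk. Many existing defense methods improve model robustness, but most of them unavoidably sacrifice model generalization. To alleviate this problem, a label-screening weight parameter regularization method is proposed, which uses the label information of samples during training to trade off the generalization and robustness of the model. Many earlier robust training methods have the following two problems: 1) most of them improve robustness by increasing the number or complexity of training samples, which not only weakens the dominant role of clean samples in training but also greatly increases the training workload; 2) apart from being compared with the model's predictions to control the direction of parameter updates, the label information of samples is hardly used for anything else during training, which overlooks the further information hidden in the sample labels. The proposed method uses the correct label of a sample and the classification label of its adversarial sample to screen out the weight parameters that play a decisive role when the model classifies that sample, and regularizes these parameters to achieve a trade-off between model generalization and robustness. Experiments and analysis on the MNIST, CIFAR-10 and CIFAR-100 datasets show that the proposed method achieves good training results.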
Keywords: convolutional neural network; adversarial learning; label information; regularization
Chinese Library Classification number: TP18
Citation format (Chinese): Wang YM, Long XZ, Li Y, Xiong J. Label screening method for generalization and robustness trade-off in convolutional neural network. Journal of Software, 2025, 36(5): 2114–2129. http://www.jos.org.cn/1000-9825/7188.htm
Citation format (English): Wang YM, Long XZ, Li Y, Xiong J. Label Screening Method for Generalization and Robustness Trade-off in Convolutional Neural Network. Ruan Jian Xue Bao/Journal of Software, 2025, 36(5): 2114–2129 (in Chinese). http://www.jos.org.cn/1000-9825/7188.htm
Label Screening Method for Generalization and Robustness Trade-off in Convolutional Neural
Network
WANG Yi-Min, LONG Xian-Zhong, LI Yun, XIONG Jian
(School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China)
Abstract: Although convolutional neural networks (CNNs) are widely used in image recognition due to their excellent generalization
performance, adversarial samples contaminated by noise can easily deceive fully trained network models, posing security risks. Many
existing defense methods improve the robustness of models, but most inevitably sacrifice model generalization. To alleviate this issue, a
label-filtered weight parameter regularization method is proposed to balance the generalization and robustness of models using the label
information of samples during model training. Many previous robust model training methods suffer from two main issues: 1) The
robustness of models is mainly enhanced by increasing the quantity or complexity of training set samples, which not only diminishes the
dominant role of clean samples in model training but also significantly increases the workload of training tasks. 2) The label information
of samples is used only to compare with model predictions to control the direction of model parameter updates, neglecting the additional
information hidden in sample labels. The proposed method uses the correct labels of samples and the classification labels of adversarial
samples to screen out the weight parameters that play a decisive role in classifying each sample, and applies regularization to these parameters to
* Funding: National Natural Science Foundation of China (62371254, 61906098)
Received: 2023-11-07; Revised: 2023-12-24, 2024-02-18; Accepted: 2024-03-15; JOS online publication: 2024-06-14
CNKI online-first publication: 2024-06-17