利用特征融合和整体多样性提升单模型鲁棒性

使用深度神经网络处理物联网设备的急剧增加产生的海量图像数据是大势所趋.但由于深度神经网络对于对抗样本的脆弱性，它容易受到攻击而危及物联网的安全，所以如何提高模型的鲁棒性就成了一个非常重要的课题.通常情况下组合模型的防御表现要优于单模型防御方法，但物联网设备有限的计算能力使得组合模型难以应用.为此本文提出一种在单模型上实现组合模型防御效果的模型改造及训练方法：在基础模型上添加额外的分支；使用特征金字塔对分支进行特征融合；引入整体多样性计算辅助训练.通过在MNIST和CIFAR-10这两个图像分类领域最常用的数据集上的实验表明，本方法能够显著提高模型的鲁棒性，在FGSM等四种基于梯度的攻击下的分类正确率有5倍以上提高，在JSMA、C&W以及EAD攻击下的分类正确率可达到原模型的10倍，同时不干扰模型对干净样本的分类精度，也可与对抗训练方法联合使用获得更好的防御效果.

Improving Adversarial Robustness on Single Model via Feature Fusion and Ensemble Diversity

It is an inevitable trend to use deep neural network to process the massive image data generated by the rapid increase of IoT devices. However, as the DNN is vulnerable to adversarial examples, it is easy to be attacked and would endanger the security of the Internet of Things. So how to improve the robustness of the model has become a important topic. Usually, the defensive performance of the ensemble model is better than the single model, but the limited computing power of the IoT device makes the ensemble model difficult to apply. Therefore, this paper proposes a novel model transformation and training method on a single model to achieve similar defense effect like ensemble model:adding additional branches to the base model; using feature pyramids to fuse features; introducing ensemble diversity for training. Experiments on the common datasets, like MNIST and CIFAR-10, show that this method can significantly improve the robustness. The accuracy increases more than fivefold against four gradient-based attacks such as FGSM, and can be up to 10 times while against JSMA, C&W and EAD. This method does not disturb the classification of clean examples, and could obtain better performance while conbining adversarial training.