基于复合生成对抗网络的对抗样本生成算法研究

对抗样本能够作为训练数据辅助提高模型的表达能力,还能够评估深度学习模型的稳健性.然而,通过在一个小的矩阵范数内扰乱原始数据点的生成方式,使得对抗样本的规模受限于原始数据.为了更高效地获得任意数量的对抗样本,探索一种不受原始数据限制的对抗样本生成方式具有重要意义.鉴于此,提出一种基于生成对抗网络的对抗样本生成模型(multiple attack generative adversarial networks, M-AttGAN).首先,将模型设计为同时训练2组生成对抗网络,分别对原始数据样本分布和模型潜在空间下的扰动分布进行建模;然后,训练完成的M-AttGAN能够不受限制地高效生成带有扰动的对抗样本,为对抗训练和提高深度神经网络的稳健性提供更多可能性;最后,通过MNIST和CIFAT-10数据集上的多组实验,验证利用生成对抗网络对数据分布良好的学习能力进行对抗样本生成是可行的.实验结果表明,相较于常规攻击方法,M-AttGAN不仅能够脱离原始数据的限制生成高质量的对抗样本,而且样本具备良好的攻击性和攻击迁移能力.

Research on generative adversarial example algorithm based on multiple GANs

Attack examples can not only be used as training data to improve the expressive ability of the model but also can be used to evaluate the robustness of the deep learning model. However, the size of the attack examples is limited to the original data by perturbing an existing data point within a small matrix norm. In order to obtain attack examples more efficiently, a multiple attack generative adversarial networks(M-AttGAN) is proposed, where the attackers are not restricted to original data. The proposed network is designed to train two pairs of GANs simultaneously to fit for the distribution of original data and the distribution of the perturbation in the GANs latent space. The trained model, can generate attack examples efficiently without restrictions, and provide more data for adversarial training and improve the robustness of neural networks. We adopt human evaluation and contrastive analysis with other state-of-the-art algorithms to prove that it is feasible to utilize GANs to attack example generation. Experimental results on the MNIST and CIFAR-10 dataset show that the proposed model not only generates high-quality attack examples breaking the limits of the original data, but also has good aggression and attack migration competence.