对抗鲁棒性评估的指标体系及其完备性
作者:
作者单位:

作者简介:

通讯作者:

中图分类号:

TP309

基金项目:

国家自然科学基金(62376186, 61932009)


Metric System and Its Completeness of Adversarial Robustness Evaluation
Author:
Affiliation:

Fund Project:

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    对抗鲁棒性评估需要结合对抗样本攻击能力与噪声幅度形成对深度学习模型噪声抵御能力的完整、准确的评测. 然而, 对抗鲁棒性评估评价指标缺乏完备性是现有对抗攻防方法的一个关键问题. 现有的对抗鲁棒性评估相关工作缺少对评价指标体系的分析与比较, 忽视了攻击成功率和不同范数对鲁棒性评估指标体系完备性的影响以及对攻防方法设计的限制. 本文从范数选择和度量指标两个维度展开对抗鲁棒性评价指标体系的讨论, 分别从评价指标定义域的包含关系, 鲁棒性描述粒度, 以及鲁棒性评估序关系三个方面对鲁棒性评估指标体系完备性进行理论分析, 并得出以下结论: 使用均值等噪声统计量比使用攻击成功率等评价指标定义域更大且更全面, 同时能够保证任意两个对抗样本集合都能够进行比较; 使用2范数比使用其他范数在鲁棒性评估的描述上更具完备性. 在6个数据集上对23种模型及20种对抗攻击方法的大量实验验证了这些结论.

    Abstract:

    The assessment of adversarial robustness requires a complete and accurate evaluation of deep learning models’ noise resistance by combining the attack ability and noise magnitude of adversarial samples. However, the lack of completeness in the adversarial robustness evaluation metric system is a key problem with the existing adversarial attack and defense methods. The existing work on adversarial robustness evaluation lacks analysis and comparison of the evaluation metric system. The impact of attack success rate and different norms on the completeness of the robustness evaluation metric system and the restrictions on designing attack and defense methods are neglected. In this study, the adversarial robustness evaluation metric system is discussed in two dimensions: norm selection and metric indicators. The theoretical analysis of robustness evaluation completeness is carried out from three aspects: the inclusion relation of the evaluation metric domain, robustness description granularity, and the order relationship of the robustness evaluation metric system. The following conclusions are drawn: using noise statistical quantities such as the mean results in a larger and more comprehensive definition domain of evaluation indicators compared to using attack success rates, while also ensuring that any two adversarial sample sets can be compared. Using the L2 norm is more complete in the description of adversarial robustness evaluation compared to using other norms. Extensive experiments on 23 models and 20 adversarial attacks across 6 datasets validate these conclusions.

    参考文献
    相似文献
    引证文献
引用本文

石育澄,韩亚洪.对抗鲁棒性评估的指标体系及其完备性.软件学报,,():1-23

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2023-09-09
  • 最后修改日期:2023-11-08
  • 录用日期:
  • 在线发布日期: 2024-06-14
  • 出版日期:
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号