面向卷积神经网络泛化性和健壮性权衡的标签筛选方法

doi:10.13328/j.cnki.jos.007188

微信服务号

微信订阅号

2025年8月4日 21:59 星期一

首页 > 过刊浏览>2025年第36卷第5期 >2114-2129. DOI:10.13328/j.cnki.jos.007188

PDF HTML阅读 XML下载导出引用引用提醒

面向卷积神经网络泛化性和健壮性权衡的标签筛选方法
DOI:
                        10.13328/j.cnki.jos.007188
                    
CSTR:
                        32375.14.jos.007188
                    
作者:
                        王益民王益民
南京邮电大学 计算机学院、软件学院、网络空间安全学院, 江苏 南京 210023
在期刊界中查找
在百度中查找
在本站中查找
龙显忠龙显忠
南京邮电大学 计算机学院、软件学院、网络空间安全学院, 江苏 南京 210023
在期刊界中查找
在百度中查找
在本站中查找
李云李云
南京邮电大学 计算机学院、软件学院、网络空间安全学院, 江苏 南京 210023
在期刊界中查找
在百度中查找
在本站中查找
熊健熊健
南京邮电大学 计算机学院、软件学院、网络空间安全学院, 江苏 南京 210023
在期刊界中查找
在百度中查找
在本站中查找

                    
作者单位:
作者简介:
通讯作者:
中图分类号:TP18
基金项目:国家自然科学基金(62371254, 61906098)

Label Screening Method for Generalization and Robustness Trade-off in Convolutional Neural Network

Author:

WANG Yi-Min
WANG Yi-Min
School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
在期刊界中查找
在百度中查找
在本站中查找
LONG Xian-Zhong
LONG Xian-Zhong
School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
在期刊界中查找
在百度中查找
在本站中查找
LI Yun
LI Yun
School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
在期刊界中查找
在百度中查找
在本站中查找
XIONG Jian
XIONG Jian
School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
在期刊界中查找
在百度中查找
在本站中查找

Affiliation:

Fund Project:

摘要

图/表

访问统计

参考文献 [39]

相似文献

引证文献

资源附件

文章评论

摘要:

虽然卷积神经网络凭借优异的泛化性能被广泛应用在图像识别领域中, 但被噪声污染的对抗样本可以轻松欺骗训练完全的网络模型, 带来安全性的隐患. 现有的许多防御方法虽然提高了模型的健壮性, 但大多数不可避免地牺牲了模型的泛化性. 为了缓解这一问题, 提出了标签筛选权重参数正则化方法, 在模型训练过程中利用样本的标签信息权衡模型的泛化性和健壮性. 先前的许多健壮模型训练方法存在下面两个问题: 1)大多通过增加训练集样本的数量或复杂度来提高模型的健壮性, 这不仅弱化了干净样本在模型训练过程中的主导作用, 也使得训练任务的工作量大大提高; 2)样本的标签信息除了被用于与模型预测结果对比来控制模型参数的更新方向以外, 在模型训练中几乎不被另作使用, 这无疑忽视了隐藏于样本标签中的更多信息. 所提方法通过样本的正确标签和对抗样本的分类标签筛选出模型在分类该样本时起决定性作用的权重参数, 对这些参数进行正则优化, 达到模型泛化性和健壮性权衡的效果. 在MNIST、CIFAR-10和CIFAR-100数据集上的实验和分析表明, 提出的方法能够取得很好的训练效果.

关键词:卷积神经网络;对抗学习;标签信息;正则化

Abstract:

Although convolutional neural networks (CNNs) are widely used in image recognition due to their excellent generalization performance, adversarial samples contaminated by noise can easily deceive fully trained network models, posing security risks. Many existing defense methods improve the robustness of models, but most inevitably sacrifice model generalization. To alleviate this issue, a label-filtered weight parameter regularization method is proposed to balance the generalization and robustness of models using the label information of samples during model training. Many previous robust model training methods suffer from two main issues: 1) The robustness of models is mainly enhanced by increasing the quantity or complexity of training set samples, which not only diminishes the dominant role of clean samples in model training but also significantly increases the workload of training tasks. 2) The label information of samples is used only to compare with model predictions to control the direction of model parameter updates, neglecting the additional information hidden in sample labels. The proposed method selects weight parameters that play a decisive role in classifying samples by filtering the correct labels of samples and the classification labels of adversarial samples and optimizes these parameters regularly to achieve a balance between model generalization and robustness. Experiments and analysis on the MNIST, CIFAR-10, and CIFAR-100 datasets demonstrate that the proposed method achieves good training results.

Key words:convolutional neural network (CNN);adversarial learning;label information;regularization

参考文献

[1] Lecun Y, Bottou L, Bengio Y, Haffner P. Gradient-based learning applied to document recognition. Proc. of the IEEE, 1998, 86(11): 2278–2324.

[2] Krizhevsky A, Sutskever I, Hinton GE. ImageNet classification with deep convolutional neural networks. Communications of the ACM, 2017, 60(6): 84–90.

[3] Simonyan K, Zisserman A. Very deep convolutional networks for large-scale image recognition. In: Proc. of the 3rd Int’l Conf. on Learning Representation. San Diego, 2015. 1–14.

[4] He KM, Zhang XY, Ren SQ, Sun J. Deep residual learning for image recognition. In: Proc. of the 2016 IEEE Conf. on Computer Vision and Pattern Recognition. Las Vegas: IEEE, 2016. 770–778. [doi: 10.1109/CVPR.2016.90]

[5] 卢泓宇, 张敏, 刘奕群, 马少平. 卷积神经网络特征重要性分析及增强特征选择模型. 软件学报, 2017, 28(11): 2879–2890. http://www.jos.org.cn/1000-9825/5349.htm

Lu HY, Zhang M, Liu YQ, Ma SP. Convolution neural network feature importance analysis and feature selection enhanced model. Ruan Jian Xue Bao/Journal of Software, 2017, 28(11): 2879–2890 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5349.htm

[6] 白琮, 黄玲, 陈佳楠, 潘翔, 陈胜勇. 面向大规模图像分类的深度卷积神经网络优化. 软件学报, 2018, 29(4): 1029–1038. http://www.jos.org.cn/1000-9825/5404.htm

Bai C, Huang L, Chen JN, Pan X, Chen SY. Optimization of deep convolutional neural network for large scale image classification. Ruan Jian Xue Bao/Journal of Software, 2018, 29(4): 1029–1038 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5404.htm

[7] Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow IJ, Fergus R. Intriguing properties of neural networks. In: Proc. of the 2nd Int’l Conf. on Learning Representations. Banff, 2014. 1–10.

[8] Nguyen A, Yosinski J, Clune J. Deep neural networks are easily fooled: High confidence predictions for unrecognizable images. In: Proc. of the 2015 IEEE Conf. on Computer Vision and Pattern Recognition. Boston: IEEE, 2015. 427–436.

[9] 潘文雯, 王新宇, 宋明黎, 陈纯. 对抗样本生成技术综述. 软件学报, 2020, 31(1): 67–81. http://www.jos.org.cn/1000-9825/5884.htm

Pan WW, Wang XY, Song ML, Chen C. Survey on generating adversarial examples. Ruan Jian Xue Bao/Journal of Software, 2020, 31(1): 67–81 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5884.htm

[10] Goodfellow IJ, Shlens J, Szegedy C. Explaining and harnessing adversarial examples. In: Proc. of the 3rd Int’l Conf. on Learning Representations. San Diego, 2015. 1–11.

[11] Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A. Towards deep learning models resistant to adversarial attacks. In: Proc. of the 6th Int’l Conf. on Learning Representations. Vancouver: OpenReview.net, 2018. 1–28.

[12] Moosavi-Dezfooli SM, Fawzi A, Frossard P. DeepFool: A simple and accurate method to fool deep neural networks. In: Proc. of the 2016 IEEE Conf. on Computer Vision and Pattern Recognition. Las Vegas: IEEE, 2016. 2574–2582. [doi: 10.1109/CVPR.2016.282]

[13] Carlini N, Wagner D. Towards evaluating the robustness of neural networks. In: Proc. of the 2017 IEEE Symp. on Security and Privacy. San Jose: IEEE, 2017. 39–57. [doi: 10.1109/SP.2017.49]

[14] Wei XX, Guo Y, Yu J. Adversarial sticker: A stealthy attack method in the physical world. IEEE Trans. on Pattern Analysis and Machine Intelligence, 2023, 45(3): 2711–2725.

[15] Wu T, Tong L, Vorobeychik Y. Defending against physically realizable attacks on image classification. In: Proc. of the 8th Int’l Conf. on Learning Representation. Addis Ababa: OpenReview.net, 2020. 1–10.

[16] Lyu C, Huang KZ, Liang HN. A unified gradient regularization family for adversarial examples. In: Proc. of the 2015 IEEE Int’l Conf. on Data Mining. Atlantic City: IEEE, 2015. 301–309. [doi: 10.1109/ICDM.2015.84]

[17] Jakubovitz D, Giryes R. Improving DNN robustness to adversarial attacks using Jacobian regularization. In: Proc. of the 15th European Conf. on Computer Vision. Munich: Springer, 2018. 525–541. [doi: 10.1007/978-3-030-01258-8_32]

[18] Chan A, Tay Y, Ong YS, Fu J. Jacobian adversarially regularized networks for robustness. In: Proc. of the 8th Int’l Conf. on Learning Representation. Addis Ababa: OpenReview.net, 2020. 1–13.

[19] Moosavi-Dezfooli SM, Fawzi A, Uesato J, Frossard P. Robustness via curvature regularization, and vice versa. In: Proc. of the 2019 IEEE/CVF Conf. on Computer Vision and Pattern Recognition. Long Beach: IEEE, 2019. 9070–9078. [doi: 10.1109/CVPR.2019.00929]

[20] Guo C, Rana M, Cissé M, van der Maaten L. Countering adversarial images using input transformations. In: Proc. of the 6th Int’l Conf. on Learning Representations. Vancouver: OpenReview.net, 2018. 1–12.

[21] Rebuffi SA, Gowal S, Calian DA, Stimberg F, Wiles O, Mann TA. Data augmentation can improve robustness. In: Proc. of the 35th Conf. on Neural Information Processing Systems. 2021. 29935–29948.

[22] Wang YS, Zou DF, Yi JF, Bailey J, Ma XJ, Gu QQ. Improving adversarial robustness requires revisiting misclassified examples. In: Proc. of the 8th Int’l Conf. on Learning Representations. Addis Ababa: OpenReview.net, 2020. 1–13.

[23] Chen ZM, Xue W, Tian WW, Wu YH, Hua B. Toward deep neural networks robust to adversarial examples, using augmented data importance perception. Journal of Electronic Imaging, 2022, 31(6): 063046.

[24] Jin GJ, Yi XP, Wu DY, Mu RH, Huang XW. Randomized adversarial training via Taylor expansion. In: Proc. of the 2023 IEEE/CVF Conf. on Computer Vision and Pattern Recognition. Vancouver: IEEE, 2023. 16447–16457. [doi: 10.1109/CVPR52729.2023.01578]

[25] Tsipras D, Santurkar S, Engstrom LG, Turner AM, Madry A. Robustness may be at odds with accuracy. In: Proc. of the 7th Int’l Conf. on Learning Representations. New Orleans, 2019. 1–24.

[26] Zhang HY, Yu YD, Jiao JT, Xing E, El Ghaoui L, Jordan M. Theoretically principled trade-off between robustness and accuracy. In: Proc. of the 36th Int’l Conf. on Machine Learning. Long Beach: PMLR, 2019. 12907–12929.

[27] Co KT, Martinez-Rego D, Hau Z, Lupu EC. Jacobian ensembles improve robustness trade-offs to adversarial attacks. In: Proc. of the 31st Int’l Conf. on Artificial Neural Networks. Bristol: Springer, 2022. 680–691. [doi: 10.1007/978-3-031-15934-3_56]

[28] Grabinski J, Gavrikov P, Keuper J, Keuper M. Robust models are less over-confident. In: Proc. of the 36th Int’l Conf. on Neural Information Processing Systems. New Orleans: Curran Associates Inc., 2022. 2831.

[29] Zhang JF, Xu XL, Han B, Niu G, Cui LZ, Sugiyama M, Kankanhalli M. Attacks which do not kill training make adversarial learning stronger. In: Proc. of the 37th Int’l Conf. on Machine Learning. PMLR, 2020. 11278–11287.

[30] Sharma A, Narayan A. Soft adversarial training can retain natural accuracy. In: Proc. of the 14th Int’l Conf. on Agents and Artificial Intelligence. SciTePress, 2022. 1–7.

[31] Gehr T, Mirman M, Drachsler-Cohen D, Tsankov P, Chaudhuri S, Vechev M. AI2: Safety and robustness certification of neural networks with abstract interpretation. In: Proc. of the 2018 IEEE Symp. on Security and Privacy. San Francisco: IEEE, 2018. 3–18.

[32] Takase T. Feature combination mixup: Novel mixup method using feature combination for neural networks. Neural Computing and Applications, 2023, 35(17): 12763–12774.

[33] Papernot N, McDaniel P, Wu X, Jha S, Swami A. Distillation as a defense to adversarial perturbations against deep neural networks. In: Proc. of the 2016 IEEE Symp. on Security and Privacy. San Jose: IEEE, 2016. 582–597. [doi: 10.1109/SP.2016.41]

[34] Dong NQ, Wang JY, Voiculescu I. Revisiting vicinal risk minimization for partially supervised multi-label classification under data scarcity. In: Proc. of the 2022 IEEE/CVF Conf. on Computer Vision and Pattern Recognition Workshops. New Orleans: IEEE, 2022. 4211–4219. [doi: 10.1109/CVPRW56347.2022.00466]

[35] Hoffman J, Roberts DA, Yaida S. Robust learning with Jacobian regularization. In: Proc. of the 2020 Int’l Conf. on Learning Representations. 2020. 1–21.

[36] Le BM, Tariq S, Woo SS. OTJR: Optimal Transport Meets Optimal Jacobian Regularization for Adversarial Robustness. In: Proc. of the 23rd IEEE Conf. on Computer Vision and Pattern Recognition. 2023. 7551–7562.

引用本文

王益民,龙显忠,李云,熊健.面向卷积神经网络泛化性和健壮性权衡的标签筛选方法.软件学报,2025,36(5):2114-2129

复制

文章指标

点击次数:195
下载次数: 1720
HTML阅读次数: 222
引用次数: 0

历史

收稿日期:2023-11-07
最后修改日期:2023-12-24
录用日期:
在线发布日期: 2024-06-14
出版日期: 2025-05-06

微信服务号

微信订阅号

引用本文

相关视频

分享

文章指标

历史

文章二维码

微信服务号

微信订阅号

引用本文

相关视频

分享

微信扫一扫：分享

文章指标

历史

文章二维码