Adversarial robustness evaluation of multiple-source remote sensing image recognition based on deep neural networks
Journal of Remote Sensing, 2023, Vol. 27, No. 8, pp. 1951-1963
Print publication date: 2023-08-07
DOI: 10.11834/jrs.20210597
Multi-source remote sensing image target recognition systems based on deep neural networks have gradually been adopted in many military scenarios, such as space- and air-borne reconnaissance, autonomous environment perception for unmanned combat systems, and multi-mode composite terminal guidance. However, because deep learning theory is incomplete, because deep network architectures are heavily reused in engineering practice, and because multi-source imaging and recognition systems are exposed to many kinds of interference in complex electromagnetic environments, the adversarial robustness of existing recognition systems has been insufficiently evaluated, leaving a major security risk. This paper first analyses the potential security risks from two angles, the theoretical incompleteness of deep learning and the attack patterns against recognition systems, and introduces the basic principles and representative methods of adversarial example attacks on deep recognition models. It then evaluates the adversarial robustness of deep recognition models on two typical data types, optical and SAR remote sensing imagery, in terms of robust (correct) recognition rate and attack interpretability, covering nine common deep network architectures and seven typical adversarial attack methods. The experiments confirm that current deep recognition models are generally not robust to adversarial attacks, and the differences in multi-hidden-layer feature activations between adversarial and clean samples are analysed, providing a reference for designing adversarial example detectors and improving model robustness.
Deep-neural-network-based multiple-source remote sensing image recognition systems have been widely used in many military scenarios, such as aerospace intelligence reconnaissance, unmanned aerial vehicles with autonomous environmental cognition, and multimode automatic target recognition systems. Deep learning models rely on the assumption that the training and testing data come from the same distribution. However, these models perform poorly under common corruptions or adversarial attacks. In the remote sensing community, the adversarial robustness of deep-neural-network-based recognition models has not received much attention, which increases the risk for many security-sensitive applications.
This article evaluates the adversarial robustness of deep-neural-network-based recognition models for multiple-source remote sensing images. First, we discuss the incompleteness of deep learning theory and show that it creates serious security risks: the independent-and-identically-distributed assumption is often violated, and system performance cannot be guaranteed under adversarial conditions. The whole processing chain of a deep-neural-network-based image recognition system is then analyzed for its vulnerabilities. Second, we introduce several representative algorithms for adversarial example generation in both the white-box and black-box settings. A gradient-propagation-based visualization method is also used to analyze adversarial attacks.
We perform a detailed evaluation of nine deep neural networks on two publicly available remote sensing image datasets; both optical and SAR remote sensing images are used. For each model we generate seven perturbations, ranging from gradient-based optimization to unsupervised feature distortion, for every test image. In all cases we observe a significant drop in average classification accuracy between the clean data and their adversarial counterparts. Apart from average recognition accuracy under attack, feature attribution techniques are used to analyze the feature diffusion effect of adversarial attacks, contributing to the understanding of the vulnerability of deep learning models.
The experimental results show that all nine deep neural networks suffer large losses in classification accuracy when the test images are adversarial examples. Understanding such adversarial phenomena improves our understanding of the inner workings of deep learning models. Additional efforts are needed to enhance the adversarial robustness of deep learning models.
With the diversification of imaging modalities and the growth of data acquisition capacity, the integrated space-air-ground Earth observation network has accumulated, and will continue to acquire, large volumes of multi-source (multispectral/hyperspectral, radar, multi-temporal, multi-angle, etc.) remote sensing imagery at different temporal, spatial and spectral scales; for example, the data center of China's Gaofen high-resolution Earth observation major project currently produces more than 25 TB of data per day and has a storage capacity exceeding 20 PB (
However, owing to the incompleteness of deep learning theory itself (
Deep neural networks can process information of different modalities; the structural similarity of the models used across modalities and their hierarchical analysis provide a powerful tool for building feature representation models of multi-source remote sensing imagery. Deep neural networks have been applied extensively to land-cover information extraction, object detection, scene classification and image retrieval on multi-source remote sensing imagery (
However, existing deep semantic learning methods for multi-source remote sensing imagery are only valid under the common assumption that training and test data come from the same feature space and follow the same distribution. In complex, dynamic adversarial scenarios this assumption is often too strict to hold, because of image degradation introduced by the imaging system and imaging process, distribution drift caused by spatio-temporal changes of the land surface, and camouflage and jamming by either side, so that the generalisation ability of the model degrades sharply. The prediction uncertainty of deep recognition models and their generalisation to out-of-distribution data still require further theoretical study.
Deep recognition systems for multi-source remote sensing imagery cannot explain their decision process to operators. The high stakes in many security-sensitive domains mean that such systems must be transparent in order to earn the trust of decision-makers and to allow risk analysis, yet current deep neural network recognition techniques are black boxes with insufficient interpretability. In addition, the architecture design and parameter optimisation of these networks are highly generic and highly transferable, which in engineering terms lowers the bar for malicious attacks.
In highly dynamic and complex electromagnetic countermeasure military scenarios, intelligent recognition systems for multi-source remote sensing imagery built on deep neural network models face many security and reliability challenges (
Fig. 1 Potential attack surface of deep-learning-based recognition systems for multi-source remote sensing imagery
The most common form of potential attack on a deep recognition system for multi-source remote sensing imagery is adversarial example generation against the deep neural network model (
$d(x', x) < \varepsilon \quad \text{and} \quad \hat{y}(x') \neq \hat{y}(x)$ (1)
where ε is a small constant bounding the perturbation magnitude and $\hat{y}(\cdot)$ is the label predicted by the deep neural network, $\hat{y}(x) = \arg\max_c f(x;\theta)(c)$, with c the class index. On standard optical image datasets in computer vision, ε is usually restricted to [1/255, 8/255] so that humans do not perceive the perturbation. For infrared and microwave (SAR) remote sensing imagery the allowed perturbation range can be larger.
Fig. 2 Adversarial example for deep-neural-network-based remote sensing image recognition
Adversarial example attacks are usually divided into white-box and black-box attacks (
In the information-chain countermeasure view, adversarial example attacks are attacks on the model inference stage and are the representative form of evasion attack. Taking military reconnaissance with multi-source remote sensing imagery as an example, the workflow is: first, in the digital domain, study adversarial example generation to find perturbation patterns that are strongly adversarial and highly transferable; then realise the perturbation pattern in the corresponding physical domain and blend it plausibly with the object to be detected and recognised, achieving intelligent camouflage and hence automated anti-recognition.
Adversarial example generation has developed rapidly in recent years and the literature is rich, but the principles behind the methods have changed little. White-box methods can be grouped into gradient-based optimisation, constrained optimisation, adversarial generation from statistical models, and sensitivity-analysis-based generation; black-box methods rely on gradient approximation or decision-boundary approximation. Newer learning mechanisms such as self-supervised learning, causal learning and attention are also being brought into the white-box optimisation or black-box approximation problem.
(1) Fast Gradient Sign Method (FGSM) (
$x' = x + \varepsilon \cdot \mathrm{sign}\big(\nabla_x L(x, y)\big)$ (2)
where $\nabla_x L(x, y)$ is the first derivative of the loss with respect to the input x, computed for a deep neural network by backpropagation. In practice the generated adversarial example must remain inside the valid input range, so its values are remapped (clipped) after the step.
(2) Projected Gradient Descent (PGD) (
$x'_{i+1} = \Pi_{B(x,\varepsilon)}\Big(x'_i + \alpha \cdot \mathrm{sign}\big(\nabla_{x'_i} L(x'_i, y)\big)\Big)$ (3)
where i is the iteration index, 0 < α < ε is the per-iteration step size, and $\Pi_{B(x,\varepsilon)}$ is the projection that remaps the iterate back into the allowed perturbation set $B(x,\varepsilon)$. PGD starts from a randomly chosen point inside the constraint set. For the untargeted attack the step ascends the loss of the true label, consistent with Eq. (2); descending the loss of a chosen target label gives the targeted variant.
(3) Carlini and Wagner (C&W) attack (
$L_{CW}(x', t) = \max\Big(\max_{i \neq t} Z(x')_i - Z(x')_t,\; -\kappa\Big)$ (4)
where $Z(x')_i$ is the i-th logit output by the network for the adversarial input, t is the target class, and κ is the minimum confidence margin required of the adversarial example (the target logit must exceed every other logit by at least κ); κ trades off the confidence of the example against the perturbation magnitude.
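The following is an added example, not code from the paper, that runs Eqs. (2), (3) and (4) against a tiny hand-built 3-class linear softmax classifier in pure Python, so the mechanics (signed gradient step, random start, projection onto the L∞ ball, remapping to the input range, and the κ-margin of C&W) can be checked by hand without PyTorch. The weight matrix W, the bias B, the clean sample and all attack hyper-parameters are assumptions made for illustration. The C&W routine uses a fixed trade-off constant c and plain gradient descent on the input, not the tanh reparameterisation and binary search over c of the original method.

```python
"""Added example (not the paper's code): FGSM (eq. 2), PGD (eq. 3) and a C&W-style
targeted attack built on the margin loss of eq. (4), run against a constructed
3-class linear softmax classifier.  W, B, the clean sample, eps, alpha, kappa
and c are all assumptions made for illustration."""
import math
import random

# Constructed model: logits Z(x) = W x + B on 4-dimensional inputs in [0, 1].
W = [
    [ 3.0,  3.0, -1.0, -1.0],   # class 0 responds to features 0 and 1
    [-1.0, -1.0,  3.0,  3.0],   # class 1 responds to features 2 and 3
    [ 2.0, -2.0,  2.0, -2.0],   # class 2 responds to features 0 and 2
]
B = [0.0, 0.0, -0.5]
D = len(W[0])

def logits(x):
    return [sum(w * v for w, v in zip(row, x)) + b for row, b in zip(W, B)]

def predict(x):
    z = logits(x)
    return max(range(len(z)), key=z.__getitem__)

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def loss_grad(x, y):
    """Gradient of the cross-entropy loss w.r.t. the input.
    For a linear model: dL/dx = W^T (softmax(Wx + B) - onehot(y))."""
    p = softmax(logits(x))
    p[y] -= 1.0
    return [sum(W[c][j] * p[c] for c in range(len(W))) for j in range(D)]

def sign(v):
    return 1.0 if v > 0 else (-1.0 if v < 0 else 0.0)

def clip01(x):
    """Remap to the valid input range [0, 1] (the numerical remapping of eq. 2)."""
    return [min(1.0, max(0.0, v)) for v in x]

def project_linf(x_adv, x, eps):
    """Projection Pi_{B(x, eps)} onto the L_inf ball, then onto the input range."""
    return clip01([min(xi + eps, max(xi - eps, v)) for v, xi in zip(x_adv, x)])

def fgsm(x, y, eps):
    """Eq. (2): one signed-gradient step of size eps (untargeted: ascend the loss)."""
    g = loss_grad(x, y)
    return clip01([xi + eps * sign(gi) for xi, gi in zip(x, g)])

def pgd(x, y, eps, alpha, steps, rng):
    """Eq. (3): random start inside B(x, eps), then projected sign-gradient steps."""
    x_adv = project_linf([xi + rng.uniform(-eps, eps) for xi in x], x, eps)
    for _ in range(steps):
        g = loss_grad(x_adv, y)
        x_adv = project_linf([v + alpha * sign(gi) for v, gi in zip(x_adv, g)], x, eps)
    return x_adv

def cw_margin(x_adv, t, kappa):
    """Eq. (4): max(max_{i != t} Z_i - Z_t, -kappa).  A value of -kappa means the
    target class t beats every other class by at least kappa logits."""
    z = logits(x_adv)
    return max(max(z[i] for i in range(len(z)) if i != t) - z[t], -kappa)

def cw_l2(x, t, kappa, c, lr, steps):
    """Targeted attack minimising ||x' - x||_2^2 + c * L_CW(x', t) by gradient
    descent on x' (fixed c, no tanh change of variable, no binary search)."""
    x_adv = list(x)
    for _ in range(steps):
        if cw_margin(x_adv, t, kappa) <= -kappa:
            break                                   # margin term inactive: done
        z = logits(x_adv)
        i_star = max((i for i in range(len(z)) if i != t), key=z.__getitem__)
        # d/dx' ||x'-x||^2 = 2(x'-x);  d/dx' (Z_{i*} - Z_t) = W[i*] - W[t]
        grad = [2.0 * (a - b) + c * (W[i_star][j] - W[t][j])
                for j, (a, b) in enumerate(zip(x_adv, x))]
        x_adv = clip01([a - lr * g for a, g in zip(x_adv, grad)])
    return x_adv

def linf(a, b):
    return max(abs(u - v) for u, v in zip(a, b))

def l2(a, b):
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))

def demo():
    x, y = [0.7, 0.6, 0.3, 0.2], 0      # constructed clean sample of class 0
    rng = random.Random(0)
    fg = fgsm(x, y, eps=0.3)
    pg = pgd(x, y, eps=0.3, alpha=0.05, steps=40, rng=rng)
    cw = cw_l2(x, t=2, kappa=0.5, c=2.0, lr=0.05, steps=200)
    return {
        "clean": predict(x),
        "fgsm": predict(fg), "fgsm_linf": linf(fg, x),
        "pgd": predict(pg), "pgd_linf": linf(pg, x),
        "cw": predict(cw), "cw_l2": l2(cw, x), "cw_margin": cw_margin(cw, 2, 0.5),
    }

if __name__ == "__main__":
    print(demo())
```

On this linear toy the loss gradient has a fixed sign pattern, so PGD ends at the same corner of the ε-box that FGSM reaches in one step; on deep networks the two diverge, which is why PGD is far stronger than FGSM in the result tables below. The C&W run shows the other behaviour worth noticing: it stops as soon as the target logit leads by κ, giving a small L2 perturbation rather than a maximal L∞ one.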
(4) DeepFool (DF) (
(5) Elastic-Net Attack to Deep Neural Networks (EAD) (
(6) HopSkipJump Attack (HSJA), a decision-based attack (
(7) Self-Supervised Perturbation (SSP) (
Interpretability methods for deep neural networks can be divided into visualisation techniques, model distillation, and analysis of internal mechanisms (
Fig. 3 Feature visualisation techniques for deep neural networks
Gradient-weighted Class Activation Mapping (Grad-CAM), which is based on backpropagation, (
$\mathrm{map}_c = \sum_{k=1}^{K} w_{k,c} A^k$ (5)
Grad-CAM uses the gradient of the network output with respect to the last convolutional layer to build the class activation map, and only requires the network's prediction to be differentiable. For each feature map $A^k$ of the last convolutional layer, the gradient of the class score $y^c$ is computed and spatially averaged to give the importance weight $\alpha_{k,c}$ of $A^k$:
$\alpha_{k,c} = \frac{1}{m \cdot n} \sum_{i=1}^{m} \sum_{j=1}^{n} \frac{\partial y^c}{\partial A^k_{i,j}}$ (6)
$\mathrm{map}_c = \mathrm{ReLU}\Big(\sum_{k=1}^{K} \alpha_{k,c} A^k\Big)$ (7)
where $A^k_{i,j}$ is the neuron at position (i, j) of the m × n feature map $A^k$.
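The following added example (not code from the paper) implements Eqs. (6) and (7) on three constructed 2×2 feature maps with a constructed global-average-pooling plus linear head. The gradients $\partial y^c / \partial A^k_{i,j}$ are obtained by central finite differences, so the routine applies to any differentiable head; with the linear head used here the result reduces to Eq. (5) scaled by 1/(m·n), which the last function checks. The activations A, the head weights V and the class indices are assumptions made for illustration.

```python
"""Added example (not the paper's code): Grad-CAM as in eqs. (6)-(7) on three
constructed 2x2 last-layer feature maps with a constructed GAP + linear head.
A and V below are illustrative assumptions, not values from any real network."""

# Constructed activations A^k, indexed [k][i][j] (K = 3 maps of size m x n = 2 x 2).
A = [
    [[1.0, 0.0], [0.0, 0.0]],   # k = 0: fires in the top-left cell
    [[0.0, 0.0], [0.0, 2.0]],   # k = 1: fires in the bottom-right cell
    [[0.5, 0.5], [0.5, 0.5]],   # k = 2: spread evenly over the map
]
# Constructed head with two classes: y^c = sum_k V[c][k] * mean_ij(A^k).
V = [[ 2.0, -1.0, 0.5],
     [-1.0,  2.0, 0.5]]

def gap(a):
    """Global average pooling over an m x n map."""
    return sum(sum(row) for row in a) / (len(a) * len(a[0]))

def class_scores(feats):
    """Class scores y^c for a list of feature maps (any differentiable head works)."""
    return [sum(V[c][k] * gap(feats[k]) for k in range(len(feats))) for c in range(len(V))]

def grad_wrt_features(score_fn, feats, c, h=1e-4):
    """dy^c / dA^k_ij for every cell by central differences; feats is restored."""
    g = [[[0.0] * len(fm[0]) for _ in fm] for fm in feats]
    for k, fm in enumerate(feats):
        for i, row in enumerate(fm):
            for j in range(len(row)):
                orig = row[j]
                row[j] = orig + h
                up = score_fn(feats)[c]
                row[j] = orig - h
                down = score_fn(feats)[c]
                row[j] = orig
                g[k][i][j] = (up - down) / (2.0 * h)
    return g

def grad_cam(score_fn, feats, c):
    """Eq. (6): alpha_{k,c} = (1/mn) sum_ij dy^c/dA^k_ij;
    eq. (7): map_c = ReLU(sum_k alpha_{k,c} A^k).  Returns (alphas, map)."""
    g = grad_wrt_features(score_fn, feats, c)
    alphas = [gap(gk) for gk in g]
    m, n = len(feats[0]), len(feats[0][0])
    cam = [[max(0.0, sum(alphas[k] * feats[k][i][j] for k in range(len(feats))))
            for j in range(n)] for i in range(m)]
    return alphas, cam

def cam_linear(feats, c):
    """Eq. (5) with w_{k,c} = V[c][k]: the CAM special case for a GAP + linear head."""
    m, n = len(feats[0]), len(feats[0][0])
    return [[max(0.0, sum(V[c][k] * feats[k][i][j] for k in range(len(feats))))
             for j in range(n)] for i in range(m)]

def peak(cam):
    """(i, j) of the most strongly activated cell, i.e. where the evidence sits."""
    return max(((i, j) for i in range(len(cam)) for j in range(len(cam[0]))),
               key=lambda ij: cam[ij[0]][ij[1]])

if __name__ == "__main__":
    for c in range(len(V)):
        alphas, cam = grad_cam(class_scores, A, c)
        print(f"class {c}: alphas={alphas} map={cam} peak={peak(cam)}")
```

The class-0 map peaks in the top-left cell, where the map that class 0 weights positively fires, and the class-1 map peaks in the bottom-right cell; the ReLU removes cells where the evidence argues against the class. Comparing such maps for a clean image and its adversarial counterpart is the kind of feature activation analysis the paper uses to study how a perturbation diffuses the model's attention.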
To verify the adversarial vulnerability of deep neural network recognition models for multi-source remote sensing imagery, the experiments use the MSTAR (Moving and Stationary Target Acquisition and Recognition) dataset, which is widely used in microwave (SAR) remote sensing target recognition (
Fig. 4 Sample imagery from the MSTAR dataset
Fig. 5 Sample imagery from the UC-Merced dataset
To evaluate the adversarial robustness of different deep recognition models more comprehensively, nine widely used architectures were selected: AlexNet, ResNet18, VGG16, DenseNet201, InceptionV3, GoogLeNet, MNASNet1_0, MobileNetV2 and SqueezeNet. They cover three typical families of deep recognition architecture: hand-designed networks (AlexNet, ResNet18, VGG16, DenseNet201, InceptionV3, GoogLeNet), an automatically searched network (MNASNet1_0) and lightweight networks (MobileNetV2, SqueezeNet). To avoid inconsistencies arising from different implementations and training procedures, the model architectures implemented in the standard PyTorch model library were used and all models were optimised with the same training schedule.
The attack methods comprise five white-box attacks (FGSM, PGD, DF, C&W, EAD) and two black-box attacks (HSJA, SSP). Settings: FGSM, L∞ norm, ε = 0.3; PGD, L∞ norm, ε = 0.3, at most 100 iterations; C&W, learning rate 0.01, at most 100 iterations; DF, perturbation step 10^-6, at most 100 iterations; EAD, L2 norm, learning rate 0.01, at most 100 iterations; HSJA and SSP, L2 norm, ε = 0.3, at most 100 iterations. Note that ε = 0.3 under the L∞ norm is far above the [1/255, 8/255] range quoted earlier for imperceptible perturbations on optical imagery, so the results below measure robustness against clearly visible perturbations rather than stealthy ones.
Two typical attack scenarios are distinguished, giving two groups of experiments: untargeted and targeted adversarial attacks. The untargeted experiments evaluate the adversarial robustness of the multi-source remote sensing image recognition models averaged over all classes, and in particular compare the similarities and differences between the adversarial perturbations of optical and SAR recognition models. The targeted experiments analyse the adversarial robustness of specific classes, refining the analysis of the robustness imbalance between classes. In addition, multi-hidden-layer feature activations are used to try to understand how adversarial example attacks act, studying adversarial robustness from the interpretability angle.
| Attack | AlexNet | VGG16 | ResNet18 | InceptionV3 | DenseNet201 | GoogLeNet | MNASNet1_0 | SqueezeNet | MobileNetV2 |
|---|---|---|---|---|---|---|---|---|---|
| None (clean) | 71.62 | **95.59** | **96.87** | **98.60** | 81.61 | 92.62 | 87.67 | 92.33 | 75.05 |
| FGSM | 15.79 | **20.99** | 1.48 | 9.81 | **23.16** | 13.16 | 7.89 | **27.18** | 16.84 |
| PGD | 0.53 | 2.11 | 0.53 | 0.53 | **8.95** | 7.89 | **17.89** | 4.21 | **8.95** |
| DF | 7.89 | 1.05 | 5.79 | **21.58** | **16.32** | 7.37 | 8.42 | 3.16 | **15.26** |
| C&W | **37.37** | 5.79 | 7.89 | **21.05** | **21.05** | 7.89 | 8.95 | 5.79 | 17.37 |
| EAD | **18.95** | 1.58 | 4.74 | 0.93 | 8.95 | 3.27 | **9.47** | 5.79 | **11.68** |
| HSJA | **18.42** | 3.16 | 17.89 | 16.84 | **28.95** | 14.21 | 8.95 | 14.21 | **18.42** |
| SSP | 23.83 | 24.30 | 14.95 | 24.87 | **31.78** | **28.04** | 11.21 | **57.01** | 16.36 |

Note: correct recognition rate (%) under untargeted attack; the three highest values in each row are in bold.
| Attack | AlexNet | VGG16 | ResNet18 | InceptionV3 | DenseNet201 | GoogLeNet | MNASNet1_0 | SqueezeNet | MobileNetV2 |
|---|---|---|---|---|---|---|---|---|---|
| None (clean) | 91.43 | 96.43 | 96.90 | **98.33** | **98.31** | 94.76 | 92.14 | 93.57 | **97.14** |
| FGSM | **77.38** | 47.86 | 40.48 | 45.71 | **67.14** | 54.05 | 40.00 | **70.24** | 44.52 |
| PGD | **7.14** | 6.19 | 4.29 | 2.38 | 5.95 | **6.67** | **8.81** | 6.43 | 5.95 |
| DF | 35.95 | 25.95 | 24.52 | 35.96 | **56.43** | **41.67** | **36.19** | 35.95 | 29.05 |
| C&W | **5.95** | 2.38 | 1.90 | **4.29** | 1.43 | 3.81 | **5.00** | 3.81 | 1.67 |
| EAD | 2.62 | 1.19 | 2.37 | **19.05** | 9.29 | **16.43** | **11.90** | 1.43 | 1.90 |
| HSJA | **44.76** | 7.38 | 6.43 | 6.19 | **14.29** | 13.33 | 9.52 | **31.19** | 2.62 |
| SSP | **76.19** | 8.57 | 29.76 | **51.19** | 48.81 | 46.67 | 32.14 | **55.00** | 13.10 |

Note: correct recognition rate (%) under untargeted attack on the second dataset; the three highest values in each row are in bold.
Overall
Fig. 6 Visualisation of adversarial perturbations
Because the number of samples and the discrimination difficulty differ between classes, the correct recognition rate of a multi-source remote sensing deep recognition model is not the same for every class. Adversarial robustness must therefore be analysed further for specific classes in order to diagnose the vulnerability of the model to targeted attacks.
Fig. 7 Confusion matrix of VGG16 recognition accuracy without adversarial attack (darker colours indicate more misclassified samples)
Fig. 8 Feature activation analysis under targeted adversarial attack
Deep neural network models can process information of different modalities; the structural similarity of the models used across modalities and their hierarchical analysis provide a powerful tool for building feature representation and semantic recognition models for multi-source remote sensing imagery. However, because deep learning theory is incomplete, because network architecture designs and optimisation methods are heavily reused, and because multi-source imaging and recognition systems are exposed to many kinds of interference in complex electromagnetic environments, the adversarial robustness of existing recognition systems has been insufficiently evaluated, which poses a serious risk to their wider deployment in military and security-sensitive settings. This paper first analysed the potential security risks of deep-neural-network-based multi-source remote sensing image recognition systems, in theory and in application. It then focused on adversarial example attacks against the model inference stage and, after discussing their basic principles and interpretability, carried out adversarial attack experiments on deep recognition models for optical and SAR remote sensing imagery, evaluating the attacks in terms of correct recognition rate under attack and visualisation of the adversarial perturbations.
Existing deep neural network recognition models carry major security risks and generally lack adversarial robustness; the relationship between model accuracy and adversarial robustness needs further study. Adversarial attacks and defences have been studied extensively in machine learning, computer vision and natural language processing, and deserve focused attention in multi-source remote sensing image interpretation. Next-generation AI recognition systems for multi-source remote sensing imagery in complex electromagnetic environments will need to fuse data from sensors of different modalities. Research on multi-model fusion methods based on domain knowledge-graph embedding, multi-granularity deep knowledge transfer and robust adversarial example defence is needed, exploiting prior domain knowledge, building model-driven multi-task deep learning models, and improving the interpretability and transparency of the learned models, so as to raise the accuracy and security of recognition systems in adversarial settings.
Berghoff C, Neu M and Von Twickel A. 2020. Vulnerabilities of connectionist AI applications: evaluation and defence. arXiv preprint arXiv:2003.08837
Blasch E. 2020. Self-proficiency assessment for ATR systems//Proceedings of SPIE 11393, Algorithms for Synthetic Aperture Radar Imagery XXVII. [s.l.]: SPIE: 113930T [DOI: 10.1117/12.2563259]
Carlini N and Wagner D. 2017. Towards evaluating the robustness of neural networks//Proceedings of 2017 IEEE Symposium on Security and Privacy. San Jose: IEEE: 39-57 [DOI: 10.1109/SP.2017.49]
Chen J B, Jordan M I and Wainwright M J. 2020. HopSkipJumpAttack: a query-efficient decision-based attack//Proceedings of 2020 IEEE Symposium on Security and Privacy. San Francisco: IEEE: 1277-1294 [DOI: 10.1109/SP40000.2020.00045]
Chen P Y, Sharma Y, Zhang H, Yi J F and Hsieh C J. 2018. EAD: elastic-net attacks to deep neural networks via adversarial examples//Proceedings of the 32nd AAAI Conference on Artificial Intelligence. New Orleans: AAAI: 2
Cheng G, Xie X X, Han J W, Guo L and Xia G S. 2020. Remote sensing image scene classification meets deep learning: challenges, methods, benchmarks, and opportunities. IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing, 13: 3735-3756 [DOI: 10.1109/JSTARS.2020.3005403]
Fawzi A, Moosavi-Dezfooli S M and Frossard P. 2017. The robustness of deep networks: a geometrical perspective. IEEE Signal Processing Magazine, 34(6): 50-62 [DOI: 10.1109/MSP.2017.2740965]
Goodfellow I J, Shlens J and Szegedy C. 2015. Explaining and harnessing adversarial examples//Proceedings of the 3rd International Conference on Learning Representations. San Diego: ICLR
Kurte K R, Durbha S S, King R L, Younan N H and Vatsavai R. 2017. Semantics-enabled framework for spatial image information mining of linked earth observation data. IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing, 10(1): 29-44 [DOI: 10.1109/JSTARS.2016.2547992]
Madry A, Makelov A, Schmidt L, Tsipras D and Vladu A. 2018. Towards deep learning models resistant to adversarial attacks//Proceedings of the 6th International Conference on Learning Representations. Vancouver: ICLR
Moosavi-Dezfooli S M, Fawzi A and Frossard P. 2016. DeepFool: a simple and accurate method to fool deep neural networks//Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition. Las Vegas: IEEE: 2574-2582 [DOI: 10.1109/CVPR.2016.282]
Naseer M, Khan S, Hayat M, Khan F S and Porikli F. 2020. A self-supervised approach for adversarial robustness//Proceedings of 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Seattle: IEEE: 259-268 [DOI: 10.1109/CVPR42600.2020.00034]
Ras G, Xie N, Van Gerven M and Doran D. 2020. Explainable deep learning: a field guide for the uninitiated. arXiv preprint arXiv:2004.14545
Ross T D, Worrell S W, Velten V J, Mossing J C and Bryant M L. 1998. Standard SAR ATR evaluation experiments using the MSTAR public release data set//Proceedings of SPIE 3370, Algorithms for Synthetic Aperture Radar Imagery V. Orlando: SPIE: 566-573 [DOI: 10.1117/12.321859]
Selvaraju R R, Cogswell M, Das A, Vedantam R, Parikh D and Batra D. 2017. Grad-CAM: visual explanations from deep networks via gradient-based localization//Proceedings of 2017 IEEE International Conference on Computer Vision (ICCV). Venice: IEEE: 618-626 [DOI: 10.1109/ICCV.2017.74]
Sun H, Chen J, Lei L, Ji K F and Kuang G Y. 2021. Adversarial robustness of deep convolutional neural network based image recognition models: a review. Journal of Radars, 10(4): 571-594 [DOI: 10.12000/JR21048] (in Chinese)
Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I J and Fergus R. 2014. Intriguing properties of neural networks//Proceedings of the 2nd International Conference on Learning Representations. Banff: ICLR
Tong X D. 2016. Development of China high-resolution earth observation system. Journal of Remote Sensing, 20(5): 775-780 [DOI: 10.11834/JRS.20166302] (in Chinese)
Wiyatno R R, Xu A Q, Dia O and De Berker A. 2019. Adversarial examples in modern machine learning: a review. arXiv preprint arXiv:1911.05268
Xu Y H, Du B and Zhang L P. 2021. Assessing the threat of adversarial examples on deep neural networks for remote sensing scene classification: attacks and defenses. IEEE Transactions on Geoscience and Remote Sensing, 59(2): 1604-1617 [DOI: 10.1109/TGRS.2020.2999962]
Yang Y and Newsam S. 2010. Bag-of-visual-words and spatial extensions for land-use classification//Proceedings of the 18th SIGSPATIAL International Conference on Advances in Geographic Information Systems. San Jose: ACM: 270-279 [DOI: 10.1145/1869790.1869829]
Yuan X Y, He P, Zhu Q L and Li X L. 2019. Adversarial examples: attacks and defenses for deep learning. IEEE Transactions on Neural Networks and Learning Systems, 30(9): 2805-2824 [DOI: 10.1109/TNNLS.2018.2886017]
Zhou B L, Khosla A, Lapedriza A, Oliva A and Torralba A. 2016. Learning deep features for discriminative localization//Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition. Las Vegas: IEEE: 2921-2929 [DOI: 10.1109/CVPR.2016.319]
Zhu X X, Montazeri S, Ali M, Hua Y S, Wang Y Y, Mou L C, Shi Y L, Xu F and Bamler R. 2020. Deep learning meets SAR. arXiv preprint arXiv:2006.10027