雷达像智能识别对抗研究进展

高勋章 张志伟 刘梅 龚政辉 黎湘

高勋章, 张志伟, 刘梅, 等. 雷达像智能识别对抗研究进展[J]. 雷达学报, 2023, 12(4): 696–712. doi: 10.12000/JR23098
引用本文: 高勋章, 张志伟, 刘梅, 等. 雷达像智能识别对抗研究进展[J]. 雷达学报, 2023, 12(4): 696–712. doi: 10.12000/JR23098
GAO Xunzhang, ZHANG Zhiwei, LIU Mei, et al. Intelligent radar image recognition countermeasures: A review[J]. Journal of Radars, 2023, 12(4): 696–712. doi: 10.12000/JR23098
Citation: GAO Xunzhang, ZHANG Zhiwei, LIU Mei, et al. Intelligent radar image recognition countermeasures: A review[J]. Journal of Radars, 2023, 12(4): 696–712. doi: 10.12000/JR23098

雷达像智能识别对抗研究进展

DOI: 10.12000/JR23098
基金项目: 国家自然科学基金(61921001)
详细信息
    作者简介:

    高勋章,研究员,博士生导师,主要研究方向为雷达目标识别、智能信息处理

    张志伟,博士生,主要研究方向为雷达目标识别、智能对抗攻击与防御

    刘 梅,硕士生,主要研究方向为智能感知与处理、雷达目标识别

    龚政辉,助理研究员,主要研究方向为雷达对抗、雷达抗干扰、雷达通信一体化

    黎 湘,教授,博士生导师,主要研究方向为雷达目标特性与识别

    通讯作者:

    高勋章 gaoxunzhang@nudt.edu.cn

    张志伟 514131141@qq.com

  • 责任主编:徐丰 Corresponding Editor: XU Feng
  • 中图分类号: TP753

Intelligent Radar Image Recognition Countermeasures: A Review

Funds: The National Natural Science Foundation of China (61921001)
More Information
  • 摘要: 基于深度神经网络的雷达像智能识别技术已经成为雷达信息处理领域的前沿和热点。然而,深度神经网络模型易受到对抗攻击的威胁。攻击者可以在隐蔽的条件下误导智能目标识别模型做出错误预测,严重影响其识别精度和鲁棒性。该文梳理了近年来雷达像智能识别对抗技术发展现状,总结分析了现有雷达一维/二维像识别对抗攻击方法和防御方法的特点,最后讨论了当前雷达像智能识别对抗研究领域值得关注的5个开放问题。

     

  • 图  1  雷达目标对抗样本示例

    Figure  1.  Radar target adversarial sample

    图  2  深度模型识别原理图

    Figure  2.  Recognition process of deep neural network

    图  3  对抗攻击方法分类

    Figure  3.  Categories of adversarial attack

    图  4  基于全距离单元扰动[63]的HRRP对抗攻击示意图

    Figure  4.  All-range-cell[63] adversarial attacks on radar HRRP

    图  5  基于特定距离单元扰动[66]的HRRP对抗攻击示意图

    Figure  5.  Certain-range-cell[66] adversarial attacks on radar HRRP

    图  6  对抗防御方法分类

    Figure  6.  Categories of adversarial defense

    图  7  基于优化目标函数的防御方法

    Figure  7.  Adversarial defense based on optimizing objective function

    表  1  基于属性散射中心模型的典型雷达二维像对抗攻击方法

    Table  1.   Typical radar image adversarial attacks based on attribute scattering center model

    方法干净样本扰动对抗样本关键技术
    文献[46]散射中心提取,空域形变
    文献[47]单散射中心攻击
    文献[48]改进OMP算法,黑盒攻击
    下载: 导出CSV

    表  2  雷达二维像对抗攻击研究现状

    Table  2.   Summary of adversarial attacks on radar two-dimensional image

    文献攻击先验扰动范数验证模型数据集攻击特异性优缺点
    [33]白盒${L_\infty }$VGG[50]
    ResNet[51]
    DenseNet[52]
    GoogleNet[53]
    InceptionV3[54]
    MSTAR
    SENSAR[58]
    非定向验证光学方法的适用性和差异性,未结合雷达像特性
    [34]白盒${L_0}$A-ConvNet[10]MSTAR非定向
    [35]白盒${L_2}/{L_\infty }$自定义CNNMSTAR非定向
    [36]白盒${L_2}$ResNetMSTAR定向/非定向结合了雷达像自身特性和识别场景,未考虑对抗样本的物理实现问题
    [37]白盒/黑盒${L_2}/{L_0}$A-ConvNet
    ResNet
    MSTAR
    OpenSARship[59]
    定向/非定向
    [38]白盒${L_0}$ResNet
    VGG
    MobleNet-v2[55]
    So2Sat-LCZ42[60]非定向
    [40]黑盒${L_\infty }$AlexNet[56]
    ResNet
    DenseNet
    VGG
    A-ConvNet
    MSTAR
    SARSIM[61]
    非定向
    [41]白盒${L_\infty }$CNNMSTAR非定向对扰动区域进行初步限制,未建立扰动像素与雷达信号的对应关系
    [42]白盒/黑盒${L_2}$GoogleNet
    DenseNet
    InceptionV3
    ResNet
    MSTAR非定向
    [43]白盒${L_2}$自定义CNNMSTAR非定向
    [44]黑盒${L_\infty }$AconvNet
    VGG
    ResNet
    DenseNet
    InceptionV4[57]
    MSTAR非定向
    [46]白盒双线性变换ResNet
    MobileNet-v2
    MSTAR非定向考虑了单帧静止目标对抗样本的物理实现,未考虑目标运动过程中的扰动变化
    [47]白盒${L_0}/{L_2}/{L_\infty }$A-convNet
    VGG
    ResNet
    DenseNet
    MobileNet-v2
    MSTAR
    SARBake[62]
    非定向
    [48]黑盒${L_2}$VGG
    ResNet
    MobileNet
    MSTAR非定向
    下载: 导出CSV

    表  3  雷达一维像对抗攻击研究现状

    Table  3.   Summary of adversarial attacks on radar HRRP

    文献攻击先验扰动方式验证模型数据集攻击目标特点
    [63]白盒全距离单元自定义CNN3类飞机目标:雅克42;塞斯纳S/II;安26非定向仅设计数字域攻击,未考虑物理实现性
    [64]白盒全距离单元自定义CNN3类飞机目标:雅克42;塞斯纳 S/II;安26定向/非定向
    [65]白盒/黑盒全距离单元自定义CNN;全连接网络MSTAR数据集的HRRP还原数据[67]定向/非定向
    [66]白盒/黑盒特定距离单元AlexNet
    ResNet
    DenseNet
    InceptionNet
    3类飞机目标:雅克42;塞斯纳S/II;安26定向/非定向较好的物理实现性,未考虑目标姿态等因素带来的影响
    下载: 导出CSV

    表  4  雷达像识别对抗防御方法

    Table  4.   Summary of adversarial defense in radar image recognition

    防御层级文献验证模型数据集可防御优缺点
    输入端[73]ResNetUC-Merced[90]FGSM/PGD[91]/CW[20]/
    DeepFool[19]/
    HopSkipJump[92]/
    Square[93]
    仅需在数据端操作,影响干净样本识别率
    [74]ResNet
    DenseNet
    MobileNet
    ShuffleNet
    A-ConvNet
    MSTAR
    OpenSAR-Ship[59]
    FGSM/PGD/DeepFool/
    CW/SparseFool[94]/
    HopSkipJump/Square
    模型端[77]A-ConvNet
    VGG
    ResNet
    ShuffleNet
    MSTAR[11]FGSM[17]/PGD已知攻击类型时防御效果好,训练耗时
    [47]A-ConvNetMSTAR
    SARBake[62]
    PGD/SMGAA[47]
    [78]自定义CNNMSTARDeepFool具有较好的可解释性,难以兼容主流模型
    [79]SAR-BagNet[80]
    ResNet
    MSTARFGSM/PGD/
    CW/DeepFool
    输出端[87]VGG
    ResNet
    DenseNet
    MSTAR
    SARBake
    FGSM/BIM[18]/
    CW/DeepFool
    无需更改模型结构,难以单独胜任识别任务
    [88]ResNetMSTARFGSM/BIM/
    CW/DeepFool
    [89]VGG
    ResNet
    DenseNet
    MSTAR
    SARBake
    FGSM/BIM/
    CW/DeepFool
    下载: 导出CSV
  • [1] ZHU Xiaoxiang, MONTAZERI S, ALI M, et al. Deep learning meets SAR: Concepts, models, pitfalls, and perspectives[J]. IEEE Geoscience and Remote Sensing Magazine, 2021, 9(4): 143–172. doi: 10.1109/MGRS.2020.3046356
    [2] GOODFELLOW I J, SHLENS J, and SZEGEDY C. Explaining and harnessing adversarial examples[J]. arXiv preprint arXiv: 1412. 6572, 2014.
    [3] 孙浩, 陈进, 雷琳, 等. 深度卷积神经网络图像识别模型对抗鲁棒性技术综述[J]. 雷达学报, 2021, 10(4): 571–594. doi: 10.12000/JR21048

    SUN Hao, CHEN Jin, LEI Lin, et al. Adversarial robustness of deep convolutional neural network-based image recognition models: A review[J]. Journal of Radars, 2021, 10(4): 571–594. doi: 10.12000/JR21048
    [4] XU Yonghao, BAI Tao, YU Weikang, et al. AI security for geoscience and remote sensing: Challenges and future trends[J]. IEEE Geoscience and Remote Sensing Magazine, 2023, 11(2): 60–85. doi: 10.1109/MGRS.2023.3272825
    [5] CAO Dongsheng, HUANG Jianhua, YAN Jun, et al. Kernel k-nearest neighbor algorithm as a flexible SAR modeling tool[J]. Chemometrics and Intelligent Laboratory Systems, 2012, 114: 19–23. doi: 10.1016/j.chemolab.2012.01.008
    [6] 袁莉, 刘宏伟, 保铮. 基于中心矩特征的雷达HRRP自动目标识别[J]. 电子学报, 2004, 32(12): 2078–2081. doi: 10.3321/j.issn:0372-2112.2004.12.036

    YUAN Li, LIU Hongwei, and BAO Zheng. Automatic target recognition of radar HRRP based on central moments features[J]. Acta Electronica Sinica, 2004, 32(12): 2078–2081. doi: 10.3321/j.issn:0372-2112.2004.12.036
    [7] SAEPULOH A, KOIKE K, and OMURA M. Applying Bayesian decision classification to Pi-SAR polarimetric data for detailed extraction of the geomorphologic and structural features of an active volcano[J]. IEEE Geoscience and Remote Sensing Letters, 2012, 9(4): 554–558. doi: 10.1109/LGRS.2011.2174611
    [8] LI Min, ZHOU Gongjian, ZHAO Bin, et al. Sparse representation denoising for radar high resolution range profiling[J]. International Journal of Antennas and Propagation, 2014, 2014: 875895. doi: 10.1155/2014/875895
    [9] CHEN Wenchao, CHEN Bo, PENG Xiaojun, et al. Tensor RNN with Bayesian nonparametric mixture for radar HRRP modeling and target recognition[J]. IEEE Transactions on Signal Processing, 2021, 69: 1995–2009. doi: 10.1109/TSP.2021.3065847
    [10] CHEN Sizhe, WANG Haipeng, XU Feng, et al. Target classification using the deep convolutional networks for SAR images[J]. IEEE Transactions on Geoscience and Remote Sensing, 2016, 54(8): 4806–4817. doi: 10.1109/TGRS.2016.2551720
    [11] ROSS T D, WORRELL S W, VELTEN V J, et al. Standard SAR ATR evaluation experiments using the MSTAR public release data set[C]. SPIE 3370, Algorithms for Synthetic Aperture Radar Imagery, Orlando, USA, 1998: 566–573.
    [12] PEI Jifang, HUANG Yulin, HUO Weibo, et al. SAR automatic target recognition based on multiview deep learning framework[J]. IEEE Transactions on Geoscience and Remote Sensing, 2018, 56(4): 2196–2210. doi: 10.1109/TGRS.2017.2776357
    [13] SUN Yuanshuang, WANG Yinghua, LIU Hongwei, et al. SAR target recognition with limited training data based on angular rotation generative network[J]. IEEE Geoscience and Remote Sensing Letters, 2020, 17(11): 1928–1932. doi: 10.1109/LGRS.2019.2958379
    [14] HUANG Zhongling, PAN Zongxu, and LEI Bin. What, where, and how to transfer in SAR target recognition based on deep CNNs[J]. IEEE Transactions on Geoscience and Remote Sensing, 2020, 58(4): 2324–2336. doi: 10.1109/TGRS.2019.2947634
    [15] FU Kun, ZHANG Tengfei, ZHANG Yue, et al. Few-shot SAR target classification via metalearning[J]. IEEE Transactions on Geoscience and Remote Sensing, 2022, 60: 2000314. doi: 10.1109/TGRS.2021.3058249
    [16] SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[C]. 2nd International Conference on Learning Representations, Banff, Canada, 2014.
    [17] GOODFELLOW I J, SHLENS J, and SZEGEDY C. Explaining and harnessing adversarial examples[C]. 3rd International Conference on Learning Representations, San Diego, USA, 2015: 1050.
    [18] KURAKIN A, GOODFELLOW I J, and BENGIO S. Adversarial Examples in the Physical World[M]. YAMPOLSKIY R V. Artificial Intelligence Safety and Security. New York: Chapman and Hall/CRC, 2018: 99–112.
    [19] MOOSAVI-DEZFOOLI S M, FAWZI A, and FROSSARD P. DeepFool: A simple and accurate method to fool deep neural networks[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 2574–2582.
    [20] CARLINI N and WAGNER D. Towards evaluating the robustness of neural networks[C]. 2017 IEEE Symposium on Security and Privacy (SP), San Jose, USA, 2017: 39–57.
    [21] PAPERNOT N, MCDANIEL P, JHA S, et al. The limitations of deep learning in adversarial settings[C]. 2016 IEEE European Symposium on Security and Privacy (EuroS&P), Saarbruecken, Germany, 2016: 372–387.
    [22] SU Jiawei, VARGAS D V, and SAKURAI K. One pixel attack for fooling deep neural networks[J]. IEEE Transactions on Evolutionary Computation, 2019, 23(5): 828–841. doi: 10.1109/TEVC.2019.2890858
    [23] POURSAEED O, KATSMAN I, GAO Bicheng, et al. Generative adversarial perturbations[C]. 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, USA, 2018: 4422–4431.
    [24] DU Chuan and ZHANG Lei. Adversarial attack for SAR target recognition based on UNet-generative adversarial network[J]. Remote Sensing, 2021, 13(21): 4358. doi: 10.3390/rs13214358
    [25] XIAO Chaowei, LI Bo, ZHU Junyan, et al. Generating adversarial examples with adversarial networks[C]. 27th International Joint Conference on Artificial Intelligence, Stockholm, Sweden, 2018: 3905–3911.
    [26] ILYAS A, ENGSTROM L, ATHALYE A, et al. Black-box adversarial attacks with limited queries and information[C]. 35th International Conference on Machine Learning, Stockholm, Sweden, 2018: 2142–2151.
    [27] GUO Chuan, GARDNER J R, YOU Yurong, et al. Simple black-box adversarial attacks[C]. 36th International Conference on Machine Learning, Long Beach, USA, 2019: 2484–2493.
    [28] TASHIRO Y, SONG Y, ERMON S. Diversity can be transferred: Output diversification for white-and black-box attacks[C]. The 34th International Conference on Neural Information Processing Systems. 2020: 4536–4548.
    [29] GUO Wei, TONDI B, and BARNI M. A master key backdoor for universal impersonation attack against DNN-based face verification[J]. Pattern Recognition Letters, 2021, 144: 61–67. doi: 10.1016/j.patrec.2021.01.009
    [30] GU Tianyu, LIU Kang, DOLAN-GAVITT B, et al. BadNets: Evaluating backdooring attacks on deep neural networks[J]. IEEE Access, 2019, 7: 47230–47244. doi: 10.1109/ACCESS.2019.2909068
    [31] BREWER E, LIN J, and RUNFOLA D. Susceptibility & defense of satellite image-trained convolutional networks to backdoor attacks[J]. Information Sciences, 2022, 603: 244–261. doi: 10.1016/j.ins.2022.05.004
    [32] ISLAM S, BADSHA S, KHALIL I, et al. A triggerless backdoor attack and defense mechanism for intelligent task offloading in multi-UAV systems[J]. IEEE Internet of Things Journal, 2023, 10(7): 5719–5732. doi: 10.1109/JIOT.2022.3172936
    [33] LI Haifeng, HUANG Haikuo, CHEN Li, et al. Adversarial examples for CNN-based SAR image classification: An experience study[J]. IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing, 2021, 14: 1333–1347. doi: 10.1109/JSTARS.2020.3038683
    [34] 周隽凡, 孙浩, 雷琳, 等. SAR图像稀疏对抗攻击[J]. 信号处理, 2021, 37(9): 1633–1643. doi: 10.16798/j.issn.1003-0530.2021.09.007

    ZHOU Junfan, SUN Hao, LEI Lin, et al. Sparse adversarial attack of SAR image[J]. Journal of Signal Processing, 2021, 37(9): 1633–1643. doi: 10.16798/j.issn.1003-0530.2021.09.007
    [35] WANG Lulu, WANG Xiaolei, MA Shixin, et al. Universal adversarial perturbation of SAR images for deep learning based target classification[C]. 2021 IEEE 4th International Conference on Electronics Technology (ICET), Chengdu, China, 2021: 1272–1276.
    [36] DU Chuan, HUO Chaoying, ZHANG Lei, et al. Fast C&W: A fast adversarial attack algorithm to fool SAR target recognition with deep convolutional neural networks[J]. IEEE Geoscience and Remote Sensing Letters, 2022, 19: 4010005. doi: 10.1109/LGRS.2021.3058011
    [37] ZHANG Fan, MENG Tianying, XIANG Deliang, et al. Adversarial deception against SAR target recognition network[J]. IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing, 2022, 15: 4507–4520. doi: 10.1109/JSTARS.2022.3179171
    [38] 徐延杰, 孙浩, 雷琳, 等. 基于稀疏差分协同进化的多源遥感场景分类攻击[J]. 信号处理, 2021, 37(7): 1164–1170. doi: 10.16798/j.issn.1003-0530.2021.07.005

    XU Yanjie, SUN Hao, LEI Lin, et al. Multi-source remote sensing classification attack based on sparse differential coevolution[J]. Journal of Signal Processing, 2021, 37(7): 1164–1170. doi: 10.16798/j.issn.1003-0530.2021.07.005
    [39] RONNEBERGER O, FISCHER P, and BROX T. U-net: Convolutional networks for biomedical image segmentation[C]. 18th International Conference on Medical Image Computing and Computer-Assisted Intervention, Munich, Germany, 2015: 234–241.
    [40] PENG Bowen, PENG Bo, YONG Shaowei, et al. An empirical study of fully black-box and universal adversarial attack for SAR target recognition[J]. Remote Sensing, 2022, 14(16): 4017. doi: 10.3390/rs14164017
    [41] DANG Xunwang, YAN Hua, HU Liping, et al. SAR image adversarial samples generation based on parametric model[C]. 2021 International Conference on Microwave and Millimeter Wave Technology (ICMMT), Nanjing, China, 2021: 1–3.
    [42] DU M, BI D, DU M, et al. Local aggregative attack on SAR image classification models[J]. Authorea Preprints, 2022.
    [43] MENG Tianying, ZHANG Fan, and MA Fei. A target-region-based SAR ATR adversarial deception method[C]. 2022 7th International Conference on Signal and Image Processing (ICSIP), Suzhou, China, 2022: 142–146.
    [44] PENG Bowen, PENG Bo, ZHOU Jie, et al. Speckle-variant attack: Toward transferable adversarial attack to SAR target recognition[J]. IEEE Geoscience and Remote Sensing Letters, 2022, 19: 4509805. doi: 10.1109/LGRS.2022.3184311
    [45] GERRY M J, POTTER L C, GUPTA I J, et al. A parametric model for synthetic aperture radar measurements[J]. IEEE Transactions on Antennas and Propagation, 1999, 47(7): 1179–1188. doi: 10.1109/8.785750
    [46] ZHOU Junfan, FENG Sijia, SUN Hao, et al. Attributed scattering center guided adversarial attack for DCNN SAR target recognition[J]. IEEE Geoscience and Remote Sensing Letters, 2023, 20: 4001805. doi: 10.1109/LGRS.2023.3235051
    [47] PENG Bowen, PENG Bo, ZHOU Jie, et al. Scattering model guided adversarial examples for SAR target recognition: Attack and defense[J]. IEEE Transactions on Geoscience and Remote Sensing, 2022, 60: 5236217. doi: 10.1109/TGRS.2022.3213305
    [48] QIN Weibo, LONG Bo, and WANG Feng. SCMA: A scattering center model attack on CNN-SAR target recognition[J]. IEEE Geoscience and Remote Sensing Letters, 2023, 20: 4003305. doi: 10.1109/LGRS.2023.3253189
    [49] LIU Hongwei, JIU Bo, LI Fei, et al. Attributed scattering center extraction algorithm based on sparse representation with dictionary refinement[J]. IEEE Transactions on Antennas and Propagation, 2017, 65(5): 2604–2614. doi: 10.1109/TAP.2017.2673764
    [50] SIMONYAN K and ZISSERMAN A. Very deep convolutional networks for large-scale image recognition[C]. 3rd International Conference on Learning Representations, San Diego, USA, 2014.
    [51] HE Kaiming, ZHANG Xiangyu, REN Shaoqing, et al. Deep residual learning for image recognition[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 770–778.
    [52] HUANG Gao, LIU Zhuang, VAN DER MAATEN L, et al. Densely connected convolutional networks[C]. 2017 IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, USA, 2017: 2261–2269.
    [53] SZEGEDY C, LIU Wei, JIA Yangqing, et al. Going deeper with convolutions[C]. 2015 IEEE Conference on Computer Vision and Pattern Recognition, Boston, USA, 2015: 1–9.
    [54] SZEGEDY C, VANHOUCKE V, IOFFE S, et al. Rethinking the inception architecture for computer vision[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 2818–2826.
    [55] SANDLER M, HOWARD A, ZHU Menglong, et al. MobileNetV2: Inverted residuals and linear bottlenecks[C]. 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, USA, 2018: 4510–4520.
    [56] KRIZHEVSKY A, SUTSKEVER I, and HINTON G E. ImageNet classification with deep convolutional neural networks[J]. Communications of the ACM, 2017, 60(6): 84–90. doi: 10.1145/3065386
    [57] SZEGEDY C, IOFFE S, VANHOUCKE V, et al. Inception-v4, inception-ResNet and the impact of residual connections on learning[C]. Thirty-First AAAI Conference on Artificial Intelligence, San Francisco, USA, 2017: 4278–4284.
    [58] SCHMITT M, HUGHES L H, and ZHU X X. The SEN1–2 dataset for deep learning in Sar-optical data fusion[J]. ISPRS Annals of the Photogrammetry, Remote Sensing and Spatial Information Sciences, 2018, 4: 141–146. doi: 10.5194/isprs-annals-IV-1-141-2018
    [59] HUANG Lanqing, LIU Bin, LI Boying, et al. OpenSARShip: A dataset dedicated to Sentinel-1 ship interpretation[J]. IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing, 2018, 11(1): 195–208. doi: 10.1109/JSTARS.2017.2755672
    [60] ZHU Xiaoxiang, HU Jingliang, QIU Chunping, et al. So2Sat LCZ42: A benchmark data set for the classification of global local climate zones [Software and Data Sets][J]. IEEE Geoscience and Remote Sensing Magazine, 2020, 8(3): 76–89. doi: 10.1109/MGRS.2020.2964708
    [61] MALMGREN-HANSEN D, KUSK A, DALL J, et al. Improving SAR automatic target recognition models with transfer learning from simulated data[J]. IEEE Geoscience and remote sensing Letters, 2017, 14(9): 1484–1488. doi: 10.1109/LGRS.2017.2717486
    [62] MALMGREN-HANSEN D and NOBEL-JØRGENSEN M. Convolutional neural networks for SAR image segmentation[C]. 2015 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT), Abu Dhabi, United Arab Emirates, 2015: 231–236.
    [63] YUAN Yijun, WAN Jinwei, and CHEN Bo. Robust attack on deep learning based radar HRRP target recognition[C]. 2019 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC), Lanzhou, China, 2019: 704–707.
    [64] 万锦伟. 基于深度网络的HRRP目标识别与对抗攻击研究[D]. [博士论文], 西安电子科技大学, 2020.

    WAN Jinwei. Research on HRRP target recognition and adversarial attacks based on deep neural networks[D]. [Ph. D. dissertation], Xidian University, 2020.
    [65] HUANG Teng, CHEN Yongfeng, YAO Bingjian, et al. Adversarial attacks on deep-learning-based radar range profile target recognition[J]. Information Sciences, 2020, 531: 159–176. doi: 10.1016/j.ins.2020.03.066
    [66] DU Chuan, CONG Yulai, ZHANG Lei, et al. A practical deceptive jamming method based on vulnerable location awareness adversarial attack for radar HRRP target recognition[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 2410–2424. doi: 10.1109/TIFS.2022.3170275
    [67] GAO Fei, HUANG Teng, WANG Jun, et al. A novel multi-input bidirectional LSTM and HMM based approach for target recognition from multi-domain radar range profiles[J]. Electronics, 2019, 8(5): 535. doi: 10.3390/electronics8050535
    [68] YANG Yuzhe, ZHANG Guo, XU Zhi, et al. ME-Net: Towards effective adversarial robustness with matrix estimation[C]. 36th International Conference on Machine Learning, Long Beach, USA, 2019: 7025–7034.
    [69] WANG Yutong, ZHANG Wenwen, SHEN Tianyu, et al. Binary thresholding defense against adversarial attacks[J]. Neurocomputing, 2021, 445: 61–71. doi: 10.1016/j.neucom.2021.03.036
    [70] LeCun Y. The MNIST database of handwritten digits[EB/OL]. http://yann.lecun.com/exdb/mnist/, 1998.
    [71] MUSTAFA A, KHAN S H, HAYAT M, et al. Image super-resolution as a defense against adversarial attacks[J]. IEEE Transactions on Image Processing, 2020, 29: 1711–1724. doi: 10.1109/TIP.2019.2940533
    [72] AGARWAL A, SINGH R, VATSA M, et al. Image transformation-based defense against adversarial perturbation on deep learning models[J]. IEEE Transactions on Dependable and Secure Computing, 2021, 18(5): 2106–2121. doi: 10.1109/TDSC.2020.3027183
    [73] 孙浩, 徐延杰, 陈进, 等. 基于自监督对比学习的深度神经网络对抗鲁棒性提升[J]. 信号处理, 2021, 37(6): 903–911. doi: 10.16798/j.issn.1003-0530.2021.06.001

    SUN Hao, XU Yanjie, CHEN Jin, et al. Self-supervised contrastive learning for improving the adversarial robustness of deep neural networks[J]. Journal of Signal Processing, 2021, 37(6): 903–911. doi: 10.16798/j.issn.1003-0530.2021.06.001
    [74] XU Yanjie, SUN Hao, CHEN Jin, et al. Adversarial self-supervised learning for robust SAR target recognition[J]. Remote Sensing, 2021, 13(20): 4158. doi: 10.3390/rs13204158
    [75] SONG Chuanbiao, HE Kun, LIN Jiadong, et al. Robust local features for improving the generalization of adversarial training[C]. 8th International Conference on Learning Representations, Addis Ababa, Ethiopia, 2020.
    [76] ZHANG Hongyang, YU Yaodong, JIAO Jiantao, et al. Theoretically principled trade-off between robustness and accuracy[C]. 36th International Conference on Machine Learning, Long Beach, USA, 2019: 7472–7482.
    [77] INKAWHICH N, DAVIS E, MAJUMDER U, et al. Advanced techniques for robust SAR ATR: Mitigating noise and phase errors[C]. 2020 IEEE International Radar Conference (RADAR), Washington, USA, 2020: 844–849.
    [78] WAGNER S, PANATI C, and BRÜGGENWIRTH S. Fool the COOL-on the robustness of deep learning SAR ATR systems[C]. 2021 IEEE Radar Conference (RadarConf21), Atlanta, USA, 2021: 1–6.
    [79] LI Peng, HU Xiaowei, FENG Cunqian, et al. SAR-AD-BagNet: An interpretable model for SAR image recognition based on adversarial defense[J]. IEEE Geoscience and Remote Sensing Letters, 2023, 20: 4000505. doi: 10.1109/LGRS.2022.3230243
    [80] LI Peng, FENG Cunqian, HU Xiaowei, et al. SAR-BagNet: An ante-hoc interpretable recognition model based on deep network for SAR image[J]. Remote Sensing, 2022, 14(9): 2150. doi: 10.3390/rs14092150
    [81] HENDRYCKS D and GIMPEL K. Early methods for detecting adversarial images[C]. 5th International Conference on Learning Representations, Toulon, France, 2017.
    [82] FEINMAN R, CURTIN R R, SHINTRE S, et al. Detecting adversarial samples from artifacts[OL]. https://arxiv.org/abs/1703.00410.
    [83] MA Xingjun, LI Bo, WANG Yisen, et al. Characterizing adversarial subspaces using local intrinsic dimensionality[C]. 6th International Conference on Learning Representations, Vancouver, Canada, 2018.
    [84] LEE K, LEE K, LEE H, et al. A simple unified framework for detecting out-of-distribution samples and adversarial attacks[C]. 32nd International Conference on Neural Information Processing Systems, Montréal, Canada, 2018: 7167–7177.
    [85] ZHAO Chenxiao, FLETCHER P T, YU Mixue, et al. The adversarial attack and detection under the fisher information metric[C]. Thirty-Third AAAI Conference on Artificial Intelligence, Honolulu, USA, 2019: 5869–5876.
    [86] COHEN G, SAPIRO G, and GIRYES R. Detecting adversarial samples using influence functions and nearest neighbors[C]. 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Seattle, USA, 2020: 14441–14450.
    [87] ZHANG Zhiwei, LIU Shuowei, GAO Xunzhang, et al. An empirical study towards SAR adversarial examples[C]. 2022 International Conference on Image Processing, Computer Vision and Machine Learning (ICICML), Xi’an, China, 2022: 127–132.
    [88] ZHANG Zhiwei, LIU Shuowei, GAO Xunzhang, et al. Improving adversarial detection methods for SAR image via joint contrastive cross-entropy training[C]. 4th International Academic Exchange Conference on Science and Technology Innovation (IAECST), Guangzhou, China, 2022: 1107–1110.
    [89] ZHANG Zhiwei, GAO Xunzhang, LIU Shuowei, et al. Energy-based adversarial example detection for SAR images[J]. Remote Sensing, 2022, 14(20): 5168. doi: 10.3390/rs14205168
    [90] YANG Yi and NEWSAM S. Bag-of-visual-words and spatial extensions for land-use classification[C]. 18th SIGSPATIAL International Conference on Advances in Geographic Information Systems, San Jose, USA, 2010: 270–279.
    [91] MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[C]. 6th International Conference on Learning Representations, Vancouver, Canada, 2018.
    [92] CHEN Jianbo, JORDAN M I, and WAINWRIGHT M J. HopSkipJumpAttack: A query-efficient decision-based attack[C]. 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, USA, 2020: 1277–1294.
    [93] ANDRIUSHCHENKO M, CROCE F, FLAMMARION N, et al. Square attack: A query-efficient black-box adversarial attack via random search[C]. 16th European Conference on Computer Vision, Glasgow, UK, 2020: 484–501.
    [94] MODAS A, MOOSAVI-DEZFOOLI S M, and FROSSARD P. SparseFool: A few pixels make a big difference[C]. 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Long Beach, USA, 2019: 9079–9088.
    [95] YUAN Xuejing, CHEN Yuxuan, ZHAO Yue, et al. Commandersong: A systematic approach for practical adversarial voice recognition[C]. 27th USENIX Conference on Security Symposium, Baltimore, USA, 2018: 49–64.
    [96] DAS N, SHANBHOGUE M, CHEN S T, et al. ADAGIO: Interactive experimentation with adversarial attack and defense for audio[C]. Joint European Conference on Machine Learning and Knowledge Discovery in Databases, Dublin, Ireland, 2019: 677–681.
    [97] DOAN K, LAO Y, and LI P. Backdoor attack with imperceptible input and latent modification[J]. Advances in Neural Information Processing Systems, 2021, 34: 18944–18957.
    [98] BAGDASARYAN E and SHMATIKOV V. Blind backdoors in deep learning models[C]. 30th USENIX Security Symposium, 2021: 1505–1521.
    [99] DOAN K, LAO Yingjie, ZHAO Weijie, et al. LIRA: Learnable, imperceptible and robust backdoor attacks[C]. 2021 IEEE/CVF International Conference on Computer Vision (ICCV), Montreal, Canada, 2021: 11946–11956.
    [100] SAHA A, SUBRAMANYA A, and PIRSIAVASH H. Hidden trigger backdoor attacks[C]. 34th AAAI Conference on Artificial Intelligence, New York, USA, 2020: 11957–11965.
    [101] SHUMAILOV I, SHUMAYLOV Z, KAZHDAN D, et al. Manipulating SGD with data ordering attacks[C]. 34th International Conference on Neural Information Processing Systems, 2021: 18021–18032.
    [102] SOURI H, FOWL L, CHELLAPPA R, et al. Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch[J]. Advances in Neural Information Processing Systems, 2022, 35: 19165–19178.
    [103] DOAN B G, ABBASNEJAD E, and RANASINGHE D C. Februus: Input purification defense against Trojan attacks on deep neural network systems[C]. Annual Computer Security Applications Conference, Austin, USA, 2020: 897–912.
    [104] WANG Bolun, YAO Yuanshun, SHAN S, et al. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks[C]. 2019 IEEE Symposium on Security and Privacy (SP), San Francisco, USA, 2019: 707–723.
    [105] GIRSHICK R. Fast r-CNN[C]. 2015 IEEE International Conference on Computer Vision, Santiago, Chile, 2015: 1440–1448.
    [106] REDMON J, DIVVALA S, GIRSHICK R, et al. You only look once: Unified, real-time object detection[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 779–788.
    [107] CHOW K H, LIU Ling, LOPER M, et al. Adversarial objectness gradient attacks in real-time object detection systems[C]. 2020 Second IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA), Atlanta, USA, 2020: 263–272.
    [108] WANG Yajie, LV Haoran, KUANG Xiaohui, et al. Towards a physical-world adversarial patch for blinding object detection models[J]. Information Sciences, 2021, 556: 459–471. doi: 10.1016/j.ins.2020.08.087
    [109] 张磊, 陈晓晴, 郑熠宁, 等. 电磁超表面与信息超表面[J]. 电波科学学报, 2021, 36(6): 817–828. doi: 10.12265/j.cjors.2021218

    ZHANG Lei, CHEN Xiaoqing, ZHENG Yining, et al. Electromagnetic metasurfaces and information metasurfaces[J]. Chinese Journal of Radio Science, 2021, 36(6): 817–828. doi: 10.12265/j.cjors.2021218
  • 加载中
图(7) / 表(4)
计量
  • 文章访问数:  1859
  • HTML全文浏览量:  508
  • PDF下载量:  442
  • 被引次数: 0
出版历程
  • 收稿日期:  2023-05-29
  • 修回日期:  2023-07-13
  • 网络出版日期:  2023-07-26
  • 刊出日期:  2023-08-28

目录

    /

    返回文章
    返回