Abstract: Intelligent radar image recognition based on Deep Neural Networks (DNNs) has become a frontier and hot topic in radar information processing. However, DNN models are susceptible to adversarial attacks: an attacker can covertly mislead an intelligent target recognition model into making incorrect predictions, seriously degrading its recognition accuracy and robustness. This article reviews recent progress in adversarial research on intelligent radar image recognition, summarizes and analyzes the characteristics of existing adversarial attack methods and defense methods for one- and two-dimensional radar image recognition, and finally discusses five open questions in this field that merit attention.
Table 1. Typical adversarial attacks on two-dimensional radar images based on the attributed scattering center model
Table 2. Summary of adversarial attacks on two-dimensional radar images
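
| Ref. | Attack prior | Perturbation norm | Models evaluated | Datasets | Attack specificity | Strengths and limitations |
|---|---|---|---|---|---|---|
| [33] | White-box | $L_\infty$ | VGG[50], ResNet[51], DenseNet[52], GoogleNet[53], InceptionV3[54] | MSTAR, SENSAR[58] | Untargeted | Verifies the applicability of, and differences from, optical-image methods; does not incorporate radar image characteristics |
| [34] | White-box | $L_0$ | A-ConvNet[10] | MSTAR | Untargeted | |
| [35] | White-box | $L_2$/$L_\infty$ | Custom CNN | MSTAR | Untargeted | |
| [36] | White-box | $L_2$ | ResNet | MSTAR | Targeted/untargeted | Incorporates radar image characteristics and the recognition scenario; does not consider the physical realization of adversarial examples |
| [37] | White-box/black-box | $L_2$/$L_0$ | A-ConvNet, ResNet | MSTAR, OpenSARShip[59] | Targeted/untargeted | |
| [38] | White-box | $L_0$ | ResNet, VGG, MobileNet-v2[55] | So2Sat-LCZ42[60] | Untargeted | |
| [40] | Black-box | $L_\infty$ | AlexNet[56], ResNet, DenseNet, VGG, A-ConvNet | MSTAR, SARSIM[61] | Untargeted | |
| [41] | White-box | $L_\infty$ | CNN | MSTAR | Untargeted | Applies a preliminary restriction on the perturbed region; does not establish the correspondence between perturbed pixels and radar signals |
| [42] | White-box/black-box | $L_2$ | GoogleNet, DenseNet, InceptionV3, ResNet | MSTAR | Untargeted | |
| [43] | White-box | $L_2$ | Custom CNN | MSTAR | Untargeted | |
| [44] | Black-box | $L_\infty$ | A-ConvNet, VGG, ResNet, DenseNet, InceptionV4[57] | MSTAR | Untargeted | |
| [46] | White-box | Bilinear transformation | ResNet, MobileNet-v2 | MSTAR | Untargeted | Considers the physical realization of adversarial examples for a single-frame stationary target; does not consider how the perturbation changes while the target moves |
| [47] | White-box | $L_0$/$L_2$/$L_\infty$ | A-ConvNet, VGG, ResNet, DenseNet, MobileNet-v2 | MSTAR, SARBake[62] | Untargeted | |
| [48] | Black-box | $L_2$ | VGG, ResNet, MobileNet | MSTAR | Untargeted | |

Table 3. Summary of adversarial attacks on one-dimensional radar images (HRRP)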
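Table 4. Summary of adversarial defense methods in radar image recognition

| Defense level | Ref. | Models evaluated | Datasets | Attacks defended | Strengths and limitations |
|---|---|---|---|---|---|
| Input | [73] | ResNet | UC-Merced[90] | FGSM/PGD[91]/CW[20]/DeepFool[19]/HopSkipJump[92]/Square[93] | Operates only on the data side; affects the recognition rate on clean samples |
| | [74] | ResNet, DenseNet, MobileNet, ShuffleNet, A-ConvNet | MSTAR, OpenSARShip[59] | FGSM/PGD/DeepFool/CW/SparseFool[94]/HopSkipJump/Square | |
| Model | [77] | A-ConvNet, VGG, ResNet, ShuffleNet | MSTAR[11] | FGSM[17]/PGD | Defends well when the attack type is known; training is time-consuming |
| | [47] | A-ConvNet | MSTAR, SARBake[62] | PGD/SMGAA[47] | |
| | [78] | Custom CNN | MSTAR | DeepFool | Good interpretability; difficult to make compatible with mainstream models |
| | [79] | SAR-BagNet[80], ResNet | MSTAR | FGSM/PGD/CW/DeepFool | |
| Output | [87] | VGG, ResNet, DenseNet | MSTAR, SARBake | FGSM/BIM[18]/CW/DeepFool | Requires no change to the model architecture; cannot handle the recognition task on its own |
| | [88] | ResNet | MSTAR | FGSM/BIM/CW/DeepFool | |
| | [89] | VGG, ResNet, DenseNet | MSTAR, SARBake | FGSM/BIM/CW/DeepFool | |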

[1] ZHU Xiaoxiang, MONTAZERI S, ALI M, et al. Deep learning meets SAR: Concepts, models, pitfalls, and perspectives[J]. IEEE Geoscience and Remote Sensing Magazine, 2021, 9(4): 143–172. doi: 10.1109/MGRS.2020.3046356
[2] GOODFELLOW I J, SHLENS J, and SZEGEDY C. Explaining and harnessing adversarial examples[J]. arXiv preprint arXiv:1412.6572, 2014.
[3] SUN Hao, CHEN Jin, LEI Lin, et al. Adversarial robustness of deep convolutional neural network-based image recognition models: A review[J]. Journal of Radars, 2021, 10(4): 571–594. doi: 10.12000/JR21048 (in Chinese)
[4] XU Yonghao, BAI Tao, YU Weikang, et al. AI security for geoscience and remote sensing: Challenges and future trends[J]. IEEE Geoscience and Remote Sensing Magazine, 2023, 11(2): 60–85. doi: 10.1109/MGRS.2023.3272825
[5] CAO Dongsheng, HUANG Jianhua, YAN Jun, et al. Kernel k-nearest neighbor algorithm as a flexible SAR modeling tool[J]. Chemometrics and Intelligent Laboratory Systems, 2012, 114: 19–23. doi: 10.1016/j.chemolab.2012.01.008
[6] YUAN Li, LIU Hongwei, and BAO Zheng. Automatic target recognition of radar HRRP based on central moments features[J]. Acta Electronica Sinica, 2004, 32(12): 2078–2081. doi: 10.3321/j.issn:0372-2112.2004.12.036 (in Chinese)
[7] SAEPULOH A, KOIKE K, and OMURA M. Applying Bayesian decision classification to Pi-SAR polarimetric data for detailed extraction of the geomorphologic and structural features of an active volcano[J]. IEEE Geoscience and Remote Sensing Letters, 2012, 9(4): 554–558. doi: 10.1109/LGRS.2011.2174611
[8] LI Min, ZHOU Gongjian, ZHAO Bin, et al. Sparse representation denoising for radar high resolution range profiling[J]. International Journal of Antennas and Propagation, 2014, 2014: 875895. doi: 10.1155/2014/875895
[9] CHEN Wenchao, CHEN Bo, PENG Xiaojun, et al. Tensor RNN with Bayesian nonparametric mixture for radar HRRP modeling and target recognition[J]. IEEE Transactions on Signal Processing, 2021, 69: 1995–2009. doi: 10.1109/TSP.2021.3065847
[10] CHEN Sizhe, WANG Haipeng, XU Feng, et al. Target classification using the deep convolutional networks for SAR images[J]. IEEE Transactions on Geoscience and Remote Sensing, 2016, 54(8): 4806–4817. doi: 10.1109/TGRS.2016.2551720
[11] ROSS T D, WORRELL S W, VELTEN V J, et al. Standard SAR ATR evaluation experiments using the MSTAR public release data set[C]. SPIE 3370, Algorithms for Synthetic Aperture Radar Imagery, Orlando, USA, 1998: 566–573.
[12] PEI Jifang, HUANG Yulin, HUO Weibo, et al. SAR automatic target recognition based on multiview deep learning framework[J]. IEEE Transactions on Geoscience and Remote Sensing, 2018, 56(4): 2196–2210. doi: 10.1109/TGRS.2017.2776357
[13] SUN Yuanshuang, WANG Yinghua, LIU Hongwei, et al. SAR target recognition with limited training data based on angular rotation generative network[J]. IEEE Geoscience and Remote Sensing Letters, 2020, 17(11): 1928–1932. doi: 10.1109/LGRS.2019.2958379
[14] HUANG Zhongling, PAN Zongxu, and LEI Bin. What, where, and how to transfer in SAR target recognition based on deep CNNs[J]. IEEE Transactions on Geoscience and Remote Sensing, 2020, 58(4): 2324–2336. doi: 10.1109/TGRS.2019.2947634
[15] FU Kun, ZHANG Tengfei, ZHANG Yue, et al. Few-shot SAR target classification via metalearning[J]. IEEE Transactions on Geoscience and Remote Sensing, 2022, 60: 2000314. doi: 10.1109/TGRS.2021.3058249
[16] SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[C]. 2nd International Conference on Learning Representations, Banff, Canada, 2014.
[17] GOODFELLOW I J, SHLENS J, and SZEGEDY C. Explaining and harnessing adversarial examples[C]. 3rd International Conference on Learning Representations, San Diego, USA, 2015: 1050.
[18] KURAKIN A, GOODFELLOW I J, and BENGIO S. Adversarial Examples in the Physical World[M]. YAMPOLSKIY R V. Artificial Intelligence Safety and Security. New York: Chapman and Hall/CRC, 2018: 99–112.
[19] MOOSAVI-DEZFOOLI S M, FAWZI A, and FROSSARD P. DeepFool: A simple and accurate method to fool deep neural networks[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 2574–2582.
[20] CARLINI N and WAGNER D. Towards evaluating the robustness of neural networks[C]. 2017 IEEE Symposium on Security and Privacy (SP), San Jose, USA, 2017: 39–57.
[21] PAPERNOT N, MCDANIEL P, JHA S, et al. The limitations of deep learning in adversarial settings[C]. 2016 IEEE European Symposium on Security and Privacy (EuroS&P), Saarbruecken, Germany, 2016: 372–387.
[22] SU Jiawei, VARGAS D V, and SAKURAI K. One pixel attack for fooling deep neural networks[J]. IEEE Transactions on Evolutionary Computation, 2019, 23(5): 828–841. doi: 10.1109/TEVC.2019.2890858
[23] POURSAEED O, KATSMAN I, GAO Bicheng, et al. Generative adversarial perturbations[C]. 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, USA, 2018: 4422–4431.
[24] DU Chuan and ZHANG Lei. Adversarial attack for SAR target recognition based on UNet-generative adversarial network[J]. Remote Sensing, 2021, 13(21): 4358. doi: 10.3390/rs13214358
[25] XIAO Chaowei, LI Bo, ZHU Junyan, et al. Generating adversarial examples with adversarial networks[C]. 27th International Joint Conference on Artificial Intelligence, Stockholm, Sweden, 2018: 3905–3911.
[26] ILYAS A, ENGSTROM L, ATHALYE A, et al. Black-box adversarial attacks with limited queries and information[C]. 35th International Conference on Machine Learning, Stockholm, Sweden, 2018: 2142–2151.
[27] GUO Chuan, GARDNER J R, YOU Yurong, et al. Simple black-box adversarial attacks[C]. 36th International Conference on Machine Learning, Long Beach, USA, 2019: 2484–2493.
[28] TASHIRO Y, SONG Y, and ERMON S. Diversity can be transferred: Output diversification for white-and black-box attacks[C]. The 34th International Conference on Neural Information Processing Systems. 2020: 4536–4548.
[29] GUO Wei, TONDI B, and BARNI M. A master key backdoor for universal impersonation attack against DNN-based face verification[J]. Pattern Recognition Letters, 2021, 144: 61–67. doi: 10.1016/j.patrec.2021.01.009
[30] GU Tianyu, LIU Kang, DOLAN-GAVITT B, et al. BadNets: Evaluating backdooring attacks on deep neural networks[J]. IEEE Access, 2019, 7: 47230–47244. doi: 10.1109/ACCESS.2019.2909068
[31] BREWER E, LIN J, and RUNFOLA D. Susceptibility & defense of satellite image-trained convolutional networks to backdoor attacks[J]. Information Sciences, 2022, 603: 244–261. doi: 10.1016/j.ins.2022.05.004
[32] ISLAM S, BADSHA S, KHALIL I, et al. A triggerless backdoor attack and defense mechanism for intelligent task offloading in multi-UAV systems[J]. IEEE Internet of Things Journal, 2023, 10(7): 5719–5732. doi: 10.1109/JIOT.2022.3172936
[33] LI Haifeng, HUANG Haikuo, CHEN Li, et al. Adversarial examples for CNN-based SAR image classification: An experience study[J]. IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing, 2021, 14: 1333–1347. doi: 10.1109/JSTARS.2020.3038683
[34] ZHOU Junfan, SUN Hao, LEI Lin, et al. Sparse adversarial attack of SAR image[J]. Journal of Signal Processing, 2021, 37(9): 1633–1643. doi: 10.16798/j.issn.1003-0530.2021.09.007 (in Chinese)
[35] WANG Lulu, WANG Xiaolei, MA Shixin, et al. Universal adversarial perturbation of SAR images for deep learning based target classification[C]. 2021 IEEE 4th International Conference on Electronics Technology (ICET), Chengdu, China, 2021: 1272–1276.
[36] DU Chuan, HUO Chaoying, ZHANG Lei, et al. Fast C&W: A fast adversarial attack algorithm to fool SAR target recognition with deep convolutional neural networks[J]. IEEE Geoscience and Remote Sensing Letters, 2022, 19: 4010005. doi: 10.1109/LGRS.2021.3058011
[37] ZHANG Fan, MENG Tianying, XIANG Deliang, et al. Adversarial deception against SAR target recognition network[J]. IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing, 2022, 15: 4507–4520. doi: 10.1109/JSTARS.2022.3179171
[38] XU Yanjie, SUN Hao, LEI Lin, et al. Multi-source remote sensing classification attack based on sparse differential coevolution[J]. Journal of Signal Processing, 2021, 37(7): 1164–1170. doi: 10.16798/j.issn.1003-0530.2021.07.005 (in Chinese)
[39] RONNEBERGER O, FISCHER P, and BROX T. U-net: Convolutional networks for biomedical image segmentation[C]. 18th International Conference on Medical Image Computing and Computer-Assisted Intervention, Munich, Germany, 2015: 234–241.
[40] PENG Bowen, PENG Bo, YONG Shaowei, et al. An empirical study of fully black-box and universal adversarial attack for SAR target recognition[J]. Remote Sensing, 2022, 14(16): 4017. doi: 10.3390/rs14164017
[41] DANG Xunwang, YAN Hua, HU Liping, et al. SAR image adversarial samples generation based on parametric model[C]. 2021 International Conference on Microwave and Millimeter Wave Technology (ICMMT), Nanjing, China, 2021: 1–3.
[42] DU M, BI D, DU M, et al. Local aggregative attack on SAR image classification models[J]. Authorea Preprints, 2022.
[43] MENG Tianying, ZHANG Fan, and MA Fei. A target-region-based SAR ATR adversarial deception method[C]. 2022 7th International Conference on Signal and Image Processing (ICSIP), Suzhou, China, 2022: 142–146.
[44] PENG Bowen, PENG Bo, ZHOU Jie, et al. Speckle-variant attack: Toward transferable adversarial attack to SAR target recognition[J]. IEEE Geoscience and Remote Sensing Letters, 2022, 19: 4509805. doi: 10.1109/LGRS.2022.3184311
[45] GERRY M J, POTTER L C, GUPTA I J, et al. A parametric model for synthetic aperture radar measurements[J]. IEEE Transactions on Antennas and Propagation, 1999, 47(7): 1179–1188. doi: 10.1109/8.785750
[46] ZHOU Junfan, FENG Sijia, SUN Hao, et al. Attributed scattering center guided adversarial attack for DCNN SAR target recognition[J]. IEEE Geoscience and Remote Sensing Letters, 2023, 20: 4001805. doi: 10.1109/LGRS.2023.3235051
[47] PENG Bowen, PENG Bo, ZHOU Jie, et al. Scattering model guided adversarial examples for SAR target recognition: Attack and defense[J]. IEEE Transactions on Geoscience and Remote Sensing, 2022, 60: 5236217. doi: 10.1109/TGRS.2022.3213305
[48] QIN Weibo, LONG Bo, and WANG Feng. SCMA: A scattering center model attack on CNN-SAR target recognition[J]. IEEE Geoscience and Remote Sensing Letters, 2023, 20: 4003305. doi: 10.1109/LGRS.2023.3253189
[49] LIU Hongwei, JIU Bo, LI Fei, et al. Attributed scattering center extraction algorithm based on sparse representation with dictionary refinement[J]. IEEE Transactions on Antennas and Propagation, 2017, 65(5): 2604–2614. doi: 10.1109/TAP.2017.2673764
[50] SIMONYAN K and ZISSERMAN A. Very deep convolutional networks for large-scale image recognition[C]. 3rd International Conference on Learning Representations, San Diego, USA, 2014.
[51] HE Kaiming, ZHANG Xiangyu, REN Shaoqing, et al. Deep residual learning for image recognition[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 770–778.
[52] HUANG Gao, LIU Zhuang, VAN DER MAATEN L, et al. Densely connected convolutional networks[C]. 2017 IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, USA, 2017: 2261–2269.
[53] SZEGEDY C, LIU Wei, JIA Yangqing, et al. Going deeper with convolutions[C]. 2015 IEEE Conference on Computer Vision and Pattern Recognition, Boston, USA, 2015: 1–9.
[54] SZEGEDY C, VANHOUCKE V, IOFFE S, et al. Rethinking the inception architecture for computer vision[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 2818–2826.
[55] SANDLER M, HOWARD A, ZHU Menglong, et al. MobileNetV2: Inverted residuals and linear bottlenecks[C]. 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, USA, 2018: 4510–4520.
[56] KRIZHEVSKY A, SUTSKEVER I, and HINTON G E. ImageNet classification with deep convolutional neural networks[J]. Communications of the ACM, 2017, 60(6): 84–90. doi: 10.1145/3065386
[57] SZEGEDY C, IOFFE S, VANHOUCKE V, et al. Inception-v4, inception-ResNet and the impact of residual connections on learning[C]. Thirty-First AAAI Conference on Artificial Intelligence, San Francisco, USA, 2017: 4278–4284.
[58] SCHMITT M, HUGHES L H, and ZHU X X. The SEN1–2 dataset for deep learning in SAR-optical data fusion[J]. ISPRS Annals of the Photogrammetry, Remote Sensing and Spatial Information Sciences, 2018, 4: 141–146. doi: 10.5194/isprs-annals-IV-1-141-2018
[59] HUANG Lanqing, LIU Bin, LI Boying, et al. OpenSARShip: A dataset dedicated to Sentinel-1 ship interpretation[J]. IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing, 2018, 11(1): 195–208. doi: 10.1109/JSTARS.2017.2755672
[60] ZHU Xiaoxiang, HU Jingliang, QIU Chunping, et al. So2Sat LCZ42: A benchmark data set for the classification of global local climate zones [Software and Data Sets][J]. IEEE Geoscience and Remote Sensing Magazine, 2020, 8(3): 76–89. doi: 10.1109/MGRS.2020.2964708
[61] MALMGREN-HANSEN D, KUSK A, DALL J, et al. Improving SAR automatic target recognition models with transfer learning from simulated data[J]. IEEE Geoscience and Remote Sensing Letters, 2017, 14(9): 1484–1488. doi: 10.1109/LGRS.2017.2717486
[62] MALMGREN-HANSEN D and NOBEL-JØRGENSEN M. Convolutional neural networks for SAR image segmentation[C]. 2015 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT), Abu Dhabi, United Arab Emirates, 2015: 231–236.
[63] YUAN Yijun, WAN Jinwei, and CHEN Bo. Robust attack on deep learning based radar HRRP target recognition[C]. 2019 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC), Lanzhou, China, 2019: 704–707.
[64] WAN Jinwei. Research on HRRP target recognition and adversarial attacks based on deep neural networks[D]. [Ph.D. dissertation], Xidian University, 2020. (in Chinese)
[65] HUANG Teng, CHEN Yongfeng, YAO Bingjian, et al. Adversarial attacks on deep-learning-based radar range profile target recognition[J]. Information Sciences, 2020, 531: 159–176. doi: 10.1016/j.ins.2020.03.066
[66] DU Chuan, CONG Yulai, ZHANG Lei, et al. A practical deceptive jamming method based on vulnerable location awareness adversarial attack for radar HRRP target recognition[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 2410–2424. doi: 10.1109/TIFS.2022.3170275
[67] GAO Fei, HUANG Teng, WANG Jun, et al. A novel multi-input bidirectional LSTM and HMM based approach for target recognition from multi-domain radar range profiles[J]. Electronics, 2019, 8(5): 535. doi: 10.3390/electronics8050535
[68] YANG Yuzhe, ZHANG Guo, XU Zhi, et al. ME-Net: Towards effective adversarial robustness with matrix estimation[C]. 36th International Conference on Machine Learning, Long Beach, USA, 2019: 7025–7034.
[69] WANG Yutong, ZHANG Wenwen, SHEN Tianyu, et al. Binary thresholding defense against adversarial attacks[J]. Neurocomputing, 2021, 445: 61–71. doi: 10.1016/j.neucom.2021.03.036
[70] LECUN Y. The MNIST database of handwritten digits[EB/OL]. http://yann.lecun.com/exdb/mnist/, 1998.
[71] MUSTAFA A, KHAN S H, HAYAT M, et al. Image super-resolution as a defense against adversarial attacks[J]. IEEE Transactions on Image Processing, 2020, 29: 1711–1724. doi: 10.1109/TIP.2019.2940533
[72] AGARWAL A, SINGH R, VATSA M, et al. Image transformation-based defense against adversarial perturbation on deep learning models[J]. IEEE Transactions on Dependable and Secure Computing, 2021, 18(5): 2106–2121. doi: 10.1109/TDSC.2020.3027183
[73] SUN Hao, XU Yanjie, CHEN Jin, et al. Self-supervised contrastive learning for improving the adversarial robustness of deep neural networks[J]. Journal of Signal Processing, 2021, 37(6): 903–911. doi: 10.16798/j.issn.1003-0530.2021.06.001 (in Chinese)
[74] XU Yanjie, SUN Hao, CHEN Jin, et al. Adversarial self-supervised learning for robust SAR target recognition[J]. Remote Sensing, 2021, 13(20): 4158. doi: 10.3390/rs13204158
[75] SONG Chuanbiao, HE Kun, LIN Jiadong, et al. Robust local features for improving the generalization of adversarial training[C]. 8th International Conference on Learning Representations, Addis Ababa, Ethiopia, 2020.
[76] ZHANG Hongyang, YU Yaodong, JIAO Jiantao, et al. Theoretically principled trade-off between robustness and accuracy[C]. 36th International Conference on Machine Learning, Long Beach, USA, 2019: 7472–7482.
[77] INKAWHICH N, DAVIS E, MAJUMDER U, et al. Advanced techniques for robust SAR ATR: Mitigating noise and phase errors[C]. 2020 IEEE International Radar Conference (RADAR), Washington, USA, 2020: 844–849.
[78] WAGNER S, PANATI C, and BRÜGGENWIRTH S. Fool the COOL - on the robustness of deep learning SAR ATR systems[C]. 2021 IEEE Radar Conference (RadarConf21), Atlanta, USA, 2021: 1–6.
[79] LI Peng, HU Xiaowei, FENG Cunqian, et al. SAR-AD-BagNet: An interpretable model for SAR image recognition based on adversarial defense[J]. IEEE Geoscience and Remote Sensing Letters, 2023, 20: 4000505. doi: 10.1109/LGRS.2022.3230243
[80] LI Peng, FENG Cunqian, HU Xiaowei, et al. SAR-BagNet: An ante-hoc interpretable recognition model based on deep network for SAR image[J]. Remote Sensing, 2022, 14(9): 2150. doi: 10.3390/rs14092150
[81] HENDRYCKS D and GIMPEL K. Early methods for detecting adversarial images[C]. 5th International Conference on Learning Representations, Toulon, France, 2017.
[82] FEINMAN R, CURTIN R R, SHINTRE S, et al. Detecting adversarial samples from artifacts[OL]. https://arxiv.org/abs/1703.00410.
[83] MA Xingjun, LI Bo, WANG Yisen, et al. Characterizing adversarial subspaces using local intrinsic dimensionality[C]. 6th International Conference on Learning Representations, Vancouver, Canada, 2018.
[84] LEE K, LEE K, LEE H, et al. A simple unified framework for detecting out-of-distribution samples and adversarial attacks[C]. 32nd International Conference on Neural Information Processing Systems, Montréal, Canada, 2018: 7167–7177.
[85] ZHAO Chenxiao, FLETCHER P T, YU Mixue, et al. The adversarial attack and detection under the fisher information metric[C]. Thirty-Third AAAI Conference on Artificial Intelligence, Honolulu, USA, 2019: 5869–5876.
[86] COHEN G, SAPIRO G, and GIRYES R. Detecting adversarial samples using influence functions and nearest neighbors[C]. 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Seattle, USA, 2020: 14441–14450.
[87] ZHANG Zhiwei, LIU Shuowei, GAO Xunzhang, et al. An empirical study towards SAR adversarial examples[C]. 2022 International Conference on Image Processing, Computer Vision and Machine Learning (ICICML), Xi’an, China, 2022: 127–132.
[88] ZHANG Zhiwei, LIU Shuowei, GAO Xunzhang, et al. Improving adversarial detection methods for SAR image via joint contrastive cross-entropy training[C]. 4th International Academic Exchange Conference on Science and Technology Innovation (IAECST), Guangzhou, China, 2022: 1107–1110.
[89] ZHANG Zhiwei, GAO Xunzhang, LIU Shuowei, et al. Energy-based adversarial example detection for SAR images[J]. Remote Sensing, 2022, 14(20): 5168. doi: 10.3390/rs14205168
[90] YANG Yi and NEWSAM S. Bag-of-visual-words and spatial extensions for land-use classification[C]. 18th SIGSPATIAL International Conference on Advances in Geographic Information Systems, San Jose, USA, 2010: 270–279.
[91] MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[C]. 6th International Conference on Learning Representations, Vancouver, Canada, 2018.
[92] CHEN Jianbo, JORDAN M I, and WAINWRIGHT M J. HopSkipJumpAttack: A query-efficient decision-based attack[C]. 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, USA, 2020: 1277–1294.
[93] ANDRIUSHCHENKO M, CROCE F, FLAMMARION N, et al. Square attack: A query-efficient black-box adversarial attack via random search[C]. 16th European Conference on Computer Vision, Glasgow, UK, 2020: 484–501.
[94] MODAS A, MOOSAVI-DEZFOOLI S M, and FROSSARD P. SparseFool: A few pixels make a big difference[C]. 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Long Beach, USA, 2019: 9079–9088.
[95] YUAN Xuejing, CHEN Yuxuan, ZHAO Yue, et al. Commandersong: A systematic approach for practical adversarial voice recognition[C]. 27th USENIX Conference on Security Symposium, Baltimore, USA, 2018: 49–64.
[96] DAS N, SHANBHOGUE M, CHEN S T, et al. ADAGIO: Interactive experimentation with adversarial attack and defense for audio[C]. Joint European Conference on Machine Learning and Knowledge Discovery in Databases, Dublin, Ireland, 2019: 677–681.
[97] DOAN K, LAO Y, and LI P. Backdoor attack with imperceptible input and latent modification[J]. Advances in Neural Information Processing Systems, 2021, 34: 18944–18957.
[98] BAGDASARYAN E and SHMATIKOV V. Blind backdoors in deep learning models[C]. 30th USENIX Security Symposium, 2021: 1505–1521.
[99] DOAN K, LAO Yingjie, ZHAO Weijie, et al. LIRA: Learnable, imperceptible and robust backdoor attacks[C]. 2021 IEEE/CVF International Conference on Computer Vision (ICCV), Montreal, Canada, 2021: 11946–11956.
[100] SAHA A, SUBRAMANYA A, and PIRSIAVASH H. Hidden trigger backdoor attacks[C]. 34th AAAI Conference on Artificial Intelligence, New York, USA, 2020: 11957–11965.
[101] SHUMAILOV I, SHUMAYLOV Z, KAZHDAN D, et al. Manipulating SGD with data ordering attacks[C]. 34th International Conference on Neural Information Processing Systems, 2021: 18021–18032.
[102] SOURI H, FOWL L, CHELLAPPA R, et al. Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch[J]. Advances in Neural Information Processing Systems, 2022, 35: 19165–19178.
[103] DOAN B G, ABBASNEJAD E, and RANASINGHE D C. Februus: Input purification defense against Trojan attacks on deep neural network systems[C]. Annual Computer Security Applications Conference, Austin, USA, 2020: 897–912.
[104] WANG Bolun, YAO Yuanshun, SHAN S, et al. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks[C]. 2019 IEEE Symposium on Security and Privacy (SP), San Francisco, USA, 2019: 707–723.
[105] GIRSHICK R. Fast R-CNN[C]. 2015 IEEE International Conference on Computer Vision, Santiago, Chile, 2015: 1440–1448.
[106] REDMON J, DIVVALA S, GIRSHICK R, et al. You only look once: Unified, real-time object detection[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 779–788.
[107] CHOW K H, LIU Ling, LOPER M, et al. Adversarial objectness gradient attacks in real-time object detection systems[C]. 2020 Second IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA), Atlanta, USA, 2020: 263–272.
[108] WANG Yajie, LV Haoran, KUANG Xiaohui, et al. Towards a physical-world adversarial patch for blinding object detection models[J]. Information Sciences, 2021, 556: 459–471. doi: 10.1016/j.ins.2020.08.087
[109] ZHANG Lei, CHEN Xiaoqing, ZHENG Yining, et al. Electromagnetic metasurfaces and information metasurfaces[J]. Chinese Journal of Radio Science, 2021, 36(6): 817–828. doi: 10.12265/j.cjors.2021218 (in Chinese)