Loading [MathJax]/jax/output/SVG/jax.js

雷达像智能识别对抗研究进展

高勋章 张志伟 刘梅 龚政辉 黎湘

夏德平, 张良, 吴涛, 等. 机载双基地极化敏感阵列多干扰抑制[J]. 雷达学报, 2022, 11(3): 399–407. doi: 10.12000/JR21212
引用本文: 高勋章, 张志伟, 刘梅, 等. 雷达像智能识别对抗研究进展[J]. 雷达学报, 2023, 12(4): 696–712. doi: 10.12000/JR23098
XIA Deping, ZHANG Liang, WU Tao, et al. A multiple interference suppression algorithm based on airborne bistatic polarization radar[J]. Journal of Radars, 2022, 11(3): 399–407. doi: 10.12000/JR21212
Citation: GAO Xunzhang, ZHANG Zhiwei, LIU Mei, et al. Intelligent radar image recognition countermeasures: A review[J]. Journal of Radars, 2023, 12(4): 696–712. doi: 10.12000/JR23098

雷达像智能识别对抗研究进展

DOI: 10.12000/JR23098
基金项目: 国家自然科学基金(61921001)
详细信息
    作者简介:

    高勋章,研究员,博士生导师,主要研究方向为雷达目标识别、智能信息处理

    张志伟,博士生,主要研究方向为雷达目标识别、智能对抗攻击与防御

    刘 梅,硕士生,主要研究方向为智能感知与处理、雷达目标识别

    龚政辉,助理研究员,主要研究方向为雷达对抗、雷达抗干扰、雷达通信一体化

    黎 湘,教授,博士生导师,主要研究方向为雷达目标特性与识别

    通讯作者:

    高勋章 gaoxunzhang@nudt.edu.cn

    张志伟 514131141@qq.com

  • 责任主编:徐丰 Corresponding Editor: XU Feng
  • 中图分类号: TP753

Intelligent Radar Image Recognition Countermeasures: A Review

Funds: The National Natural Science Foundation of China (61921001)
More Information
  • 摘要: 基于深度神经网络的雷达像智能识别技术已经成为雷达信息处理领域的前沿和热点。然而,深度神经网络模型易受到对抗攻击的威胁。攻击者可以在隐蔽的条件下误导智能目标识别模型做出错误预测,严重影响其识别精度和鲁棒性。该文梳理了近年来雷达像智能识别对抗技术发展现状,总结分析了现有雷达一维/二维像识别对抗攻击方法和防御方法的特点,最后讨论了当前雷达像智能识别对抗研究领域值得关注的5个开放问题。

     

  • 随着雷达极化理论研究不断深入以及新器件的高速发展,极化抗干扰技术[1,2]已进入工程应用,其本质是利用干扰与目标在极化域的差异,减弱或消除干扰对雷达检测性能的影响。针对主瓣干扰和欺骗性干扰,文献[3,4]提出了基于超复数的极化-空域级联滤波算法和空-时-极化联合滤波算法,用于机载雷达抑制干扰;文献[5]提出了一种基于重叠滑窗子阵合成的空-极化域联合自适应波束形成算法,用于机载雷达抑制欺骗式干扰;为了解决与目标同向的主瓣干扰抑制问题,文献[6,7]将极化信息引入独立成分分析(Independent Component Analysis, ICA),实现干扰抑制而不影响同向目标的检测。文献[8]提出空间极化域零解耦方法实现主副瓣多干扰抑制,但是该算法需要主波束范围内主瓣干扰与目标的极化特性不同,且主波束内只能有1个干扰,限制了该算法的应用。从上述文献来看,极化域增加了新的维度,有效提升抗主瓣干扰能力,但存在探测视角单一,所获目标信息有限等问题,制约了单基地极化敏感阵列抗干扰性能。

    双/多基雷达系统主要利用空间分置的两部或多部雷达来实现,当干扰信号和目标信号同时进入雷达主瓣时,可利用干扰信号与目标信号在不同平台间的特征差异,有效抑制主瓣干扰[9-12]。文献[13-17]利用同一干扰信号在不同平台相关而目标非相关特性,通过平台间相消处理来实现主瓣干扰抑制;为了实现目标空间独立性条件,需要不同平台的基线长度满足一定要求[18],从而限制了算法应用场景。文献[19]利用一种基于极化滤波的多基雷达协同主瓣干扰抑制方法,可实现主瓣干扰对消,但该算法没有充分利用空域自由度,当存在强副瓣干扰,尤其是主瓣和副瓣干扰同时存在情况,该算法已无法有效应对。在现代复杂电子对抗场景下,机载雷达将面临多个主副瓣干扰压制,雷达探测能力大幅下降,这就需要综合空域、时域以及极化域等多维信息,来提升机载雷达对抗主副瓣干扰能力。本文基于这个考虑,综合双基地和极化抗干扰优势,构建了一种机载双基地雷达极化敏感阵列,利用双基地-极化来分级抑制主副瓣干扰,首先,对机载双基地主辅两个雷达分别处理,在遮蔽主瓣干扰的基础上利用自适应处理抑制副瓣干扰;然后,再利用双基地极化信息对主瓣干扰进行抑制,为了提升主瓣干扰抑制效果,在对消前优先修正干扰空域导向矢量,最后,通过构建干扰对抗场景来对该方法仿真验证。

    机载双基地极化敏感阵列是在机载双基地雷达基础上通过增加能够敏感极化信息的正交偶极子对来实现的,如图1所示。该雷达包括主雷达和辅雷达两部分,每部分都由一部极化敏感阵列组成,每个阵列包括1×M个正交偶极子对,沿飞机正侧面布置。假设以主雷达地面投影点O为中心建立空间直角坐标系O-XYZ,假定平台的基线长度为L且到Y轴投影为D,主辅雷达的高度分别为HpHa,速度分别为VpVa,主辅雷达平台与基线的夹角分别为βpβa,为便于描述,假定主辅雷达平台均沿Y轴飞行,夹角为零。极化敏感阵列M个阵元沿Y轴,按照半波长均匀排列,每个偶极子对由两个相互正交的水平极化通道H(沿X轴方向)和垂直极化通道V(沿Z轴方向)组成,极化间隔离度相对较高,忽略互耦问题。该雷达系统采用单发双收模式,主雷达正交极化通道采用正交波形同时发射,主辅雷达正交极化通道同时接收工作。

    图  1  机载双基地极化敏感阵列信号模型
    Figure  1.  Signal model of airborne bistatic polarization-sensitive array

    假设1个目标和n个干扰信号从远场入射分别进入主辅雷达,如图1所示,其中,标志T代表目标,标志I代表干扰,目标回波信号和干扰信号的空间到达角为(θ,φ)θ, φ分别为方位角和俯仰角;目标回波信号和干扰信号的极化域参数为(γ,η)γ, η为完全极化波相位描述子,γ为极化辅角,η为极化相位角,其极化矢量可表示为

    s(θ,φ,γ,η)=[sinθcosφcosθcosθcosφsinθ][cosγsinγejη] (1)

    目标回波信号或干扰信号到达第m个阵元的相位延迟为

    ϕm(θ,φ)=2π(m1)sinθcosφ/λ (2)

    其中,λ为载频信号波长。线阵的空域导向矢量可表示为

    a(θ,φ)=[ejϕ0(θ,φ),ejϕ1(θ,φ),,ejϕM(θ,φ)] (3)

    式(1)—式(3)适用于主辅雷达,没有利用下标来区分。

    在目标和干扰信号同时存在的情况下,主雷达在t时刻的接收信号由目标回波信号Xt(t)、干扰信号Xj(t)以及噪声信号Np(t)组成,可表示为

    Xp(t)=Xt(t)+Xj(t)+Np(t) (4)

    其中,目标回波信号Xt(t)

    Xt(t)=GpQprApSeptr(tτp) (5)

    式(5)中,Gp为目标回波幅度,并假定水平和垂直极化通道一致,Qpr=[epr1,epr2,,eprM]T, QprM个通道接收矩阵,epr=[ErpH,ErpV]T, epr为水平和垂直两个极化通道接收矢量,表示Hadamard积,Ap=[ap(θ,φ),ap(θ,φ)]Ap为两个极化通道空域导向矩阵,S为目标极化散射矩阵(Polarization Scattering Matrix, PSM),ept=[EtpH,EtpV]T, ept为发射极化矢量,r(tτp)为信号复包络,τp为目标回波时延,Np(t)为零均值方差的高斯白噪声。

    干扰信号Xj(t)表示为

    Xj(t)=Pp(θ1,φ1)QprApejjp(tτjp)+nk=2Pk(θk,φk)RprApejkjp(tτjk) (6)

    其中,Pp(θ1,φ1), Pk(θk,φk)分别为主副瓣干扰幅度,ej=[EjH,EjV]T为主瓣干扰极化矢量,ejk=[EjkH,EjkV]T为副瓣干扰极化矢量,j(tτjp), j(tτjk)分别为主副瓣干扰时延。

    类似地,辅雷达接收极化导向矢量ear=[EraH,EraV],辅雷达在t 时刻的接收信号可表示为

    Xa(t)=GaQarAaSeptr(tτa)+Pa(θ1,φ1)QarAaejja(tτja)+nk=2Pk(θk,φk)QarAaejja(tτja)+Na(t) (7)

    式(7)中定义同式(5)和式(6),只需把下标由p更换为a

    在窄带工作条件下,远场目标可视为点目标,距离主雷达Rp处的雷达目标散射回波分别被H极化通道和V极化通道所接收,则输出信号可以表示为

    Xp(t)=[XH(t)XV(t)]=GpQprApSeptr(tτp)+Np(t) (8)

    在忽略接收机噪声等影响情况下,输出信号可近似表示为

    Xp(t)=[XH(t)XV(t)]=[Gpap(θ,φ)SHHEtpH(t)+Gpap(θ,φ)SVHEtpV(t)Gpap(θ,φ)SHVEtpH(t)+Gpap(θ,φ)SVVEtpV(t)] (9)

    其中,SHH, SHV, SVHSVV为目标PSM的元素,具体定义为

    S=[SHHSHVSVHSVV] (10)

    类似地,辅雷达接收目标回波信号可近似表示为

    Xa(t)=[XH(t)XV(t)]=[Gaaa(θ,φ)SHHEtpH(t)+Gaaa(θ,φ)SVHEtpV(t)Gaaa(θ,φ)SHVEtpH(t)+Gaaa(θ,φ)SVVEtpV(t)] (11)

    有源噪声干扰条件下,主雷达接收的噪声干扰信号近似表示为

    Xjp(t)=[XH(t)XV(t)]=[Gpap(θ,φ)EjH(t)Gpap(θ,φ)EjV(t)] (12)

    同样,辅雷达接收的噪声干扰信号近似为

    Xja(t)=[XH(t)XV(t)]=[Gaaa(θ,φ)EjH(t)Gaaa(θ,φ)EjV(t)] (13)

    从上述分析来看,由于雷达系统采用单发双收模式,主雷达发射,主辅雷达分别接收,目标回波信号在主辅雷达间存在差异,而有源干扰信号在主辅雷达间近似相同,因此,可通过双基地协同对消有源干扰信号而基本不影响目标信号。

    机载双基地极化敏感阵列同时对抗主、副瓣干扰方法的流程如图2所示,从图中可看出,该方法首先通过对主辅雷达的两个极化通道的协方差矩阵进行重构来遮蔽主瓣干扰,降低自适应处理对主波束的影响,然后对主辅雷达两个极化通道各自进行副瓣干扰抑制,最后再利用双基地极化通道对主瓣干扰进行对消,从而达到同时有效抑制主副瓣干扰的目的,在极化对消主瓣干扰之前,优先对主辅雷达的主瓣干扰空间导向矢量进行了修正,用来提升主瓣干扰抑制效果。

    图  2  主副瓣干扰同时抑制流程
    Figure  2.  The main-lobe and side-lobe interference suppressed simultaneously

    对主辅雷达H极化和V极化通道内副瓣干扰进行自适应抑制,不失一般性,以主雷达的H极化通道为例进行相应算法介绍。主雷达H极化通道信号加权求和为

    Y = WHX (14)

    其中,W为波束形成权矢量,()H为共轭转置。在信号回波无失真同时最小化输出通道条件下求取最优矢量

    minWWHRW;s.t.WHa0=1 (15)

    根据拉格朗日乘子法求取最优权

    Wopt = μR1a0 (16)

    其中,μ = 1/(aH0R1a0)为归一化复常数,R为接收协方差矩阵

    R= E{XXH}=Rs+R1+Rj+Rn=σ20a0aH0+σ21a1aH1+nk=2σ2kakaHk+σ2nI (17)

    其中,E{}为数学期望,Rs为信号协方差矩阵,R1为主瓣干扰协方差矩阵,Rj为副瓣干扰协方差矩阵,Rn为噪声协方差矩阵;σ20, σ21, σ2k, σ2n分别代表信号功率、主瓣干扰功率、副瓣干扰功率和噪声功率,a0, a1, ak分别为信号、主瓣干扰和第k个干扰的空域导向矢量,I代表单位矩阵。实际中,常利用样本协方差矩阵ˆR来代替R

    ˆR = 1LLl=1X(l)XH(l) (18)

    其中,L为样本数。在主副瓣干扰同时存在情况下,直接对干扰进行抑制会导致主波束畸变[15]。为了在主波束保形条件下实现副瓣干扰抑制,需对接收协方差矩阵进行重构。本文通过构建特征投影矩阵来遮蔽主瓣干扰和目标回波,假设Θ为3 dB主瓣宽度对应的角度区域,主瓣干扰和目标回波均落在该角度区域内,通过构建一个特征投影矩阵B来消除主瓣干扰和目标回波[20]B可以表示为

    B=IUUH+ΔI (19)

    其中,U=[a(θ0κδ),a(θ0(κ1)δ),,a(θ0+κδ)]U为导向矢量矩阵,由2κ + 1个导向矢量构成,δκ分别为角度展宽间隔和角度展宽个数,预设的δκ应确保[a(θ0κδ),a(θ0+κδ)]覆盖ΘΔ为加载量。对接收到的数据用投影矩阵B来消除主瓣干扰和目标回波信号成分

    ˆX=BH(X(l))=BH(Xt(l)+X1(l)+Xj(l)+Xn(l))BH(Xj(l)+Xn(l)) (20)

    将投影后的数据代入式(18),其协方差矩阵表示为

    ˜R=1LLl=1ˆX(l)ˆXH(l)=BH1KLl=1ˆX(l)ˆXH(l)B=BHˆRB (21)

    修正后的最优权矢量应为

    Wopt = μ˜R1a0 (22)

    采用式(22)权矢量可实现主辅雷达两个极化通道副瓣干扰抑制;然后将辅雷达两个极化通道数据送主雷达,形成了主辅雷达两个极化4通道数据,本文假设通道间数据在时域上已对齐,输出的主辅雷达4通道数据可表示为

    Ypa = [YpH,YpV,YaH,YaV]T (23)

    其中,Ym=WHoptXm为副瓣干扰对消后数据,下标m代表主辅雷达不同极化通道pH, pV, aH以及aV

    考虑干扰信号的入射角度与主辅雷达的波束指向存在角度偏差且存在方向误差,导致主辅雷达的干扰信号极化导向矢量与理想导向矢量存在误差,从而在一定程度上影响干扰对消结果;为了消除该影响,拟通过约束条件对估计的干扰信号极化导向矢量sp进行优化[21],约束条件如下:

    min sHpR1ysp;s.t.sp˜spi2=δ (24)

    其中,δ为常数,用来代表极化导向矢量偏差大小,˜sp=[spH,spV,saH,saV]为理想极化导向矢量,Ry为无源侦收条件下双基地极化通道协方差矩阵。

    Ry= E{YpaYHpa}=Rin=Ry1+Ryn=σ21a1aH1+σ2nI (25)

    通过拉格朗日乘子法求解式(24),求解式为

    J(sp) = sHpR1ysp+ζ(sp˜spi2δ) (26)

    其中,ζ为拉格朗日乘数,通过对sp求梯度运算,并令其为零,最终可以解得

    ζ=1s1pR1ysp (27)

    从而求得最优加权矢量Wpa

    Wpa=R1ysps1pR1ysp (28)

    从而获得的主瓣干扰对消后输出为

    Z=WHpaYpa (29)

    通过构建干扰对抗场景对本文算法的有效性进行计算仿真。主要参数如下:双基地雷达平台飞行高度为8000 m,飞行速度150 m/s,同向飞行,天线阵面构型为1×48,载频1250 MHz,重复频率8000 Hz,采样带宽5 MHz。假设主辅雷达两个平台距离相隔50 km,干扰1极化参数(γ,η)=(30,60),干扰2极化参数(γ,η)=(20,50),干扰3极化参数(γ,η)=(45,45),目标极化参数(γ,η)=(10,70)δ为0.2°,Δ为1e-4,干扰和目标的相对主辅雷达的距离和入射角度等其他参数如表1所示。文中为简化说明,假设将辅雷达的干扰数据传输到主雷达来对消,仅考虑主雷达的目标检测,辅雷达的目标暂不考虑,其与主雷达的目标融合算法另文论述。

    表  1  干扰与目标参数
    Table  1.  Interference and target parameters
    类型距主雷达距离(km)入射角度(º)距辅雷达距离(km)入射角度(º)干噪比/信噪比(dB)
    干扰1350.0(85.9, –1)350.0(94.1, –1)40
    干扰2300.0(50.0, –1)270.5(58.2, –1)40
    干扰3150.0(80.4, –2)150.0(99.6, –2)15
    目标1148.0(80.3, –2)148.0(99.7, –2)25
    下载: 导出CSV 
    | 显示表格

    在天线坐标系下进行主辅雷达主瓣区域构建凹口遮蔽主瓣干扰和目标回波仿真。假定波束指向角(90.0°, 0°)为阵面法向,根据主雷达波束排布,当(80.0°, 0°)为波束指向时,转换为天线坐标系下为(–10.0°, 0°)。在此波束指向下,分别构建波束指向角、3 dB波束宽度以及主波束宽度3种情况凹口。其中,波束指向角对应δ = 0, κ = 1,3 dB波束宽度对应δ = 0.05, κ = 80,主波束宽度对应δ = 0.05, κ = 120;从图3(a)可看出,在此3种情况下均能有效形成凹口;同样,在辅助雷达波束指向(10°, 0°)时,此3种情况均能形成有效凹口,如图3(b)所示。

    图  3  主辅雷达凹口构建仿真
    Figure  3.  Simulation of the primary and auxiliary radar notch construction

    在天线坐标系下进行干扰抑制响应分析,3个干扰在天线坐标系下对应角度分别为干扰1(–4.1°, –1°)、干扰2 (–40°, –1°)、干扰3 (–9.6°, –2°),目标为(–9.7°, –2°),其中,干扰1、干扰2为副瓣干扰,干扰3为主瓣干扰。图4(a)给出了协方差矩阵未重构情况下的空间自适应响应图,从图中可看出,因同时存在主副瓣干扰,主波束出现畸变,影响目标检测。图4(b)为主波束遮蔽后空间自适应响应图, 从图中可看出,主波束内干扰方向没有形成零点,主波束没有畸变,而副瓣干扰方向形成凹口,副瓣干扰得到抑制而目标检测基本不受影响。

    图  4  主雷达自适应响应方向图
    Figure  4.  Adaptive response pattern of the primary radar

    同样对辅雷达进行分析,根据辅雷达波束排布,当(100.0°,0°)为波束指向时,转换为天线坐标系下为(10.0°, 0°),干扰在天线坐标系下分别为干扰1(4.1°, –1°),干扰2(–31.8°, –1°),干扰3(9.6°, –2°),以及目标(9.7°, –2°)。其中,干扰1、干扰2为副瓣干扰,干扰3为主瓣干扰,其空间自适应响应图在有、没有遮蔽条件下的结果分别为图5(a)图5(b)所示。从图中可看出,通过重构协方差矩阵可对主波束进行遮蔽,在抑制干扰时,主波束没有畸变,而在副瓣干扰方向形成凹口,能形成对副瓣干扰有效抑制,而未重构协方差矩阵则对目标检测存在影响。

    图  5  辅雷达自适应响应方向图
    Figure  5.  Adaptive response pattern of the auxiliary radar

    双基地极化敏感阵列采用单发双收模式,主雷达发射,主辅雷达分别接收,对接收的目标空间-极化参数(θ,φ,γ,η)进行仿真,仿真结果如图6所示(考虑俯仰角φ相同,不单独给出),从图中可看出,目标极化参数(10,70)相同,但由于目标进入主辅雷达的空间角度不同,主雷达为80.3,辅雷达为99.7,主辅雷达接收的目标回波信号也就不同;而对于干扰信号来说,极化参数和空间角度基本相同,因此利用主辅雷达进行主瓣干扰对消而对目标基本不产生影响。

    图  6  主辅雷达的目标空间-极化分布
    Figure  6.  The space-polarization of targets of the primary and auxiliary radar

    在主副瓣干扰同时存在条件下,文献[19]算法的干扰抑制能力大幅下降,而采用本文方法则可有效抑制。图7给出主瓣干扰对消仿真结果,通过500次蒙特卡罗实验验证。从仿真结果来看,导向矢量未修正时主瓣干扰能被有效抑制,干扰抑制后的目标信干噪比为21.53 dB,损失了约3.5 dB;通过导向矢量修正后,干扰抑制能力进一步改善,干扰抑制后的目标信干噪比为22.8 dB,损失了约2.2 dB。

    图  7  主瓣干扰对消后目标仿真
    Figure  7.  Simulation of target under the main-lobe interference suppressed

    本文针对主副瓣干扰难以同时抑制,而双基地雷达对基线长度又有限定问题,提出了一种基于机载双基地-极化分级同时对抗主副瓣干扰的方法。该方法充分利用目标在主辅雷达的极化特性存在差异,而干扰基本相同的特点,推导了机载双基地雷达分级对消处理算法,并对算法进行理论分析与仿真验证。仿真表明,该方法在对主副瓣干扰抑制的同时实现了目标的有效检测,所提算法有效提升了机载雷达对抗复杂电磁环境能力,为后续开展分布式协同探测研究打下基础。

  • 图  1  雷达目标对抗样本示例

    Figure  1.  Radar target adversarial sample

    图  2  深度模型识别原理图

    Figure  2.  Recognition process of deep neural network

    图  3  对抗攻击方法分类

    Figure  3.  Categories of adversarial attack

    图  4  基于全距离单元扰动[63]的HRRP对抗攻击示意图

    Figure  4.  All-range-cell[63] adversarial attacks on radar HRRP

    图  5  基于特定距离单元扰动[66]的HRRP对抗攻击示意图

    Figure  5.  Certain-range-cell[66] adversarial attacks on radar HRRP

    图  6  对抗防御方法分类

    Figure  6.  Categories of adversarial defense

    图  7  基于优化目标函数的防御方法

    Figure  7.  Adversarial defense based on optimizing objective function

    表  1  基于属性散射中心模型的典型雷达二维像对抗攻击方法

    Table  1.   Typical radar image adversarial attacks based on attribute scattering center model

    方法干净样本扰动对抗样本关键技术
    文献[46]散射中心提取,空域形变
    文献[47]单散射中心攻击
    文献[48]改进OMP算法,黑盒攻击
    下载: 导出CSV

    表  2  雷达二维像对抗攻击研究现状

    Table  2.   Summary of adversarial attacks on radar two-dimensional image

    文献攻击先验扰动范数验证模型数据集攻击特异性优缺点
    [33]白盒LVGG[50]
    ResNet[51]
    DenseNet[52]
    GoogleNet[53]
    InceptionV3[54]
    MSTAR
    SENSAR[58]
    非定向验证光学方法的适用性和差异性,未结合雷达像特性
    [34]白盒L0A-ConvNet[10]MSTAR非定向
    [35]白盒L2/L自定义CNNMSTAR非定向
    [36]白盒L2ResNetMSTAR定向/非定向结合了雷达像自身特性和识别场景,未考虑对抗样本的物理实现问题
    [37]白盒/黑盒L2/L0A-ConvNet
    ResNet
    MSTAR
    OpenSARship[59]
    定向/非定向
    [38]白盒L0ResNet
    VGG
    MobleNet-v2[55]
    So2Sat-LCZ42[60]非定向
    [40]黑盒LAlexNet[56]
    ResNet
    DenseNet
    VGG
    A-ConvNet
    MSTAR
    SARSIM[61]
    非定向
    [41]白盒LCNNMSTAR非定向对扰动区域进行初步限制,未建立扰动像素与雷达信号的对应关系
    [42]白盒/黑盒L2GoogleNet
    DenseNet
    InceptionV3
    ResNet
    MSTAR非定向
    [43]白盒L2自定义CNNMSTAR非定向
    [44]黑盒LAconvNet
    VGG
    ResNet
    DenseNet
    InceptionV4[57]
    MSTAR非定向
    [46]白盒双线性变换ResNet
    MobileNet-v2
    MSTAR非定向考虑了单帧静止目标对抗样本的物理实现,未考虑目标运动过程中的扰动变化
    [47]白盒L0/L2/LA-convNet
    VGG
    ResNet
    DenseNet
    MobileNet-v2
    MSTAR
    SARBake[62]
    非定向
    [48]黑盒L2VGG
    ResNet
    MobileNet
    MSTAR非定向
    下载: 导出CSV

    表  3  雷达一维像对抗攻击研究现状

    Table  3.   Summary of adversarial attacks on radar HRRP

    文献攻击先验扰动方式验证模型数据集攻击目标特点
    [63]白盒全距离单元自定义CNN3类飞机目标:雅克42;塞斯纳S/II;安26非定向仅设计数字域攻击,未考虑物理实现性
    [64]白盒全距离单元自定义CNN3类飞机目标:雅克42;塞斯纳 S/II;安26定向/非定向
    [65]白盒/黑盒全距离单元自定义CNN;全连接网络MSTAR数据集的HRRP还原数据[67]定向/非定向
    [66]白盒/黑盒特定距离单元AlexNet
    ResNet
    DenseNet
    InceptionNet
    3类飞机目标:雅克42;塞斯纳S/II;安26定向/非定向较好的物理实现性,未考虑目标姿态等因素带来的影响
    下载: 导出CSV

    表  4  雷达像识别对抗防御方法

    Table  4.   Summary of adversarial defense in radar image recognition

    防御层级文献验证模型数据集可防御优缺点
    输入端[73]ResNetUC-Merced[90]FGSM/PGD[91]/CW[20]/
    DeepFool[19]/
    HopSkipJump[92]/
    Square[93]
    仅需在数据端操作,影响干净样本识别率
    [74]ResNet
    DenseNet
    MobileNet
    ShuffleNet
    A-ConvNet
    MSTAR
    OpenSAR-Ship[59]
    FGSM/PGD/DeepFool/
    CW/SparseFool[94]/
    HopSkipJump/Square
    模型端[77]A-ConvNet
    VGG
    ResNet
    ShuffleNet
    MSTAR[11]FGSM[17]/PGD已知攻击类型时防御效果好,训练耗时
    [47]A-ConvNetMSTAR
    SARBake[62]
    PGD/SMGAA[47]
    [78]自定义CNNMSTARDeepFool具有较好的可解释性,难以兼容主流模型
    [79]SAR-BagNet[80]
    ResNet
    MSTARFGSM/PGD/
    CW/DeepFool
    输出端[87]VGG
    ResNet
    DenseNet
    MSTAR
    SARBake
    FGSM/BIM[18]/
    CW/DeepFool
    无需更改模型结构,难以单独胜任识别任务
    [88]ResNetMSTARFGSM/BIM/
    CW/DeepFool
    [89]VGG
    ResNet
    DenseNet
    MSTAR
    SARBake
    FGSM/BIM/
    CW/DeepFool
    下载: 导出CSV
  • [1] ZHU Xiaoxiang, MONTAZERI S, ALI M, et al. Deep learning meets SAR: Concepts, models, pitfalls, and perspectives[J]. IEEE Geoscience and Remote Sensing Magazine, 2021, 9(4): 143–172. doi: 10.1109/MGRS.2020.3046356
    [2] GOODFELLOW I J, SHLENS J, and SZEGEDY C. Explaining and harnessing adversarial examples[J]. arXiv preprint arXiv: 1412. 6572, 2014.
    [3] 孙浩, 陈进, 雷琳, 等. 深度卷积神经网络图像识别模型对抗鲁棒性技术综述[J]. 雷达学报, 2021, 10(4): 571–594. doi: 10.12000/JR21048

    SUN Hao, CHEN Jin, LEI Lin, et al. Adversarial robustness of deep convolutional neural network-based image recognition models: A review[J]. Journal of Radars, 2021, 10(4): 571–594. doi: 10.12000/JR21048
    [4] XU Yonghao, BAI Tao, YU Weikang, et al. AI security for geoscience and remote sensing: Challenges and future trends[J]. IEEE Geoscience and Remote Sensing Magazine, 2023, 11(2): 60–85. doi: 10.1109/MGRS.2023.3272825
    [5] CAO Dongsheng, HUANG Jianhua, YAN Jun, et al. Kernel k-nearest neighbor algorithm as a flexible SAR modeling tool[J]. Chemometrics and Intelligent Laboratory Systems, 2012, 114: 19–23. doi: 10.1016/j.chemolab.2012.01.008
    [6] 袁莉, 刘宏伟, 保铮. 基于中心矩特征的雷达HRRP自动目标识别[J]. 电子学报, 2004, 32(12): 2078–2081. doi: 10.3321/j.issn:0372-2112.2004.12.036

    YUAN Li, LIU Hongwei, and BAO Zheng. Automatic target recognition of radar HRRP based on central moments features[J]. Acta Electronica Sinica, 2004, 32(12): 2078–2081. doi: 10.3321/j.issn:0372-2112.2004.12.036
    [7] SAEPULOH A, KOIKE K, and OMURA M. Applying Bayesian decision classification to Pi-SAR polarimetric data for detailed extraction of the geomorphologic and structural features of an active volcano[J]. IEEE Geoscience and Remote Sensing Letters, 2012, 9(4): 554–558. doi: 10.1109/LGRS.2011.2174611
    [8] LI Min, ZHOU Gongjian, ZHAO Bin, et al. Sparse representation denoising for radar high resolution range profiling[J]. International Journal of Antennas and Propagation, 2014, 2014: 875895. doi: 10.1155/2014/875895
    [9] CHEN Wenchao, CHEN Bo, PENG Xiaojun, et al. Tensor RNN with Bayesian nonparametric mixture for radar HRRP modeling and target recognition[J]. IEEE Transactions on Signal Processing, 2021, 69: 1995–2009. doi: 10.1109/TSP.2021.3065847
    [10] CHEN Sizhe, WANG Haipeng, XU Feng, et al. Target classification using the deep convolutional networks for SAR images[J]. IEEE Transactions on Geoscience and Remote Sensing, 2016, 54(8): 4806–4817. doi: 10.1109/TGRS.2016.2551720
    [11] ROSS T D, WORRELL S W, VELTEN V J, et al. Standard SAR ATR evaluation experiments using the MSTAR public release data set[C]. SPIE 3370, Algorithms for Synthetic Aperture Radar Imagery, Orlando, USA, 1998: 566–573.
    [12] PEI Jifang, HUANG Yulin, HUO Weibo, et al. SAR automatic target recognition based on multiview deep learning framework[J]. IEEE Transactions on Geoscience and Remote Sensing, 2018, 56(4): 2196–2210. doi: 10.1109/TGRS.2017.2776357
    [13] SUN Yuanshuang, WANG Yinghua, LIU Hongwei, et al. SAR target recognition with limited training data based on angular rotation generative network[J]. IEEE Geoscience and Remote Sensing Letters, 2020, 17(11): 1928–1932. doi: 10.1109/LGRS.2019.2958379
    [14] HUANG Zhongling, PAN Zongxu, and LEI Bin. What, where, and how to transfer in SAR target recognition based on deep CNNs[J]. IEEE Transactions on Geoscience and Remote Sensing, 2020, 58(4): 2324–2336. doi: 10.1109/TGRS.2019.2947634
    [15] FU Kun, ZHANG Tengfei, ZHANG Yue, et al. Few-shot SAR target classification via metalearning[J]. IEEE Transactions on Geoscience and Remote Sensing, 2022, 60: 2000314. doi: 10.1109/TGRS.2021.3058249
    [16] SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[C]. 2nd International Conference on Learning Representations, Banff, Canada, 2014.
    [17] GOODFELLOW I J, SHLENS J, and SZEGEDY C. Explaining and harnessing adversarial examples[C]. 3rd International Conference on Learning Representations, San Diego, USA, 2015: 1050.
    [18] KURAKIN A, GOODFELLOW I J, and BENGIO S. Adversarial Examples in the Physical World[M]. YAMPOLSKIY R V. Artificial Intelligence Safety and Security. New York: Chapman and Hall/CRC, 2018: 99–112.
    [19] MOOSAVI-DEZFOOLI S M, FAWZI A, and FROSSARD P. DeepFool: A simple and accurate method to fool deep neural networks[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 2574–2582.
    [20] CARLINI N and WAGNER D. Towards evaluating the robustness of neural networks[C]. 2017 IEEE Symposium on Security and Privacy (SP), San Jose, USA, 2017: 39–57.
    [21] PAPERNOT N, MCDANIEL P, JHA S, et al. The limitations of deep learning in adversarial settings[C]. 2016 IEEE European Symposium on Security and Privacy (EuroS&P), Saarbruecken, Germany, 2016: 372–387.
    [22] SU Jiawei, VARGAS D V, and SAKURAI K. One pixel attack for fooling deep neural networks[J]. IEEE Transactions on Evolutionary Computation, 2019, 23(5): 828–841. doi: 10.1109/TEVC.2019.2890858
    [23] POURSAEED O, KATSMAN I, GAO Bicheng, et al. Generative adversarial perturbations[C]. 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, USA, 2018: 4422–4431.
    [24] DU Chuan and ZHANG Lei. Adversarial attack for SAR target recognition based on UNet-generative adversarial network[J]. Remote Sensing, 2021, 13(21): 4358. doi: 10.3390/rs13214358
    [25] XIAO Chaowei, LI Bo, ZHU Junyan, et al. Generating adversarial examples with adversarial networks[C]. 27th International Joint Conference on Artificial Intelligence, Stockholm, Sweden, 2018: 3905–3911.
    [26] ILYAS A, ENGSTROM L, ATHALYE A, et al. Black-box adversarial attacks with limited queries and information[C]. 35th International Conference on Machine Learning, Stockholm, Sweden, 2018: 2142–2151.
    [27] GUO Chuan, GARDNER J R, YOU Yurong, et al. Simple black-box adversarial attacks[C]. 36th International Conference on Machine Learning, Long Beach, USA, 2019: 2484–2493.
    [28] TASHIRO Y, SONG Y, ERMON S. Diversity can be transferred: Output diversification for white-and black-box attacks[C]. The 34th International Conference on Neural Information Processing Systems. 2020: 4536–4548.
    [29] GUO Wei, TONDI B, and BARNI M. A master key backdoor for universal impersonation attack against DNN-based face verification[J]. Pattern Recognition Letters, 2021, 144: 61–67. doi: 10.1016/j.patrec.2021.01.009
    [30] GU Tianyu, LIU Kang, DOLAN-GAVITT B, et al. BadNets: Evaluating backdooring attacks on deep neural networks[J]. IEEE Access, 2019, 7: 47230–47244. doi: 10.1109/ACCESS.2019.2909068
    [31] BREWER E, LIN J, and RUNFOLA D. Susceptibility & defense of satellite image-trained convolutional networks to backdoor attacks[J]. Information Sciences, 2022, 603: 244–261. doi: 10.1016/j.ins.2022.05.004
    [32] ISLAM S, BADSHA S, KHALIL I, et al. A triggerless backdoor attack and defense mechanism for intelligent task offloading in multi-UAV systems[J]. IEEE Internet of Things Journal, 2023, 10(7): 5719–5732. doi: 10.1109/JIOT.2022.3172936
    [33] LI Haifeng, HUANG Haikuo, CHEN Li, et al. Adversarial examples for CNN-based SAR image classification: An experience study[J]. IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing, 2021, 14: 1333–1347. doi: 10.1109/JSTARS.2020.3038683
    [34] 周隽凡, 孙浩, 雷琳, 等. SAR图像稀疏对抗攻击[J]. 信号处理, 2021, 37(9): 1633–1643. doi: 10.16798/j.issn.1003-0530.2021.09.007

    ZHOU Junfan, SUN Hao, LEI Lin, et al. Sparse adversarial attack of SAR image[J]. Journal of Signal Processing, 2021, 37(9): 1633–1643. doi: 10.16798/j.issn.1003-0530.2021.09.007
    [35] WANG Lulu, WANG Xiaolei, MA Shixin, et al. Universal adversarial perturbation of SAR images for deep learning based target classification[C]. 2021 IEEE 4th International Conference on Electronics Technology (ICET), Chengdu, China, 2021: 1272–1276.
    [36] DU Chuan, HUO Chaoying, ZHANG Lei, et al. Fast C&W: A fast adversarial attack algorithm to fool SAR target recognition with deep convolutional neural networks[J]. IEEE Geoscience and Remote Sensing Letters, 2022, 19: 4010005. doi: 10.1109/LGRS.2021.3058011
    [37] ZHANG Fan, MENG Tianying, XIANG Deliang, et al. Adversarial deception against SAR target recognition network[J]. IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing, 2022, 15: 4507–4520. doi: 10.1109/JSTARS.2022.3179171
    [38] 徐延杰, 孙浩, 雷琳, 等. 基于稀疏差分协同进化的多源遥感场景分类攻击[J]. 信号处理, 2021, 37(7): 1164–1170. doi: 10.16798/j.issn.1003-0530.2021.07.005

    XU Yanjie, SUN Hao, LEI Lin, et al. Multi-source remote sensing classification attack based on sparse differential coevolution[J]. Journal of Signal Processing, 2021, 37(7): 1164–1170. doi: 10.16798/j.issn.1003-0530.2021.07.005
    [39] RONNEBERGER O, FISCHER P, and BROX T. U-net: Convolutional networks for biomedical image segmentation[C]. 18th International Conference on Medical Image Computing and Computer-Assisted Intervention, Munich, Germany, 2015: 234–241.
    [40] PENG Bowen, PENG Bo, YONG Shaowei, et al. An empirical study of fully black-box and universal adversarial attack for SAR target recognition[J]. Remote Sensing, 2022, 14(16): 4017. doi: 10.3390/rs14164017
    [41] DANG Xunwang, YAN Hua, HU Liping, et al. SAR image adversarial samples generation based on parametric model[C]. 2021 International Conference on Microwave and Millimeter Wave Technology (ICMMT), Nanjing, China, 2021: 1–3.
    [42] DU M, BI D, DU M, et al. Local aggregative attack on SAR image classification models[J]. Authorea Preprints, 2022.
    [43] MENG Tianying, ZHANG Fan, and MA Fei. A target-region-based SAR ATR adversarial deception method[C]. 2022 7th International Conference on Signal and Image Processing (ICSIP), Suzhou, China, 2022: 142–146.
    [44] PENG Bowen, PENG Bo, ZHOU Jie, et al. Speckle-variant attack: Toward transferable adversarial attack to SAR target recognition[J]. IEEE Geoscience and Remote Sensing Letters, 2022, 19: 4509805. doi: 10.1109/LGRS.2022.3184311
    [45] GERRY M J, POTTER L C, GUPTA I J, et al. A parametric model for synthetic aperture radar measurements[J]. IEEE Transactions on Antennas and Propagation, 1999, 47(7): 1179–1188. doi: 10.1109/8.785750
    [46] ZHOU Junfan, FENG Sijia, SUN Hao, et al. Attributed scattering center guided adversarial attack for DCNN SAR target recognition[J]. IEEE Geoscience and Remote Sensing Letters, 2023, 20: 4001805. doi: 10.1109/LGRS.2023.3235051
    [47] PENG Bowen, PENG Bo, ZHOU Jie, et al. Scattering model guided adversarial examples for SAR target recognition: Attack and defense[J]. IEEE Transactions on Geoscience and Remote Sensing, 2022, 60: 5236217. doi: 10.1109/TGRS.2022.3213305
    [48] QIN Weibo, LONG Bo, and WANG Feng. SCMA: A scattering center model attack on CNN-SAR target recognition[J]. IEEE Geoscience and Remote Sensing Letters, 2023, 20: 4003305. doi: 10.1109/LGRS.2023.3253189
    [49] LIU Hongwei, JIU Bo, LI Fei, et al. Attributed scattering center extraction algorithm based on sparse representation with dictionary refinement[J]. IEEE Transactions on Antennas and Propagation, 2017, 65(5): 2604–2614. doi: 10.1109/TAP.2017.2673764
    [50] SIMONYAN K and ZISSERMAN A. Very deep convolutional networks for large-scale image recognition[C]. 3rd International Conference on Learning Representations, San Diego, USA, 2014.
    [51] HE Kaiming, ZHANG Xiangyu, REN Shaoqing, et al. Deep residual learning for image recognition[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 770–778.
    [52] HUANG Gao, LIU Zhuang, VAN DER MAATEN L, et al. Densely connected convolutional networks[C]. 2017 IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, USA, 2017: 2261–2269.
    [53] SZEGEDY C, LIU Wei, JIA Yangqing, et al. Going deeper with convolutions[C]. 2015 IEEE Conference on Computer Vision and Pattern Recognition, Boston, USA, 2015: 1–9.
    [54] SZEGEDY C, VANHOUCKE V, IOFFE S, et al. Rethinking the inception architecture for computer vision[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 2818–2826.
    [55] SANDLER M, HOWARD A, ZHU Menglong, et al. MobileNetV2: Inverted residuals and linear bottlenecks[C]. 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, USA, 2018: 4510–4520.
    [56] KRIZHEVSKY A, SUTSKEVER I, and HINTON G E. ImageNet classification with deep convolutional neural networks[J]. Communications of the ACM, 2017, 60(6): 84–90. doi: 10.1145/3065386
    [57] SZEGEDY C, IOFFE S, VANHOUCKE V, et al. Inception-v4, inception-ResNet and the impact of residual connections on learning[C]. Thirty-First AAAI Conference on Artificial Intelligence, San Francisco, USA, 2017: 4278–4284.
    [58] SCHMITT M, HUGHES L H, and ZHU X X. The SEN1–2 dataset for deep learning in Sar-optical data fusion[J]. ISPRS Annals of the Photogrammetry, Remote Sensing and Spatial Information Sciences, 2018, 4: 141–146. doi: 10.5194/isprs-annals-IV-1-141-2018
    [59] HUANG Lanqing, LIU Bin, LI Boying, et al. OpenSARShip: A dataset dedicated to Sentinel-1 ship interpretation[J]. IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing, 2018, 11(1): 195–208. doi: 10.1109/JSTARS.2017.2755672
    [60] ZHU Xiaoxiang, HU Jingliang, QIU Chunping, et al. So2Sat LCZ42: A benchmark data set for the classification of global local climate zones [Software and Data Sets][J]. IEEE Geoscience and Remote Sensing Magazine, 2020, 8(3): 76–89. doi: 10.1109/MGRS.2020.2964708
    [61] MALMGREN-HANSEN D, KUSK A, DALL J, et al. Improving SAR automatic target recognition models with transfer learning from simulated data[J]. IEEE Geoscience and remote sensing Letters, 2017, 14(9): 1484–1488. doi: 10.1109/LGRS.2017.2717486
    [62] MALMGREN-HANSEN D and NOBEL-JØRGENSEN M. Convolutional neural networks for SAR image segmentation[C]. 2015 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT), Abu Dhabi, United Arab Emirates, 2015: 231–236.
    [63] YUAN Yijun, WAN Jinwei, and CHEN Bo. Robust attack on deep learning based radar HRRP target recognition[C]. 2019 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC), Lanzhou, China, 2019: 704–707.
    [64] 万锦伟. 基于深度网络的HRRP目标识别与对抗攻击研究[D]. [博士论文], 西安电子科技大学, 2020.

    WAN Jinwei. Research on HRRP target recognition and adversarial attacks based on deep neural networks[D]. [Ph. D. dissertation], Xidian University, 2020.
    [65] HUANG Teng, CHEN Yongfeng, YAO Bingjian, et al. Adversarial attacks on deep-learning-based radar range profile target recognition[J]. Information Sciences, 2020, 531: 159–176. doi: 10.1016/j.ins.2020.03.066
    [66] DU Chuan, CONG Yulai, ZHANG Lei, et al. A practical deceptive jamming method based on vulnerable location awareness adversarial attack for radar HRRP target recognition[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 2410–2424. doi: 10.1109/TIFS.2022.3170275
    [67] GAO Fei, HUANG Teng, WANG Jun, et al. A novel multi-input bidirectional LSTM and HMM based approach for target recognition from multi-domain radar range profiles[J]. Electronics, 2019, 8(5): 535. doi: 10.3390/electronics8050535
    [68] YANG Yuzhe, ZHANG Guo, XU Zhi, et al. ME-Net: Towards effective adversarial robustness with matrix estimation[C]. 36th International Conference on Machine Learning, Long Beach, USA, 2019: 7025–7034.
    [69] WANG Yutong, ZHANG Wenwen, SHEN Tianyu, et al. Binary thresholding defense against adversarial attacks[J]. Neurocomputing, 2021, 445: 61–71. doi: 10.1016/j.neucom.2021.03.036
    [70] LeCun Y. The MNIST database of handwritten digits[EB/OL]. http://yann.lecun.com/exdb/mnist/, 1998.
    [71] MUSTAFA A, KHAN S H, HAYAT M, et al. Image super-resolution as a defense against adversarial attacks[J]. IEEE Transactions on Image Processing, 2020, 29: 1711–1724. doi: 10.1109/TIP.2019.2940533
    [72] AGARWAL A, SINGH R, VATSA M, et al. Image transformation-based defense against adversarial perturbation on deep learning models[J]. IEEE Transactions on Dependable and Secure Computing, 2021, 18(5): 2106–2121. doi: 10.1109/TDSC.2020.3027183
    [73] 孙浩, 徐延杰, 陈进, 等. 基于自监督对比学习的深度神经网络对抗鲁棒性提升[J]. 信号处理, 2021, 37(6): 903–911. doi: 10.16798/j.issn.1003-0530.2021.06.001

    SUN Hao, XU Yanjie, CHEN Jin, et al. Self-supervised contrastive learning for improving the adversarial robustness of deep neural networks[J]. Journal of Signal Processing, 2021, 37(6): 903–911. doi: 10.16798/j.issn.1003-0530.2021.06.001
    [74] XU Yanjie, SUN Hao, CHEN Jin, et al. Adversarial self-supervised learning for robust SAR target recognition[J]. Remote Sensing, 2021, 13(20): 4158. doi: 10.3390/rs13204158
    [75] SONG Chuanbiao, HE Kun, LIN Jiadong, et al. Robust local features for improving the generalization of adversarial training[C]. 8th International Conference on Learning Representations, Addis Ababa, Ethiopia, 2020.
    [76] ZHANG Hongyang, YU Yaodong, JIAO Jiantao, et al. Theoretically principled trade-off between robustness and accuracy[C]. 36th International Conference on Machine Learning, Long Beach, USA, 2019: 7472–7482.
    [77] INKAWHICH N, DAVIS E, MAJUMDER U, et al. Advanced techniques for robust SAR ATR: Mitigating noise and phase errors[C]. 2020 IEEE International Radar Conference (RADAR), Washington, USA, 2020: 844–849.
    [78] WAGNER S, PANATI C, and BRÜGGENWIRTH S. Fool the COOL-on the robustness of deep learning SAR ATR systems[C]. 2021 IEEE Radar Conference (RadarConf21), Atlanta, USA, 2021: 1–6.
    [79] LI Peng, HU Xiaowei, FENG Cunqian, et al. SAR-AD-BagNet: An interpretable model for SAR image recognition based on adversarial defense[J]. IEEE Geoscience and Remote Sensing Letters, 2023, 20: 4000505. doi: 10.1109/LGRS.2022.3230243
    [80] LI Peng, FENG Cunqian, HU Xiaowei, et al. SAR-BagNet: An ante-hoc interpretable recognition model based on deep network for SAR image[J]. Remote Sensing, 2022, 14(9): 2150. doi: 10.3390/rs14092150
    [81] HENDRYCKS D and GIMPEL K. Early methods for detecting adversarial images[C]. 5th International Conference on Learning Representations, Toulon, France, 2017.
    [82] FEINMAN R, CURTIN R R, SHINTRE S, et al. Detecting adversarial samples from artifacts[OL]. https://arxiv.org/abs/1703.00410.
    [83] MA Xingjun, LI Bo, WANG Yisen, et al. Characterizing adversarial subspaces using local intrinsic dimensionality[C]. 6th International Conference on Learning Representations, Vancouver, Canada, 2018.
    [84] LEE K, LEE K, LEE H, et al. A simple unified framework for detecting out-of-distribution samples and adversarial attacks[C]. 32nd International Conference on Neural Information Processing Systems, Montréal, Canada, 2018: 7167–7177.
    [85] ZHAO Chenxiao, FLETCHER P T, YU Mixue, et al. The adversarial attack and detection under the fisher information metric[C]. Thirty-Third AAAI Conference on Artificial Intelligence, Honolulu, USA, 2019: 5869–5876.
    [86] COHEN G, SAPIRO G, and GIRYES R. Detecting adversarial samples using influence functions and nearest neighbors[C]. 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Seattle, USA, 2020: 14441–14450.
    [87] ZHANG Zhiwei, LIU Shuowei, GAO Xunzhang, et al. An empirical study towards SAR adversarial examples[C]. 2022 International Conference on Image Processing, Computer Vision and Machine Learning (ICICML), Xi’an, China, 2022: 127–132.
    [88] ZHANG Zhiwei, LIU Shuowei, GAO Xunzhang, et al. Improving adversarial detection methods for SAR image via joint contrastive cross-entropy training[C]. 4th International Academic Exchange Conference on Science and Technology Innovation (IAECST), Guangzhou, China, 2022: 1107–1110.
    [89] ZHANG Zhiwei, GAO Xunzhang, LIU Shuowei, et al. Energy-based adversarial example detection for SAR images[J]. Remote Sensing, 2022, 14(20): 5168. doi: 10.3390/rs14205168
    [90] YANG Yi and NEWSAM S. Bag-of-visual-words and spatial extensions for land-use classification[C]. 18th SIGSPATIAL International Conference on Advances in Geographic Information Systems, San Jose, USA, 2010: 270–279.
    [91] MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks[C]. 6th International Conference on Learning Representations, Vancouver, Canada, 2018.
    [92] CHEN Jianbo, JORDAN M I, and WAINWRIGHT M J. HopSkipJumpAttack: A query-efficient decision-based attack[C]. 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, USA, 2020: 1277–1294.
    [93] ANDRIUSHCHENKO M, CROCE F, FLAMMARION N, et al. Square attack: A query-efficient black-box adversarial attack via random search[C]. 16th European Conference on Computer Vision, Glasgow, UK, 2020: 484–501.
    [94] MODAS A, MOOSAVI-DEZFOOLI S M, and FROSSARD P. SparseFool: A few pixels make a big difference[C]. 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Long Beach, USA, 2019: 9079–9088.
    [95] YUAN Xuejing, CHEN Yuxuan, ZHAO Yue, et al. Commandersong: A systematic approach for practical adversarial voice recognition[C]. 27th USENIX Conference on Security Symposium, Baltimore, USA, 2018: 49–64.
    [96] DAS N, SHANBHOGUE M, CHEN S T, et al. ADAGIO: Interactive experimentation with adversarial attack and defense for audio[C]. Joint European Conference on Machine Learning and Knowledge Discovery in Databases, Dublin, Ireland, 2019: 677–681.
    [97] DOAN K, LAO Y, and LI P. Backdoor attack with imperceptible input and latent modification[J]. Advances in Neural Information Processing Systems, 2021, 34: 18944–18957.
    [98] BAGDASARYAN E and SHMATIKOV V. Blind backdoors in deep learning models[C]. 30th USENIX Security Symposium, 2021: 1505–1521.
    [99] DOAN K, LAO Yingjie, ZHAO Weijie, et al. LIRA: Learnable, imperceptible and robust backdoor attacks[C]. 2021 IEEE/CVF International Conference on Computer Vision (ICCV), Montreal, Canada, 2021: 11946–11956.
    [100] SAHA A, SUBRAMANYA A, and PIRSIAVASH H. Hidden trigger backdoor attacks[C]. 34th AAAI Conference on Artificial Intelligence, New York, USA, 2020: 11957–11965.
    [101] SHUMAILOV I, SHUMAYLOV Z, KAZHDAN D, et al. Manipulating SGD with data ordering attacks[C]. 34th International Conference on Neural Information Processing Systems, 2021: 18021–18032.
    [102] SOURI H, FOWL L, CHELLAPPA R, et al. Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch[J]. Advances in Neural Information Processing Systems, 2022, 35: 19165–19178.
    [103] DOAN B G, ABBASNEJAD E, and RANASINGHE D C. Februus: Input purification defense against Trojan attacks on deep neural network systems[C]. Annual Computer Security Applications Conference, Austin, USA, 2020: 897–912.
    [104] WANG Bolun, YAO Yuanshun, SHAN S, et al. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks[C]. 2019 IEEE Symposium on Security and Privacy (SP), San Francisco, USA, 2019: 707–723.
    [105] GIRSHICK R. Fast r-CNN[C]. 2015 IEEE International Conference on Computer Vision, Santiago, Chile, 2015: 1440–1448.
    [106] REDMON J, DIVVALA S, GIRSHICK R, et al. You only look once: Unified, real-time object detection[C]. 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, USA, 2016: 779–788.
    [107] CHOW K H, LIU Ling, LOPER M, et al. Adversarial objectness gradient attacks in real-time object detection systems[C]. 2020 Second IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA), Atlanta, USA, 2020: 263–272.
    [108] WANG Yajie, LV Haoran, KUANG Xiaohui, et al. Towards a physical-world adversarial patch for blinding object detection models[J]. Information Sciences, 2021, 556: 459–471. doi: 10.1016/j.ins.2020.08.087
    [109] 张磊, 陈晓晴, 郑熠宁, 等. 电磁超表面与信息超表面[J]. 电波科学学报, 2021, 36(6): 817–828. doi: 10.12265/j.cjors.2021218

    ZHANG Lei, CHEN Xiaoqing, ZHENG Yining, et al. Electromagnetic metasurfaces and information metasurfaces[J]. Chinese Journal of Radio Science, 2021, 36(6): 817–828. doi: 10.12265/j.cjors.2021218
  • 期刊类型引用(4)

    1. 张仁李,朱蕾,邱爽,盛卫星. 单脉冲测角的二维分级主旁瓣干扰联合抑制方法. 电子与信息学报. 2024(01): 213-221 . 百度学术
    2. 谢前朋,杜奕航,孙兵,闫华,潘小义,赵锋. 基于降维变换的低复杂度双基地EMVS-MIMO雷达高分辨多维参数估计. 系统工程与电子技术. 2024(06): 1899-1907 . 百度学术
    3. 韩乐天,司伟建,曲明超. 双极化面阵的快速波达方向估计算法. 航空兵器. 2023(01): 120-126 . 百度学术
    4. 张翔,陈楠祺,张珂,王中洋. 基于斜投影算子的引信抗主瓣干扰方法. 装备环境工程. 2022(11): 10-17 . 百度学术

    其他类型引用(2)

  • 加载中
图(7) / 表(4)
计量
  • 文章访问数: 1787
  • HTML全文浏览量: 399
  • PDF下载量: 517
  • 被引次数: 6
出版历程
  • 收稿日期:  2023-05-29
  • 修回日期:  2023-07-13
  • 网络出版日期:  2023-07-26
  • 刊出日期:  2023-08-28

目录

/

返回文章
返回