Adversarial detection based on feature invariant in license plate recognition systems

Deep neural networks have become an integral part of people's daily lives. However, researchers have found that these networks are vulnerable to adversarial samples, which cause abnormal behaviors such as misclassification by the network model. The existence of adversarial samples poses a significant threat to the application of deep neural networks, especially in security-sensitive scenarios such as license plate recognition systems. At present, most existing defense and detection techniques against adversarial samples perform well against certain specific types of adversarial attacks, but they generally do not generalize to all types of adversarial attacks. To address adversarial sample attacks on real-world license plate recognition systems, an unsupervised adversarial sample detection system based on feature invariants was proposed, named feature invariant adversarial detection (FIAD). It was derived by analyzing the inherent variations of neural networks trained on clean samples and the dimensional complexity between clean samples, and it uses neural network invariants and local intrinsic dimensionality invariants for detection. The detection system was deployed into the widely used open-source license plate recognition systems HyperLPR and EasyPR, and extensive experiments were conducted using the real Chinese license plate dataset CCPD (Chinese city parking data-set). Experiments on 11 different types of attacks show that, compared with 4 other advanced detection methods, FIAD can effectively detect all of these attacks at a lower false positive rate, with an average detection accuracy consistently reaching 99%. Therefore, FIAD exhibits good generality against various types of adversarial attacks.

deep neural network; adversarial sample detection; license plate recognition; feature invariants

Zhu Xiaoyu (朱孝羽), Tang Peng (唐鹏), Zhang Haochen (张浩臣), Qiu Weidong (邱卫东), Huang Zheng (黄征)


School of Cyberspace Security, Shanghai Jiao Tong University, Shanghai 200240


2024

Chinese Journal of Network and Information Security
Posts & Telecom Press

CSTPCD
ISSN:2096-109X
Year, volume (issue): 2024, 10(6)