基於空間頻率域下模型之對抗式攻擊的穩健性

Abstract

卷積神經網絡 (CNN) 常用於大多數電腦視覺任務。然而，CNN 模型對於對抗性 攻擊的脆弱性引起了人們對於將這些模型部署到安全性系統的擔憂。相比之下，人類視覺系統 (HVS) 利用空間頻率處理視覺信號，且具備不受對抗性攻擊影響的性質。因此，本文提出了一系列實證研究，探索 CNN 模型在空間頻域中的脆弱性。具體來說，我們利用離散餘弦轉換來構建 Spatial-Frequency (SF) 層以生成輸入圖像的塊狀頻譜，接著更近一步利用 SF 層替換原始 CNN 模型的初始特徵提取層，進而生成 Spatial Frequency CNNs (SF-CNNs) 。透過廣泛的實驗，我們觀察到 SF-CNN 模型在白盒和黑盒攻擊下都比原始的 CNN 模型更具穩健性。為了進一步解釋 SF-CNN 的穩健性，我們使用兩種混合策略將 SF 層與具有相同內核大小的可訓練卷積層進行比較，結果顯示低頻訊號對 SF-CNN 的穩健性貢獻最大。我們相信透過這些實驗觀察可以指引未來朝向更穩健的 CNN 模型設計。

Convolutional Neural Networks (CNNs) have dominated the majority of computer vision tasks. However, CNNs’ vulnerability to adversarial attacks has raised concerns about de- ploying these models to safety-critical applications. In contrast, the Human Visual System (HVS), which utilizes spatial frequency channels to process visual signals, is immune to adversarial attacks. As such, this paper presents an empirical study exploring the vulnerability of CNN models in the frequency domain. Specifically, we utilize the discrete cosine transform (DCT) to construct the Spatial-Frequency (SF) layer to produce a block-wise frequency spectrum of an input image and formulate Spatial Frequency CNNs (SF-CNNs) by replacing the initial feature extraction layers of widely-used CNN backbones with the SF layer. Through extensive experiments, we observe that SF-CNN models are more robust than their CNN counterparts under both white-box and black-box attacks. To further explain the robustness of SF-CNNs, we compare the SF layer with a trainable convolutional layer with identical kernel sizes using two mixing strategies to show that the lower frequency components contribute the most to the adversarial robustness of SF-CNNs. We believe our observations can guide the future design of robust CNN models.