面向图像语义理解的对抗机器学习理论与方法

With widely applied in related areas of image semantic understanding, deep learning methods’ vulnerability and its robustness to adversarial attacks have received more and more focuses. Adversarial machine learning targets to explore the vulnerability of machine learning methods via developing adversarial examples, i.e., whether the machine learning model had learned true concepts and in what conditions the model would become invalid. In this proposal, taking deep learning methods that applied in image semantic understanding as targets, we will explore relationships between adversarial image examples and deep leanring architectures, decision boundaries, as well as manifold distributions of training data etc., so as to improve the theories for the existence of adversarial examples. Based on the theories, towards improving the specificity and generability of the adversarial attack, we will develop the framework of new adversarial attack methods. Moreover, in order to construct practical applications of adversarial attack and defence, we will explore how to improve the robustness of adversarial attack and develop fusion mechanisms of multiple attack methods. Finally, integratting the proposed algorithms and technologies, we will develop a prototype system of adversarial attack and defence for systems of large-scale image classsification and video object detection. The output novel theories and methods mainly contribute to the further understanding of the vulnerability and interpretability of deep learning methods, which will provide theorectic evidences and methodology strategies for constructing a safer and more reliable system of image semantic understanding.

随着深度学习广泛应用于图像语义理解的相关领域，深度学习方法的脆弱性和抗攻击能力开始引起关注。对抗机器学习通过构建对抗样本来探测机器学习方法的脆弱性，即机器学习模型是否真正学习到了正确的语义概念，以及该模型在何种情况下失效。本项目以图像语义理解应用中的深度学习方法为研究对象，研究对抗图像样本与深度神经网络结构、决策边界和训练数据流形分布等之间的关系，完善对抗样本存在性的理论体系。在理论研究的基础上，以提升对抗攻击的针对性和普适性为牵引，构建对抗攻击的方法框架。面向图像语义理解应用中的对抗攻防，研究如何提升对抗攻击的鲁棒性，构建多种攻击方法的融合策略。集成算法和技术，面向大规模图像分类和视频对象检测构建对抗攻防原型系统，进行应用示范。项目研究所形成的的理论体系和方法框架在进一步揭示深度学习方法的脆弱性和可解释性的同时，可对构建更加安全可靠的图像语义理解系统提供理论依据和策略指导。

对抗机器学习通过构建对抗样本来探测机器学习方法的脆弱性，即机器学习模型是否真正学习到了正确的语义概念，以及该模型在何种情况下失效。本项目以图像语义理解应用中的深度学习方法为研究对象，主要研究了：对抗样本的存在性机理和迁移能力、可解释性对抗攻防方法、攻防应用中的可靠性和适用性、以及对抗攻防应用验证等。相关研究成果在“图像语义理解和对抗机器学习”相关方向上共发表学术论文28篇，其中CCF推荐A类期刊和会议论文14篇，包括2篇论文发表在期刊IEEE TPAMI上，相关技术成果申请国家发明专利5项；相关算法在NeurIPS 2018（CCF-A）“对抗视觉挑战赛”中取得优异成绩。本项目研究所形成的的理论体系和方法框架在进一步揭示深度学习方法的脆弱性和可解释性的同时，可对构建更加安全可靠的图像语义理解系统提供理论依据和策略指导。