DE-JSMA: a sparse adversarial attack algorithm for SAR-ATR models

DE-JSMA: 面向SAR-ATR模型的稀疏对抗攻击算法

¹ School of Cyberspace Security, Northwestern Polytechnical University, Xi'an 710072, China
² School of Automation, Northwestern Polytechnical University, Xi'an 710072, China

Received: 27 December 2022

Abstract

The vulnerability of DNN makes the SAR-ATR system that uses an intelligent algorithm for recognition also somewhat vulnerable. In order to verify the vulnerability, this paper proposes DE-JSMA, a novel sparse adversarial attack algorithm based on a salient map's adversarial attack algorithm and differential evolution algorithm, with the synthetic aperture radar (SAR) image feature sparsity considered. After accurately screening out the salient features that have a great impact on the model inference results, the DE-JSMA algorithm optimizes the appropriate feature values for the salient features. In order to verify its effectiveness more comprehensively, a new metric that combines the attack success rate with the average confidence interval of adversarial examples is proposed. The experimental results show that DE-JSMA extends JSMA, which can be used only for targeted attack scenario, to untargeted attack scenario without increasing too much time consumption but ensuring a high attack success rate, thus achieving sparse adversarial attack with higher reliability and better sparsity in both attack scenarios. The pixel perturbations of only 0.31% and 0.85% can achieve the untargeted and targeted attack success rates up to 100% and 78.79% respectively.

摘要

DNN易受攻击的特点使得以智能算法为识别手段的SAR-ATR系统也存在一定脆弱性。为验证其脆弱性, 结合SAR图像特征稀疏的特点, 在显著图对抗攻击算法和差分进化算法基础上提出了DE-JSMA稀疏攻击算法, 精确筛选出对模型推理结果影响较大的显著特征后, 为显著特征优化出合适的特征值。为了更全面地验证攻击的有效性, 构建了一种结合攻击成功率和对抗样本平均置信度的新指标F_c值。实验结果表明, 在没有增加过多耗时, 且保证高攻击成功率情况下, DE-JSMA将只能定向攻击的JSMA扩展到了非定向攻击场景, 且在2种攻击场景下均实现了可靠性更高、稀疏性更优的稀疏对抗攻击, 仅扰动0.31%与0.85%的像素即可达到100%与78.79%以上的非定向与定向攻击成功率。