
Improving Adversarial Robustness on Single Model via Feature Fusion and Ensemble Diversity

  • East China Normal University

Research output: Contribution to journal › Article › Peer-reviewed

Abstract

It is an inevitable trend to use deep neural networks (DNNs) to process the massive image data generated by the rapid increase of Internet of Things (IoT) devices. However, because DNNs are vulnerable to adversarial examples, they are easy to attack, which would endanger the security of the IoT. How to improve the robustness of the model has therefore become an important topic. Usually, the defensive performance of an ensemble model is better than that of a single model, but the limited computing power of IoT devices makes ensemble models difficult to apply. Therefore, this study proposes a novel model transformation and training method for a single model that achieves a defense effect similar to that of an ensemble model: adding additional branches to the base model; using feature pyramids to fuse features; and introducing ensemble diversity for training. Experiments on common datasets such as MNIST and CIFAR-10 show that this method can significantly improve robustness. The accuracy increases more than fivefold against four gradient-based attacks such as FGSM, and by up to 10 times against JSMA, C&W, and EAD. This method does not disturb the classification of clean examples, and can obtain better performance when combined with adversarial training.

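Translated title of the contribution: Improving Adversarial Robustness on Single Model via Feature Fusion and Ensemble Diversity
Original language: Chinese (Traditional)
Pages (from-to): 2756-2769
Number of pages: 14
Journal: Ruan Jian Xue Bao/Journal of Software
Volume: 31
Issue number: 9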
Publication status: Published - 1 Sep 2020

Keywords

  • Adversarial example
  • Ensemble diversity
  • Feature fusion
  • Internet of things
  • Model defense
  • Robustness
