摘要
基于深度神经网络的合成孔径雷达(SAR)图像目标识别已成为SAR应用领域的研究热点和前沿方向。然而,有研究指出深度神经网络模型易受到对抗样本攻击。对抗样本定义为在数据集内故意引入微小扰动所产生的输入样本,这种扰动足以使模型高信度地产生错误判断。现有SAR对抗样本生成技术本质上仅作用于二维图像,即为数字域对抗样本。尽管近期有部分研究开始将SAR成像散射机理考虑用于对抗样本生成,但是仍然存在两个重要缺陷,一是仅在SAR图像上考虑成像散射机理,而没有将其置于SAR实际成像过程中进行考虑;二是在机制上无法实现三维物理域的攻击,即只实现了伪物理域对抗攻击。该文对SAR智能识别对抗攻击的技术现状和发展趋势进行了研究。首先,详细梳理了传统SAR图像对抗样本技术的发展脉络,并对各类技术的特点进行了对比分析,总结了现有技术存在的不足;其次,从SAR成像原理和实际过程出发,提出了物理域对抗攻击技术,通过调整目标物体的后向散射特性,或通过发射振幅和相位精细可调的干扰信号来实现对SAR智能识别算法对抗攻击的新思路,并展望了SAR对抗攻击在物理域下的具体实现方式;最后,进一步讨论了未来SAR智能对抗攻击技术的发展方向。
Deep Neural Network(DNN)-based Synthetic Aperture Radar(SAR)image target recognition has become a prominent area of interest in SAR applications.However,deep neural network models are vulnerable to adversarial example attacks.Adversarial examples are input samples that introduce minute perturbations within the dataset,causing the model to make highly confident yet incorrect judgments.Existing generation techniques of SAR adversarial examples fundamentally operate on two-dimensional images,which are classified as digital-domain adversarial examples.Although recent research has started to incorporate SAR imaging scattering mechanisms in adversarial example generation,two important flaws still remain:(1)imaging scattering mechanisms are only applied to SAR images without being integrated into the actual SAR imaging process,and(2)the mechanisms achieve only pseudo-physical-domain adversarial attacks,failing to realize true three-dimensional physical-domain adversarial attacks.This study investigates the current state and development trends in adversarial attacks on SAR intelligent target recognition.First,the development trajectory of traditional generation technologies of SAR-image adversarial examples is meticulously traced and a comparative analysis of various technologies is conducted,thus summarizing their deficiencies.Building on the principles and actual processes of SAR imaging,physical-domain adversarial attack techniques are then proposed.These techniques manipulate the target object’s backscattering properties or emit finely adjustable interference signals in amplitude and phase to counter SAR intelligent target recognition algorithms.The paper also envisions practical implementations of SAR adversarial attacks in the physical domain.Finally,this paper concludes by discussing the future directions of SAR intelligent adversarial attack technologies.
作者
阮航
崔家豪
毛秀华
任建迎
罗镔延
曹航
李海峰
RUAN Hang;CUI Jiahao;MAO Xiuhua;REN Jianying;LUO Binyan;CAO Hang;LI Haifeng(Beijing Institute of Tracking and Communication Technology,Beijing 100094,China;School of Geosciences and Info-Physics,Central South University,Changsha 410083,China;Science&Technology on Integrated Information System Laboratory,Beijing 100094,China)
出处
《雷达学报(中英文)》
EI
CSCD
北大核心
2024年第6期1298-1326,共29页
Journal of Radars
基金
国家自然科学基金(42171458,42271481)。
