Spear and Shield: Attack and Detection for CNN-Based High Spatial Resolution Remote Sensing Images Identification

Wenmei Li; Zhuangzhuang Li; Jinlong Sun; Yu Wang; Haiyan Liu; Jie Yang; Guan Gui

doi:10.1109/ACCESS.2019.2927376

IEEE Access (Jan 2019)

Spear and Shield: Attack and Detection for CNN-Based High Spatial Resolution Remote Sensing Images Identification

Wenmei Li,
Zhuangzhuang Li,
Jinlong Sun,
Yu Wang,
Haiyan Liu,
Jie Yang,
Guan Gui

Affiliations

Wenmei Li: ORCiD; School of Geographic and Biologic Information, Nanjing University of Posts and Telecommunications, Nanjing, China
Zhuangzhuang Li: College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China
Jinlong Sun: College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China
Yu Wang: College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China
Haiyan Liu: College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China
Jie Yang: ORCiD; College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China
Guan Gui: ORCiD; College of Telecommunications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing, China

DOI: https://doi.org/10.1109/ACCESS.2019.2927376
Journal volume & issue: Vol. 7
pp. 94583 – 94592

Abstract

Read online

High spatial resolution remote sensing (HSRRS) images classification and identification is an important technology to acquire land surface information for land resource management, geographical situation monitoring, and global climate change. As the hottest deep learning method, convolutional neural network (CNN) has been successfully applied in HSRRS image classification and identification due to its powerful information extraction capability. However, adversarial perturbations caused by radiation transfer process or artificial or other unpredictable disturbances often deteriorate the stability of CNN. Under this background, we propose a robust architecture for adversarial attack and detection to classify and identify HSRRS images. First of all, two white-box attacks [i.e., large Broyden–Fletcher–Goldfarb–Shanno (L-BFGS) and fast gradient sign method (FGSM)] are adopted respectively to generate adversarial images to confuse the model, and to assess the robustness of the HSRRS image classifier. Second, adversarial detection models based on support vector machine (SVM) with single or fused two level features are proposed to improve the detection accuracy. The features extracted from the testing CNN full connected layers contain adversarial perturbations and real information, from which SVM classifier and discriminate the real and the adversarial images. The adversarial attack model is evaluated in terms of overall accuracy ( $OA$ ) and kappa coefficient ( $kc$ ). The simulation results show that the $OA$ decreases from 96.4% to 44.4% and 33.3% for L-BFGS and FGSM attacked classifier model, respectively. The adversarial detection is evaluated via $OA$ , detection probability $P_{D}$ , false alarm probability $P_{FA}$ , and miss probability $P_{M}$ . The simulation results indicate that the fused model with two different level features based on SVM can obtain the best $OA$ (94.5%), $P_{D}$ (0.933), $P_{FA}$ (0.040), and $P_{M}$ (0.067) among the detectors if the classifier is attacked by the FGSM. Meanwhile, when facing the L-BFGS attack, the fused model presents similar performance if the best single level features are utilized.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords