基于改进加权显著图的雷达信号对抗攻击方法

杨 箫; 谢 军; $2; $2

引用本文:	杨箫，谢军，王国丽，邓志安. 基于改进加权显著图的雷达信号对抗攻击方法[J]. 雷达科学与技术, 2025, 23(4): 451-461.[点击复制]
	YANG Xiao, XIE Jun, WANG Guoli, DENG Zhian. Radar Signal Adversarial Attack Method Based on Improved Weighted Saliency Map[J]. Radar Science and Technology, 2025, 23(4): 451-461.[点击复制]

【打印本页】【下载PDF全文】【查看/发表评论】【下载PDF阅读器】【关闭】

←前一篇|后一篇→

过刊浏览高级检索

本文已被：浏览 498次下载 199次	码上扫一扫！
分享到：微信更多字体:加大+\|默认\|缩小-
基于改进加权显著图的雷达信号对抗攻击方法
杨箫，谢军，王国丽，邓志安
1. 哈尔滨工程大学信息与通信工程学院，黑龙江哈尔滨 150001;2. 先进船舶通信与信息技术工业和信息化部重点实验室，黑龙江哈尔滨 150001;3. 中国电子科技集团公司第五十四研究所，河北石家庄 050081

摘要:

为了提升当前对抗攻击方法的攻击成功率和生成对抗样本的隐蔽性，本文提出了基于改进加权显著图的雷达信号对抗攻击方法。首先基于链式法则计算模型输出关于输入的雅可比矩阵；之后基于矩阵构建反映输入数据对输出影响程度的显著图，通过在显著图表达式中引入与真实标签导数相关的约束项，减少了攻击成功所需的总扰动点数；最后选取显著性最高的数据点添加双向扰动，迭代生成对抗样本。实验结果表明：在对ResNet和VGG两改进模型进行目标攻击时，相较于已有方法，本文方法具有更高的攻击成功率，生成的对抗样本也具有更好的隐蔽性。将生成的对抗样本直接迁移到CNN和CLDNN模型中进行黑盒攻击，模型识别率下降30个百分点以上。

关键词: 对抗攻击加权雅可比显著图双向扰动雷达信号识别

DOI：DOI:10.3969/j.issn.1672-2337.2025.04.011

分类号:TN971

基金项目:国家自然科学基金（No.62371152）

Radar Signal Adversarial Attack Method Based on Improved Weighted Saliency Map

YANG Xiao, XIE Jun, WANG Guoli, DENG Zhian

1. College of Information and Communication Engineering, Harbin Engineering University, Harbin 150001, China;2. Key Laboratory of Advanced Marine Communication and Information Technology, Ministry of Industry and InformationTechnology, Harbin 150001, China;3. The 54th Research Institute of China Electronics Technology Group Corporation, Shijiazhuang 050081, China

Abstract:

In order to improve the attack success rate of the current adversarial attack methods and the concealment of generated adversarial samples, a radar signal adversarial attack method based on improved weighted saliency map is proposed in this paper. Firstly, the chain rule is used to calculate the Jacobian matrix of the model output with respect to the inputs. Then, based on the matrix, a saliency map reflecting the influence of the input on the output is constructed, and the total number of perturbation points required for successful attack is reduced by introducing constraints related to the derivatives of the real label in the saliency map expression. Finally, the points with the highest significance are selected to add bidirectional perturbations, and the adversarial samples are iteratively generated. The experimental results show that compared with the existing methods, the proposed method has a higher attack success rate and the generated adversarial samples have better concealment. When the generated adversarial samples are directly migrated to the CNN and CLDNN models for black?box attacks, the model recognition rate is decreased by more than 30 percen?tage points.

Key words: adversarial attacks weighted Jacobian saliency map bidirectional perturbation radar signal recognition