Next Article in Journal
Top-Down Pyramid Fusion Network for High-Resolution Remote Sensing Semantic Segmentation
Next Article in Special Issue
Frequency Diversity Gain of a Wideband Radar Signal
Previous Article in Journal
Enhancing Animal Movement Analyses: Spatiotemporal Matching of Animal Positions with Remotely Sensed Data Using Google Earth Engine and R
Previous Article in Special Issue
Ship Object Detection of Remote Sensing Image Based on Visual Attention
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Adversarial Self-Supervised Learning for Robust SAR Target Recognition

1
State Key Laboratory of Complex Electromagnetic Environment Effects on Electronics and Information System, National University of Defense Technology, Changsha 410073, China
2
Beijing Institute of Remote Sensing Information, Beijing 100092, China
*
Author to whom correspondence should be addressed.
Remote Sens. 2021, 13(20), 4158; https://doi.org/10.3390/rs13204158
Submission received: 23 August 2021 / Revised: 30 September 2021 / Accepted: 15 October 2021 / Published: 17 October 2021
(This article belongs to the Special Issue Target Detection and Information Extraction in Radar Images)

Abstract

:
Synthetic aperture radar (SAR) can perform observations at all times and has been widely used in the military field. Deep neural network (DNN)-based SAR target recognition models have achieved great success in recent years. Yet, the adversarial robustness of these models has received far less academic attention in the remote sensing community. In this article, we first present a comprehensive adversarial robustness evaluation framework for DNN-based SAR target recognition. Both data-oriented metrics and model-oriented metrics have been used to fully assess the recognition performance under adversarial scenarios. Adversarial training is currently one of the most successful methods to improve the adversarial robustness of DNN models. However, it requires class labels to generate adversarial attacks and suffers significant accuracy dropping on testing data. To address these problems, we introduced adversarial self-supervised learning into SAR target recognition for the first time and proposed a novel unsupervised adversarial contrastive learning-based defense method. Specifically, we utilize a contrastive learning framework to train a robust DNN with unlabeled data, which aims to maximize the similarity of representations between a random augmentation of a SAR image and its unsupervised adversarial example. Extensive experiments on two SAR image datasets demonstrate that defenses based on adversarial self-supervised learning can obtain comparable robust accuracy over state-of-the-art supervised adversarial learning methods.

1. Introduction

Synthetic aperture radar (SAR) actively emits microwaves and improves azimuth resolution through the principle of a synthetic aperture to obtain large-area high-resolution radar images [1]. SAR images have been widely used for automatic target detection and recognition in both civil and military applications. Due to their imaging mechanism, different terrains in SAR images exhibit several special phenomena such as overlap, shadows, and perspective shrinkage. Moreover, coherent speckle noises are apparent in SAR images. It is difficult to manually design effective features for SAR target recognition [2]. With the rapid development of deep learning technology, deep neural network (DNN) models have been widely used for SAR target recognition. Shao et al. [3] analyzed the performance of different DNNs on the MSTAR [4] dataset according to classification accuracy, training time, and some other metrics to verify the superiority of DNNs for SAR target recognition. Ding et al. [5] carried out angle synthesis of the training data for DNN-based recognition models. Ayzel et al. [6] proposed all convolutional neural networks (A-ConvNet), which do not contain a fully connected layer. Gu and Xu [7] proposed that a wider convolution kernel was more suitable for a SAR image with stronger speckles noise, taking the multi-scale feature extraction module as the bottom layer of the network.
Despite the great success that DNN models have obtained, they have proved to be very sensitive to adversarial examples: inputs that are specifically designed to cause the target model to produce erroneous outputs [8]. The vulnerability of DNN models to imperceptibly small perturbations raises security concerns from a number of safety-sensitive applications [9]. Szegedy et al. [8] first discovered that DNNs were very susceptible to adversarial examples using a box-constrained L-BFGS algorithm. Goodfellow et al. [10] noted that the linear nature of DNN is the primary cause for its vulnerability to adversarial perturbations. Based on this theory, they proposed a gradient-based approach to generate adversarial examples, named the fast gradient sign method (FGSM). Moosavi-Dezfooli et al. [11] proposed the DeepFool algorithm to simplify L-BFGS and fool deep models, and thus reliably quantified the robustness of models. Kurakin et al. [12] proposed to incorporate iterative methods to approximate the inner maximization problem. Moosavi-Dezfooli et al. [13] further found that the existence of universal adversarial examples by adding very small perturbation vectors to original images could cause error outputs for different DNNs with high probability. Although these adversarial examples may remain imperceptible to a human observer, they can easily fool the DNN models to yield the wrong predictions [9].
So far, there are only a handful of studies [14,15] that explore the threat of adversarial attacks on DNNs for SAR target recognition. Deep SAR target recognition models are more likely to suffer from the overfitting problem, resulting in a weaker generalization capability and greater sensitivity to perturbation [14]. Hence, their vulnerability to adversarial attacks might be even more serious. An example of adversarial attacks on DNN models for SAR target recognition is shown in Figure 1. It can be observed that, although the difference between the adversarial examples and the original ones is too small to be perceived by human vision, it can fool the DNN model. This phenomenon limits the practical deployment of DNN models in the safety-critical SAR target recognition field.
Adversarial defense methods can enhance adversarial robustness and further lead to robust SAR target recognition. Among them, adversarial training (AT) and AT-based defenses, which augment training data with adversarial examples perturbed to maximize the loss on the target model, remain a highly effective method for safeguarding DNNs from adversarial examples [9]. Such a strategy requires a large amount of labeled data as support. The labeling and sample efficiency challenges of deep learning, in fact, are further exacerbated by its vulnerability to adversarial attacks. The sample complexity of learning an adversarially robust model with current methods is significantly higher than that of standard learning [16]. Additionally, AT-based techniques have been observed to cause an undesirable decline in standard accuracy (the classification accuracy on unperturbed inputs) while increasing robust accuracy (the classification accuracy on worst-case perturbed inputs) [16,17,18].
Recent research [19] proposed the use of unlabeled data for training adversarially robust DNN models. Self-supervised learning holds great promise for improving representations with unlabeled data and has shown great potential to enhance adversarial robustness. Hendrycks et al. [17] proposed a multi-task learning framework that incorporated a self-supervised objective to be co-optimized with the conventional classification loss. Jiang et al. [18] improved robustness by learning representations that were consistent under both augmented data and adversarial examples. Chen et al. [16] generalized adversarial training to different self-supervised pretraining and fine-tuning schemes. Other studies [18,20,21] exploited contrastive learning to improve model robustness in unsupervised/semi-supervised settings and achieved advanced robustness.
Though a plethora of adversarial defense methods has been proposed, the corresponding evaluation is often inadequate. For example, by evaluating simple white-box attacks, most adversarial defenses pose a false sense of robustness by introducing gradient masking, which can be easily circumvented and defeated [22]. Therefore, rigorous and extensive evaluation of adversarial robustness is necessary for SAR target recognition.
To address the aforementioned issues, in this paper, we systematically analyzed the effect of adversarial attacks and defenses on DNNs and utilized adversarial self-supervised learning to enhance robustness for SAR target recognition. The main contributions of this article are summarized as follows:
(1)
We systematically evaluated adversarial attacks and defenses in SAR target recognition tasks using both data-oriented robustness metrics and model-oriented robustness metrics. These metrics provide detailed characteristics of DNN models under adversarial scenarios.
(2)
We introduced adversarial self-supervised learning into SAR target recognition tasks for the first time. The defenses based on adversarial self-supervised learning obtained comparable robustness to supervised adversarial learning approaches without using any class labels, while achieving significantly better standard accuracy.
(3)
We propose a novel defense method, unsupervised adversarial contrastive learning (UACL), which explicitly suppresses vulnerability in the representation space by maximizing the similarity of representations between clean data and corresponding unsupervised adversarial examples.
The rest of this paper is organized as follows. In Section 2, we describe the adversarial robustness of SAR target recognition. In Section 3, we review the defenses based on adversarial self-supervised learning and propose our method, UACL. In Section 4, we present the information on datasets used in this paper and the experimental results. Our conclusions and other discussions are summarized in Section 5.

2. Adversarial Robustness of SAR Target Recognition

2.1. Definition of Adversarial Robustness

A DNN model for SAR target recognition can be described as a function f ( x ) : X Y parameterized by θ W , which maps input x X to label y Y . Given data distribution D over pairs ( x , y ), the goal of the learning algorithm is to find θ that can minimize the expected risk, i.e.,
min θ E ( x , y ) D [ L ( x , y ; θ ) ]
where L ( x , y ; θ ) is the cross-entropy classification loss between the output of the DNN model and the true labels. In practice, we do not have access to the full data distribution D and only know a subset of training samples { ( x i , y i ) } i = 1 N D N . Thus, θ cannot be obtained by minimizing Equation (1), and it is usually obtained as the solution to the empirical risk minimization problem:
min θ 1 N i = 1 N L ( x i , y i ; θ )
The difference between the expected risk and the empirical risk attained by DNN model f θ is known as the generalization gap. Generally speaking, a DNN model achieves strong robustness when its generalization gap is small [23]. The amount and quality of training datasets are critical to training robust models.
A DNN model can extract image feature, and its entries of the output of the last layer z L R D L with D L = C are generally referred to as logits. To be more interpretable, logits are normally mapped to a set of probabilities p θ ( x ) [ 0 , 1 ] C using a soft maximum operator, i.e.,
[ p θ ( x ) ] k = exp ( [ z L ] k ) c = 1 C exp [ z L ] c
The predicted class is the index of the highest estimated probability.
f θ ( x ) = a r g m a x k { 1 , , C } [ p θ ( x ) ] k
A notable feature of most DNNs is that, in most cases, the decision boundary appears relatively far from any typical sample. For most DNNs used in SAR target recognition, one needs to add random noise with a very large variance, σ2, to fool a model. Intriguingly, the robustness to random noise contrasts with the extra vulnerability of DNNs to adversarial perturbations [8]. Surprisingly, we can always find adversarial examples for any input, which suggests that some directions for which the decision boundary is very close to the input sample always exist. Adding perturbation in such a direction can fool the model easily.
We can define adversarial perturbation as follows:
min δ R D Q ( δ )       s . t .   f θ ( x + δ ) f θ ( x ) , δ C
where Q ( δ ) represents a general objective function, C denotes the constraints of adversarial perturbations, and x + δ are generally referred to as adversarial examples. In all adversarial attacks, Q ( δ ) and C are mainly instantiated by two methods. One method represents the notion of the smallest adversarial perturbation required to cross the decision boundary of DNN models without regard to constraints ( C = ):
Q ( δ ) = δ p = ( k = 1 D ( [ δ ] k ) p ) 1 / p
The other method represents the worst-case perturbation, maximizing the loss of model in given radius ε around an input sample and the ε is limited such that the perturbation is imperceptible:
Q ( δ ) = L ( x + δ , y ; θ )
C = { δ R D : δ p ε }
The fact that we can craft adversarial examples easily exposes a crucial vulnerability of current state-of-the-art DNNs. To address this issue, it is important to define some target metric to quantify the adversarial robustness of DNNs. Corresponding to the above two strategies to craft adversarial perturbations, we can define the adversarial robustness ρ ( f θ ) of a DNN in two ways. One measures the adversarial robustness of a DNN as the average distance of samples to the decision boundary:
ρ p ( f θ ) = E ( x , y ) D [ δ p ( x ) p ]
Under this metric, adversarial robustness becomes purely a property of the DNN, and it is agnostic to the type of adversarial attack. Making a DNN more robust means that its boundary is pushed further away from the samples.
The other approach defines adversarial robustness as the worst-case accuracy of a DNN that is subject to an adversarial attack:
ρ p ε ( f θ ) = P ( x , y ) D ( f θ ( x + δ p ε ( x ) ) = y )
This quantity is relevant from a security perspective, as it highlights the vulnerability of DNNs to certain adversarial attacks. Constraints C reflect the attack strength of the adversary and combine the choice of metric such as Lp norm.
In fact, measuring the “true” adversarial robustness in terms of Equation (9) or Equation (10) directly is challenging. The average distance of samples to the decision boundary in Equation (9) takes too many computing resources to achieve. For most DNNs used in practice, a closed-form analysis of their properties is not possible with our current mathematical tools. In practice, we can simplify the calculation and estimate the approximate results in Equation (9). As for Equation (10), The current adversaries are not optimal in computing the adversarial perturbation. In practice, we usually substitute standard adversarial examples (projected gradient descent, PGD) for the optimal adversarial examples to measure adversarial robustness.

2.2. Adversarial Robustness Evaluation

There have been a number of works that rigorously evaluate the adversarial robustness of DNNs [14,24]. However, most of them focus on providing practical benchmarks for robustness evaluations, ignoring the significance of evaluation metrics. Simple evaluation metrics result in incomplete evaluation, which is far from satisfactory for measuring the intrinsic behavior of a DNN in an adversarial setting. Therefore, incomplete evaluation cannot provide comprehensive understandings of the strengths and limitations of defenses [25]. To mitigate this problem, we leverage a multi-view robustness evaluation framework to evaluate adversarial attacks and defenses. This evaluation can be roughly divided into two parts: model oriented and data oriented [25], as shown in Figure 2.

2.2.1. Model-Oriented Robustness Metrics

To evaluate the robustness of a model, the most intuitive approach is to measure its performance in an adversarial setting. By default, we use PGD as standard attack to generate adversarial examples with the perturbation magnitude ε under L norm.
Standard Accuracy (SA). Classification accuracy on clean data is one of the most important properties in an adversarial setting. A model achieving high accuracy against adversarial examples but low accuracy on clean data will not be employed in practice.
Robust Accuracy (RA). Classification accuracy on adversarial examples (L PGD by default) is the most important property for evaluating model robustness.
Average Confidence of Adversarial Class (ACAC). Confidence of adversarial examples on misclassification gives further indications of model robustness. ACAC can be defined follows:
A C A C ( f , D , A ε , p ) = 1 m i = 1 m P y a d v ( A ε , p ( x i ) )
where D = { X , Y } is the test set, A ε , p is the adversary, m is the number of adversarial examples that attack successfully, and P y a d v is the prediction confidence of the incorrect class.
Relative Confidence of Adversarial Class (RCAC). In addition to ACAC, we also use RCAC to further evaluate to what extent the attacks escape from the ground truth relatively:
R C A C ( f , D , A ε , p ) = 1 m i = 1 m ( P y a d v ( A ε , p ( x i ) ) / P y ( A ε , p ( x i ) ) )
where P y is the prediction confidence of the true class.
Noise Tolerance Estimation (NTE). Given the adversarial examples, NTE further calculates the gap between the probability of a misclassified class and the maximum probability of all other classes as follows:
N T E ( f , D , A ε , p ) = 1 m i = 1 m P y a d v ( A ε , p ( x i ) max P j ( A ε , p ( x i ) ) )
Empirical Boundary Distance (EBD). EBD calculates the minimum distance to the model decision boundary in a heuristic way. A larger EBD value means a stronger model in some way. Given a model, it first generates a set V of m random orthogonal directions [26]. Then, it estimates the root mean square (RMS) distances ϕ i ( V ) for each direction in V until the prediction changes. Among ϕ i ( V ) , di denotes the minimum distance moved to change the prediction. Then, the EBD is defined as follows:
E B D = 1 n i = 1 n d i ,   d i = min ϕ i ( V )
where n is the number of images.
Guided Backpropagation. Given a high-level feature map, the “deconvnet” inverts the data flow of a DNN, going from neuron activations in the given layer down to an image sample. Typically, a single neuron is left as non-zero in the high-level feature map. Then, the resulting reconstructed image shows the part of the input image that is most strongly activating this neuron and, hence, the part that is most discriminative to it [27].
Extremal perturbations [28]. Extremal perturbations perform an analysis of the effect of perturbing the network’s input on its output, which selectively deletes (or preserve) parts of the input sample and observe the effect of that change to the DNN’s output. Specifically, it would like to find a mask assigned to each pixel and use said mask to induce a local perturbation of the image. Then, it can find the fixed-size mask that maximizes the model’s output and further visualize the activation of model.

2.2.2. Data-Oriented Robustness Metrics

We use data-oriented metrics considering data imperceptibility, including average Lp perturbation (ALPp), average structural similarity (ASS), perturbation sensitivity distance (PSD), and neuron coverage, including top-K neuron coverage (TKNC) to measure robustness.
ALPp. To measure the computer visual perceptibility of adversarial examples, we use the average Lp perturbation (ALPp) as:
A L P p = 1 m i = 1 m x a d v i x i p
ASS. To evaluate the human visual imperceptibility of adversarial examples, we further use structural similarity (SSIM) as a similarity measurement:
S S I M ( x , y ) = ( 2 μ x μ y + c 1 ) ( 2 σ x y + c 2 ) ( μ x 2 + μ y 2 + c 1 ) ( σ x 2 + σ y 2 + c 2 )
where μx and μy are the mean value of x and y, σ x 2 and σ y 2 are the variance of x and y, and σ x y is the covariance of x and y. ASS can be defined as the average SSIM similarity between clean data and the corresponding adversarial example:
A S S = 1 m i = 1 m S S I M ( x a d v i , x i )
The higher the ASS, the more imperceptible the adversarial perturbation.
PSD. Based on the contrast masking theory, PSD is proposed to evaluate human perception of perturbations [29]:
P S D = 1 n i = 1 n j = 1 t δ j i S e n ( R ( x j i ) )
where t is the total number of pixels and δ j i represents the j-th pixel of the i-th image. R ( x j i ) is the square surrounding region of x j i , and S e n ( R ( x j i ) ) = 1 / s t d ( R ( x j i ) ) . Evidently, the smaller the PSD, the more imperceptible the adversarial perturbation.
TKDC. Given test input and neurons, the i-th layer uses topk (x,i) to denote the neurons that have the largest k (3 by default) outputs. TKNC measures how many neurons were once the most active k neurons on each layer. It is defined as the ratio of the total number of top-k neurons and the total number of neurons in a DNN:
T K N C ( D , k ) = | U x D ( U 1 i l t o p k ( x , i ) ) | N
The neurons from the same layer often play similar roles, and active neurons from different layers are important indicators to characterize the major functionality of a DNN. A high TKNC means the data can activate the model more fully.

3. Adversarial Self-Supervised Learning

3.1. Drawbacks of Adversarial Training

AT is currently one of the most promising ways to obtain the adversarial robustness of a DNN model by augmenting the training set with adversarial examples [10], as shown in Figure 3a. Specifically, AT minimizes the worst-case loss within some perturbation region for the models. Though we cannot find a worst-case perturbation, an implication of this claim is that, if a model is robust to PGD, it is also robust against any other adversary; as such, AT with PGD adversary (i.e., PGD AT) is generally thought to yield certain robustness guarantees. Setting the x X as a training sample, y Y as a corresponding label, and a DNN model as vϖ, where ϖ is the parameter of the model, AT first generates the adversarial examples. Then, AT uses adversarial examples x + δ to solve the following min–max optimization:
arg min E ( x , y ) C [ m a x L C E ( ϖ , x + δ , y ) ]
Such an AT strategy results in the following challenges. (a) Data dependency: There is a significant generalization gap in adversarial robustness between the training and testing datasets. It has been observed that such a gap gradually increases from the middle of training, i.e., robust overfitting, which makes practitioners consider heuristic approaches for a successful optimization [30]. However, robust overfitting is inevitably sensitive to data in the AT-based method. The sample complexity of learning a robust representation with AT-based methods is significantly higher than that of standard learning. Insufficient data will widen the gap and further lead to poor robustness. (b) Accuracy drop: Models trained with AT lose significant accuracy in terms of the original distribution, e.g., in our experiment, ResNet18 accuracy on the MSTAR test set dropped from 97.65% to 86.23%, without any adversarial attacks.

3.2. Adversarial Self-Supervised Learning Defenses

The latest studies have introduced adversarial learning into self-supervision. These defenses utilize a contrastive learning framework to pretrain an adversarially robust DNN with unlabeled data. Conventional contrastive learning aims to reduce the distance between representations of different augmented views of the same image (positive pairs) and increase the distance between representations of augmented views from different images (negative pairs) [31]. This fits particularly well with AT, as one cause of adversarial fragility could be attributed to the non-smooth feature space near samples, i.e., small perturbations can result in large feature variations and even label change. Adversarial contrastive pretraining defenses such as adversarial contrastive learning (ACL) [18] and robust contrastive learning (RoCL) [20], which both augment positive samples with adversarial examples, have led to state-of-the-art robustness.
RoCL proposed a framework to train an adversarially robust DNN, as shown in Figure 3b, which aimed to maximize the similarity between a random augmentation of a data sample and its instance-wise adversarial example, and to minimize the similarity between a data sample and another sample:
L ( x , { x p o s } , { x n e g } ) = l o g { z p o s } exp ( s i m ( z , { z p o s } ) / τ ) { z p o s } exp ( s i m ( z , { z p o s } ) / τ ) + { z p o s } exp ( s i m ( z , { z n e g } ) / τ )
where z , { z p o s } , z n e g are corresponding latent feature vectors of image data. Specifically, RoCL first generates instance-wise adversarial examples as follows:
t ( x ) i + 1 = Π B ( t ( x ) , ε ) ( t ( x ) i + α s i g n ( t ( x ) i L ( t ( x ) i , { t ( x ) } , { t ( x ) n e g } ) )
where t ( x ) and t ( x ) are transformed images with stochastic data augmentations, and t ( x ) n e g are examples of other samples. Then, we used the instance-wise adversarial examples as additional elements in the positive set and formulated the objective as follows:
L t o t a l = L ( t ( x ) , { t ( x ) , t ( x ) a d v } , { t ( x ) n e g } ) + L ( t ( x ) a d v , { t ( x ) } , { t ( x ) n e g } )
After optimization, we can obtain an adversarially robust pretrained DNN.
ACL contains all kinds of workflows to leverage a contrastive framework to learn robust representations, including ACL(A2A), ACL(A2S), and ACL(DS). Among these, ACL(DS) achieves advanced performance, and its workflow is as shown in Figure 3c. Specifically, for each input, ACL(DS) augments into it twice (creating four augmented views): t ( x ) , t ( x ) by standard augmentations, and instance-wise adversarial examples t ( x ) a d v , t ( x ) a d v . The final unsupervised loss consists of a contrastive loss term on the former pair (through two standard branches) and another contrastive loss term on the latter pair (through two adversarial branches); the two terms are, by default, equally weighted:
L t o t a l = L ( t ( x ) , { t ( x ) } , { t ( x ) n e g } ) + L ( t ( x ) a d v , { t ( x ) a d v } , { t ( x ) n e g } )

3.3. Unsupervised Adversarial Contrastive Learning

Unsupervised adversarial contrastive learning (UACL) aims to pretrain a robust DNN that can be used in target recognition tasks by adversarial self-supervised learning. As shown in Figure 4, the framework of UACL consists of a target network, f, with parameter ξ and an online network, q, with parameter θ. The online network consists of three parts: an encoder, a projector, and a predictor, while the target network does not have a predictor. Specifically, the encoder is a DNN (ResNet-18 excluding the fully connected (FC) layer by default) that can represent SAR image effectively. The projector and predictor are multi-layer perceptron (MLP) made up of a linear layer, followed by batch normalization (BN), rectified linear units (ReLU), and a final linear layer that outputs a 256-dimensional feature vector. The data argumentation contains random cropping, random color distortion, random flip, and Gaussian blur.
During training, UACL leverages the unlabeled data to train the Siamese networks, whose core represents the adversarial example close to that of the clean data.
First, UACL crafts unsupervised adversarial examples as positive samples. Specifically, given an unlabeled SAR image input x, UACL adds perturbation δ to it to alter its representation as much as possible by maximizing the contrastive similarity loss between the positive samples as follows:
L f ( t ( x ) ) ¯ q ( x i ) ¯ 2 2 = f ( t ( x ) ) , q ( x i ) f ( t ( x ) ) 2 2 q ( x i ) 2 2
x i + 1 = Π B ( x , ε ) ( x i + α   s i g n ( x i   L ( θ , ξ , x i , t ( x ) ) ) )
Second, the UACL utilizes unsupervised adversarial examples x + δ to optimize the parameters of the Siamese network via contrastive learning. The adversarial contrastive learning objective is given as the following min–max formulation:
arg min θ E x C [ m a x L ( θ , ξ , x i , t ( x ) ) ]
where C represents data distribution and t represents data augmentation. It should be noted that the input of the online network is not augmented. The augmentation of clean data can increase diversity to ensure robustness, but it is not suitable for adversarial examples. Data augmentation before an unsupervised adversarial attack may reduce the effect of the enhanced robustness.
In every training step, UACL minimizes loss L θ , ξ by optimizing weight θ but without ξ (i.e., stop-gradient), as shown in Figure 4. Weight ξ is updated later with θ by EMA. The dynamics of UACL can be summarized as follows:
θ o p t i m i z e r ( θ , θ L θ , ξ , η )
ξ τ ξ + ( 1 τ ) θ
where η is the learning rate and τ is the target decay rate. Algorithm 1 summarizes the progress of UACL.
Algorithm 1 summarizes the progress of UACL.
Input: Dataset C, weight of online network θ, and target network ξ,
for all number of training iteration do
  for all minibatch B = {x1, x2, …, xn} do
    Generate unsupervised adversarial examples from clean data
     x i + 1 = П x , ε ( x i + α s i g n ( x i L ( θ , t ( x ) , x i ) ) )
       L = 1 n k = 1 n f ( t ( x k ) ) , q ( x k i ) f ( t ( x k ) ) 2 · q ( x k i ) 2
Optimize the weight θ over L
          θ optimizer ( θ , θ L , η )
Update the weight ξ
           ξ τ ξ + ( 1 τ ) θ
  end for
end for
Through the above pretraining, we can obtain a robust encoder, gφ, without using any labeled data. However, since the encoder is trained for identity-wise classification, it cannot be directly used for class-wise SAR target recognition. Thus, we need to fine-tune the robust encoder finally to obtain a CNN model vϖ (i.e., ResNet18) as follows:
arg min ϖ   E ( x , y ) C L C E ( ϖ , x , y )
where all the parameters of the model are optimized according to LCE.
UACL can also be combined with supervised defenses, such as tradeoff-inspired adversarial defense via surrogate-loss minimization (TRADES) [32] and adversarial training fast is better than free (ATFBF) [33], to achieve composite defenses. Specifically, we first fine-tune the pretrained model from UACL to obtain a classifier and then use the AT-based defense to enhance the robustness of the above classifier once again.

4. Experimental Results

In this section, we used nine attack algorithms to attack nine DNNs trained on MSTAR [4] and FUSAR-Ship [34] datasets, and further used six defense methods to enhance adversarial robustness. Specifically, the adversarial attacks include gradient-based white-box attack: FGSM, PGD, and Auto-PGD (APGD) [35]; boundary-based white-box attacks: DeepFool and Carlini and Wagner Attacks (CW); score-based black-box attacks: Square-Attack and Sparse Random Search (Sparse-RS); decision-based black-box attacks: HopSkipJump Attack. The defenses include AT, TRADES [32], ATFBF [33], RoCL, ACL, UACL, and composite defenses (UACL+TRADES and UACL+ATFBF). The DNN models include ResNet18, ResNet50, ResNet101 [36], DenseNet121, DenseNet201 [37], MobileNet [38], ShuffleNet [39], A-ConvNet, and A-ConvNet-M [40]. At the end, the experimental results are analyzed comprehensively.

4.1. Data Descriptions

(1) MSTAR [4] Dataset: MSTAR was produced by the US Defense Advanced Research Projects Agency using high-resolution spotlight SAR to collect SAR images of various Soviet military vehicles. The collection conditions for the MSTAR images are divided into two types: standard operating condition (SOC) and extended operating condition (EOC). In this article, we use SAR images collected by SOC, whose details are as shown in Table 1. The dataset includes ten target classes with different sizes. To simplify recognition, we resized the images to 128 × 128. The training dataset was collected at a 17° imaging side view, and the test dataset was collected at a 15° imaging side view [14]. Figure 5 shows example images for each of the classes in MSTAR.
(2) FUSAR-Ship Dataset: FUSAR-Ship is the high-resolution AIS dataset obtained by a GF-3 satellite, which is used for ship detection and recognition. The root node is the maritime target, which can be divided into two branches: ship and non-ship. The ship node includes almost all types of ships. In this paper, we selected four kinds of sub-class targets for the experiment. Specifically, the experimental data contain BulkCarrier, CargoShip, Fishing, and Tank, which were divided into the training set and the test set according to the ratio of 0.8 to 0.2. The details of this dataset are as shown in Table 2. To simplify recognition, we resized the images to 512 × 512. Figure 6 shows example images for each of the classes in FUSAR-Ship.

4.2. Experimental Design and Settings

The experiments were conducted in three parts. In the first part, we evaluated nine common DNN models for SAR target recognition against both standard attack (PGD) with different Lp norm limit and some other attacks. In the second part, we evaluated the defense methods against adversarial attacks. Finally, the third part visualized how adversarial attacks and defenses changed the activation of the DNN model.
We implement the experiments with the Pytorchplatform. All DNN models were initialized with random parameters. We used the optimizer Adam to train the networks with a learning rate of 1 × 10−3 and a batch size of 16 in all supervised learning for 100 epochs and a learning rate of 3 × 10−4 and a batch size of 8 for 200 epochs in all unsupervised learning. By default, we chose ResNet18 as the backbone in all defense experiments. As for UACL, we chose τ = 0.99 as the target decay rate. The experiments were carried out with a computer that ran a Windows 7 system on a 3.60 GHz Intel(R) i9-9900KF 64-bit CPU with 32 GB of RAM and one NVIDIA GeForce RTX 2080 Ti GPU with 11 GB. Moreover, it should be noted that all experimental adversarial examples were crafted to attack the standard classifier in view of unified measurements and the wide use of a standard model.

4.3. Evaluation on Adversarial Attacks

In this section, we evaluate the robustness of different DNN models in adversarial settings. The quantitative classification results of standard attack are presented in Table 3 and Table 4. It can be observed that DNNs can yield good performance on the classification of original clean data in both datasets, especially MSTAR, which contains adequate data. All DNN models of MSTAR performed poorly against L attacks, whose robust accuracy dropped by more than 90%, while those of FUSAR-Ship all dropped to less than 30%. As for L 2 and L 1 attacks, most MSTAR DNN models still maintained high accuracy, except for lightweight networks (ShuffleNet and MobileNet). However, in the classification of the L 2 and L 1 FUSAR-Ship adversarial examples, the performance of DNN models differs greatly. Even though their structures are similar, DenseNet121 and DenseNet201 show completely different performances. Matching a SAR image dataset with a suitable DNN can lead to higher robustness.
The classification results of different adversarial attacks are presented in Table 5 and Table 6. It can be seen that all kinds of adversarial attack, especially the gradient-based and boundary-based attacks, can effectively reduce the classification accuracy to a very low level. Sparseness-based attacks (Sparse-RS, SparseFool), which are easy to implement in SAR target recognition, also lead to low robust accuracy. PGD and APGD behave well in attacking all kind of models in the classification of both MSTAR and FUSAR-Ship datasets. The defense of PGD and APGD should be a priority in evaluation. Additionally, models with a high standard of accuracy are not necessarily more robust. For example, A-ConvNet performs well in classifying clean data but shows poor robustness against most kinds of adversarial attacks. Lightweight networks show strong robustness when facing boundary-based attacks (DeepFool and CW) and poor robustness against other attacks. Residual networks such as ResNet18, ResNet101, and DenseNet201 behave well in the classification of black-box adversarial examples. A-ConvNet and A-ConvNet m are more robust against sparseness-based attacks.
The comprehensive evaluation results are presented in Table 7 and Table 8. According to the results of RCAC, ACAC, and NTE, the model had a high confidence in the misclassification of white-box adversarial examples; this is difficult to correct. The EBD of the model depends on the data type and model structure. The EBD of MSTAR classification models is almost the same, but the EBD of the FUSAR-Ship dataset is different. On the whole, the model with a small EBD is less robust, such as ResNet18, ResNet50, and A-ConvNet. However, this does not equate to AA; for example, DenseNet121 has a small EBD and a comparatively high AA. We can see the importance of data distribution for AA. The PGD adversarial examples under the L limit also obtained similar results in L 0 ALPp evaluation. However, in L 2 ALPp evaluation, it showed a great difference, and this will affect the attack’s effect to some extent. The perceptive evaluation of human vision is related to that of computer vision, but it also shows some differences. For example, PGD adversarial examples of the ShuffleNet model in the MSTAR dataset have lower computer vision similarity and higher human vision similarity compared to the A-ConvNet m model. TKNC is generally small and the smallest one is only 0.02, showing that DNN can hardly keep the whole network active to classify adversarial examples.

4.4. Evaluation of Adversarial Defenses

In this section, we evaluate the models with defense methods, including AT, TRADES, ATFBF, RoCL, ACL, and UACL, as well as those with composite defenses and no-defense but with a pretraining method, including SimCLR and BYOL. Furthermore, we evaluate models trained with fewer data to simulate a situation in which there are insufficient data.
The classification results of adversarial defenses against standard attack are presented in Table 9 and Table 10. Models with defense are significantly more robust than no-defense models. AT-based defenses obtain stable adversarial accuracy, especially in the face of perturbations with significant power. Their robust accuracy decreases very little, but this is at the expense of standard accuracy. Adversarial contrastive pretraining defenses can improve robustness and hardly reduce standard accuracy. This low-cost method for enhancing model robustness has potential in SAR target recognition tasks. Compared with a standard model, UACL increases robustness accuracy by 78.90% at the cost of only a 2.56% decline in standard accuracy. Compared with AT-based defense methods, UACL behaves better in the classification of clean data and L 2 , L 1 adversarial examples, yielding similar robust accuracy in the classification of L adversarial examples. Combining UACL with ATFBF can result in the most advanced performance in the classification of both clean data and adversarial examples. Additionally, the results of SimCLR and BYOL are also notable. They can increase the accuracy of clean data and L 2 , L 1 adversarial examples, demonstrating the potential of utilizing unlabeled data to enhance adversarial robustness.
The comprehensive evaluation results of adversarial defenses against different adversarial attacks are presented in Table 11 and Table 12. It can be seen that the robustness of the models is transferable. A model that is robust to PGD has a high probability of being robust against other attacks. AT-based defenses behave well in defending gradient-based attacks, while adversarial contrastive pretraining defenses perform better in defending boundary-based attacks. As for sparseness-based attacks and black-box attacks, the above two defenses have a similar performance. Compared with TRADES, UACL yields notable improvements in standard accuracy by 4.24% and robust accuracy (PGD) by 0.05%; this makes UACL more appealing over baselines in SAR target recognition. Moreover, it is noteworthy that combining UACL with ATFBF or TRADES leads to the best robustness against almost all kinds of attack. Composite defense has a unique advantage in enhancing robustness.
The comprehensive evaluation results of MSTAR and FURASR-Ship classification against different adversarial attacks are presented in Table 13 and Table 14. According to ACAC, RCAC, and NTE, the defense methods not only improve the adversarial accuracy of the model but also reduce the confidence of the error class in adversarial classification. Compared with TKNC, we can see that adversarial contrastive pretraining defenses can enhance the overall activation of the model more than AT-based defenses. An active model often means a higher robustness.
To further research the relation between attack strength and robust accuracy, we utilized a standard adversarial attack ( L PGD) with different attack strengths to attack the DNN models. As shown in Figure 7 and Figure 8, adversarial contrastive pretraining defenses, especially UACL, behave better than AT-based defense methods against attacks with low strength. AT-based defense methods can maintain steady robust accuracy as attack strength increases. UACL combined with AT-based defense can lead to stable and excellent robust accuracy in all attack strengths.
Given the lack of labeled SAR image data, we attempted to enhance robustness with a single defense method with only 10% of labeled data and attack the model with PGD, as shown in Table 15. Defense, especially AT-based defenses, will reduce standard accuracy sharply when labeled data are inadequate and adversarial contrastive pretraining defense is significantly better. Adversarial contrastive pretraining defense also performs better in the classification of adversarial examples compared to all AT-based defense methods. Therefore, it should be given priority in the absence of sufficient data. As such, what are the advantages of UACL compared with other adversarial contrastive pretraining defenses such as RoCL and ACL? UACL is faster. The time taken by RoCL, ACL, and UACL to pretrain the model with all data for 200 epochs in our experimental setting is shown in Table 16. We can see that UACL is much faster than RoCL and ACL, as it benefits from the abandonment of negative pairs.

4.5. Visualization of DNNs

To further understand how defenses improve robust representations, we used guided backpropagation [27] and extremal perturbations [28] to visualize the model and obtain the activation maps of clean images and their PGD adversarial examples.
Guided backpropagation images show which part of the image drives the model to make its final prediction. Guided backpropagation images of MSATR and FUSAR-Ship in standard and adversarial settings are shown in Figure 9, Figure 10, Figure 11 and Figure 12. It can be seen that adversarial examples can effectively destroy the activation of the standard model and make the standard model pay attention to the whole region. The activation region of the standard model is larger both in the face of the clean data and in the adversarial examples. The model with defense will pay more attention to the core region of the image, which improves the adversarial robustness of the model. For a model with AT-based defense (AT), a model with adversarial contrastive pretraining (UACL), and a model with composite defenses (UACL+ATFBF), the active area reduces, in turn showing that the latter has a deeper understanding of the realistic significance of the SAR target.
Extremal perturbations show which part of the image the DNNs pay more attention to. Extremal perturbation images are shown in Figure 13, Figure 14, Figure 15 and Figure 16. It can be seen that the adversarial examples can shift the focus area of the standard model, but not completely change it. Models with adversarial contrastive pretraining can better target the focus area in the face of both the clean data and the adversarial examples, reflecting the advantages and potential of adversarial contrastive pretraining defenses.

5. Conclusions

Robustness is important for SAR target recognition tasks. Although DNNs have achieved great success in SAR target recognition tasks, previous studies have shown that DNN models can be easily fooled by adversarial examples. In this paper, we first systematically evaluated the threat of adversarial examples to DNN-based SAR target recognition models. To alleviate the vulnerability of models to adversarial examples, we then introduced adversarial contrastive pretraining defense into SAR target recognition and proposed a novel unsupervised adversarial contrastive learning defense method. Our experimental results demonstrate that adversarial contrastive pretraining defenses behave well in the classification of both clean data and adversarial examples compared with AT-based defenses, and have great potential to be used in practical applications. Potential future work should include an investigation of the influence of adversarial attacks and defenses on other SAR image datasets and the incorporation of more diverse adversarial self-supervised learning methods.

Author Contributions

Conceptualization, Y.X. and H.S.; methodology, Y.X.; software, Y.X.; validation, H.S., J.C. and L.L.; formal analysis, H.S. and J.C.; investigation, K.J.; resources, L.L. and G.K.; data curation, Y.X.; writing—original draft preparation, Y.X.; writing—review and editing, Y.X. and H.S.; visualization, Y.X.; supervision, H.S.; project administration, G.K.; funding acquisition, H.S. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by the National Natural Science Foundation of China under Grant 61971426.

Data Availability Statement

The data presented in this study are available in article. Our codes have been released at: https://github.com/Xu-Yj/Unsupervised-Adversarial-Contrastive-Learning-UACL.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Tait, P. Introduction to Radar Target Recognition; IET: London, UK, 2005; Volume 18. [Google Scholar]
  2. Xiang, D.; Tang, T.; Ban, Y.; Su, Y. Man-made target detection from polarimetric sar data via nonstationarity and asymmetry. IEEE J. Sel. Top. Appl. Earth Obs. Remote Sens. 2016, 9, 1459–1469. [Google Scholar] [CrossRef]
  3. Shao, J.; Qu, C.; Li, J. A performance analysis of convolutional neural network models in sar target recognition. In Proceedings of the 2017 SAR in Big Data Era: Models, Methods and Applications (BIGSARDATA), Beijing, China, 13–14 November 2017; pp. 1–6. [Google Scholar]
  4. Keydel, E.R.; Lee, S.W.; Moore, J.T. Mstar extended operating conditions: A tutorial. In Proceedings of the Algorithms for Synthetic Aperture Radar Imagery III, Orlando, FL, USA, 10 June 1996; pp. 228–242. [Google Scholar]
  5. Ding, J.; Chen, B.; Liu, H.; Huang, M. Convolutional neural network with data augmentation for sar target recognition. IEEE Geosci. Remote Sens. Lett. 2016, 13, 364–368. [Google Scholar] [CrossRef]
  6. Ayzel, G.; Heistermann, M.; Sorokin, A.; Nikitin, O.; Lukyanova, O. All convolutional neural networks for radar-based precipitation nowcasting. Procedia Comput. Sci. 2019, 150, 186–192. [Google Scholar] [CrossRef]
  7. Gu, Y.; Xu, Y. Architecture design of deep convolutional neural network for sar target recognition. J. Image Graph. 2018, 23, 928–936. [Google Scholar]
  8. Szegedy, C.; Zaremba, W.; Sutskever, I.; Bruna, J.; Erhan, D.; Goodfellow, I.; Fergus, R. Intriguing properties of neural networks. arXiv 2013, arXiv:1312.619. [Google Scholar]
  9. Xu, Y.; Du, B.; Zhang, L. Assessing the threat of adversarial examples on deep neural networks for remote sensing scene classification: Attacks and defenses. IEEE Trans. Geosci. Remote Sens. 2021, 59, 1604–1617. [Google Scholar] [CrossRef]
  10. Goodfellow, I.J.; Shlens, J.; Szegedy, C. Explaining and harnessing adversarial examples. arXiv 2014, arXiv:1412.6572. [Google Scholar]
  11. Moosavi-Dezfooli, S.M.; Fawzi, A.; Frossard, P. Deepfool: A simple and accurate method to fool deep neural networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, NV, USA, 27–30 June 2016; pp. 2574–2582. [Google Scholar]
  12. Kurakin, A.; Goodfellow, I.; Bengio, S. Adversarial machine learning at scale. In Proceedings of the 5th International Conference on Learning Representations, ICLR - Conference T rack Proceedings, Toulon, France, 24–26 April 2017. [Google Scholar]
  13. Moosavi-Dezfooli, S.M.; Fawzi, A.; Fawzi, O.; Frossard, P. Universal adversarial perturbations. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Honolulu, HI, USA, 21–26 July 2017; pp. 1765–1773. [Google Scholar]
  14. Li, H.; Huang, H.; Chen, L.; Peng, J.; Huang, H.; Cui, Z.; Mei, X.; Wu, G. Adversarial examples for cnn-based sar image classification: An experience study. IEEE J. Sel. Top. Appl. Earth Obs. Remote Sens. 2020, 14, 1333–1347. [Google Scholar] [CrossRef]
  15. Guo, Y.; Du, L.; Wei, D.; Li, C. Robust sar automatic target recognition via adversarial learning. IEEE J. Sel. Top. Appl. Earth Obs. Remote Sens. 2020, 14, 716–729. [Google Scholar] [CrossRef]
  16. Chen, T.; Liu, S.; Chang, S.; Cheng, Y.; Amini, L.; Wang, Z. Adversarial robustness: From self-supervised pre-training to fine-tuning. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, UT, USA, 18 June 2018; pp. 699–708. [Google Scholar]
  17. Hendrycks, D.; Mazeika, M.; Kadavath, S.; Song, D. Using self-supervised learning can improve model robustness and uncertainty. arXiv 2019, arXiv:1906.12340. [Google Scholar]
  18. Jiang, Z.; Chen, T.; Chen, T.; Wang, Z. Robust pre-training by adversarial contrastive learning. arXiv 2020, arXiv:2010.13337. [Google Scholar]
  19. Alayrac, J.-B.; Uesato, J.; Huang, P.-S.; Fawzi, A.; Stanforth, R.; Kohli, P. Are labels required for improving adversarial robustness? In Proceedings of the Neural Information Processing Systems, Salt Lake City, UT, USA, 18 June 2018; pp. 12192–12202. [Google Scholar]
  20. Kim, M.; Tack, J.; Hwang, S.J. Adversarial self-supervised contrastive learning. arXiv 2020, arXiv:2006.07589. [Google Scholar]
  21. Bui, A.; Le, T.; Zhao, H.; Montague, P.; Camtepe, S.; Phung, D. Understanding and achieving efficient robustness with adversarial contrastive learning. arXiv 2021, arXiv:2101.10027. [Google Scholar]
  22. Athalye, A.; Carlini, N.; Wagner, D. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. arXiv 2018, arXiv:1802.00420. [Google Scholar]
  23. Ortiz-Jiménez, G.; Modas, A.; Moosavi-Dezfooli, S.-M.; Frossard, P. Optimism in the face of adversity: Understanding and improving deep learning through adversarial robustness. arXiv 2020, arXiv:2010.09624. [Google Scholar]
  24. Czaja, W.; Fendley, N.; Pekala, M.; Ratto, C.; Wang, I.-J. Adversarial examples in remote sensing. In Proceedings of the 26th ACM SIGSPATIAL International Conference on Advances in Geographic Information Systems, Seattle, WA, USA, 6–9 November 2018; pp. 408–411. [Google Scholar]
  25. Liu, A.; Liu, X.; Guo, J.; Wang, J.; Ma, Y.; Zhao, Z.; Gao, X.; Xiao, G. A comprehensive evaluation framework for deep model robustness. arXiv 2021, arXiv:2101.09617. [Google Scholar]
  26. He, W.; Li, B.; Song, D. Decision boundary analysis of adversarial examples. In Proceedings of the International Conference on Learning Representations, Vancouver, BC, Canada, 30 April–3 May 2018. [Google Scholar]
  27. Springenberg, J.T.; Dosovitskiy, A.; Brox, T.; Riedmiller, M. Striving for simplicity: The all convolutional net. arXiv 2014, arXiv:1412.6806. [Google Scholar]
  28. Fong, R.; Patrick, M.; Vedaldi, A. Understanding deep networks via extremal perturbations and smooth masks. In Proceedings of the IEEE/CVF International Conference on Computer Vision, Seoul, Korea, 27 Octember–2 November 2019; pp. 2950–2958. [Google Scholar]
  29. Liu, A.; Lin, W.; Paul, M.; Deng, C.; Zhang, F. Just noticeable difference for images with decomposition model for separating edge and textured regions. IEEE Trans. Circuits. Syst. Video Technol. 2010, 20, 1648–1652. [Google Scholar] [CrossRef]
  30. Tack, J.; Yu, S.; Jeong, J.; Kim, M.; Hwang, S.J.; Shin, J. Consistency regularization for adversarial robustness. arXiv 2021, arXiv:2103.04623. [Google Scholar]
  31. Chen, T.; Kornblith, S.; Norouzi, M.; Hinton, G. A simple framework for contrastive learning of visual representations. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Seattle, WA, USA, 13–19 June 2020; 2020; pp. 2574–2582. [Google Scholar]
  32. Zhang, H.; Yu, Y.; Jiao, J.; Xing, E.; El Ghaoui, L.; Jordan, M. Theoretically principled trade-off between robustness and accuracy. In Proceedings of the International Conference on Machine Learning, Long Beach, CA, USA, 10–15 July 2019; pp. 7472–7482. [Google Scholar]
  33. Wong, E.; Rice, L.; Kolter, J.Z. Fast is better than free: Revisiting adversarial training. arXiv 2020, arXiv:2001.03994 2020. [Google Scholar]
  34. Hou, X.; Ao, W.; Song, Q.; Lai, J.; Wang, H.; Xu, F. Fusar-ship: Building a high-resolution sar-ais matchup dataset of gaofen-3 for ship detection and recognition. Sci. China Inf. Sci. 2020, 63, 140303. [Google Scholar] [CrossRef] [Green Version]
  35. Croce, F.; Hein, M. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In Proceedings of the International Conference on Machine Learning, Las Vegas, NV, USA, November 2020; pp. 2206–2216. [Google Scholar]
  36. He, K.; Zhang, X.; Ren, S.; Sun, J. Deep Residual Learning for Image Recognition. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, NV, USA, 27–30 June 2016; pp. 770–778. [Google Scholar]
  37. Huang, G.; Liu, Z.; Van Der Maaten, L.; Weinberger, K.Q. Densely connected convolutional networks. In Proceedings of the 30th IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Honolulu, HI, USA, 21–26 July 2017; pp. 4700–4708. [Google Scholar]
  38. Howard, A.; Zhmoginov, A.; Chen, L.-C.; Sandler, M.; Zhu, M. Inverted residuals and linear bottlenecks: Mobile networks for classification, detection and segmentation. arXiv 2018, arXiv:1801.04381. [Google Scholar]
  39. Ma, N.; Zhang, X.; Zheng, H.-T.; Sun, J. Shufflenet v2: Practical guidelines for efficient cnn architecture design. arXiv 2018, arXiv:1807.11164. [Google Scholar]
  40. Feng, S.; Ji, K.; Ma, X.; Zhang, L.; Kuang, G. Target region segmentation in sar vehicle chip image with acm net. IEEE Geosci. Remote Sens. Lett. 2021, 1–5. [Google Scholar] [CrossRef]
Figure 1. Illustration of adversarial attacks on DNN models for SAR target recognition. The perturbations are amplified ten times for ease of observation.
Figure 1. Illustration of adversarial attacks on DNN models for SAR target recognition. The perturbations are amplified ten times for ease of observation.
Remotesensing 13 04158 g001
Figure 2. With 11 evaluation methods in total, our comprehensive robustness evaluation framework focuses on data and model, which are the key factors in an adversarial setting.
Figure 2. With 11 evaluation methods in total, our comprehensive robustness evaluation framework focuses on data and model, which are the key factors in an adversarial setting.
Remotesensing 13 04158 g002
Figure 3. Illustration of workflow comparison: (a) AT; (b) RoCL; (c) ACL(DS). Note that RoCL and ACL(DS) share all weights; however, adversarial and standard encoders use independent BN parameters.
Figure 3. Illustration of workflow comparison: (a) AT; (b) RoCL; (c) ACL(DS). Note that RoCL and ACL(DS) share all weights; however, adversarial and standard encoders use independent BN parameters.
Remotesensing 13 04158 g003
Figure 4. Illustration of UACL’s architecture. We minimize the similarity loss between the features of augmented data and the corresponding unsupervised adversarial examples to optimize the Siamese network. EMA means exponential moving average. At the end of training, everything but the robust encoder, i.e., the ResNet18, is discarded.
Figure 4. Illustration of UACL’s architecture. We minimize the similarity loss between the features of augmented data and the corresponding unsupervised adversarial examples to optimize the Siamese network. EMA means exponential moving average. At the end of training, everything but the robust encoder, i.e., the ResNet18, is discarded.
Remotesensing 13 04158 g004
Figure 5. Example images from the MSTAR dataset.
Figure 5. Example images from the MSTAR dataset.
Remotesensing 13 04158 g005
Figure 6. Example images from the FUSAR-Ship dataset.
Figure 6. Example images from the FUSAR-Ship dataset.
Remotesensing 13 04158 g006
Figure 7. Robust accuracy of MSTAR models trained with adversarial defense methods against adversarial attacks ( L PGD) with different strengths (/255).
Figure 7. Robust accuracy of MSTAR models trained with adversarial defense methods against adversarial attacks ( L PGD) with different strengths (/255).
Remotesensing 13 04158 g007
Figure 8. Robust accuracy of FUSAR-Ship models trained with adversarial defense methods against adversarial attacks ( L PGD) with different strengths (/255).
Figure 8. Robust accuracy of FUSAR-Ship models trained with adversarial defense methods against adversarial attacks ( L PGD) with different strengths (/255).
Remotesensing 13 04158 g008
Figure 9. Guided backpropagation images of MSTAR model in the classification of clean data.
Figure 9. Guided backpropagation images of MSTAR model in the classification of clean data.
Remotesensing 13 04158 g009
Figure 10. Guided backpropagation images of MSTAR model in the classification of adversarial examples.
Figure 10. Guided backpropagation images of MSTAR model in the classification of adversarial examples.
Remotesensing 13 04158 g010
Figure 11. Guided backpropagation images of FUSAR-Ship model in the classification of clean data.
Figure 11. Guided backpropagation images of FUSAR-Ship model in the classification of clean data.
Remotesensing 13 04158 g011
Figure 12. Guided backpropagation images of FUSAR-Ship model in the classification of adversarial examples.
Figure 12. Guided backpropagation images of FUSAR-Ship model in the classification of adversarial examples.
Remotesensing 13 04158 g012
Figure 13. Extremal perturbations images of MSTAR model in the classification of clean data.
Figure 13. Extremal perturbations images of MSTAR model in the classification of clean data.
Remotesensing 13 04158 g013
Figure 14. Extremal perturbations images of MSTAR model in the classification of adversarial examples.
Figure 14. Extremal perturbations images of MSTAR model in the classification of adversarial examples.
Remotesensing 13 04158 g014
Figure 15. Extremal perturbations images of FUSAR-Ship model in the classification of clean data.
Figure 15. Extremal perturbations images of FUSAR-Ship model in the classification of clean data.
Remotesensing 13 04158 g015
Figure 16. Extremal perturbations images of FUSAR-Ship model in the classification of adversarial examples.
Figure 16. Extremal perturbations images of FUSAR-Ship model in the classification of adversarial examples.
Remotesensing 13 04158 g016
Table 1. Details of MSTAR, including target class and data number.
Table 1. Details of MSTAR, including target class and data number.
Target ClassTraining NumberTesting Number
2S1299274
BMP2233296
BRDM2298274
BTR60256195
BTR70233196
D7299274
T62299273
T72232196
ZIL131299274
ZSU234299274
Table 2. Details of FURSAR-Ship, including target class and data number.
Table 2. Details of FURSAR-Ship, including target class and data number.
Target ClassTraining NumberTesting Number
BulkCarrier9725
CargoShip12632
Fishing7519
Tanker3610
Table 3. Classification accuracy of MSTAR models against standard adversarial attack (PGD). The adversarial examples can be divided into L norm, L 2 norm, and L 1 norm limited attacks.
Table 3. Classification accuracy of MSTAR models against standard adversarial attack (PGD). The adversarial examples can be divided into L norm, L 2 norm, and L 1 norm limited attacks.
Clean DataAdversarial Examples
L L 2 L 1
8/25516/2550.250.57.8412
ResNet1897.65 ± 0.282.02 ± 0.081.86 ± 0.0462.60 ± 0.8517.53 ± 0.4786.23 ± 1.3376.87 ± 1.47
ResNet5097.86 ± 0.121.73 ± 0.071.65 ± 0.0756.41 ± 0.8719.51 ± 0.6875.18 ± 1.5859.01 ± 1.21
ResNet10198.68 ± 0.251.53 ± 0.111.36 ± 0.1256.25 ± 1.1615.13 ± 0.9772.49 ± 1.0257.73 ± 0.93
DenseNet12198.56 ± 0.130.82 ± 0.080.37 ± 0.1347.67 ± 2.076.02 ± 1.2886.35 ± 2.4769.44 ± 1.84
DenseNet20198.68 ± 0.070.66 ± 0.090.08 ± 0.1552.82 ± 2.127.46 ± 1.6784.45 ± 3.1169.94 ± 2.03
MobileNet98.23 ± 0.172.31 ± 0.061.32 ± 0.0710.31 ± 2.153.46 ± 1.3567.09 ± 1.0935.09 ± 1.04
ShuffleNet95.01 ± 0.781.48 ± 0.061.32 ± 0.099.24 ± 1.453.09 ± 1.2274.64 ± 1.3823.92 ± 0.79
A-ConvNet99.79 ± 0.840.12 ± 0.010.12 ± 0.0171.84 ± 2.4617.73 ± 0.3894.39 ± 2.4683.55 ± 2.34
A-ConvNet-M98.14 ± 0.331.98 ± 0.031.69 ± 0.0768.78 ± 2.7321.85 ± 1.5287.05 ± 1.1073.15 ± 1.22
Table 4. Classification accuracy of FUSAR-Ship models against standard adversarial attack (PGD).
Table 4. Classification accuracy of FUSAR-Ship models against standard adversarial attack (PGD).
Clean DataAdversarial Examples
L L 2 L 1
8/25516/2550.250.57.8412
ResNet1869.77 ± 2.328.14 ± 2.328.14 ± 2.3216.28 ± 2.3213.95 ± 2.3253.49 ± 3.4937.21 ± 3.49
ResNet5068.60 ± 3.494.65 ± 1.164.65 ± 1.1613.95 ± 2.3212.79 ± 1.1650.00 ± 2.3237.21 ± 2.32
ResNet10170.93 ± 4.6529.07 ± 2.3229.07 ± 2.3225.58 ± 3.4920.93 ± 2.3253.49 ± 3.4945.35 ± 2.32
DenseNet12166.28 ± 4.6524.42 ± 2.3224.42 ± 2.3211.63 ± 2.326.98 ± 1.1659.30 ± 3.4941.86 ± 3.49
DenseNet20168.60 ± 4.6529.06 ± 3.4929.07 ± 2.3230.23 ± 3.4924.42 ± 2.3268.60 ± 2.3255.81 ± 3.49
MobileNet63.95 ± 4.6529.07 ± 4.6529.07 ± 2.3220.93 ± 1.1620.93 ± 1.1622.09 ± 1.1623.26 ± 2.32
ShuffleNet45.35 ± 5.8126.74 ± 3.4926.74 ± 2.3229.07 ± 2.3229.07 ± 3.4938.37 ± 2.3236.05 ± 2.32
A-ConvNet81.34 ± 3.495.81 ± 2.325.81 ± 2.3248.83 ± 3.4926.74 ± 2.3263.95 ± 2.3256.98 ± 3.49
A-ConvNet-M70.93 ± 2.3225.58 ± 4.6525.58 ± 2.3231.39 ± 2.3226.74 ± 3.4943.02 ± 3.4936.05 ± 2.32
Table 5. Classification accuracy of MSTAR models against different kinds of adversarial attack.
Table 5. Classification accuracy of MSTAR models against different kinds of adversarial attack.
MethodClean DataPGDFGSMAPGDDeep FoolCWSparse-RSSparse FoolSquare AttackHop Skip Jump
ResNet1897.65 ± 0.282.02 ± 0.083.01 ± 0.572.02 ± 0.052.10 ± 0.0614.85 ± 0.7963.59 ± 0.8451.76 ± 0.8670.47 ± 2.4413.81 ± 0.76
ResNet5097.86 ± 0.121.73 ± 0.079.61 ± 0.661.32 ± 0.051.94 ± 0.1312.29 ± 0.4762.93 ± 0.9250.98 ± 0.6958.68 ± 1.769.36 ± 0.55
ResNet10198.68 ± 0.251.53 ± 0.1112.33 ± 0.931.36 ± 0.071.73 ± 0.2610.56 ± 0.7761.94 ± 0.9548.98 ± 0.9360.66 ± 1.5714.72 ± 0.87
DenseNet12198.56 ± 0.130.82 ± 0.086.14 ± 1.640.82 ± 0.091.32 ± 0.1418.68 ± 1.5660.70 ± 1.2150.32 ± 0.9857.24 ± 1.228.74 ± 0.58
DenseNet20198.68 ± 0.070.66 ± 0.096.02 ± 1.060.62 ± 0.091.03 ± 0.2516.29 ± 1.3660.82 ± 1.0951.30 ± 0.9048.00 ± 0.7416.33 ± 0.80
MobileNet98.23 ± 0.172.31 ± 0.064.58 ± 0.602.10 ± 0.053.38 ± 0.2031.30 ± 2.3245.61 ± 0.8341.26 ± 0.8447.96 ± 0.499.40 ± 0.48
ShuffleNet95.01 ± 0.781.48 ± 0.062.10 ± 0.491.32 ± 0.061.73 ± 0.0829.69 ± 2.1442.64 ± 0.4241.09 ± 0.6848.16 ± 0.839.07 ± 0.74
A-ConvNet99.79 ± 0.840.12 ± 0.010.16 ± 0.010.08 ± 0.010.16 ± 0.0116.41 ± 0.9271.05 ± 1.2469.03 ± 1.2239.59 ± 0.663.79 ± 0.32
A-ConvNet-M98.14 ± 0.031.98 ± 0.038.78 ± 0.871.94 ± 0.073.75 ± 0.1483.34 ± 2.5667.84 ± 1.0768.11 ± 1.0117.36 ± 0.8210.47 ± 0.54
Table 6. Classification accuracy of FUSAR-Ship models against different kinds of adversarial attack.
Table 6. Classification accuracy of FUSAR-Ship models against different kinds of adversarial attack.
MethodClean DataPGDFGSMAPGDDeep FoolCWSparse-RSSparse FoolSquare AttackHop Skip Jump
ResNet1869.77 ± 2.328.14 ± 2.3229.07 ± 2.328.14 ± 1.1622.09 ± 1.1619.77 ± 2.3212.79 ± 1.1633.72 ± 2.3269.77 ± 2.3224.42 ± 2.32
ResNet5068.60 ± 3.494.65 ± 1.1629.07 ± 2.325.81 ± 1.1620.93 ± 2.3226.74 ± 2.3213.95 ± 1.1633.72 ± 2.3268.60 ± 3.494.65 ± 1.16
ResNet10170.93 ± 4.6529.07 ± 2.3244.19 ± 2.3226.74 ± 2.3223.26 ± 2.3232.56 ± 1.1640.70 ± 2.3238.37 ± 3.4970.93 ± 4.6529.07 ± 2.32
DenseNet12166.28 ± 4.6524.42 ± 2.3217.44 ± 1.168.14 ± 2.3220.93 ± 1.1624.42 ± 2.3230.23 ± 2.3250.00 ± 3.4966.28 ± 4.6524.42 ± 2.32
DenseNet20168.60 ± 4.6529.06 ± 3.4929.07 ± 2.325.81 ± 1.1620.93 ± 1.1627.91 ± 3.1619.77 ± 2.3243.03 ± 2.3268.60 ± 4.6529.06 ± 3.49
MobileNet63.95 ± 4.6529.07 ± 4.6529.07 ± 2.3216.28 ± 2.3247.67 ± 3.4925.58 ± 1.1622.09 ± 1.1633.72 ± 2.3263.95 ± 4.6529.07 ± 4.65
ShuffleNet45.35 ± 5.8126.74 ± 3.4919.77 ± 2.3215.12 ± 2.3238.37 ± 1.1637.21 ± 3.1630.23 ± 2.3238.37 ± 3.4945.35 ± 5.8126.74 ± 3.49
A-ConvNet81.34 ± 3.495.81 ± 2.3240.70 ± 3.499.30 ± 2.3236.04 ± 2.328.14 ± 1.1636.05 ± 1.1612.79 ± 2.3281.34 ± 3.495.81 ± 2.32
A-ConvNet-M70.93 ± 2.3225.58 ± 4.6526.74 ± 2.3223.26 ± 2.3223.26 ± 1.1641.86 ± 4.6548.84 ± 2.3213.95 ± 3.4970.93 ± 2.3225.58 ± 4.65
Table 7. Comprehensive evaluation of different DNN models against PGD attack (attack strength is 8/255 in L norm) in MSTAR dataset.
Table 7. Comprehensive evaluation of different DNN models against PGD attack (attack strength is 8/255 in L norm) in MSTAR dataset.
SARAACACRCACNTEEBDALPpASSPSDTKNC
L0L2 L
ResNet1897.652.020.996850.991.660.9768580.834230.11
ResNet5097.861.731.00inf1.001.550.9791780.844150.03
ResNet10198.68 1.531.00inf1.001.660.9791480.844140.03
DenseNet12198.560.820.9914700.981.660.9588080.853920.03
DenseNet20198.680.660.9916680.981.660.9689780.844020.02
MobileNet98.232.310.9915140.981.660.9478980.863420.03
ShuffleNet95.011.480.9914740.981.520.9583080.843640.06
A-ConvNet99.790.121.0inf1.01.660.9686280.843850.23
A-ConvNet-M98.141.981.00inf1.01.660.9481980.843850.18
Table 8. Comprehensive evaluation of different DNN models against PGD attack (attack strength is 8/255 in L norm) in FUSAR-Ship dataset.
Table 8. Comprehensive evaluation of different DNN models against PGD attack (attack strength is 8/255 in L norm) in FUSAR-Ship dataset.
SARAACACRCACNTEEBDALPpASSPSDTKNC
L0L2 L
ResNet1869.778.141.00inf1.001.300.9229248.000.3861530.07
ResNet5068.606.981.00inf1.001.300.9736418.000.3968340.04
ResNet10170.9320.930.99inf1.001.850.9634858.000.2964450.01
DenseNet12166.2824.421.00inf1.001.590.9736678.000.3569150.01
DenseNet20168.6010.471.00inf1.001.850.9735098.000.2965150.01
MobileNet63.9529.071.00inf1.001.850.9838218.000.3573380.01
ShuffleNet45.3526.741.00inf1.001.790.9835718.000.2866750.02
A-ConvNet81.345.811.00inf1.001.590.9737628.000.3563430.01
A-ConvNet-M70.9326.740.99inf1.001.850.9431458.000.3569340.01
Table 9. Classification accuracy of models (ResNet18) with no-defense or defense methods against PGD adversarial attacks in MSTAR dataset.
Table 9. Classification accuracy of models (ResNet18) with no-defense or defense methods against PGD adversarial attacks in MSTAR dataset.
Clean DataAdversarial Examples
L L 2 L 1
8/25516/2550.250.57.8412
No DefenseStandard97.65 ± 0.282.02 ± 0.111.86 ± 0.0862.60 ± 0.6817.53 ± 0.7786.23 ± 1.4476.87 ± 1.11
SimCLR99.38 ± 0.1922.93 ± 0.742.27 ± 0.5497.65 ± 0.9293.15 ± 0.6998.56 ± 1.2098.35 ± 1.01
BYOL99.51 ± 0.2229.15 ± 0.664.99 ± 0.5197.28 ± 0.9993.24 ± 0.8898.43 ± 1.2397.94 ± 0.78
DefenseAT86.23 ± 1.5979.13 ± 0.7469.98 ± 0.6185.11 ± 1.2484.33 ± 0.9385.57 ± 0.9785.36 ± 0.55
TRADES90.85 ± 0.8680.87 ± 0.8366.02 ± 0.7790.14 ± 1.0988.45 ± 0.6990.56 ± 1.5480.87 ± 0.98
ATFBF86.02 ± 0.5884.41 ± 0.6782.06 ± 0.5384.29 ± 1.1084.49 ± 0.7983.75 ± 1.2984.12 ± 0.69
RoCL92.43 ± 0.9580.73 ± 0.8265.40 ± 0.7688.16 ± 1.3390.29 ± 0.9089.65 ± 0.9389.10 ± 0.69
ACL95.34 ± 1.3374.43 ± 0.4451.88 ± 0.3588.99 ± 2.2283.59 ± 1.2090.19 ± 1.4990.43 ± 0.93
UACL95.09 ± 0.9080.92 ± 0.8960.74 ± 0.5494.10 ± 2.0493.36 ± 0.8094.31 ± 1.1094.27 ± 0.90
UACL+TRADES90.02 ± 0.4887.88 ± 0.6284.91 ± 0.4489.73 ± 1.7989.53 ± 0.7789.98 ± 0.9289.90 ± 0.53
UACL+ ATFBF96.99 ± 0.2995.38 ± 0.6092.16 ± 0.3896.86 ± 1.5396.66 ± 0.7497.03 ± 0.8897.03 ± 0.47
Table 10. Classification accuracy of models (ResNet18) with no-defense or defense methods against PGD adversarial attacks in FUSAR-Ship dataset.
Table 10. Classification accuracy of models (ResNet18) with no-defense or defense methods against PGD adversarial attacks in FUSAR-Ship dataset.
Clean DataAdversarial Examples
L L 2 L 1
8/25516/2550.250.57.8412
No DefenseStandard69.77 ± 2.328.14 ± 2.328.14 ± 2.3216.28 ± 2.3213.95 ± 2.3253.49 ± 3.4937.21 ± 3.49
SimCLR80.23 ± 5.8137.21 ± 2.3226.74 ± 2.3247.67 ± 2.3247.67 ± 3.4940.70 ± 2.3246.51 ± 3.49
BYOL80.23 ± 5.8151.16 ± 2.3241.86 ± 3.4959.30 ± 3.4958.14 ± 3.4959.30 ± 3.4959.30 ± 4.65
DefenseAT60.47 ± 2.3260.47 ± 3.4960.47 ± 2.3260.47 ± 4.6560.47 ± 4.6560.47 ± 4.6560.47 ± 3.49
TRADES61.63 ± 3.4961.63 ± 3.4961.63 ± 3.4961.63 ± 4.6561.63 ± 4.6561.63 ± 4.6561.63 ± 3.49
ATFBF59.30 ± 2.3260.47 ± 4.6560.47 ± 2.3259.30 ± 3.4959.30 ± 3.4959.30 ± 4.6559.30 ± 4.65
RoCL62.79 ± 2.3256.98 ± 3.4937.21 ± 2.3261.63 ± 5.8161.63 ± 3.4962.79 ± 5.8162.79 ± 5.81
ACL69.77 ± 3.4956.98 ± 5.8153.49 ± 2.3272.09 ± 5.8169.77 ± 5.8170.93 ± 5.8170.93 ± 5.81
UACL68.60 ± 2.3265.12 ± 3.4955.81 ± 2.3267.44 ± 3.4967.44 ± 4.6568.60 ± 3.4968.60 ± 4.65
UACL+TRADES69.77 ± 2.3267.44 ± 4.6568.60 ± 5.8168.60 ± 4.6568.60 ± 4.6569.77 ± 5.8169.77 ± 4.65
UACL+ ATFBF66.28 ± 3.4966.28 ± 4.6567.44 ± 5.8166.28 ± 4.6566.28 ± 4.6566.28 ± 4.6566.28 ± 3.49
Table 11. Classification accuracy of models (ResNet18) with no-defense or defense methods against different kinds of adversarial attack in MSTAR dataset.
Table 11. Classification accuracy of models (ResNet18) with no-defense or defense methods against different kinds of adversarial attack in MSTAR dataset.
PGDFGSMAPGDDeepFoolCWSparse-RSSparsefoolSquareAttackHopSkipJump
No DefenseStandard2.02 ± 0.113.01 ± 0.342.02 ± 0.092.10 ± 0.0914.85 ± 1.2963.59 ± 1.0851.76 ± 1.4670.47 ± 0.8613.81 ± 0.32
SimCLR22.93 ± 0.7447.22 ± 0.5919.34 ± 0.5036.70 ± 0.0993.57 ± 0.5374.89 ± 1.2260.33 ± 1.4655.96 ± 0.5346.35 ± 0.89
BYOL29.15 ± 0.6658.10 ± 0.5626.93 ± 0.3330.19 ± 0.0997.20 ± 1.1676.16 ± 1.4061.09 ± 1.4671.22 ± 0.7667.88 ± 0.96
DefenseAT79.13 ± 0.7481.53 ± 0.9879.84 ± 0.4274.14 ± 0.0984.91 ± 1.2984.91 ± 1.3181.93 ± 1.4685.32 ± 0.9286.10 ± 0.94
TRADES80.87 ± 0.8385.03 ± 1.2081.98 ± 0.5475.01 ± 0.0989.24 ± 1.7989.11 ± 1.5785.31 ± 1.4689.81 ± 0.9890.35 ± 1.02
ATFBF84.41 ± 0.6783.59 ± 0.9783.26 ± 0.4781.07 ± 0.0983.67 ± 1.6084.08 ± 1.3084.24 ± 1.4683.30 ± 0.6783.55 ± 0.89
RoCL80.73 ± 0.8286.02 ± 0.8476.29 ± 0.7081.07 ± 0.0990.38 ± 1.5790.55 ± 1.6988.49 ± 1.4684.08 ± 1.2491.90 ± 1.23
ACL74.43 ± 0.4479.53 ± 0.6859.98 ± 0.3168.60 ± 0.0980.62 ± 1.0187.42 ± 1.6482.10 ± 1.4682.14 ± 1.0886.52 ± 1.20
UACL80.92 ± 0.8985.20 ± 1.1476.33 ± 0.6681.53 ± 0.0993.20 ± 1.3293.07 ± 1.8993.07 ± 1.4685.15 ± 1.3392.33 ± 1.08
UACL+TRADES87.88 ± 0.6288.66 ± 0.9287.92 ± 0.6886.47 ± 0.0989.65 ± 1.0589.40 ± 1.0289.67 ± 1.4689.53 ± 1.0389.65 ± 1.01
UACL+ ATFBF95.38 ± 0.6095.92 ± 0.7795.55 ± 0.5388.29 ± 0.0996.82 ± 1.1095.22 ± 0.7795.18 ± 1.4696.91 ± 0.9396.99 ± 0.92
Table 12. Classification accuracy of models (ResNet18) with no-defense or defense methods against different kinds of adversarial attack in FUSAR-Ship dataset.
Table 12. Classification accuracy of models (ResNet18) with no-defense or defense methods against different kinds of adversarial attack in FUSAR-Ship dataset.
PGDFGSMAPGDDeepFoolCWSparse-RSSparsefoolSquareAttackHopSkipJump
No DefenseStandard8.14 ± 2.3219.77 ± 2.328.14 ± 1.1629.07 ± 2.3219.77 ± 2.3238.49 ± 2.3236.90 ± 3.4912.79 ± 2.3234.88 ± 2.32
SimCLR37.21 ± 2.3246.51 ± 2.3253.49 ± 3.4947.67 ± 2.3247.67 ± 3.4953.49 ± 3.4946.51 ± 4.6517.44 ± 2.3253.49 ± 4.65
BYOL51.16 ± 2.3240.70 ± 2.3248.84 ± 2.3258.14 ± 3.4955.81 ± 4.6546.51 ± 2.3240.70 ± 3.4946.51 ± 4.6548.84 ± 4.65
DefenseAT60.47 ± 3.4960.47 ± 2.3260.47 ± 3.4960.47 ± 3.4960.47 ± 4.6560.47 ± 3.4960.47 ± 5.8160.47 ± 3.4960.47 ± 2.32
TRADES61.63 ± 3.4961.63 ± 3.4961.63 ± 3.4961.63 ± 4.6561.63 ± 4.6561.63 ± 3.4961.63 ± 4.6562.79 ± 3.4961.63 ± 3.49
ATFBF60.47 ± 4.6560.47 ± 3.4960.47 ± 2.3259.30 ± 3.4959.30 ± 3.4959.30 ± 2.3259.30 ± 4.6560.47 ± 3.4960.47 ± 2.32
RoCL56.98 ± 3.4946.51 ± 4.6554.65 ± 3.4962.79 ± 3.4962.79 ± 4.6559.30 ± 4.6555.81 ± 5.8158.14 ± 5.8156.98 ± 5.81
ACL56.98 ± 5.8126.74 ± 4.6533.72 ± 4.6570.93 ± 5.8170.93 ± 4.6561.63 ± 4.6559.30 ± 5.8130.23 ± 5.8155.81 ± 5.81
UACL65.12 ± 3.4962.79 ± 3.4963.95 ± 3.4968.60 ± 4.6569.77 ± 3.4968.60 ± 3.4968.60 ± 4.6556.98 ± 3.4955.81 ± 4.65
UACL+TRADES67.44 ± 4.6567.44 ± 4.6567.44 ± 3.4969.77 ± 4.6569.77 ± 4.6569.77 ± 3.4969.77 ± 4.6568.60 ± 4.6570.93 ± 3.49
UACL+ ATFBF66.28 ± 4.6566.28 ± 4.6567.44 ± 2.3266.28 ± 3.4966.28 ± 3.4966.28 ± 2.3266.28 ± 4.6567.44 ± 3.4967.44 ± 3.49
Table 13. Comprehensive evaluation of models (ResNet18) with no-defense or defense methods against PGD attacks (attack strength is 8/255 in L norm) in MSTAR dataset.
Table 13. Comprehensive evaluation of models (ResNet18) with no-defense or defense methods against PGD attacks (attack strength is 8/255 in L norm) in MSTAR dataset.
SARAACACRCACNTEEBDPSDTKNC
No DefenseStandard97.652.020.9986850.9961.664230.11
SimCLR99.3822.930.91627.60.8411.664270.49
BYOL99.5129.150.92729.00.8631.604230.47
DefenseAT86.2379.130.4911.40.1421.674220.41
TRADES90.8580.870.5631.80.2471.674240.39
ATFBF86.0284.410.5401.60.1941.674410.49
RoCL92.4380.730.69141.40.8551.664230.51
ACL95.3434.430.62913.60.6981.674220.57
UACL95.0980.920.6619.80.7421.644330.56
UACL+TRADES90.0287.880.5261.40.1611.504180.58
UACL+ ATFBF96.9995.380.7873.80.5791.674030.43
Table 14. Comprehensive evaluation of models (ResNet18) with no-defense or defense methods against PGD attacks (attack strength is 8/255 in L norm) in FUSAR-Ship dataset. Because the robust accuracy of some models is not less than the standard accuracy, some parameters cannot be obtained.
Table 14. Comprehensive evaluation of models (ResNet18) with no-defense or defense methods against PGD attacks (attack strength is 8/255 in L norm) in FUSAR-Ship dataset. Because the robust accuracy of some models is not less than the standard accuracy, some parameters cannot be obtained.
SARAACACRCACNTEEBDPSDTKNC
No DefenseStandard69.778.141inf11.3061530.07
SimCLR80.2337.210.849.100.701.2151730.05
BYOL80.2351.160.8110.40.771.1458020.04
DefenseAT60.4760.47\\\1.77\0.02
TRADES61.6361.63\\\1.80\0.03
ATFBF59.3060.47\\\1.74\0.03
RoCL62.7956.980.653.560.351.5945980.03
ACL69.7756.980.707.330.341.6247940.03
UACL68.6065.120.612.020.311.6845600.03
UACL+TRADES69.7767.440.501.010.011.7449920.03
UACL+ ATFBF66.2866.28\\\1.42\0.03
Table 15. Classification accuracy of models (ResNet18) with different defense methods trained with 10% labeled data against PGD adversarial attacks.
Table 15. Classification accuracy of models (ResNet18) with different defense methods trained with 10% labeled data against PGD adversarial attacks.
Clean dataPGD(ε = 8/255)PGD(ε = 16/255)
Standard77.152.022.02
AT42.7642.6442.72
TRADES40.8737.7737.90
ATFTF41.2440.9941.03
RoCL63.4262.0261.77
ACL68.2047.9045.18
UACL64.4562.3561.28
Table 16. The training times of adversarial contrastive pretraining defenses.
Table 16. The training times of adversarial contrastive pretraining defenses.
RoCLACLUACL
MSTAR25:01:2429:12:3617:28:14
FUSAR-Ship7:12:095:34:564:09:40
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Xu, Y.; Sun, H.; Chen, J.; Lei, L.; Ji, K.; Kuang, G. Adversarial Self-Supervised Learning for Robust SAR Target Recognition. Remote Sens. 2021, 13, 4158. https://doi.org/10.3390/rs13204158

AMA Style

Xu Y, Sun H, Chen J, Lei L, Ji K, Kuang G. Adversarial Self-Supervised Learning for Robust SAR Target Recognition. Remote Sensing. 2021; 13(20):4158. https://doi.org/10.3390/rs13204158

Chicago/Turabian Style

Xu, Yanjie, Hao Sun, Jin Chen, Lin Lei, Kefeng Ji, and Gangyao Kuang. 2021. "Adversarial Self-Supervised Learning for Robust SAR Target Recognition" Remote Sensing 13, no. 20: 4158. https://doi.org/10.3390/rs13204158

APA Style

Xu, Y., Sun, H., Chen, J., Lei, L., Ji, K., & Kuang, G. (2021). Adversarial Self-Supervised Learning for Robust SAR Target Recognition. Remote Sensing, 13(20), 4158. https://doi.org/10.3390/rs13204158

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop