Adversarial Self-Supervised Learning for Robust SAR Target Recognition

Abstract: Synthetic aperture radar (SAR) can perform observations at all times and has been widely used in the military field. Deep neural network (DNN)-based SAR target recognition models have achieved great success in recent years. Yet, the adversarial robustness of these models has received far less academic attention in the remote sensing community. In this article, we first present a comprehensive adversarial robustness evaluation framework for DNN-based SAR target recognition. Both data-oriented metrics and model-oriented metrics have been used to fully assess the recognition performance under adversarial scenarios. Adversarial training is currently one of the most successful methods to improve the adversarial robustness of DNN models. However, it requires class labels to generate adversarial attacks and suffers a significant accuracy drop on testing data. To address these problems, we introduced adversarial self-supervised learning into SAR target recognition for the first time and proposed a novel unsupervised adversarial contrastive learning-based defense method. Specifically, we utilize a contrastive learning framework to train a robust DNN with unlabeled data, which aims to maximize the similarity of representations between a random augmentation of a SAR image and its unsupervised adversarial example. Extensive experiments on two SAR image datasets demonstrate that defenses based on adversarial self-supervised learning can obtain comparable robust accuracy over state-of-the-art supervised adversarial learning methods.


Introduction
Synthetic aperture radar (SAR) actively emits microwaves and improves azimuth resolution through the synthetic aperture principle to obtain large-area, high-resolution radar images [1]. SAR images have been widely used for automatic target detection and recognition in both civil and military applications. Due to the SAR imaging mechanism, different terrains in SAR images exhibit several special phenomena, such as overlap, shadows, and perspective shrinkage. Moreover, coherent speckle noise is apparent in SAR images. It is difficult to manually design effective features for SAR target recognition [2]. With the rapid development of deep learning technology, deep neural network (DNN) models have been widely used for SAR target recognition. Shao et al. [3] analyzed the performance of different DNNs on the MSTAR [4] dataset in terms of classification accuracy, training time, and other metrics to verify the superiority of DNNs for SAR target recognition. Ding et al. [5] carried out angle synthesis of the training data for DNN-based recognition models. Ayzel et al. [6] proposed all-convolutional neural networks (A-ConvNet), which do not contain a fully connected layer. Gu and Xu [7] proposed that a wider convolution kernel is more suitable for SAR images with stronger speckle noise, taking a multi-scale feature extraction module as the bottom layer of the network.
Despite the great success that DNN models have achieved, they have proved to be very sensitive to adversarial examples: inputs that are specifically designed to cause the target model to produce erroneous outputs [8]. The vulnerability of DNN models to imperceptibly small perturbations raises security concerns in a number of safety-sensitive applications [9]. Szegedy et al. [8] first discovered that DNNs were very susceptible to adversarial examples found using a box-constrained L-BFGS algorithm. Goodfellow et al. [10] noted that the linear nature of DNNs is the primary cause of their vulnerability to adversarial perturbations. Based on this theory, they proposed a gradient-based approach to generate adversarial examples, named the fast gradient sign method (FGSM). Moosavi-Dezfooli et al. [11] proposed the DeepFool algorithm to simplify L-BFGS and fool deep models, thus reliably quantifying the robustness of models. Kurakin et al. [12] proposed incorporating iterative methods to approximate the inner maximization problem. Moosavi-Dezfooli et al. [13] further found that universal adversarial perturbations exist: adding a single very small perturbation vector to original images can cause erroneous outputs from different DNNs with high probability. Although these adversarial examples may remain imperceptible to a human observer, they can easily fool DNN models into yielding wrong predictions [9].
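As an illustration of the gradient-based attacks discussed above, FGSM can be sketched in a few lines of PyTorch. This is a minimal sketch; the `fgsm` helper name, the ε value, and the [0, 1] pixel range are illustrative assumptions, not taken from the cited papers:

```python
import torch
import torch.nn.functional as F

def fgsm(model, x, y, eps):
    """One-step FGSM: x_adv = x + eps * sign(grad_x L(x, y)), clipped to [0, 1]."""
    x = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x), y)   # loss whose gradient guides the attack
    loss.backward()
    return (x + eps * x.grad.sign()).clamp(0.0, 1.0).detach()
```

Despite its simplicity, a single signed-gradient step of this form is often enough to flip the prediction of an undefended classifier.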
So far, there are only a handful of studies [14,15] that explore the threat of adversarial attacks on DNNs for SAR target recognition. Deep SAR target recognition models are more likely to suffer from the overfitting problem, resulting in a weaker generalization capability and greater sensitivity to perturbation [14]. Hence, their vulnerability to adversarial attacks might be even more serious. An example of adversarial attacks on DNN models for SAR target recognition is shown in Figure 1. It can be observed that, although the difference between the adversarial examples and the original ones is too small to be perceived by human vision, it can fool the DNN model. This phenomenon limits the practical deployment of DNN models in the safety-critical SAR target recognition field. Adversarial defense methods can enhance adversarial robustness and further lead to robust SAR target recognition. Among them, adversarial training (AT) and AT-based defenses, which augment training data with adversarial examples perturbed to maximize the loss on the target model, remain a highly effective method for safeguarding DNNs from adversarial examples [9]. Such a strategy requires a large amount of labeled data as support. The labeling and sample efficiency challenges of deep learning, in fact, are further exacerbated by its vulnerability to adversarial attacks.
The sample complexity of learning an adversarially robust model with current methods is significantly higher than that of standard learning [16]. Additionally, AT-based techniques have been observed to cause an undesirable decline in standard accuracy (the classification accuracy on unperturbed inputs) while increasing robust accuracy (the classification accuracy on worst-case perturbed inputs) [16,17,18].
Recent research [19] proposed the use of unlabeled data for training adversarially robust DNN models. Self-supervised learning holds great promise for improving representations with unlabeled data and has shown great potential to enhance adversarial robustness. Hendrycks et al. [17] proposed a multi-task learning framework that incorporated a self-supervised objective to be co-optimized with the conventional classification loss. Jiang et al. [18] improved robustness by learning representations that were consistent under both augmented data and adversarial examples. Chen et al. [16] generalized adversarial training to different self-supervised pretraining and fine-tuning schemes.
Other studies [18,20,21] exploited contrastive learning to improve model robustness in unsupervised/semi-supervised settings and achieved advanced robustness.
Though a plethora of adversarial defense methods has been proposed, the corresponding evaluation is often inadequate. For example, when evaluated only against simple white-box attacks, many adversarial defenses convey a false sense of robustness by introducing gradient masking, which can be easily circumvented and defeated [22]. Therefore, rigorous and extensive evaluation of adversarial robustness is necessary for SAR target recognition.
To address the aforementioned issues, in this paper, we systematically analyzed the effect of adversarial attacks and defenses on DNNs and utilized adversarial self-supervised learning to enhance robustness for SAR target recognition. The main contributions of this article are summarized as follows: (1) We systematically evaluated adversarial attacks and defenses in SAR target recognition tasks using both data-oriented robustness metrics and model-oriented robustness metrics. These metrics provide detailed characteristics of DNN models under adversarial scenarios. (2) We introduced adversarial self-supervised learning into SAR target recognition tasks for the first time. The defenses based on adversarial self-supervised learning obtained comparable robustness to supervised adversarial learning approaches without using any class labels, while achieving significantly better standard accuracy. (3) We proposed a novel defense method, unsupervised adversarial contrastive learning (UACL), which explicitly suppresses vulnerability in the representation space by maximizing the similarity of representations between clean data and the corresponding unsupervised adversarial examples.
The rest of this paper is organized as follows. In Section 2, we describe the adversarial robustness of SAR target recognition. In Section 3, we review the defenses based on adversarial self-supervised learning and propose our method, UACL. In Section 4, we present the information on datasets used in this paper and the experimental results. Our conclusions and other discussions are summarized in Section 5.

Definition of Adversarial Robustness
A DNN model for SAR target recognition can be described as a function f(x) : X → Y parameterized by θ ∈ W, which maps an input x ∈ X to a label y ∈ Y. Given a data distribution D over pairs (x, y), the goal of the learning algorithm is to find θ that minimizes the expected risk, i.e., min_θ E_(x,y)∼D [L(x, y; θ)] (1), where L(x, y; θ) is the cross-entropy classification loss between the output of the DNN model and the true label. In practice, we do not have access to the full data distribution D and only know a finite set of training samples {(x_i, y_i)}, i = 1, …, n. Thus, θ cannot be obtained by minimizing Equation (1), and it is usually obtained instead as the solution to the empirical risk minimization problem: min_θ (1/n) Σ_{i=1}^{n} L(x_i, y_i; θ) (2). The difference between the expected risk and the empirical risk attained by the DNN model f_θ is known as the generalization gap. Generally speaking, a DNN model achieves strong robustness when its generalization gap is small [23]. The amount and quality of the training data are critical to training robust models.
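In code, the empirical risk minimization of Equation (2) is just ordinary mini-batch training. A minimal PyTorch sketch (the helper name and hyperparameters are illustrative assumptions):

```python
import torch
import torch.nn.functional as F

def minimize_empirical_risk(model, data, epochs=10, lr=1e-2):
    """Empirical risk minimization: SGD on the mean cross-entropy L(x_i, y_i; theta)
    over the training sample, as a surrogate for the expected risk."""
    opt = torch.optim.SGD(model.parameters(), lr=lr)
    for _ in range(epochs):
        for x, y in data:                        # mini-batches of (inputs, labels)
            opt.zero_grad()
            loss = F.cross_entropy(model(x), y)  # cross-entropy classification loss
            loss.backward()
            opt.step()
    return model
```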
A DNN model extracts image features, and the entries z_L ∈ R^{D_L} (with D_L = C) of the output of its last layer are generally referred to as logits. To be more interpretable, logits are normally mapped to a set of probabilities p_θ(x) ∈ [0, 1]^C using the softmax operator, i.e., p_θ(x)_c = exp(z_{L,c}) / Σ_{j=1}^{C} exp(z_{L,j}). The predicted class is the index of the highest estimated probability.
A notable feature of most DNNs is that, in most cases, the decision boundary lies relatively far from any typical sample. For most DNNs used in SAR target recognition, one needs to add random noise with a very large variance σ² to fool the model. Intriguingly, this robustness to random noise contrasts with the vulnerability of DNNs to adversarial perturbations [8]. Surprisingly, we can always find adversarial examples for any input, which suggests that there always exist some directions along which the decision boundary is very close to the input sample. Adding a perturbation in such a direction can fool the model easily.
We can define an adversarial perturbation as follows: δ* = arg max_{δ∈C} Q(δ), where Q(δ) represents a general objective function, C denotes the constraint set of adversarial perturbations, and x + δ is generally referred to as an adversarial example. In adversarial attacks, Q(δ) and C are mainly instantiated in two ways. One represents the notion of the smallest adversarial perturbation required to cross the decision boundary of the DNN model, without regard to constraints (C = ∅): δ* = arg min_δ ‖δ‖_p s.t. f_θ(x + δ) ≠ f_θ(x). The other represents the worst-case perturbation, which maximizes the loss of the model within a given radius ε around an input sample, where ε is limited such that the perturbation is imperceptible: δ* = arg max_{‖δ‖_p ≤ ε} L(x + δ, y; θ). The fact that we can craft adversarial examples easily exposes a crucial vulnerability of current state-of-the-art DNNs. To address this issue, it is important to define target metrics to quantify the adversarial robustness of DNNs. Corresponding to the above two strategies for crafting adversarial perturbations, we can define the adversarial robustness ρ(f_θ) of a DNN in two ways. One measures the adversarial robustness of a DNN as the average distance of samples to the decision boundary: ρ(f_θ) = E_x∼D [ min_{δ : f_θ(x+δ) ≠ f_θ(x)} ‖δ‖_p ] (9). Under this metric, adversarial robustness becomes purely a property of the DNN, and it is agnostic to the type of adversarial attack. Making a DNN more robust means that its boundary is pushed further away from the samples. The other approach defines adversarial robustness as the worst-case accuracy of a DNN subject to an adversarial attack: ρ(f_θ) = E_(x,y)∼D [ min_{δ∈C} 1{f_θ(x + δ) = y} ] (10). This quantity is relevant from a security perspective, as it highlights the vulnerability of DNNs to specific adversarial attacks. The constraint set C reflects the attack strength of the adversary and incorporates the choice of metric, such as an L_p norm.
In fact, measuring the "true" adversarial robustness in terms of Equation (9) or Equation (10) directly is challenging. Computing the average distance of samples to the decision boundary in Equation (9) exactly is too computationally expensive, and for most DNNs used in practice, a closed-form analysis of their properties is not possible with our current mathematical tools. In practice, we can simplify the calculation and estimate an approximate result for Equation (9). As for Equation (10), current adversaries are not optimal in computing the adversarial perturbation. In practice, we usually substitute standard adversarial examples (projected gradient descent, PGD) for the optimal adversarial examples to measure adversarial robustness.
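A minimal sketch of the PGD adversary used as the practical substitute for the optimal attack, together with the resulting robust-accuracy estimate. Function names and default hyperparameters here are illustrative assumptions, not the paper's exact settings:

```python
import torch
import torch.nn.functional as F

def pgd_attack(model, x, y, eps=8/255, alpha=2/255, steps=10):
    """L_inf PGD: iterated signed-gradient ascent on the loss, projected back
    into the eps-ball around x after every step (with a random start)."""
    x_adv = (x + torch.empty_like(x).uniform_(-eps, eps)).clamp(0, 1)
    for _ in range(steps):
        x_adv = x_adv.detach().requires_grad_(True)
        loss = F.cross_entropy(model(x_adv), y)
        grad = torch.autograd.grad(loss, x_adv)[0]
        x_adv = x_adv + alpha * grad.sign()
        x_adv = torch.min(torch.max(x_adv, x - eps), x + eps).clamp(0, 1)
    return x_adv.detach()

def robust_accuracy(model, x, y, **attack_kwargs):
    """Practical estimate of worst-case accuracy: accuracy on PGD examples."""
    x_adv = pgd_attack(model, x, y, **attack_kwargs)
    with torch.no_grad():
        pred = model(x_adv).argmax(dim=1)
    return (pred == y).float().mean().item()
```

The same `pgd_attack` call evaluated on clean inputs gives standard accuracy, so both quantities can be measured with one routine.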

Adversarial Robustness Evaluation
There have been a number of works that rigorously evaluate the adversarial robustness of DNNs [14,24]. However, most of them focus on providing practical benchmarks for robustness evaluation, ignoring the significance of the evaluation metrics themselves. Simple evaluation metrics result in an incomplete evaluation, which is far from satisfactory for measuring the intrinsic behavior of a DNN in an adversarial setting and cannot provide a comprehensive understanding of the strengths and limitations of defenses [25]. To mitigate this problem, we leverage a multi-view robustness evaluation framework to evaluate adversarial attacks and defenses. This evaluation can be roughly divided into two parts: model-oriented and data-oriented [25], as shown in Figure 2.

Model-Oriented Robustness Metrics
To evaluate the robustness of a model, the most intuitive approach is to measure its performance in an adversarial setting. By default, we use PGD as the standard attack to generate adversarial examples with perturbation magnitude ε under the L∞ norm.
Standard Accuracy (SA). Classification accuracy on clean data is one of the most important properties in an adversarial setting. A model achieving high accuracy against adversarial examples but low accuracy on clean data will not be employed in practice.
Robust Accuracy (RA). Classification accuracy on adversarial examples (L∞ PGD by default) is the most important property for evaluating model robustness.

Average Confidence of Adversarial Class (ACAC). The confidence of adversarial examples on misclassification gives further indications of model robustness. ACAC can be defined as follows: ACAC = (1/m) Σ_{i=1}^{m} P_{y_adv}(x_i + δ_i), where D = {X, Y} is the test set, A_ε,p is the adversary, m is the number of adversarial examples that attack successfully, and P_{y_adv} is the prediction confidence of the incorrect class.
Relative Confidence of Adversarial Class (RCAC). In addition to ACAC, we also use RCAC to further evaluate to what extent the attacks escape from the ground truth in relative terms: RCAC = (1/m) Σ_{i=1}^{m} P_{y_adv}(x_i + δ_i) / P_y(x_i + δ_i), where P_y is the prediction confidence of the true class.
Noise Tolerance Estimation (NTE). Given the adversarial examples, NTE further calculates the gap between the probability of the misclassified class and the maximum probability of all other classes as follows: NTE = (1/m) Σ_{i=1}^{m} [P_{y_adv}(x_i + δ_i) − max_{j ≠ y_adv} P_j(x_i + δ_i)].
Empirical Boundary Distance (EBD). EBD calculates the minimum distance to the model decision boundary in a heuristic way; a larger EBD value indicates a stronger model in some sense. Given a model, it first generates a set V of m random orthogonal directions [26]. Then, it estimates the root mean square (RMS) distances φ_i(V) for each direction in V until the prediction changes. Among φ_i(V), d_i denotes the minimum distance moved to change the prediction. The EBD is then defined as follows: EBD = (1/n) Σ_{i=1}^{n} d_i, where n is the number of images.
Guided Backpropagation. Given a high-level feature map, the "deconvnet" inverts the data flow of a DNN, going from neuron activations in the given layer down to an image sample. Typically, a single neuron is left non-zero in the high-level feature map. The resulting reconstructed image then shows the part of the input image that most strongly activates this neuron and, hence, the part that is most discriminative to it [27].
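The confidence-based metrics ACAC, RCAC, and NTE can all be computed from the softmax outputs of successfully attacked samples. A minimal NumPy sketch, under the assumption that every row of `probs` is already misclassified (the attack succeeded):

```python
import numpy as np

def confidence_metrics(probs, y_true):
    """ACAC, RCAC, and NTE from softmax outputs on adversarial examples.
    probs: (m, C) probabilities; y_true: (m,) true labels.
    Every row is assumed to be misclassified."""
    m = len(y_true)
    pred = probs.argmax(axis=1)                   # adversarial (incorrect) class
    p_adv = probs[np.arange(m), pred]             # confidence of adversarial class
    p_true = probs[np.arange(m), y_true]          # confidence of true class
    masked = probs.copy()
    masked[np.arange(m), pred] = -np.inf          # exclude the adversarial class
    p_other = masked.max(axis=1)                  # max confidence of the rest
    acac = p_adv.mean()
    rcac = (p_adv / p_true).mean()
    nte = (p_adv - p_other).mean()
    return acac, rcac, nte
```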
Extremal perturbations [28]. Extremal perturbations analyze the effect of perturbing the network's input on its output by selectively deleting (or preserving) parts of the input sample and observing the effect of that change on the DNN's output. Specifically, the method finds a mask assigned to each pixel and uses this mask to induce a local perturbation of the image. It can then find the fixed-size mask that maximizes the model's output and thereby visualize the activation of the model.

Data-Oriented Robustness Metrics
We use data-oriented metrics considering data imperceptibility, including the average L_p perturbation (ALP_p), average structural similarity (ASS), and perturbation sensitivity distance (PSD), as well as neuron coverage, represented by top-K neuron coverage (TKNC), to measure robustness.
ASS. To evaluate the human visual imperceptibility of adversarial examples, we further use the structural similarity (SSIM) index as a similarity measurement: SSIM(x, y) = (2 μ_x μ_y + c_1)(2 σ_xy + c_2) / [(μ_x² + μ_y² + c_1)(σ_x² + σ_y² + c_2)], where μ_x and μ_y are the mean values of x and y, σ_x² and σ_y² are the variances of x and y, σ_xy is the covariance of x and y, and c_1 and c_2 are small constants that stabilize the division. ASS can then be defined as the average SSIM between clean data and the corresponding adversarial examples: ASS = (1/n) Σ_{i=1}^{n} SSIM(x_i, x_i + δ_i). The higher the ASS, the more imperceptible the adversarial perturbation. PSD. Based on the contrast masking theory, PSD was proposed to evaluate human perception of perturbations [29]: PSD = (1/m) Σ_{i=1}^{m} Σ_{j=1}^{t} |δ_ij| · Sen(R(x_ij)), where t is the total number of pixels and δ_ij represents the j-th pixel of the i-th image's perturbation. R(x_ij) is the square region surrounding x_ij, and Sen(R(x_ij)) = 1/std(R(x_ij)). Evidently, the smaller the PSD, the more imperceptible the adversarial perturbation.
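A simplified sketch of the ASS computation. For brevity this uses a single global SSIM window rather than the usual local sliding window of the full SSIM index, and the constants `c1`, `c2` are illustrative:

```python
import numpy as np

def ssim_global(x, y, c1=1e-4, c2=9e-4):
    """Single-window SSIM; the full index averages this over local windows."""
    mx, my = x.mean(), y.mean()
    vx, vy = x.var(), y.var()
    cov = ((x - mx) * (y - my)).mean()
    return ((2 * mx * my + c1) * (2 * cov + c2)) / \
           ((mx ** 2 + my ** 2 + c1) * (vx + vy + c2))

def ass(clean, adv):
    """Average structural similarity between clean images and their
    adversarial examples."""
    return float(np.mean([ssim_global(c, a) for c, a in zip(clean, adv)]))
```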
TKNC. Given a test input x, top_k(x, i) denotes the neurons of the i-th layer that have the largest k (3 by default) outputs. TKNC measures how many neurons were, for at least one input, among the k most active neurons of their layer. It is defined as the ratio of the total number of top-k neurons to the total number of neurons in a DNN: TKNC = |∪_{x∈X} ∪_i top_k(x, i)| / N, where N is the total number of neurons. Neurons from the same layer often play similar roles, while active neurons from different layers are important indicators that characterize the major functionality of a DNN. A high TKNC means the data activate the model more fully.
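TKNC can be computed by collecting, per layer, the set of neurons that ever appear in some input's top-k. A minimal sketch; the `layer_outputs` format (one activation matrix per layer) is an assumption for illustration:

```python
import numpy as np

def tknc(layer_outputs, k=3):
    """Top-K Neuron Coverage: the fraction of neurons that were among the k most
    active neurons of their layer for at least one test input.
    layer_outputs: list, one (num_inputs, num_neurons) activation array per layer."""
    covered, total = 0, 0
    for acts in layer_outputs:
        top = set()
        for row in acts:
            top.update(np.argsort(row)[-k:].tolist())  # indices of top-k neurons
        covered += len(top)
        total += acts.shape[1]
    return covered / total
```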

Drawbacks of Adversarial Training
AT is currently one of the most promising ways to obtain adversarial robustness for a DNN model by augmenting the training set with adversarial examples [10], as shown in Figure 3a. Specifically, AT minimizes the worst-case loss within some perturbation region of the model. Though we cannot find the exact worst-case perturbation, an implication of this claim is that, if a model is robust to PGD, it is also robust against any other adversary; as such, AT with a PGD adversary (i.e., PGD AT) is generally thought to yield certain robustness guarantees. Letting x ∈ X be a training sample, y ∈ Y the corresponding label, and f_θ a DNN model with parameters θ, AT first generates the adversarial examples and then uses them, x + δ, to solve the following min-max optimization: min_θ E_(x,y)∼D [ max_{‖δ‖_p ≤ ε} L(x + δ, y; θ) ].
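One step of PGD adversarial training, i.e., an approximate inner maximization followed by an outer minimization step, might look as follows. This is a sketch; the helper name and hyperparameters are illustrative, not the paper's exact training settings:

```python
import torch
import torch.nn.functional as F

def adversarial_training_step(model, x, y, optimizer, eps=8/255, alpha=2/255, steps=7):
    """One PGD-AT step: approximate the inner max with PGD, then take an
    outer minimization step on the adversarial loss."""
    # Inner maximization: craft x_adv inside the eps-ball around x.
    x_adv = (x + torch.empty_like(x).uniform_(-eps, eps)).clamp(0, 1)
    for _ in range(steps):
        x_adv = x_adv.detach().requires_grad_(True)
        grad = torch.autograd.grad(F.cross_entropy(model(x_adv), y), x_adv)[0]
        x_adv = torch.min(torch.max(x_adv + alpha * grad.sign(), x - eps), x + eps)
        x_adv = x_adv.clamp(0, 1)
    # Outer minimization: descend on the loss at the adversarial points.
    optimizer.zero_grad()
    loss = F.cross_entropy(model(x_adv.detach()), y)
    loss.backward()
    optimizer.step()
    return loss.item()
```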

Such an AT strategy results in the following challenges. (a) Data dependency: There is a significant generalization gap in adversarial robustness between the training and testing datasets. It has been observed that this gap gradually increases from the middle of training, i.e., robust overfitting, which makes practitioners resort to heuristic approaches for successful optimization [30]. Robust overfitting is inevitably sensitive to data in AT-based methods: the sample complexity of learning a robust representation with AT is significantly higher than that of standard learning, and insufficient data will widen the gap and further lead to poor robustness. (b) Accuracy drop: Models trained with AT lose significant accuracy on the original distribution; e.g., in our experiments, ResNet18 accuracy on the MSTAR test set dropped from 97.65% to 86.23% without any adversarial attack.

Adversarial Self-Supervised Learning Defenses
The latest studies have introduced adversarial learning into self-supervision. These defenses utilize a contrastive learning framework to pretrain an adversarially robust DNN with unlabeled data. Conventional contrastive learning aims to reduce the distance between representations of different augmented views of the same image (positive pairs) and increase the distance between representations of augmented views from different images (negative pairs) [31]. This fits particularly well with AT, as one cause of adversarial fragility could be attributed to the non-smooth feature space near samples, i.e., small perturbations can result in large feature variations and even label change. Adversarial contrastive pretraining defenses such as adversarial contrastive learning (ACL) [18] and robust contrastive learning (RoCL) [20], which both augment positive samples with adversarial examples, have led to state-of-the-art robustness.
RoCL proposes a framework to train an adversarially robust DNN, as shown in Figure 3b, which aims to maximize the similarity between a random augmentation of a data sample and its instance-wise adversarial example, and to minimize the similarity between a data sample and other samples, using a contrastive loss L_con(z, {z_pos}, {z_neg}), where z, {z_pos}, and {z_neg} are the corresponding latent feature vectors of the image data. Specifically, RoCL first generates instance-wise adversarial examples as follows: t(x)^adv = t(x) + arg max_{‖δ‖∞ ≤ ε} L_con(t(x) + δ, t′(x), {t(x)_neg}), where t(x) and t′(x) are transformed images produced by stochastic data augmentations, and {t(x)_neg} are views of other samples. The instance-wise adversarial examples are then used as additional elements of the positive set, and the objective is formulated as L_con(t(x), {t′(x), t(x)^adv}, {t(x)_neg}). After optimization, we can obtain an adversarially robust pretrained DNN. ACL encompasses several workflows that leverage a contrastive framework to learn robust representations, including ACL(A2A), ACL(A2S), and ACL(DS). Among these, ACL(DS) achieves the most advanced performance, and its workflow is shown in Figure 3c. Specifically, ACL(DS) augments each input twice (creating four augmented views): t(x) and t′(x) by standard augmentations, and the instance-wise adversarial examples t(x)^adv and t′(x)^adv. The final unsupervised loss consists of a contrastive loss term on the former pair (through two standard branches) and another contrastive loss term on the latter pair (through two adversarial branches); the two terms are, by default, equally weighted: L = L_con(t(x), t′(x)) + L_con(t(x)^adv, t′(x)^adv).
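The contrastive objective L_con used by frameworks such as RoCL and ACL is typically the NT-Xent loss over a batch of positive pairs. A minimal sketch, with the temperature value as an illustrative assumption:

```python
import torch
import torch.nn.functional as F

def nt_xent(z1, z2, tau=0.5):
    """NT-Xent contrastive loss for a batch of positive pairs (z1[i], z2[i]);
    every other embedding in the 2N batch serves as a negative."""
    n = z1.size(0)
    z = F.normalize(torch.cat([z1, z2]), dim=1)   # 2N unit-norm embeddings
    sim = z @ z.t() / tau                         # cosine similarity / temperature
    sim = sim.masked_fill(torch.eye(2 * n, dtype=torch.bool), float('-inf'))
    targets = torch.cat([torch.arange(n, 2 * n), torch.arange(0, n)])
    return F.cross_entropy(sim, targets)          # positive = the paired view
```

Replacing one of the two views with an instance-wise adversarial example (or adding it as an extra positive) turns this standard loss into the adversarial contrastive objectives described above.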

Unsupervised Adversarial Contrastive Learning
Unsupervised adversarial contrastive learning (UACL) aims to pretrain a robust DNN that can be used in target recognition tasks through adversarial self-supervised learning. As shown in Figure 4, the framework of UACL consists of a target network, f, with parameters ξ and an online network, q, with parameters θ. The online network consists of three parts: an encoder, a projector, and a predictor, while the target network does not have a predictor. Specifically, the encoder is a DNN (ResNet-18 excluding the fully connected (FC) layer by default) that can represent SAR images effectively. The projector and predictor are multi-layer perceptrons (MLPs) made up of a linear layer, followed by batch normalization (BN) and rectified linear units (ReLU), and a final linear layer that outputs a 256-dimensional feature vector. The data augmentation contains random cropping, random color distortion, random flipping, and Gaussian blur.
During training, UACL leverages the unlabeled data to train the Siamese networks, whose core idea is to keep the representation of an adversarial example close to that of the corresponding clean data.
First, UACL crafts unsupervised adversarial examples as positive samples. Specifically, given an unlabeled SAR image input x, UACL adds a perturbation δ that alters its representation as much as possible by maximizing the contrastive similarity loss between the positive samples as follows: δ = arg max_{‖δ‖∞ ≤ ε} L_θ,ξ(x + δ, t(x)). Second, UACL utilizes the unsupervised adversarial examples x + δ to optimize the parameters of the Siamese network via contrastive learning. The adversarial contrastive learning objective is given as the following min-max formulation: min_θ E_x∼C [ max_{‖δ‖∞ ≤ ε} L_θ,ξ(x + δ, t(x)) ], where C represents the data distribution and t represents the data augmentation. It should be noted that the input of the online network is not augmented. The augmentation of clean data can increase diversity to ensure robustness, but it is not suitable for adversarial examples: applying data augmentation before an unsupervised adversarial attack may reduce the robustness gained.
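The unsupervised attack step can be sketched with a BYOL-style similarity loss between the two branches. Here the `online` and `target` callables stand in for the encoder + projector (+ predictor) stacks; their names and the hyperparameters are illustrative assumptions, not the paper's exact implementation:

```python
import torch
import torch.nn.functional as F

def byol_loss(p, z):
    """Negative-cosine similarity between online prediction p and target
    projection z; gradients do not flow through the target branch."""
    return 2 - 2 * F.cosine_similarity(p, z.detach(), dim=-1).mean()

def unsupervised_adv_example(online, target, x, x_aug, eps=8/255, alpha=2/255, steps=5):
    """Craft delta (no labels needed) that pushes the online representation of
    x + delta away from the target representation of the augmented view t(x)."""
    with torch.no_grad():
        z_t = target(x_aug)                       # target projection of t(x)
    delta = torch.zeros_like(x)
    for _ in range(steps):
        delta = delta.detach().requires_grad_(True)
        loss = byol_loss(online(x + delta), z_t)  # similarity loss to maximize
        grad = torch.autograd.grad(loss, delta)[0]
        delta = (delta + alpha * grad.sign()).clamp(-eps, eps)
    return (x + delta).clamp(0, 1).detach()
```

Note that, as in the text, the clean input x is left unaugmented on the attacked branch, while only the view fed to the target network is augmented.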
In every training step, UACL minimizes the loss L_θ,ξ by optimizing the weights θ but not ξ (i.e., stop-gradient), as shown in Figure 4. The weights ξ are updated afterwards from θ by an exponential moving average (EMA). The dynamics of UACL can be summarized as follows: θ ← optimizer(θ, ∇_θ L_θ,ξ, η), ξ ← τ ξ + (1 − τ) θ, where η is the learning rate and τ is the target decay rate. Algorithm 1 summarizes the procedure of UACL.
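The target-network update is a plain exponential moving average over parameters. A minimal sketch with parameters stored in a dict (an illustrative representation; in PyTorch this would iterate over `state_dict()` entries):

```python
def ema_update(theta, xi, tau=0.99):
    """Target-network update xi <- tau * xi + (1 - tau) * theta, per parameter."""
    return {name: tau * xi[name] + (1 - tau) * theta[name] for name in xi}
```

With τ close to 1, the target network changes slowly, providing stable regression targets for the online network.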
Through the above pretraining, we can obtain a robust encoder without using any labeled data. However, since the encoder is trained for instance-wise discrimination, it cannot be directly used for class-wise SAR target recognition. Thus, we finally fine-tune the robust encoder to obtain a CNN classifier (i.e., ResNet18) by minimizing the cross-entropy loss, with all parameters of the model optimized according to L_CE. UACL can also be combined with supervised defenses, such as the tradeoff-inspired adversarial defense via surrogate-loss minimization (TRADES) [32] and "fast is better than free" adversarial training (ATFBF) [33], to obtain composite defenses. Specifically, we first fine-tune the pretrained model from UACL to obtain a classifier and then use the AT-based defense to enhance the robustness of this classifier once again.

Data Descriptions
(1) MSTAR [4] Dataset: MSTAR was produced by the US Defense Advanced Research Projects Agency using a high-resolution spotlight SAR to collect images of various Soviet military vehicles. The collection conditions for the MSTAR images are divided into two types: standard operating conditions (SOC) and extended operating conditions (EOC). In this article, we use the SAR images collected under SOC, whose details are shown in Table 1. The dataset includes ten target classes with different sizes. To simplify recognition, we resized the images to 128 × 128. The training dataset was collected at a 17° imaging side view, and the test dataset was collected at a 15° imaging side view [14]. Figure 5 shows example images for each of the classes in MSTAR. (2) FUSAR-Ship Dataset: FUSAR-Ship is a high-resolution ship dataset with AIS information obtained by the GF-3 satellite, which is used for ship detection and recognition. The root node is the maritime target, which can be divided into two branches: ship and non-ship. The ship node includes almost all types of ships. In this paper, we selected four sub-class targets for the experiments: BulkCarrier, CargoShip, Fishing, and Tank, which were divided into a training set and a test set at a ratio of 0.8 to 0.2. The details of this dataset are shown in Table 2. To simplify recognition, we resized the images to 512 × 512. Figure 6 shows example images for each of the classes in FUSAR-Ship.

Experimental Design and Settings
The experiments were conducted in three parts. In the first part, we evaluated nine common DNN models for SAR target recognition against both the standard attack (PGD with different Lp norm limits) and several other attacks. In the second part, we evaluated the defense methods against adversarial attacks. Finally, the third part visualized how adversarial attacks and defenses changed the activations of the DNN models.
We implemented the experiments on the PyTorch platform. All DNN models were initialized with random parameters. We used the Adam optimizer to train the networks with a learning rate of 1 × 10^-3 and a batch size of 16 for 100 epochs in all supervised learning, and with a learning rate of 3 × 10^-4 and a batch size of 8 for 200 epochs in all unsupervised learning. By default, we chose ResNet18 as the backbone in all defense experiments. For UACL, we chose τ = 0.99 as the target decay rate. The experiments were carried out on a computer running Windows 7 with a 3.60 GHz Intel(R) i9-9900KF 64-bit CPU, 32 GB of RAM, and one NVIDIA GeForce RTX 2080 Ti GPU with 11 GB of memory. Moreover, it should be noted that all experimental adversarial examples were crafted to attack the standard classifier, for unified measurement and in view of the wide use of standard models.

Evaluation on Adversarial Attacks
In this section, we evaluate the robustness of different DNN models in adversarial settings. The quantitative classification results of the standard attack are presented in Tables 3 and 4. It can be observed that DNNs yield good performance on the classification of original clean data in both datasets, especially MSTAR, which contains adequate data. All DNN models on MSTAR performed poorly against L∞ attacks, with robust accuracy dropping by more than 90%, while those on FUSAR-Ship all dropped to less than 30%. As for L2 and L1 attacks, most MSTAR DNN models still maintained high accuracy, except for the lightweight networks (ShuffleNet and MobileNet). However, in the classification of the L2 and L1 FUSAR-Ship adversarial examples, the performance of the DNN models differs greatly; even though their structures are similar, DenseNet121 and DenseNet201 show completely different performances. Matching a SAR image dataset with a suitable DNN can thus lead to higher robustness. The classification results for different adversarial attacks are presented in Tables 5 and 6. It can be seen that all kinds of adversarial attacks, especially the gradient-based and boundary-based attacks, can effectively reduce the classification accuracy to a very low level. Sparseness-based attacks (Sparse-RS, SparseFool), which are easy to implement in SAR target recognition, also lead to low robust accuracy. PGD and APGD perform well in attacking all kinds of models on both the MSTAR and FUSAR-Ship datasets; the defense of PGD and APGD should therefore be a priority in evaluation. Additionally, models with high standard accuracy are not necessarily more robust. For example, A-ConvNet performs well in classifying clean data but shows poor robustness against most kinds of adversarial attacks. Lightweight networks show strong robustness when facing boundary-based attacks (DeepFool and CW) and poor robustness against other attacks.
Residual networks such as ResNet18, ResNet101, and DenseNet201 perform well in the classification of black-box adversarial examples. A-ConvNet and A-ConvNet-m are more robust against sparseness-based attacks.
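For reference, the standard L∞ PGD attack used throughout this evaluation can be sketched as below; the stand-in model, ε, step size, and iteration count are illustrative defaults and not necessarily the paper's exact settings.

```python
import torch
import torch.nn as nn

def pgd_linf(model, x, y, eps=8/255, alpha=2/255, steps=10):
    """L_inf PGD sketch: random start, iterated signed-gradient ascent,
    projection back into the eps-ball and the valid pixel range [0, 1]."""
    x_adv = (x + torch.empty_like(x).uniform_(-eps, eps)).clamp(0, 1).detach()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = nn.functional.cross_entropy(model(x_adv), y)
        grad = torch.autograd.grad(loss, x_adv)[0]
        x_adv = x_adv.detach() + alpha * grad.sign()
        x_adv = torch.min(torch.max(x_adv, x - eps), x + eps).clamp(0, 1)
    return x_adv.detach()

model = nn.Sequential(nn.Flatten(), nn.Linear(16 * 16, 10))  # stand-in classifier
x = torch.rand(4, 1, 16, 16)
y = torch.randint(0, 10, (4,))
x_adv = pgd_linf(model, x, y)
```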
The comprehensive evaluation results are presented in Tables 7 and 8. According to the results of RCAC, ACAC, and NTE, the models have high confidence in their misclassification of white-box adversarial examples, which is difficult to correct. The EBD of a model depends on the data type and model structure: the EBD values of the MSTAR classification models are almost the same, but those of the FUSAR-Ship models differ. On the whole, models with a small EBD are less robust, such as ResNet18, ResNet50, and A-ConvNet. However, EBD does not equate to AA; for example, DenseNet121 has a small EBD but a comparatively high AA, which shows the importance of the data distribution for AA. The PGD adversarial examples under the L∞ limit obtained similar results in the ALP_p evaluation with p = 0 but showed great differences with p = 2, which will affect the attack's effect to some extent. The perceptual evaluation of human vision is related to that of computer vision, but it also shows some differences.
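As an illustration of the confidence-based metrics, the following sketch computes ACAC under a common definition (the mean probability assigned to the wrong predicted class over successfully attacked samples); the paper's exact formula may differ.

```python
import numpy as np

def softmax(logits):
    e = np.exp(logits - logits.max(axis=1, keepdims=True))
    return e / e.sum(axis=1, keepdims=True)

def acac(adv_logits, true_labels):
    """Average Confidence of Adversarial Class: mean probability of the
    (wrong) predicted class over misclassified adversarial samples."""
    probs = softmax(adv_logits)
    preds = probs.argmax(axis=1)
    wrong = preds != true_labels
    return float(probs[wrong, preds[wrong]].mean()) if wrong.any() else 0.0

logits = np.array([[4.0, 0.0, 0.0],   # correctly classified, ignored
                   [0.0, 3.0, 0.0]])  # misclassified as class 1
print(acac(logits, np.array([0, 0])))  # ~0.909
```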

Evaluation of Adversarial Defenses
In this section, we evaluate the models trained with defense methods, including AT, TRADES, ATFBF, RoCL, ACL, and UACL, as well as those with composite defenses and those with no defense but a pretraining method, namely SimCLR and BYOL. Furthermore, we evaluate models trained with fewer data to simulate situations in which data are insufficient.
The classification results of the adversarial defenses against the standard attack are presented in Tables 9 and 10. Models with defenses are significantly more robust than no-defense models. AT-based defenses obtain stable adversarial accuracy, especially in the face of perturbations with significant power; their robust accuracy decreases very little, but at the expense of standard accuracy. Adversarial contrastive pretraining defenses can improve robustness while hardly reducing standard accuracy; this low-cost method for enhancing model robustness has potential in SAR target recognition tasks. Compared with a standard model, UACL increases robust accuracy by 78.90% at the cost of only a 2.56% decline in standard accuracy. Compared with AT-based defense methods, UACL behaves better in the classification of clean data.
The comprehensive evaluation results of the adversarial defenses against different adversarial attacks are presented in Tables 11 and 12. It can be seen that the robustness of the models is transferable: a model that is robust to PGD has a high probability of being robust against other attacks. AT-based defenses perform well in defending against gradient-based attacks, while adversarial contrastive pretraining defenses perform better against boundary-based attacks. As for sparseness-based attacks and black-box attacks, the two kinds of defenses perform similarly. Compared with TRADES, UACL yields notable improvements in standard accuracy (by 4.24%) and robust accuracy under PGD (by 0.05%), which makes UACL more appealing than the baselines for SAR target recognition. Moreover, it is noteworthy that combining UACL with ATFBF or TRADES leads to the best robustness against almost all kinds of attacks; composite defense has a unique advantage in enhancing robustness. The comprehensive evaluation results of MSTAR and FUSAR-Ship classification against different adversarial attacks are presented in Tables 13 and 14.
According to ACAC, RCAC, and NTE, the defense methods not only improve the adversarial accuracy of the models but also reduce the confidence in the error class during adversarial classification. From the TKNC results, we can see that adversarial contrastive pretraining defenses enhance the overall activation of the model more than AT-based defenses; a more active model often indicates higher robustness. To further investigate the relation between attack strength and robust accuracy, we utilized the standard adversarial attack (L∞ PGD) with different attack strengths to attack the DNN models. As shown in Figures 7 and 8, adversarial contrastive pretraining defenses, especially UACL, behave better than AT-based defense methods against attacks of low strength, while AT-based defense methods maintain steady robust accuracy as the attack strength increases. UACL combined with an AT-based defense leads to stable and excellent robust accuracy at all attack strengths.
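An attack-strength sweep of this kind can be sketched as follows; a single-step FGSM attack stands in for PGD to keep the example short, and the untrained linear model is a placeholder for the defended classifiers.

```python
import torch
import torch.nn as nn

def fgsm(model, x, y, eps):
    """Single-step L_inf attack (FGSM), standing in for PGD in this sketch."""
    x = x.clone().requires_grad_(True)
    loss = nn.functional.cross_entropy(model(x), y)
    grad = torch.autograd.grad(loss, x)[0]
    return (x + eps * grad.sign()).clamp(0, 1).detach()

def robust_accuracy(model, x, y, eps):
    x_adv = fgsm(model, x, y, eps)
    with torch.no_grad():
        preds = model(x_adv).argmax(1)
    return (preds == y).float().mean().item()

# Untrained stand-in classifier; eps values span weak to strong attacks
model = nn.Sequential(nn.Flatten(), nn.Linear(16 * 16, 10))
x, y = torch.rand(32, 1, 16, 16), torch.randint(0, 10, (32,))
curve = {eps: robust_accuracy(model, x, y, eps)
         for eps in (1/255, 2/255, 4/255, 8/255)}
```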
Given the lack of labeled SAR image data, we also attempted to enhance robustness with a single defense method using only 10% of the labeled data and attacked the models with PGD, as shown in Table 15. Defenses, especially AT-based defenses, reduce standard accuracy sharply when labeled data are inadequate, whereas adversarial contrastive pretraining defenses are significantly better. Adversarial contrastive pretraining defenses also perform better in the classification of adversarial examples than all AT-based defense methods; therefore, they should be given priority in the absence of sufficient data. What, then, are the advantages of UACL compared with other adversarial contrastive pretraining defenses such as RoCL and ACL? UACL is faster. The time taken by RoCL, ACL, and UACL to pretrain the model with all data for 200 epochs in our experimental setting is shown in Table 16. We can see that UACL is much faster than RoCL and ACL, as it benefits from the abandonment of negative pairs.
Remote Sens. 2021, 13, 4158

Visualization of DNNs
To further understand how the defenses improve robust representations, we used guided backpropagation [27] and extremal perturbations [28] to visualize which regions of the input drive the models' predictions.
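Guided backpropagation is commonly implemented by additionally clamping the gradient flowing back through each ReLU to be non-negative; the sketch below shows this hook-based pattern (a generic implementation, not the authors' code).

```python
import torch
import torch.nn as nn

def guided_backprop(model, x, target_class):
    """Saliency via guided backpropagation: clamp the gradient passing
    back through every ReLU to be non-negative, then backprop the score
    of the target class to the input."""
    handles = [m.register_full_backward_hook(
                   lambda mod, gin, gout: (gin[0].clamp(min=0),))
               for m in model.modules() if isinstance(m, nn.ReLU)]
    x = x.clone().requires_grad_(True)
    model(x)[0, target_class].backward()
    for h in handles:
        h.remove()  # restore ordinary backpropagation
    return x.grad

model = nn.Sequential(nn.Flatten(), nn.Linear(64, 32), nn.ReLU(),
                      nn.Linear(32, 10))
saliency = guided_backprop(model, torch.rand(1, 1, 8, 8), target_class=3)
```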


Conclusions
Robustness is important for SAR target recognition tasks. Although DNNs have achieved great success in SAR target recognition tasks, previous studies have shown that DNN models can be easily fooled by adversarial examples. In this paper, we first systematically evaluated the threat of adversarial examples to DNN-based SAR target recognition models. To alleviate the vulnerability of models to adversarial examples, we then introduced adversarial contrastive pretraining defense into SAR target recognition and proposed a novel unsupervised adversarial contrastive learning defense method. Our experimental results demonstrate that adversarial contrastive pretraining defenses behave well in the classification of both clean data and adversarial examples compared with AT-based defenses, and have great potential to be used in practical applications. Potential future work should include an investigation of the influence of adversarial attacks and defenses on other SAR image datasets and the incorporation of more diverse adversarial self-supervised learning methods.
