Deep neural networks have recently achieved promising performance in vein recognition and show an increasing trend of application; however, they are vulnerable to adversarial perturbation attacks, in which imperceptible perturbations added to the input cause incorrect recognition. To address this issue, we propose a novel defense model named MsMemoryGAN, which aims to filter the perturbations from adversarial samples before recognition. First, we design a multi-scale autoencoder to achieve high-quality reconstruction, together with two memory modules that learn the detailed patterns of normal samples at different scales. Second, we investigate a learnable metric in the memory module to retrieve the memory items most relevant to reconstructing the input image. Finally, a perceptual loss is combined with the pixel loss to further enhance the quality of the reconstructed image. During training, MsMemoryGAN learns to reconstruct the input using only a few prototypical elements of the normal patterns recorded in the memory. At test time, given an adversarial sample, MsMemoryGAN retrieves the most relevant normal patterns from memory for the reconstruction. The perturbations in the adversarial sample are usually not reconstructed well, so the input is purified of adversarial perturbations. We have conducted extensive experiments on two public vein datasets under different adversarial attack methods to evaluate the performance of the proposed approach. The experimental results show that our approach removes a wide variety of adversarial perturbations, allowing vein classifiers to achieve the highest recognition accuracy.
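A minimal sketch of the memory-addressing step the abstract describes, added here as an illustration and not the paper's code: cosine similarity stands in for the paper's learnable metric, a MemAE-style hard-shrinkage step is assumed for sparse addressing, and the memory items and feature vectors are constructed toy values. It shows why a perturbation component that no stored normal pattern can express is dropped by the reconstruction.

```python
import math

# Constructed toy memory: three prototype feature vectors standing in for
# the "normal patterns" a trained memory module would have recorded.
MEMORY = [
    [1.0, 0.0, 0.0, 0.0],
    [0.0, 1.0, 0.0, 0.0],
    [0.0, 0.0, 1.0, 0.0],
]

def cosine(a, b):
    """Cosine similarity; assumed here as a stand-in for the paper's learnable metric."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def address(z, memory, tau=0.1, shrink=0.02):
    """Soft addressing over memory items, then hard shrinkage (assumed, MemAE-style)
    so that only a few prototypes contribute to the reconstruction."""
    logits = [cosine(z, m) / tau for m in memory]
    peak = max(logits)
    exps = [math.exp(l - peak) for l in logits]      # numerically stable softmax
    total = sum(exps)
    w = [e / total for e in exps]
    w = [max(wi - shrink, 0.0) for wi in w]          # drop weak matches
    s = sum(w)
    return [wi / s for wi in w] if s > 0 else w

def reconstruct(z, memory=MEMORY, **kw):
    """Rebuild the query as a weighted sum of the retrieved memory items."""
    w = address(z, memory, **kw)
    return [sum(wi * m[j] for wi, m in zip(w, memory)) for j in range(len(z))]

def l2(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def purification_gain(normal, perturbed, memory=MEMORY, **kw):
    """Return (distance of the perturbed query from the normal one,
    distance of its memory-based reconstruction from the normal one)."""
    return l2(perturbed, normal), l2(reconstruct(perturbed, memory, **kw), normal)

if __name__ == "__main__":
    normal = [1.0, 0.0, 0.0, 0.0]          # constructed clean feature
    perturbed = [1.0, 0.3, 0.0, 0.3]       # constructed perturbed feature
    before, after = purification_gain(normal, perturbed)
    print(f"perturbation norm {before:.3f} -> residual after reconstruction {after:.3e}")
```

The fourth coordinate of the perturbed query lies outside the span of every memory item, so no choice of addressing weights can reproduce it; the in-span part is suppressed by the sparse addressing.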