尹宋佳,任亚唯,杜荐之

• 1:北京信息科技大学计算机学院

摘要(Abstract)：

为提升遥感图像目标检测模型在对抗攻击下的鲁棒性与效率，提出了一种结合粒子群优化（particle swarm optimization, PSO）与AdamW优化器的对抗补丁生成方法PSO-AdamW。该方法采用“PSO全局搜索+AdamW局部精细优化”的两阶段优化框架，并在PSO阶段引入余弦退火算法动态调整惯性权重，以兼顾全局探索与收敛速度。PSO用于快速寻找高质量补丁初始解，AdamW利用梯度更新和L_2正则化进行精细化调整，同时联合目标损失、不可打印性分数损失和全变差损失进行优化，从而在攻击性与隐蔽性之间实现平衡。实验结果表明，PSO-AdamW在公开遥感数据集DOTAv1.5及自建沙盘数据集上均显著优于现有方法，在攻击性能和跨场景迁移能力方面表现出优势。进一步地，物理域实验验证了该方法在真实场景中对检测算法的稳定干扰效果，展现出良好的物理可实现性与应用潜力。

关键词(KeyWords)： 遥感图像;对抗样本;PSO粒子群优化;AdamW优化器

Abstract:

Keywords:

基金项目(Foundation): 慧眼行动（F2B6A194）

作者(Author): 尹宋佳,任亚唯,杜荐之

DOI: 10.16508/j.cnki.11-5866/n.2025.05.002

参考文献(References)：

• [1] SZEGEDY C,ZAREMBA W,SUTSKEVER I,et al. Intriguing properties of neural networks[EB/OL].(2014-02-19)[2025-07-15]. https：//arxiv. org/abs/1312. 6199.
• [2] GOODFELLOW I J,SHLENS J,SZEGEDY C. Explaining and harnessing adversarial examples[EB/OL].(2015-03-20)[2025-07-15]. https：//arxiv. org/abs/1412. 6572.
• [3] MADRY A,MAKELOV A,SCHMIDT L,et al. Towards deep learning models resistant to adversarial attacks[EB/OL].(2019-09-04)[2025-07-15]. https：//arxiv. org/abs/1706. 06083.
• [4] MOOSAVI-DEZFOOLI S M,FAWZI A,FROSSARD P.DeepFool:a simple and accurate method to fool deep neural networks[C]//2016 IEEE Conference on Computer Vision and Pattern Recognition(CVPR). Los Alamitos, CA, USA:IEEE Computer Society,2016:2574-2582.
• [5] CARLINI N,WAGNER D. Towards evaluating the robustness of neural networks[C]//2017 IEEE Symposium on Security and Privacy(SP). Los Alamitos, CA, USA:IEEE Computer Society,2017:39-57.
• [6] ZHANG Z J. Improved Adam optimizer for deep neural networks[C]//2018 IEEE/ACM 26th International Symposium on Quality of Service(IWQoS). New York, USA:IEEE,2018:1-2.
• [7] ZHOU P,XIE X Y,LIN Z C,et al. Towards understanding convergence and generalization of AdamW[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence,2024,46(9):6486-6493.
• [8] MARINI F,WALCZAK B. Particle swarm optimization(PSO). A tutorial[J]. Chemometrics and Intelligent Laboratory Systems,2015,149(Part B):153-165.
• [9] COELLO C A. An updated survey of GA-based multiobjective optimization techniques[J]. ACM Computing Surveys,2000,32(2):109-143.
• [10] CUI X X,CHANG S,LI C,et al. DEAttack:a differential evolution based attack method for the robustness evaluation of medical image segmentation[J]. Neurocomputing,2021,465:38-52.
• [11]邓欢，黄敏桓，李虎，等.物理对抗补丁攻击与防御技术研究综述[J].信息安全学报，2025,10(1):75-90.DENG H,HUANG M H,LI H,et al. A review on physical adversarial patch attacks and defenses techniques[J]. Journal of Cyber Security,2025,10(1):75-90.(in Chinese)
• [12] KURAKIN A,GOODFELLOW I J,BENGIO S. Adversarial Examples in the Physical World[M]//Artificial Intelligence Safety and Security. Boca Raton:Chapman and Hall/CRC,2018.
• [13] MAHENDRAN A,VEDALDI A. Understanding deep image representations by inverting them[C]//2015 IEEE Conference on Computer Vision and Pattern Recognition(CVPR). New York,USA:IEEE,2015:5188-5196.
• [14] SHARIF M,BHAGAVATULA S,BAUER L,et al. Accessorize to a crime:real and stealthy attacks on state-of-the-art face recognition[C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA:ACM,2016:1528-1540.
• [15] ATHALYE A,ENGSTROM L,ILYAS A,et al. Synthesizing robust adversarial examples[C]//Proceedings of the 35th International Conference on Machine Learning. San Diego, CA,USA:JMLR,2018:284-293.
• [16] ZHOU Y,SUN S Q,JIANG X,et al. DGA:direction-guided attack against optical aerial detection in camera shooting direction-agnostic scenarios[J]. IEEE Transactions on Geoscience and Remote Sensing,2024,62:5618522.
• [17] GUESMI A,BILASCO I M,SHAFIQUE M,et al. AdvART:adversarial art for camouflaged object detection attacks[EB/OL].(2024-02-09)[2025-07-18]. https：//arxiv. org/abs/2303. 01734.
• [18] HUANG J J,WANG Z Y,LIU T R,et al. DeMPAA:deployable multi-mini-patch adversarial attack for remote sensing image classification[J]. IEEE Transactions on Geoscience and Remote Sensing,2024,62:1-13.
• [19] LIAN J W,MEI S H,ZHANG S,et al. Benchmarking adversarial patch against aerial detection[J]. IEEE Transactions on Geoscience and Remote Sensing,2022,60:1-16.
• [20] SUN X X,CHENG G,LI H D,et al. Task-specific importanceawareness matters:on targeted attacks against object detection[J]. IEEE Transactions on Circuits and Systems for Video Technology,2024,34(11):11619-11629.
• [21]应凯泉，王家宝，潘志松，等.二维码对抗补丁加速生成方法[J/OL].计算机技术与发展，2025:1-10.(2025-06-18)[2025-08-10]. https：//doi. org/10. 20165/j. cnki. ISSN1673-629X. 2025. 0176.YING K Q,WANG J B,PAN Z S,et al. Accelerated generation method for QR codes adversarial patches[J/OL]. Computer Technology and Development,2025:1-10.(2025-06-18)[2025-08-10]. https：//doi. org/10. 20165/j. cnki. ISSN1673-629X. 2025. 0176.(in Chinese)