A traditional neural network cannot realize the invariance of image rotation and distortion well, so an attacker can fool the neural network by adding tiny disturbances to an image. If traffic signs are attacked, automatic driving will probably be misguided, leading to disastrous consequences. Inspired by the principle of human vision, this paper proposes a defense method based on an attentional mechanism for traffic sign adversarial samples. In this method, the affine coordinate parameters of the target objects in the images are extracted by a CNN, and then the target objects are redrawn by the coordinate mapping model. In this process, the key areas in the image are extracted by the attention mechanism, and the pixels are filtered by interpolation. Our model simulates the daily behavior of human beings, making it more intelligent in the defense against the adversarial samples. Experiments show that our method has a strong defense ability for traffic sign adversarial samples generated by various attack methods. Compared with other defense methods, our method is more universal and has a strong defense ability against a variety of attacks. Moreover, our model is portable and can be easily implanted into neural networks in the form of defense plug-ins.

传统的神经网络无法很好地实现图像旋转和畸变的不变性，因此攻击者可以通过在图像上添加微小的干扰来欺骗神经网络。如果交通标志受到攻击，自动驾驶可能会被误导，从而导致灾难性的后果。在人类视觉原理的启发下，提出了一种基于注意机制的交通标志对抗样本防御方法。在这种方法中，图像中的目标对象的仿射坐标参数由CNN提取，然后通过坐标映射模型重绘目标对象。在此过程中，图像中的关键区域通过注意力机制提取，并且像素通过插值进行滤波。我们的模型模拟了人类的日常行为，使它在对抗对抗样本方面更具智慧。实验表明，该方法对各种攻击方式产生的交通标志对抗样本具有较强的防御能力。与其他防御方法相比，我们的方法更具通用性，对各种攻击都有很强的防御能力。此外，我们的模型是便携式的，可以轻松地以防御性插件的形式植入到神经网络中。