
Methods of Attack to the Rail Transit Sign Identification Model based on Adv-watermark


【Author】 CHEN Jie; QIN Haonan; WANG Bingru; WANG Dejin; JIA Shijie

【Institution】 Automatic & Electrical Engineering Institute of Dalian Jiaotong University; Tianjin Rail Transit Operation Group Co., Ltd; Qingdao Metro Operation Co., Ltd

【Abstract】 Deep learning models are vulnerable to adversarial examples containing small perturbations, which cause them to output entirely wrong identification results. An attack on the image identification sensor of a driverless rail vehicle will lead it to make wrong judgments. Finding possible methods of adversarial attack on rail transit signs makes it possible to discover vulnerabilities in the identification model and improve the safety of the rail transit sign identification system. Image watermarks can be used for copyright protection, but adding a watermark to an image can also attack a neural network model. This article attacks a rail transit sign identification model based on the adversarial watermark (Adv-watermark). First, an appropriate adversarial watermark is made; the α fusion method is used to change the transparency of the watermark and add it to the rail transit sign image; the BH algorithm is then used to find the most appropriate attack position for the watermark. Watermarks of different transparencies and positions are input into a self-trained ResNet34 rail transit sign identification model for testing, to find the parameters that give the best attack effect. The highest attack success rate finally achieved against the model was 86%. The article is the first to combine the adversarial watermark with adversarial attacks on rail transit signs. The proposed attack method has relatively simple steps and a relatively inconspicuous attack effect, and provides a research basis for the safety problems of assisted driving systems for future driverless trains.

  • 【Source】 Intelligent Rail Transit (智慧轨道交通), 2024, Issue 05
  • 【Classification No.】 U29-39; TP18; TP391.41
  • 【Downloads】 28