A method for generating an adversarial sample of a SAR image and application

By correcting the gradient direction during the integrated gradient update process, high-quality SAR image adversarial examples are generated, which solves the problem of low attack success rate in black-box scenarios in existing technologies and achieves higher attack success rate and model robustness.

CN117710770BActive Publication Date: 2026-07-07HUAZHONG UNIV OF SCI & TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
HUAZHONG UNIV OF SCI & TECH
Filing Date
2023-12-18
Publication Date
2026-07-07

AI Technical Summary

Technical Problem

Existing technologies cannot generate high-quality SAR image adversarial examples in real-world black-box scenarios, resulting in a low attack success rate and affecting the accuracy of security detection.

Method used

By randomly selecting a portion of the ensemble model during the ensemble gradient update process, calculating the difference between the inner and outer loop gradients, and using a decay factor and a pruning function to correct the gradient direction, high-quality adversarial examples are generated.

Benefits of technology

It improves the attack success rate and security detection accuracy in black-box scenarios, enhances the robustness of the model, and can effectively defend against adversarial sample attacks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN117710770B_ABST
    Figure CN117710770B_ABST
Patent Text Reader

Abstract

The application discloses a kind of SAR image's adversarial sample generation method and application, belong to synthetic aperture radar automatic target recognition security technical field;The present application is based on the average value of using integral integrated gradient, by randomly selecting part of model in integrated model multiple times, and calculating the difference of the temporary adversarial sample gradient generated in inner and outer loop, to correct the outer loop integrated gradient, so that its update direction is more accurate, can generate high-quality adversarial samples in real black box scene, and then can improve the success rate of attack in black box attack, and then affect the accuracy of security detection, in addition, it can also be used to reinforce depth learning model, such as in the process of training model, by adding the generated adversarial sample in data set can further construct better model with robustness, and then can effectively defend the attack of adversarial sample.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of automatic target recognition security technology for synthetic aperture radar, and more specifically, relates to a method for generating adversarial samples for SAR images and its application. Background Technology

[0002] Synthetic Aperture Radar (SAR) is widely used in both civilian and military fields because it can emit microwaves and capture high-resolution radar images under various weather conditions. In recent years, with the development of artificial intelligence and machine learning, deep learning models have been widely applied in SAR target recognition tasks. However, Szegedy et al. demonstrated in 2014 that deep learning models are easily affected by carefully designed small adversarial perturbations added to clean samples. Therefore, researching the security and robustness of deep learning models for automatic target recognition of SAR images will be a challenging task.

[0003] Adversarial attacks are a common method used to study the security and robustness of deep learning models. Generally, adversarial attacks can be divided into two categories: white-box attacks and black-box attacks. White-box attacks involve attackers possessing detailed internal information about the target deep learning model, including its architecture, parameters, and training data. Black-box attacks, on the other hand, do not know this specific information and can only explore the model's behavior through experimentation and attempt to construct deceptive inputs to cause the model to make incorrect predictions. Because SAR (Automatic Target Recognition) tasks, whether in military or civilian applications, inherently possess high levels of secrecy, attackers find it difficult to obtain information about the deep learning model used. Therefore, in real-world scenarios, black-box attacks are often more suitable for SAR automatic target recognition tasks.

[0004] In black-box attacks, the quality of the generated adversarial examples determines the success rate of the attack, thus affecting the accuracy of security detection. In addition, adversarial examples can be used to strengthen deep learning models. For example, during model training, adding perturbed samples to the dataset can build a more robust model that can effectively defend against adversarial attacks.

[0005] A common black-box attack method is model ensemble attack, which integrates multiple different source models or data to generate adversarial examples with strong generalization ability. Common methods include MI-FGSM and SVRE. MI-FGSM proposes to use multiple models to output samples, then integrate the output logit or p to obtain the final logit or p, and finally use momentum attack methods to generate adversarial examples. SVRE uses variance reduction to randomly select models to correct the average gradient direction, thereby improving the transferability of adversarial examples.

[0006] However, in the aforementioned adversarial attack methods, since the integrated gradients used assign the same weights to the output of each model without considering the gradient differences caused by model structure differences, there are significant differences between the initial and final gradient directions when generating adversarial examples on SAR data, making it impossible to generate high-quality adversarial examples in real-world black-box scenarios. Summary of the Invention

[0007] In view of the above-mentioned defects or improvement needs of the existing technology, the present invention provides a method and application for generating adversarial examples of SAR images, so as to solve the technical problem that the existing technology cannot generate high-quality adversarial examples in real black box scenarios.

[0008] To achieve the above objectives, in a first aspect, the present invention provides a method for generating adversarial examples for SAR images, comprising:

[0009] S1. Let t = 0; for any pre-acquired SAR image sample x carrying a target identification tag y, the corresponding outer loop adversarial sample... Initialize to x; initialize the outer loop integrated gradient.

[0010] S2. Calculate the model pairs in the ensemble model respectively. The gradient is calculated, and the average value of each gradient is also calculated.

[0011] S3. Set m = 0; then add the inner loop adversarial sample. Initialize to Initialize the inner loop integrated gradient

[0012] S4. Randomly select multiple models from the ensemble model; calculate the pair of each selected model. The gradient is calculated, and the average value is obtained to obtain the average gradient of the inner loop. Calculate each selected model pair separately The gradient is calculated, and the average value is obtained to obtain the average gradient of the outer loop. by The normalized result is used as the update direction to update the integrated gradient of the inner loop, resulting in... Then update the inner loop adversarial example to obtain

[0013] S5. Determine if m is less than M. If yes, let m = m + 1 and go to step S4; otherwise, go to step S6; M is a positive integer.

[0014] S6, with The normalized result is used as the update direction to update the outer loop integrated gradient, resulting in... Then update the outer loop adversarial examples to obtain

[0015] S7. Determine if t is less than T. If so, let t = t + 1 and go to step S2. Otherwise, take the last obtained outer loop adversarial sample as the adversarial sample corresponding to x. T is a positive integer.

[0016] More preferably, in step S4, Where μ is the attenuation factor; ||·||1 represents the first norm.

[0017] More preferably, in step S4, Where α is the preset step size; sign(·) represents the sign function; and Clip{·} is the clipping function.

[0018] More preferably, in step S6, Where μ is the attenuation factor; ||·||1 represents the first norm.

[0019] More preferably, in step S6, Where α is the preset step size; sign(·) represents the sign function; and Clip{·} is the clipping function.

[0020] More preferably, in step S2, Where K is the total number of models in the ensemble model; Let be the loss function for the automatic identification task of SAR images, representing the loss function of SAR images. The difference between the target recognition result obtained by automatic target recognition of SAR images after inputting into the k-th model in the ensemble model and the target recognition label y.

[0021] More preferably, in step S4, Where N is the total number of selected models; Indicates will The difference between the target recognition result obtained by automatic target recognition of SAR image after inputting into the nth model in the selected model and the target recognition label y; Indicates will The difference between the target recognition result obtained by automatic target recognition of SAR image after inputting into the nth model in the selected model and the target recognition label y.

[0022] Secondly, the present invention provides a security assessment method for an automatic target recognition model for SAR images, comprising:

[0023] For each SAR image sample in the pre-collected SAR sample dataset, the adversarial sample generation method provided in the first aspect of the present invention is used to generate a corresponding adversarial sample; each adversarial sample is input into the SAR automatic target recognition model to be evaluated to obtain the corresponding target recognition result;

[0024] The accuracy of the identification results is calculated by comparing the differences between the identification results of each adversarial example and the corresponding real results; the higher the accuracy of the identification results, the better the security of the SAR automatic target identification model.

[0025] Thirdly, the present invention provides a security assessment method system for an automatic target recognition model of SAR, comprising: a memory and a processor, wherein the memory stores a computer program, and the processor executes the security assessment method provided in the second aspect of the present invention when executing the computer program.

[0026] Fourthly, the present invention also provides a computer-readable storage medium comprising a stored computer program, wherein, when the computer program is executed by a processor, it controls the device where the storage medium is located to execute the adversarial example generation method for SAR images provided in the first aspect of the present invention and / or the security assessment method provided in the second aspect of the present invention.

[0027] In summary, the above-described technical solutions conceived in this invention can achieve the following beneficial effects:

[0028] 1. This invention provides a method for generating adversarial examples for SAR images, using the overall ensemble gradient average. Based on this, by randomly selecting some models in the ensemble model multiple times and calculating the differences between them and the gradients of the temporary adversarial examples generated in the inner and outer loops, the gradient of the outer loop ensemble is corrected, making its update direction more accurate and enabling the generation of high-quality adversarial examples in real-world black-box scenarios.

[0029] 2. Furthermore, the adversarial example generation method provided by the present invention can stabilize the direction of gradient update by adding a decay factor to the gradient iteration process. At the same time, after considering the difference between the initial and final perturbation directions, it makes full use of future gradient information to guide the current gradient iteration process, thereby further improving the quality of adversarial examples generated in real black-box scenarios.

[0030] 3. Furthermore, the adversarial example generation method provided by this invention can improve the success rate of attacks in black-box attacks, thereby affecting the accuracy of security detection; in addition, it can also be used to strengthen deep learning models. For example, during the training process, if the generated adversarial examples are added to the dataset, a more robust model can be built, thereby effectively defending against adversarial example attacks.

[0031] 4. Furthermore, the adversarial example generation method provided by this invention can not only improve the success rate of migration attacks in black-box scenarios, but also improve the success rate of white-box attacks. It is an effective method for evaluating the security and robustness of SAR automatic identification models. Attached Figure Description

[0032] Figure 1 A flowchart of the adversarial sample generation method for SAR images provided by the present invention;

[0033] Figure 2 A flowchart of an adversarial example generation method for SAR images provided in an embodiment of the present invention;

[0034] Figure 3 The attack success rate curves of the adversarial sample generation method provided by this invention under different perturbation sizes. Detailed Implementation

[0035] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention. Furthermore, the technical features involved in the various embodiments of this invention described below can be combined with each other as long as they do not conflict with each other.

[0036] Firstly, the present invention provides a method for generating adversarial examples for SAR images, such as... Figure 1 As shown, it includes:

[0037] S1. Let t = 0; for any pre-acquired SAR image sample x carrying a target identification tag y, the corresponding outer loop adversarial sample... Initialize to x; initialize the outer loop integrated gradient.

[0038] S2. Calculate the model pairs in the ensemble model respectively. The gradient is calculated, and the average value of each gradient is also calculated.

[0039] S3. Set m = 0; then add the inner loop adversarial sample. Initialize to Initialize the inner loop integrated gradient

[0040] S4. Randomly select multiple models from the ensemble model; calculate the pair of each selected model. The gradient is calculated, and the average value is obtained to obtain the average gradient of the inner loop. Calculate each selected model pair separately The gradient is calculated, and the average value is obtained to obtain the average gradient of the outer loop. by The normalized result is used as the update direction, and the gradient update formula in the gradient-based iterative attack method is used to update the inner loop ensemble gradient, resulting in... Then update the inner loop adversarial example to obtain

[0041] S5. Determine if m is less than M. If yes, let m = m + 1 and go to step S4; otherwise, go to step S6; M is a positive integer.

[0042] S6, with The normalized result is used as the update direction, and the gradient update formula in the gradient-based iterative attack method is used to update the outer loop ensemble gradient, resulting in... Then update the outer loop adversarial examples to obtain

[0043] S7. Determine if t is less than T. If so, let t = t + 1 and go to step S2. Otherwise, take the last obtained outer loop adversarial sample as the adversarial sample corresponding to x. T is a positive integer.

[0044] This invention employs a gradient-based iterative attack method to update the inner loop ensemble gradient, and correspondingly, solves for the average value. Inner circulation average gradient and the average gradient of the outer circulation The method depends on the gradient-based iterative attack method used. There are various gradient-based iterative attack methods, including FGSM, I-FGSM, MI-FGSM, NI-FGSM, etc.; different gradient-based iterative attack methods have different gradient update formulas and corresponding average values. Inner circulation average gradient and the average gradient of the outer circulation The solution methods also differ, but all are applicable here. In this invention, an iterative attack method based on gradient and momentum, such as MI-FGSM and NI-FGSM, is preferred. Specifically, in step S4, Where μ is the attenuation factor; ||·||1 represents the first norm.

[0045] Where α is the preset step size; sign(·) represents the sign function; Clip{·} is the clipping function, which can represent that for each pixel value within ·, if it is less than the minimum pixel value of x, it is adjusted to the minimum pixel value of x; if it is greater than the maximum pixel value of x, it is adjusted to the maximum pixel value of x; Clip{·} can also be... This indicates that the · is processed so that the output image is located within [x-ε, x+ε], where ε is the preset maximum perturbation.

[0046] In step S6, Where μ is the attenuation factor; ||·||1 represents the first norm.

[0047] Where α is the preset step size; sign(·) represents the sign function; Clip{·} is the clipping function, which means that for each pixel value within ·, if it is less than the minimum pixel value of x, it is adjusted to the minimum pixel value of x; if it is greater than the maximum pixel value of x, it is adjusted to the maximum pixel value of x. Clip{·} can also be... This indicates that the · is processed so that the output image is located within [x-ε, x+ε], where ε is the preset maximum perturbation.

[0048] Solving for the average value Inner circulation average gradient and the average gradient of the outer circulation The method depends on the gradient-based iterative attack method used. The following example uses MI-FGSM:

[0049] In step S2, Where K is the total number of models in the ensemble model; Let be the loss function for the automatic identification task of SAR images, representing the loss function of SAR images. The difference between the target recognition result obtained by automatic target recognition of SAR images after inputting into the k-th model in the ensemble model and the target recognition label y.

[0050] More preferably, in step S4, Where N is the total number of selected models; Indicates will The difference between the target recognition result obtained by automatic target recognition of SAR image after inputting into the nth model in the selected model and the target recognition label y; Indicates will The difference between the target recognition result obtained by automatic target recognition of SAR image after inputting into the nth model in the selected model and the target recognition label y.

[0051] The models in the above ensemble model are deep learning models for the automatic recognition of SAR images. They can be CNN, AConvNet, ResNet-18, VGG-16, Inception-v3, ResNet-50, Inception-ResNetV2, etc., and there are no restrictions here.

[0052] It should be noted that if other gradient-based attack methods such as FGSM, I-FGSM, or NI-FGSM are chosen, the form of the update formula remains the same; the only difference lies in calculating the average value. Inner circulation average gradient and the average gradient of the outer circulation The method involves adaptive replacement based on the update formula in the corresponding attack method. For example, if NI-FGSM is used, then... The only difference is that it adopts Alternative The only difference is that it adopts Alternative The only difference is that it adopts Alternative

[0053] To further illustrate the adversarial example generation method for SAR images provided by this invention, a specific embodiment is described in detail below:

[0054] This embodiment provides an adversarial example generation method based on model ensemble, denoted as the DEGA method; this embodiment selects MI-FGSM as a gradient-based iterative attack method.

[0055] like Figure 2 As shown, the specific steps are as follows:

[0056] Step 1: Input a clean SAR sample dataset X = {x1, x2, ... x} n} and the corresponding label set Y = {y1, y2, ... y n}

[0057] Step 2: For each clean sample, initialize its corresponding outer loop adversarial sample to be the same as the clean sample, i.e.: And initialize the outer loop integrated gradient. In this embodiment, the number of iterations T = 10, and the initial value t = 0.

[0058] Step 3: Calculate the average gradient of the ensemble model with respect to the t-th generated outer loop adversarial example, i.e.: In this embodiment, the number of models K = 6.

[0059] Step 4: For the inner loop adversarial example, initialize its value to be the same as the outer loop adversarial example, i.e. Simultaneously initialize the inner loop integrated gradient:

[0060] Step 5: First, randomly select N models from the ensemble model. In this embodiment, the number of randomly selected models is N = 2.

[0061] Steps 6 and 7: Calculate the gradient of the inner loop ensemble model with respect to the adversarial examples in the inner and outer loops during the m-th round of the inner loop:

[0062]

[0063]

[0064] Step 8: Update the momentum of the (m+1)th round of the inner loop according to the momentum formula:

[0065]

[0066] The attenuation factor μ collects the gradients from the first m iterations. In this embodiment, the attenuation factor μ = 1.

[0067] Step 9: Update the inner loop adversarial sample:

[0068]

[0069] In this embodiment, the value of α is the perturbation magnitude divided by the iteration number T, that is: It is used to control the size of the adversarial examples updated in each iteration loop.

[0070] Step 10: Determine if m is less than the iteration number M. If yes, execute m = m + 1 and return to step 5; otherwise, output the current adversarial sample to the outer loop and proceed to step 11. In this embodiment, M is 16.

[0071] Step 11: Update external circulation momentum:

[0072]

[0073] The decay factor μ collects the gradients from the previous t iterations. In this embodiment, the decay factor μ = 1.

[0074] Step 12: Update the outer loop adversarial example:

[0075]

[0076] In this embodiment, the value of α is the perturbation magnitude divided by the iteration number T, that is: It is used to control the size of the adversarial examples updated in each iteration loop.

[0077] Step 13: Determine if t is less than T. If yes, execute t = t + 1 and return to step 3. If no, output and save the current outer loop adversarial sample.

[0078] Specifically, for the input sample x, the pseudocode for generating SAR image adversarial examples is shown in Table 1.

[0079] Table 1

[0080]

[0081] To further illustrate the performance of the adversarial example generation method provided by this invention in model security detection, a specific experimental example is analyzed below:

[0082] This experimental example uses the typical SAR target dataset MSTAR (The Moving and Stationary Target Acquisition and Recognition). The MSTAR dataset was collected and released by Sandia National Laboratories in the United States. It contains various ground targets and variants captured by synthetic aperture radar, different scenes and observation conditions, and variations in rotation angle and grazing angle. The example uses the Standard Operating Conditions (SOCs) dataset constructed from MSTAR. The adversarial example generation method provided in this invention is used to attack the model under different perturbation sizes to test the model's security.

[0083] Table 2 shows a comparison of the attack success rates between the Adversarial Example Generation (DEGA) method provided by this invention and ordinary ensemble attack methods. The experiments used seven SAR intelligent recognition models: Resnet-18, Resnet-50, Inc-v3, IncRes-v2, VGG-16, AConvNet, and ResNeXt-50. When testing the black-box attack effectiveness of each model, all other models were selected as source models for ensemble (for example, when testing the black-box attack effectiveness against the target model VGG-16 network, Resnet-18, Resnet-50, Inc-v3, IncRes-v2, AConvNet, and ResNeXt-50 were selected as source models). Furthermore, the DEGA provided by this invention can integrate update formulas from different gradient-based iterative attack methods. Under the DEGA framework provided by this invention, update formulas from MI-FGSM, TIM, DIM, TI-DIM, and SI-TI-DIM iterative attack methods were used for adversarial attacks. As can be seen from Table 2, among all methods, the success rate of DEGA attacks provided by this invention is consistently better than that of ordinary integrated attack methods. Specifically, the success rates of attacks based on the update formulas in MI-FGSM, TIM, DIM, TI-DIM, and SI-TI-DIM are improved by an average of 5.36%, 11.75%, 4.39%, 4.10%, and 3.72%, respectively.

[0084] Table 2

[0085]

[0086]

[0087] Furthermore, such as Figure 3 The figure shows the attack success rate curves of the Adversarial Example Generation Method (DEGA) provided by this invention under different perturbation sizes; where the x-axis represents the total number N of models selected in the inner loop (values ​​include 0, 1, 2, 3), and the y-axis represents the attack success rate. Adversarial examples are created on networks other than VGG16, specifically N randomly selected from ResNet-18, ResNet-50, Inc-v3, IncRes-v2, AConvNet, and ResNeXt-50. Figure 3It can be seen that the success rate of the DEGA method against SAR intelligent identification networks increases with the number of internal models. When N is 2, the average success rate of migration attacks under the update formulas in MI-FGSM and TIM reaches 83.96% and 84.29%, respectively; when N is 3, the average success rate of migration attacks under the update formulas in DIM, TI-DIM, and SI-TI-DIM reaches 82.07%, 83.47%, and 80.09%, respectively. This demonstrates that the adversarial example generation method provided by this invention exhibits superior attack migration capabilities in real-world black-box scenarios.

[0088] In summary, this invention aims to improve the attack performance of SAR automatic target recognition models in real-world black-box scenarios by utilizing the relevant characteristics of SAR images. This invention can effectively generate SAR image adversarial samples with a high attack success rate, thereby effectively deceiving SAR automatic target recognition models in black-box scenarios. This invention has the following advantages: (1) It is more in line with the characteristics of SAR data and is suitable for military and civilian SAR-ATR practical application scenarios; (2) It performs well in black-box attacks and fully considers the strategies of attackers to improve the attack success rate when lacking detailed information about the target model; (3) It has stronger adaptability and robustness and can cope with different target models and defense strategies.

[0089] This invention fully considers attackers' strategies to increase attack success rates when detailed target model information is lacking, and the generated adversarial examples achieve better attack performance compared to existing benchmark methods. This invention is more consistent with the characteristics of SAR image data and can play a better role in practical military and civilian SAR-ATR applications.

[0090] Secondly, the present invention provides a security assessment method for an automatic target recognition model for SAR images, comprising:

[0091] For each SAR image sample in the pre-collected SAR sample dataset, the adversarial sample generation method provided in the first aspect of the present invention is used to generate a corresponding adversarial sample; each adversarial sample is input into the SAR automatic target recognition model to be evaluated to obtain the corresponding target recognition result;

[0092] The accuracy of the identification results is calculated by comparing the differences between the identification results of each adversarial example and the corresponding real results; the higher the accuracy of the identification results, the better the security of the SAR automatic target identification model.

[0093] The related technical solutions are the same as the adversarial example generation method provided in the first aspect of this invention, and will not be described in detail here.

[0094] Thirdly, the present invention provides a security assessment method system for an automatic target recognition model of SAR, comprising: a memory and a processor, wherein the memory stores a computer program, and the processor executes the security assessment method provided in the second aspect of the present invention when executing the computer program.

[0095] The relevant technical solutions are the same as the safety assessment method provided in the second aspect of this invention, and will not be described in detail here.

[0096] Fourthly, the present invention also provides a computer-readable storage medium comprising a stored computer program, wherein, when the computer program is executed by a processor, it controls the device where the storage medium is located to execute the adversarial example generation method for SAR images provided in the first aspect of the present invention and / or the security assessment method provided in the second aspect of the present invention.

[0097] The related technical solutions are the same as the adversarial sample generation method provided in the first aspect of this invention and the security assessment method provided in the second aspect of this invention, and will not be described in detail here.

[0098] Those skilled in the art will readily understand that the above description is merely a preferred embodiment of the present invention and is not intended to limit the present invention. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

Claims

1. A method for generating adversarial examples for SAR images, characterized in that, include: S1, Let t = 0; For any pre-acquired SAR image sample x carrying a target identification tag y, the corresponding outer loop adversarial sample will be... Initialize to x; initialize the outer loop integrated gradient. S2. Calculate the model pairs in the ensemble model respectively. The gradient is calculated, and the average value of each gradient is also calculated. S3. Let m = 0; Internal loop adversarial examples Initialize to Initialize the inner loop integrated gradient S4. Randomly select multiple models from the ensemble model; calculate the pair of each selected model. The gradient is calculated, and the average value is obtained to obtain the average gradient of the inner loop. Calculate each selected model pair separately The gradient is calculated, and the average value is obtained to obtain the average gradient of the outer loop. by The normalized result is used as the update direction to update the integrated gradient of the inner loop, resulting in... Then update the inner loop adversarial example to obtain S5. Determine if m is less than M. If yes, let m = m + 1 and go to step S4; otherwise, go to step S6; M is a positive integer. S6, with The normalized result is used as the update direction to update the outer loop integrated gradient, resulting in... Then update the outer loop adversarial examples to obtain S7. Determine if t is less than T. If so, let t = t + 1 and go to step S2. Otherwise, take the last obtained outer loop adversarial sample as the adversarial sample corresponding to x. T is a positive integer.

2. The adversarial example generation method according to claim 1, characterized in that, In step S4, Where μ is the attenuation factor; ||·||1 represents the first norm.

3. The adversarial example generation method according to claim 2, characterized in that, In step S4, Where α is the preset step size; sign(·) represents the sign function; and Clip{·} is the clipping function.

4. The adversarial example generation method according to any one of claims 1-3, characterized in that, In step S2, Where K is the total number of models in the ensemble model; Let be the loss function for the automatic identification task of SAR images, representing the loss function of SAR images. The difference between the target recognition result obtained by automatic target recognition of SAR images after inputting into the k-th model in the ensemble model and the target recognition label y.

5. The adversarial example generation method according to any one of claims 1-3, characterized in that, In step S4, Where N is the total number of selected models; Indicates will The difference between the target recognition result obtained by automatic target recognition of SAR image after inputting into the nth model in the selected model and the target recognition label y; Indicates will The difference between the target recognition result obtained by automatic target recognition of SAR image after inputting into the nth model in the selected model and the target recognition label y.

6. A security assessment method for an automatic target recognition model of SAR images, characterized in that, include: For each SAR image sample in the pre-collected SAR sample dataset, the adversarial sample generation method described in any one of claims 1-5 is used to generate a corresponding adversarial sample; each adversarial sample is input into the SAR automatic target recognition model to be evaluated to obtain the corresponding target recognition result; The accuracy of the identification results is calculated by comparing the differences between the identification results of each adversarial example and the corresponding real results. A higher accuracy rate in the identification results indicates better security of the SAR automatic target identification model.

7. A security assessment method system for an automatic target recognition model of SAR, characterized in that, include: A memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the security assessment method of claim 6.

8. A computer-readable storage medium, characterized in that, The computer-readable storage medium includes a stored computer program, wherein, when the computer program is executed by a processor, it controls the device where the storage medium is located to perform the adversarial example generation method for SAR images according to any one of claims 1-5 and / or the security assessment method according to claim 6.