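As deep learning technology continues to evolve, it has moved from research into practical applications and brought great convenience to people's lives. Nevertheless, when deep learning models face adversarial perturbations that are hard to perceive, they still misclassify, which degrades model performance. To improve the robustness of deep learning models, adversarial training is usually used to optimize the model. However, adversarial training requires a large amount of computing resources and model capacity, which makes adversarially trained models hard to deploy on edge devices and resource-constrained devices. To address the excessive parameter count of adversarially trained models, this paper makes the model lightweight from the angle of model pruning. By analyzing the frequency components of images and the model structure, this paper argues that adversarial perturbations are mainly concentrated in the high-frequency components of images, and that the scaling factor of a batch normalization layer reflects how much its channel has learned the high-frequency components of images. Based on this analysis, this paper proposes structured and unstructured pruning methods for adversarially trained models, so that the pruned model becomes lightweight and sparse. This paper also modifies the retraining procedure for pruned models, further improving their robustness through weight rewinding. Finally, this paper verifies the lottery ticket hypothesis in the field of adversarially trained model pruning.

The main research content of this paper includes:

By analyzing the frequency components of images and the model structure, this paper finds that the scaling factor of a batch normalization layer reflects how much its channel has learned the high-frequency components of images. This paper therefore proposes the structured pruning method “?-pruning” and the unstructured pruning method “effective weight pruning” for adversarially trained models, which effectively reduce the model's learning of high-frequency image components and thereby improve its robustness. Experiments show that, compared with other commonly used pruning methods, the proposed pruning methods better preserve the robustness of the pruned model under various attack methods and attack strengths.

This paper also modifies the retraining procedure for pruned models, replacing the common retraining approach of inheriting the pretrained model's parameters with weight rewinding, which further improves the robustness of the pruned model. In addition, based on weight rewinding, this paper combines structured and unstructured pruning into a fusion pruning method. With fusion pruning, the pruned model is both lightweight and sparse while keeping robustness close to that of the original model.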
With the continuous evolution of deep learning technology, it has moved from scientific research to practical application, bringing great convenience to people’s lives. Even so, when deep learning models deal with imperceptible adversarial perturbations, they still suffer from misclassification, which affects the models’ performance. To improve the robustness of deep learning models, adversarial training is usually used to optimize the model. However, adversarial training requires a large amount of computing resources and model capacity, which makes it difficult to deploy adversarially trained models to edge devices and resource-constrained devices. To solve the problem of too many parameters in the adversarially trained model, we make the model lightweight by model pruning. By analyzing the images’ frequency components and the model structure, this paper argues that adversarial perturbations are mainly concentrated in the high-frequency components of the images, and that the scaling factor of the batch normalization layer reflects how much its channel has learned the high-frequency components of the images. Based on this analysis, this paper proposes structured and unstructured pruning methods for adversarially trained models, so that the pruned model becomes lightweight and sparse. The retraining method for pruned models is also modified, and the robustness of the pruned model is improved by the weight rewinding method. Finally, we verify the lottery ticket hypothesis in the field of adversarial pruning.

The main contributions of this paper include:

Through the analysis of images’ frequency components and model structure, it is found that the scaling factor of the batch normalization layer reflects how much its channel has learned the high-frequency components of the images. Therefore, the structured pruning method “?-pruning” and the unstructured pruning method “effective weight pruning” are proposed to effectively reduce the model’s learning of high-frequency components and improve the robustness of the model. Experimental results show that the proposed pruning methods maintain the robustness of the pruned model under various attack modes and different attack intensities better than other pruning methods.

The retraining method for pruned models is modified: the weight rewinding method replaces the common retraining method that inherits the pretrained model’s parameters, which further improves the robustness of the pruned model. In addition, based on the weight rewinding method, a fusion pruning method is proposed by combining structured pruning and unstructured pruning. With fusion pruning, the pruned model can be lightweight, sparse and robust.