基于深度神经网络的多源遥感影像目标识别系统已逐步在空天遥感情报侦察、无人作战自主环境认知、多模复合末制导等多个军事场景中广泛应用。然而，由于深度学习理论上的不完备性、深度神经网络结构设计工程上的强复用性、以及多源成像识别系统在复杂电磁环境中易受到各类干扰等多因素的影响，使得现有识别系统在对抗攻击鲁棒性方面评估不足，存在极大安全隐患。本文首先从深度学习理论不完备性和识别系统攻击样式两个方面分析了潜在安全风险，并重点介绍了深度识别模型对抗样本攻击基本原理和典型方法。其次，针对光学遥感影像和SAR遥感影像两类典型数据形式，从鲁棒正确识别率和对抗攻击可解释性两个方面开展多源遥感影像深度识别模型对抗攻击鲁棒性评估，覆盖了9类常见深度识别网络架构和7类典型对抗样本攻击方法，验证了现有深度识别模型对抗攻击鲁棒性普遍不足的问题，分析了对抗样本与正常样本的多隐层特征激活差异，为下一步设计对抗样本检测算法和提升模型对抗鲁棒性提供参考。

Deep neural network based multiple source remote sensing image recognition systems have been widely used in many military scenarios such as aerospace intelligence reconnaissance, unmanned aerial vehicle for autonomous environmental cognition and multimode automatic target recognition systems. Deep learning models rely on the assumption that the training data and the testing data are from the same distribution. The performance drops under common corruption or adversarial attacks. In the remote sensing community, the adversarial robustness of deep neural network based recognition models have not received much attention. This raises great risks for many security-sensitive applications. This article evaluates the adversarial robustness of deep neural network based recognition models for multiple source remote sensing images. Firstly, we discuss the incompleteness of deep learning theory and reveal that there exist great security risks. The independent identical distribution assumption is often violated and the system performance cannot be guaranteed under adversarial scenarios. The whole process chain of deep neural network based image recognition system is then analyzed with respect to vulnerabilities. Secondly, we give a detailed introduction of several representative algorithms for adversarial example generation under both white-box settings and black-box settings. Gradient propagation based visualization method is also presented for the analysis of adversarial attacks. We perform a detailed evaluation of nine deep neural networks across two public available remote sensing images datasets. Both optical remote sensing images and SAR remote sensing images are used in our experiments. For each model, seven different perturbations, ranging from gradient based optimization to unsupervised feature distortion, are generated for each testing image. In all cases, we find that there is a significant drop of average classification accuracy between the original clean data and their adversarial images. Besides adversarial average recognition accuracy, feature attribution techniques have also been adopted to analyze the feature diffusion effect of adversarial attacks, which promotes the understanding of vulnerability of deep learning models. Experimental results demonstrate that all the deep neural networks have suffered great loss in terms of classification accuracy when the testing images are adversarial examples. Understanding this adversarial phenomena leads us to better understand the inner workings of deep learning models. Much efforts are needed to increase the adversarial robustness of deep learning models.