
Generalized Adversarial Attack And Defense For Deep Learning Models

Posted on: 2024-09-12
Degree: Doctor
Type: Dissertation
Country: China
Candidate: B Y Liu
Full Text: PDF
GTID: 1528306944464354
Subject: Information and Communication Engineering

Abstract/Summary:
In recent years, driven by the significant growth of annotated data and the rapid development of computational devices, deep learning technology has made groundbreaking advances. Deep learning models have been successfully applied in many practical scenarios, bringing convenience to people's lives. However, this also raises concerns about the security and privacy of deep learning models. Adversarial examples, which cause deep learning models to produce incorrect outputs through imperceptible perturbations, play a crucial role in security and privacy research. In the complex generalization scenarios of current deep learning applications, such as multi-modal settings, multi-task settings, and generalization across samples, existing adversarial examples have limited capability. This thesis therefore focuses on the generalization of adversarial attacks and defenses, with a particular emphasis on generating generalized adversarial examples in complex scenarios. The goal is to enable more efficient and practical attacks on, or privacy protection for, deep learning models, thereby promoting further research on their security and privacy. The main contributions can be summarized as follows:

(1) Multi-modal adversarial attack based on correlation. For complex multi-modal scenarios, this thesis proposes a method that generates generalized multi-modal adversarial examples by leveraging the correlation between the raw data of different modalities. The target is a multi-modal deep learning model for an autonomous driving scenario that takes both image and point cloud inputs. The method generates adversarial examples for the image modality with a generative adversarial network, models the correlation between the two modalities of the original data, and uses this correlation to generalize the adversarial examples from the image modality to the point cloud modality. This ensures that the adversarial examples for the different modalities focus on the same vulnerable regions, defeating the robustness that multi-modal models otherwise gain by exploiting complementary information across modalities to weaken dispersed adversarial attacks. Experimental results on the commonly used autonomous driving dataset KITTI demonstrate that the method enhances the cross-modal generalization capability of adversarial examples and achieves effective attacks on multi-modal models.

(2) Multi-task adversarial attack based on attention distraction with gradient sharpening. For complex scenes with multiple tasks, this thesis proposes a method for generating multi-task generalized adversarial examples that produce a universal attack effect across tasks. The method improves the cross-task generalization of adversarial examples by leveraging the knowledge shared among tasks while reducing the influence of task-specific information during generation. Specifically, it first attacks the attention heat maps, which carry more generalizable information than feature representations, by distracting the attention away from the attacked regions, thereby degrading the performance of every task. In addition, gradient sharpening is applied during the gradient-based generation process so that gradients carrying multi-task information, rather than only task-specific information, have a greater effect. Experimental results on the multi-task datasets NYUD-V2 and PASCAL demonstrate that the proposed method improves the generalization of adversarial examples across tasks and achieves better attack performance.

(3) Attribute-discriminative face universal adversarial perturbation based on feature disentanglement for face privacy protection. To address the privacy concerns surrounding deep learning models, this thesis proposes generating generalized adversarial perturbations for face privacy protection in complex scenarios requiring generalization across samples. Given the need to balance privacy protection against facial recognition capability, the method focuses on attribute-discriminative privacy protection for vulnerable populations with target attributes, such as minors and females. Specifically, a feature disentanglement approach separates target-attribute information from non-target-attribute information, and the adversarial perturbation is computed through separate optimizations. The optimization that changes the original feature distribution is applied to target-attribute face samples that require privacy protection, and the optimization that preserves it is applied to non-target-attribute face samples for which identity recognition must be maintained. By iteratively optimizing over different samples, the adversarial perturbation generalizes across samples. Experimental results on the CelebA face dataset demonstrate the effectiveness of the method: it misleads deep facial recognition models so as to protect the privacy of vulnerable population samples without affecting identity recognition for other population samples.

In summary, this thesis addresses the security and privacy of deep learning models through research on generating generalized adversarial examples. The aim is to enhance the ability of adversarial examples to attack models or to protect privacy in complex scenarios, thereby promoting the secure and reliable development of deep learning models and further advancing the widespread application of deep learning technology.
Keywords/Search Tags: deep learning, adversarial examples, generalization, security, privacy protection