
Research On Approaches Of Adversarial Sample Generation And Utilization Based On Transferability

Posted on: 2023-09-15
Degree: Doctor
Type: Dissertation
Country: China
Candidate: K Y Ding
Full Text: PDF
GTID: 1528307025465044
Subject: Cyberspace security

Abstract/Summary:
In recent years, with the improvement of hardware performance and the rapid development of AI algorithm theory, AI technology has been widely used in people's lives. While AI technology boosts productivity and brings convenience to people's lives, the security of AI algorithms and the abuse of AI algorithms have brought threats to people's lives and property. As an important threat to AI technology, adversarial samples have attracted a lot of attention from researchers, and current research on adversarial samples is mainly focused on offense and defense. Unfortunately, none of the existing methods for the detection and defense of adversarial samples can solve the adversarial sample problem. Given that adversarial samples have long accompanied the development of artificial intelligence technology, it is important to study approaches to generating and utilizing adversarial samples, both to deepen the understanding of artificial intelligence technology and to expand the research value of adversarial samples. Transferability is an important property of adversarial samples: an adversarial attack that is effective against one model has a higher probability of being effective against other models for similar tasks. This dissertation focuses on the transferability of adversarial samples, generates adversarial samples with different transferability by controlling that transferability, and uses these samples to implement efficient black-box attacks, face data targeted anonymization, artificial intelligence intellectual property verification, and character-level Chinese text image steganography, respectively. The main research contents of each part of this dissertation are as follows.

The first part reviews the research techniques related to adversarial samples. It first reviews the deep learning foundations involved in this dissertation, then introduces and analyzes the existing white-box and black-box adversarial sample generation methods, with emphasis on the transfer-based black-box attack method. This part provides the theoretical basis and technical support for the later research on generating adversarial samples with different transferability.

In the second part, an efficient black-box adversarial sample generation method based on transferability is proposed. This research addresses the difficulty existing black-box adversarial attack methods have in simultaneously achieving a high attack success rate, a low number of queries, and low perturbation. It applies transferability enhancement to score-based black-box adversarial attacks, proposing the use of transfer-based attacks to generate the sample for each query so as to improve the query efficiency of black-box attacks. In the specific implementation, on the one hand, random surrogate models and random white-box attack parameters are used to increase the variance of each query vector; on the other hand, dynamic coefficients and adaptive learning rates are proposed to accelerate optimization convergence and further reduce the number of queries. Experiments conducted on the MNIST, CIFAR-10, and ImageNet datasets show that the method can effectively perform black-box adversarial attacks with a success rate of no less than 98.5%. Among them, the experiments on the ImageNet dataset show that this method requires at least 97.42% fewer queries to reach the specified perturbation and nearly 50% less perturbation size compared to the state-of-the-art method.

The third part proposes a face data targeted anonymization method based on adversarial attacks. The study addresses the need of organizations to re-identify and anonymize their stored face data, and proposes to achieve differential anonymization of adversarial samples for face recognition models under different ownership by controlling the transferability of the generated adversarial samples. The study first proposes a usage scenario for face data targeted anonymization arising from organizations' need to re-identify their stored face data. Then, a basic framework for face data targeted anonymization based on adversarial attacks is proposed. Building on this, the study bounds the range of perturbations generated by the adversarial attack so that the authorized model still identifies the anonymized data correctly. Further, the study proposes a boundary walking strategy that adds as few perturbations as possible where needed to ensure correct recognition by the authorized model, while allowing more perturbations to improve the transferability of the anonymized data against the attack. Local experiments show that the perturbation constraints proposed in this dissertation keep the matching accuracy of the authorized model from changing significantly relative to before the perturbations were added, and that the boundary walking strategy enhances the transferability of anonymized data to other unauthorized models. Online experiments show that this study achieves an anonymization success rate of no less than 80% against online unauthorized models when the added perturbation is 10/255, and the added perturbation does not prevent recognition by the human eye.

In the fourth part, an IP verification method for AI models based on adversarial transferability control is proposed. This study addresses two problems of existing IPR verification methods: the difficulty of verifying models stolen by model extraction attacks, and the excessive number of models required to generate fingerprints. It proposes to generate adversarial samples with stronger transferability to the source model and its derived models in order to distinguish model ownership. The study proposes the use of an integrated model to obtain adversarial samples near the decision boundary of the source model, so as to maximize the difference between the outputs of the surrogate models and those of the reference models. The study verifies several model sets consisting of models stolen by model modification attacks, models stolen by model extraction attacks, and reference models on the CIFAR-10, CINIC-10, and CIFAR-100 datasets. Experiments show that the proposed method can verify model IP with a 100% success rate, and that the number of models required to generate model fingerprints is significantly reduced, to 8 models.

In the fifth part, a character-level Chinese text image steganography method based on transferability-weakening adversarial attacks is proposed. To meet the needs of image steganography, this study proposes to embed the hidden information in the form of adversarial samples. A one-to-one correspondence between the adversarial samples and the extraction model is achieved through transferability weakening strategies. To ensure the security of the embedded information, this study adopts similarity filtering and a transferability weakening strategy to reduce the impact of the adversarial attack on the outputs of other OCR models, so that each adversarial sample corresponds one-to-one with the local model. Experiments show that the method can embed and extract the steganographic information with a success rate of 100%. In terms of security, because the method differs from traditional steganography, traditional steganographic detectors have difficulty detecting the perturbations added in this study; at the same time, because the embedding uses a common OCR model rather than a customized steganographic algorithm and model, it is extremely stealthy and has a certain anti-forensic capability.
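The fourth part's ownership check rests on one measurable quantity: how often a suspect model agrees with the source model on a set of fingerprint inputs that lie just across the source's decision boundary, compared with how often unrelated reference models agree. The following is an added illustration written for this page, not code from the dissertation. It replaces the deep networks with linear classifiers and stands in for the two theft routes the abstract names: "model modification" as small edits to the source weights, and "model extraction" as a least-squares fit to the source's labels on random queries. The dimension, seed, margin, number of fingerprints and the decision gap are all constructed values.

```python
"""Toy fingerprint-based model ownership verification (added example, not the
dissertation's method).  Linear classifiers stand in for networks; every
constant below is constructed for the demo."""
import numpy as np

DIM = 8  # input dimension of the toy classifiers (constructed)


def predict(weights, x):
    """Binary linear classifier without bias: label 1 if w.x > 0, else 0."""
    return (x @ weights > 0).astype(int)


def make_models(rng):
    """Source model, two kinds of stolen copies, and unrelated reference models."""
    source = rng.normal(size=DIM)
    source /= np.linalg.norm(source)
    # Model modification: small edits to the source weights (fine-tuning / pruning stand-in).
    modified = [source + 0.05 * rng.normal(size=DIM) for _ in range(3)]
    # Model extraction: fit a fresh model only to the source's labels on random queries
    # (least-squares regression on +/-1 labels is a constructed stand-in for training).
    queries = rng.normal(size=(2000, DIM))
    targets = 2.0 * predict(source, queries) - 1.0
    extracted, *_ = np.linalg.lstsq(queries, targets, rcond=None)
    # Reference models: independently chosen weights that share nothing with the source.
    reference = [rng.normal(size=DIM) for _ in range(3)]
    return source, modified, [extracted], reference


def build_fingerprint(source, rng, n=200, margin=0.5):
    """Inputs nudged just across the source's decision boundary, paired with the
    labels the source assigns to them.  'source' must be unit-norm."""
    x = rng.normal(size=(n, DIM))
    original = predict(source, x)
    # Project each input onto the boundary w.x = 0, then step a fixed margin to the
    # side opposite the source's original decision, so the source now flips its label.
    on_boundary = x - np.outer(x @ source, source)
    direction = np.where(original == 1, -1.0, 1.0)
    fingerprint = on_boundary + margin * direction[:, None] * source[None, :]
    return fingerprint, predict(source, fingerprint)


def match_rate(model, fp_inputs, fp_labels):
    """Fraction of fingerprint inputs on which 'model' agrees with the source."""
    return float(np.mean(predict(model, fp_inputs) == fp_labels))


def verify_ownership(suspect, fp_inputs, fp_labels, reference_models, gap=0.2):
    """Flag 'suspect' as derived from the source if its agreement with the
    fingerprint exceeds the best-agreeing reference model by a clear gap."""
    ref_rates = [match_rate(r, fp_inputs, fp_labels) for r in reference_models]
    threshold = min(1.0, max(ref_rates) + gap)
    rate = match_rate(suspect, fp_inputs, fp_labels)
    return rate >= threshold, rate, threshold


def run_demo(seed=7):
    """Build models and fingerprint, then verify every candidate; returns
    {group: [(flagged, match_rate, threshold), ...]}."""
    rng = np.random.default_rng(seed)
    source, modified, extracted, reference = make_models(rng)
    fp_inputs, fp_labels = build_fingerprint(source, rng)
    groups = (("modified", modified), ("extracted", extracted), ("reference", reference))
    return {name: [verify_ownership(m, fp_inputs, fp_labels, reference) for m in group]
            for name, group in groups}


if __name__ == "__main__":
    for name, outcomes in run_demo().items():
        for flagged, rate, thr in outcomes:
            print(f"{name:9s} match={rate:.3f} threshold={thr:.3f} derived={flagged}")
```

Because the fingerprint points sit only a small margin past the source's boundary, any model whose boundary closely tracks the source's (the modified and extracted copies) reproduces the source's flipped labels almost perfectly, while an unrelated reference model agrees at roughly chance level; the threshold is anchored on the references so the decision adapts to how much accidental agreement the fingerprint admits. This is the linear-model analogue of the abstract's observation that fingerprints near the source's decision boundary maximize the gap between surrogate and reference outputs.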
Keywords/Search Tags: Adversarial Samples, Adversarial Sample Transferability, Adversarial Sample Generation and Utilization, Artificial Intelligence Security