With the rapid development of deep neural networks, deep learning has become the basis of numerous artificial intelligence applications, such as face recognition, autonomous driving, smart homes, smart medicine, etc. However, deep learning faces many security threats. Among them, the robustness of deep models, which is the cornerstone of building deep learning applications, has been shown to be fragile in many studies. For example, an image classification model can be fooled by adversarial examples into making wrong predictions. Low robustness (i.e., fragility) means that the model cannot tolerate small changes in its input. In this case, it is difficult for people to trust the model's decisions, and low robustness will seriously hinder the development and application of deep learning in safety-sensitive fields (e.g., self-driving). Therefore, it is of great significance to conduct an in-depth study of the robustness of deep models. Existing research on model robustness mainly focuses on image classification, which is the most basic task in the field of artificial intelligence; it is also worth studying whether models used in other artificial intelligence tasks have similar robustness defects. At the same time, existing research suffers from low efficiency and low success rates. Low efficiency increases the cost of evaluating a model's robustness, and a low success rate creates the illusion that the target model is robust, which introduces security risks. To address these problems, this thesis focuses on three typical application scenarios of deep learning in computer vision, namely image classification, deep hiding, and scene text editing, and conducts a comprehensive study of the robustness defects of the corresponding deep models. The main work includes the following.

(1) The robustness of image classification models in the white-box setting is studied, and an effective unrestricted adversarial example generation algorithm is proposed. It consists of an efficient unrestricted adversarial example generation model (EGM) and a universal adversarial label augmentation strategy (ALA). Unrestricted adversarial examples extend traditional adversarial examples by discarding norm constraints, posing a new threat to the robustness of classification models. EGM consists of a conditional generator and a conditional transformer: the former converts random noise into a reference sample that conforms to the true category, and the latter further converts the reference sample into an adversarial example that conforms to the target category. Compared with the existing optimization-based unrestricted adversarial example generation scheme, EGM improves generation efficiency by 88 times. At the same time, ALA generates dynamic adversarial labels for each sample during the training of EGM, expanding EGM's exploration ability and encouraging it to search for better solutions. With the help of ALA, even when the target model has been hardened for robustness, EGM can still find its robustness weaknesses and generate effective unrestricted adversarial examples that mislead its predictions.

(2) The robustness of image classification models under black-box attack is studied, and an efficient algorithm for generating adversarial examples in the black-box setting is proposed; its core is a universal dual-transferability-based preprocessing strategy (DT). In the black-box setting, the internal details of the target model cannot be accessed, so a large number of queries to the target model are required to generate adversarial examples. To improve query efficiency, DT uses the transferability of model interpretation results to determine the salient regions on which the target model depends, narrowing the search space for subsequent queries. At the same time, DT uses the transferability of local adversarial perturbations to achieve a warm start, which provides a better starting point for subsequent queries. Experimental results show that DT can be applied to mainstream black-box adversarial example generation schemes and significantly improves their query efficiency. In addition, DT has a high tolerance for the performance of the auxiliary model, which further reduces the burden of generating adversarial examples.

(3) The robustness of deep hiding models is studied, and an efficient box-free secret removal algorithm (EBRA) is proposed to prevent these models from revealing potential secret information. Deep hiding models can hide a large amount of secret information in an image in an imperceptible way and extract the corresponding secret information from the stego image. The study finds that existing deep hiding models are generally local and have low redundancy. Based on these observations, EBRA uses image inpainting to erase the secret information in the stego image. To improve removal efficiency, EBRA processes multiple local regions in parallel, reducing the number of iterations to a constant. To improve the precision of pixel repair, EBRA uses auxiliary models to extract the contour and color information of the missing areas to assist the repair process. Extensive experiments show that even when the robustness of the deep hiding model has been enhanced, EBRA can still completely erase the secret information without affecting the quality of the stego image, and can break the secret revealing process.

(4) The robustness of scene text editing (STE) models is studied, and a fine-grained yet effective anti-tampering algorithm, Text Armor, is proposed to distort the editing results of STE models. An STE model can edit or replace the text in an image while maintaining its original style, and it is usually composed of multiple sub-modules. To prevent an STE model from tampering with the text naturally, Text Armor analyzes the components of mainstream STE models and generates adversarial examples that break the robustness of the corresponding sub-modules. To reduce the negative impact of adversarial perturbation on image quality, Text Armor adopts local perturbation of the text areas instead of global perturbation. To improve the effect of local perturbation, Text Armor uses a newly designed Partial Sign (PS) strategy in adversarial example generation in place of the widely used sign function; PS supports a more precise update direction, moving the update process towards a better solution. Extensive subjective and objective experimental results show that scene text processed by Text Armor cannot be edited naturally by existing mainstream STE models.
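The abstract's central premise, that a model with low robustness "cannot tolerate small changes in the input", can be made concrete for the simplest possible model. The following added example (not code from the thesis, and not related to EGM, DT, EBRA or Text Armor) evaluates a toy linear classifier f(x) = w·x + b, for which the smallest input change that flips the decision has a closed form: |f(x)| / ||w||_1 under the L∞ norm and |f(x)| / ||w||_2 under the L2 norm. It constructs the worst-case L∞ perturbation of exactly that size and contrasts it with a benign perturbation of the same magnitude that leaves the decision unchanged, which is the gap between "average-case" noise tolerance and the worst-case robustness the thesis evaluates. The weights, bias and input are constructed sample values.

```python
"""Exact robustness radius of a toy linear classifier (added illustration, not thesis code).

Decision rule: predict class +1 if f(x) = w.x + b > 0, else class -1.
For a linear model the minimal decision-flipping perturbation is known in closed
form, so 'fragility' can be measured exactly instead of searched for.
"""
import math
from typing import List

# Constructed sample values (assumptions for this illustration only).
W: List[float] = [0.5, -0.25, 1.0]
B: float = -0.1
X: List[float] = [0.3, 0.2, 0.1]


def score(w: List[float], b: float, x: List[float]) -> float:
    """Linear score f(x) = w.x + b; its sign is the predicted class."""
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def linf_radius(w: List[float], b: float, x: List[float]) -> float:
    """Smallest ||delta||_inf that can change sign(f(x)): |f(x)| / ||w||_1."""
    return abs(score(w, b, x)) / sum(abs(wi) for wi in w)


def l2_radius(w: List[float], b: float, x: List[float]) -> float:
    """Smallest ||delta||_2 that can change sign(f(x)): |f(x)| / ||w||_2."""
    return abs(score(w, b, x)) / math.sqrt(sum(wi * wi for wi in w))


def worst_case_linf_input(w: List[float], b: float, x: List[float],
                          slack: float = 1e-9) -> List[float]:
    """Return x + delta with ||delta||_inf = linf_radius + slack that flips the decision.

    Each coordinate moves by the same magnitude, in the direction that pushes
    f(x) toward zero fastest: against sign(f(x)) along sign(w_i).
    """
    f = score(w, b, x)
    push = -1.0 if f > 0 else 1.0          # direction that reduces |f(x)|
    eps = linf_radius(w, b, x) + slack      # just past the exact radius
    signs = [1.0 if wi > 0 else -1.0 if wi < 0 else 0.0 for wi in w]
    return [xi + push * eps * si for xi, si in zip(x, signs)]


def benign_linf_input(w: List[float], b: float, x: List[float]) -> List[float]:
    """Return x + delta with the same ||delta||_inf as the worst case, but with
    every coordinate moved in the same direction (like uniform brightness noise).
    Because the weights have mixed signs, this is far less effective."""
    eps = linf_radius(w, b, x)
    return [xi - eps for xi in x]


def decision_flipped(w: List[float], b: float, x: List[float],
                     x_adv: List[float]) -> bool:
    """True if the predicted class differs between x and x_adv."""
    return (score(w, b, x) > 0) != (score(w, b, x_adv) > 0)


def linf_distance(x: List[float], y: List[float]) -> float:
    return max(abs(a - c) for a, c in zip(x, y))


def robustness_report(w: List[float], b: float, x: List[float]) -> dict:
    """Summarise how much input change the decision at x can tolerate."""
    worst = worst_case_linf_input(w, b, x)
    benign = benign_linf_input(w, b, x)
    return {
        "score": score(w, b, x),
        "linf_radius": linf_radius(w, b, x),
        "l2_radius": l2_radius(w, b, x),
        "worst_case_flips": decision_flipped(w, b, x, worst),
        "benign_flips": decision_flipped(w, b, x, benign),
    }


if __name__ == "__main__":
    for key, value in robustness_report(W, B, X).items():
        print(f"{key}: {value}")
```

For this input the score is 0.10, so a coordinate-wise change of only about 0.057 (the L∞ radius) is enough to flip the class when chosen adversarially, while a uniform shift of the same size does not. For deep networks no such closed form exists, which is why the robustness evaluation methods in the thesis have to search for perturbations, and why the efficiency and success rate of that search determine whether the resulting robustness estimate can be trusted.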