| Deep learning algorithms have been hugely successful in a wide range of fields, becoming a workhorse in applications ranging from self-driving cars to security and healthcare. With their popularization in practical applications, the security of neural networks has become a hot topic of academic research. The existence of adversarial examples poses a great threat to the security of deep learning applications. In serious cases, these threats can cause a deep learning system to fail or even collapse. A classification network is a basic neural network that is used in a variety of tasks. In this paper, the security of classification networks is studied from the two aspects of adversarial attack and defense. The research progress is as follows: This paper presents a gradient-based multi-scale feature attack algorithm. Existing adversarial example generation methods usually overfit the structure and characteristics of the source model, which leads to a low success rate for black-box attacks. To solve this problem, a multi-scale feature attack algorithm is proposed to enhance the transferability of the attack. A low-level feature and a high-level feature of the source model are selected for perturbation, so that the internal feature space representation of the adversarial image is far away from the internal representation of the original image. The carefully crafted adversarial example differs from the original image not only in its class but also in its feature space representation. To improve the transferability of the adversarial example, the inverse cross entropy loss is used to reduce overfitting, and this loss is shown to be effective against adversarially trained models with strong defense ability. Extensive experiments show that the proposed methods consistently outperform the Iterative Fast Gradient Sign Method (IFGSM) and the Momentum Iterative Gradient Sign Method (MIFGSM) under the challenging black-box setting. In this paper, a novel adversarial attack algorithm based on color space is proposed to generate adversarial examples. Unlike attack algorithms that depend on model information to generate adversarial examples, this method exploits the shape preference that both the human visual system and neural networks show when classifying image features: based on image color space transformation, it perturbs the HSV and Lab color channels to generate adversarial examples while preserving the semantic information of the image. In addition, a segmentation model is added in this paper to ensure that the appearance of sensitive areas (such as human skin) in the image is limited to a specific range, so as to make the adversarial examples more natural. A large number of experiments have demonstrated the effectiveness of our method. At the same time, this method is a black-box attack method, which can be widely used for model robustness testing of real security systems. This paper also proposes an unsupervised adversarial defense algorithm (t-DIP) based on the deep image prior. Inspired by the idea that deep convolutional networks give priority to learning the uncorrupted content in an image, this method uses two deep image prior networks to remove the adversarial perturbation from the adversarial example. The first network quickly learns the main information of the image. The prior information learned by the first network is then used to accelerate and enhance the learning of the second network. This method does not need to change the structure of the target model or pre-train the defense framework. Compared with the more advanced defense methods currently available, t-DIP achieves higher defense accuracy against various attacks on multiple models. |