Deep neural network-based image classification, the most active task in computer vision, has far-reaching and widespread applications in both academia and industry. However, deep learning models are vulnerable to well-designed adversarial samples: a classification model can be made to predict incorrectly simply by adding small perturbations, invisible to the naked eye, to clean samples. The existence of adversarial samples is not only a security threat but also reveals limitations and weaknesses inside deep learning models. This dissertation therefore investigates adversarial sample generation and defense methods for image classification, with the following main research and innovation points:

(1) A two-stage one-pixel adversarial sample generation method based on Grad-CAM. The one-pixel attack is a local-perturbation adversarial attack under extreme constraints: it succeeds by modifying only a single pixel of the image, which gives it great advantages in effectiveness, stealth and flexibility. However, because it searches for the optimal pixel only through differential evolution, the generated perturbation is of low quality and the search suffers from premature convergence and stagnation. This dissertation therefore introduces the CNN interpretability method Grad-CAM and proposes a two-stage one-pixel adversarial attack, which is verified experimentally in terms of attack success rate, stealthiness and transferability.

(2) A multi-target adversarial sample generation method based on a Gaussian kernel and momentum iterative gradients. This scheme is also a local pixel attack: CenterNet is introduced to generate a key Gaussian circle for each foreground target in the sample, the momentum iterative gradient method generates adversarial samples, and the Gaussian circles and adversarial samples are combined into adversarial patches that replace the corresponding regions of the original image, yielding multi-target adversarial samples. Compared with all-pixel adversarial attacks, this scheme is more concealable, and its attack success rate is improved to a certain degree.

(3) A combined adversarial sample defense method based on image denoising and ensemble (integrated) adversarial training. This dissertation proposes an adversarial defense that combines image pre-processing with model robustness improvement. Image denoising reduces the impact of adversarial perturbations before samples are input to the model, but it also affects the semantic features of clean samples and reduces model performance; adversarial training improves model robustness by changing the training process, but the trained model does not generalize and can only defend against known attacks. In this dissertation the two approaches are combined so that the model is improved in both the input and training phases. In addition, an ensemble adversarial training method with more diverse samples is chosen in order to maximise the generalisability of the model's defense.

In-depth study of adversarial sample generation and defense methods is important for understanding the internal mechanism of the network and for further improving model robustness and application security. It provides a better basis for the subsequent design of safer and more robust deep learning models, as well as a more comprehensive and in-depth understanding of neural networks.
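An added illustration (not code from the dissertation) of the trade-off stated in point (3): a 3x3 median filter used as the denoising stage completely removes a constructed single-pixel perturbation in a flat region, yet it also erases a one-pixel-wide stroke that is the clean sample's only semantic feature. The 8x8 images, the filter choice and the pixel values are assumptions made for this example.

```python
from typing import List

Image = List[List[float]]  # grayscale pixels in [0, 1]


def median_filter(img: Image, k: int = 3) -> Image:
    """Denoise with a k x k median filter; borders use clamped indices."""
    h, w, r = len(img), len(img[0]), k // 2
    out = [[0.0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            window = [
                img[min(max(y + dy, 0), h - 1)][min(max(x + dx, 0), w - 1)]
                for dy in range(-r, r + 1)
                for dx in range(-r, r + 1)
            ]
            window.sort()
            out[y][x] = window[len(window) // 2]
    return out


def linf_distance(a: Image, b: Image) -> float:
    """Largest per-pixel absolute difference between two images."""
    return max(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))


def set_pixel(img: Image, y: int, x: int, value: float) -> Image:
    """Return a copy of img with exactly one pixel overwritten."""
    out = [row[:] for row in img]
    out[y][x] = value
    return out


# Constructed 8x8 sample (assumption): a one-pixel-wide vertical stroke in
# column 4 is the only semantic feature. The perturbed copy differs in a
# single background pixel, standing in for a one-pixel perturbation.
CLEAN: Image = [[1.0 if x == 4 else 0.0 for x in range(8)] for _ in range(8)]
PERTURBED: Image = set_pixel(CLEAN, 1, 1, 1.0)


def denoising_tradeoff() -> dict:
    """Measure what the denoiser removes and what it destroys."""
    clean_dn, pert_dn = median_filter(CLEAN), median_filter(PERTURBED)
    return {
        "perturbation_before": linf_distance(PERTURBED, CLEAN),
        "perturbation_after": linf_distance(pert_dn, clean_dn),
        "clean_feature_loss": linf_distance(clean_dn, CLEAN),
    }


if __name__ == "__main__":
    print(denoising_tradeoff())
```

The nonzero `clean_feature_loss` is the accuracy cost on clean inputs that the abstract cites as the reason to pair denoising with adversarial training rather than rely on either alone.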