In the era of rapid development of deep learning technology, security issues have become a part of trusted AI that cannot be ignored, and effectively dealing with backdoor attacks on deep learning models, so that the models are safe and secure, has become an important part of trusted AI security. Due to hardware constraints, most deep learning training processes are handed to outsourcing companies, which gives malicious attackers an opportunity. Attackers usually implant backdoor triggers in the provided datasets and training process and submit them to users. The models behave normally on clean samples, but on samples containing triggers they behave as predefined by the attackers. The existence of backdoors in artificial intelligence systems may lead to unauthorized access or manipulation, allowing the system to perform unintended operations or disclose sensitive information; investigating how to counter backdoor attacks from an attack perspective is therefore an important aspect of building trustworthy artificial intelligence.

Since preprocessing operations on datasets generate perturbations on images, the perturbations are used as invisible triggers and superimposed onto clean images as backdoors. When an infected model receives input images with these injected perturbations, the backdoors are triggered, causing the model to produce wrong outputs or perform malicious behaviors under specific conditions. In response to the uncontrollability of invisible triggers generated by existing methods and the fact that research methods focus only on attack performance, this research additionally considers stealthiness as an important metric and takes controllable backdoors as a design goal, in order to investigate the relationship between trigger stealthiness, attack performance, and model perturbation. The main research results of this paper are as follows:

1. This paper proposes four new invisible backdoor attack methods from the common image processing operations of data collection and cleaning, including filtering, watermarking, super-resolution reconstruction, and lossy compression of images. Their backdoor implantation process is difficult to detect and the generated backdoor images are extremely stealthy.
2. Based on the parameters obtained from the four invisible backdoor generation methods to control the trigger and image quality, the stealthiness of the trigger and the performance of the backdoor attack are controlled by adjustable parameters so that they can be better adapted to different attack environments.
3. This paper applies the label consistency attack to invisible triggers for the first time and shows excellent attack performance, and proposes that an ASR of 83.91% can be achieved when a specific sample of only 10% of the target labels is poisoned with a priori knowledge of the training process.
4. Experiments are conducted to verify the performance of the attack method in different environments using three publicly available datasets with different resolutions. The proposed method, with controllable BDR, image concealment and ASR, is demonstrated through a large number of experiments. The performance of the proposed attack method is also visualized by attention and 3D performance graphs based on a large number of experiments with different parameters, and the excellent performance of the proposed adjustable-parameter backdoor attack method is further demonstrated in general model experiments, robustness analysis, adversarial defense and comparison experiments.