Recent research has shown that deep learning models are extremely vulnerable to a type of imperceptible perturbation that leads to classification errors, which has become a security threat to deep learning model applications. In order to understand and prevent the hidden dangers that adversarial perturbation brings to the computer vision field, this thesis aims to find an image defense against adversarial attacks with high efficiency, strong robustness and generalization. The thesis starts by introducing the background of adversarial perturbation and the current research status of adversarial attacks and defenses. Focusing on deep learning based image classification, we introduce commonly used image classification models and adversarial attacks, and then explain the formation mechanism of adversarial perturbation. We propose two online defense algorithms against adversarial attacks.

The main contributions of this thesis are summarized as follows. Firstly, we propose a defense algorithm based on low-rank dimensionality reduction and sparse reconstruction. In light of the low-rank and sparse properties of digital images, this algorithm uses non-negative matrix factorization to obtain a low-rank representation of the adversarial image and so attenuate the adversarial perturbation. Multi-scale sparse coding is then applied to the low-rank approximated image to filter residual perturbation and recover the rich textural details of the original image. Secondly, we design a defense algorithm based on low-rank sparse decomposition and wavelet de-perturbation. This algorithm uses robust principal component analysis to decompose the input image into low-rank and sparse components, and performs wavelet threshold denoising to handle the difference in how the perturbation affects the two components, which not only retains the original image details in the sparse component but also effectively filters out the perturbation in both components.

We verify the effectiveness of our algorithms using three attack methods in black-box and gray-box settings and compare them with four defense algorithms. The results show that the adversarial images processed by the proposed algorithms achieve the highest Top-1 image classification accuracy among the compared algorithms, indicating the high robustness and generalization of our algorithms.
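
The low-rank step of the first algorithm can be illustrated with a small sketch. This is an added example, not the thesis's code: the rank, iteration count, 16x16 gradient image and the random ±eps pattern standing in for an adversarial perturbation are all assumptions, and the multi-scale sparse coding stage is not shown.

```python
import random

def matmul(A, B):
    cols = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) for col in cols] for row in A]

def transpose(A):
    return [list(c) for c in zip(*A)]

def nmf_low_rank(V, rank=2, iters=500, seed=0, tiny=1e-9):
    """Return the rank-`rank` approximation W*H of a non-negative matrix V,
    fitted with Lee-Seung multiplicative updates (Frobenius objective)."""
    rng = random.Random(seed)
    n, m = len(V), len(V[0])
    W = [[rng.uniform(0.1, 1.0) for _ in range(rank)] for _ in range(n)]
    H = [[rng.uniform(0.1, 1.0) for _ in range(m)] for _ in range(rank)]
    for _ in range(iters):
        Wt = transpose(W)
        num, den = matmul(Wt, V), matmul(matmul(Wt, W), H)
        H = [[h * a / (b + tiny) for h, a, b in zip(hr, nr, dr)]
             for hr, nr, dr in zip(H, num, den)]
        Ht = transpose(H)
        num, den = matmul(V, Ht), matmul(W, matmul(H, Ht))
        W = [[w * a / (b + tiny) for w, a, b in zip(wr, nr, dr)]
             for wr, nr, dr in zip(W, num, den)]
    return matmul(W, H)

def mse(A, B):
    total = sum((a - b) ** 2 for ra, rb in zip(A, B) for a, b in zip(ra, rb))
    return total / (len(A) * len(A[0]))

def demo(n=16, eps=0.05, seed=1):
    """Return (MSE of perturbed image, MSE of NMF-restored image) vs. the clean image."""
    rng = random.Random(seed)
    # Constructed clean image: a smooth gradient with pixel values in (0, 1], exactly rank 2.
    clean = [[0.6 * (i + 1) / n + 0.4 * (n - j) / n for j in range(n)] for i in range(n)]
    # Constructed stand-in for an adversarial perturbation: +/- eps per pixel, clipped to [0, 1].
    perturbed = [[min(1.0, max(0.0, p + eps * rng.choice((-1, 1)))) for p in row]
                 for row in clean]
    restored = nmf_low_rank(perturbed)
    return mse(perturbed, clean), mse(restored, clean)

if __name__ == "__main__":
    before, after = demo()
    print(f"MSE vs clean: perturbed={before:.6f}, after low-rank NMF={after:.6f}")
```

The constructed image is exactly low-rank, so nothing is lost by the projection; on natural images the same step also removes texture, which is the gap the abstract's sparse reconstruction stage is described as filling.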