
Research On Adversarial Example Detection And Restoration For Image Classification

Posted on: 2024-01-05
Degree: Master
Type: Thesis
Country: China
Candidate: M Yi
Full Text: PDF
GTID: 2568307061481734
Subject: Software engineering
Abstract/Summary:
Deep neural networks (DNNs) are a core technology in the current rise of artificial intelligence. They have solved complex learning problems that were difficult for traditional machine learning techniques and have outperformed humans in image classification tasks. However, the structural non-linearity of DNNs can induce systems based on DNN models to misjudge certain examples, called adversarial examples (AEs), which are usually composed of adversarial perturbations added to normal examples (NEs) that are indistinguishable to the human eye. This can seriously undermine the robustness of deep learning intelligent systems. Therefore, how to effectively defend against AE attacks has become a major challenge for the deep learning now widely used in industry. Recent research has defended from both the model and the data direction, but the growing diversity of AEs has gradually increased the complexity of defense, revealing problems such as the unstable performance of model-based AE detection and the weakness of data-based AE defense. Our work is based on the idea of detecting and recovering AEs, and the main research contents are as follows:

(1) AEs cause misjudgments and damage the robustness of DNN systems. Previous studies have defended against AEs by detection, but it is challenging to ensure stable, high detection performance together with a low false-detection rate. To this end, an AE detection method named Image Reconstruction Differences (IRD) is proposed to enhance the robustness of DNNs. Firstly, we use an end-to-end Com-Rec network to reconstruct examples with feature compression, which amplifies the distinguishing features. Secondly, we propose an Image Reconstruction Differences measure composed of the information-theoretic VIF, the structural UQI and the spectral RASE to discriminate AEs. Moreover, we introduce the idea of ensemble learning to form a random forest binary classifier that enhances the accuracy of detecting AEs. Extensive experiments with the BIM, FGSM and PGD white-box attacks demonstrated that IRD effectively detects AEs and achieves a high average accuracy of 98.33%. It also performs favorably against methods based on Feature Squeezing, Local Intrinsic Dimensionality, Kernel Density and Network Invariance Checking, with an average detection rate of 99.54% and an average false positive rate of 1.44%.

(2) To improve the ability of a classification model to defend against AEs while reducing the impact on its own recognition performance, an AE defense based on denoising convolutional neural networks, named Adversarial-defense CNNs (Ad CNNs), is proposed. A VGG network with the pooling layers and fully connected layers removed is used as the denoising convolutional neural network to eliminate adversarial perturbations. In training, residual learning is adopted to optimize the error between the expected residual and the residual output by the network. In addition, batch normalization layers are added to improve the ability of Ad CNNs to eliminate adversarial perturbations. The experimental results show that Ad CNNs can raise the classification accuracy of the LeNet-5 and VGG-16 base models to more than 80.36%. Compared with FGSM adversarial training and Denoising Autoencoder AE defense methods, Ad CNNs is more effective at removing adversarial perturbations and reducing the impact on the performance of the classification model.

(3) An image AE detection and restoration system is developed in this thesis to apply and deploy the proposed detection and restoration methods and to visualize the results, providing three major defense functions: AE generation, AE detection and AE recovery.
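As an added example (not code from the thesis), the following Python computes the structural (UQI) and spectral (RASE) terms of such a reconstruction-difference feature vector from their standard published definitions. The Com-Rec network and the VIF term are not reproduced: a 3x3 box blur stands in for the reconstruction, and seeded Gaussian noise on a constructed gradient image stands in for an adversarial perturbation (both are assumptions of this example).

```python
# Added example (not the thesis's code): structural (UQI) and spectral (RASE)
# reconstruction-difference features using their standard definitions. The
# Com-Rec network and the VIF term are not reproduced; a 3x3 box blur stands
# in for the reconstruction and seeded noise for an adversarial perturbation.
import random
from statistics import mean

def uqi(x, y):
    """Universal Quality Index (Wang & Bovik): 1.0 iff x == y."""
    n = len(x)
    mx, my = mean(x), mean(y)
    vx = sum((a - mx) ** 2 for a in x) / (n - 1)
    vy = sum((b - my) ** 2 for b in y) / (n - 1)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / (n - 1)
    denom = (vx + vy) * (mx * mx + my * my)
    return 1.0 if denom == 0 else 4 * cov * mx * my / denom

def rase(bands_ref, bands_rec):
    """Relative Average Spectral Error: band-averaged RMSE as a percentage of
    the reference mean; 0.0 iff every band is reproduced exactly."""
    m = mean(v for band in bands_ref for v in band)
    mse_sum = sum(sum((a - b) ** 2 for a, b in zip(ref, rec)) / len(ref)
                  for ref, rec in zip(bands_ref, bands_rec))
    return 100.0 / m * (mse_sum / len(bands_ref)) ** 0.5

def box_blur(img, w, h):
    """Hypothetical stand-in for Com-Rec: 3x3 mean filter on a flat image."""
    out = []
    for r in range(h):
        for c in range(w):
            win = [img[rr * w + cc] for rr in range(max(0, r - 1), min(h, r + 2))
                   for cc in range(max(0, c - 1), min(w, c + 2))]
            out.append(mean(win))
    return out

def reconstruction_differences(img, w, h):
    """(UQI, RASE) between an image and its reconstruction; the thesis feeds
    such features to a random forest classifier, which is omitted here."""
    rec = box_blur(img, w, h)
    return uqi(img, rec), rase([img], [rec])

# Constructed 8x8 inputs: a smooth gradient as the normal example, and the same
# gradient plus seeded Gaussian noise standing in for an adversarial perturbation.
W = H = 8
NORMAL = [float(4 * (r + c)) for r in range(H) for c in range(W)]
_rng = random.Random(0)
PERTURBED = [v + _rng.gauss(0, 8) for v in NORMAL]
```

A perturbed input is the one whose reconstruction drifts further from it, so its UQI is lower and its RASE higher than the normal example's; the thesis's classifier learns the boundary between those feature vectors.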
Keywords/Search Tags: deep neural networks, adversarial examples, image reconstruction differences, denoising convolutional neural networks