Research On Enhancing The Migration Of Adversarial Samples Based On Frequency Domain Transformation And Attention Mechanism

Posted on: 2024-02-07
Degree: Master
Type: Thesis
Country: China
Candidate: J P Hu
GTID: 2568307067472164
Subject: Cyberspace security

Abstract/Summary:
With the rapid development of deep learning technology, artificial intelligence has been widely applied in fields such as image classification, text processing, and autonomous driving. However, the accompanying security issues are also becoming increasingly apparent. Research has shown that deep neural network models are susceptible to adversarial sample attacks, which add carefully crafted but imperceptible perturbations to an image to deceive the model’s classification results, exposing significant security risks in the application of deep learning models. Studying efficient adversarial attack algorithms not only promotes progress in adversarial defense, but also supports robustness and security testing before deep learning models are deployed.

So far, many adversarial sample algorithms have been proposed, and their performance in white-box attacks is almost always close to 100%. However, in actual tasks, black-box scenarios account for the majority, and performance there is not satisfactory. Black-box attacks mainly include query-based attacks and transfer-based attacks. Query-based attack methods require a large number of queries on the model, and the abnormal traffic is easily detected. Transfer-based attack methods require zero queries and do not need access to the network parameters or structure of the attacked model, nor to the output of the target model, so they are more practical in the real world.

This thesis analyzes the reasons for the poor transferability of black-box attacks and, from the perspectives of the model and of image preprocessing, proposes a method based on an attention mechanism and frequency-domain transformation to improve the transferability of adversarial samples in black-box attack scenarios against deep learning models. The main research results include the following three aspects:

(1) An attention mechanism is introduced into adversarial sample transferability attacks. Specifically, an enhanced model, CBAM-ResNet50, based on an attention mechanism is introduced to strengthen the model’s ability to recognize important areas of the image; adding perturbations to the areas where attention is concentrated improves the transferability of adversarial samples. The attention mechanism forces the attack to add effective perturbations to the robust regions of the image, reduces the overfitting of adversarial samples to a single model, and increases their generalization and robustness on other models, thereby enhancing their transferability. Using the attention mechanism as an example, it was discovered and analyzed in depth that adding perturbations to key feature regions (also known as robust regions) of the image results in higher transferability of adversarial samples.

(2) A method for image transformation in the frequency domain is proposed. Compared with existing image preprocessing methods, which mainly focus on the spatial domain, frequency-domain image transformation has stronger advantages in denoising ability, image compression, and morphological operations. The proposed random frequency-domain image enhancement is introduced into adversarial sample generation. Specifically, in each iteration of adversarial sample generation, one of four transformations (Gaussian blur, sharpening, rotation, and scaling) is selected at random and applied to the image with probability P=0.5. This random frequency-domain transformation distributes the perturbation more over edges and textures, increasing the diversity and robustness of the adversarial samples and thereby improving transferability.

(3) By combining the CBAM attention mechanism with frequency-domain image transformation, it was found that the two can enhance the transferability of adversarial samples. By visualizing adversarial samples, the way the two enhance transferability at both the global and local levels, and the reasons for their combined effect, were analyzed in depth. In addition, to better select the hyperparameters of the adversarial sample algorithm so that the combination of the CBAM attention mechanism and frequency-domain image transformation performs best, and to explore how changes in the factors related to transferability affect it, this thesis uses the 10 algorithms and 3 models mentioned in the text to explore the maximum perturbation value, the number of iterations, and the frequency-domain transformation probability P.
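The per-iteration random transformation from item (2), shown for two of the four listed transforms (Gaussian blur and sharpening) implemented as filters on the image spectrum. This is an added example, not code from the thesis: the function names, the `sigma` and `amount` values, the grayscale input, and the FFT-multiplication form of the filters are assumptions, and rotation and scaling are left out because the abstract does not say how they are performed.

```python
import numpy as np

def radial_freq(shape):
    """Distance of each FFT bin from DC, in cycles per pixel."""
    fy = np.fft.fftfreq(shape[0])[:, None]
    fx = np.fft.fftfreq(shape[1])[None, :]
    return np.sqrt(fx ** 2 + fy ** 2)

def gaussian_lowpass(shape, sigma=0.15):
    """Gaussian blur as a frequency response: 1 at DC, decaying with frequency."""
    return np.exp(-(radial_freq(shape) ** 2) / (2 * sigma ** 2))

def sharpen_response(shape, sigma=0.15, amount=1.0):
    """Unsharp-mask response: boosts what the low-pass removes, keeps DC at 1."""
    return 1.0 + amount * (1.0 - gaussian_lowpass(shape, sigma))

def apply_response(img, response):
    """Filter a 2-D grayscale image by multiplying its spectrum by `response`."""
    return np.real(np.fft.ifft2(np.fft.fft2(img) * response))

def random_freq_transform(img, rng, p=0.5):
    """With probability p apply one randomly chosen filter, else return img as is."""
    if rng.random() >= p:
        return img, "none"
    name = str(rng.choice(["blur", "sharpen"]))
    if name == "blur":
        response = gaussian_lowpass(img.shape)
    else:
        response = sharpen_response(img.shape)
    return apply_response(img, response), name

def high_freq_energy(img, cutoff=0.25):
    """Spectral energy above `cutoff` cycles per pixel (edges and fine texture)."""
    spectrum = np.abs(np.fft.fft2(img)) ** 2
    return float(spectrum[radial_freq(img.shape) > cutoff].sum())

if __name__ == "__main__":
    rng = np.random.default_rng(0)
    image = rng.random((32, 32))  # constructed sample input, not real data
    for step in range(5):
        out, chosen = random_freq_transform(image, rng, p=0.5)
        print(step, chosen, round(high_freq_energy(out), 2))
```

Both responses equal 1 at DC, so the mean brightness of the image is unchanged; only the balance between smooth regions and edge or texture content shifts from one iteration to the next.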
Keywords/Search Tags:Adversary samples, Attack, Attention mechanism, Deep learning, Transferability