
Research On Adversarial Sample Detection Algorithm Based On Reconfiguration Model

Posted on: 2024-03-19
Degree: Master
Type: Thesis
Country: China
Candidate: D K Shi
Full Text: PDF
GTID: 2568307067472974
Subject: Computer technology
Abstract/Summary:
Deep learning is now widely used in many fields, and an increasing number of deep learning models have been proposed and applied to solve complex problems. However, the emergence of adversarial examples threatens the security of deep learning models. Adversarial examples are abnormal samples crafted to attack classifier models: an attacker modifies an input sample with a malicious perturbation so that the classifier makes a wrong prediction, undermining its robustness. Because the perturbation is extremely small, adversarial examples are usually hard for the human eye to detect. Given the serious harm adversarial examples do to classifier models, how to better protect classifiers under attack is an important research topic.

Defenses against adversarial examples mainly fall into two frameworks. The first neutralizes adversarial examples by removing the adversarial perturbation, improving the robustness of the model, and similar measures, so that the model's prediction cannot be perturbed. The second detects whether an input has adversarial properties by setting up a detection method. In this paper, we adopt the second framework and design two detection methods based on the idea of reconstruction models. The main contributions of this paper are as follows:

(1) We propose a method for detecting adversarial samples by directional reconstruction based on the StyleGAN model, which we call DBDR. This method feeds the features the model extracts from the input sample into the reconstruction process, so that the sample is reconstructed in a specific direction. If the input is a clean sample, it is reconstructed with features that are consistent with the image content, and there is no significant difference between the sample before and after reconstruction; if the input is an adversarial sample, it is reconstructed with features that are inconsistent with the image content, and there is a significant difference before and after reconstruction. DBDR then designs a feature combination scheme to better exploit these reconstruction differences for adversarial sample detection. Our experiments show that DBDR outperforms other detection methods.

(2) We propose a method for detecting adversarial samples based on the reconstruction characteristics of the VDVAE model, which we call DBVR. The encoder and decoder of VDVAE consist of multiple layers, and during decoding low-dimensional vectors are gradually transformed into high-dimensional reconstructed images through continuous learning. This paper finds that adversarial samples exhibit a "decoding instability" pattern during decoding, that is, class confusion occurs at some intermediate layer of the decoder, whereas normal samples show more stable class changes at the same stage. Based on this pattern, DBVR obtains intermediate reconstructed samples by truncating the decoding process early, and captures the feature differences before and after reconstruction to detect adversarial samples. This method achieves a better detection rate and generalization ability than other detection methods.
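As an added illustration (not code from the thesis), the following toy Python sketches the DBDR workflow described above: the label the classifier reports is injected into the reconstruction, and the gap between an input and its reconstruction is compared against a threshold calibrated on clean samples. The linear classifier, the prototype-based "generator", and the sample vectors are all constructed stand-ins for a real image classifier and a StyleGAN reconstructor.

```python
import math

# Constructed toy stand-ins (not the thesis's models). The classifier is a linear
# model that leans on a spurious third feature x[2]; the "generator" only models
# the two content dims x[0], x[1] and pulls them toward a class prototype.
W, BIAS = (0.2, 0.2, 5.0), -0.2
PROTOTYPES = {0: (0.0, 0.0), 1: (1.0, 1.0)}

# Constructed calibration set of clean samples (four per class).
CLEAN = [(0.1, 0.0, 0.0), (0.0, 0.1, 0.0), (0.05, 0.05, 0.0), (-0.1, 0.05, 0.0),
         (0.9, 1.0, 0.0), (1.1, 0.95, 0.0), (1.0, 1.05, 0.0), (0.95, 0.9, 0.0)]
# Constructed perturbed copy of CLEAN[0]: content unchanged, spurious dim nudged
# by 0.05, which is enough to flip the toy classifier's prediction.
ADVERSARIAL = (0.1, 0.0, 0.05)

def classify(x):
    """Label reported by the protected classifier; DBDR injects it into reconstruction."""
    score = sum(w * xi for w, xi in zip(W, x)) + BIAS
    return 1 if score > 0 else 0

def reconstruct(x, label):
    """Directional reconstruction: content dims move toward the reported class's prototype."""
    p = PROTOTYPES[label]
    return ((x[0] + p[0]) / 2, (x[1] + p[1]) / 2, 0.0)

def reconstruction_gap(x):
    """Distance between the input and its label-conditioned reconstruction."""
    return math.dist(x, reconstruct(x, classify(x)))

def calibrate_threshold(clean, fpr=0.05):
    """Threshold = (1 - fpr) quantile of gaps on clean samples, so that at most
    about fpr of clean inputs are flagged."""
    gaps = sorted(reconstruction_gap(x) for x in clean)
    idx = max(0, min(len(gaps) - 1, math.ceil((1 - fpr) * len(gaps)) - 1))
    return gaps[idx]

def is_adversarial(x, threshold):
    """Flag inputs whose reconstruction disagrees with them more than clean ones do."""
    return reconstruction_gap(x) > threshold

if __name__ == "__main__":
    thr = calibrate_threshold(CLEAN)
    print(f"threshold={thr:.4f}")
    for x in CLEAN[:1] + [ADVERSARIAL]:
        print(x, "label", classify(x), "gap %.4f" % reconstruction_gap(x),
              "adversarial" if is_adversarial(x, thr) else "clean")
```

The clean sample and its perturbed copy differ by only 0.05, but because the reconstruction is steered by the wrong label, the perturbed copy's gap is more than ten times the calibrated threshold.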
Keywords/Search Tags: Deep learning, Image recognition, Adversarial sample detection, Reconstruction model