With the continuous development of technology, deep neural networks play an important role in image recognition, speech recognition, natural language processing and other fields. However, classical deep neural network models are not resistant to adversarial patches. In current research on adversarial patch defense schemes, feature-based defense can detect and, to some extent, even eliminate the impact of adversarial patch attacks, but the reliability of this defense method is still questionable. To address this issue, this thesis combines feature-based defense with verifiable robustness defense to propose a verifiable robustness defense method (Robust Phase-only Smooth, RPOS) based on phase reconstruction features, where a phase reconstruction feature is a feature constructed from phase information in the frequency domain to distinguish natural images from adversarial patches. The RPOS algorithm not only effectively detects and eliminates the impact of adversarial patch attacks, but its robustness can also be rigorously proven and verified through experiments, ensuring the safety of the prediction results of models protected by RPOS when facing white-box adversaries. The main contributions of this thesis are as follows:

(1) An adversarial patch detector based on phase reconstruction features is proposed. Building on existing research on feature-based defense, phase reconstruction features are extracted to identify adversarial patches by exploiting differences between natural images and adversarial patches in the frequency domain. On the basis of traditional convolutional neural networks, an adversarial patch detector based on phase reconstruction features is designed, and the feasibility and detection accuracy of the scheme are experimentally verified.

(2) A sliding window defense scheme based on phase reconstruction features is proposed. In view of the difficulties that may be encountered when applying adversarial patch defense, such as unknown types of adversarial patch attacks and difficulty in training detectors due to the small number of attack samples, a threshold-based sliding window defense (Phase-only Smooth, POS) method is designed based on the research on phase reconstruction features. This method does not rely on neural network models; it judges whether adversarial patches are present solely by calculating whether the phase reconstruction feature value in each window region of the input image exceeds the threshold. Finally, the windows at risk are covered, effectively defending against adversarial patches and restoring normal prediction results. Experiments show that POS defense provides relatively efficient protection for neural network models with different structures and performs well in comparison experiments across various indicators.

(3) The RPOS scheme with verifiable robustness is proposed. In response to the issue that feature-based defense methods often cannot provide reliable security guarantees against white-box adversary attacks, the RPOS scheme is further proposed. Building on the POS algorithm, this scheme performs a two-stage masking algorithm on all windows whose phase reconstruction feature values exceed the threshold. By comparing the prediction results of all masked images, the impact of adversarial patches is eliminated. Moreover, a verifiable robustness proof for the defense algorithm is given and simulations are performed. This ensures that for any input sample that passes robustness verification, the prediction result is unaffected regardless of whether it contains adversarial patches, as long as the computational resources used by the model protected by RPOS do not exceed the limit conditions. Compared to other adversarial patch defense algorithms, the defense method proposed in this thesis has better robustness and reduces the loss of model accuracy caused by the defense. The algorithm has been verified to be applicable to protecting convolutional neural networks with various structures, expanding its range of application.

By applying this method, it can be ensured that, under the condition that the computing resources of the defending side do not exceed the limit, any image sample for which the simulation program returns true is guaranteed to yield prediction results that cannot be tampered with, improving the security and reliability of the model in practical applications.
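The threshold-based sliding window step of the POS scheme described in contribution (2) is illustrated below with an added example; this is not code from the thesis. The abstract does not define the phase reconstruction feature, so the example assumes the classic phase-only reconstruction (keep the 2-D FFT phase, set every magnitude to 1, invert) as a stand-in, and uses the mean squared value of that reconstruction inside each window as the per-window feature value. The window size (8), the non-overlapping stride, the threshold rule (three times the image-wide mean window energy) and the sample images (a smooth periodic background with a random high-contrast block standing in for a patch) are all constructed assumptions for illustration.

```python
import numpy as np

WIN = 8       # window side length (assumed)
STRIDE = 8    # non-overlapping tiling of windows (assumed)
K = 3.0       # threshold = K x image-wide mean window energy (assumed rule)


def phase_only_reconstruction(img):
    """Keep the 2-D FFT phase, discard the magnitude, invert.

    Assumed stand-in for the thesis's phase reconstruction feature map:
    regions with many coherent high-frequency components (a pasted, noisy
    block) concentrate energy here, while a smooth background spreads it out.
    """
    spec = np.fft.fft2(np.asarray(img, dtype=np.float64))
    unit = np.exp(1j * np.angle(spec))        # unit magnitude, original phase
    return np.real(np.fft.ifft2(unit))


def window_features(img, win=WIN, stride=STRIDE):
    """Per-window feature value: mean squared reconstruction inside the window."""
    rec = phase_only_reconstruction(img)
    h, w = rec.shape
    return {(y, x): float(np.mean(rec[y:y + win, x:x + win] ** 2))
            for y in range(0, h - win + 1, stride)
            for x in range(0, w - win + 1, stride)}


def pos_defend(img, win=WIN, stride=STRIDE, k=K, fill=0.0):
    """Threshold each window's feature value and cover the windows at risk.

    Returns the covered image, the list of covered window origins (y, x)
    and the feature dictionary, so a caller can inspect the decision.
    """
    feats = window_features(img, win, stride)
    threshold = k * float(np.mean(list(feats.values())))
    out = np.asarray(img, dtype=np.float64).copy()
    masked = sorted(pos for pos, v in feats.items() if v > threshold)
    for y, x in masked:
        out[y:y + win, x:x + win] = fill   # cover the suspicious window
    return out, masked, feats


def make_samples(size=32, patch=8, seed=0):
    """Constructed data (not real images): a smooth periodic background with
    faint noise, and a copy whose top-left 8x8 block is replaced by random
    high-contrast values standing in for an adversarial patch."""
    rng = np.random.default_rng(seed)
    yy, xx = np.mgrid[0:size, 0:size]
    clean = (0.5 + 0.2 * np.sin(2 * np.pi * xx / size)
             + 0.2 * np.cos(2 * np.pi * yy / size)
             + 0.01 * rng.standard_normal((size, size)))
    attacked = clean.copy()
    attacked[:patch, :patch] = rng.uniform(0.0, 1.0, (patch, patch))
    return clean, attacked


def demo():
    """Run the defense on both samples; returns (covered windows in the clean
    image, covered windows in the patched image, highest-feature window)."""
    clean, attacked = make_samples()
    _, masked_clean, _ = pos_defend(clean)
    _, masked_attacked, feats = pos_defend(attacked)
    top = max(feats, key=feats.get)
    return masked_clean, masked_attacked, top


if __name__ == "__main__":
    mc, ma, top = demo()
    print("clean image, windows covered:", mc)
    print("patched image, windows covered:", ma, "| highest-feature window:", top)
```

Because the phase-only reconstruction has unit energy per frequency, its total energy is fixed, so an image-relative threshold makes the decision independent of the input's brightness or contrast; in the clean sample no window exceeds it, while in the patched sample the block's window carries the largest feature value and is covered before the image reaches the classifier.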