With the continuous development of deep learning, deep neural network (DNN) models show excellent performance in image recognition and classification tasks, but studies show that intelligent application systems based on deep learning are prone to being misled by adversarial samples and thus producing wrong decisions. Adversarial samples can be categorized into pixel-constrained adversarial samples and spatially-constrained adversarial samples, wherein adversarial perturbations are respectively superimposed on the entirety of the clean sample and on the region of constraint. Enhancing the security of intelligent systems requires detection strategies targeted at adversarial attacks. The primary focus of detection defense research is to enhance the performance and generalization of models designed to detect adversarial samples. This thesis proposes detection models against pixel-constrained adversarial attacks and spatially-constrained adversarial attacks respectively. The main work of this thesis is as follows:

(1) To address the ineffectiveness and lack of generalization of detection models facing unknown adversarial attacks, this thesis proposes a two-branch adversarial sample detection method based on global and local features (ASD-GLF). In the global feature detection branch, to address the insufficient sensitivity and numerical overflow of traditional spatial mapping methods, this thesis proposes to expand the mapping methods and soften the prediction vector based on temperature coefficient control, thereby enhancing the salience of global features. In the local feature detection branch, to address the issue that traditional methods cannot extract distinctive local features from adversarial samples directly, this thesis employs a preprocessing method based on JPEG compression and error level analysis (ELA). It reveals significant differences in the distribution of SIFT features between the preprocessed adversarial samples and clean samples. Through various adversarial attack datasets and generalization tests, the results show that compared to superior adversarial detection algorithms such as SRM and PACA, ASD-GLF achieves comparable detection accuracy and better generalization performance.

(2) To address the detection problem of spatially-constrained adversarial samples, this thesis proposes an adversarial sample detection method based on transfer learning (MTL). MTL utilizes adaptive average pooling and a combination of small-size convolutional kernels to ensure that the model automatically adapts to multiple input resolutions without sacrificing detection accuracy. Under various combinations of input resolutions and classical neural networks, MTL achieves an average adversarial sample detection accuracy of 99.48% on real datasets, indicating its strong applicability and generalization performance.

The above methods have been validated through experiments. The results show that ASD-GLF and MTL can effectively improve the detection accuracy and generalization performance against pixel-constrained adversarial samples and spatially-constrained adversarial samples.