
Adversarial Sample Generation Technology for Machine Learning Models

Posted on: 2024-08-27
Degree: Master
Type: Thesis
Country: China
Candidate: D Y Hu
Full Text: PDF
GTID: 2568307079475264
Subject: Electronic information

Abstract/Summary:
At present, technologies built on machine learning models are widely used in natural language processing, character recognition, computer vision and other fields, but these models are highly vulnerable to adversarial samples, which cause them to produce erroneous outputs. Studying how adversarial samples are generated helps people understand the fragility of machine learning models and serves to improve their security. This thesis studies adversarial sample generation methods for both deep learning models and traditional machine learning models. For traditional machine learning, a partition-based clustering algorithm is taken as the attacked model and an attack algorithm based on multi-swarm particle swarm optimization is proposed. For deep learning, methods are given for generating image adversarial samples and text adversarial samples under black-box conditions. The main work and innovations are as follows:

1) For traditional machine learning models, a multi-swarm particle swarm optimization method for generating adversarial samples, PsoAttack, is proposed. Unlike conventional particle swarm optimization, the multi-swarm method generates adversarial samples by quickly iterating on the shortest Euclidean distance between the global best particle of each swarm and the particle being evaluated. Experiments show that the algorithm can effectively locate decision boundaries in the KMeans clustering model and also achieves good attack performance on multidimensional data.

2) A universal adversarial perturbation generation method, CjpAttack, is proposed that detects salient image regions for image adversarial sample generation. A generative model is used to obtain the salient regions of an image, and perturbations are added to those salient feature regions to produce the adversarial sample. Experimental results on the MNIST dataset show that, under black-box conditions, CjpAttack conditionally increases the L2-norm difference between the adversarial sample and the original sample, yielding a higher attack success rate than white-box methods such as FGSM and DeepFool, and a faster attack speed than DeepFool.

3) A multi-granularity text adversarial attack method, MultiAttack, is proposed for text adversarial samples under a semantic similarity constraint. Target samples are generated by combining word replacement (word level) with a short-text generative model (sentence level), and semantic similarity and part-of-speech restrictions are imposed while generating the adversarial text, so that the result retains greater semantic similarity to the original. Because the genetic evolution algorithm used throughout the attack framework produces a large number of offspring, which in the worst case leads to an exponential increase in computational complexity, a dynamic parameter tuning method is proposed to prune the generated offspring population. Experiments show that this multi-granularity attack method generates adversarial samples with higher success rates and greater semantic similarity than methods such as TextBugger, PWWS and VIPER.

The results of this thesis can be used to discover vulnerabilities in a target model and serve to improve the model's security.
Keywords/Search Tags: Image adversarial examples, text adversarial examples, multi-granularity attacks, black box attacks, optimization algorithms