Research On Adversarial Example Generation Method For Deep Learning Image Classification

Posted on: 2024-02-26
Degree: Master
Type: Thesis
Country: China
Candidate: P Liu
Full Text: PDF
GTID: 2568307079971059
Subject: Electronic information
Abstract/Summary:
In the data age, the theory and application of deep learning have developed rapidly, but researchers have found that deep learning models are very vulnerable to carefully designed input samples, which are called adversarial samples. Taking image classification as an example, after modifications imperceptible to the naked eye are added to the original image, a classification model with a high accuracy rate can be made to misclassify it. In an era of such vigorous development of artificial intelligence, the study of adversarial examples is a study not only of the robustness of artificial intelligence models but also of their security. Attacks can be classified into black-box attacks and white-box attacks depending on the amount of information obtained from the model. Relatively speaking, black-box attacks are more difficult, but they are closer to situations in the physical world than white-box attacks and are therefore more relevant for practical research. This thesis focuses on the task of adversarial sample generation in the black-box attack scenario. Most existing black-box attack methods attack by adding meaningless noise; how to generate adversarial samples using meaningful noise is an open problem, as is how to improve the attack success rate with a small number of queries. To address these two problems, this thesis proposes adversarial sample generation methods; the specific work is as follows.

(1) To address the problem of how to generate black-box adversarial samples using meaningful noise, this thesis proposes a black-box adversarial sample generation method based on a differential evolution algorithm and a heat map mechanism, which makes the sample adversarial while also carrying a watermark that protects the digital copyright of the image. Experimental verification shows that this method can effectively generate adversarial samples and has certain advantages over other black-box attack algorithms.

(2) To address the low success rate of black-box attacks under a low query limit, this thesis proposes an efficient query-based black-box adversarial sample generation method based on random search. This method uses the heat map mechanism and pre-query adaptation to increase the perturbation in order to reduce the number of queries, thereby achieving fast attacks. Experiments show that the proposed improvement strategy on top of the original baseline algorithm is effective, remedies the baseline algorithm's low attack success rate at a low number of queries, and has some advantages over other black-box attack algorithms.
Keywords/Search Tags:adversarial sample, black-box attack, differential evolution, digital watermark