
The Vulnerabilities Study Based On Deep Neural Networks

Posted on: 2024-06-16
Degree: Master
Type: Thesis
Country: China
Candidate: S M Yuan
GTID: 2568307079976569
Subject: Electronic information
Abstract/Summary:
With the rapid development of artificial intelligence, deep neural networks have shown great potential in fields such as autonomous driving and medical diagnosis, while ChatGPT's excellent performance in various natural language processing tasks also gives researchers hope for general artificial intelligence. However, the training methods of deep neural networks, which learn directly from data, involve considerable uncertainty, leading to a lack of interpretability and susceptibility to adversarial attacks. The greatest harm of adversarial examples lies in their two major properties: transferability and stealth. In recent years, research has focused on improving the transferability of adversarial examples while neglecting stealth. As a result, although the perturbations of adversarial examples are within constraints, many algorithms generate perturbations that are still very obvious to the human eye. Thus, the concept of unrestricted attack has been proposed, replacing the norm constraints on perturbations in adversarial attack algorithms with a more realistic soft constraint of "looking natural to the human eye".

This thesis mainly studies general attribute attack algorithms, namely color attacks. To ensure that the image "looks natural to the human eye", most color attack algorithms impose significant constraints on perturbations, which also limits the transferability of adversarial examples. To enhance the black-box transferability of adversarial examples and increase the flexibility of color attacks, this thesis proposes the following solutions:

1) Existing color attacks usually constrain the range of perturbations to the neighborhood space of the original color, which limits the transferability of color attacks. This thesis proposes the Natural Color Fool (NCF) algorithm, which constructs a natural color distribution library for each semantic class using real natural image datasets, selects high-attack color distribution combinations from them, and uses color transfer algorithms to transfer them to the target image to generate adversarial examples. Finally, neighborhood search and initialization reset strategies are used to further optimize adversarial examples and enhance their black-box transferability. With image quality similar to that of state-of-the-art algorithms, the black-box attack success rate of the proposed NCF algorithm on normally trained models is 15.0%~32.9% higher than that of the comparative algorithms.

2) To facilitate and expedite color attacks, this thesis proposes the Tone Curve Attack (TCA). Tone curves are common tools in digital image processing that can handle most color correction scenarios and are convenient and fast. Therefore, based on tone curves, this thesis designs a color attack algorithm, TCA, which uses a tone transfer matrix to simulate a tone curve and optimizes the tone curve using adversarial and quality losses simultaneously. Through simple tone curve transformations, the proposed TCA achieves a higher black-box attack success rate than the comparative algorithms and generates adversarial examples with high image quality that can be easily and conveniently applied to image privacy protection.
Keywords/Search Tags: Deep Neural Networks, Adversarial Examples, Unrestricted Color Attacks, Black-Box Attacks