Research Of Adversarial Attack Algorithm Based On Grad-CAM Guidance

Posted on: 2023-05-01
Degree: Master
Type: Thesis
Country: China
Candidate: C X Gao
Full Text: PDF
GTID: 2568307118995649
Subject: Information and Communication Engineering

Abstract/Summary:
Image classification technology is widely used in autonomous driving, face recognition and other fields because of its excellent performance, but current image classifiers are easily affected by adversarial attacks, which can make their classification function almost ineffective. The main problem of existing adversarial attack methods is that they rely too heavily on the parameters and gradient information of the source model and ignore feature information with stronger generalization. As a result, the adversarial examples crafted by these methods have poor transferability and invisibility, and a low attack success rate on black-box test models. In response to these shortcomings, this thesis focuses on the analysis and study of black-box adversarial attack methods for images. Its research contributions are as follows:

(1) Among the classical adversarial attack methods for images, three approaches are analyzed, namely introducing momentum, introducing data augmentation, and introducing an attention mechanism, and a research framework for transfer-based adversarial attack methods is obtained. Experimental results and analysis show that: 1) an adversarial attack is essentially an attack against features; 2) the random data augmentation introduced into adversarial attack methods has the disadvantages of low efficiency and poor invisibility. Therefore, taking full account of the advantages of the above methods, a design idea is proposed for attacking features with stronger generalization.

(2) To address the shortcomings of random data augmentation, a Grad-CAM Guided Data Augmentation Attack Method (GCG-DAAM) is proposed. GCG-DAAM uses the model's gradient-weighted class activation map (Grad-CAM) for the image to obtain the model's main decision area on that image; attacking on the basis of these feature regions further improves the transferability of the adversarial examples. A smooth-mask loss function is also designed to make the adversarial examples more natural. The experimental results show that the adversarial examples crafted by GCG-DAAM have better transferability and need less average perturbation.

(3) To obtain features with even stronger generalization for the attack, and considering the insufficient generalization of supervised learning features, GCG-DAAM with self-supervised features is proposed. Based on self-supervised learning, an improved Grad-CAM acquisition module is designed in which the Grad-CAM of the self-supervised model and the Grad-CAM of the supervised model are weighted and fused, so that the final result is both discriminative and global. Considering that humans pay more attention to changes in the shape of an object, an edge loss function is designed to limit the perturbation to the edge region of the object. Experimental results show that GCG-DAAM with self-supervised features improves the transferability of adversarial examples and the attack success rate on different models, and the test results on the ImageNet dataset are 1% to 3% higher than the baseline methods.
Keywords/Search Tags: adversarial attack, Grad-CAM, data augmentation, self-supervised, transferability