| Deep learning algorithms are gradually maturing in the field of computer vision.However,studies in recent years have shown that deep neural networks for computer vision are vulnerable to adversarial examples,for example,adding imperceptible perturbations to the identified examples in a classification task can often cause the model to misclassify.Since the classification task is the foundation of the computer vision field,this seriously affects the security and robustness of the visual model.In recent years,in the research of adversarial example generation algorithms,the blackbox attack method based on decision boundary plays a key role in reducing the amount of adversarial perturbation,query model number,and improving the attack success rate.In this thesis,two new black-box adversarial example generation algorithms are proposed from the geometric optimization-based and key-region-based attack methods.The main research work is as follows:(1)In order to solve the problem of most of the previous black-box based geometric optimization algorithms did not consider the nonlinearity of decision boundary,resulting in the error of the generated optimal adversarial example,an adversarial example generation algorithm based on the maximum inscribed circle is proposed.This method uses the angle traversal algorithm to generate the maximum inscribed circle discrete equation of the decision boundary,and then combines the geometric radius reduction attack(GRRA)algorithm to retrieve the closest adversarial example point to the original example point,so as to further reduce the adversarial perturbation of the adversarial example.Experimental data show that the perturbation amount of the algorithm for adversarial examples is more deceptive than the algorithm that does not take into account the nonlinearity of the decision boundary.(2)In order to further reduce the query model number and adversarial perturbation of the black-box attack algorithm and improve the attack success rate,an image adversarial example generation algorithm based on neural network(NNA)is proposed.This method uses the greedy algorithm to generate the specified label of the attack target,and then uses the neural network to optimize the value of each pixel of the example to generate an adversarial example.In addition,two two-sided suppressed activation functions are designed to ensure that the pixel values of the adversarial examples are mapped to the specified range.Experimental data show that compared with the previous black-box attack method,this method can effectively improve the attack success rate of adversarial examples,reduce the query model number and the amount of adversarial perturbation,thereby improving the deception and universal applicability of adversarial examples. |
PDF Full Text Request