
Research And Implementation Of Robust Image Classifier Based On Detecting And Reversing Adversarial Examples

Posted on: 2020-02-21
Degree: Master
Type: Thesis
Country: China
Candidate: J H Chen
GTID: 2428330575993764
Subject: Electronic and communication engineering
Abstract/Summary:
Neural networks and other machine learning models perform excellently on many classification tasks and are widely deployed, but they have been shown to be vulnerable to adversarial examples, which cause a neural network to misclassify with high probability. Adversarial examples therefore threaten security through evasion attacks. Building on the characteristics of neural networks and datasets, more and more methods for generating adversarial examples have been proposed, and many defences have appeared in turn, each targeting particular kinds of attack. In order to defend against as many adversarial attacks as possible, this thesis proposes a framework for handling different kinds of adversarial examples, built on earlier work. From an analysis of domestic and international research results, a study of neural networks, and a discussion of attack and defence methods for adversarial examples, it is observed that MagNet and FeatureSqueezing add filtering stages to preprocess adversarial examples and exploit the difference between normal and adversarial examples through an AE (AutoEncoder) to detect them, but they do not process the detected adversarial examples any further. To address this shortcoming, the difference in divergence between normal and adversarial examples, measured through a VAE (Variational AutoEncoder), is used as the detection indicator, and changing the divergence of an adversarial example reconstructs a normal example, which improves accuracy. The framework consists of a VAE and a CNN (Convolutional Neural Network), both neural networks: the VAE acts as detector and reverser in front of the CNN, and the CNN is the classifier. The detection part relies on the difference in KL-divergence between adversarial and normal examples, which can be used to detect adversarial examples through the VAE, and the reversing part reconstructs adversarial examples into normal examples by changing the KL-divergence of the adversarial examples with the VAE. The proposed framework not only detects adversarial examples but goes a step further and reverses them into normal ones, so that the CNN classifies correctly and evasion attacks are prevented. The experimental results show that the trained VAE helps the CNN classify correctly: the best ROC-AUC is around 0.94, which means the framework can distinguish adversarial from normal examples. Moreover, the framework can reverse adversarial examples into normal examples; the reversing approach improves CNN classification accuracy on adversarial examples by about 2%-10%, and implements a secure image classifier.
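As an added illustration (not code from the thesis), the detection half of the pipeline in pure Python: the KL term of the VAE encoder output serves as the score, a threshold is calibrated on clean examples, and ROC-AUC, the metric the abstract reports, is computed over the scores. The encoder outputs are constructed, the direction of the shift (adversarial inputs land further from the prior) is an assumption, and `rescale_latent_to_kl` is a hypothetical stand-in for the unspecified "change the KL-divergence" step that a trained decoder would then re-render.

```python
import math
from typing import List, Sequence

def kl_to_prior(mu: Sequence[float], logvar: Sequence[float]) -> float:
    """KL( N(mu, diag(exp(logvar))) || N(0, I) ): the VAE regularisation term, used as the score."""
    return 0.5 * sum(math.exp(lv) + m * m - 1.0 - lv for m, lv in zip(mu, logvar))

def calibrate_threshold(normal_scores: Sequence[float], fpr: float) -> float:
    """Threshold such that at most a fraction `fpr` of normal examples score above it."""
    ordered = sorted(normal_scores)
    idx = max(0, min(len(ordered) - 1, math.ceil((1.0 - fpr) * len(ordered)) - 1))
    return ordered[idx]

def roc_auc(normal_scores: Sequence[float], adv_scores: Sequence[float]) -> float:
    """Rank-based AUC: P(score(adv) > score(normal)), ties counted one half."""
    wins = 0.0
    for a in adv_scores:
        for n in normal_scores:
            wins += 1.0 if a > n else 0.5 if a == n else 0.0
    return wins / (len(adv_scores) * len(normal_scores))

def rescale_latent_to_kl(mu: Sequence[float], logvar: Sequence[float], target_kl: float) -> List[float]:
    """Shrink mu toward the prior until kl_to_prior equals target_kl, leaving logvar as is.
    Hypothetical stand-in for the 'change the KL-divergence' step; a decoder would then re-render it."""
    var_part = 0.5 * sum(math.exp(lv) - 1.0 - lv for lv in logvar)
    mu_part = 0.5 * sum(m * m for m in mu)
    if target_kl <= var_part or mu_part == 0.0:
        return [0.0] * len(mu)
    return [m * math.sqrt((target_kl - var_part) / mu_part) for m in mu]

# Constructed encoder outputs (mu, logvar), not real data: clean inputs sit close to the
# prior, while perturbed inputs push the posterior mean away from it (an assumption).
NORMAL = [((0.1, -0.1), (0.0, 0.0)), ((0.2, 0.0), (0.0, 0.0)),
          ((0.0, 0.3), (0.0, 0.0)), ((0.3, 0.2), (0.0, 0.0))]
ADVERSARIAL = [((1.0, 0.0), (0.0, 0.0)), ((0.0, 0.6), (0.0, 0.0)),
               ((0.2, 0.1), (0.0, 0.0)), ((0.8, 0.8), (0.0, 0.0))]

def evaluate(fpr: float = 0.25) -> dict:
    """Calibrate on clean scores, then report AUC and the share of adversarial inputs flagged."""
    normal = [kl_to_prior(mu, lv) for mu, lv in NORMAL]
    adv = [kl_to_prior(mu, lv) for mu, lv in ADVERSARIAL]
    thr = calibrate_threshold(normal, fpr)
    flagged = sum(1 for s in adv if s > thr) / len(adv)
    return {"threshold": thr, "auc": roc_auc(normal, adv), "detection_rate": flagged}

if __name__ == "__main__":
    print(evaluate())
```

The low-KL adversarial sample in the constructed set slips past the threshold, which is the gap the thesis's second stage (reversing, then reclassifying) is meant to narrow.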
Keywords/Search Tags:Neural Network, Variational AutoEncoder, Adversarial Examples