
Research On Defense Against Adversarial Examples For Image Classification

Posted on: 2021-03-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Y Liu
Full Text: PDF
GTID: 1368330602994248
Subject: Information and Communication Engineering
Abstract/Summary:
Deep neural networks have recently led to significant improvements in many fields, such as image classification, object detection, semantic segmentation and natural language processing. However, the existence of adversarial examples has led to concerns about the security of deep neural networks. An adversarial example is a slightly modified sample that is intended to cause an erroneous output from the deep neural network. Recent works show that adversarial examples have threatened deep learning systems in security-critical applications, such as autonomous vehicles, face recognition and malware detection. The existence of adversarial examples poses great threats to the security of artificial intelligence. These threats can make artificial intelligence systems malfunction or even collapse. Therefore, how to protect deep neural networks from the threats caused by adversarial examples is a very important and challenging problem.

In recent years, domestic and foreign researchers have proposed many defense methods to resist adversarial attacks. These defense methods are mainly divided into two categories. One is robustness-based defense, which uses existing technology to make it difficult for attackers to generate adversarial examples, or to make deep neural networks still output correct results when they are attacked by adversarial examples. The other is detection-based defense, which detects whether the input sample is an adversarial example and refuses to send adversarial examples to the deep neural network for classification. To improve the performance of defense methods against adversarial examples, three key problems need to be solved. The first problem is to resist adversarial examples generated on large-scale image datasets. The second problem is to affect the performance of the original neural network as little as possible. The third problem is to resist secondary adversarial attacks. Focusing on these three key issues, this dissertation studies defense methods against adversarial examples for image classification. The main work and innovations of this dissertation are as follows:

1. Detection-based defense from the steganalysis point of view: This dissertation regards adversarial examples as a sort of accidental steganography, and proposes a detection method against adversarial examples from the steganalysis point of view. It uses steganalysis to measure the correlations between adjacent pixels of the input image in order to identify whether the input image is an adversarial example. Moreover, it enhances the steganalysis features based on the characteristics of adversarial examples to further improve the detection accuracy rate. Experimental results show that the steganalysis-based detection method can accurately detect various kinds of adversarial attack methods. In addition, secondary adversarial attacks are hard to perform directly against our method, because the structure of our detection model is based on hand-crafted features rather than a neural network.

2. Defense based on image inpainting: This dissertation proposes a defense method based on image inpainting. It leverages the class activation map to find the areas of the input image that may have been modified by adversarial attacks. After erasing the pixels in these areas, the defense method restores the erased areas by image inpainting to obtain a reconstructed image, so that most of the possible adversarial perturbations are removed from the input image. In order to remove possible remaining adversarial perturbations, the dissertation applies JPEG compression to the unerased areas of the input image, and then fuses the JPEG-compressed areas with the inpainted areas. Experimental results show that the proposed method can effectively defend against various kinds of adversarial attack methods while having little influence on the classification accuracy rate of clean images.

3. Joint defense strategy against adversarial attacks: This dissertation combines the detection method with the defense method and proposes a joint defense strategy against adversarial attacks. In the joint defense strategy, the detection method distinguishes whether the input is benign or adversarial. If the input is detected as benign, the joint defense strategy sends it directly to the original classifier to predict its label. Otherwise, it sends the adversarial example to the defense method to mitigate the adversarial perturbations. Moreover, the joint defense strategy simplifies the problem faced by the defense method, because the defense method only needs to consider the case in which the input image has a high probability of being an adversarial example. Experimental results show that the joint defense strategy can still classify adversarial examples with a high accuracy rate while hardly affecting the performance of the original classification network.
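The following is an added toy illustration of the steganalysis idea behind contribution 1 (adversarial noise disturbs the statistics of adjacent pixels), not the dissertation's code: the abstract does not specify its feature set or classifier, so this block assumes a symmetrised co-occurrence histogram of truncated second-order pixel residuals (in the spirit of SPAM/SRM-type features) and replaces a trained classifier with an L1 distance to a clean reference; the ramp images, the +/-2 noise model and the threshold are constructed.

```python
"""Toy steganalysis-style adversarial-example detector (added illustration).
Assumed simplification of the dissertation's approach: a symmetrised
co-occurrence histogram of truncated second-order pixel residuals (in the
spirit of SPAM/SRM features), compared by L1 distance against a clean
reference instead of a trained classifier."""
import random
from collections import Counter

T = 3  # residual truncation threshold (assumed)

def _canon(a, b):
    """Fold sign and order symmetry of a residual pair into one bin."""
    return min((a, b), (b, a), (-a, -b), (-b, -a))

def residual_cooccurrence(img):
    """Normalised histogram of adjacent horizontal second-order residual pairs.
    Smooth content gives residuals near 0; additive noise pushes them to +/-T."""
    counts, total = Counter(), 0
    for row in img:
        res = [max(-T, min(T, row[j - 1] - 2 * row[j] + row[j + 1]))
               for j in range(1, len(row) - 1)]
        for a, b in zip(res, res[1:]):
            counts[_canon(a, b)] += 1
            total += 1
    return {k: v / total for k, v in counts.items()}

def feature_distance(f, g):
    return sum(abs(f.get(k, 0.0) - g.get(k, 0.0)) for k in set(f) | set(g))

def gradient_image(ax, ay, size=64):
    """Constructed clean sample: 8-bit linear ramp with slopes ax/8 and ay/8."""
    return [[(ax * x + ay * y) // 8 for x in range(size)] for y in range(size)]

def perturb(img, eps=2, seed=1):
    """Constructed stand-in for an L_inf-bounded adversarial perturbation."""
    rng = random.Random(seed)
    return [[max(0, min(255, v + (eps if rng.random() < 0.5 else -eps)))
             for v in row] for row in img]

def clean_reference(images):
    """Mean feature vector of known-clean images (stands in for training)."""
    feats = [residual_cooccurrence(im) for im in images]
    keys = set().union(*feats)
    return {k: sum(f.get(k, 0.0) for f in feats) / len(feats) for k in keys}

def is_adversarial(img, reference, threshold=1.0):
    """Flag inputs whose residual statistics sit far from the clean reference."""
    return feature_distance(residual_cooccurrence(img), reference) > threshold

REFERENCE = clean_reference([gradient_image(a, 2) for a in (1, 2, 3)])
TEST_CLEAN = gradient_image(5, 3)
```

On these constructed inputs the clean ramp with an unseen slope stays well under the threshold while its perturbed copy lands far above it; real images need the fuller feature sets and a trained classifier, but the separating principle is the same.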
Keywords/Search Tags:Deep Neural Network, Adversarial Example, Steganalysis, Image Inpainting, Joint Defense