Artificial intelligence technologies, especially deep learning, have made significant progress in numerous fields such as computer vision and speech recognition, and large-scale applications are now dawning. However, existing deep learning models suffer from insufficient robustness: they can be easily deceived by adversarial examples, maliciously generated by adversaries, into producing wrong predictions. The lack of robustness of deep learning has been proven to pose threats to areas closely related to security, and it hinders the further development of deep learning. Adversarial attacks and robustness evaluation are important directions in research on deep learning robustness, aiming to efficiently generate adversarial examples under different scenarios and to conduct comprehensive robustness evaluations of deep learning models. Research in this area helps to identify the vulnerabilities of deep learning models, compare the robustness of different models, and develop more robust deep learning models.

Research on adversarial attacks and robustness evaluation still has some problems that urgently need to be solved. First, existing adversarial attack methods exhibit a low attack success rate and low efficiency in black-box scenarios, where the model structure and parameters cannot be obtained, which hinders the analysis of the model's vulnerability mechanism. Second, the diversity of adversarial examples generated by existing adversarial attack methods is insufficient, which limits the robustness of models trained on these adversarial examples. Third, current research on adversarial robustness evaluation is relatively lacking, so it is difficult for researchers to effectively evaluate the robustness of different deep learning models and the effectiveness of adversarial attack and defense algorithms.

To solve these key problems, this dissertation builds a benchmark and a platform for evaluating adversarial attacks and defenses, and develops efficient adversarial attack algorithms for different scenarios. The main contributions are summarized as follows:

1. For the low success rate of black-box transfer-based attacks, a momentum iterative method and a translation-invariant adversarial attack method are proposed. They introduce a momentum term and adopt a set of translated images, respectively, when generating adversarial examples, which greatly improves the success rate of black-box transfer-based attacks. They lay the theoretical and methodological foundation for understanding the vulnerability mechanism of deep learning models and discovering models' security holes.

2. For the inefficiency of black-box decision-based attacks, an evolutionary attack method is proposed for face recognition. It models the local geometry of the search direction and reduces the dimension of the search space in black-box decision-based attacks, effectively improving their efficiency; this lays the theoretical and methodological foundation for uncovering the security holes of face recognition models.

3. For the insufficient robustness of adversarially trained models, adversarial distributional training is proposed, which uses adversarial distributions to characterize the diverse adversarial examples around each original example and parameterizes these distributions through three adversarial attacks, laying the theoretical and methodological foundation for building more robust deep learning models.

4. For the lack of adversarial robustness evaluations, an adversarial robustness benchmark is constructed for image classification, which uses robustness curves to conduct fair and comprehensive robustness evaluation of many typical adversarial attack and defense algorithms. It lays the evaluation foundation for the further development of adversarial attack and defense algorithms.
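The abstract names two ideas that are easy to see on a small scale: the momentum term added to an iterative attack (contribution 1) and the robustness curve, i.e. robust accuracy plotted against the perturbation budget, used for evaluation (contribution 4). The following is an added, self-contained illustration written for this page; it is not code from the dissertation or its benchmark platform. It assumes a hand-chosen 2-D logistic-regression classifier in place of an image model, a constructed eight-example evaluation set, an L_inf budget, and hyperparameters (10 iterations, decay factor mu = 1.0) picked for illustration. Because the toy model is linear, the curve can be checked by hand: an example whose clean logit has magnitude below 2.3 * eps flips at budget eps.

```python
import math

# Constructed toy model: a fixed logistic-regression classifier on 2-D inputs
# (weights chosen by hand; not a trained model and not from the dissertation).
W = [1.5, -0.8]
B = 0.1

# Constructed evaluation set of (input, label) pairs, all correctly classified
# by the clean model so that accuracy at budget 0 is 1.0.
DATASET = [
    ([1.0, 0.0], 1),
    ([0.0, 1.0], 0),
    ([2.0, 1.0], 1),
    ([-1.0, 0.0], 0),
    ([0.0, -2.0], 1),
    ([0.5, 1.5], 0),
    ([1.0, 1.0], 1),
    ([-0.5, -0.5], 0),
]


def logit(x):
    return W[0] * x[0] + W[1] * x[1] + B


def predict(x):
    """Hard label: 1 if the logit is non-negative, else 0."""
    return 1 if logit(x) >= 0 else 0


def loss_gradient(x, y):
    """Gradient of the binary cross-entropy loss with respect to the input x."""
    p = 1.0 / (1.0 + math.exp(-logit(x)))
    return [(p - y) * W[0], (p - y) * W[1]]


def sign(v):
    return (v > 0) - (v < 0)


def momentum_iterative_attack(x, y, eps, iters=10, mu=1.0):
    """L_inf iterative gradient-sign attack with a momentum term.

    Each step normalizes the current gradient by its L1 norm, accumulates it
    into a velocity vector g with decay factor mu, moves x by alpha in the
    direction sign(g), and projects back onto the eps-ball around the clean x.
    This mirrors the momentum idea named in the abstract; the toy model and
    hyperparameters are assumptions made for this illustration.
    """
    alpha = eps / iters
    g = [0.0, 0.0]
    x_adv = list(x)
    for _ in range(iters):
        grad = loss_gradient(x_adv, y)
        l1 = sum(abs(v) for v in grad) or 1e-12
        g = [mu * g[i] + grad[i] / l1 for i in range(2)]
        x_adv = [x_adv[i] + alpha * sign(g[i]) for i in range(2)]
        # Projection: keep every coordinate within eps of the clean input.
        x_adv = [min(max(x_adv[i], x[i] - eps), x[i] + eps) for i in range(2)]
    return x_adv


def robust_accuracy(dataset, eps, attack=momentum_iterative_attack):
    """Fraction of examples still classified correctly after the attack at budget eps."""
    correct = 0
    for x, y in dataset:
        x_adv = x if eps == 0 else attack(x, y, eps)
        correct += predict(x_adv) == y
    return correct / len(dataset)


def robustness_curve(dataset, budgets):
    """Robust accuracy as a function of the perturbation budget: the robustness curve."""
    return [(eps, robust_accuracy(dataset, eps)) for eps in budgets]


if __name__ == "__main__":
    for eps, acc in robustness_curve(DATASET, [0.0, 0.1, 0.2, 0.4, 0.8, 1.2]):
        print(f"eps={eps:.1f}  robust accuracy={acc:.3f}")
```

Reading the whole curve rather than the accuracy at a single budget is the point of the evaluation: two models (or two defenses) that agree at one eps can diverge badly at another, and the curve also exposes an attack that is too weak, since a weak attack inflates robust accuracy across all budgets. On a real model the attack step would use automatic differentiation and the budgets would be expressed in pixel units, but the evaluation loop is the same.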