
Research And Application On Ensemble Adversarial Machine Learning

Posted on: 2020-12-20
Degree: Master
Type: Thesis
Country: China
Candidate: J Hang
Full Text: PDF
GTID: 2428330590995848
Subject: Software engineering

Abstract/Summary:
Deep learning (DL) models have been widely applied to security-sensitive tasks such as facial recognition, security monitoring, and automated driving. Attacks on and defenses for DL models have gradually become hot spots in the field of information security. The black-box attack is the most frequently used attack type in the real world. Without knowing the specific structure, parameters, data set, etc., the attacker can query the target system and establish a substitute model based on the observed input-output pairs. The attacker can then generate adversarial examples for the substitute model, and these adversarial examples may transfer to the target system and disrupt it. Two types of ensemble-based black-box attack strategies are proposed to explore the vulnerability of DL models, and they effectively demonstrate the relationship between the transferability of adversarial examples and the diversity of the substitute ensemble. Owing to the existence of adversarial examples, a reasonable analysis of the vulnerability of DL models and the design of more robust models against black-box attacks has become an urgent topic. Traditional adversarial training defenses based on a single model are not effective at defending against black-box attacks, while ensemble adversarial training based on multiple models has difficulty resisting adversarial examples with stronger transferability. Thus, an adversarial example strength search strategy is integrated into the original ensemble adversarial training method, and the superior adversarial example strength is selected for batch-mixed adversarial training. A quantized input mechanism is used to reduce the dimension of the adversarial example space and mitigate the transferability of adversarial examples, giving the model the ability to resist black-box attacks without losing accuracy on the test set. In this paper, the effectiveness of the ensemble adversarial black-box attack strategy and of batch-mixed adversarial training is verified in a traffic sign recognition application. In addition, in order to accelerate the generation of adversarial examples and the ensemble adversarial training process, a distributed framework is used to realize distributed training of deep neural networks.
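Added illustration (not the thesis's own code): a pure-Python toy of the two defenses the abstract describes, batch-mixed adversarial training and input quantization, on a constructed two-feature logistic-regression model. It assumes an FGSM-style sign-gradient step as the adversarial-example generator and does not reproduce the thesis's strength-search rule, so the strength is a parameter.

```python
import math
# Constructed toy data: class 0 near the origin, class 1 near (1, 1).
DATA = [((0.1, 0.1), 0), ((0.2, 0.1), 0), ((0.1, 0.2), 0), ((0.2, 0.2), 0),
        ((0.8, 0.8), 1), ((0.9, 0.8), 1), ((0.8, 0.9), 1), ((0.9, 0.9), 1)]

def prob(model, x):
    """P(y=1 | x) for the logistic model (w, b)."""
    w, b = model
    return 1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))

def loss(model, x, y):
    """Cross-entropy loss of one example."""
    p = min(max(prob(model, x), 1e-12), 1 - 1e-12)
    return -math.log(p if y == 1 else 1 - p)

def quantize(x, levels):
    """Input quantization: snap each feature to one of `levels` points in [0, 1]."""
    return tuple(round(xi * (levels - 1)) / (levels - 1) for xi in x)

def perturb(model, x, y, eps):
    """Sign-gradient adversarial example (assumed FGSM-style generator), clipped to [0, 1]."""
    g = prob(model, x) - y  # d(loss)/dz for the logistic loss
    return tuple(min(1.0, max(0.0, xi + eps * (1 if g * wi > 0 else -1)))
                 for xi, wi in zip(x, model[0]))

def train(data, eps, levels, epochs=400, lr=1.0):
    """Batch-mixed adversarial training: each step sees the clean batch plus adversarial
    copies made at strength eps against the current model (eps=0: plain training)."""
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        model = (w, b)
        batch = [(quantize(x, levels), y) for x, y in data]  # defended model quantizes first
        if eps > 0:
            batch += [(quantize(perturb(model, x, y, eps), levels), y) for x, y in data]
        dw, db = [0.0, 0.0], 0.0
        for x, y in batch:
            g = prob(model, x) - y
            dw = [dwi + g * xi for dwi, xi in zip(dw, x)]
            db += g
        w = [wi - lr * dwi / len(batch) for wi, dwi in zip(w, dw)]
        b -= lr * db / len(batch)
    return (w, b)

def accuracy(model, data, eps=0.0, levels=11):
    """Accuracy of the quantized model on clean (eps=0) or perturbed inputs."""
    hits = 0
    for x, y in data:
        x_eval = perturb(model, x, y, eps) if eps > 0 else x
        hits += (prob(model, quantize(x_eval, levels)) >= 0.5) == (y == 1)
    return hits / len(data)
```

Sweeping eps in accuracy() over a list of candidate strengths is the kind of measurement a strength-search strategy would be built on.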
Keywords/Search Tags: Black-Box Attack, Transferability, Diversity, Ensemble Adversarial Training, Distributed Training