
Research On Black-box Adversarial Attack Based On Bayes Optimization And Wavelet Transform

Posted on: 2021-04-28    Degree: Master    Type: Thesis
Country: China    Candidate: L X Liu    Full Text: PDF
GTID: 2428330605982478    Subject: Computer technology
Abstract/Summary:
An adversarial example is a maliciously crafted input that misleads a neural network into making a wrong prediction. Because such examples exist, applications built on machine learning and deep learning face security risks, so studying how adversarial examples are generated and how adversarial attacks work is of real practical value for testing and improving the robustness of neural network classifiers. A black-box attack does not need to know the internal structure of the model: it guides the attack either by building a surrogate of the target model or by querying the target model. Compared with white-box attacks, black-box attacks are therefore better suited to real-world settings. However, existing black-box attack methods still require a large number of model queries. This thesis therefore proposes two black-box attack methods, BOBA (Bayesian Optimization Black-box Attack) and WTDS (black-box attack based on Wavelet Transformation and Dynamic Sampling), to reduce the number of model queries.

BOBA uses Bayesian optimization to select the positions in the clean example where a perturbation is most effective, which greatly reduces the number of model queries: BOBA can produce an effective adversarial example by changing only a few positions of the clean example. After giving the algorithmic framework of BOBA, the thesis elaborates its key steps. (1) A black-box objective function is constructed that maps a perturbation position and perturbation value to the model's confidence in the correct class. (2) An effective adversarial example is generated over several iterations; in each iteration, one effective perturbation position and perturbation value are obtained by Bayesian optimization. (3) The Bayesian optimization itself proceeds as follows: a small amount of sampled data is first used to build a surrogate model of the black-box objective function; then, based on that surrogate, an acquisition (sampling) function repeatedly selects the most promising sampling location, and the value sampled there is used to update the surrogate model.

WTDS combines gradient estimation with gradient descent, iteratively superimposing perturbations on the clean example until it produces an adversarial example that misleads the model. WTDS uses the discrete wavelet transform to separate the clean example into its high-frequency and low-frequency components, and superimposes perturbations only on the low-frequency component. To reduce the number of model queries, WTDS dynamically adjusts the sampling points during gradient estimation. The thesis presents the algorithmic framework of WTDS and describes its key steps. (1) The discrete wavelet transform separates the attacked example into low-frequency and high-frequency components. (2) A natural evolution strategy is used to estimate the gradient with respect to the low-frequency component iteratively. (3) Within the natural evolution strategy, a dynamic sampling strategy is adopted to increase randomness, and the current gradient estimate and the historical gradient estimates together guide the update of the low-frequency component, until an effective adversarial example is generated.

Finally, the two methods are evaluated on the CIFAR-10 and ILSVRC-2012 data sets respectively and compared with five other black-box attack methods. The results show that BOBA achieves a 90% attack success rate while changing only three pixels of the clean example, and reduces the number of model queries by 88% to 93%. WTDS achieves a 100% attack success rate; compared with the other black-box attack methods, it reduces the number of model queries by 23% to 84% for both targeted and untargeted attacks.
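As an added illustration (not code from the thesis), the following Python sketch implements the WTDS procedure described above against a constructed black-box target: a tiny fixed linear-softmax classifier on 4x4 grey images that the attacker can only query for output probabilities, with every query counted. The one-level Haar transform, the NES estimator on the LL band, the per-iteration random probe count standing in for the thesis's dynamic sampling rule (which the abstract does not specify), the momentum mix with the previous estimate, and all constants (eps, sigma, the clean image) are assumptions of this example, not values from the thesis; BOBA's Bayesian-optimization loop is not shown.

```python
import math
import random

QUERIES = [0]  # every call to the black box is counted here

def black_box(x):
    """Constructed stand-in for the target: a fixed 3-class linear-softmax
    classifier over a 4x4 grey image (row-major list of 16 floats). The attacker
    only sees the returned probability vector, never the weights."""
    QUERIES[0] += 1
    left_minus_right = sum(x[i] if i % 4 < 2 else -x[i] for i in range(16))
    top_minus_bottom = sum(x[i] if i < 8 else -x[i] for i in range(16))
    logits = [left_minus_right, -left_minus_right, top_minus_bottom]
    m = max(logits)
    e = [math.exp(v - m) for v in logits]
    return [v / sum(e) for v in e]

def predicted(x):
    p = black_box(x)
    return p.index(max(p))

def haar_dwt(x):
    """One-level 2-D Haar transform of a 4x4 image: returns the 2x2 low-frequency
    block LL and the three 2x2 detail blocks (LH, HL, HH)."""
    ll, lh, hl, hh = [], [], [], []
    for r in (0, 2):
        for c in (0, 2):
            a, b = x[r * 4 + c], x[r * 4 + c + 1]
            d, e = x[(r + 1) * 4 + c], x[(r + 1) * 4 + c + 1]
            ll.append((a + b + d + e) / 2)
            lh.append((a + b - d - e) / 2)
            hl.append((a - b + d - e) / 2)
            hh.append((a - b - d + e) / 2)
    return ll, lh, hl, hh

def haar_idwt(ll, lh, hl, hh):
    """Exact inverse of haar_dwt."""
    x = [0.0] * 16
    for k, (r, c) in enumerate(((0, 0), (0, 2), (2, 0), (2, 2))):
        x[r * 4 + c] = (ll[k] + lh[k] + hl[k] + hh[k]) / 2
        x[r * 4 + c + 1] = (ll[k] + lh[k] - hl[k] - hh[k]) / 2
        x[(r + 1) * 4 + c] = (ll[k] - lh[k] + hl[k] - hh[k]) / 2
        x[(r + 1) * 4 + c + 1] = (ll[k] - lh[k] - hl[k] + hh[k]) / 2
    return x

def nes_gradient(ll, details, label, n_pairs, sigma, rng):
    """NES estimate of d(loss)/d(LL) with antithetic Gaussian probes, where
    loss = -log p_label. Each call costs exactly 2 * n_pairs queries."""
    grad = [0.0] * len(ll)
    for _ in range(n_pairs):
        u = [rng.gauss(0.0, 1.0) for _ in ll]
        for sign in (1.0, -1.0):
            probe = [c + sign * sigma * ui for c, ui in zip(ll, u)]
            p = black_box(haar_idwt(probe, *details))[label]
            loss = -math.log(max(p, 1e-12))
            for k, ui in enumerate(u):
                grad[k] += sign * loss * ui
    return [g / (2 * n_pairs * sigma) for g in grad]

def wtds_attack(x0, label, rng, eps=0.05, sigma=0.1, momentum=0.5,
                pairs=(2, 6), max_iter=300):
    """WTDS-style untargeted attack: only the LL band is perturbed, the number of
    NES probe pairs is redrawn every iteration (assumed stand-in for dynamic
    sampling), and the current estimate is mixed with the previous one before a
    signed ascent step on -log p_label. Pixel-range clipping and a distortion
    budget are omitted to keep the example short."""
    start = QUERIES[0]
    ll, *details = haar_dwt(x0)
    prev = [0.0] * len(ll)
    total_pairs = 0
    x_adv = x0
    for it in range(1, max_iter + 1):
        n_pairs = rng.randint(*pairs)
        total_pairs += n_pairs
        g = nes_gradient(ll, details, label, n_pairs, sigma, rng)
        g = [momentum * a + (1 - momentum) * b for a, b in zip(prev, g)]
        prev = g
        ll = [c + eps * (1.0 if gi >= 0 else -1.0) for c, gi in zip(ll, g)]
        x_adv = haar_idwt(ll, *details)  # detail bands are carried over untouched
        if predicted(x_adv) != label:  # one more query per iteration
            return {"success": True, "x_adv": x_adv, "iterations": it,
                    "pairs": total_pairs, "queries": QUERIES[0] - start}
    return {"success": False, "x_adv": x_adv, "iterations": max_iter,
            "pairs": total_pairs, "queries": QUERIES[0] - start}

# Constructed clean example: bright left half, dark right half (class 0).
CLEAN = [0.7 if i % 4 < 2 else 0.3 for i in range(16)]

def demo(seed=0):
    rng = random.Random(seed)
    return wtds_attack(CLEAN, predicted(CLEAN), rng)

if __name__ == "__main__":
    r = demo()
    print("success:", r["success"], "iterations:", r["iterations"],
          "queries:", r["queries"], "new label:", predicted(r["x_adv"]))
```

The point to watch is the accounting: the attacker's cost is exactly 2 probe pairs per NES call plus one confirmation query per iteration, and the search runs over four LL coefficients instead of sixteen pixels, which is where the query saving of a wavelet-restricted attack comes from. A practitioner would add clipping to the valid pixel range and a distortion budget before using this against a real model.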
Keywords/Search Tags:Black-box Adversarial Attack, Deep Learning, Bayesian Optimization, Wavelet Transform, Dynamic Sampling