
Research On Adversarial Defense Methods For Image Classification

Posted on: 2021-05-07
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Wu
Full Text: PDF
GTID: 2428330611466932
Subject: Computer Science and Technology

Abstract/Summary:
In recent years, deep neural networks (DNNs) have developed rapidly. Convolutional neural networks (CNNs), one of the most important kinds of DNN, have achieved remarkable performance in many fields, such as computer vision, natural language processing and speech recognition. However, Szegedy et al. first found that CNNs are extremely vulnerable to specially crafted adversarial examples, which differ negligibly from the original images but can severely confuse a CNN into making incorrect predictions in image classification. Such adversarial attacks pose serious security threats to the use of CNNs in image classification applications with high security requirements, so it is necessary and meaningful to study how to resist adversarial attacks effectively. Although scholars have put forward many kinds of adversarial defense methods, and the High-Level Representation Guided Denoiser (HGD) won first place in the NIPS 2017 competition on Defense against Adversarial Attacks, we find that HGD's loss function has a problem: the reconstruction cost of a misclassified image may be less than or equal to the cost of a correctly classified image. In addition, a single defense method cannot resist adversarial examples produced by different attack methods and attack intensities.

Based on the HGD model, we propose an improved method, the Weighted High-Level Representation Guided Denoiser (WHGD), which introduces a weight vector into HGD's loss function to overcome this problem, and we prove the feasibility of WHGD in detail, both theoretically and mathematically. Furthermore, we extend WHGD from a reconstructor to a detector, which is responsible for determining whether an input is beyond the ability of the WHGD reconstructor. In view of the shortcomings of a single defense strategy, we propose a hybrid defense system for joint adversarial example detection and reconstruction. It consists of a large adversarial perturbation detector, WHGD reconstructors, WHGD detectors and special WHGD reconstructors, of which the WHGD detectors and special reconstructors are optional. When all optional modules are selected, an input sample is first classified by the large adversarial perturbation detector and then passed to a different WHGD detector according to its category. If the detector judges the input sample to be beyond the ability of the WHGD reconstructor, the sample is passed to a special WHGD reconstructor; otherwise, it is sent directly to the WHGD reconstructor. Finally, the output of whichever reconstructor was used is passed to the target network for classification. Experimental results show that our proposed WHGD algorithm and hybrid defense system can effectively defend against different kinds of attack methods and attack intensities.
Keywords/Search Tags: Convolutional neural networks, Image Classification, Adversarial Example, Adversarial defense