Research On Image Classification Adversarial Attack Based On Multiobjective Evolution Model In The Black-box Scenario

Posted on: 2021-02-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y P Deng
GTID: 2428330611499433
Subject: Computer Science and Technology
Abstract/Summary:
Image classifiers based on deep learning models perform excellently but harbor serious security risks. For example, such classifiers have been found to misclassify images that have been tainted by a small perturbation. Attackers use this vulnerability to challenge the robustness of neural networks; this is called an adversarial attack, and the perturbed examples are referred to as adversarial examples. The essence of an adversarial attack is to seek the optimal perturbation so that the adversarial examples not only fool the target classifier but also minimize the perturbation, that is, to optimize the attack capability and the visual quality of the adversarial examples at the same time. In most attack scenarios, the attacker's knowledge of the classifier is very limited, so the attacker can only execute a black-box attack. A general black-box attack idea is to dynamically adjust the perturbation by continuously querying the classification results of the target classifier until the adversarial attack succeeds. In this scenario, how to obtain the optimal perturbation, and how to obtain it within a limited number of queries to the target model, is the key to achieving the adversarial attack. We focus on the problem that existing attack algorithms in black-box scenarios have difficulty simultaneously optimizing the adversarial attack power and the visual quality of the adversarial examples, and propose an image adversarial example generation framework (MOEA-AEGF) based on multi-objective evolution. The framework encodes the adversarial perturbation into an individual in the form of a chromosome and uses multi-objective evolution theory to optimize the perturbation. The result of the evolution is a set of diverse Pareto-optimal perturbations, and the attacker can formulate a filter strategy based on subjective preferences to finally determine one adversarial perturbation with which to carry out the attack. We propose a basic algorithm, MOEA-APGA, based on this framework, which includes individual coding, individual fitness assessment, evolutionary strategy and so on. MOEA-APGA achieved excellent results in the attack experiment on the grayscale image dataset (MNIST).

In the high-dimensional color image attack scenario, the optimization space becomes huge due to the sharp increase in the attack space, and the evolution efficiency is limited by the length of the individual encoding, which in turn makes the problem of attack efficiency more serious. To solve these problems, an improved algorithm, MOEA-APGA II, is proposed. After analyzing the preconditions for the success of the adversarial attack, we propose a segmented target function based on the index of the prediction probability to reduce invalid calculations during evolution. In the evolution process, we propose “the key position priority mutation strategy” and “the momentum-based adaptive amplitude strategy” to introduce heuristics that guide attacks. At the same time, based on the idea of the local correlation of images, we propose “the transformation of the pixel block with a random step size” to reasonably reduce the attack space and address the low efficiency and difficulty of attacking high-dimensional image data. The experimental results on three benchmark image datasets with different dimensions show that, compared with the One-pixel attack, the ZOO attack and the AutoZOOM attack, our algorithm achieves a higher success rate with fewer queries while ensuring that the visual quality of the adversarial examples does not deteriorate. In addition, the results of attacking a target model with defensive distillation and attacking a more complex deep learning model also show that the proposed algorithm has strong attack capability in the black-box scenario.
Keywords/Search Tags: adversarial examples, black-box attack, deep neural networks, image classification, multi-objective optimization