
Research On Black-box Attack Methods In Image Adversarial Examples Generation

Posted on: 2021-05-25
Degree: Master
Type: Thesis
Country: China
Candidate: Q C Liu
Full Text: PDF
GTID: 2428330614465716
Subject: Software engineering
Abstract/Summary:
In recent years, with the maturing of big data technology and improvements in the computing capability of hardware devices, deep neural networks have developed rapidly. The convolutional neural network is a deep neural network with powerful feature extraction capabilities, and it has been widely used in computer vision, speech recognition and natural language processing. However, recent research shows that convolutional neural networks are vulnerable to adversarial attacks. This phenomenon was first reported in the field of image classification: by adding artificially designed perturbations to clean images, convolutional neural networks can be made to misclassify them. Adversarial attacks are divided into white-box and black-box attacks. In actual attack scenarios, the internal information of the target model is mostly unknown. It is therefore more practical to study black-box attacks, and two methods of adversarial example generation are presented.

First, we apply Nesterov momentum to an adversarial example generation method. DeepFool iteratively generates a perturbation based on the gradient of the objective function, and the transferability of the resulting adversarial examples makes a black-box attack possible. However, the algorithm falls into local extrema during iteration, which prevents it from obtaining the optimal perturbation and limits the strength of the black-box attack. Inspired by the Nesterov momentum optimization algorithm, we introduce Nesterov momentum into the iterative process to break out of local extremum regions and stabilize the algorithm's iteration direction, achieving a stronger attack effect.

Second, unlike classical perturbation-generation methods that rely on model information, we propose a method for generating semantic adversarial examples based on the color model. Based on the shape bias property of the human cognitive system and of model recognition, we transform the color model and perturb the color channels to generate adversarial examples. Because the target model is unknown during the generation process, these adversarial examples constitute a black-box attack. Our method shows that convolutional neural networks tend to learn surface statistical regularities in the dataset rather than higher-level semantic features of images.

We propose two types of black-box attack, based on Nesterov momentum and on transformation of the color model. Both methods achieve effective black-box attacks, so our work has practical reference value: before a convolutional neural network is put into practical use, our methods can be used to evaluate the robustness of the model.
Keywords/Search Tags: Adversarial Examples, Convolutional Neural Network, Nesterov Momentum, Transferability, Semantic Feature, Black-box Attack