
Research And Application On Adversarial Training Defense Strategy

Posted on: 2021-01-15
Degree: Master
Type: Thesis
Country: China
Candidate: H Chen
Full Text: PDF
GTID: 2428330614466012
Subject: Software engineering
Abstract/Summary:
Deep learning models have been widely applied to security-related tasks such as facial recognition, biological monitoring, and automated driving. The vulnerability of deep models has also spawned a series of studies on attack and defense, which have gradually gained widespread attention in the field of information security. The Black-Box attack is a common type of attack in real-world scenarios, in which attackers can mislead the target model without obtaining information such as its specific structure and parameters. Generally, a substitute model is trained to approximate the target model, so that attackers can use the information of the substitute model to generate adversarial examples with which to attack the unknown target model.

In order to ensure the security of deep learning models in actual scenarios, it is necessary to explore the reasons for their vulnerability to adversarial attacks and to devise better strategies to improve the models' defense performance. One effective defense algorithm is adversarial training, but traditional adversarial training methods have their shortcomings. Single-model adversarial training struggles to defend against Black-Box attacks. Ensemble adversarial training can alleviate this problem but is easily broken by adversarial examples with strong transferability. To solve the above problems, an adversarial strength search strategy is added to traditional ensemble adversarial training, giving the Batch-Mixed adversarial training algorithm. The proposed algorithm can ensure the performance of the target model under Black-Box and diversified attacks without significantly reducing the target model's classification accuracy on clean examples.

In addition, adversarial training can improve the robustness of the target model against one-step attacks, but not against unknown iterative attacks. Cascade adversarial training can relieve this problem, but it can easily be broken by a new type of attack, namely the blind-spot attack. In order to improve the performance of the target model under blind-spot attacks, we have incorporated the ideas of pre-training and fine-tuning into cascade adversarial training. Through pre-training and fine-tuning, we obtain a pre-trained model that has specific defense capabilities against blind-spot attacks. At the same time, following the ensemble idea, we train a network by injecting adversarial examples iteratively crafted from multiple pre-trained defended models. One-step adversarial examples crafted from the target model itself are also employed in adversarial training. The performance of the target model when facing blind-spot and Black-Box attacks can be significantly improved. Finally, the Batch-Mixed adversarial training defense strategy is applied to a traffic sign recognition system to verify the effectiveness of the proposed defense algorithm in actual scenarios.
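The ensemble adversarial training procedure the abstract describes (inject adversarial examples crafted from several frozen, pre-trained substitute models alongside one-step examples crafted from the target itself, then measure the defended model under a transfer attack from a model the defender never saw) is shown below as an added, stand-alone example. It is not code from the thesis: the thesis's Batch-Mixed adversarial strength search is not described on this page and is not implemented here. The example assumes a toy 2-D logistic-regression model, FGSM as the one-step attack, a constructed Gaussian-blob dataset, and the constants `EPS`, `LR` and `EPOCHS`, all of which are choices made for the illustration.

```python
"""Toy ensemble adversarial training with a black-box (transfer) evaluation.
Added example; the model, data and attack budget are constructed assumptions."""
import math
import random

EPS = 0.5      # constructed L_inf budget for the one-step (FGSM) perturbation
LR = 0.1       # constructed learning rate
EPOCHS = 20    # constructed number of passes over the training data


def sigmoid(z):
    z = max(-60.0, min(60.0, z))          # clamp to avoid overflow in exp()
    return 1.0 / (1.0 + math.exp(-z))


def predict_prob(model, x):
    """P(y = 1 | x) for a 2-D logistic-regression model [w0, w1, b]."""
    w0, w1, b = model
    return sigmoid(w0 * x[0] + w1 * x[1] + b)


def sign(v):
    return 1.0 if v > 0 else (-1.0 if v < 0 else 0.0)


def fgsm(model, x, y, eps=EPS):
    """One-step adversarial example x + eps * sign(d loss / d x).
    For binary cross-entropy the input gradient is (p - y) * w."""
    w0, w1, _ = model
    p = predict_prob(model, x)
    return [x[0] + eps * sign((p - y) * w0), x[1] + eps * sign((p - y) * w1)]


def sgd_step(model, x, y, lr=LR):
    """One gradient step on cross-entropy; returns the updated model."""
    w0, w1, b = model
    err = predict_prob(model, x) - y
    return [w0 - lr * err * x[0], w1 - lr * err * x[1], b - lr * err]


def make_dataset(n, rng):
    """Constructed data: class 0 near (-1, -1), class 1 near (1, 1), Gaussian noise."""
    data = []
    for _ in range(n):
        y = rng.randint(0, 1)
        c = 1.0 if y == 1 else -1.0
        data.append(([c + rng.gauss(0, 0.5), c + rng.gauss(0, 0.5)], y))
    return data


def train_clean(data, seed):
    """Ordinary training; also used to build the frozen substitute models."""
    rng = random.Random(seed)
    model = [rng.uniform(-0.1, 0.1), rng.uniform(-0.1, 0.1), 0.0]
    for _ in range(EPOCHS):
        for x, y in data:
            model = sgd_step(model, x, y)
    return model


def train_ensemble_adversarial(data, substitutes, seed):
    """Ensemble adversarial training: next to every clean example, inject an
    adversarial example crafted from a randomly chosen frozen substitute model
    or, one-step, from the current target model itself."""
    rng = random.Random(seed)
    model = [rng.uniform(-0.1, 0.1), rng.uniform(-0.1, 0.1), 0.0]
    for _ in range(EPOCHS):
        for x, y in data:
            model = sgd_step(model, x, y)
            source = rng.choice(substitutes + ["target"])
            x_adv = fgsm(model if source == "target" else source, x, y)
            model = sgd_step(model, x_adv, y)
    return model


def accuracy(model, data):
    correct = sum(1 for x, y in data if (predict_prob(model, x) >= 0.5) == (y == 1))
    return correct / len(data)


def black_box_accuracy(target, attacker, data):
    """Accuracy of `target` on FGSM examples crafted from a held-out `attacker`
    model: a transfer attack that never touches the target's parameters."""
    return accuracy(target, [(fgsm(attacker, x, y), y) for x, y in data])


def run_experiment(seed=0):
    """Compare plain and ensemble-adversarially trained models on clean data and
    under a transfer attack from a model that was not in the training ensemble."""
    rng = random.Random(seed)
    train, test = make_dataset(400, rng), make_dataset(200, rng)
    substitutes = [train_clean(make_dataset(400, rng), seed + i) for i in (1, 2)]
    held_out_attacker = train_clean(make_dataset(400, rng), seed + 3)
    plain = train_clean(train, seed + 10)
    defended = train_ensemble_adversarial(train, substitutes, seed + 10)
    return {
        "plain_clean": accuracy(plain, test),
        "plain_black_box": black_box_accuracy(plain, held_out_attacker, test),
        "defended_clean": accuracy(defended, test),
        "defended_black_box": black_box_accuracy(defended, held_out_attacker, test),
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name}: {value:.3f}")
```

The evaluation keeps the attacker's model out of the training ensemble on purpose: a Black-Box attacker trains its own substitute, so measuring robustness only against the substitutes the defender trained on would overstate the defense. On a linear toy model the robustness gain is small by construction (the boundary of a logistic regression cannot bend); the point of the example is the data flow, which is the same for the deep models the abstract is about.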
Keywords/Search Tags:Deep Learning, Black-Box Attack, Ensemble Adversarial Training, Greedy Search, Cascade Adversarial Training