Research On Detection Method Against Adversarial Example Based On Attention Mechanism

Posted on: 2021-04-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Gong
Full Text: PDF
GTID: 2428330614950016
Subject: Software engineering
Abstract/Summary:
In recent years, machine learning has greatly improved image recognition. However, research shows that even deep neural network models whose decisions are considered reliable are vulnerable to adversarial attacks. Adversarial examples, generated by adding small perturbations to legitimate examples, cause models to produce erroneous outputs that lack interpretability, which poses a serious threat to system security. This paper therefore uses attention mechanisms to understand the basis of a model's decisions on examples, and studies detection methods against adversarial examples from two perspectives: the features of examples' attention maps, and attention feature distance spaces. This has practical significance for explaining why adversarial examples cause models to err and for implementing adversarial defenses.

Under attention mechanisms, the attention maps of adversarial examples display characteristic information that differs from that of legitimate examples. This paper therefore studies detection methods for adversarial examples based on features of attention maps. Using a single feature of an example, this paper designs an adversarial example detection method based on texture features of attention maps: texture features based on the gray level co-occurrence matrix are extracted from the attention maps of a large number of legitimate and adversarial examples, feature statistical histograms are drawn, and a threshold policy is adopted. To make full use of the feature information in examples' attention maps, this paper additionally designs a multi-feature detection method based on statistical features of attention maps. A variety of statistical features, including contrast, energy, correlation and entropy based on the gray level co-occurrence matrix, as well as mean, standard deviation and kurtosis, are extracted from the attention maps of legitimate and adversarial examples to train support vector machine-based detectors.

During forward propagation, adversarial examples produce attention feature outputs that differ from those of legitimate examples inside multiple hidden layers of convolutional neural networks. This paper therefore further studies a detection method for adversarial examples based on attention feature distance space. The attention outputs of examples from multiple hidden layers of the model are used to form attention feature spaces, and legitimate examples are used to embed the central points in each space. Trajectories of attention outputs are encoded by calculating relative position sequences between the attention feature outputs and the central points. The distance sequences obtained from legitimate and adversarial examples are then used to train detectors based on long short-term memory networks.

This paper uses the CIFAR-10 and ImageNet datasets, with VGG19 and ResNet50 as target models, to test the detection methods against gradient-based attacks. Results show that the detection method based on attention maps' texture features has a good detection effect against high-dimensional adversarial examples generated by untargeted iterative attacks, with a detection AUC value close to 100%. Compared with using only the texture feature, detection based on the statistical features of attention maps is better for targeted iterative attacks, and the detection AUC value on CIFAR-10 is increased by about 10.3%. In addition, detection based on the features of attention maps has the advantage of being simple and fast. The detection method based on attention feature distance space has excellent detection results for both single-step and iterative attacks; the average detection AUC values on CIFAR-10 and ImageNet are about 97.02% and 99.63% respectively. The detection methods designed in this paper based on attention mechanisms not only increase the interpretability of models but also improve the security of systems.
Keywords/Search Tags: adversarial example, adversarial defense, detection, attention mechanism
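An added illustration, not code from the thesis: the statistical feature vector the abstract lists (contrast, energy, correlation and entropy from the gray level co-occurrence matrix, plus mean, standard deviation and kurtosis), computed in dependency-free Python on two constructed maps. The function names, the one-pixel horizontal offset, the 4 gray levels and the energy definition (sum of squared matrix entries) are assumptions; the abstract does not state the thesis's choices.

```python
import math

def glcm(img, levels, dx=1, dy=0):
    """Symmetric, normalized gray level co-occurrence matrix for offset (dx, dy)."""
    counts = [[0.0] * levels for _ in range(levels)]
    h, w = len(img), len(img[0])
    for y in range(h):
        for x in range(w):
            y2, x2 = y + dy, x + dx
            if 0 <= y2 < h and 0 <= x2 < w:
                a, b = img[y][x], img[y2][x2]
                counts[a][b] += 1  # pair seen in the offset direction
                counts[b][a] += 1  # and in reverse, so the matrix is symmetric
    total = sum(map(sum, counts)) or 1.0  # no pairs (1-pixel-wide map): all zeros
    return [[c / total for c in row] for row in counts]

def attention_map_features(img, levels):
    """Seven features: four GLCM statistics plus three pixel statistics."""
    p = glcm(img, levels)
    cells = [(i, j, p[i][j]) for i in range(levels) for j in range(levels)]
    mu = sum(i * v for i, _, v in cells)  # symmetric GLCM: row mean == column mean
    var = sum((i - mu) ** 2 * v for i, _, v in cells)
    cov = sum((i - mu) * (j - mu) * v for i, j, v in cells)
    pix = [v for row in img for v in row]
    mean = sum(pix) / len(pix)
    std = math.sqrt(sum((v - mean) ** 2 for v in pix) / len(pix))
    return {
        "contrast": sum((i - j) ** 2 * v for i, j, v in cells),
        "energy": sum(v * v for _, _, v in cells),  # assumed: angular second moment
        "correlation": cov / var if var else 1.0,   # constant map: defined as 1
        "entropy": -sum(v * math.log2(v) for _, _, v in cells if v > 0),
        "mean": mean,
        "std": std,
        "kurtosis": sum((v - mean) ** 4 for v in pix) / (len(pix) * std ** 4) if std else 0.0,
    }

# Constructed 4x4 maps quantized to 4 gray levels (not data from the thesis).
GRADIENT = [[0, 1, 2, 3] for _ in range(4)]                           # smooth ramp
CHECKER = [[3 * ((x + y) % 2) for x in range(4)] for y in range(4)]   # high-frequency

if __name__ == "__main__":
    for name, m in (("gradient", GRADIENT), ("checker", CHECKER)):
        feats = attention_map_features(m, levels=4)
        print(name, {k: round(v, 3) for k, v in feats.items()})
```

A vector like this is what a threshold on one texture feature, or a support vector machine over all seven, would take as input in the two attention-map detectors the abstract describes.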