
Research On Image Adversarial Examples Defense Based On Joint Defense System

Posted on: 2021-01-22
Degree: Master
Type: Thesis
Country: China
Candidate: X S Zhang
GTID: 2428330614970755
Subject: Communication and Information System

Abstract/Summary:
In recent years, with the continuous development of deep learning, artificial intelligence has been applied more and more widely. It has achieved remarkable results in many fields, such as computer vision, natural language processing and speech processing. However, in image classification with convolutional neural networks, the network is subject to adversarial example attacks and produces wrong classifications. An adversarial attack generates adversarial examples by adding subtle perturbations to the image, and the convolutional neural network misclassifies the adversarial example with high confidence. Therefore, adversarial example attacks pose a serious threat to applications that rely on image recognition. This paper analyzes the basic principles of current adversarial attacks, summarizes the research status of adversarial example defense models, and proposes a defense system against adversarial examples. The main research results of this paper include the following aspects:

(1) An adversarial example joint defense system based on a detector and a dilated convolution denoising U-NET network (Dilated DUNET) is proposed. The defense system includes two parts: a detector and a denoising model. It has little effect on clean samples while ensuring effective defense performance. Specifically, the detector first discriminates the input example. If the input is classified as an adversarial example, it is passed to the denoising network to eliminate the adversarial perturbations, and the denoised example is then passed to the target network for recognition. If the detector classifies the input as a clean sample, the sample is passed directly to the target network for recognition.

(2) A detection method for adversarial examples is proposed. The detector trains its classifier in a way similar to adversarial training. First, clean examples are used to generate the corresponding adversarial examples. All clean examples are labeled as one class and all adversarial examples as another class, the two are combined into a training set, and a classifier is trained to distinguish adversarial examples from clean samples. The classifier is an ensemble composed of multiple base classifiers, and it uses the majority principle to reach the final decision. The experimental results show that the average detection accuracy of the detector on five common types of adversarial examples reaches 98.24%, so it can effectively detect multiple types of adversarial examples.

(3) A method for eliminating adversarial perturbations based on the dilated convolution denoising U-NET network is proposed. The architecture of the denoising network is based on the U-NET network. The horizontal connection that U-NET uses to transfer image details is changed to a combination of long and short connections, so that features of the same size and similar semantic information are merged, reducing the information loss caused by upsampling and downsampling in the U-NET network. At the same time, dilated convolution is used in the convolution layers to expand the receptive field of the model and enable it to capture richer image features. Through feature fusion and dilated convolution, the denoising network obtains a stronger learning ability. This paper defines a joint loss function composed of the weighted sum of Smooth L1 loss and image structural similarity (SSIM) loss. They evaluate the difference between the denoised example and the clean example in terms of the semantic content of the image and visual perception, respectively. Minimizing the joint loss function therefore trains the denoising network effectively, and the denoised output samples have classification performance similar to that of clean samples. The experimental results show that the average classification accuracy on the five types of adversarial examples after denoising reaches 90.98%, so the network can effectively eliminate adversarial perturbations.

The defense system composed of the detector and the denoising network can effectively enhance the robustness of the target network.
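The joint loss described in (3), as an added example that is not code from the thesis: a weighted sum of Smooth L1 and an SSIM-based term, evaluated on a constructed image. The weight `w`, the `beta` threshold, the pixel range [0, 1], the alternating-sign perturbation and the use of whole-image SSIM statistics instead of a sliding window are all assumptions; the abstract does not give these details.

```python
# Added illustration, not code from the thesis.
# Assumptions: weight w, beta, pixel range [0, 1], and SSIM computed from
# whole-image statistics rather than a sliding window.
C1, C2 = 0.01 ** 2, 0.03 ** 2  # usual SSIM stabilisers for dynamic range 1.0

def mean(values):
    return sum(values) / len(values)

def smooth_l1(x, y, beta=1.0):
    """Mean Smooth L1: quadratic below beta, linear above it."""
    total = 0.0
    for a, b in zip(x, y):
        d = abs(a - b)
        total += 0.5 * d * d / beta if d < beta else d - 0.5 * beta
    return total / len(x)

def ssim_global(x, y):
    """SSIM from global means, variances and covariance of two flat images."""
    mx, my = mean(x), mean(y)
    vx = mean([(a - mx) * (a - mx) for a in x])
    vy = mean([(b - my) * (b - my) for b in y])
    cov = mean([(a - mx) * (b - my) for a, b in zip(x, y)])
    return ((2 * mx * my + C1) * (2 * cov + C2)) / (
        (mx * mx + my * my + C1) * (vx + vy + C2))

def joint_loss(denoised, clean, w=0.5, beta=1.0):
    """w * SmoothL1 + (1 - w) * (1 - SSIM); w is a hypothetical weight."""
    if not clean or len(denoised) != len(clean):
        raise ValueError("images must be non-empty and the same size")
    return (w * smooth_l1(denoised, clean, beta)
            + (1 - w) * (1 - ssim_global(denoised, clean)))

def perturb(image, eps):
    """Constructed stand-in for a perturbation: alternating +eps / -eps."""
    return [p + (eps if i % 2 == 0 else -eps) for i, p in enumerate(image)]

# Constructed 4x4 grayscale image, flattened row by row.
CLEAN = [0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8,
         0.9, 0.8, 0.7, 0.6, 0.5, 0.4, 0.3, 0.2]
ADVERSARIAL = perturb(CLEAN, 0.03)   # perturbed input
DENOISED = perturb(CLEAN, 0.005)     # denoiser output with small residual

if __name__ == "__main__":
    print("loss(adversarial, clean):", joint_loss(ADVERSARIAL, CLEAN))
    print("loss(denoised, clean):   ", joint_loss(DENOISED, CLEAN))
    print("loss(clean, clean):      ", joint_loss(CLEAN, CLEAN))
```

The Smooth L1 term penalises per-pixel differences while the SSIM term penalises changes in overall structure, so a denoised output closer to the clean image scores lower on both.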
Keywords/Search Tags: Adversarial example, Convolutional neural network, Adversarial example detection, Dilated convolutional denoising U-NET network