
Research On Attack And Defense Algorithm Of Image Adversarial Examples Based On Generative Adversarial Network

Posted on: 2020-05-06
Degree: Master
Type: Thesis
Country: China
Candidate: L Y Jiang
Full Text: PDF
GTID: 2428330620453231
Subject: Information and Communication Engineering
Abstract/Summary:
With the rapid development of deep neural networks in recent years, artificial intelligence has achieved great success in many fields, such as image classification, text processing and speech recognition. As a transformative technology it has brought enormous economic and social benefits, but it has also raised the question of the security of artificial intelligence itself. Researchers have recently shown that deep neural networks are vulnerable to adversarial examples: carefully crafted samples that look similar to the original samples but are designed to mislead a pretrained model. Adversarial examples pose a potential security threat, since they can be used to attack or mislead practical artificial intelligence systems such as autonomous driving and face-recognition payment. In recent years, attack algorithms and defense algorithms have been proposed against each other, forming a virtuous cycle that steadily raises the security of artificial intelligence. Research on attack and defense algorithms for adversarial examples is therefore of great value to the development of artificial intelligence security.

From the mechanism by which adversarial examples are generated, the adversarial example and the clean sample can be regarded as two different data distributions, and each can be transformed into the other by adding a specific perturbation. A generative adversarial network converts a noise distribution into an image distribution through the game between its generator and discriminator, that is, it performs a migration between data distributions, and it has been applied successfully in many fields. It is therefore possible to learn the relationship between the two distributions, adversarial examples and clean samples, with a generative adversarial network. This shifts the object of study from a single adversarial example to the distribution of adversarial examples, and provides a new research framework for efficiently generating adversarial examples with high transferability and for effectively restoring adversarial examples. Building on the advantage of generative adversarial networks in data distribution migration, this thesis studies attack and defense algorithms from the perspective of the data distributions of clean samples and adversarial examples. The main contributions are as follows:

1. Existing adversarial attack and defense algorithms are developed separately, so improvements in attack and defense performance lag behind one another and are hard to drive jointly within a single framework. This thesis proposes an integrated attack-and-defense algorithm for adversarial examples based on a cycle-consistent generative adversarial network. Using cycle consistency, the algorithm combines adversarial attack and adversarial defense in one unified framework in which an attack generator and a defense generator are trained against each other continuously, so that the offensive and defensive performance improve together and attack and defense are finally integrated. Experiments on MNIST and CIFAR-10 show that the proposed algorithm achieves attack success rates of 97.46% and 94.80% and defense success rates of 98.12% and 54.82% on the two datasets respectively, indicating that it improves both attack and defense capability, achieves the integration of attack and defense, and has better transferability.

2. Traditional de-perturbation defense algorithms usually require a training set of matched pairs of adversarial examples and clean samples, which is difficult to guarantee in practice. This thesis proposes an unsupervised adversarial perturbation elimination algorithm based on disentangled representations to solve this problem. The algorithm introduces a cycle-consistency loss and perturbation branches to handle unmatched datasets, extracts perturbation features and content features separately with a perturbation encoder and a content encoder, and separates the two, thereby achieving effective de-perturbation. Experiments on MNIST and CIFAR-10 show that the proposed algorithm achieves defense success rates of 96.81% and 50.63% on the two datasets respectively, indicating good defense performance and an improved visual quality of the restored images.

3. For adversarial patch generation attacks, it is usually difficult to generate multi-target adversarial patches with a single model. This thesis proposes a conditional adversarial patch generation algorithm based on an attention mechanism to solve this problem. Built on a conditional generative adversarial network, the algorithm feeds the target category information into the patch generation framework and uses an attention mechanism to locate the key regions of the image in which to place the patch, so that a single generator produces multi-target adversarial patches and carries out multi-target attacks. Experiments on a subset of the natural-image dataset ImageNet show that the targeted attack success rate reaches 73.00% on average in the white-box setting and 51.96% in the black-box setting, indicating that the algorithm effectively achieves multi-target attacks, improves visual quality, and significantly reduces training cost and model storage, with good transferability.
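The following is an added worked example, not code from the thesis: it makes concrete the two notions the abstract relies on, an adversarial example (a small, bounded perturbation that flips a trained classifier) and transferability (the same perturbation also flipping an independently trained model). Because the page gives no code, the attack here is a plain gradient-sign perturbation against a logistic-regression classifier on constructed synthetic data, standing in for the thesis's GAN attack generator; the dimension, sample count, epsilon and the `attack_success_rate` definition are assumptions chosen for the illustration.

```python
"""Added example (not the thesis's code): gradient-sign adversarial examples and
transferability on a constructed synthetic task, with the attack success rate metric."""
import numpy as np

D, N, EPS = 200, 2000, 0.3   # feature dimension, samples, L-inf budget (assumed values)


def make_data(rng, n=N, d=D, shift=0.2):
    """Constructed two-class Gaussian data: class y in {0,1} has mean (2y-1)*shift in
    every coordinate with unit variance, so each coordinate alone is very noisy and
    the class signal is spread thinly across all d dimensions."""
    y = rng.integers(0, 2, size=n)
    x = rng.standard_normal((n, d)) + (2 * y - 1)[:, None] * shift
    return x, y


def train_logreg(x, y, steps=300, lr=0.5):
    """Plain logistic regression trained by full-batch gradient descent; returns (w, b)."""
    w = np.zeros(x.shape[1])
    b = 0.0
    for _ in range(steps):
        p = 1.0 / (1.0 + np.exp(-(x @ w + b)))
        g = p - y                      # d(loss)/d(logit) for each sample
        w -= lr * x.T @ g / len(y)
        b -= lr * g.mean()
    return w, b


def predict(model, x):
    w, b = model
    return (x @ w + b > 0).astype(int)


def gradient_sign_attack(model, x, y, eps=EPS):
    """Untargeted L-inf attack: move every coordinate by eps in the direction that
    increases the loss of the true label. For a linear model the input gradient of the
    logistic loss is (p - y) * w, so its sign is -(2y-1) * sign(w); the perturbation is
    bounded by eps per coordinate, far below the per-coordinate noise of the data."""
    w, _ = model
    direction = -(2 * y - 1)[:, None] * np.sign(w)[None, :]
    return x + eps * direction


def attack_success_rate(model, x_clean, x_adv, y):
    """Assumed metric: share of samples the model classifies correctly when clean
    but misclassifies after perturbation (samples it already got wrong are excluded)."""
    clean_ok = predict(model, x_clean) == y
    adv_wrong = predict(model, x_adv) != y
    return float((clean_ok & adv_wrong).sum() / max(int(clean_ok.sum()), 1))


def run_experiment(seed=0):
    rng = np.random.default_rng(seed)
    x_tr, y_tr = make_data(rng)
    x_te, y_te = make_data(rng, n=500)
    model_a = train_logreg(x_tr, y_tr)          # white-box victim the attacker sees
    x_tr2, y_tr2 = make_data(rng)
    model_b = train_logreg(x_tr2, y_tr2)        # independent model, never seen by the attacker
    x_adv = gradient_sign_attack(model_a, x_te, y_te)
    return {
        "clean_acc_a": float((predict(model_a, x_te) == y_te).mean()),
        "white_box_success": attack_success_rate(model_a, x_te, x_adv, y_te),
        "transfer_success": attack_success_rate(model_b, x_te, x_adv, y_te),
        "max_abs_perturbation": float(np.abs(x_adv - x_te).max()),
    }


if __name__ == "__main__":
    for k, v in run_experiment().items():
        print(f"{k}: {v:.4f}")
```

The classifier is near-perfect on clean data, yet a perturbation of at most 0.3 per coordinate (each coordinate has noise of standard deviation 1) flips most test samples, because the tiny per-coordinate shifts add up along the weight vector across 200 dimensions. The same perturbation transfers to the second model because both models learn roughly the same decision direction, which is the property the abstract's "high transferability" claims rest on.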
Keywords/Search Tags:adversarial example, generative adversarial network, deep neural network, adversarial attack, adversarial defense, integration of attack and defense