
Research On Black-box Method For Neural Network Adversarial Examples Generation Based On Derivative-free Optimization

Posted on: 2021-02-10
Degree: Master
Type: Thesis
Country: China
Candidate: Y C Duan
GTID: 2428330647450734
Subject: Computer technology

Abstract/Summary:
In recent years, the rapid development of artificial intelligence has injected new power into computer technology. Deep learning in particular has been widely adopted in many fields because of its excellent performance, including safety-critical applications such as autonomous driving. The safety of deep learning has therefore attracted much attention. Recent research has shown that deep neural networks are vulnerable to adversarial examples: by generating well-designed adversarial examples, attackers may cause serious safety accidents. It is therefore of great significance to study adversarial example generation methods.

Depending on whether they need internal information about the network, such as its parameters, adversarial example generation methods can be divided into white-box methods and black-box methods. White-box methods can make full use of the model information and generate adversarial examples efficiently, but they are limited by the fact that it is difficult to obtain all the information about a network in real situations. Black-box methods can only access the input and output layers of the network, so they depend heavily on interaction with the model, and the access frequency is high. Furthermore, most white-box and black-box methods suffer from discretization problems to varying degrees.

This work mainly studies adversarial example generation methods with neural networks as the attack target. Aiming at the existing problems, the main work covers the following three aspects:

· This work proposes a black-box method for neural network adversarial example generation based on derivative-free optimization. The method transforms the problem of adversarial example generation into an optimization problem, which can be solved by a classification-based derivative-free optimization method. This optimization method classifies the samples of each iteration into a “good” set and a “not good” set. The sampling model can then be optimized using the two sets to generate better samples. This black-box method does not need to obtain the internal information of the network and is not limited by real situations. At the same time, because of the sampling process designed for this method, it has no discretization problem.

· This work proposes a generic functional framework for neural network adversarial example generation based on derivative-free optimization. To improve the universality of the method described above, this work divides and abstracts its functions into three modules: problem space, evaluation system, and search strategy. Strict symbolic definitions are given for all components in the modules. Based on these components, a generic functional framework for neural network adversarial example generation based on derivative-free optimization is proposed. The framework can be adapted to adversarial example generation problems in different situations, which greatly improves the universality of the method.

· This work also designs experiments to evaluate the proposed method and framework. Two datasets of different scales, MNIST and ImageNet, and a total of 13 white-box and black-box tools were selected for experimental comparison. Experimental results show that the method achieves a significantly higher success rate, with comparable query times and without the discretization problem. The results also show that the framework has high universality.

Keywords/Search Tags: Deep Learning, Neural Network, Adversarial Example, Derivative-Free Optimization, Black-Box Testing