
Research On Neural Network Adversarial Sample Generate Based On Heuristic Search

Posted on: 2021-03-05 | Degree: Master | Type: Thesis
Country: China | Candidate: K Chen
GTID: 2518306050972039 | Subject: Computer software and theory
Abstract/Summary:
At present, deep learning is widely used in many fields and plays a significant role in solving complex tasks. However, as deep neural networks have drawn increasing attention, researchers have found that they have serious security issues. If attackers exploit these issues maliciously, the result is likely to be irreparable losses. Research on the robustness of neural networks is therefore necessary, and a variety of attack and defense methods against deep neural networks are emerging.

This thesis mainly studies the robustness of neural networks in image classification tasks. In most research, generating adversarial examples is the main way of attacking neural networks. Among existing attack methods, gradient-based adversarial example generation is relatively mature, but it requires knowledge of the details of the attacked network. In most cases it is difficult for attackers to obtain that knowledge, whereas attack methods that do not rely on gradients only need to obtain the network's output for a given input, which can reduce the cost of the attack. This thesis focuses on non-gradient attacks. Existing non-gradient attack methods have several problems when generating adversarial examples: the attack effect cannot be guaranteed; the time cost and computation cost grow as the input dimension increases; and the applicable scenarios are limited, so that targeted attacks cannot be achieved. This thesis proposes adversarial attack algorithms based on heuristic search algorithms. The main contents are as follows:

(1) The attack algorithm GA-SA-Attack is proposed, based on the genetic algorithm and the simulated annealing algorithm. First, a dimensionality reduction operation is performed on the input image; then key points are extracted, the image area that actually participates in the attack is reduced, a Gaussian model is constructed on the feature area to obtain a saliency map, and the structural information in the image is retained through an edge detection method. The algorithm proposes an adaptive change mechanism for the key steps of the genetic algorithm and combines it with the simulated annealing algorithm to accept new solutions, which adjusts the search process and avoids the problem of premature convergence.

(2) The attack methods CMA-ES-Attack and MA-ES-Attack are based, respectively, on the covariance matrix adaptation evolution strategy and the matrix adaptation evolution strategy. In addition to using feature extraction and edge detection algorithms in the dimensionality reduction process, CMA-ES-Attack uses the idea of distributed estimation to filter the extracted key points. CMA-ES-Attack also improves search efficiency by increasing the diversity of sampling. The standard covariance matrix adaptation evolution strategy involves complex matrix operations. MA-ES-Attack uses the optimized matrix adaptation evolution strategy to apply the attack, which further improves the attack in terms of computation.

(3) An experimental comparison reflects the effect of applying heuristic search algorithms to the attack. The experiments show that the three attacks, GA-SA-Attack, CMA-ES-Attack and MA-ES-Attack, can be applied to both untargeted and targeted attack scenarios. Experimental analysis on three different data sets shows that MA-ES-Attack, the attack algorithm based on the matrix adaptation evolution strategy, is better than the other two algorithms.
Keywords/Search Tags: Adversarial Example, Heuristic Algorithm, Genetic Algorithm, Evolution Strategy