
Research On The Robustness Of Deep Image Classification Models Based On Adversarial Examples

Posted on: 2021-02-05
Degree: Master
Type: Thesis
Country: China
Candidate: L Yu
Full Text: PDF
GTID: 2518306104494474
Subject: Control Science and Engineering
Abstract/Summary:
In recent years, with the development of information technologies such as big data, cloud computing, the Internet and the Internet of Things, artificial intelligence has become a research focus worldwide. Artificial intelligence technologies represented by deep learning are used in computer vision, speech recognition, autonomous driving and other fields, where they have achieved breakthroughs at the application level and strong performance on tasks such as image classification. However, recent studies have shown that deep learning models are not robust: they are easily attacked by artificially designed adversarial examples, which cause severe performance degradation or even complete failure of the model. This poses a serious threat to the security of deployed deep learning systems, so research on the robustness of deep learning models based on adversarial examples has significant practical importance.

Current research on adversarial examples has two main directions: adversarial attack and adversarial defense. Adversarial attack studies the design of adversarial examples in order to evaluate the robustness of deep learning models; adversarial defense studies countermeasures against such attacks in order to improve that robustness. This thesis works from both perspectives: it explores an attack method that can break a deep learning model hardened with adversarial training, and it builds an adversarial defense framework with strong defensive performance. First, for adversarial training, the most commonly used defense method, its practicality and limitations are examined, and an attack against adversarially trained models based on image transformation is proposed. Second, to address the shortcomings of the commonly used additional-network defense strategy and the adversarial training defense strategy, a defense framework that fuses additional networks with adversarial training is designed to enhance the robustness of deep learning models.

The main results of this thesis are:
(1) The limitations of adversarial training as a defense are explored in terms of effectiveness and sensitivity, and an attack method based on image transformation is proposed to evaluate the robustness of adversarial training. Its effectiveness is verified on commonly used data sets: for the PGD adversarial training method, which has the strongest white-box defense capability, the proposed attack reduces the model's classification accuracy from 91.2% to 36.8%.
(2) The principles and defects of the commonly used additional-network and adversarial training defense strategies are analysed, and a defense framework that fuses the two is designed to enhance the robustness of deep learning models. Experiments show that the proposed framework achieves better white-box and black-box defense performance and stronger defense generalization across different attack methods than either the additional network or adversarial training used alone. The framework also defends against the attack method based on image transformation.
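The evaluation loop the abstract describes (standard training versus PGD adversarial training, attacked by in-ball PGD and by an image transformation composed with PGD), as an added example that is not the thesis's code. Everything in it is an assumption made for illustration: a logistic-regression classifier stands in for the deep model so that the input gradient is closed-form and the script runs with NumPy only; the L-inf budget (0.1), PGD step size (0.025) and iteration count (10) are chosen arbitrarily; a one-pixel zero-filled translation plays the role of the thesis's image transformation; and the 6x6 "bar" images are constructed. The accuracies it prints are for this toy setting and do not reproduce the thesis's 91.2% to 36.8% result.

```python
"""Added illustration (not the thesis's code): standard vs PGD adversarial
training, attacked by L-inf PGD and by an image transformation (pixel
translation) composed with PGD. Logistic regression on constructed 6x6 bar
images stands in for the deep classifier so gradients are closed-form."""
import numpy as np

SIDE = 6        # image side length (constructed data)
EPS = 0.1       # assumed L-inf budget; pixels live in [0, 1]
ALPHA = 0.025   # assumed PGD step size
STEPS = 10      # assumed PGD iteration count

def make_dataset(n_per_class=40, seed=0):
    """Constructed data: +1 = vertical bar in column 2, -1 = horizontal bar
    in row 2, each with uniform background noise."""
    rng = np.random.default_rng(seed)
    vbar = np.zeros((SIDE, SIDE)); vbar[:, 2] = 1.0
    hbar = np.zeros((SIDE, SIDE)); hbar[2, :] = 1.0
    xs, ys = [], []
    for base, label in ((vbar, 1.0), (hbar, -1.0)):
        for _ in range(n_per_class):
            img = np.clip(base + rng.uniform(0.0, 0.2, (SIDE, SIDE)), 0.0, 1.0)
            xs.append(img.ravel()); ys.append(label)
    return np.array(xs), np.array(ys)

class LogReg:
    """Linear classifier with logistic loss; labels are +1 / -1."""
    def __init__(self, dim):
        self.w, self.b = np.zeros(dim), 0.0

    def logits(self, x):
        return x @ self.w + self.b

    def predict(self, x):
        return np.where(self.logits(x) >= 0.0, 1.0, -1.0)

    def loss_grads(self, x, y):
        """Gradients of the mean loss log(1 + exp(-y z)) w.r.t. w, b and x."""
        z = self.logits(x)
        s = -y / (1.0 + np.exp(np.clip(y * z, -50.0, 50.0)))  # dloss_i/dz_i
        return x.T @ s / len(y), float(s.mean()), s[:, None] * self.w[None, :]

def pgd(model, x, y, eps=EPS, alpha=ALPHA, steps=STEPS, seed=0):
    """L-inf PGD with random start: signed-gradient ascent on the loss,
    projected back into the eps-ball around x and the valid pixel range."""
    rng = np.random.default_rng(seed)
    x_adv = np.clip(x + rng.uniform(-eps, eps, x.shape), 0.0, 1.0)
    for _ in range(steps):
        grad_x = model.loss_grads(x_adv, y)[2]
        x_adv = x_adv + alpha * np.sign(grad_x)
        x_adv = np.clip(np.clip(x_adv, x - eps, x + eps), 0.0, 1.0)
    return x_adv

def train(x, y, adversarial=False, epochs=200, lr=0.5):
    """Full-batch gradient descent; adversarial=True trains each epoch on PGD
    examples generated against the current model (PGD adversarial training)."""
    model = LogReg(x.shape[1])
    for _ in range(epochs):
        x_train = pgd(model, x, y) if adversarial else x
        grad_w, grad_b, _ = model.loss_grads(x_train, y)
        model.w -= lr * grad_w
        model.b -= lr * grad_b
    return model

def shift_images(x, dx):
    """The image transformation: translate each image dx pixels to the right
    (left if dx < 0), zero-filling; this leaves the L-inf ball entirely."""
    imgs = x.reshape(-1, SIDE, SIDE)
    out = np.zeros_like(imgs)
    if dx >= 0:
        out[:, :, dx:] = imgs[:, :, :SIDE - dx]
    else:
        out[:, :, :SIDE + dx] = imgs[:, :, -dx:]
    return out.reshape(x.shape)

def accuracy(model, x, y):
    return float((model.predict(x) == y).mean())

def evaluate(model, x, y, dx=1):
    """Accuracy clean, under PGD, under the transformation alone, and under
    the composed attack (transform first, then PGD on the transformed image)."""
    x_shift = shift_images(x, dx)
    return {"clean": accuracy(model, x, y),
            "pgd": accuracy(model, pgd(model, x, y), y),
            "shift": accuracy(model, x_shift, y),
            "shift+pgd": accuracy(model, pgd(model, x_shift, y), y)}

def run_experiment():
    """Train on one constructed split, evaluate on another."""
    x_tr, y_tr = make_dataset(seed=0)
    x_te, y_te = make_dataset(seed=1)
    return {"standard": evaluate(train(x_tr, y_tr), x_te, y_te),
            "pgd_at": evaluate(train(x_tr, y_tr, adversarial=True), x_te, y_te)}

if __name__ == "__main__":
    for name, res in run_experiment().items():
        print(name, {k: round(v, 3) for k, v in res.items()})
```

The comparison to look at is the "pgd" column against the "shift+pgd" column for the adversarially trained model: adversarial training only covers perturbations inside the eps-ball, so a transformation applied before PGD is outside the threat model it was trained on, which is the sensitivity the thesis's first contribution exploits.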
Keywords/Search Tags: Deep learning, Adversarial examples, Adversarial attack and defense, Adversarial training, Model robustness