As deep learning technology matures, more and more deep learning solutions, such as face recognition, voice recognition, and autonomous driving, enter people's daily lives. Researchers have found that deep learning models are highly susceptible to adversarial sample attacks: only a slight perturbation imposed on the original samples may lead a deep learning model to output wrong results. Adversarial samples therefore significantly hinder the application of deep learning solutions. Although several defense methods have been proposed in recent years, most of them are designed for specific, known adversarial sample attacks, and the cost of defense is extremely high. To address the problems mentioned above, and to explore the origin of adversarial sample generation, this thesis designs and implements a VAE-GAN based method for adversarial sample defense. The VAE-GAN network is used as a pre-processing block in front of the deep learning model: all samples are first denoised by the VAE-GAN network and only then passed to the deep learning model, so that the normal operation of the deep learning system is ensured. To verify the effectiveness of this defense model, the thesis selects 4 typical adversarial sample generation algorithms and designs and performs a set of black-box and white-box attack and defense experiments on the MNIST and CIFAR-10 data sets. To verify whether the VAE-GAN network can restore adversarial samples to the original samples, the thesis also designs an adversarial sample recovery experiment. The attack and defense experiments show that the classification accuracy of ordinary samples drops by only 1~4% after they are pre-processed by the VAE-GAN network, indicating that the negative effect on the recognition of ordinary samples can be neglected; under black-box and white-box conditions, the defense success rate of this method is 76~98%; compared with other defense methods, this method has no obvious shortcomings and can effectively defend against various attack algorithms; at the same time, it has good transferability and can therefore effectively lower the cost of defense. The recovery experiment shows that after noise reduction by the VAE-GAN network, the PSNR value of adversarial samples increases from 15~38% to 35~40%, indicating that the VAE-GAN network has a much better capability to restore adversarial samples to their original samples.
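The evaluation protocol the abstract describes (a purifier placed in front of the classifier, scored by the accuracy drop on clean samples, the defense success rate on adversarial samples, and the PSNR recovery of purified samples) can be written as a small reusable harness. The following is an added example, not code from the thesis: it uses numpy only, a 3x3 median filter as a stand-in for the VAE-GAN pre-processing block, a nearest-class-mean classifier as a stand-in for the deep learning model, a constructed 16x16 two-class dataset, and a constructed sparse lattice perturbation (not one of the thesis's attack algorithms) to produce adversarial samples that fool the toy classifier. PSNR is computed in decibels, the usual definition; all function names are this example's own.

```python
"""Toy evaluation harness for a purification defense (added example, not the
thesis's code). Stand-ins: 3x3 median filter as purifier, nearest-class-mean
classifier as model, constructed sparse lattice perturbation as adversary."""
import numpy as np

SIDE = 16  # constructed images are SIDE x SIDE grey-scale, values in [0, 1]


def psnr(reference, candidate, peak=1.0):
    """Per-image peak signal-to-noise ratio in dB (higher means closer)."""
    mse = np.mean((reference - candidate) ** 2, axis=(1, 2))
    with np.errstate(divide="ignore"):
        return 10.0 * np.log10(peak ** 2 / mse)


def make_dataset(n_per_class, rng):
    """Constructed data: class 0 is brighter on top, class 1 brighter below."""
    template = np.full((SIDE, SIDE), 0.4)
    template[: SIDE // 2] = 0.6
    x0 = template + rng.normal(0.0, 0.05, (n_per_class, SIDE, SIDE))
    x1 = (1.0 - template) + rng.normal(0.0, 0.05, (n_per_class, SIDE, SIDE))
    x = np.clip(np.concatenate([x0, x1]), 0.0, 1.0)
    y = np.concatenate([np.zeros(n_per_class, int), np.ones(n_per_class, int)])
    return x, y


class NearestMeanClassifier:
    """Stand-in for the protected model: predicts the class whose mean is nearest."""

    def fit(self, x, y):
        self.means = np.stack([x[y == c].mean(axis=0) for c in (0, 1)])
        return self

    def predict(self, x):
        dist = ((x[:, None] - self.means[None]) ** 2).sum(axis=(2, 3))
        return dist.argmin(axis=1)


def median_purify(x):
    """Stand-in pre-processing block: 3x3 median filter with edge padding."""
    p = np.pad(x, ((0, 0), (1, 1), (1, 1)), mode="edge")
    windows = np.stack(
        [p[:, i:i + SIDE, j:j + SIDE] for i in range(3) for j in range(3)], axis=-1)
    return np.median(windows, axis=-1)


def sparse_lattice_perturbation(x, y):
    """Constructed adversarial samples for the toy classifier: every (even, even)
    pixel is set to the extreme value that favours the opposite class. Isolated
    outliers on a lattice are exactly what a median filter removes."""
    top = (np.arange(SIDE) < SIDE // 2)[None, :, None]   # (1, SIDE, 1)
    target = (1 - y)[:, None, None]                       # opposite class, (n, 1, 1)
    extreme = np.broadcast_to(np.where(top, 1 - target, target), x.shape).astype(float)
    x_adv = x.copy()
    x_adv[:, ::2, ::2] = extreme[:, ::2, ::2]
    return x_adv


def evaluate(purify, clf, x_clean, y, x_adv):
    """The metrics from the abstract's protocol, as a dict of floats."""
    acc_clean = np.mean(clf.predict(x_clean) == y)
    acc_purified = np.mean(clf.predict(purify(x_clean)) == y)
    fooled = clf.predict(x_adv) != y            # adversarial samples that succeed undefended
    recovered = clf.predict(purify(x_adv)) == y  # correct again after purification
    defense_success = np.mean(recovered[fooled]) if fooled.any() else float("nan")
    return {
        "clean_accuracy": float(acc_clean),
        "clean_accuracy_after_purifier": float(acc_purified),
        "attack_success_undefended": float(fooled.mean()),
        "defense_success_rate": float(defense_success),
        "psnr_adversarial_db": float(psnr(x_clean, x_adv).mean()),
        "psnr_purified_db": float(psnr(x_clean, purify(x_adv)).mean()),
    }


def run_demo(seed=0):
    """Fit the toy classifier, craft toy adversarial test samples, score the defense."""
    rng = np.random.default_rng(seed)
    x_train, y_train = make_dataset(100, rng)
    x_test, y_test = make_dataset(50, rng)
    clf = NearestMeanClassifier().fit(x_train, y_train)
    x_adv = sparse_lattice_perturbation(x_test, y_test)
    return evaluate(median_purify, clf, x_test, y_test, x_adv)


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:32s} {value:.3f}")
```

The harness takes any `purify` callable and any object with `fit`/`predict`, so the stand-ins can be swapped for a real generative purifier and a trained network without changing the scoring; note that the defense success rate is computed only over adversarial samples that actually fooled the undefended classifier, which is the denominator that makes the figure comparable across attacks of different strength.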