
Research On The Nearest Neighbor Discrimination Method For Adversarial Sample Detection

Posted on: 2021-10-25    Degree: Master    Type: Thesis
Country: China    Candidate: Y Ren    Full Text: PDF
GTID: 2518306104988269    Subject: Computer system architecture
Abstract/Summary:
Recent studies have shown that the predictions of classifiers based on deep neural network models are not robust in certain settings: small changes to the input often produce very different predictions. Adversarial samples are artificially crafted inputs that cause deep learning applications to be fooled, or even to fail outright by maximizing the loss of the target network. Security is an aspect of artificial intelligence that cannot be ignored, and research on how to mitigate and defend against attacks using adversarial samples has a profound impact on the future development and application of artificial intelligence. At present, most defenses against adversarial samples solve a robust optimization problem directly during model training. Such a defense strategy, however, often greatly increases the training overhead and the inference cost of the original model, and the cost of backward compatibility is huge: it usually requires major changes and updates to the deployed model, and may only apply to specific types of network structure. Exploiting the particular nature of the perturbation added to adversarial samples, the hierarchical structure of the neural network, and its intermediate inference results, this thesis proposes an adversarial sample detection method based on parameter-free nearest neighbor discrimination. The GK-Maps feature fusion method is designed to retain, from the convolutional feature maps of an input sample, the category labels and the fine-grained information relevant to the target network's final prediction, so as to build a comparable, high-resolution set of deep features from the intermediate convolution results of input samples. On top of different combinations of nearest neighbor projection weights, the parameter-free SK-NN nearest neighbor discrimination model is improved: a subspace nearest neighbor search in the learned deep feature set approximates the data manifold of the input sample and measures the similarity difference between the input sample and its predicted category label, which provides a confidence estimate for the model's input. This effectively detects malicious adversarial samples fed to the target network at run time, and the defense strategy applies to most pre-trained classification network models built on the convolutional neural network architecture. The experimental results show that, compared with clean samples, the perturbation added to adversarial samples produces different neuron activation properties in different hidden layers, and the SK-NN nearest neighbor discrimination method can effectively detect this difference and thus correctly identify adversarial samples fed to the target model. The best detection accuracy reaches 0.876, which improves the robustness of the classifier's output and reduces the impact of adversarial samples on model predictions.
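The core idea of the abstract, a nearest neighbor confidence check over intermediate-layer features whose disagreement with the classifier's predicted label flags an adversarial input, can be illustrated with a small added example. This is illustrative code written for this page, not the thesis's GK-Maps or SK-NN implementation; the per-layer reference features, the layer weights, the query vectors and the threshold are all constructed toy values, and a real deployment would take the features from the network's own hidden layers.

```python
"""Nearest neighbor agreement check on hidden-layer features (added example).

Each reference sample contributes one feature vector per hidden layer together
with its true label. For a query, the fraction of its k nearest reference
neighbors in each layer that share the classifier's predicted label is combined
across layers with fixed weights. A low combined agreement means the hidden
activations do not look like the predicted class, which is the signal the
thesis uses to flag adversarial inputs.
"""
import math

# Constructed reference set: per layer, (feature vector, label) pairs for two
# classes in a 2-D feature space, so the geometry is easy to follow.
REFERENCE = {
    "layer1": [
        ((0.0, 0.0), 0), ((0.1, 0.2), 0), ((0.2, -0.1), 0), ((-0.1, 0.1), 0),
        ((5.0, 5.0), 1), ((5.1, 4.9), 1), ((4.9, 5.2), 1), ((5.2, 5.1), 1),
    ],
    "layer2": [
        ((1.0, 1.0), 0), ((1.1, 0.9), 0), ((0.9, 1.2), 0), ((1.2, 1.1), 0),
        ((-3.0, 2.0), 1), ((-3.1, 2.1), 1), ((-2.9, 1.9), 1), ((-3.2, 2.2), 1),
    ],
}

# Assumed equal layer weights; the thesis's own projection-weight scheme is
# not given on the page.
LAYER_WEIGHTS = {"layer1": 0.5, "layer2": 0.5}

# Constructed queries: hidden features of a clean sample that sits inside the
# class-0 clusters in both layers, and a sample whose layers disagree.
CLEAN = {"layer1": (0.05, 0.05), "layer2": (1.05, 1.0)}
MIXED = {"layer1": (5.0, 5.0), "layer2": (1.0, 1.0)}


def euclidean(a, b):
    """Plain Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_labels(feature, refs, k):
    """Labels of the k reference samples closest to `feature` in one layer."""
    ordered = sorted(refs, key=lambda pair: euclidean(feature, pair[0]))
    return [label for _, label in ordered[:k]]


def layer_agreement(feature, predicted, refs, k):
    """Fraction of the k nearest neighbors that carry the predicted label."""
    labels = knn_labels(feature, refs, k)
    return sum(1 for label in labels if label == predicted) / len(labels)


def confidence(query_feats, predicted, reference=REFERENCE,
               weights=LAYER_WEIGHTS, k=3):
    """Weighted average of per-layer agreement: a confidence in [0, 1] that the
    hidden activations support the classifier's predicted label."""
    total = sum(weights.values())
    return sum(
        weights[name] * layer_agreement(query_feats[name], predicted,
                                        reference[name], k)
        for name in weights
    ) / total


def is_adversarial(query_feats, predicted, threshold=0.5, **kw):
    """Flag the input when the neighbor agreement falls below the threshold."""
    return confidence(query_feats, predicted, **kw) < threshold


if __name__ == "__main__":
    # A clean sample predicted as class 0 is fully supported by its neighbors;
    # the same hidden features with a predicted label of 1 (what a successful
    # adversarial perturbation of the output would look like here) are not.
    print("clean, predicted 0:", confidence(CLEAN, 0), is_adversarial(CLEAN, 0))
    print("clean, predicted 1:", confidence(CLEAN, 1), is_adversarial(CLEAN, 1))
    print("layers disagree, predicted 1:", confidence(MIXED, 1))
```

The threshold and the equal layer weights are the tunable parts: the thesis's experiments weigh layers differently, and the `MIXED` query shows why that matters, since with equal weights a sample whose early and late layers disagree lands exactly on the 0.5 boundary and is not flagged.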
Keywords/Search Tags: adversarial samples, convolutional neural network, nearest neighbor classification, feature fusion, robustness