
Research On Adversarial Examples Generation For Typical Recognition Neural Networks

Posted on: 2021-07-10
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Gao
GTID: 2518306107452944
Subject: Control Engineering

Abstract/Summary:
Recent research has shown that human-designed adversarial examples are capable of attacking typical deep recognition networks. Such adversarial perturbations are too subtle to be detected by the naked eye, but they can cause a model to misclassify examples it originally identified correctly. However, traditional methods of adversarial example generation fail under some defense methods. The main research content of this thesis is how to effectively improve the attack success rate and the label transferability rate of adversarial examples while reducing the difference between the adversarial example and the original example so that it remains undetectable.

For the targeted attack under the l0 norm metric, the weighted fast saliency map attack algorithm (W-FSMA) proposed in this paper successfully conducts the few-pixel attack on large-scale datasets. The method that the JSMA few-pixel attack uses to generate an adversarial saliency map does not take into account the impact that the weights of the different categories have on the result, which makes the allocation of impact weights across categories unreasonable. To address this problem, this paper proposes to weaken the effect of invalid categories on the saliency map by weighting based on the category probability distribution, thereby providing a more effective measurement of saliency. Secondly, in order to further reduce the number of altered pixels, this paper retains both the positive and the negative components of the gradient in the algorithm implementation to avoid losing valuable gradient information. Finally, to address the inefficiency of the JSMA method's category-by-category and pixel-pair-by-pixel-pair traversal when generating adversarial examples, this paper proposes a fast method that reduces the computational overhead by filtering the categories by their weights before calculating the saliency map.

For the black-box attack under the l2 norm metric, this paper proposes an ensemble adversarial attack approach (E-ADA). This approach adopts a loss function that is defined directly on the logits of the model, thus addressing the problem that some traditional algorithms fail under gradient masking methods such as defensive distillation. In addition, to further improve the transferability of adversarial examples in the optimization phase and to tackle the low cross-model transferability of some traditional methods, the E-ADA method uses the gradients of multiple networks to constrain the forward direction of the perturbation, enhancing the attack performance against the black-box model.

The two methods proposed in this paper are compared with other recent adversarial attack methods in experiments on publicly available image classification datasets. The experimental results show that the W-FSMA proposed in this paper outperforms the comparison methods in terms of attack success rate, perturbation norm and execution efficiency. Meanwhile, the E-ADA method also has a better attack success rate, label transferability rate and robustness against black-box models. Finally, this paper verifies the effectiveness of the non-maximal suppression attack algorithm on a YOLOv3-based vehicle detection network, successfully implementing the attack by generating adversarial examples for the vehicle detection network.
Keywords/Search Tags: object recognition, adversarial example, adversarial saliency map, black box attack, model ensemble, transferable performance