
Research On Defense Technology Of Adversarial Examples Based On Different Norms

Posted on: 2021-07-11
Degree: Master
Type: Thesis
Country: China
Candidate: C R Liu
Full Text: PDF
GTID: 2518306290994699
Subject: Cyberspace security
Abstract/Summary:
In recent years, deep learning has achieved unprecedented success thanks to the availability of massive multimedia data, powerful neural network algorithms and improved hardware computing capability. However, most machine learning tasks do not consider the presence of an adversary, which leaves deep neural networks vulnerable to attack. Recent studies have found that adding a carefully designed perturbation to an original test sample causes the model to misclassify it, either as a specific target category or simply as a wrong category, even when the model previously assigned the correct category with high confidence. The perturbation is called "adversarial noise", and samples that cause the model to misclassify after adversarial noise is added are called "adversarial examples". Such examples do more than change classification results: they can affect the safety of autonomous driving and even bypass identity authentication systems, posing a serious threat to the life and property of citizens and even to national security. To counter this threat, scholars have proposed a number of defense methods. Although current defenses have achieved good results, each has limitations of one kind or another and is easily bypassed by evolving attack methods; at the same time, because of the unique nature of adversarial examples, traditional security techniques based on feature matching are not suited to this defense task. Therefore, to improve the robustness of deep learning models and promote the secure development of artificial intelligence, this thesis designs more effective defenses against adversarial examples, based on the known characteristics of adversarial attacks and the shortcomings of existing defenses. The work of this thesis mainly comprises the following:

(1) Based on the observation that most adversarial example generation algorithms are iterative, and that adversarial examples generated under the L0 norm differ from the original sample in only a few pixels, a defense method is proposed that disrupts the iterative generation process. The method uses a perceptual hash as the judgment layer and adds a timing layer so that the attacker cannot detect the defense through timing analysis. Defense results on three deep models under white-box attack show that the method reduces the attack success rate by 36.3% on average; results on six mainstream deep models under black-box attack show a reduction of 74.8% on average. Compared with existing defenses, the method needs no additional networks, so it is lightweight and flexible.

(2) Based on the observed deviation between the active regions of adversarial examples and those of the original samples, and on the integrity of adversarial noise, a defense method called Just One More Time (JOMT) is proposed that gives the deep model the ability to recognize its own errors by destroying the integrity of the adversarial example. JOMT uses heat maps to improve the interpretability of the model and combines two image processing methods to detect inconsistencies in the prediction. Extensive experiments show that the method can detect adversarial examples while preserving the accuracy of the original model; comparison with other defense methods shows that it performs better. Unlike other methods, this method is based on the idea of adding noise.
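As an added illustration of the first method (example code, not the thesis's own implementation), the following Python sketches a perceptual-hash judgment layer: a difference hash of each query is compared against recently seen queries, and a near-duplicate is refused so that an attacker's iterative refinement cannot proceed. The synthetic images, the Hamming threshold and the window size are assumptions; the timing layer is omitted.

```python
# Added example (not code from the thesis): a perceptual-hash judgment layer.
# Iterative attacks submit many near-identical queries differing in a few
# pixels; a difference hash (dHash) maps them to the same 64-bit code, so a
# query within a small Hamming distance of a recent one is refused.
# Images are constructed 2-D lists of grayscale values (0-255).
from collections import deque

def dhash(img):
    """Difference hash over a 9 x 8 block grid: average each block, then
    record per row whether a block is brighter than its right neighbour."""
    h, w = len(img), len(img[0])
    bh, bw = h // 8, w // 9
    bits = 0
    for r in range(8):
        means = []
        for c in range(9):
            cells = [img[y][x] for y in range(r * bh, (r + 1) * bh)
                     for x in range(c * bw, (c + 1) * bw)]
            means.append(sum(cells) / len(cells))
        for c in range(8):
            bits = (bits << 1) | int(means[c] > means[c + 1])
    return bits

def hamming(a, b):
    return bin(a ^ b).count("1")

class JudgmentLayer:
    """Sits in front of the classifier. A query whose hash is within
    `threshold` bits of one of the last `window` queries is treated as a
    step of the same iterative attack and refused (check returns False)."""
    def __init__(self, threshold=4, window=256):
        self.threshold, self.recent = threshold, deque(maxlen=window)

    def check(self, img):
        h = dhash(img)
        is_dup = any(hamming(h, seen) <= self.threshold for seen in self.recent)
        self.recent.append(h)
        return not is_dup

def checker_image(bright_first, width=36, height=32):
    """Constructed test image: 4x4 cells alternating 200 and 50."""
    return [[200 if ((x // 4 + y // 4) % 2 == 0) == bright_first else 50
             for x in range(width)] for y in range(height)]

def perturb(img, coords, value=255):
    """Sparse (L0-style) change: overwrite a handful of pixels."""
    out = [row[:] for row in img]
    for y, x in coords:
        out[y][x] = value
    return out
```

A few overwritten pixels shift a block mean by at most a few units of the 150-level contrast in the constructed image, so the hash is unchanged and the second query is refused, while an unrelated image passes.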
Keywords/Search Tags: Deep learning, adversarial examples, attack defense, perceptual hash, prediction inconsistency