
The Research For Detection And Defense Of Adversarial Examples

Posted on: 2021-04-01    Degree: Master    Type: Thesis
Country: China    Candidate: J S Shen    Full Text: PDF
GTID: 2518306308474094    Subject: Cyberspace security
Abstract/Summary:
Deep learning is a hot topic in the field of artificial intelligence and has demonstrated phenomenal success in many AI applications, such as image recognition, semantic segmentation and natural language processing. However, recent studies have shown that deep neural networks are vulnerable to adversarial examples. These subtly perturbed inputs can completely fool a deep neural network into giving false results with high confidence. Adversarial examples pose a great threat to the security of deep learning, so improving the robustness of deep learning models has practical significance.

A large number of contributions have been proposed in recent years to defend against adversarial examples. Defense techniques can be further divided into two types, 'detection only' and 'complete defense', referred to in this thesis as detection and defense. In terms of detection, the existing methods that use feature squeezing to detect adversarial examples achieve a high detection rate, but at the cost of a high false positive rate. This thesis proposes a new joint detection method based on multi-feature squeezing, and in addition a method that squeezes images with bilateral smoothing to detect adversarial examples. In terms of defense, the existing randomized defense methods cause great damage to legitimate examples and have low defense efficiency. This thesis proposes a defense mechanism called Randomly Perturbed Images Ensemble Defense, which improves the robustness of deep neural networks by utilizing random noise.

The main contributions are the following:

1. A Joint Method of Multi-Feature Squeezers Based on Adversarial Score (ASMFS) is developed to detect adversarial examples. We found that the change in information entropy of adversarial examples before and after feature squeezing differs from that of legitimate examples. Based on this observation, we use the weighted sum of the information entropy difference and the l1-norm distance as the basis for detecting adversarial examples. Experiments on MNIST and CIFAR-10 showed that using the Adversarial Score as the detection basis yields a lower false positive rate than using the l1-norm alone.

2. A method based on bilateral smoothing to detect adversarial examples is proposed. Since bilateral smoothing preserves the edges of an image while simultaneously limiting the feature space in both the spatial domain and the color domain, this thesis proposes a method that uses bilateral smoothing to squeeze the original example in order to detect adversarial examples, and adds bilateral smoothing to ASMFS. Experiments on MNIST and CIFAR-10 showed that ASMFS with bilateral smoothing added improves both the detection rate and the false positive rate.

3. A novel method named Randomly Perturbed Images Ensemble Defense (RPIED) is proposed. Based on the observation that natural samples are more robust to noise than adversarial examples, this thesis proposes a method that makes multiple copies of the original image and injects different random noise into each copy to obtain multiple variant images. The target neural network predicts these variants, and the final prediction class is obtained by majority vote. Experimental comparison with other methods demonstrates the defense effect of RPIED.
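The detection side of contributions 1 and 2, as an added worked example that is not the thesis' code: three feature squeezers (bit-depth reduction, median smoothing and the bilateral smoothing of contribution 2), an Adversarial Score computed per squeezer as a weighted sum of the entropy difference and the l1 distance between the model's softmax outputs before and after squeezing, and a threshold decision. The weight alpha = 0.5, the threshold 0.3, the squeezer parameters and the choice to combine squeezers by taking the maximum score are assumptions of this example, not values from the thesis. The two-class "model" and the 6x6 inputs are constructed stand-ins; the adversarial input is a ±0.05 checkerboard that the stand-in model over-reacts to, chosen so that it survives bit-depth reduction and median smoothing but not bilateral smoothing, which illustrates why adding a bilateral squeezer to the joint detector helps.

```python
"""ASMFS-style joint detector built from feature squeezers (added example)."""
import math
from typing import Callable, List, Sequence

Image = List[List[float]]   # grayscale image, intensities in [0, 1]
Probs = Sequence[float]     # softmax output of the target model


def entropy(p: Probs) -> float:
    """Shannon entropy (bits) of a probability vector."""
    return -sum(x * math.log2(x) for x in p if x > 0)


def l1_distance(p: Probs, q: Probs) -> float:
    return sum(abs(a - b) for a, b in zip(p, q))


def bit_depth_reduce(img: Image, bits: int = 4) -> Image:
    """Squeezer 1: quantise intensities to 2**bits grey levels."""
    levels = 2 ** bits - 1
    return [[round(v * levels) / levels for v in row] for row in img]


def _window(img: Image, r: int, c: int, radius: int):
    """Yield (dr, dc, value) over the (2*radius+1)^2 window, clamping at borders."""
    h, w = len(img), len(img[0])
    for dr in range(-radius, radius + 1):
        for dc in range(-radius, radius + 1):
            yield dr, dc, img[min(max(r + dr, 0), h - 1)][min(max(c + dc, 0), w - 1)]


def median_smooth(img: Image, radius: int = 1) -> Image:
    """Squeezer 2: replace each pixel by the median of its window."""
    mid = (2 * radius + 1) ** 2 // 2
    return [[sorted(v for _, _, v in _window(img, r, c, radius))[mid]
             for c in range(len(img[0]))] for r in range(len(img))]


def bilateral_smooth(img: Image, radius: int = 1,
                     sigma_s: float = 1.0, sigma_r: float = 0.1) -> Image:
    """Squeezer 3: edge-preserving smoothing. A neighbour's weight decays with
    spatial distance (sigma_s) and with intensity difference from the centre
    pixel (sigma_r), so sharp edges survive while faint texture is averaged out."""
    out: Image = []
    for r in range(len(img)):
        row = []
        for c in range(len(img[0])):
            centre, num, den = img[r][c], 0.0, 0.0
            for dr, dc, v in _window(img, r, c, radius):
                wgt = math.exp(-(dr * dr + dc * dc) / (2 * sigma_s ** 2)) \
                    * math.exp(-((v - centre) ** 2) / (2 * sigma_r ** 2))
                num, den = num + wgt * v, den + wgt
            row.append(num / den)
        out.append(row)
    return out


SQUEEZERS = (bit_depth_reduce, median_smooth, bilateral_smooth)


def adversarial_score(predict: Callable[[Image], Probs], img: Image,
                      squeezers=SQUEEZERS, alpha: float = 0.5) -> float:
    """Per squeezer: alpha*|H(q) - H(p)| + (1-alpha)*||p - q||_1, where p is the
    model output on the input and q on the squeezed input. The joint score is
    the maximum over squeezers (an assumption of this example)."""
    p = predict(img)
    scores = []
    for squeeze in squeezers:
        q = predict(squeeze(img))
        scores.append(alpha * abs(entropy(q) - entropy(p)) + (1 - alpha) * l1_distance(p, q))
    return max(scores)


def is_adversarial(predict, img, threshold: float = 0.3, **kwargs) -> bool:
    """Flag the input when its joint Adversarial Score exceeds the threshold."""
    return adversarial_score(predict, img, **kwargs) > threshold


# --- constructed stand-in model and inputs for the demonstration -------------
def toy_predict(img: Image) -> List[float]:
    """Constructed two-class softmax 'model' (dark vs bright), not a real DNN.
    The 'bright' logit rises with mean intensity (legitimate cue) and with
    horizontal roughness (spurious cue), so a +-0.05 high-frequency pattern
    flips the decision while barely changing the image."""
    h, w = len(img), len(img[0])
    mean = sum(map(sum, img)) / (h * w)
    rough = sum(abs(img[r][c] - img[r][c + 1])
                for r in range(h) for c in range(w - 1)) / (h * (w - 1))
    z = [6 * (0.5 - mean), 6 * (mean - 0.5) + 40 * rough]
    e = [math.exp(v - max(z)) for v in z]
    return [v / sum(e) for v in e]


def argmax(p: Probs) -> int:
    return max(range(len(p)), key=p.__getitem__)


N = 6
CLEAN_DARK = [[0.2] * N for _ in range(N)]  # constructed legitimate input
ADV_DARK = [[0.25 if (r + c) % 2 == 0 else 0.15 for c in range(N)]
            for r in range(N)]              # constructed: +-0.05 checkerboard on the dark image

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_DARK), ("adversarial", ADV_DARK)):
        print(f"{name:12s} label={argmax(toy_predict(img))} "
              f"score={adversarial_score(toy_predict, img):.3f} "
              f"flagged={is_adversarial(toy_predict, img)}")
```

On the clean input all three squeezers return the image unchanged, so the score is zero. On the constructed adversarial input the model's decision flips back to "dark" only after bilateral smoothing, so the joint score is carried by that squeezer and crosses the threshold; this is the situation the thesis describes when it reports that adding bilateral smoothing to ASMFS improves detection.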
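The defense side, contribution 3, as an added worked example that is not the thesis' code: the input is copied several times, each copy receives independent random noise, the target model labels every copy, and the majority label is returned. The noise model (Gaussian, sigma 0.1, clipped to [0, 1]), the number of copies (25) and the seeded generator are assumptions of this example; returning the winning vote share alongside the label is also an addition here, not something the thesis describes. The "model" is a constructed stand-in whose "bright" decision region contains a very narrow pocket around one exact high-frequency pattern; the constructed adversarial input sits in that pocket, which caricatures the low-margin region an adversarial example occupies and lets the example show the thesis' premise that natural inputs are far more noise-robust than adversarial ones.

```python
"""RPIED-style randomized ensemble defense (added example, not the thesis' code).
The input is copied K times, each copy gets independent random noise, the target
model labels every copy, and the majority label is returned."""
import random
from collections import Counter
from typing import Callable, List, Tuple

Image = List[List[float]]   # grayscale image, intensities in [0, 1]


def perturb(img: Image, rng: random.Random, sigma: float) -> Image:
    """One variant: i.i.d. Gaussian noise per pixel, clipped back to [0, 1]."""
    return [[min(1.0, max(0.0, v + rng.gauss(0.0, sigma))) for v in row] for row in img]


def rpied_predict(predict_label: Callable[[Image], int], img: Image,
                  copies: int = 25, sigma: float = 0.1, seed: int = 0) -> Tuple[int, float]:
    """Majority vote over `copies` noisy variants of `img`.
    Returns (label, agreement); agreement is the winning vote share, reported
    here in addition to the label so that unstable decisions are visible."""
    rng = random.Random(seed)
    votes = Counter(predict_label(perturb(img, rng, sigma)) for _ in range(copies))
    label, count = votes.most_common(1)[0]
    return label, count / copies


# --- constructed stand-in model and inputs for the demonstration -------------
def toy_label(img: Image) -> int:
    """Constructed two-class 'model' (0 = dark, 1 = bright), not a real DNN.
    Class 1 if the mean intensity exceeds 0.5. The decision region also has a
    narrow pocket: inputs whose correlation with a +-1 checkerboard lies in
    (0.049, 0.051) are labelled 1 as well. A pocket this thin is the kind of
    low-margin region an adversarial example sits in: small noise leaves it."""
    n = len(img) * len(img[0])
    mean = sum(map(sum, img)) / n
    corr = sum(v * (1 if (r + c) % 2 == 0 else -1)
               for r, row in enumerate(img) for c, v in enumerate(row)) / n
    return 1 if mean > 0.5 or 0.049 < corr < 0.051 else 0


N = 6
CLEAN_DARK = [[0.2] * N for _ in range(N)]      # constructed legitimate input, label 0
CLEAN_BRIGHT = [[0.8] * N for _ in range(N)]    # constructed legitimate input, label 1
# constructed adversarial input: the dark image plus a +-0.05 checkerboard, which
# places it exactly in the pocket (corr = 0.05) so the model alone says 'bright'
ADV_DARK = [[0.25 if (r + c) % 2 == 0 else 0.15 for c in range(N)] for r in range(N)]

if __name__ == "__main__":
    for name, img in (("clean dark", CLEAN_DARK), ("clean bright", CLEAN_BRIGHT),
                      ("adversarial", ADV_DARK)):
        label, agreement = rpied_predict(toy_label, img)
        print(f"{name:13s} model alone={toy_label(img)} RPIED={label} agreement={agreement:.2f}")
```

The two clean inputs keep their labels under every noisy copy because they lie deep inside a wide decision region, so the vote is (near) unanimous. The adversarial input is labelled "bright" by the model alone, but almost every noisy copy falls out of the thin pocket, so the ensemble vote restores "dark" and the low agreement exposes how fragile the original decision was.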
Keywords/Search Tags: Deep learning, Neural network, Adversarial examples, Feature squeezing, Random noise