Generation Method Of Adversarial Examples Based On Sensitive Feature Information

Posted on: 2022-02-06
Degree: Master
Type: Thesis
Country: China
Candidate: Q S Ye
Full Text: PDF
GTID: 2518306323466714
Subject: Cyberspace security

Abstract/Summary:
In-depth research on adversarial example attacks is an important way to enhance the security of deep learning systems. Adversarial example attacks use generation methods to construct adversarial examples that deceive the target deep neural network. The main problem with existing generation methods is that their attacks usually focus on the loss of the target deep neural network while ignoring the model's ability to learn the feature information of the data. As a result, the adversarial examples are highly coupled with the structure and parameters of the target deep neural network, so it is difficult to transfer their attack ability to other deep neural networks, which greatly limits their application scenarios. To solve this problem, this paper proposes methods of generating adversarial examples that attack sensitive feature information. Based on the convolutional neural network and the capsule neural network, the research work is as follows:

1. For the convolutional neural network, the method for extracting sensitive feature information is described, and an adversarial example generation method that destroys sensitive feature information and increases the model's loss is proposed. This method attacks sensitive feature information by increasing the difference in Grad-CAM (Gradient-weighted Class Activation Map) between the generated examples and the original examples. Because the sensitive feature information of convolutional neural networks extracted by Grad-CAM is highly similar across different models, using Grad-CAM to attack the sensitive feature information of a white-box model makes the attack performance of the generated adversarial examples easier to migrate to a black-box model, which alleviates the problem of high coupling between adversarial examples and models. Experiments show that this method can improve the transferability of adversarial examples.

2. For the capsule neural network, the sensitive feature information is extracted according to the dynamic routing algorithm, and a method that can weaken the influence of sensitive feature information on model classification is proposed. The dynamic routing algorithm is the core of the capsule neural network. According to the algorithm, capsule vectors are more affected by the capsule vectors with higher similarity in the previous network layer. Therefore, this method uses the gradient iteration method to attack the capsule network by weakening the influence of sensitive feature information on model classification. On the one hand, this attack process is designed before the dynamic routing algorithm, which avoids the confusion of gradient information in the routing process. On the other hand, it only aims at attacking sensitive features, which reduces the coupling between the generated examples and the model. Experiments show that the adversarial samples generated by this method have certain advantages in attack performance under gray-box and black-box conditions, and that the transferability of the adversarial examples is stronger.
Keywords/Search Tags:convolutional neural network, capsule neural network, adversarial example attack, sensitive feature information