The Block Box Attack Method Based On Image Latent Space

With the continuous application and remarkable success of deep neural network in many fields,it is being applied in many security-critical environments,especially in the field of computer vision.In image recognition,target detection and semantic segmentation,the performance of convolutional neural network has surpassed that of human beings.However,some studies have shown that the addition of weak perturbation invisible to human eyes in the original sample will lead to neural network error.Such added weak perturbation samples are called adversarial examples.In general,human eyes cannot distinguish the adversarial sample from the original sample.The adversarial sample has become one of the important factors affecting the application safety of deep learning.The research of adversarial examples has become the latest hotspot in the field of artificial intelligence security,which is of great importance to ensure the security of deep learning.Traditional adversarial sample generation methods are mostly to add weak perturbation to the original sample,which is not in the semantic space of the image and appears very unnatural.This paper proposes to generate adversarial sample in the latent space of the image,and the related attack algorithm is designed and implemented,which can generate natural counter sample,and attack the success rate is higher.The main research achievements and contributions of this paper are as follows:(1)In order to generate more natural adversarial samples,a black box attack method based on image hidden space is proposed.At present,the common attack methods,such as generation method based on gradient perturbation,optimization method and generation method based on generation adversarial network to generate adversarial example,are to add adversaries perturbation to the original sample,which have problems such as,easy to be protected and unable to achieve complete black box attack.Aiming at the problem of attack in black box scene,this paper designs and implements targeted attack and untargeted attack of black box based on image latent space.The experimental results show that the adversaries generated by this method is more natural than the method of adding perturbation directly to the image,the adversarial perturbation is more focused on the semantic information content of the image,and the success rate of black box attack is very high.(2)In order to reduce the number of queries,a distributed adversaries method is proposed.The black box attack algorithm in the stand-alone system usually needs to constantly query the attacked model in large quantities.If the AI provider counts the number of visits to it within a period of time,it is easy to find exceptions.In this paper,the distributed adversarial attack algorithm is designed and implemented to solve the problem of adversarial attack in the distributed scene,which reduces the number of queries of the single machine and makes it difficult to be found in the real attack scene,and the attack success rate does not decrease.