
Research On Security Detection Technology Of Deep Learning Model Based On Adversarial Technology

Posted on: 2022-10-22
Degree: Master
Type: Thesis
Country: China
Candidate: D Y Li
Full Text: PDF
GTID: 2518306332967359
Subject: Cyberspace security

Abstract/Summary:
Deep learning models have been widely used in automatic driving, image recognition, speech recognition, steganalysis and other fields, and play an increasingly important role. Therefore, the security of deep learning models themselves has attracted academic and industrial attention. In this thesis, we study adversarial example generation technology and watermark robustness detection technology for detecting the security of deep learning models, and focus on three aspects. Deep learning models for classification are widely used, so we first study adversarial example technology for most classification models. In addition, although a deep learning model for steganalysis is also a classification model, it differs greatly from general computer vision tasks, so this thesis also studies its security detection technology. Finally, the watermarking technology used for intellectual property protection of deep learning models relies on backdoors in the models, which makes it particularly special; this thesis takes it as the third research object. The main work and contributions of this thesis are as follows:

1. At present, algorithms for generating adversarial examples have problems such as too many iterations and too low a fooling rate. To reduce the number of iterations and improve the fooling rate, this thesis proposes an adversarial example algorithm based on cross-correlation, AGCC. The cross-correlation function is usually used to judge the correlation of two matrices; in this thesis it is used to calculate the visual distance between the adversarial example and the original image. The idea of a sub-module is used to improve the fooling rate. The simulation results show that, compared with the current C&W algorithm, which has superior performance but needs 10000 iterations, the average number of iterations is reduced to 230 and 650 respectively, and the fooling rate reaches 100% and 89.56%, which is similar to the C&W algorithm and twice as high as the UPSET algorithm.

2. Steganalysis is an important technology for discovering hidden communication on public platforms such as social networks. It is of great significance to study adversarial example generation technology for steganalysis models in order to detect their security. One challenge of this scenario is to ensure that the hidden secret information is not changed when generating adversarial examples. Another challenge is that the floating-point data required by gradient computation conflicts with the integer data required for saving the image. Therefore, this thesis proposes an adversarial example generation and saving algorithm for steganalysis, AGSS. The rounding and saving algorithm in this thesis improves the probability that the adversarial example can still fool the target model after rounding. Simulation results show that when the target models are Yedroudj-Net and YeNet respectively, the average peak signal-to-noise ratios of the adversarial examples generated by the AGSS algorithm are 52.42 and 44.82 respectively. The probability that the adversarial example can still fool the target model is about 1.5 times that of the commonly used approximate rounding, reaching 84% and 71.43% respectively.

3. Existing robustness detection algorithms for deep learning model watermarks require large computing resources and remove the watermark only weakly. To detect the robustness of deep learning model watermarks and enhance their security, this thesis designs an attack algorithm against output-based deep learning model watermarks, selective confusion. In this algorithm, a small number of watermark images with wrong labels are used, together with task images, to retrain the watermarked model, so that the watermark can be removed without changing the task accuracy of the watermarked model. The simulation results show that after at most 5 rounds of training, the watermark extraction accuracy of the model can be reduced from more than 95% to less than 15%, that is, the watermark is completely removed. The consumption of computing resources is 1/7 of that of the common input filtering method and 1/4 of that of model fine-tuning.

4. To defend against the selective confusion algorithm, this thesis proposes a more robust deep learning model watermarking algorithm that uses an autoencoder as a one-way trapdoor function. To ensure the security of the watermark, an autoencoder is used to generate watermark images that cannot be extracted by an attacker. The simulation results show that the change in task accuracy of the deep learning model is less than 2.5% and the watermark accuracy is higher than 70%, which can effectively protect the intellectual property rights of the deep learning model.
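Two measurement points in the abstract are easy to make concrete: contribution 1 uses cross-correlation as a visual distance between a perturbed image and the original, and contribution 2 notes that a float-domain perturbation can change, or vanish, once the image is rounded to integers for saving. The block below is an added illustration written for this page; it is not the thesis's AGCC or AGSS code and does not reproduce either algorithm. It assumes a zero-mean normalized cross-correlation (the thesis does not state which normalization it uses), standard PSNR against an 8-bit peak of 255, and a constructed 8x8 gradient image in place of a real cover image. It evaluates how much of a perturbation survives 8-bit rounding, which is the check a defender would run when deciding whether a reported float-domain distortion figure applies to the file actually written to disk.

```python
import numpy as np

# Constructed sample "image": an 8x8 horizontal gradient in the 0..255 integer
# domain, standing in for the original cover image. (Constructed data, not from the thesis.)
ORIGINAL = np.tile(np.arange(0, 200, 25, dtype=np.uint8), (8, 1))


def normalized_cross_correlation(a, b):
    """Zero-mean normalized cross-correlation of two equally shaped arrays.

    1.0 means the two images differ at most by a brightness offset; 0.0 is
    returned when either image has no variance. The normalization is an
    assumption; the thesis does not specify one for its visual distance.
    """
    a = a.astype(np.float64).ravel()
    b = b.astype(np.float64).ravel()
    a -= a.mean()
    b -= b.mean()
    denom = np.sqrt(np.dot(a, a) * np.dot(b, b))
    if denom == 0.0:
        return 0.0
    return float(np.dot(a, b) / denom)


def psnr(original, other, peak=255.0):
    """Peak signal-to-noise ratio in dB; inf when the two images are identical."""
    diff = original.astype(np.float64) - other.astype(np.float64)
    mse = float(np.mean(diff * diff))
    if mse == 0.0:
        return float("inf")
    return float(10.0 * np.log10(peak * peak / mse))


def round_to_image(x):
    """Quantize a float-domain array back to a storable 8-bit image."""
    return np.clip(np.rint(x), 0, 255).astype(np.uint8)


def perturbation_after_rounding(original, delta):
    """Apply a float-domain perturbation, save it as 8-bit, and report the
    L-infinity size of the perturbation before and after rounding."""
    perturbed_float = original.astype(np.float64) + delta
    saved = round_to_image(perturbed_float)
    before = float(np.max(np.abs(delta)))
    after = float(np.max(np.abs(saved.astype(np.float64) - original.astype(np.float64))))
    return before, after


def rounding_demo(delta_value):
    """Constant perturbation of delta_value on every pixel of the sample image.

    Returns the perturbation size before/after rounding plus the cross-correlation
    and PSNR between the original and the image that would actually be saved.
    """
    delta = np.full(ORIGINAL.shape, float(delta_value))
    before, after = perturbation_after_rounding(ORIGINAL, delta)
    saved = round_to_image(ORIGINAL.astype(np.float64) + delta)
    return {
        "before": before,
        "after": after,
        "ncc": normalized_cross_correlation(ORIGINAL, saved),
        "psnr_db": psnr(ORIGINAL, saved),
    }


if __name__ == "__main__":
    # A sub-integer perturbation is erased entirely by rounding; a 2-level
    # perturbation survives, and the metrics describe the saved file, not the float.
    for d in (0.4, 2.0):
        print(d, rounding_demo(d))
```

The 0.4 case is the failure mode the abstract points at: the float image is measurably different from the original, but the saved 8-bit file is byte-identical, so any fooling rate or PSNR reported on the float tensor says nothing about the stored image. Measuring after `round_to_image` reports what a steganalysis model would actually receive.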
Keywords/Search Tags: deep learning, adversarial example, steganalysis, deep learning model watermark