
Research And Implementation Of Key Technologies Of Adversarial Example Generation In Convolutional Neural Network

Posted on: 2021-12-09
Degree: Master
Type: Thesis
Country: China
Candidate: Q X Chen
Full Text: PDF
GTID: 2518306476950889
Subject: Cyberspace security
Abstract/Summary:
In recent years, with the continuous development of artificial intelligence, deep neural networks (DNNs) have achieved excellent success. As they have drawn gradual and widespread attention, research on the security problems of DNNs has also achieved certain results, one of which concerns the adversarial example attack. More and more research proves that DNNs are vulnerable to adversarial examples. The existence of adversarial examples brings great challenges to deep learning models and poses threats to their security and robustness. In an adversarial example attack, the attacker feeds well-designed adversarial examples to the deep learning model, causing the model to output wrong classification results with high confidence. Studying the generation of adversarial examples is important for two reasons. First, adversarial examples can help us find the root security flaws of DNNs, such as the reasons for system confusion, wrong prediction and missed discrimination in the attacked model; the emergence of adversarial examples gives us the opportunity to study how to improve the robustness of DNNs. Second, it helps stimulate research on attack and defense algorithms and models for adversarial examples, and promotes the development of deep learning algorithms. In this paper, we propose an enhancement algorithm to generate adversarial examples based on convolutional neural networks. The main contributions are summarized as follows:

1. Propose the combination of RMSProp and traditional algorithms: In order to effectively improve the attack success rate of adversarial examples in white-box and black-box settings, we propose RMSProp-IFGSM to solve three major problems of previous generation algorithms: an adaptive learning rate is employed to solve the update problem of gradient descent; the exponential average of the cumulative squared gradient is employed to solve the problem of the gradient update direction; and the mean square root of the squared gradient is employed to solve the problem of the uncontrollable number of iterations. At the same time, this method can be easily extended to other attacks, and to some extent it can alleviate the trade-off between white-box attack strength and transferability. By accumulating the root mean square of previous gradients, we update the gradient more efficiently and accurately. The experimental results show that with the proposed algorithm we can generate effective, inconspicuous, robust, aggressive and transferable adversarial examples for the current mainstream convolutional neural networks.

2. Generate effective non-targeted adversarial examples: In this paper, the RMSProp algorithm is integrated into the IFGSM and IFGM algorithms under L∞-norm and L2-norm constraints respectively, to generate two groups of non-targeted adversarial examples more efficiently and quickly. After optimizing the parameters through a large number of experiments, we evaluated these two groups of adversarial examples in terms of effectiveness, inconspicuousness, robustness, transferability, attack ability and generation cost. We analyzed the indicators under black-box and white-box attack conditions respectively. Experimental results show that we can generate effective, imperceptible, robust, attackable and transferable non-targeted adversarial examples for the current mainstream convolutional neural networks, and improve the effect of black-box attacks to a certain extent. Compared with the traditional FGSM, IFGSM, MIFGSM, FGM, IFGM and MIFGM algorithms, the adversarial examples generated by our algorithm not only achieve a high attack success rate, but also obtain strong transferability and outstanding performance. Based on the evaluation experiments, we optimize the parameters and hyper-parameters of our generation algorithm. By optimizing the number of iterations, the size of the perturbation and the learning rate, we also provide a general rule for parameter values in research on adversarial example generation.

3. Generate effective targeted adversarial examples: We adopt the idea of ensemble training to attack multiple models under L∞-norm and L2-norm constraints respectively. We integrate the RMSProp algorithm into the IFGSM and IFGM algorithms and generate two groups of targeted adversarial examples. As with the non-targeted adversarial example attack, we analyze the indicators and evaluate the effectiveness of our algorithm under black-box and white-box attack conditions respectively. The comparison with the traditional methods (FGSM, IFGSM, MIFGSM, FGM, IFGM, MIFGM) proves the effectiveness, robustness, imperceptibility, transferability and superiority of our algorithm.
Keywords/Search Tags:Convolutional Neural Network, Image Adversarial Examples, Deep Learning