
The Attack And Defense Researches Based On The Adversarial Examples

Posted on: 2022-01-20  Degree: Master  Type: Thesis
Country: China  Candidate: M N Zhao  Full Text: PDF
GTID: 2518306509977349  Subject: Information and Communication Engineering
Abstract/Summary:
In recent years, with the rapid development of deep learning, understanding and preventing the security risks caused by adversarial examples has become increasingly important. Attack and defense research on adversarial examples has attracted the attention of security researchers, who aim to improve model robustness by analyzing attack mechanisms. The earliest adversarial attacks were evaluated on classification tasks and then transferred to specialized areas, such as attacks on recurrent neural networks or semantic segmentation networks. However, existing work does not cover every popular computer vision task. For instance, researchers rarely pay attention to cross-modal tasks, such as realistic attacks on image captioning and on forensic models. Considering such cases, further investigation of universal attacks and defenses, and in-depth research on specific fields in which adversarial examples have not yet been studied, has high practical value. The topic of this thesis is the attack and defense of adversarial examples, aiming at a deep understanding of the internal mechanism of adversarial attacks and of the threats that adversarial examples pose to the security field. This thesis makes the following contributions:

(1) Universal adversarial attack and defense methods are proposed, covering sparsity attacks and a defense against iterative attacks. Universal least-pixel attacks are used to study the coupling between image pixels and model features, and a universal buffer-based black-box structure is used to pre-defend against iterative attack methods. The pre-defense aims to prevent the generation of adversarial samples rather than to identify adversarial samples after they have been generated.

(2) Noise retraining is used to identify adversarial samples in the source camera identification task, covering both samples with added Gaussian noise and noise samples generated by existing attack methods. Combining camera fingerprint research from traditional forensics with the noise-retrained model, realistic adversarial attacks on source camera identification are proposed, including a fingerprint copy-move attack and an auto-learning attack.

(3) A systematic study of adversarial attacks on the cross-modal image captioning task is conducted. The thesis proposes 9 attack methods, 5 targeted and 4 untargeted, and uses them to probe how well image-captioning models understand various captions. The conclusions drawn from these attacks also help to improve network performance and to guide network pruning.

(4) A newly designed double-stream architecture, the directional adversarial poisoning attack, is proposed to protect commercially valuable high-quality labeled data under a novel "poisoned data sharing" mode; it comprises an adversarial poisoning attack, a detoxification reconstruction task and a watermark reconstruction task. To balance the performance of these three tasks, the thesis proposes a de-temperature optimization strategy.
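The abstract distinguishes a pre-defense, which interrupts an iterative attack while it is still being generated, from the usual post-hoc detection of a finished adversarial example. The following is an added illustration of that distinction and is not the thesis's own method, model or data: a tiny logistic classifier with constructed weights, a black-box iterative attack that estimates the gradient by finite-difference queries, and a query buffer wrapped around the model that refuses to answer once a query has too many near-duplicates in recent history. The buffer radius, neighbour threshold, weights and sample input are all assumptions chosen for the demonstration.

```python
"""Iterative black-box attack on a toy classifier, and a query-buffer
pre-defense that stops the attack before an adversarial example exists.
Illustrative example only; weights, thresholds and input are constructed."""
import math

# Constructed weights of a 4-feature logistic model (an assumption).
W = [1.5, -2.0, 0.8, 0.4]
B = -0.2


def predict(x):
    """Probability that x belongs to class 1 (white-box model under test)."""
    z = sum(w * xi for w, xi in zip(W, x)) + B
    return 1.0 / (1.0 + math.exp(-z))


def label(p):
    return 1 if p >= 0.5 else 0


class QueryBuffer:
    """Black-box wrapper that remembers recent queries and refuses to answer
    one that lies within `radius` (L_inf) of at least `max_neighbours`
    earlier queries. Iterative attacks produce exactly such streams of
    near-identical inputs, so generation is interrupted (pre-defense)
    instead of the finished example being detected afterwards."""

    def __init__(self, model, radius=0.25, max_neighbours=8, size=256):
        self.model, self.radius = model, radius
        self.max_neighbours, self.size = max_neighbours, size
        self.buf = []          # most recent `size` queries
        self.blocked = 0       # number of refused queries

    def __call__(self, x):
        near = sum(1 for q in self.buf
                   if max(abs(a - b) for a, b in zip(q, x)) <= self.radius)
        self.buf.append(tuple(x))
        if len(self.buf) > self.size:
            self.buf.pop(0)
        if near >= self.max_neighbours:
            self.blocked += 1
            raise PermissionError("query refused: too many near-duplicate queries")
        return self.model(x)


def finite_diff_attack(query, x0, eps=0.6, step=0.1, iters=20, h=1e-3):
    """L_inf iterative attack using only black-box queries: the gradient is
    estimated with 2 queries per feature per iteration, then a signed step
    is taken and projected back into the eps-ball around x0."""
    target = 1 - label(query(x0))
    x = list(x0)
    for _ in range(iters):
        if label(query(x)) == target:
            return x, True
        grad = []
        for i in range(len(x)):
            xp, xm = list(x), list(x)
            xp[i] += h
            xm[i] -= h
            grad.append((query(xp) - query(xm)) / (2 * h))
        direction = 1 if target == 1 else -1        # push p toward the target
        for i in range(len(x)):
            x[i] += direction * step * (1 if grad[i] >= 0 else -1)
            x[i] = min(max(x[i], x0[i] - eps), x0[i] + eps)
    return x, label(query(x)) == target


def run_demo():
    """Attack the bare model, then the buffer-wrapped model."""
    x0 = [0.3, 0.6, 0.1, 0.2]                       # constructed clean sample
    adv, ok = finite_diff_attack(predict, x0)
    defended = QueryBuffer(predict)
    try:
        _, ok_defended = finite_diff_attack(defended, x0)
    except PermissionError:
        ok_defended = False
    return {
        "clean_label": label(predict(x0)),
        "undefended_success": ok,
        "adversarial_label": label(predict(adv)),
        "perturbation_linf": max(abs(a - b) for a, b in zip(adv, x0)),
        "defended_success": ok_defended,
        "blocked": defended.blocked,
        "queries_seen": len(defended.buf),
    }


if __name__ == "__main__":
    print(run_demo())
```

Against the bare model the label flips after two signed steps (a perturbation of 0.2 per feature, within the budget). Against the wrapped model the ninth query of the very first gradient estimate already has eight near-duplicates in the buffer and is refused, so no adversarial example is ever produced. The caveats a practitioner would raise apply to any such buffer: an attacker can spread queries over many accounts or take larger, noisier steps to stay outside the radius, and legitimate clients that resubmit similar inputs can be refused, so the radius and threshold have to be tuned against real query traffic rather than fixed as here.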
Keywords/Search Tags:Adversarial attack, Adversarial defense, Image forensics, Cross-modal, Data protection