Adversarial Black-box Attacks For Deep Image Recognition

Posted on: 2020-12-29
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Wang
Full Text: PDF
GTID: 2518306518963289
Subject: Computer Technology and Engineering
Abstract/Summary:
Today, more and more applications and systems are driven by neural networks (deep learning), affecting many aspects of daily life, such as recommendation systems, human-computer interaction and even security protection, including credit account evaluation, spam filtering, license plate recognition and so on. But neural networks themselves are flawed, and even image classifiers based on deep neural networks are susceptible to small, imperceptible perturbations. Maliciously generated adversarial samples have little effect on the human visual system, but they exploit the instability of neural networks to mislead the model into producing wrong results, and so reduce the accuracy of the model. Taking object classification tasks as an example, two algorithms are proposed. The first is an adversarial attack algorithm based on an evolutionary algorithm, and the second is an algorithm based on noise compression. The former considers three settings: source/target targeted attack and non-targeted attack, black-box attack, and global perturbation. It searches for adversarial samples using an improved differential evolution algorithm and a particle optimization algorithm, encodes random noise as the individuals of a population, gradually evolves that noise into adversarial noise through crossover, mutation and other operations, and uses adversarial initialization to improve search efficiency. Experiments show that the algorithm is effective on the MNIST, CIFAR10 and CIFAR100 datasets, significantly raising the misclassification rate of different models, and that the adversarial samples transfer well between models, even against model defense measures such as adversarial training. The latter is a noise compression algorithm. It relies on the robustness of adversarial perturbations against disturbance and on the diminishing marginal effect of iterative attacks, and compresses the noise by group noise reduction and random noise reduction. An improved iterative attack algorithm is combined with the noise compression algorithm to improve the performance of targeted attacks. Experiments on the ImageNet and Tiny ImageNet datasets verify the effectiveness of the algorithm.
Keywords/Search Tags: Object classification, deep learning, adversarial samples, evolutionary algorithm, noise compression, targeted attack