
Research On Deep Neural Network Adversarial Samples Defense

Posted on: 2022-05-06
Degree: Master
Type: Thesis
Country: China
Candidate: D N Wang
Full Text: PDF
GTID: 2518306524480824
Subject: Software engineering

Abstract/Summary:
In recent years, deep neural network models have achieved high accuracy on a variety of classification tasks. However, recent studies show that deep neural networks are vulnerable to adversarial samples: an attacker only needs to add small perturbations, imperceptible to the human eye, to clean samples in order to generate adversarial samples that the model readily misclassifies. As deep neural networks are deployed in more and more fields, the systems built on them face a serious security threat from adversarial samples. This thesis therefore studies the defense of deep neural networks against adversarial samples, with the goal of reducing their impact and improving the robustness of the network. Under the constraint that the model's classification performance on clean samples is preserved, three defense methods are proposed and verified experimentally on the MNIST and CIFAR10 data sets.

First, to give the model a good defense against both single-step and iterative adversarial samples, an adversarial training defense called GILLC, based on Gaussian augmentation and the ILLC iterative attack, is proposed. Gaussian augmentation improves the generalization of the model's defense against adversarial samples, while the ILLC iterative attack is used to approximately solve the inner maximization problem of adversarial training. Experimental results show that GILLC achieves almost the same effect as NAT in defending against single-step attacks and the same effect as PAT in defending against iterative attacks, whereas NAT and PAT each defend well only against single-step attacks and iterative attacks respectively. GILLC thus improves the robustness of the deep neural network across both attack types.

Second, to make the defense applicable to a wider range of training schemes, a defense based on the K-WTA-BRelu activation function is proposed. By combining the bounded activation function BRelu with the K-WTA-Relu activation function, the structure of the Relu activation is modified in a simple way to blur and destroy gradient information in the network, prevent the accumulation and propagation of adversarial perturbations across network layers, and reduce the influence of adversarial perturbations on the model. The K-WTA-BRelu defense can be used both for normal model training and for adversarial training. Experiments show that, among models trained with the K-WTA-BRelu, Relu, BRelu and K-WTA-Relu activation functions, the model trained with K-WTA-BRelu has the best defense performance.

Finally, to further improve the effect of adversarial training, a defense called ILF, based on an improved adversarial training loss function, is proposed. Because the training samples that the network classifies correctly and those it misclassifies contribute differently to the robustness of the trained network, separate loss functions are proposed for the correctly classified and the misclassified training samples, and a KL divergence term is added to improve the robustness of the model; ILF is then obtained by combining and optimizing the two loss functions. Experimental results show that the model adversarially trained with ILF has higher classification accuracy than models trained with the Standard and MART loss functions, and is therefore more robust.
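The K-WTA-BRelu activation described above combines two pieces that are each easy to state: a bounded ReLU (clip to [0, bound]) and a k-winners-take-all rule that keeps only the k largest pre-activations of each sample. The following NumPy code is an added illustration, not code from the thesis, and the choice of k, the bound value and the constructed pre-activation batch are assumptions of the example; the thesis's exact formulation is not reproduced on this page. The example also computes the sub-gradient mask of the activation, which is the mechanism by which such a function "blurs" the gradient that an attacker's perturbation would have to travel through: a unit passes gradient only if it is a winner and is not saturated at the bound.

```python
import numpy as np

# Constructed sample batch of pre-activations (2 samples x 5 units); not real model data.
SAMPLE_PRE_ACTIVATIONS = np.array([
    [0.2, -0.5, 1.7, 0.9, 0.05],
    [3.0, 0.1, 0.1, -2.0, 0.4],
])
K = 2          # assumed number of winners kept per sample
BOUND = 1.0    # assumed upper bound of the bounded ReLU


def relu(x):
    return np.maximum(np.asarray(x, dtype=float), 0.0)


def relu_grad_mask(x):
    """Sub-gradient of plain ReLU: 1 wherever the unit is active."""
    return (np.asarray(x, dtype=float) > 0).astype(float)


def brelu(x, bound=BOUND):
    """Bounded ReLU: clip(x, 0, bound). Saturated units contribute no gradient."""
    return np.clip(np.asarray(x, dtype=float), 0.0, bound)


def kwta_mask(x, k=K):
    """Boolean mask selecting the k largest pre-activations of each sample (row)."""
    x = np.asarray(x, dtype=float)
    if k >= x.shape[1]:
        return np.ones_like(x, dtype=bool)
    # argpartition on -x puts the indices of the k largest values in the first k slots
    top_idx = np.argpartition(-x, k - 1, axis=1)[:, :k]
    mask = np.zeros_like(x, dtype=bool)
    np.put_along_axis(mask, top_idx, True, axis=1)
    return mask


def kwta_brelu(x, k=K, bound=BOUND):
    """K-WTA-BRelu: keep the k winners, pass them through the bounded ReLU, zero the rest."""
    x = np.asarray(x, dtype=float)
    return np.where(kwta_mask(x, k), brelu(x, bound), 0.0)


def kwta_brelu_grad_mask(x, k=K, bound=BOUND):
    """Sub-gradient dy/dx of K-WTA-BRelu: 1 only for a winner strictly inside (0, bound)."""
    x = np.asarray(x, dtype=float)
    return (kwta_mask(x, k) & (x > 0) & (x < bound)).astype(float)


def gradient_paths(x, k=K, bound=BOUND):
    """Count of units through which gradient flows, per sample, for ReLU vs K-WTA-BRelu."""
    return {
        "relu": relu_grad_mask(x).sum(axis=1).astype(int).tolist(),
        "kwta_brelu": kwta_brelu_grad_mask(x, k, bound).sum(axis=1).astype(int).tolist(),
    }


if __name__ == "__main__":
    print("relu        :", relu(SAMPLE_PRE_ACTIVATIONS))
    print("kwta_brelu  :", kwta_brelu(SAMPLE_PRE_ACTIVATIONS))
    print("grad mask   :", kwta_brelu_grad_mask(SAMPLE_PRE_ACTIVATIONS))
    print("grad paths  :", gradient_paths(SAMPLE_PRE_ACTIVATIONS))
```

On the constructed batch, plain ReLU lets gradient through four of the five units of the first sample, while K-WTA-BRelu lets it through only one (the other winner, 1.7, sits above the bound and is saturated). This is the sparsity and saturation effect the abstract relies on; a real model would apply the function layer by layer and choose k relative to the layer width.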
Keywords/Search Tags: Gaussian enhancement, iterative attack, adversarial training, activation function, loss function