
Research And Implementation Of Defense Methods Against Model Attacks On Convolutional Neural Network

Posted on: 2022-01-03
Degree: Master
Type: Thesis
Country: China
Candidate: Z C Gong
Full Text: PDF
GTID: 2518306524490464
Subject: Master of Engineering
Abstract/Summary:
With the gradual maturity of convolutional networks, the application of convolutional neural networks has become more and more extensive, and the model security issues that follow have also received more and more attention. In recent years, research on attacks against convolutional neural network models and on defenses against them has likewise grown. The most representative of these is the adversarial example attack and its defenses. An adversarial example attack is an external threat to the model: external input causes abnormal errors in the function of the model. This thesis focuses more on offensive and defensive scenarios inside the model. For example, the model stealing attack targets the privacy of the model. The model stealer can gain personal economic benefit by stealing the function of the model, or can use the stolen model to prepare for further attack research. In addition, the model-reuse attack, by tampering with the parameters, causes the model to make a directed error when identifying a specific category. It resembles the adversarial example attack, but its realization principle is completely different. In summary, these two types of attacks target the internal privacy and parameters of the model, rather than interfering with the model through external input.

Firstly, against model stealing attacks caused by the theft of data during data transmission, this thesis designs a partial image encryption method together with a label encryption and decryption method based on an autoencoder. The method builds on the class activation mapping technique for neural networks: this thesis quantifies the contribution of different areas of the image to the final recognition result. According to the quantification results for the image areas, this thesis designs a least-important-area extraction algorithm that segments the least important area for encryption, while the remaining areas are left unencrypted, which reduces the cost of image encryption and decryption. In addition, this thesis uses the inherent encryption and decryption properties of an autoencoder: the encoder part is used for label encryption and the decoder part for label decryption. In this way, this thesis encrypts the data related to neural network training along the two dimensions of image and label to defend against model stealing attacks.

Secondly, for model stealing attacks that access the model through APIs, this thesis uses multiple obfuscation models for fuzzy inference, which perturbs the final output probability distribution, prevents attackers from probing the boundaries of the task domain, and thereby interferes with model stealing attacks. Specifically, this thesis modifies the decision boundary and some feature extraction modes of the original model so that the output probability distribution of the modified model deviates from that of the original model. This thesis deploys multiple models under different temperature coefficients and randomly selects one of them to produce each output. At the same time, this thesis ensures that the output labels of the modified model are the same as those of the original model, which guarantees that normal users can still use the service.

Lastly, for model-reuse attack scenarios, this thesis prunes parameters based on critical weight quantification as a defense. Two key-parameter quantification methods are designed. The first is a gradient quantification method based on the recognition result: using the gradient of the recognition result with respect to the weights, this thesis quantifies the importance of each weight according to the magnitude of its gradient. The second draws on the critical path method from neural network interpretability research and extends that critical quantification method to the weights of the neural network. Finally, this thesis uses pruning and model retraining techniques to trim non-critical parameters and retrains the model after pruning to eliminate the threat of model-reuse attacks.
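The API-side defense described above deploys several models at different temperature coefficients, answers each query from a randomly chosen one, and still returns the same label as the original model. The following is an added illustration in pure Python, not code from the thesis: it models only the temperature part of that scheme (the thesis also alters decision boundaries and feature extraction, which is not reproduced here), and the logits and temperature values are constructed assumptions. It shows why the label is preserved (dividing logits by a positive T keeps their ordering) while the probability distribution an attacker would harvest drifts from the original.

```python
import math
import random

# Constructed logits from a hypothetical 4-class image classifier (assumed, not from the thesis).
SAMPLE_LOGITS = [2.0, 0.5, -1.0, 1.5]

# Temperature coefficients of the deployed obfuscation models (assumed values).
TEMPERATURES = [1.0, 2.0, 5.0]


def softmax(logits, temperature=1.0):
    """Softmax with temperature T: p_i = exp(z_i / T) / sum_j exp(z_j / T)."""
    if temperature <= 0:
        raise ValueError("temperature must be positive")
    scaled = [z / temperature for z in logits]
    m = max(scaled)  # subtract the max for numerical stability
    exps = [math.exp(s - m) for s in scaled]
    total = sum(exps)
    return [e / total for e in exps]


def argmax(values):
    return max(range(len(values)), key=lambda i: values[i])


def obfuscated_inference(logits, temperatures, rng):
    """Pick one deployed temperature model at random and return (label, probabilities).

    The label is identical for every T > 0 because scaling by a positive constant
    does not change which logit is largest; only the confidence values move."""
    t = rng.choice(temperatures)
    probs = softmax(logits, t)
    return argmax(probs), probs


def label_preserved(logits, temperatures):
    """Check the requirement that every obfuscation model agrees with the T=1 label."""
    base = argmax(softmax(logits, 1.0))
    return all(argmax(softmax(logits, t)) == base for t in temperatures)


def distribution_drift(logits, temperatures):
    """Largest L1 distance between the original (T=1) distribution and any obfuscated one."""
    base = softmax(logits, 1.0)
    return max(
        sum(abs(a - b) for a, b in zip(base, softmax(logits, t)))
        for t in temperatures
    )


def serve(queries, temperatures, seed=0):
    """Answer a batch of queries, each from a randomly selected temperature model."""
    rng = random.Random(seed)
    return [obfuscated_inference(q, temperatures, rng) for q in queries]


if __name__ == "__main__":
    print("label preserved:", label_preserved(SAMPLE_LOGITS, TEMPERATURES))
    print("max L1 drift:", round(distribution_drift(SAMPLE_LOGITS, TEMPERATURES), 3))
    for label, probs in serve([SAMPLE_LOGITS] * 3, TEMPERATURES):
        print(label, [round(p, 3) for p in probs])
```

Repeated queries with the same input return the same label but differently shaped confidence vectors, which is the property the defense relies on: a stealer fitting a surrogate to the returned probabilities sees a noisy decision surface, while a normal client reading only the label is unaffected.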
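The first critical-weight quantification method above ranks weights by the magnitude of the gradient of the recognition result with respect to each weight, then prunes the non-critical ones. The following added example (written for this page in pure Python; it is not the thesis's code and the network, weights and input are constructed assumptions) applies that ranking to a toy two-layer ReLU network: it computes the gradient of the recognised class logit with respect to every weight analytically, zeroes the lowest-scoring fraction, and checks that the prediction survives. The retraining step the thesis performs after pruning is not shown.

```python
# Constructed toy network: 3 inputs -> 4 hidden units (ReLU) -> 3 classes.
# All values are hand-picked assumptions for illustration, not from the thesis.
W1 = [[0.9, -0.2, 0.1],     # row h: input weights of hidden unit h
      [0.05, 0.8, -0.3],
      [-0.4, 0.02, 0.7],
      [0.01, -0.01, 0.02]]
W2 = [[1.0, 0.1, -0.5, 0.02],   # row c: hidden weights of class c
      [-0.3, 0.9, 0.2, 0.01],
      [0.1, -0.2, 1.1, 0.03]]
SAMPLE_INPUT = [1.0, 0.2, 0.1]  # constructed feature vector


def forward(x, w1, w2):
    """Return pre-activations z, ReLU activations h and class logits."""
    z = [sum(w * xi for w, xi in zip(row, x)) for row in w1]
    h = [max(0.0, v) for v in z]
    logits = [sum(w * hi for w, hi in zip(row, h)) for row in w2]
    return z, h, logits


def predict(x, w1, w2):
    logits = forward(x, w1, w2)[2]
    return max(range(len(logits)), key=lambda c: logits[c])


def weight_gradients(x, w1, w2):
    """Gradient of the recognised class logit with respect to every weight.

    d logit_c / d W2[c][k] = h_k          (other rows of W2 do not feed logit_c)
    d logit_c / d W1[k][j] = W2[c][k] * relu'(z_k) * x_j
    """
    z, h, logits = forward(x, w1, w2)
    c = max(range(len(logits)), key=lambda k: logits[k])
    g2 = [[h[k] if r == c else 0.0 for k in range(len(h))] for r in range(len(w2))]
    g1 = [[w2[c][k] * (1.0 if z[k] > 0 else 0.0) * x[j] for j in range(len(x))]
          for k in range(len(w1))]
    return g1, g2


def prune_noncritical(x, w1, w2, keep_ratio):
    """Rank all weights by |gradient| and zero out the lowest (1 - keep_ratio) fraction.

    Returns the pruned copies of W1 and W2 and the number of weights removed."""
    g1, g2 = weight_gradients(x, w1, w2)
    scores = []
    for i, row in enumerate(g1):
        for j, g in enumerate(row):
            scores.append((abs(g), 1, i, j))
    for i, row in enumerate(g2):
        for j, g in enumerate(row):
            scores.append((abs(g), 2, i, j))
    scores.sort()  # ascending: least critical weights first
    n_prune = int(len(scores) * (1 - keep_ratio))
    p1 = [row[:] for row in w1]
    p2 = [row[:] for row in w2]
    for _, layer, i, j in scores[:n_prune]:
        (p1 if layer == 1 else p2)[i][j] = 0.0
    return p1, p2, n_prune


def count_zero_weights(w1, w2):
    return sum(1 for row in w1 + w2 for v in row if v == 0.0)


if __name__ == "__main__":
    before = predict(SAMPLE_INPUT, W1, W2)
    p1, p2, removed = prune_noncritical(SAMPLE_INPUT, W1, W2, keep_ratio=0.5)
    print("prediction before/after pruning:", before, predict(SAMPLE_INPUT, p1, p2))
    print("weights removed:", removed, "of", sum(len(r) for r in W1 + W2))
```

On this input the recognised class is 0; hidden unit 2 is inactive and classes 1 and 2 do not feed the recognised logit, so exactly those weights receive a zero gradient and are the first to be pruned at a 50% keep ratio, leaving the prediction unchanged. In the thesis's threat model these low-criticality parameters are precisely where a model-reuse attacker has room to hide tampered values without disturbing normal behaviour, which is why trimming them and retraining removes the attacker's foothold.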
Keywords/Search Tags: convolutional neural networks, security of DNN, defense against model stealing attack, defense against model-reuse attack