Research And Implementation Of Deep Learning Protection Technologies For Adversarial Examples

Deep learning can extract the complexity of data from the original input features at a higher and more abstract level,so it can achieve various functions.Deep learning has taken significant progress in various fields: image classification,object recognition,object detection,speech recognition,language translation,and speech synthesis.Driven by big data,hardware acceleration,and learning algorithms,deep learning provides support for the growing number of practical applications and systems.Intelligent voice assistants,recommendation systems,and autonomous driving systems are becoming an indispensable part of life.Despite the great success in many applications,recent studies have found that deep learning models are vulnerable to well-designed input examples,which are called adversarial examples.Adversarial examples can deceive deep learning models,but they have little impact on human judgment.In order to better study adversarial examples and effectively reduce the harm of adversarial examples,this thesis focuses on the research and implementation of protection techniques for adversarial examples.It mainly involves three aspects: multi-version defense technology based on fine-grained detection,active defense optimization method based on data interpretability,and research on adversarial attacks and defense methods based on critical nodes.First of all,the current adversarial example defense method cannot defend against all adversarial example attacks.To address this problem,this thesis proposes a multi-version adversarial defense method based on fine-grained detection.The attack performance and characteristics of typical adversarial attacks are studied,and propose a norm-based adversarial examples classification and grading rule,which divides adversarial attacks into six types.Test the defense performance of ten typical defense methods against these six adversarial attacks,and recommend the best defense method for each type of adversarial attack.Second,this thesis proposes a defense method based on data interpretability to reduce the time cost of passive defense.According to the visualization results of the input example,the key areas of classification are extracted.A series of input transformations are performed on the key areas of classification.Preliminary experiments have evaluated the defense method based on data interpretability and proved the effectiveness of the defense method.Finally,this thesis strengthens adversarial attacks and defenses by critical neuron nodes of deep neural networks.The propagation of adversarial perturbations in the single layer and multiple layers of the deep neural network model is formulated,and it can observe that critical neuron nodes play a major role in the propagation of perturbation.Based on this observation,non-targeted attacks and targeted attacks based on critical neuron nodes are proposed,and an adversarial training method based on critical neuron nodes is further designed.Experiments are conducted to evaluate the attack and defense methods based on critical neuron nodes,which proves the effectiveness of these methods.