
Attack And Defense Of Adversarial Examples Based On Information Hiding Technology

Posted on: 2022-04-25 | Degree: Master | Type: Thesis
Country: China | Candidate: H Wang | Full Text: PDF
GTID: 2518306542963479 | Subject: Computer technology
Abstract/Summary:
At present, deep learning has made breakthroughs in many fields and has become the core force driving the re-emergence of artificial intelligence technology. Recent studies have shown that deep neural networks are vulnerable to adversarial examples, inputs created by deliberately adding subtle perturbations to the data, which poses a serious threat to the security of deep learning models. Research on the attack and defense of adversarial examples helps to advance artificial intelligence security and to accelerate the practical application of artificial intelligence results. On this basis, the dissertation studies the attack and defense of adversarial examples from the perspective of information hiding. The main research results are as follows:

(1) Adversarial Attack based on Reversible Data Hiding. Targeting benign adversarial examples, the dissertation uses their hidden attack capability to fool malicious artificial intelligence systems, preventing unauthorized models from accessing protected data while ensuring that authorized models can still access it normally. To construct a reversible adversarial example, the proposed scheme takes the adversarial example as the target image and uses reversible image transformation to disguise the original image directly as its adversarial example. This completely solves the problem in existing methods that the perturbation information is difficult to embed in full because of adversarial perturbation enhancement, so that the original image could not be restored losslessly; in the proposed scheme the realization of reversibility is not restricted by the perturbation intensity. Experimental results show that, while preserving the visual quality of the reversible adversarial examples, the proposed scheme achieves the access control goal more effectively, with a higher attack success rate.

(2) Adversarial Defense based on Watermarking Attack. Targeting malicious adversarial examples, the dissertation proposes a pre-processing defense method for deep neural networks that keeps the model operating normally. The pre-processing module combines two watermarking attack techniques, WebP compression and image mirror flipping, for collaborative defense. Specifically, before an image is input to the model, the module pre-processes the input data, and the denoised image is then fed to the neural network for classification. A comparison of visual quality and the characteristic indications of class activation mapping demonstrate the effectiveness of these two watermarking attack techniques. The proposed scheme overcomes weaknesses of existing methods such as high computational complexity and unsatisfactory defense effect. Experimental results show that the scheme effectively defends against adversarial attacks: the processed adversarial examples are correctly classified by the model just like normal samples, while the accuracy loss on clean samples is minimal.
Keywords/Search Tags: Deep Learning, Adversarial Examples, Reversible Data Hiding, Digital Watermarking