
Research On Robust Adversarial Attack Method In Three-dimensional Space

Posted on: 2022-03-01
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Wei
GTID: 2518306563980089
Subject: Signal and Information Processing

Abstract/Summary:
"Adversarial examples" has emerged as a new term in the field of deep learning in recent years. It refers to inputs formed by deliberately adding subtle interference to examples in a dataset, which cause the target model to give an incorrect output with high confidence. Research on attack methods for adversarial examples has important theoretical and practical value for recognizing the defects of deep neural networks, and has attracted extensive attention from academia. Because most existing adversarial attack methods modify pixels in digital image space, they are not robust to the 3D physical characteristics of the real world (such as rotation, translation and lighting conditions), and the attack fails. To this end, this thesis studies robust adversarial attacks in three-dimensional space and has achieved the following research results:

(1) An end-to-end adversarial attack method based on simulated transformations in 3D space is proposed. The texture image of the 3D model is modified slightly by sampling and modeling the distribution of transformations in 3D space during the 3D rendering process, so that the 2D images of the model that the 3D renderer finally generates successfully attack a deep neural network classifier and mislead it into any targeted incorrect label. Meanwhile, to address the insufficient quantity and poor quality of existing 3D model datasets, a dedicated 3D model dataset is constructed using 3D modeling software (3dsmax, meshlab, etc.), which provides the data basis for the algorithm in this thesis. The experimental results on the self-built 3D model dataset show that the method achieves a high attack success rate on the white-box model while also remaining adversarial in the relevant semantic context.

(2) A black-box attack method based on ensemble network model training is proposed. For targeted adversarial attacks, to address the poor transferability of adversarial examples and their poor generalization to black-box models, this thesis follows the idea of ensembling and generates adversarial examples by combining the outputs of multiple different network models. This effectively reduces the coupling between the white-box attack success rate and transfer performance, and successfully improves the transferability of adversarial examples to the black-box model. The experimental results on the dataset show that the method improves the attack success rate on the black-box model by about 6% compared with the method before ensembling.

(3) An attack method, NNIP, based on perturbation of the middle layer of the neural network is proposed. Since the above methods all increase the intensity of the disturbance directly on the input data, this may affect how perceptible the adversarial example is. In response to this problem, this thesis takes the adversarial examples generated in the first work as the baseline and changes them slightly. The modification is as follows: the adversarial examples are input directly into the neural network again, and the NNIP method is used to generate new adversarial examples with respect to the outputs of the middle layer of the neural network. The experimental results show that the adversarial samples obtained by this method increase the attack success rate on the black-box model by approximately 5% under targeted attacks.
Keywords/Search Tags: adversarial examples, adversarial attack, three-dimensional space, transferability, black-box attack, middle layer