
Research On Defense Algorithm For Non-linear Adversarial Examples

Posted on: 2022-06-10
Degree: Master
Type: Thesis
Country: China
Candidate: J C Li
Full Text: PDF
GTID: 2518306569481564
Subject: Software engineering

Abstract/Summary:
Recently, deep neural networks (DNNs) have achieved great success in computer vision and other fields. However, DNNs are vulnerable to adversarial examples: perturbations that may be imperceptible to human perception but can trigger misclassification by a DNN. This poses a serious threat to real-world applications with strict security requirements. It is therefore important to study adversarial attacks and how to defend against them in order to obtain robust DNNs. On the one hand, most existing attack methods construct adversarial examples by using an ℓ_p distance as the similarity metric when perturbing original samples; however, this kind of metric cannot readily express perturbations at the level of a distribution. On the other hand, adversarial defense aims to defend against adversarial examples and has become an important means of improving the robustness of DNNs; however, most existing defense methods focus on specific types of adversarial examples and may fail to defend well against different (even unknown) attack samples.

To address the limitations of the ℓ_p distance, this thesis proposes an internal Wasserstein distance (IWD) to measure image similarity between an original sample and its adversarial example, and applies IWD to both adversarial attack and defense. Specifically, this thesis develops a novel attack method that crafts adversarial examples by comparing the distribution of patches in the original sample with the distribution of patches in the adversarial example. In this way, the proposed attack method is able to generate semantically similar but diverse adversarial examples. Relying on IWD, this thesis also builds a new defense method that seeks to learn robust models capable of defending against unseen adversarial examples. Theoretical evidence justifies that adversarial examples with more diversity are required in adversarial training, and extensive experiments demonstrate the effectiveness of the proposed method.

To defend against various (even unknown) attacks, and motivated by the observation that adversarial examples are more likely to appear near the classification boundary, this thesis studies adversarial examples from a new perspective: whether adversarial examples can be defended against by pulling them back to the original clean distribution. This thesis theoretically and empirically verifies the existence of defense affine transformations that restore adversarial examples. Relying on this, it learns a defense transformer to counter adversarial examples by parameterizing the affine transformations and exploiting the boundary information of DNNs. Extensive experiments on both toy and real-world datasets demonstrate the effectiveness and generalization of the proposed defense methods.
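The abstract's motivation, that an ℓ_p metric cannot see distribution-level change, is illustrated below with an added example that is not code from the thesis (the thesis's IWD is not defined on this page). It compares the ℓ_∞ budget with a toy, hypothetical patch_distribution_distance built from exact 1-D Wasserstein-1 distances over per-patch means and standard deviations, on a constructed 4x4 image and three constructed perturbations.

```python
import numpy as np

def extract_patches(img, k=2):
    """Split an H x W grayscale image into non-overlapping k x k patches, one flattened patch per row."""
    h, w = img.shape
    assert h % k == 0 and w % k == 0, "toy example assumes H and W divisible by k"
    return img.reshape(h // k, k, w // k, k).transpose(0, 2, 1, 3).reshape(-1, k * k)

def wasserstein_1d(a, b):
    """Exact 1-D Wasserstein-1 (earth mover's) distance between two equal-size empirical
    distributions: with equal sample counts, optimal transport pairs the i-th smallest values."""
    return float(np.mean(np.abs(np.sort(a) - np.sort(b))))

def patch_distribution_distance(x, x_adv, k=2):
    """Toy stand-in for a patch-distribution metric (NOT the thesis's IWD): W1 between the
    per-patch means plus W1 between the per-patch standard deviations of the two images."""
    p, q = extract_patches(x, k), extract_patches(x_adv, k)
    return (wasserstein_1d(p.mean(axis=1), q.mean(axis=1))
            + wasserstein_1d(p.std(axis=1), q.std(axis=1)))

def linf(x, x_adv):
    """The usual l_inf perturbation budget: the largest per-pixel change."""
    return float(np.max(np.abs(x - x_adv)))

# Constructed 4 x 4 grayscale "image" with intensities in [0, 1].
X = np.array([[0.1, 0.2, 0.3, 0.4],
              [0.2, 0.3, 0.4, 0.5],
              [0.3, 0.4, 0.5, 0.6],
              [0.4, 0.5, 0.6, 0.7]])
EPS = 0.05

# Perturbation 1: uniform brightness shift. Every patch mean moves by EPS.
X_SHIFT = X + EPS
# Perturbation 2: checkerboard +/-EPS. Same l_inf budget as above, but every patch mean is
# untouched and only the within-patch spread changes, so the distribution distance is smaller.
SIGNS = np.array([[1, -1, 1, -1], [-1, 1, -1, 1], [1, -1, 1, -1], [-1, 1, -1, 1]])
X_CHECK = X + EPS * SIGNS
# Perturbation 3: swap the top-left and bottom-right 2x2 patches. Large per-pixel change,
# but the multiset of patches (hence the patch distribution) is identical: distance 0.
X_PERM = X.copy()
X_PERM[0:2, 0:2], X_PERM[2:4, 2:4] = X[2:4, 2:4].copy(), X[0:2, 0:2].copy()

if __name__ == "__main__":
    for name, x_adv in [("shift", X_SHIFT), ("checkerboard", X_CHECK), ("patch swap", X_PERM)]:
        print(f"{name:12s} l_inf={linf(X, x_adv):.3f} "
              f"patch-dist={patch_distribution_distance(X, x_adv):.4f}")
```

The first two perturbations are indistinguishable under ℓ_∞ yet differ under the patch-distribution metric, while the third exceeds the ℓ_∞ budget by a wide margin yet leaves the patch distribution unchanged.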
Keywords/Search Tags:Adversarial examples, Adversarial defense, Robustness, Generalization