
Research On Image Adversarial Attack Algorithm Based On Decision Boundary In The Black-Box Scenario

Posted on: 2022-05-12
Degree: Master
Type: Thesis
Country: China
Candidate: X Guo
GTID: 2518306569497564
Subject: Computer technology

Abstract/Summary:
Image classifiers based on deep learning are widely used. Because of model robustness issues, they cannot correctly classify samples that carry small perturbations. Exploiting this is called an adversarial attack, and the perturbed samples are called adversarial examples. Existing black-box adversarial attack algorithms directly use the classification results of the attacked model to generate adversarial examples, but they do not make full use of the information related to those results, such as the decision boundary. The decision boundary is the classification hyperplane along which the model separates samples of different classes in the sample space. During an adversarial attack, an adversarial example generated from an original sample has to cross the decision boundary between two classes in the sample space so that it is classified into the specified class. Therefore, in the black-box scenario, adversarial attacks based on the decision boundary of the target model have practical research significance.

This thesis first proposes a method that uses the specific expression of the decision boundary to conduct an adversarial attack to find the decision boundary. Following the definition of the decision boundary, the method defines an objective function containing the decision boundary information, from which the expression of the decision boundary can be obtained. A projection operation is then used to find adversarial examples near the decision boundary. In this method, a conversion model is constructed according to the objective function, and the output information of the target model is used to fit the conversion model. However, using only the output of the target model cannot make the conversion model fit all the information contained in the target model, and the method cannot generate adversarial examples with a high attack success rate for high-dimensional image data sets, which limits the improvement of attack performance.

To address the deficiencies of the attack method based on the expression of the decision boundary, this thesis uses the known part of the decision boundary information to find perturbations in a low-dimensional space, and proposes an adversarial method that controls the perturbation search in that space. First, the method uses a convolutional auto-encoder to map samples to the latent space to obtain feature vectors, and uses a perturbation generator to generate a perturbation vector in the latent space, which reduces the sample dimension and effectively reduces the perturbation search space. Second, the method uses a feature discrimination strategy in the latent space to divide the feature vector. When adding perturbations to the feature vector, the method uses the known part of the decision boundary information to search for the perturbation at a specific location along the direction of the known decision boundary, and generates adversarial examples near the decision boundary through the decoder. Finally, a perturbation fine-tuning strategy is used to find adversarial examples closer to the decision boundary, further improving attack performance.

This thesis uses data sets of different dimensions to verify the attack performance of the above methods, and evaluates them with three indicators: attack success rate, average disturbance, and average number of visits to the target model. The experimental results show that, with the attack method based on fitting the decision boundary, the adversarial examples carry out an effective attack under a limited number of visits and the perturbation is imperceptible. With the method of controlling the perturbation search, it is possible to achieve an attack success rate similar to that of other algorithms such as the ZOO algorithm and the AdvGAN algorithm, while reducing the number of visits to the target model to 10,000.
Keywords/Search Tags: adversarial attack, black-box attack, adversarial examples, decision boundary, latent space