
Adversarial Examples Defense In Deep Learning

Posted on: 2022-09-28 | Degree: Master | Type: Thesis
Country: China | Candidate: X J Duan | Full Text: PDF
GTID: 2518306602989919 | Subject: Communication and Information System
Abstract/Summary:
Artificial intelligence is being applied ever more widely in the security field; in recent years it has reached industrial deployment in vulnerability detection, web application firewalls, malware detection and other areas. As a result, the security of deep learning itself has drawn growing attention. Adversarial attacks are one of the threats to deep learning: adversarial perturbations have been shown to exist in almost every domain where deep learning models are used. The attacker, with white-box or black-box access, searches for the smallest perturbation that changes the classification result. Because these perturbations are small and transfer well between models, they seriously affect the normal use of the model. Existing countermeasures fall into two groups: adversarial example detection and improving model robustness. Detection algorithms try to identify adversarial examples among the inputs and discard them in time so that they never reach the target model; most existing algorithms separate adversarial from normal examples either by their different density characteristics or by inconsistent model feedback before and after some processing step. Robustness methods modify the target model so that it separates adversarial examples better, making it harder for the attacker to generate a satisfactory adversarial example. Given the characteristics of adversarial examples, an ideal defence should resist adversarial attacks without reducing the model's classification accuracy on normal examples. It should also avoid depending heavily on information about the target model or modifying its structure or parameters, so that it can be deployed in different scenarios, keep pace with iterative updates of attack techniques, and defend against different attack methods. On this basis, this thesis designs an adversarial example detection scheme and an adversarial example defence scheme. The specific work is as follows:

(1) An adversarial example detection scheme based on the combination of preprocessing and local intrinsic dimensionality (LID). The input, a mix of adversarial and normal examples, is first preprocessed: every sample is perturbed so that the target model's highest output confidence increases further without changing the predicted class, which amplifies the difference between adversarial and normal examples. The activation values of each layer of the deep learning model are then used to estimate the local intrinsic dimensionality of each example. Because the adversarial subspace has a larger local intrinsic dimensionality than the subspace of normal examples, a logistic regression model trained on these LID features detects the adversarial examples in the input. In the experiments, detection performance is verified on adversarial examples generated by the C&W algorithm. Compared with other density-based algorithms, the proposed algorithm has a lower misclassification rate and achieves better accuracy, precision and stability.

(2) An adversarial example defence scheme based on a detector and a reformer. The defence system has two parts and is deployed in front of the target model. When a sample enters the system, the detector computes a kernel density estimate or a k-nearest-neighbour distance for it; if the score falls below the preset threshold, the sample is treated as adversarial and not processed further. Samples that pass the detector are modified by the reformer, which is essentially a pre-trained denoising autoencoder. The scheme trains a separate denoising autoencoder for each class of the target classifier, so that each one learns the features of its class submanifold and denoises that class better than a single autoencoder trained on all classes. A sample is corrected by every autoencoder in turn and the corresponding reconstruction errors are computed; the smaller the error, the closer the sample is to that submanifold, so the output of the autoencoder with the minimum error is passed to the target model in place of the original sample to obtain the classification result. The experiments verify the defence scheme with different attack algorithms and with C&W attacks of different strengths, and the defence success rate is above 90%.
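The LID-based detector of scheme (1), as an added worked example that is not the thesis's code. Per-layer activations are simulated rather than taken from a real network (the two layer widths, the 1-D curve the clean samples follow and the isotropic adversarial noise are constructed assumptions), each sample's LID is estimated with the maximum-likelihood estimator over its k nearest neighbours in a clean reference batch, and a logistic-regression detector is trained on the per-layer LID vector. The confidence-amplifying preprocessing step of the thesis is not simulated here.

```python
"""Adversarial example detection from per-layer local intrinsic dimensionality.

Added example, not code from the thesis.  Per-layer activations are simulated
(there is no real network here), the LID of each sample is estimated with the
maximum-likelihood estimator used by LID-based detectors, and a logistic
regression detector is trained on the per-layer LID vector.  Pure Python,
deterministic.
"""
import math
import random

rng = random.Random(7)
LAYER_DIMS = [6, 10]        # assumed: two monitored layers of the target model


def _unit(dim):
    v = [rng.gauss(0, 1) for _ in range(dim)]
    n = math.sqrt(sum(c * c for c in v))
    return [c / n for c in v]


DIRECTIONS = [_unit(d) for d in LAYER_DIMS]


def make_activations(n, adversarial):
    """Constructed activations, acts[layer][sample] -> vector.

    Normal samples lie on a 1-D curve in each layer's activation space with
    tiny noise (LID close to 1).  Adversarial samples sit near that curve but
    their perturbation spreads over every dimension, which inflates the LID."""
    sigma = 0.1 if adversarial else 0.01
    acts = []
    for dim, u in zip(LAYER_DIMS, DIRECTIONS):
        layer = []
        for _ in range(n):
            t = rng.uniform(-1, 1)
            layer.append([t * u[j] + rng.gauss(0, sigma) for j in range(dim)])
        acts.append(layer)
    return acts


def lid_mle(x, reference, k):
    """Maximum-likelihood LID estimate of x from its k nearest neighbours in
    reference: -k / sum_i log(r_i / r_k).  Zero distances (x itself) are skipped."""
    dists = [d for d in sorted(math.dist(x, r) for r in reference) if d > 0][:k]
    r_k = dists[-1]
    s = sum(math.log(d / r_k) for d in dists)
    return -k / min(s, -1e-9)          # guard: all-equal distances give s == 0


def lid_features(acts, reference_acts, k=10):
    """One LID value per monitored layer for every sample in acts."""
    layers = range(len(acts))
    return [[lid_mle(acts[l][i], reference_acts[l], k) for l in layers]
            for i in range(len(acts[0]))]


def standardize(X, stats=None):
    """Zero-mean, unit-variance features; stats are fitted once on training data."""
    if stats is None:
        cols = list(zip(*X))
        mu = [sum(c) / len(c) for c in cols]
        sd = [max(math.sqrt(sum((v - m) ** 2 for v in c) / len(c)), 1e-9)
              for c, m in zip(cols, mu)]
        stats = (mu, sd)
    mu, sd = stats
    return [[(v - m) / s for v, m, s in zip(x, mu, sd)] for x in X], stats


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))


def train_logreg(X, y, lr=0.5, epochs=500):
    """Full-batch gradient descent for logistic regression (no sklearn needed)."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for xi, yi in zip(X, y):
            err = _sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) - yi
            gw = [g + err * xj for g, xj in zip(gw, xi)]
            gb += err
        w = [wj - lr * g / len(X) for wj, g in zip(w, gw)]
        b -= lr * gb / len(X)
    return w, b


def predict(model, X):
    w, b = model
    return [int(_sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) >= 0.5)
            for xi in X]


def run_detector(k=10):
    """Train the LID detector on constructed data and score a held-out batch."""
    reference = make_activations(100, adversarial=False)   # clean neighbour pool
    train = [(make_activations(60, False), 0), (make_activations(60, True), 1)]
    test = [(make_activations(40, False), 0), (make_activations(40, True), 1)]
    X_tr = sum((lid_features(a, reference, k) for a, _ in train), [])
    y_tr = [lab for a, lab in train for _ in a[0]]
    X_te = sum((lid_features(a, reference, k) for a, _ in test), [])
    y_te = [lab for a, lab in test for _ in a[0]]
    X_tr_s, stats = standardize(X_tr)
    model = train_logreg(X_tr_s, y_tr)
    pred = predict(model, standardize(X_te, stats)[0])
    n_clean = len(test[0][0][0])
    mean_lid = lambda rows: sum(r[0] for r in rows) / len(rows)
    return {"accuracy": sum(p == t for p, t in zip(pred, y_te)) / len(y_te),
            "mean_lid_clean": mean_lid(X_te[:n_clean]),
            "mean_lid_adv": mean_lid(X_te[n_clean:])}


if __name__ == "__main__":
    print(run_detector())
```

The neighbour pool is a clean batch, so an adversarial input is scored against normal activations only; that is what makes its k nearest distances nearly equal and its LID estimate large. Standardising the LID features before logistic regression matters in practice because the raw values differ by an order of magnitude between layers.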
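The detector-plus-reformer pipeline of scheme (2), as an added example (not the thesis's code). The per-class denoising autoencoder is replaced by a rank-2 linear autoencoder fitted by SVD on each class's clean data, the protected target model is a nearest-centroid classifier, the detector score is a Gaussian kernel density estimate over clean training data, and the data, bandwidth and 1% rejection threshold are constructed assumptions. It shows the division of labour the abstract describes: a perturbation large enough to leave the data manifold is rejected by the detector, while a minimal perturbation that only crosses the decision boundary passes the detector and is undone by the reformer, because the class-0 autoencoder reconstructs it with the smaller error.

```python
"""Detector + reformer defence in front of a classifier.

Added example, not the thesis's code.  A rank-R linear autoencoder per class
(PCA subspace fitted by SVD) stands in for the thesis's per-class denoising
autoencoders; the detector is a Gaussian KDE over clean training data; the
target model is a nearest-centroid classifier.  All data is constructed.
"""
import numpy as np

rng = np.random.default_rng(0)
D, R = 12, 2                      # input dimension, per-class manifold rank
H = 0.5                           # KDE bandwidth (assumed operating point)
GAP = 1.0                         # offset of class 1 along coordinate 4

# Constructed data: class c occupies a 2-D plane spanned by coordinates
# (2c, 2c+1); class 1 is shifted by GAP along coordinate 4; every other
# coordinate carries only tiny noise.
def make_class(c, n):
    x = rng.normal(0.0, 0.02, size=(n, D))
    x[:, 2 * c:2 * c + 2] = rng.uniform(-1.0, 1.0, size=(n, 2))
    x[:, 4] += GAP * c
    return x

def make_set(n):
    X = np.vstack([make_class(c, n) for c in range(2)])
    return X, np.repeat(np.arange(2), n)

X_train, y_train = make_set(300)
X_val, _ = make_set(300)

# ---- target model: nearest-centroid classifier ----
CENTROIDS = np.vstack([X_train[y_train == c].mean(axis=0) for c in range(2)])

def classify(x):
    return int(np.argmin(np.linalg.norm(CENTROIDS - x, axis=1)))

# ---- detector: density score, reject when it falls below a preset threshold ----
def kde_score(x, pool=X_train, h=H):
    d2 = np.sum((pool - x) ** 2, axis=1)
    return float(np.sum(np.exp(-d2 / (2 * h * h))))

def knn_distance(x, k=5, pool=X_train):
    """Alternative detector score: distance to the k-th nearest clean sample
    (here a larger value, not a smaller one, means 'suspicious')."""
    return float(np.sort(np.linalg.norm(pool - x, axis=1))[k - 1])

# Threshold chosen so that 1% of clean validation inputs would be rejected.
THRESHOLD = float(np.percentile([kde_score(x) for x in X_val], 1))

# ---- reformer: one rank-R linear autoencoder per class ----
def fit_autoencoder(Xc):
    mu = Xc.mean(axis=0)
    _, _, vt = np.linalg.svd(Xc - mu, full_matrices=False)
    return mu, vt[:R]                 # class mean and basis of its submanifold

AUTOENCODERS = [fit_autoencoder(X_train[y_train == c]) for c in range(2)]

def reconstruct(ae, x):
    mu, basis = ae
    return mu + (x - mu) @ basis.T @ basis

def reform(x):
    """Run x through every class autoencoder and keep the reconstruction with
    the smallest error, i.e. the closest class submanifold."""
    recons = [reconstruct(ae, x) for ae in AUTOENCODERS]
    errors = [float(np.linalg.norm(x - r)) for r in recons]
    best = int(np.argmin(errors))
    return recons[best], best, errors

def defend(x):
    """Detector, then reformer, then the target model.  Returns the predicted
    class, or None when the detector rejects the input."""
    if kde_score(x) < THRESHOLD:
        return None
    x_ref, _, _ = reform(x)
    return classify(x_ref)

# Constructed probes: a clean class-0 input, a minimal perturbation along the
# inter-centroid direction that just flips the classifier, and a large
# off-manifold perturbation.
x_clean = np.zeros(D); x_clean[0], x_clean[1] = 0.5, -0.5
x_small = x_clean.copy(); x_small[4] += 0.6 * GAP
x_large = x_clean + rng.normal(0.0, 0.3, size=D); x_large[4] += 3.0 * GAP

if __name__ == "__main__":
    for name, x in [("clean", x_clean), ("small", x_small), ("large", x_large)]:
        print(name, "raw:", classify(x), "defended:", defend(x),
              "chosen AE:", reform(x)[1])
```

The threshold is the operating knob: it is set from the rejection rate one accepts on clean validation data, and whatever the detector lets through is the reformer's job. A real deployment would use the trained denoising autoencoders and the target network in place of the linear stand-ins, but the hand-off logic in `defend` is the same.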
Keywords/Search Tags: Deep Learning, Adversarial Examples, Adversarial Example Detection, Defense Strategy