| In the field of image classification,the Adversarial Examples(AEs)usually refer to the images that have tiny distinction to the original input image of target classifier,meanwhile,equip the ability to dramatically perturb the output of the classifier.Researches show that a large number of AEs appear in quite a part state-of-the-art image classification deep neural networks,which are wide open to adversarial attacks,thus leading to security flaws.Benefiting by the continuous development of deep neural network and computational ability of hardware,deep learning has been widely deployed into various practical fields.However,the existence of AEs indicates that numerous deep neural networks are not robust and reliable,as the adversarial attack aiming at them could cause accident,thus severely preventing them from further practical application.Generating Adversarial Example(GAE)algorithms can be principally divided into two types that are white-box and black-box.The white-box algorithm relies on the architecture and parameters of target network,and utilizes the gradient from backpropagation with original image to find the AEs.Because of its high efficiency and powerful,the researches about white-box usually contribute to evaluate robustness thoroughly,adversarial training and explain the network principle,etc.For the reason that black-box algorithm does not require the information of target network,hence it has wider applications.For the image classification,this thesis propose the following three novel GAEs:1.A new white-box algorithm based on gradient is proposed,which can optimize the derivative of activation function during the backpropagation of target network.Different from the common way utilizing the gradient to optimize,we focus on how to obtain a more accurate gradient itself.After analysis we find when deep network backpropagation passing by activation function Re LU,it appears two drawbacks called wrong blocking and over transmission respectively.They all arise from the discontinuous derivative of Re LU.Therefore,we design two filtering mechanisms to alleviate the two phenomena respectively for obtaining a more guiding gradient.2.A new Universal Adversarial Perturbation(UAP)algorithm integrated with self-paced learning is proposed.The existing UAP algorithm is a fixed adversarial perturbation that can integrate into multiple original samples to form corresponding AEs,and it continually and circularly adapts single original example to increase the universal,leading to an inefficient computation and a defect of parallel.In order to improve those drawbacks,we apply the mechanism that self-paced learning automatically sorts the training sample to UAPs,thus implementing a more efficient parallel computing algorithm to generate UAPs.3.A new multi-pixel AE algorithm with neighboring block is proposed.The existing one pixel attack is a GAE algorithm that only changes one pixel in the original image.However,the one pixel attack can hardly hold the high success rate of adversarial attack with the increasing of the size of input image of network and the optimizing of target network structure.For the defect,we design a GAE algorithm perturbing by neighboring pixel block,thereby increase the perturbing space under the similar visual effect of perturbation,and can attack the network with larger input image sizes more lightly. |
PDF Full Text Request