| With the application and development of deep learning technology, its security risks are gradually being exposed. Neural networks have been shown to be vulnerable to adversarial attacks: adding small perturbations to the samples can make the model output wrong results. This security threat has gradually penetrated into various fields such as computer vision, speech recognition, and natural language processing. There are still many problems in current research on adversarial samples. First, most studies on adversarial examples focus on image-dependent adversarial attack methods. Such methods need to generate a specific adversarial perturbation for each sample, so the attack depends on the sample and its efficiency is low. Recent studies have shown that neural networks can also be deceived by universal adversarial perturbations that are image-agnostic. Therefore, it is necessary to study efficient universal adversarial perturbation generation methods. Second, the current universal adversarial attacks only achieve good results in the untargeted setting. The transferability of universal adversarial perturbations is poor. Due to the constraints on the perturbations, it is still difficult to achieve targeted attacks. The adversarial capabilities of the proposed methods have much room for improvement. Therefore, it is necessary to overcome the poor transferability of universal adversarial attacks. Finally, there is a lack of discussion on the interpretability of universal adversarial perturbations, and it is necessary to explore the reasons why they can achieve universal attacks. In response to the above problems, this paper mainly carries out the following work: (1) This paper proposes Simple Fool, an efficient generation method for universal adversarial perturbations, which combines targeted universal adversarial perturbations and untargeted universal adversarial perturbations into the same generation framework, transforms the solution of universal adversarial perturbations into an optimization
problem, and realizes simple and efficient universal adversarial perturbations with strong attack ability. (2) The targeted universal adversarial attack method proposed in this paper successfully attacked each target category of the CIFAR-10, GTSRB-43, and ImageNet classification tasks. After adding perturbations to the test data set of the respective tasks, all of the adversarial examples achieve an attack success rate of more than 95%. Even when the training data is unevenly distributed, when the training samples are balanced but the sample size is very small, or when the training data of the target model cannot be obtained at all, it is still possible to implement successful and effective attacks. This proves the strong attack ability of the proposed method and further exposes the vulnerability of existing neural networks. (3) The proposed untargeted universal adversarial perturbation generation method achieves an attack effect of more than 93% on different classification tasks and multiple classic neural network models such as VGG16, VGG19, GoogLeNet, ResNet50, and ResNet152. Compared with other existing methods, the area modified by the attack in this paper is smaller and its attack ability is stronger. Under the same attack task and target models, the untargeted universal adversarial attack capability proposed in this paper is the best among the current methods. (4) This paper carries out a visualized feature analysis of the proposed universal adversarial perturbations from the cross-data and cross-model perspectives. From the data point of view, it is found that no matter what data set is used, the universal adversarial perturbations synthesized for the same target category have similar structures, and the perturbation has the characteristics of the target category data. Its strong triggering can directly make the model output the wrong result. From the perspective of the model, this paper finds that no matter what model is attacked, for the same classification task, the synthesized untargeted universal
adversarial perturbations vary with the structure of the model. The perturbations synthesized for models with similar structures are also similar, and their ability to attack each other is stronger. Such visual feature analysis provides an interpretable answer to the universal adversarial attack ability of the proposed universal adversarial perturbations. |