
Research On Image Adversarial Attack Algorithms Based On Black-box Transferability

Posted on: 2022-12-17
Degree: Master
Type: Thesis
Country: China
Candidate: P F Xie
Full Text: PDF
GTID: 2518306731497954
Subject: Information and Communication Engineering
Abstract/Summary:
In recent years, with the rapid development of artificial intelligence (AI) technology, AI applications have been deployed in every aspect of production and daily life. As an important engine of the new round of industrial revolution, AI has greatly advanced social productivity, improved working efficiency and enriched human life. However, studies have shown that AI models are vulnerable to adversarial examples: specially crafted inputs that cause a model to make mistakes by adding a specific perturbation to an original sample. This attack has grown from academic research that could only be carried out under restrictive conditions into a major threat capable of disrupting production and daily life, and adversarial examples have become a gap that AI must cross before it can be fully deployed.

According to the information available to the attacker, adversarial attacks can be divided into white-box and black-box attacks. In a white-box attack the attacker has complete knowledge of the attacked model; such attacks are relatively simple, but the scenarios in which they are realistic are very limited. In a black-box attack the attacker cannot obtain the internal information of the model; depending on whether the model's output can be accessed, black-box attacks are further divided into query-based (access) attacks and transfer attacks. Query-based attacks build an approximate substitute model from a large number of queries, or estimate the gradient needed for the adversarial example from the returned outputs. They require many queries, and the resulting abnormal traffic is easily detected, so they have clear limitations. At present the most threatening and valuable direction in adversarial attack research is the transfer attack, which needs neither the network structure and parameters of the target model nor access to its output. Because it requires zero access to the model, a transfer attack can be slipped into the normal processing flow of an AI system as if it were an ordinary sample. At the same time, since a transfer attack has no information at all about the target model, it is also the most difficult attack to carry out. Its goal is to find a general and robust adversarial example that fools most models.

Transfer attacks fall into two families: gradient-iteration methods and generation-based methods, each with its own strengths and weaknesses. Gradient-iteration methods have great advantages on small datasets and generate examples quickly. They are also highly controllable: the attacker can choose any point in the gradient information flow from which to launch the attack. However, they become time-consuming on large datasets, and on difficult samples it is hard to choose a suitable gradient iteration scheme. Generation-based methods learn the distribution of adversarial examples through a generator rather than handling one adversarial example at a time, which sidesteps the difficulty of selecting an iteration scheme, and their end-to-end generation greatly reduces the time needed to produce adversarial examples. However, generation-based methods have received little research attention, and their transferability is currently poor. Overall, gradient-iteration methods clearly outperform generation-based methods at present, but the transfer attack performance of both needs to be improved.

This thesis focuses on improving the transferability of image adversarial examples and studies both attack modes, gradient iteration and generation. The main research results are as follows:

1. Aiming at the poor transferability caused by the fixed relationship among iteration parameters in existing gradient-iteration attacks, this thesis proposes a relaxed gradient iteration framework and an adversarial attack algorithm based on input dropout. The framework redefines the relationship among step size, number of iterations and maximum perturbation and breaks the fixed iteration paradigm that ties the three together, so that the potential of existing attack algorithms can be explored effectively. In addition, to address the sensitivity of defended models to the step size, a data augmentation method based on input dropout is proposed, which effectively prevents overfitting to the defended model as the iteration step size grows. Experiments show that the method reaches an average attack success rate of 96.2% against ensemble adversarially trained models, which is at the leading level in the field.

2. Aiming at the incompatibility of the existing data augmentation framework with some large-scale transformations, this thesis proposes a framework based on noise data augmentation. The framework applies the augmentation transformation only to the adversarial perturbation, so the clean sample is not destroyed and larger-scale transformations become usable. Under this framework an attack method based on random erasing is also proposed; random erasing effectively prevents overfitting of the adversarial perturbation. The framework can further be combined with the traditional data augmentation framework for greater performance. Experiments show that the method effectively improves the transferability of adversarial examples: its average attack success rate is 4.2% higher than DI-FGSM, and it raises the average attack success rate by 3.9% when combined with DI-TI-MIFGSM and by 5.7% when combined with SINI-TI-FGSM. Under the relaxed iteration framework proposed in Chapter 2, it reaches an average attack success rate of 93.8% against ensemble adversarially trained models.

3. Aiming at the tendency of current generation-based attacks to overfit as the number of training iterations increases, this thesis proposes an attack algorithm that combines data augmentation with a generative adversarial network (GAN). The algorithm introduces data augmentation as a defense mechanism into the training of the generative model. On the one hand, diverse augmentations enrich the gradient information returned by the target model and thereby increase diversity during training; on the other hand, the augmentation gives the generator the ability to withstand various transformations, which enhances the robustness of the adversarial examples. Experiments show that the algorithm achieves an approximately positive correlation between transfer attack ability and the number of iterations. Compared with the classical algorithm, attack performance is greatly improved, especially against defended models. At best, the method reaches an average attack success rate of 56.7% against adversarially trained models, which is 31.1% higher than AdvGAN.
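The following Python sketch is an added illustration, not code or experiments from the thesis. On a toy model it shows the ingredients the abstract names for the gradient-iteration results: an L_inf iterative FGSM attack whose step size, iteration count and perturbation budget are set independently (the "relaxed" schedule) with the projection onto the eps-ball enforcing the budget, input dropout before each gradient step, and random erasing applied to the perturbation only so that the clean pixels are never touched; the crafted example is then evaluated on a second model that took no part in crafting, which is the transfer check. The 4x4 images, the two linear "template" models, their weights and the clean sample are all constructed here for illustration; the thesis works with deep CNNs and the DI/TI/MI/SINI-FGSM variants, which this sketch omits.

```python
import math
import random

# Constructed toy setting (not from the thesis): 4x4 grayscale "images" with pixels
# in [0, 1] and three classes, each recognised by one 2x2 patch.
H, W = 4, 4
D, C = H * W, 3
REGIONS = [{0, 1, 4, 5}, {2, 3, 6, 7}, {8, 9, 12, 13}]  # class -> template pixels

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

class LinearModel:
    """Tiny differentiable classifier, logits = W x + b (weights constructed, not trained)."""
    def __init__(self, weights, bias):
        self.w, self.b = weights, bias
    def logits(self, x):
        return [sum(wi * xi for wi, xi in zip(row, x)) + bi for row, bi in zip(self.w, self.b)]
    def predict(self, x):
        z = self.logits(x)
        return max(range(C), key=z.__getitem__)
    def loss_and_grad(self, x, y):
        """Cross-entropy of label y and its gradient w.r.t. the input pixels."""
        p = softmax(self.logits(x))
        grad = [sum((p[i] - (i == y)) * self.w[i][j] for i in range(C)) for j in range(D)]
        return -math.log(p[y]), grad

def template_model(inside, outside, bias):
    """Class k weighs its own patch by `inside` and every other pixel by outside[k]."""
    w = [[inside if j in REGIONS[k] else outside[k] for j in range(D)] for k in range(C)]
    return LinearModel(w, bias)

# The surrogate is white-box to the attacker; the target is never queried while crafting.
SURROGATE = template_model(4.0, [-1.0, -0.5, -1.5], [0.0, 0.5, 0.0])
TARGET = template_model(3.0, [0.0, 0.0, 0.0], [0.0, 0.0, 0.0])
X_CLEAN = [0.9 if j in REGIONS[0] else 0.1 for j in range(D)]  # constructed class-0 image

def sign(v):
    return (v > 0) - (v < 0)

def aug_input_dropout(rate):
    """Input dropout: zero random pixels of the whole adversarial input before each gradient step."""
    def f(x, delta, rng):
        return [0.0 if rng.random() < rate else xi + di for xi, di in zip(x, delta)]
    return f

def aug_erase_perturbation(x, delta, rng, max_side=2):
    """Random erasing on the perturbation only: a random rectangle of delta is zeroed for this
    gradient step, while the clean pixels underneath stay intact."""
    h, w = rng.randint(1, max_side), rng.randint(1, max_side)
    top, left = rng.randint(0, H - h), rng.randint(0, W - w)
    erased = list(delta)
    for r in range(top, top + h):
        for c in range(left, left + w):
            erased[r * W + c] = 0.0
    return [xi + di for xi, di in zip(x, erased)]

def iterative_attack(model, x, y, eps, alpha, iters, augment=None, rng=None):
    """L_inf iterative FGSM on the surrogate. The classic schedule ties alpha = eps / iters; the
    relaxed schedule picks alpha and iters freely and relies on the projection onto the eps-ball
    (and onto valid pixel values) to enforce the budget."""
    delta = [0.0] * D
    for _ in range(iters):
        x_in = augment(x, delta, rng) if augment else [xi + di for xi, di in zip(x, delta)]
        x_in = [min(1.0, max(0.0, v)) for v in x_in]
        _, g = model.loss_and_grad(x_in, y)
        delta = [max(-eps, min(eps, di + alpha * sign(gi))) for di, gi in zip(delta, g)]
        delta = [max(-xi, min(1.0 - xi, di)) for xi, di in zip(x, delta)]  # keep x + delta in [0, 1]
    return [min(1.0, max(0.0, xi + di)) for xi, di in zip(x, delta)]

def transfer_eval(surrogate, target, x, y, eps, alpha, iters, augment=None, seed=0):
    """Craft on the surrogate, then test the target, which took no part in crafting."""
    x_adv = iterative_attack(surrogate, x, y, eps, alpha, iters, augment, random.Random(seed))
    return {
        "linf": max(abs(a - b) for a, b in zip(x_adv, x)),
        "in_range": all(0.0 <= v <= 1.0 for v in x_adv),
        "surrogate_loss_clean": surrogate.loss_and_grad(x, y)[0],
        "surrogate_loss_adv": surrogate.loss_and_grad(x_adv, y)[0],
        "surrogate_fooled": surrogate.predict(x_adv) != y,
        "target_fooled": target.predict(x_adv) != y,
    }

if __name__ == "__main__":
    runs = {
        "classic: eps=0.5, alpha=eps/10": dict(eps=0.5, alpha=0.05, iters=10),
        "relaxed: eps=0.3, alpha=0.05, 20 iters": dict(eps=0.3, alpha=0.05, iters=20),
        "perturbation erasing": dict(eps=0.5, alpha=0.05, iters=10, augment=aug_erase_perturbation),
        "input dropout p=0.3": dict(eps=0.5, alpha=0.05, iters=10, augment=aug_input_dropout(0.3)),
    }
    for name, kw in runs.items():
        r = transfer_eval(SURROGATE, TARGET, X_CLEAN, 0, **kw)
        print(f"{name}: linf={r['linf']:.2f} surrogate_fooled={r['surrogate_fooled']} "
              f"target_fooled={r['target_fooled']}")
```

Two points a practitioner should check when reproducing this kind of attack: the reported L_inf distance must never exceed eps even when alpha times iters is far larger than eps (the relaxed schedule only works because the projection is applied every step), and the perturbation-only augmentation must be applied to the model input for that gradient step without being written back into the stored delta, otherwise the erased region is simply lost rather than regularised.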
Keywords/Search Tags: Adversarial Examples, Black-box Attack, Transferability, Gradient Information, Generative Adversarial Network (GAN)