
Research On Defense Method Of Adversarial Examples In Deep Learning

Posted on: 2022-09-22
Degree: Master
Type: Thesis
Country: China
Candidate: Z X He
Full Text: PDF
GTID: 2518306740994359
Subject: Cyberspace security

Abstract/Summary:
Deep learning is being applied in an increasing number of practical settings, such as face recognition, autonomous driving and image classification. Security issues in deep learning are receiving growing attention, and the discovery of adversarial examples has made this concern concrete. An adversarial attack adds a small perturbation to an original image so that a deep learning model misclassifies it, which seriously hampers the development of deep learning technology. Therefore, the threats and challenges posed by adversarial attacks must be taken into account when developing deep neural networks. In recent years, how to defend against these threats and challenges has become a hot topic of academic research. Existing defense methods fall into two classes: detection defense and robustness defense. Detection defense rejects samples identified as adversarial-like before they reach the neural network, reducing the number of samples that enter the classifier. Robustness defenses such as adversarial training are tied to the particular attack algorithm they are trained against, and transfer poorly to other attacks. In response to these two problems, this thesis proposes a dual-defense framework based on a combined autoencoder and image reconstruction. The main innovations and work content are as follows:

(1) A dual-defense framework is proposed and implemented, consisting of a primary detection defense based on a combined autoencoder and a secondary robustness defense based on image reconstruction. Adversarial examples detected in the primary stage are not discarded but passed to the secondary stage for image reconstruction, yielding samples that can be classified correctly. The framework thus combines detection defense with robustness defense. Four adversarial algorithms, including FGSM and C&W, are used to generate adversarial examples, and the efficiency and attack strength of each algorithm are compared and analysed. Clean samples and the four kinds of adversarial examples are fed into the defense system, and the experimental results show that the system performs well in both detection accuracy and defense robustness.

(2) The primary defense based on the combined autoencoder is designed to detect adversarial examples. The reconstruction error between the input and the autoencoder's output is used to set a detection threshold for adversarial-like samples: the reconstruction error of an adversarial example exceeds the threshold, which completes the detection. The combined autoencoder is trained on clean samples only, with a loss function that combines the mean squared error of the decoded image with the KL divergence. Detection experiments on adversarial examples from the MNIST data set demonstrate the effectiveness of the method, and a comparison with other detection methods shows that it achieves better detection performance. Images detected as adversarial-like are then passed to the secondary defense to remove the perturbation.

(3) The secondary robustness defense based on image reconstruction is designed. In this stage, reconstructing the adversarial example allows the classifier to classify it correctly. Given the size characteristics of MNIST images, a central variance minimisation algorithm and an image quilting optimisation algorithm are proposed for reconstruction. Central variance minimisation reconstructs the central region of the image with the objective of minimising the L2 variance. In the image quilting optimisation algorithm, the clean samples are divided into a patch database, the similarity between the adversarial example and the patch blocks is compared according to the K-means principle to reconstruct the image, and an overlapping region between patch blocks is introduced to correlate adjacent patches. The reconstructed image is composed only of clean-sample content, and the perturbation information of the adversarial example is removed. A comparison with other image reconstruction methods illustrates the soundness of the proposed reconstruction scheme. At the same time, after reconstruction the method correctly classifies multiple kinds of adversarial examples, showing that the framework's defense robustness is strong.
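The detection stage of (2) and the quilting stage of (3), as an added example that is not the thesis's own code. Everything here is an assumption made to keep the example self-contained and offline: the images are constructed 8x8 linear ramps instead of MNIST digits, a 3x3 mean filter stands in for decode(encode(x)) of the trained combined autoencoder, a ±0.1 checkerboard stands in for an FGSM-style sign perturbation, patch similarity is plain nearest-neighbour L2 distance rather than the K-means-based comparison the abstract mentions, and the central variance minimisation algorithm is not shown. What the example does reproduce is the structure of the framework: the threshold is calibrated on clean samples only, a sample over the threshold is routed to reconstruction instead of being dropped, and the overlap between patches is averaged so adjacent patches stay consistent.

```python
"""Two-stage defence sketch: reconstruction-error detector, then patch quilting."""
from typing import Callable, List

Image = List[List[float]]  # H x W grayscale, values in [0, 1]

SIZE = 8  # constructed toy images, not MNIST-sized


def gradient_image(a: float, b: float, size: int = SIZE) -> Image:
    """Constructed 'clean' sample: a smooth linear ramp a*i + b*j."""
    return [[a * i + b * j for j in range(size)] for i in range(size)]


def checkerboard_attack(img: Image, eps: float = 0.1) -> Image:
    """Constructed stand-in for an L_inf sign perturbation: a +/-eps checkerboard."""
    return [[v + (eps if (i + j) % 2 == 0 else -eps) for j, v in enumerate(row)]
            for i, row in enumerate(img)]


def mse(a: Image, b: Image) -> float:
    n = len(a) * len(a[0])
    return sum((x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb)) / n


def mean_filter(img: Image) -> Image:
    """Assumed stand-in for decode(encode(x)) of a trained autoencoder: a 3x3 mean
    filter with replicated borders keeps smooth content and attenuates
    high-frequency perturbation, which is what the reconstruction-error detector
    relies on."""
    h, w = len(img), len(img[0])
    out = []
    for i in range(h):
        row = []
        for j in range(w):
            acc = 0.0
            for di in (-1, 0, 1):
                for dj in (-1, 0, 1):
                    acc += img[min(max(i + di, 0), h - 1)][min(max(j + dj, 0), w - 1)]
            row.append(acc / 9.0)
        out.append(row)
    return out


def calibrate_threshold(clean: List[Image], recon: Callable[[Image], Image],
                        q: float = 1.0) -> float:
    """Threshold = q-quantile of reconstruction error on clean samples only
    (q = 1.0 is the clean maximum; q < 1 trades false positives for sensitivity)."""
    errs = sorted(mse(x, recon(x)) for x in clean)
    pos = q * (len(errs) - 1)
    lo, hi = int(pos), min(int(pos) + 1, len(errs) - 1)
    return errs[lo] + (errs[hi] - errs[lo]) * (pos - lo)


def is_adversarial(x: Image, recon: Callable[[Image], Image], thr: float) -> bool:
    return mse(x, recon(x)) > thr


def patch_database(clean: List[Image], p: int) -> List[List[float]]:
    """All p x p patches (stride 1) of the clean samples, flattened row-major."""
    db = []
    for img in clean:
        h, w = len(img), len(img[0])
        for r in range(h - p + 1):
            for c in range(w - p + 1):
                db.append([img[r + i][c + j] for i in range(p) for j in range(p)])
    return db


def quilt(x: Image, db: List[List[float]], p: int, overlap: int) -> Image:
    """Rebuild x from the nearest clean patch (L2) at each position; pixels in
    the overlap between patches are averaged so neighbouring patches agree."""
    h, w = len(x), len(x[0])
    acc = [[0.0] * w for _ in range(h)]
    cnt = [[0] * w for _ in range(h)]
    step = p - overlap
    rows = sorted(set(list(range(0, h - p + 1, step)) + [h - p]))  # always cover the edge
    cols = sorted(set(list(range(0, w - p + 1, step)) + [w - p]))
    for r in rows:
        for c in cols:
            target = [x[r + i][c + j] for i in range(p) for j in range(p)]
            best = min(db, key=lambda cand: sum((u - v) ** 2 for u, v in zip(cand, target)))
            for i in range(p):
                for j in range(p):
                    acc[r + i][c + j] += best[i * p + j]
                    cnt[r + i][c + j] += 1
    return [[acc[i][j] / cnt[i][j] for j in range(w)] for i in range(h)]


def defend(x: Image, clean: List[Image], recon=mean_filter, p: int = 4, overlap: int = 2):
    """Stage 1 flags by reconstruction error; a flagged sample is not dropped but
    passed to stage 2 (quilting). Returns (label, image handed to the classifier)."""
    thr = calibrate_threshold(clean, recon)
    if not is_adversarial(x, recon, thr):
        return "clean", x
    return "reconstructed", quilt(x, patch_database(clean, p), p, overlap)


# Constructed data: six clean ramps; the adversarial input is one of them plus the checkerboard.
CLEAN = [gradient_image(a, b) for a, b in
         [(0.07, 0.0), (0.0, 0.07), (0.07, 0.07), (0.035, 0.07), (0.07, 0.035), (0.035, 0.035)]]
ORIGINAL = gradient_image(0.07, 0.07)
ADV = checkerboard_attack(ORIGINAL)

if __name__ == "__main__":
    label, out = defend(ADV, CLEAN)
    print(label, "error before:", round(mse(ADV, ORIGINAL), 4), "after:", round(mse(out, ORIGINAL), 6))
```

The clean maximum is used as the threshold so that the constructed clean set produces no false positives; on real data one picks a quantile of the clean error distribution to fix the false-positive rate, and the only quantity a practitioner needs from the autoencoder is the per-sample reconstruction error, so a real model can be dropped in for `mean_filter` unchanged.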
Keywords/Search Tags:adversarial examples, defense, deep learning, autoencoder