
Research On Black Box Countermeasure Algorithm For Deep Neural Network

Posted on: 2022-11-11   Degree: Master   Type: Thesis
Country: China   Candidate: Y L Zhang   Full Text: PDF
GTID: 2518306764476504   Subject: Automation Technology
Abstract/Summary:
Adversarial attacks on neural network classifiers add carefully crafted perturbations to original samples so that the target model misclassifies them. The study of such attacks is a crucial part of improving model robustness: it deepens our understanding of neural networks and exposes their security risks. Existing adversarial attack methods reach success rates close to 100% in the white-box setting. In the black-box setting, which is closer to realistic deployment, the model parameters are unknown and network structures vary, so generating adversarial samples requires a large number of model queries and the resulting samples transfer poorly to other models. This thesis addresses these two problems through research in two directions, superpixel clustering and multi-model ensemble learning. The main contributions are as follows.

1. Superpixel-based adversarial sample generation. To address the low query efficiency of black-box adversarial sample generation, we propose a key-region acquisition unit that fuses superpixels with a random forest. It extracts the image regions that matter most for classification and significantly reduces the number of target-model queries needed to generate an adversarial sample. In comparison experiments against mainstream black-box attack methods such as AutoZOOM, QL and NP-Attack on MNIST, CIFAR-10 and ImageNet, the method needs an average of 639 queries for untargeted attacks, more than 25% fewer than the other mainstream methods.

2. Gradient-optimization-based adversarial sample transfer. To address the poor transferability of black-box adversarial samples across models with different network structures, we propose a meta-learning multi-model ensemble architecture with gradient optimization. It learns the feature information of adversarial samples across different network architectures and removes the negative effect of random transformations on image transferability, thereby improving the generalization of the adversarial samples. In comparison experiments on ImageNet against mainstream transfer-based black-box generation methods such as TI-DIM, SI-NI and MGAA, the method raises the average attack success rate of the adversarial samples on other classification models to 79.3% in the single-model setting and 99.9% in the multi-model setting.

3. An image protection system based on perturbation-based image encryption. Motivated by the need to protect images in Internet scenarios, we build an image protection system with image encryption, result query and file viewing functions on a browser/server (B/S) architecture, and visualize the related functions.
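The query-reduction idea behind contribution 1, as an added illustration that is not code from the thesis: a score-based black-box attack that first ranks image regions by sensitivity and then searches only the pixels of the most sensitive regions, compared against the same attack over every pixel. Everything here is constructed for the example: regular 2x2 blocks stand in for superpixels, a one-query-per-region probe stands in for the superpixel + random-forest key-region unit, and the "model" is a hand-built logistic classifier whose evidence is concentrated in two blocks. The query counts it reports are properties of this toy, not the thesis's 639-query result.

```python
"""Query-count comparison for a score-based black-box attack: searching every
pixel versus only attacker-selected key regions.  Added illustration, not the
thesis's code: 2x2 blocks stand in for superpixels and a one-query-per-region
sensitivity probe stands in for the superpixel + random-forest unit."""
import math

H = W = 8            # constructed 8x8 single-channel image, pixels in [0, 1]
BLOCK = 2            # block size; 2x2 blocks play the role of superpixels
EPS = 0.25           # per-pixel step of the coordinate-wise attack
PROBE_EPS = EPS / 4  # small region-wide shift used only to rank regions


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class ToyModel:
    """Constructed logistic classifier.  Almost all of its evidence comes from
    the eight pixels in the bottom-right 4x2 strip (blocks 14 and 15); every
    other pixel carries a tiny negative weight."""

    def __init__(self):
        self.w = [-0.02] * (H * W)
        for r in (6, 7):
            for c in (4, 5, 6, 7):
                self.w[r * W + c] = 2.0
        self.b = -6.24  # chosen so the all-0.5 image sits at logit 1.2

    def prob_class1(self, x):
        return sigmoid(sum(wi * xi for wi, xi in zip(self.w, x)) + self.b)


class BlackBox:
    """Black-box interface: the attacker sees only the output score, and every
    call is counted as one query."""

    def __init__(self, model):
        self._model = model
        self.queries = 0

    def score(self, x):
        self.queries += 1
        return self._model.prob_class1(x)


def region_pixels(region):
    """Pixel indices of one BLOCKxBLOCK region; regions are numbered in raster order."""
    per_row = W // BLOCK
    r0 = (region // per_row) * BLOCK
    c0 = (region % per_row) * BLOCK
    return [(r0 + dr) * W + (c0 + dc) for dr in range(BLOCK) for dc in range(BLOCK)]


def perturbed(x, idxs, delta):
    """Copy of x with delta added to the listed pixels, clipped to [0, 1]."""
    y = list(x)
    for i in idxs:
        y[i] = min(1.0, max(0.0, y[i] + delta))
    return y


def run_attack(model, x0, key_regions=None, max_queries=500):
    """Untargeted score-based attack in the style of SimBA: for each pixel in
    the search order try +EPS, then -EPS, and keep a step only if the score on
    the original label drops.  key_regions=None searches all pixels in raster
    order; key_regions=k first spends one query per region to rank regions by
    sensitivity and then searches only the pixels of the k most sensitive ones."""
    box = BlackBox(model)
    p0 = box.score(x0)
    y = 1 if p0 >= 0.5 else 0
    loss = (lambda p: p) if y == 1 else (lambda p: 1.0 - p)  # score on label y
    cur = loss(p0)

    chosen = None
    if key_regions is None:
        order = list(range(H * W))
    else:
        n_regions = (H // BLOCK) * (W // BLOCK)
        sens = {}
        for r in range(n_regions):
            probe = perturbed(x0, region_pixels(r), -PROBE_EPS)
            sens[r] = abs(loss(box.score(probe)) - cur)
        chosen = sorted(range(n_regions), key=lambda r: (-sens[r], r))[:key_regions]
        order = [i for r in chosen for i in region_pixels(r)]

    x = list(x0)
    for i in order:
        if box.queries >= max_queries:
            break
        for step in (EPS, -EPS):
            cand = perturbed(x, [i], step)
            s = loss(box.score(cand))
            if s < cur:
                x, cur = cand, s
                break
        if cur < 0.5:  # label flipped: adversarial example found
            return {"success": True, "queries": box.queries, "regions": chosen, "adv": x}
    return {"success": False, "queries": box.queries, "regions": chosen, "adv": x}


if __name__ == "__main__":
    clean = [0.5] * (H * W)
    for name, k in (("all 64 pixels", None), ("2 key regions", 2)):
        res = run_attack(ToyModel(), clean, key_regions=k)
        print(f"{name:14s} success={res['success']} queries={res['queries']} regions={res['regions']}")
```

On this toy the full-pixel search flips the label only after 57 queries, because raster order visits 52 nearly irrelevant pixels before reaching the decisive block, while the region-ranked search spends 16 probe queries and then needs only three pixel steps (23 queries in total). The probe is the part a real attacker has to get right: it must be small enough not to flip the label on its own (here a quarter of EPS) and its cost is paid once per region, so the saving only materialises when the number of regions is far below the number of pixels, which is exactly what superpixel segmentation buys.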
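The transferability mechanism behind contribution 2, as an added illustration that is not code from the thesis: it shows the plain multi-model (ensemble-gradient) attack that the abstract's meta-learning architecture builds on, and does not implement the meta-learning or the handling of random transformations. The three models, the input point and the budget are all constructed for the example; the surrogates A and B each depend on a different pair of features, and the unseen victim C weights all four equally, so a step crafted on A alone overfits to A's sensitive directions and fails to transfer, while a step against the averaged loss of A and B carries over to C.

```python
"""Transferability of a gradient-based adversarial example crafted on a single
surrogate model versus on an ensemble of surrogates, judged on a held-out
victim model.  Added illustration of the plain ensemble-gradient idea; it is
not the thesis's code and does not implement the meta-learning step."""
import math

EPS = 0.6  # constructed L-infinity budget per feature


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def sign(v):
    return (v > 0) - (v < 0)


class LinearLogit:
    """Constructed binary classifier with logit w . x (no bias); class 1 iff logit >= 0."""

    def __init__(self, w):
        self.w = list(w)

    def prob_class1(self, x):
        return sigmoid(sum(wi * xi for wi, xi in zip(self.w, x)))

    def label(self, x):
        return 1 if self.prob_class1(x) >= 0.5 else 0

    def loss_grad(self, x, y):
        """Gradient w.r.t. the input of the logistic loss for label y: (p - y) * w."""
        p = self.prob_class1(x)
        return [(p - y) * wi for wi in self.w]


def ensemble_fgsm(surrogates, x, y, eps=EPS):
    """One FGSM step against the mean loss of the surrogate set:
    x_adv = x + eps * sign(mean over surrogates of grad_x loss)."""
    grad = [0.0] * len(x)
    for m in surrogates:
        for j, g in enumerate(m.loss_grad(x, y)):
            grad[j] += g / len(surrogates)
    return [xj + eps * sign(gj) for xj, gj in zip(x, grad)]


def transfer_report(surrogates, victim, x, y):
    """Craft on the surrogates, then check which models the result fools."""
    adv = ensemble_fgsm(surrogates, x, y)
    return {
        "adv": adv,
        "fools_every_surrogate": all(m.label(adv) != y for m in surrogates),
        "fools_victim": victim.label(adv) != y,
    }


# Constructed models: A and B each rely on a different pair of features; the
# unseen victim C weights all four equally.  The clean point is class 1 for all.
MODEL_A = LinearLogit([2.0, 2.0, 0.0, 0.0])
MODEL_B = LinearLogit([0.0, 0.0, 2.0, 2.0])
VICTIM_C = LinearLogit([1.0, 1.0, 1.0, 1.0])
CLEAN_X, CLEAN_Y = [0.5, 0.5, 0.5, 0.5], 1


if __name__ == "__main__":
    for name, surr in (("single surrogate A", [MODEL_A]), ("ensemble {A, B}", [MODEL_A, MODEL_B])):
        r = transfer_report(surr, VICTIM_C, CLEAN_X, CLEAN_Y)
        print(f"{name:19s} fools surrogates={r['fools_every_surrogate']} transfers to C={r['fools_victim']}")
```

The single-surrogate step moves only the two features A looks at, which is enough to fool A but leaves C's logit positive; the ensemble step moves all four and flips C as well. Real networks are not linear, but the same effect is what the thesis measures when it reports a higher success rate on held-out classifiers in the multi-model setting than in the single-model one.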
Keywords/Search Tags:Image Classification, Deep Learning, Adversarial Attack, Meta-Learning