
Research On Adversarial Attack And Defense Technology In Machine Learning

Posted on: 2022-12-09
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Yang
Full Text: PDF
GTID: 2518306764976959
Subject: Automation Technology
Abstract/Summary:
With the increasing specialization of software, the dramatic increase in computing power and the explosion in the size of the data available for training, machine learning has become more powerful. As an implementation technology of machine learning, the excellent performance of deep learning in applications has made it widely deployed in fields such as computer vision, malware classification and face recognition. However, studies have shown that when tiny noise that cannot be recognized by the human eye is added to a clean input sample, the neural network can produce an incorrect classification result with a high confidence score. Such carefully crafted, perturbed samples are called adversarial samples. The proposal of adversarial samples has attracted extensive attention, especially in key areas that require high security and reliability. Therefore, it is urgent and meaningful to study adversarial attack and defense strategies.

In recent years, the number of research results related to adversarial samples has grown rapidly. Not only has research on and deployment of adversarial attacks gradually been carried out in practice, but many defensive countermeasures have also emerged to mitigate the impact of adversarial attacks. From the perspective of adversarial attack and defense, this thesis constructs an adversarial attack algorithm based on a flow model and an adversarial training defense algorithm based on metric learning and weighting. Specifically, the main work of this thesis is as follows:

In the adversarial attack based on the flow model, the thesis uses the flow model to fit the sample distribution in the black-box scenario, and adopts the training strategy of pretraining the flow model on natural samples and then fine-tuning it on adversarial samples. Meanwhile, the scheme performs gradient search and black-box optimization with the help of a natural evolution strategy. Compared with previous adversarial attack work based on flow models, the adversarial samples obtained in the thesis have a higher attack success rate. Even in the face of some common defense techniques, they maintain a high attack success rate, and in terms of query efficiency and transferability the proposed scheme also performs better.

In the adversarial training based on metric learning and weighting, the thesis selects the simple and effective triplet loss from metric learning to adjust the distance between adversarial samples and positive and negative samples in order to improve the robustness of the model, and introduces a weighting idea to make reasonable use of the model capacity. The defense scheme in the thesis has the following advantages: it improves the adversarial robustness of the model without losing accuracy; it alleviates the classification boundary distortion defect of standard adversarial training; it is simple and easy to implement, and does not require changing the architecture of the model; and it has a certain versatility, so it can be combined with other adversarial defense schemes to further improve adversarial robustness.
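The abstract above states two things a practitioner may want to see concretely: a tiny, worst-case perturbation flips a trained classifier's decision, and adversarial training (the baseline that the thesis's triplet-loss and weighting scheme builds on) restores robustness at some cost in clean accuracy. The following block is an added illustration, not code from the thesis, and it does not implement the thesis's flow-model attack or its metric-learning defense. It uses a linear (logistic-regression) model so that the worst L-inf perturbation is exact and no deep-learning framework is needed; the dataset, the perturbation budget EPS and the number of weak features are constructed assumptions, built to mirror the "many weakly predictive features" setting in which standard training is known to be fragile.

```python
"""Toy demonstration: worst-case L-inf perturbation of a linear classifier,
and adversarial training as the defence. numpy only; data is constructed."""
import numpy as np

EPS = 0.4      # L-inf perturbation budget (assumed value)
N_WEAK = 50    # number of weakly predictive features (assumed value)


def make_data(n, rng):
    """Constructed dataset with labels in {-1, +1}: feature 0 is strongly
    predictive, the remaining N_WEAK features are only weakly predictive."""
    y = rng.choice([-1.0, 1.0], size=n)
    strong = 2.0 * y + rng.standard_normal(n)
    weak = 0.2 * y[:, None] + rng.standard_normal((n, N_WEAK))
    return np.column_stack([strong, weak]), y


def sigmoid(t):
    return 1.0 / (1.0 + np.exp(-t))


def worst_case_perturb(x, y, w, eps):
    """For a linear model the worst L-inf perturbation of size eps is exact:
    shift every coordinate by eps against the sign of its weight, so the
    logit moves by eps * ||w||_1 toward the wrong class."""
    return x - y[:, None] * eps * np.sign(w)[None, :]


def train(x, y, eps=0.0, lr=0.1, steps=300):
    """Logistic regression (no bias; the data is symmetric) by full-batch
    gradient descent. With eps > 0 each step is taken on the worst-case
    perturbed inputs, i.e. min-max adversarial training."""
    w = np.zeros(x.shape[1])
    for _ in range(steps):
        xt = worst_case_perturb(x, y, w, eps) if eps > 0 else x
        z = xt @ w
        # gradient of mean log(1 + exp(-y z)) with respect to w
        grad = -(y * sigmoid(-y * z))[:, None] * xt
        w -= lr * grad.mean(axis=0)
    return w


def accuracy(x, y, w):
    return float(np.mean(np.sign(x @ w) == y))


def evaluate(seed=0, eps=EPS):
    """Train a standard and an adversarially trained model on the same data
    and report clean accuracy, accuracy under worst-case perturbation, and
    how much of the weight mass sits on the weak features."""
    rng = np.random.default_rng(seed)
    x_tr, y_tr = make_data(1000, rng)
    x_te, y_te = make_data(2000, rng)
    results = {}
    for name, train_eps in (("standard", 0.0), ("adversarial", eps)):
        w = train(x_tr, y_tr, eps=train_eps)
        x_adv = worst_case_perturb(x_te, y_te, w, eps)
        results[name] = {
            "clean_acc": accuracy(x_te, y_te, w),
            "robust_acc": accuracy(x_adv, y_te, w),
            "weak_weight_share": float(np.abs(w[1:]).sum() / np.abs(w).sum()),
        }
    return results


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:12s} clean={r['clean_acc']:.3f} "
              f"robust@eps={EPS}={r['robust_acc']:.3f} "
              f"weak-weight share={r['weak_weight_share']:.2f}")
```

The standard model spreads its weight over the many weak features, so the L1 norm that a worst-case perturbation exploits is large and its accuracy under perturbation collapses well below its clean accuracy. The adversarially trained model concentrates weight on the strong feature, trading a little clean accuracy for a much higher robust accuracy; this accuracy trade-off is exactly the cost the thesis's metric-learning and weighting scheme is designed to avoid.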
Keywords/Search Tags: Adversarial Examples, Adversarial Attacks, Adversarial Defenses, Flow-based Model, Metric Learning