Research On Adversarial Examples Methods Based On Evolutionary Strategy

Posted on: 2022-12-03 | Degree: Master | Type: Thesis
Country: China | Candidate: Q Zhang
GTID: 2518306764980299 | Subject: Automation Technology
Abstract/Summary:
With the rapid development of AI, more and more methods based on deep learning have been proposed and are widely used in many scenarios. With the frequent application of deep learning, its security problems, such as adversarial examples, have also attracted more and more attention. State-of-the-art studies have revealed that by adding imperceptible perturbations to the original image, the image classifier can be made to produce a wrong judgement, which could result in serious consequences. Therefore, studying adversarial examples in order to improve the security of deep learning models is of great value. According to the attacker's knowledge of the model, attacks can be divided into white-box attacks, score-based attacks and decision-based attacks. Since studies on white-box attacks have been relatively comprehensive, we focus on attacks on images in the black-box scenario. State-of-the-art black-box adversarial methods require a huge number of queries and large distortion, which is unacceptable in practice. So we propose one score-based method and one decision-based method respectively. The details are as follows.

In the black-box soft-label scenario, we propose a score-based method called CEMA based on the Cross-Entropy Method. We first use an autoencoder to reduce the search space, and then solve the optimization problem in the low-dimensional space with the help of the Cross-Entropy Method. Experiments on the MNIST, CIFAR10 and ImageNet datasets show that CEMA can effectively generate adversarial examples. Experiments among CEMA, NES, SPSA and AutoZOOM on the ImageNet dataset show that with the $l_\infty$ maximum perturbation limit less than 4/255, the success rate of CEMA is higher than that of NES, SPSA and AutoZOOM by 9.6%, 4.6% and 4% respectively. For the model enhanced by JPEG, limiting the maximum access to 2500, the success rate of the CEMA attack is higher than that of NES, SPSA and AutoZOOM by 6.5%, 9.1% and 2.7% respectively. For the model enhanced by convex, the success rate of the CEMA attack is higher than that of NES, SPSA and AutoZOOM by 6.6%, 5.1% and 4.8% respectively.

In the black-box hard-label scenario, we propose a decision-based method called CMA-ESA based on a covariance matrix adaptive evolutionary strategy. First, we use a binary search method to search for adversarial samples that are closer to the original image so as to improve the quality of the initial solution. Meanwhile, we use bilinear interpolation to reduce the search space of the problem. An adaptive covariance matrix is applied to model the local geometric structure of the sample, and the solution is found using the CMA-ES algorithm. Experiments on the CIFAR10 and ImageNet datasets show that with the query count limited to 5000, the success rate of CMA-ESA is higher than that of Opt, Boundary and HSJA by 3.6%, 40.5% and 2.3% respectively. Besides, related experiments on the model pretrained with ALP also show that the attack success rate of CMA-ESA is higher than that of Opt and Boundary by more than 7% respectively.
Keywords/Search Tags: adversarial examples, black box attacks, Cross Entropy Method, variance matrix adaptation evolutionary strategies