Research On Black Box Adversarial Attack Algorithm For Deep Image Recognition

Posted on: 2022-11-03
Degree: Master
Type: Thesis
Country: China
Candidate: K Liu
Full Text: PDF
GTID: 2518306779468564
Subject: Computer Software and Application of Computer

Abstract/Summary:
In recent years, with the rapid rise of deep neural networks, modern artificial intelligence technology has been widely applied in daily life, in areas such as image recognition, object detection, natural language processing and speech recognition. However, deep neural networks have "visual blind spots": when small, artificially designed perturbations are added to clean samples to form adversarial samples, human perception is unaffected, yet the model misclassifies them with high confidence. As a result, the deployment of deep neural networks in security-sensitive fields such as autonomous driving is seriously threatened. Taking the object classification task as an example, this thesis studies adversarial sample generation algorithms from the two aspects of gradient estimation and transferability, targeting the defects and deficiencies of existing black-box attack methods. The main research work is as follows:

First, most current attack algorithms based on gradient estimation have a large computational overhead (the time complexity of gradient estimation is O(n)), and the lack of mathematical proofs means the convergence of the attack cannot be guaranteed. This thesis proposes an adversarial attack algorithm based on Monte Carlo sampling, which uses Monte Carlo sampling to obtain an unbiased estimate of the gradient and reduces the time complexity of gradient estimation to O(1); the estimated gradient is then combined with gradient-based attack methods to generate adversarial examples. Extensive comparative experiments on datasets such as MNIST, CIFAR10 and Tiny-ImageNet show that our method achieves success rates comparable to the white-box C&W attack in both non-targeted and targeted attack scenarios. It outperforms other state-of-the-art gradient-estimation attack algorithms in attack efficiency, imperceptibility and transferability, and its consumption of computing resources is also greatly reduced.

Secondly, this thesis proposes an adversarial attack algorithm based on data augmentation, which greatly improves the transferability of adversarial samples. Since transfer-based attack methods are prone to overfitting, previous researchers, inspired by data augmentation strategies, applied simple random transformations to images with manually tuned parameters to improve transferability. However, because these combinations of transformations and distortions are too uniform, they cover only a small part of the possible image transformations, resulting in poor transferability of the adversarial samples. To address this problem, the data-augmentation-based attack method proposed in this thesis performs rich data augmentation transformations by training a simple CNN placed in front of an ensemble model with fixed weights. These transformations can destroy adversarial noise, so the finally generated adversarial samples become resistant to such data augmentation, which in turn improves their transferability. Comparative experimental results on the Tiny-ImageNet dataset show that the attack success rate of the proposed method against both defended and undefended models is significantly better than that of current state-of-the-art transfer-based attack methods. A certain gap remains in imperceptibility, and if the internal structure of the ensemble model used as the substitute model is more complex, the attack success rate of the generated adversarial samples will naturally be higher. Meanwhile, our method can also be combined with other transfer-based attack methods to further improve their attack performance.
Keywords/Search Tags: adversarial examples, deep image recognition, black box attacks, Monte Carlo sampling, data augmentation