
Research On Adversarial Sample Defense Method Based On Image Classification

Posted on: 2023-09-30
Degree: Master
Type: Thesis
Country: China
Candidate: M Yan
Full Text: PDF
GTID: 2558306620455944
Subject: Software engineering

Abstract/Summary:
Due to their excellent performance, neural networks have been applied in many fields, such as finance and medical aided diagnosis. However, the discovery of adversarial samples exposes the vulnerability of deep learning models. If deep learning models are to be deployed in critical applications in production and in daily life, their security problem must be solved.

At present, defenses against adversarial samples fall into two main categories: detection of adversarial samples, and improving the robustness of the model through adversarial training. Adversarial sample detection inspects the model's input and identifies the adversarial samples among the input data. Although it can effectively prevent adversarial samples from interfering with the model, there are many ways to generate adversarial samples, and it is difficult to find a single detection method with high accuracy across multiple kinds of them. Adversarial training instead adds adversarial samples to the training data during model training; this enhances the generalization ability of the model and thereby improves its robustness. However, traditional adversarial training has many shortcomings: a single-strength adversarial training model can only effectively resist FGSM attacks and has insufficient defense against other attacks; the ensemble adversarial training model is still unable to resist adversarial samples generated by iterative attacks; and a model trained with iterative adversarial samples has no guarantee of high accuracy against single-strength adversarial samples.

The main work and contributions of this thesis on active and passive defense against adversarial samples are as follows:

1. This thesis proposes a hybrid adversarial training method, which solves the problem that single-strength adversarial training and ensemble adversarial training cannot defend against iterative adversarial sample attacks, while mapping gradient descent adversarial training does not perform well against single-strength adversarial sample attacks. Based on the TRADES algorithm, we further balance accuracy and robustness during training, so that the final trained model meets the system's requirements for both accuracy and robustness.

2. We apply the ideas of single-strength adversarial training and mapped gradient adversarial training to federated learning, and propose single-strength federated adversarial training and federated mapped gradient descent adversarial training respectively. Based on analysis of the experimental results, we further improve federated single-strength adversarial training and federated mapping adversarial training, and propose a federated hybrid adversarial training method that lets the federated model better resist attacks by multiple kinds of adversarial samples.

3. For the detection of adversarial samples, this thesis exploits the differences between adversarial and normal samples in different scenarios and proposes an adversarial sample detection algorithm based on a machine learning voting model, which can detect adversarial samples generated in a variety of ways.
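The following pure-Python toy is an added illustration, not the thesis's code: it shows why a model trained only on single-strength (FGSM) samples can remain exposed to an iterative (PGD) attack, and how a TRADES-style objective adds a robustness term on top of the clean loss. It assumes a hand-built 2-2-1 ReLU network with constructed weights, a constructed input, and, as this example's own choice, averaging the KL term over one FGSM and one PGD sample as the "hybrid" rule, since the abstract does not state the thesis's exact combination.

```python
import math
# Toy 2-2-1 ReLU net with constructed weights: logit z(x) = 1 - 3*|x1 - 0.5|, a kink at x1 = 0.5.
W1, B1, W2, B2 = [[1.0, 0.0], [-1.0, 0.0]], [-0.5, 0.5], [-3.0, -3.0], 1.0

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def forward(x):
    """Return (logit, hidden pre-activations) for a 2-d input in [0, 1]^2."""
    pre = [sum(W1[j][i] * x[i] for i in range(2)) + B1[j] for j in range(2)]
    return sum(W2[j] * max(0.0, pre[j]) for j in range(2)) + B2, pre

def bce(z, y):
    """Numerically stable binary cross-entropy of logit z against label y."""
    return max(z, 0.0) - z * y + math.log1p(math.exp(-abs(z)))

def input_gradient(x, y):
    """dBCE/dx by hand-written backprop: dL/dz = p - y, through ReLU back to x."""
    z, pre = forward(x)
    dh = [(sigmoid(z) - y) * W2[j] * (1.0 if pre[j] > 0 else 0.0) for j in range(2)]
    return [sum(dh[j] * W1[j][i] for j in range(2)) for i in range(2)]

def attack(x0, y, eps, alpha, steps):
    """Projected L-inf signed-gradient ascent: steps=1, alpha=eps is FGSM, more small steps is PGD."""
    x = list(x0)
    for _ in range(steps):
        g = input_gradient(x, y)
        x = [min(max(x[i] + alpha * ((g[i] > 0) - (g[i] < 0)), x0[i] - eps, 0.0),
                 x0[i] + eps, 1.0) for i in range(2)]
    return x

def kl_bernoulli(p, q):
    """KL(Bern(p) || Bern(q)): the TRADES robustness term for a binary head."""
    return p * math.log(p / q) + (1 - p) * math.log((1 - p) / (1 - q))

def hybrid_trades_loss(x, y, eps, beta=6.0):
    """Clean BCE + beta * KL(clean || adversarial prediction), KL averaged over one
    FGSM and one PGD sample (the averaging is this example's own 'hybrid' rule)."""
    p = sigmoid(forward(x)[0])
    kls = [kl_bernoulli(p, sigmoid(forward(attack(x, y, eps, a, n))[0]))
           for a, n in ((eps, 1), (eps / 4, 10))]
    return bce(forward(x)[0], y) + beta * sum(kls) / len(kls)

def demo():
    """Constructed sample just right of the kink (label 0): FGSM overshoots it, PGD climbs onto it."""
    x, y, eps = [0.5625, 0.5], 0, 0.25
    return {"clean": bce(forward(x)[0], y),
            "fgsm": bce(forward(attack(x, y, eps, eps, 1))[0], y),
            "pgd": bce(forward(attack(x, y, eps, eps / 4, 10))[0], y),
            "trades": hybrid_trades_loss(x, y, eps)}
```

On this input the single FGSM step lands past the kink and actually lowers the loss, while PGD stops on the kink and raises it, which is the gap the hybrid objective is meant to close.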
Keywords/Search Tags: adversarial examples, adversarial training, detection of adversarial examples, robustness