Research On Adversarial Attack Algorithm Against AI-Based Image Recognition

Artificial intelligence algorithms,which take deep learning as the core,have been widely used in important fields such as autonomous driving and medical diagnosis.However,the in-interpretability of deep neural network(DNN)leads to its uncontrollable prediction results,which brings huge security threats to application and deployment of artificial intelligence algorithms.Adversarial examples are specially designed examples which are generated by adding imperceptible perturbation to original input to mislead neural network models.Such examples are security vulnerabilities caused by DNN in-interpretability and generally used to attack DNN models.At the same time,existence of the adversarial example reveals the differences between human brain and neural networks in terms of cognitive rules of things.Therefore,it is of great importance to explore adversarial example generation algorithm and adversarial attack algorithm for DNN security and comprehensively understanding interpretability of neural network models.However,existing adversarial example generation algorithms against image recognition are facing challenges including low generation efficiency,limited example quality,unstable transferability and so on.In this paper,latent space information of an image is sufficiently utilized,thus to turn the adversarial example generation problem into an adversarial distribution searching problem and speed up generation process of adversarial examples.Then,a cross-channel and local noise adding method is realized by adding customized noise on maps from different color channels to optimize quality of adversarial examples.Moreover,searching network model is improved to search for adversarial perturbation distribution with higher transferability.The main content and contributions of this paper is as follows:(1)Propose a novel adversarial example generation algorithm,namely LSS-Adv,by utilizing latent space feature searching network to search adversarial perturbation distribution in latent space to improve generation efficiency of adversarial examples.Aiming at the problem that current adversarial example generation algorithms always generate the examples with low efficiency and generative adversarial network based generation algorithms are hard to present steady state during convergent process,this paper proposes to use a single latent space feature searching network to search a distribution,which could be used as adversarial perturbation,in latent space of an image.Single network structure stabilizes and speeds up the convergent process,thus reduces training time.Moreover,the trained latent space feature searching network effectively promotes generation efficiency of adversarial examples,which generates 1000 adversarial examples in 12.34s and reaches an attack successful rate of 96.17%on Image Net-1000 data set.(2)Propose a new quality optimization method,namely CCL-Adv,for adversarial example by allocating appropriate perturbation on maps from different color channels in a reasonable way to improve quality of adversarial examples.Traditional adversarial example generation algorithms directly add global noise on original examples and restrict pixel value by l_p limitation to make the adversarial perturbation imperceptible.However,such operation cannot get rid of dependence on machine judgement,which causes contradiction between visual effect and attack ability.To solve the above problem,this paper fully explores characteristics of different color channels and optimizes perturbation assignment by cross-channel local noise adding method to generate adversarial examples with high quality,which finds a good balance between visual effect and attack ability.(3)Propose a transferable adversarial attack algorithm,namely HDSAttack,by mapping low-dimensional dense information to high-dimensional sparse information to improve transferability of adversarial attack.Aiming at the problem of unstable adversarial attack transferability,this paper proposes to map the example from low-dimensional dense input space to high-dimensional latent space,thus to enlarge searching space and obtain more effective information.At the same time,KL divergence is utilized for sparsity limitation on the whole training process to obtain high-dimensional sparse information which is linearly separable,so as to search effective information efficiently.Furthermore,to realize transferable adversarial attack,ensemble attack is conducted on multiple target networks for the searching network to learn more information of neural network structures.Experimental results show that compared with traditional Autoencoder structure,which is like an hourglass,the proposed structure of searching network improves a successful rate of transferable attack of 10.39%.To sum up,the proposed algorithm in this paper not only improves the generation efficiency and quality of adversarial examples,but also makes the adversarial attack more transferable,which provides a basis for in-depth understanding of adversarial attacks as well as neural network models.