Machine learning and deep learning have made great progress in perception tasks in recent years. However, they remain susceptible to adversarial perturbations of the input, which are specifically designed to fool the system while being almost imperceptible to humans. This thesis proposes a defense against maliciously perturbed image input to deep neural networks.

First, the thesis proposes an adversarial sample defense model (GS-DACNN) based on image domain adaptation, consisting of two modules: data preprocessing and a domain adaptation generation network. The data preprocessing module first adds Gaussian random noise to the input image and then smooths the image with a spatial smoothing method; the domain adaptation generation network module then reconstructs the preprocessed image to obtain a clean standard sample, which realizes the defense against adversarial samples. Adversarial samples are not required during training of the defense model, which greatly reduces the training time cost. The defense model was evaluated by attacking LeNet-5 and ResNet-18 classification models on the MNIST dataset with four mainstream adversarial sample attack algorithms. The experimental results show that the defense effect of the proposed GS-DACNN model is better than that of a similar defense method based on image compression and reconstruction. Compared with other defense methods, this method does not need to know or modify the parameters of any classification model.

Second, the thesis proposes an anomaly detection method based on multi-hidden-layer features. The method extracts features from multiple hidden layers of the classification neural network for each input sample and, combining them with noise data of different intensities, trains a corresponding number of detector models. The probability values output by the detectors are fed to an SVM (support vector machine) for the final decision. On the MNIST dataset, four attack algorithms are used to test the detection method; the experimental results show that the F1 value of the detection model reaches up to 98.03%, which proves its effectiveness.

Finally, the thesis designs and implements an adversarial sample defense system composed of a user management module, an adversarial sample detection module and a log module. The core functions of the system support verifying the attack capability of various attack algorithms, visualizing attack perturbations, and evaluating defense effects.
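As an added illustration of the data preprocessing module described above (example code, not the thesis's own implementation), the following Python applies Gaussian noise injection followed by spatial smoothing and measures how much of a sparse perturbation survives. It assumes a 3x3 median filter as the smoothing method, a noise standard deviation of 0.1, and a constructed 8x8 stroke image in which four isolated flipped pixels stand in for a perturbation; none of these values come from the thesis.

```python
import random
import statistics

def add_gaussian_noise(img, sigma, seed=0):
    """Add zero-mean Gaussian noise (std sigma) to a 2-D image in [0, 1] and clip.
    A fixed seed keeps the run reproducible; the thesis's noise level is not given here."""
    rng = random.Random(seed)
    return [[min(1.0, max(0.0, p + rng.gauss(0.0, sigma))) for p in row] for row in img]

def median_filter(img, k=3):
    """k x k median smoothing with edge replication (assumed spatial smoothing step)."""
    h, w, r = len(img), len(img[0]), k // 2
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            window = [img[min(max(y + dy, 0), h - 1)][min(max(x + dx, 0), w - 1)]
                      for dy in range(-r, r + 1) for dx in range(-r, r + 1)]
            row.append(statistics.median(window))
        out.append(row)
    return out

def preprocess(img, sigma=0.1, k=3, seed=0):
    """GS-DACNN-style preprocessing: Gaussian noise first, then spatial smoothing."""
    return median_filter(add_gaussian_noise(img, sigma, seed), k)

def l2_distance(a, b):
    """Euclidean distance between two images of equal shape."""
    return sum((p - q) ** 2 for ra, rb in zip(a, b) for p, q in zip(ra, rb)) ** 0.5

def clean_digit():
    """Constructed 8x8 '1'-like image: a two-pixel-wide stroke on a black background."""
    return [[1.0 if 1 <= y <= 6 and x in (3, 4) else 0.0 for x in range(8)] for y in range(8)]

def sparse_perturbation(img, pixels=((1, 1), (2, 6), (5, 1), (6, 6))):
    """Constructed stand-in for a sparse perturbation: flip isolated background pixels."""
    out = [row[:] for row in img]
    for y, x in pixels:
        out[y][x] = 1.0 - out[y][x]
    return out

def perturbation_reduction(sigma=0.1, seed=0):
    """Return (L2 gap before preprocessing, L2 gap after) for the constructed example.
    The same seed is used for both images so that only the perturbation differs."""
    clean, pert = clean_digit(), sparse_perturbation(clean_digit())
    before = l2_distance(clean, pert)
    after = l2_distance(preprocess(clean, sigma, seed=seed), preprocess(pert, sigma, seed=seed))
    return before, after

if __name__ == "__main__":
    before, after = perturbation_reduction()
    print(f"L2 gap before preprocessing: {before:.3f}, after: {after:.3f}")
```

The median step removes isolated outlier pixels almost entirely, while the noise step is what the reconstruction network must then undo; the gap left after preprocessing is what the domain adaptation generation network in the thesis would receive as input.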