Research On Attack And Defense Of Adversarial Examples Based On Attention Mechanism

Posted on: 2023-03-19
Degree: Master
Type: Thesis
Country: China
Candidate: B S Zhao
GTID: 2558307073982899
Subject: Information security
Abstract/Summary:
Deep neural network models have been widely applied, with excellent results, in autonomous driving, semantic segmentation and handwritten text recognition. However, as the samples are stored in open networks, malicious attackers can modify the sample data using targeted or untargeted attacks. How to build secure and robust deep learning networks is therefore an important problem. This thesis uses heat maps from gradient-based class activation mapping in adversarial attack algorithms to reduce the perturbation range and computational overhead. Moreover, we investigate an adversarial defence model that combines the global attention mechanism and perceptual loss in a generative adversarial network.

A projected gradient algorithm based on the attention mechanism is proposed against image samples. By using gradient-based weighted class activation mapping, the new model can find special perturbation regions. Gradient noise is then added adaptively to realize an adversarial attack on image samples. The simulations are based on VGG19, VGG16, Resnet50, and Resnet18 network models, with the MNIST (Mixed National Institute of Standards and Technology database), CIFAR-10 and ImageNet datasets. The simulation results show that the success rate of the attack against the mini ImageNet dataset is 96.3%, which is 23.4% higher than that of the FGSM (Fast Gradient Sign Method) algorithm. Compared to the previous strongest first-order attack, PGD (Projected Gradient Descent), the present model reduces memory consumption by 67% and the time for generating adversarial samples by 46%, and achieves similar attack success rates while reducing the perturbation region.

An adversarial defence network model (ABD-GAN) is proposed by combining the global attention network and perceptual loss within a generative adversarial network framework. The network defends against adversarial samples by reconstructing images. Comparative experiments are carried out on three benchmark datasets: MNIST, CIFAR10 and ImageNet. The experimental results show that the proposed model can improve the classification success ratio by 53.3% and reduce the corresponding adversarial success ratio. Compared with the APE-GAN adversarial defence framework, it improves the classification success ratio of the target model by 3.9%. Because image reconstruction is completed by a pre-processing mechanism, the ABD-GAN framework can accomplish adversarial defence without any training of the target model's structure and parameters.
Keywords/Search Tags: Adversarial examples, adversarial training, attention mechanisms, generative adversarial networks, adversarial defense