
Adversarial Attack And Defense Algorithms Based On Domain Adaptation Model

Posted on: 2023-02-01 | Degree: Master | Type: Thesis
Country: China | Candidate: Z F Wu | Full Text: PDF
GTID: 2568306620954629 | Subject: Artificial Intelligence and Machine Learning

Abstract/Summary:
Deep learning models have been widely applied in many industrial scenarios. However, there are considerable differences between real-world datasets and training datasets, such as images taken under different lighting conditions and in different seasons, which lead to poor classification results on real-world data. Researchers have proposed domain adaptation models that align the features of datasets collected in different environments, so that the model can identify the features images share across two domains and adapt to the new domain. Although domain adaptation models solve this problem well, the security of deep learning has been debated more and more intensely in recent years, and adversarial attacks can successfully fool most state-of-the-art image classification models. It is therefore natural to raise concerns about the security of domain adaptation models.

This thesis systematically studies adversarial attack and defense on domain adaptation models and verifies that domain adaptation models are also vulnerable to adversarial attacks. Because target-domain data lacks labels, this thesis proposes a pseudo-label-based adversarial attack method for the target domain, which makes adversarial attacks more threatening to domain adaptation models. The thesis then considers defense from the perspective of network architecture and, combining one-shot NAS with a number of improvements and optimizations, proposes an adversarial defense method for domain adaptation models based on one-shot NAS. The main contributions of this thesis are as follows:

1. For the first time, this thesis tests two different types of domain adaptation models against adversarial attacks and verifies that domain adaptation models are also vulnerable to them. Since target-domain data has no labels, and it is difficult to resist adversarial attacks on large-scale target-domain datasets, this thesis proposes a pseudo-label-based target-domain adversarial attack method that automatically adjusts the direction of the adversarial perturbation by fusing multiple models. Without knowing the true labels, the gradient of the adversarial perturbation is made to deviate from the correct direction as far as possible, so that the attack poses a greater threat to the domain adaptation model.

2. To address the problem that the architecture of a domain adaptation model is fragile and vulnerable to adversarial attacks, this thesis proposes a defense method for domain adaptation models based on one-shot NAS. To improve search efficiency and focus the network search on the model's defensive ability, the thesis designs a concise search space and a search strategy based on feature vulnerability. In each round of the search, this strategy calculates the feature vulnerability of every layer and adjusts the search probability accordingly, so that each iteration searches in the direction of the highest adversarial robustness. Finally, the thesis combines classification accuracy on clean inputs and accuracy under adversarial attack as the model evaluation criterion, so that NAS avoids selecting architectures that are vulnerable to adversarial attack during the search and further improves the model's ability to defend against adversarial examples.

3. The effectiveness of the proposed algorithms is demonstrated by a large number of experimental comparisons, including adversarial attack and defense in both black-box and white-box settings, and random search versus feature-vulnerability-based search. The optimal parameters of the proposed algorithms are determined experimentally.
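To make the search-strategy part of contribution 2 concrete, the following is an added toy implementation, not code from the thesis, of a feature-vulnerability-guided sampling round for a one-shot NAS supernet. The abstract does not define "feature vulnerability" or the probability update, so both are assumptions here: vulnerability is taken as the mean relative L2 shift of a candidate operation's output between clean and perturbed inputs, sampling probabilities are made proportional to the inverse vulnerability, and the evaluation criterion is a weighted mix of clean and adversarial accuracy. The candidate operations, the input points and the perturbations are constructed toy values.

```python
"""
Feature-vulnerability-guided sampling for a one-shot NAS supernet (toy model).

Added illustration, not code from the thesis. Each supernet layer holds several
candidate operations; for each candidate we measure how far its output features
move when the input is perturbed within an epsilon ball, turn that "feature
vulnerability" into a sampling probability that favours stable candidates, and
score an architecture by a weighted mix of clean and adversarial accuracy.
"""
import math
import random
from typing import Callable, List, Sequence, Tuple

Vector = List[float]
Op = Callable[[Vector], Vector]


def matvec(w: Sequence[Sequence[float]], x: Vector) -> Vector:
    return [sum(wij * xj for wij, xj in zip(row, x)) for row in w]


def relu(x: Vector) -> Vector:
    return [max(0.0, v) for v in x]


def linear_relu(w: Sequence[Sequence[float]]) -> Op:
    """Candidate op y = relu(W x); W is a constructed 2x2 matrix."""
    return lambda x: relu(matvec(w, x))


def l2(x: Vector) -> float:
    return math.sqrt(sum(v * v for v in x))


def feature_vulnerability(op: Op, clean: Sequence[Vector], perturbed: Sequence[Vector]) -> float:
    """Assumed metric: mean relative L2 shift of the op's output between each clean
    input and its perturbed twin. Near 0 means the features barely move."""
    total = 0.0
    for x, x_adv in zip(clean, perturbed):
        fx, fadv = op(x), op(x_adv)
        denom = l2(fx)
        if denom == 0.0:
            # degenerate case: no clean features at all, so any shift counts as maximal
            total += 1.0 if l2(fadv) > 0.0 else 0.0
        else:
            total += l2([a - b for a, b in zip(fadv, fx)]) / denom
    return total / len(clean)


def sampling_probabilities(vulns: Sequence[float], floor: float = 1e-6) -> List[float]:
    """Assumed update: probability proportional to 1 / vulnerability, so stable
    candidates are drawn more often in the next round. `floor` guards a zero."""
    weights = [1.0 / v if v > 0.0 else 1.0 / floor for v in vulns]
    s = sum(weights)
    return [w / s for w in weights]


def robust_score(clean_acc: float, adv_acc: float, alpha: float = 0.5) -> float:
    """Evaluation criterion: alpha weights clean accuracy, 1 - alpha weights
    accuracy under attack, so a brittle architecture cannot win on clean accuracy alone."""
    return alpha * clean_acc + (1.0 - alpha) * adv_acc


def search_round(supernet: Sequence[Sequence[Op]], clean: Sequence[Vector],
                 perturbed: Sequence[Vector], rng: random.Random) -> Tuple[List[List[float]], List[int]]:
    """One search iteration: per layer, score every candidate on the features produced
    by the ops already sampled for earlier layers, update the sampling probabilities
    and draw one op. Returns (probabilities per layer, chosen op index per layer)."""
    probs_per_layer: List[List[float]] = []
    choice: List[int] = []
    cur_clean, cur_adv = list(clean), list(perturbed)
    for candidates in supernet:
        vulns = [feature_vulnerability(op, cur_clean, cur_adv) for op in candidates]
        probs = sampling_probabilities(vulns)
        k = rng.choices(range(len(candidates)), weights=probs)[0]
        probs_per_layer.append(probs)
        choice.append(k)
        # the sampled op's features become the next layer's inputs
        cur_clean = [candidates[k](x) for x in cur_clean]
        cur_adv = [candidates[k](x) for x in cur_adv]
    return probs_per_layer, choice


# Constructed toy data: two clean points, each perturbed by +0.5 on its second axis.
CLEAN: List[Vector] = [[1.0, 0.0], [2.0, 0.0]]
PERTURBED: List[Vector] = [[1.0, 0.5], [2.0, 0.5]]

# Constructed supernet: two layers, three candidate ops each.
SUPERNET: List[List[Op]] = [
    [linear_relu([[1.0, 0.0], [0.0, 1.0]]),   # identity
     linear_relu([[1.0, 0.0], [0.0, 0.2]]),   # damps the perturbed axis
     linear_relu([[1.0, 0.0], [0.0, 2.0]])],  # amplifies the perturbed axis
    [linear_relu([[1.0, 0.0], [0.0, 1.0]]),
     linear_relu([[1.0, 0.0], [0.0, 0.2]]),
     linear_relu([[1.0, 0.0], [0.0, 2.0]])],
]

if __name__ == "__main__":
    probs, chosen = search_round(SUPERNET, CLEAN, PERTURBED, random.Random(0))
    for layer, (p, k) in enumerate(zip(probs, chosen)):
        print(f"layer {layer}: sampling probabilities {p}, sampled op {k}")
    # constructed accuracies for the sampled architecture
    print("robust score:", robust_score(clean_acc=0.9, adv_acc=0.3, alpha=0.5))
```

On the first layer the three candidates have vulnerabilities 0.375, 0.075 and 0.75, so the damping op receives 10/13 of the sampling mass while the amplifying op gets 1/13; repeating such rounds steers the search toward architectures whose per-layer features are least sensitive to perturbation, which is the intent the abstract attributes to the feature-vulnerability strategy.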
Keywords/Search Tags: Deep Learning, Domain Adaptation Models, Adversarial Attack, Adversarial Robustness, NAS