| Adversarial samples are samples formed by making minor modifications to original samples, aiming to deceive the output of a pre-trained classification model while maintaining the similarity between the original samples and the adversarial samples. Adversarial examples can lead to the misclassification of deep neural networks, which brings great risks to several applications in the field of artificial intelligence. Studies have shown that even high-confidence models can be easily broken by adversarial examples. Research on adversarial sample generation methods can provide a reference for the prevention of security risks. Therefore, the study of adversarial samples has important scientific significance. Adversarial sample generation methods are divided into single-sample adversarial perturbation generation algorithms and universal perturbation generation algorithms. The single-sample adversarial perturbation generation algorithm has many defects in cross-model transfer, resulting in the insufficient ability of adversarial samples to misclassify the black-box model; the universal perturbation generation algorithm is an extension of the single-sample adversarial perturbation generation algorithm, and although it generates adversarial samples more efficiently, it requires a large amount of labeled data as a premise, which limits its scope of application. In response to the above problems, this paper studies the generation of adversarial samples, specifically improving the misclassification ability, in the black-box model, of the adversarial samples generated by the single-sample adversarial perturbation generation algorithm, and general perturbation generation under a small amount of labeled data. The main work is as follows: (1) An adversarial example generation method based on simulated annealing is proposed. Since multiple pre-trained models trained on the same dataset have similar but not completely consistent decision 
boundaries, adversarial examples located at the local minima or saddle points of the current model may only be effective for the current model and are difficult to transfer to the black-box model. To improve the transferability of adversarial samples in the black-box model, a simulated annealing algorithm is integrated into the adversarial sample generation process, and an adversarial sample generation method based on simulated annealing is proposed. This method uses the random walk strategy to optimize the local minima and saddle points existing in the adversarial samples to a certain extent, which is beneficial to discovering adversarial samples with stronger transferability. The research results show that the method improves the attack success rate by about 10% in the black-box model. (2) The phenomenon of model tendency was found. The experimental results show that when the same original sample is input to multiple models trained with the same dataset, the models tend to generate adversarial samples of almost the same error category, which shows that the attack ability and transferability of adversarial samples are not completely negatively correlated and provides theoretical support for the attack rate of the black-box model. (3) An improved universal perturbation generation algorithm is proposed. Existing universal perturbation generation algorithms pay more attention to the influence of semantic labels of images on the universal perturbation generation process, ignore the incomplete fitting of the dataset by the pre-training model itself, and cannot optimize the original samples that are classified incorrectly by the pre-training model itself. To reduce the algorithm’s dependence on labeled data and improve the misclassification ability of adversarial samples, the algorithm uses self-supervision to generate universal perturbations by mining the implicit information of unlabeled data, which further enhances the adaptability of the universal perturbation 
algorithm. |