Classification technology based on deep neural networks is widely used in natural language processing, text recognition, computer vision and other fields, but it is easily affected by adversarial samples, which cause misclassification. Studying adversarial samples for image recognition helps people understand the vulnerability of deep neural network models, and at the same time prompts consideration of the security risks of network models and how to improve them. In practical scenarios, attacks with adversarial samples are mostly black-box attacks. Based on this feature, this dissertation proposes two black-box attack methods to study the generation of adversarial samples. The dissertation first proposes an adversarial sample generation algorithm, Local Range, based on perturbed key regions and greedy local search technology. This algorithm improves on the local search attack algorithm Local Sec ADV, which has many cycles and takes a long time. The correlation between the two, expand the disturbance from key pixels to key areas, and increase the number of disturbed pixels by a small amount, reduce the number of cycles, and reduce the running time of the algorithm. The experimental results on the MNIST and CIFAR-10 datasets show that the local range perturbation algorithm has a high attack success rate across different datasets and different network models. Secondly, according to the preference of the neural network for shape, an adversarial sample generation method, spec Range Adv, based on edge detection is proposed. The scope of the disturbance area is determined by the analysis of the method, so that the attack is targeted. Finally, the imperceptibility of the disturbance is successfully achieved by continuously adjusting the relationship between the added disturbance and the classification result of the network model. Experiments on the ImageNet dataset provide experimental data support for the effectiveness of the algorithm proposed in this dissertation.