In recent years, with the explosive growth of data volume and the rapid improvement of computer performance, deep neural networks have achieved unprecedented development. Deep neural networks are used in more and more fields due to their powerful feature extraction and expression capabilities. However, researchers have found that deep neural networks also face security threats. Especially in the field of image classification, attackers can make deep neural network classifiers produce wrong predictions by adding carefully designed tiny perturbations to clean images, and such perturbations are invisible to humans. The image with the perturbations added is the adversarial sample. The existence of adversarial samples seriously threatens the application of deep learning models in many security fields, such as face recognition, autonomous driving, and medical assistance systems. Therefore, how to protect deep learning models from adversarial examples is an urgent and challenging problem. In addition, the study of powerful adversarial attack algorithms is of great significance for understanding the inherent vulnerability of deep networks and further improving the robustness and security of the model.

Current adversarial example generation algorithms are prone to overfitting: the white-box attack has a high success rate, while the black-box attack has a low success rate. To solve this problem, this thesis proposes an adversarial example generation algorithm based on integrated loss, which uses the integrated loss function to measure the importance of the model input to the model output, finds the important input characteristics that can affect the model output, and perturbs these characteristics, which effectively improves the success rate of adversarial example attacks. Experimental results show that, compared with the current mainstream PGD algorithm, on the ImageNet dataset the proposed algorithm not only retains almost 100% of the success rate of the white-box attack, but also further improves the success rate of the black-box attack by 10-20%.

Traditional robust defense algorithms based on image reconstruction share a common practice, which is to reconstruct the whole image. This approach is very time-consuming in some algorithms, such as the total variance minimization algorithm. At the same time, the image reconstruction algorithm also affects the classification accuracy on the original image dataset to a certain extent. To solve these problems, this thesis proposes a robust defense algorithm for image reconstruction based on random regions. The experimental results show that on the ImageNet dataset, compared with the traditional full-region image reconstruction algorithm, the proposed algorithm reduces the running time by up to 50% and reduces the impact on the classification accuracy of the original image dataset to a certain extent, without reducing the defense performance against adversarial examples.