In recent years, deep learning has gradually become the mainstream research direction in the field of artificial intelligence. It has achieved great results in many complex artificial intelligence tasks, such as image classification, object detection, semantic segmentation and speech recognition. Deep learning is now gradually being applied to safety-critical applications such as autonomous driving, medical image processing, speech control and intrusion detection. However, recent studies show that deep learning models are vulnerable to adversarial examples, which raises strong concerns about deep learning-based safety-critical applications. An adversarial example is an attack example that an attacker obtains by adding carefully designed slight perturbations. An adversarial example with such slight perturbations can cause a well-performing model to make a wrong decision, and the perturbations are usually not perceptible to humans. Adversarial examples have become one of the important factors affecting the application of deep learning in safety-critical applications. Therefore, in-depth research on the generation principle of adversarial examples, and on improving their attack power in order to promote the robustness of deep learning, is a current research hotspot in the field of artificial intelligence security.

This paper studies adversarial example generation methods for image classification models. According to whether the attacker can obtain the internal information of the target deep learning model, adversarial example generation methods can be divided into white-box methods and black-box methods. At present, most adversarial example generation methods generate adversarial examples from the gradient of the target model in the white-box scenario, and cannot effectively attack the target model in the black-box scenario. Moreover, the adversarial examples generated by existing methods have obvious noise patterns, which reduce the concealment of the adversarial examples and are easily detected by the human eye. Therefore, how to give adversarial examples strong black-box attack power and better concealment is the main research content of this paper.

Firstly, to address the weak black-box attack power and obvious noise patterns of existing adversarial example generation methods, and taking the improvement of the black-box attack power and concealment of adversarial examples as the starting point, this paper studies how to replace noise patterns with color transformation and how to enhance the black-box attack power of color adversarial examples. Based on research on color spaces and an analysis of the model's decision-making process, a color space-based perturbation generation method and a color perturbation direction search method are constructed. Using these two methods, a color space-based black-box adversarial example generation method is proposed, which eliminates noise patterns in the adversarial examples and achieves stronger black-box attack power.

Secondly, to further improve the black-box attack power of targeted and non-targeted adversarial examples and the concealment of the adversarial perturbations, and taking the traditional adversarial example objective function as the starting point, this paper studies style transfer methods and the transferability principle of adversarial examples. The research idea is to introduce a style transfer loss function and to design a multi-model ensemble adversarial loss in order to optimize the traditional adversarial example objective function. On this basis, an image style-based black-box adversarial example generation method is proposed to improve the black-box attack power of targeted and non-targeted adversarial examples and the concealment of the adversarial perturbations.

Finally, for typical image classification models, comparative experiments are conducted on the ImageNet dataset to verify the effectiveness and advancement of the methods proposed in this paper.