Research And Implementation Of Defense Method For Image Adversarial Examples

Posted on: 2023-04-09  Degree: Master  Type: Thesis
Country: China  Candidate: P B Li  Full Text: PDF
GTID: 2568306914973449  Subject: Computer Science and Technology
Abstract/Summary:
In recent years, deep learning technology has made breakthroughs and has been widely used in many fields, including image recognition, natural language processing, and speech recognition. However, deep learning technology faces serious security threats. The adversarial example attack is an important attack technique against deep learning algorithms. Adversarial examples have been proven to have a significant presence in the physical world and have become one of the main factors hindering the development of deep learning technology. At present, the main problem with adversarial example defense algorithms is that they reduce the recognition accuracy on clean examples. This paper studies defense algorithms against adversarial examples in the two stages of image preprocessing and model recognition, from the perspective of features. The goal is to make the deep neural network much more robust to adversarial examples without compromising the recognition accuracy on clean examples. The main work of this paper is as follows:

(1) This paper proposes a feature protection defense method based on spatial transformation. At present, most defense methods in the image preprocessing stage defend against adversarial examples by destroying the specific perturbation structures of the input image. However, these methods damage the basic structural information of the input image, which reduces the recognition accuracy on clean examples. To solve this problem, this paper proposes a feature protection defense method based on spatial transformation. The method uses an attention mechanism to transform the input image into another vector space. The spatial transformation maintains the basic structural information of the original image while mitigating the effect of adversarial perturbations. This can effectively protect the fragile features and improve the robustness of the model. The experiments show that the proposed spatial transformation method is effective at defending against both single-step and iterative attacks; for iterative attacks in particular, the defense effect is significantly improved.

(2) This paper proposes a feature selection defense method based on the genetic algorithm. At present, most feature selection defense methods select features through the difference between clean examples and adversarial examples. They consider only the robustness of features and do not consider the impact of features on model classification, which reduces the recognition accuracy on clean examples. To solve this problem, this paper proposes a feature selection defense method based on the genetic algorithm, which comprehensively considers both the robustness and the usefulness of features. This method improves the robustness of the model without compromising the recognition accuracy on clean examples. The effectiveness of this method is demonstrated by experiments.

(3) In this paper, we design and implement a road sign recognition system that is resistant to adversarial attacks, based on the defense approaches proposed above. We studied the existing road sign recognition system and found deficiencies in its security. By analyzing the security function requirements of the road sign recognition system, a defense scheme against adversarial attacks is designed. The system is mainly designed with a B/S (browser/server) structure, comprising an interaction layer, a service layer, and a database layer. The interaction layer handles the information exchange between users and the system. The service layer handles the background logic of the system, including four main functional modules: user management, data processing, adversarial example generation, and road sign recognition. The database layer stores the user and road sign data generated during the operation of the system.
Keywords/Search Tags: adversarial example, fragile feature, spatial transformation, genetic algorithm, road sign recognition