Deep neural networks have achieved significant success in artificial intelligence, especially in many machine learning tasks such as natural language processing, computer vision, speech recognition, and autonomous driving. However, these deep neural networks are easily fooled by adversarial examples. Adversarial examples are created by adding artificial, imperceptible perturbations to input samples; they can mislead deep neural networks into incorrect results with high confidence. On the one hand, adversarial examples threaten the application of deep learning in many fields and cause a crisis of confidence in the decisions of artificial intelligence. On the other hand, adversarial examples make researchers rethink the robustness of artificial intelligence, which benefits the development of robust and reliable deep neural networks. Thus, a closer look at adversarial examples has important scientific interest and social significance. In recent years, work on adversarial examples by domestic and foreign researchers has mainly focused on adversarial attacks on, and adversarial defenses of, deep neural networks. Adversarial attacks aim at generating more threatening adversarial examples to mislead neural networks, whereas adversarial defense is responsible for protecting models from adversarial attacks, contributing to artificial intelligence security. Moreover, image classification is one of the most basic and important tasks in computer vision. It has witnessed the development of deep learning in computer vision and remains at the leading edge of vision techniques today, and the concept of adversarial examples was first proposed in image classification. However, existing work on adversarial examples in image classification still has some problems: most adversarial attacks lack transferability, generalization, and theoretical support, and adversarial defenses are usually troubled by limited effectiveness and unaffordable computational costs. Therefore, the dissertation works to address these problems, and its main work and contributions are as follows:

· Adversarial attack based on information entropy and Wasserstein distance of feature maps: Feature-based adversarial attacks in black-box settings have gradually come into researchers' view and prospered in recent years thanks to their great transferability across multiple models. However, these feature-based adversarial attacks usually rely on heuristic loss function designs and lack theoretical support and generalization. The dissertation proposes a novel adversarial attack based on the information entropy and Wasserstein distance of feature maps, built on a novel unified framework. It eliminates the heuristic design of the loss functions to some extent and shows outstanding performance among adversarial attacks.

· Adversarial defense based on matrix recovery: In general, the adversarial perturbations in adversarial examples mislead image classification models into wrong predictions. Therefore, we want to destroy the adversarial perturbations and repair the distorted image, which retains the information of the image while disabling the adversarial perturbations. Meanwhile, we notice that natural images are usually low-rank. Thus, we propose an adversarial defense method based on matrix recovery. The defense mainly consists of adding distortions randomly and then repairing the target image with high-quality low-rank matrix recovery algorithms. Extensive experiments demonstrate that this method can protect models from several adversarial attacks. Moreover, the proposed defense can be combined with other adversarial defense methods, such as adversarial training, to improve the robustness of deep neural networks.
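To make the "distort randomly, then repair with low-rank recovery" mechanism concrete, the following is an added example and not the dissertation's code. It assumes numpy, a constructed rank-3 matrix standing in for a low-rank natural image, a constructed bounded sign perturbation standing in for an adversarial perturbation, random pixel dropping as the distortion, and iterative truncated SVD (hard-impute matrix completion) as the recovery algorithm; the dissertation's actual recovery algorithms are not specified here.

```python
import numpy as np

def make_low_rank_image(h=64, w=64, rank=3, seed=0):
    # Constructed stand-in for a natural image: a nonnegative rank-3 matrix scaled to [0, 1].
    rng = np.random.default_rng(seed)
    X = rng.random((h, rank)) @ rng.random((rank, w))
    return X / X.max()

def add_perturbation(X, eps=0.05, seed=1):
    # Constructed stand-in for an adversarial perturbation: dense, +/-eps at every pixel,
    # i.e. bounded in L-infinity like typical perturbations, and (unlike the image) full-rank.
    rng = np.random.default_rng(seed)
    delta = eps * np.sign(rng.standard_normal(X.shape))
    return np.clip(X + delta, 0.0, 1.0)

def random_distort(X, drop_frac=0.3, seed=2):
    # Step 1 of the defense: randomly destroy a fraction of the pixels (mask True = kept).
    rng = np.random.default_rng(seed)
    mask = rng.random(X.shape) >= drop_frac
    return X * mask, mask

def low_rank_recover(Y, mask, rank=3, iters=100):
    # Step 2 of the defense: hard-impute matrix completion. Alternate between filling the
    # destroyed pixels with the current estimate and projecting onto rank-r matrices.
    # Because the perturbation is full-rank and the image is low-rank, the projection keeps
    # the image content and discards most of the perturbation energy.
    Z = Y.copy()
    for _ in range(iters):
        U, s, Vt = np.linalg.svd(Z, full_matrices=False)
        L = (U[:, :rank] * s[:rank]) @ Vt[:rank]
        Z = np.where(mask, Y, L)
    return L

def rel_error(A, B):
    # Relative Frobenius distance of A from the reference B.
    return np.linalg.norm(A - B) / np.linalg.norm(B)

def demo():
    # Returns (error of perturbed image, error of repaired image), both relative to the clean image.
    X = make_low_rank_image()
    X_adv = add_perturbation(X)
    Y, mask = random_distort(X_adv)
    X_rec = low_rank_recover(Y, mask)
    return rel_error(X_adv, X), rel_error(X_rec, X)

if __name__ == "__main__":
    adv_err, rec_err = demo()
    print(f"perturbed vs clean: {adv_err:.4f}, repaired vs clean: {rec_err:.4f}")
```

The repaired image ends up closer to the clean one than the perturbed input, which is the effect the defense relies on; the tradeoff a practitioner should measure is the clean-accuracy loss caused by the distortion and recovery themselves.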