
Research And Implementation Of Deep Learning Decision-Based Black-Box Attack Defense Method Based On Obfuscation Near Boundary

Posted on: 2024-04-22
Degree: Master
Type: Thesis
Country: China
Candidate: L H Pan
Full Text: PDF
GTID: 2568306941984069
Subject: Cyberspace security

Abstract/Summary:
Adversarial attacks are attacks against deep learning models: they make the model's prediction wrong by adding a perturbation that is difficult to detect to the sample. A black-box adversarial attack can attack the target model without any internal information, which seriously threatens the secure application of deep learning models. Decision-based black-box attacks are a new kind of black-box attack method that can attack the model effectively using only a limited number of queries for the model's predicted labels. However, current defense methods cannot effectively defend against decision-based black-box attacks. Traditional defense methods such as adversarial-sample detection have low defensive capability and offer no defense aimed at the key steps of decision-based attacks. Randomization-based defense methods have some defensive effect, but the randomization factor significantly reduces recognition accuracy on clean samples. Defending against decision-based black-box attacks is therefore an urgent problem, and research on it is of great significance for promoting the secure application of deep learning models.

To address these problems, this thesis proposes ONBD (Obfuscation Near Boundary Defense), a decision-based black-box adversarial defense method based on boundary obfuscation. The defense idea of ONBD originates from an analysis and summary of the decision-based attack process: the correct operation of the two key steps of a decision-based attack depends on sample information near the decision boundary. Therefore, after judging whether a sample is near the decision boundary, only the prediction results of samples near the boundary are randomly confused, which effectively interferes with the decision-based attack process. In the concrete implementation of ONBD, checking the consistency of prediction results is used to determine whether samples are near the decision boundary. The practical scenario in which the model predicts batches of samples is further considered: the proportion of samples in the current batch that are near the decision boundary is used as the probability of confusion, and the prediction results of samples near the decision boundary are randomly transformed. As a result, the prediction results of normal queries in practical scenarios are rarely affected, while the near-boundary predictions requested by a decision-based attacker are confused, greatly interfering with the attack process; this balances the two key indicators of clean-sample recognition accuracy and attack-success-rate reduction.

Experimental results show that on the ImageNet and CIFAR-10 datasets, ONBD's clean-sample recognition accuracy and its defense effect under decision-based attacks built on three different optimization theories are superior to those of the previous best defense method, SND. The results show that ONBD can effectively defend against decision-based black-box attacks with almost no loss of recognition accuracy on clean samples.

Based on this method, this thesis designs and implements a decision-based black-box attack defense system. The system uses the Flask framework and mainly comprises a sample-input preprocessing module, a decision-based black-box attack module, an adversarial defense module, a clean-sample recognition accuracy evaluation module and a model management module. The thesis introduces the structure of the framework and the flow of each functional module in detail. Finally, testing of the decision-based black-box attack defense system verifies that the system can effectively defend against decision-based attacks, demonstrating its availability and effectiveness.
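The abstract describes the ONBD mechanism in three parts: a consistency check on prediction results to decide whether a sample lies near the decision boundary, the near-boundary fraction of the current batch used as the confusion probability, and a random transformation of the labels of flagged samples. The following Python script is an added illustration of that mechanism and is not the thesis's own code. Everything in it is an assumption made for the example: `toy_model` is a constructed two-class linear classifier standing in for the protected network, the consistency check is implemented as label agreement under `n_probe` small Gaussian perturbations of the input (the abstract does not say how ONBD checks consistency), and the two synthetic batches in `simulate` (ordinary queries far from the boundary versus boundary-hugging queries of the kind a decision-based search issues) are constructed inline.

```python
import random
from typing import Callable, List, Optional, Sequence, Tuple

Sample = Sequence[float]
Model = Callable[[Sample], int]


def toy_model(x: Sample) -> int:
    """Constructed stand-in for the protected classifier (assumption, not the
    thesis's model): a two-class linear rule in 2-D, class 1 if x0 + x1 > 0."""
    return 1 if x[0] + x[1] > 0 else 0


def is_near_boundary(model: Model, x: Sample, rng: Optional[random.Random] = None,
                     n_probe: int = 16, sigma: float = 0.05) -> bool:
    """Consistency check (assumed form): query the model on n_probe small
    Gaussian perturbations of x. If any probe's label disagrees with the clean
    label, the sample is close enough to the decision boundary to be flagged.
    n_probe and sigma are example values, not values from the thesis."""
    rng = rng or random.Random(0)
    clean = model(x)
    for _ in range(n_probe):
        probe = [xi + rng.gauss(0.0, sigma) for xi in x]
        if model(probe) != clean:
            return True
    return False


def onbd_predict_batch(model: Model, batch: Sequence[Sample], n_classes: int,
                       rng: Optional[random.Random] = None, n_probe: int = 16,
                       sigma: float = 0.05) -> Tuple[List[int], List[bool], float]:
    """Defended batch prediction in the spirit of ONBD.

    1. Compute the clean label of every sample.
    2. Flag near-boundary samples with the consistency check.
    3. Use the near-boundary fraction of the batch as the confusion probability p.
    4. Replace each flagged sample's label with a random *other* class with
       probability p; unflagged samples are always returned untouched.
    Returns (defended_labels, near_flags, p)."""
    rng = rng or random.Random(0)
    clean = [model(x) for x in batch]
    near = [is_near_boundary(model, x, rng, n_probe, sigma) for x in batch]
    p = sum(near) / len(batch) if batch else 0.0
    defended = []
    for label, flag in zip(clean, near):
        if flag and rng.random() < p:
            others = [c for c in range(n_classes) if c != label]
            defended.append(rng.choice(others))
        else:
            defended.append(label)
    return defended, near, p


def simulate(seed: int = 0, n: int = 64) -> dict:
    """Constructed workload: one batch of ordinary queries with |x0 + x1| >= 1
    (far from the boundary) and one batch of boundary-walk style queries that
    sit exactly on x0 + x1 = 0. Reports the near-boundary fraction p and the
    fraction of labels the defense changed in each batch."""
    rng = random.Random(seed)
    normal = []
    for _ in range(n):
        s = rng.choice([-1.0, 1.0]) * rng.uniform(1.0, 3.0)  # x0 + x1 = s
        u = rng.uniform(-1.0, 1.0)
        normal.append([s / 2 + u, s / 2 - u])
    attack = []
    for _ in range(n):
        a = rng.uniform(-1.0, 1.0)
        attack.append([a, -a])  # x0 + x1 = 0, i.e. on the boundary
    result = {}
    for name, batch in (("normal", normal), ("attacker", attack)):
        clean = [toy_model(x) for x in batch]
        defended, near, p = onbd_predict_batch(toy_model, batch, 2, rng)
        changed = sum(d != c for d, c in zip(defended, clean))
        result[name] = {"near_fraction": p, "changed_fraction": changed / n}
    return result


if __name__ == "__main__":
    for name, stats in simulate().items():
        print(f"{name:9s} near-boundary fraction p = {stats['near_fraction']:.2f}, "
              f"labels changed = {stats['changed_fraction']:.2f}")
```

Running the script shows the trade-off the abstract describes: the batch of ordinary queries has no near-boundary samples, so p is 0 and no label is touched, while the boundary-hugging batch is almost entirely flagged, so p is close to 1 and nearly every returned label is confused. Because p is computed per batch, a lone near-boundary sample mixed into a large batch of normal traffic is confused only rarely, which is the behaviour that keeps clean-sample accuracy high.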
Keywords/Search Tags: deep learning, decision-based attack, adversarial defense, adversarial examples, decision boundary