The adversarial vulnerability of deep learning models has been discovered in recent years. Adversarial examples, generated by adding carefully crafted, imperceptible perturbations to clean examples, can mislead deep learning models into making erroneous predictions. At the same time, the transferability of adversarial examples enables them to successfully attack unknown models. The existence of adversarial examples has brought great security challenges and more uncertainty to the large-scale application and development of deep learning in security-sensitive fields such as automatic driving, face recognition, and monitoring systems. Therefore, research on defense technology against adversarial examples is very important. However, existing adversarial defense methods generally suffer from problems such as insufficient generalization and difficulty in protecting already-deployed models. The Neural Representation Purifier (NRP), proposed at CVPR, the top conference in the field of computer vision, provides a feasible solution to this problem. Based on self-supervised adversarial training, this method trains an input-processing model that can remove a variety of adversarial perturbations. It has strong adversarial robustness, is independent of the task and label space, and is easy to deploy and use in practice. However, the feature construction and self-supervised sample generation method of this solution are still too simple, and it also reduces task accuracy, so there is still much room for optimization. Therefore, this paper makes improvements in the following three aspects:

(1) From the perspective of model ensembling, a self-supervised adversarial example defense technique based on feature ensembling is proposed. The transferability of the adversarial examples used in adversarial training directly affects the robustness of the defense model. Analysis of experimental results has shown that different feature layers of different models have diverse adversarial transferability. NRP uses only a single intermediate-layer feature of a single pre-trained model, so it is difficult to achieve optimal attack and defense for all models at the same time. Inspired by ensemble learning, this paper analyzes the adversarial transferability of different models through experiments and designs a feature ensemble strategy based on NRP to enrich the intermediate-layer feature information and maximize the distance between adversarial examples and clean examples in the feature space of multiple pre-trained models. An adversarial example training set with better transferability is thereby generated. The final goal is to produce a robust purifier based on feature ensembling, the Feature Ensemble Purifier (FEP). Experimental results have shown that, compared with NRP, FEP further reduces the attack success rate of adversarial examples and is more robust against various attack methods.

(2) From two perspectives, the update process of adversarial examples and the loss function used in training, a diversity-based self-supervised adversarial example defense technique is proposed. On the one hand, data augmentation has been successfully applied to improve the transferability of adversarial example attacks and the image reconstruction ability of super-resolution networks. Inspired by this, a diversity strategy is introduced on the basis of SSP to enlarge the feature-layer differences between adversarial examples and clean examples, thus optimizing the self-supervised adversarial example generation method and improving the transferability of the adversarial examples. On the other hand, using the idea of contrastive learning, the loss function for model training is optimized by reducing the differences between purified examples and clean examples in feature space and widening the diversity gap between adversarial examples and clean examples. Combining these two aspects, the Different Feature Purifier (DFP) is designed. Experimental results have shown that this method can significantly improve defense robustness against adversarial examples while suppressing interference with the task performance of the target model, achieving improvements in both robustness and accuracy.

(3) A web-oriented image adversarial defense system is designed and implemented. Taking the above purifier model as its core, this paper plans the overall system architecture and functional architecture and builds an image adversarial defense prototype system that can be applied in a practical environment, supporting user registration and login, single or batch image purification, generation of adversarial examples, image recognition comparison, image upload and download, and other functions.
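The following is an added toy illustration of the feature-ensemble, label-free perturbation step described in point (1); it is not code from the thesis. The random-weight ReLU layers stand in for intermediate layers of several pre-trained models (an assumption made for self-containment), and the perturbation used to build the purifier's training set is obtained by projected sign-gradient ascent on the summed feature distance across all of them, constrained to an L-infinity ball.

```python
import numpy as np

# Constructed stand-ins for intermediate layers of N_MODELS pre-trained models:
# f_k(x) = relu(W_k x). In the real method these would be CNN feature maps.
rng = np.random.default_rng(0)
DIM, FEAT, N_MODELS = 32, 16, 3
WEIGHTS = [rng.standard_normal((FEAT, DIM)) / np.sqrt(DIM) for _ in range(N_MODELS)]


def features(W, x):
    """Intermediate-layer features of one model (toy single ReLU layer)."""
    return np.maximum(W @ x, 0.0)


def ensemble_feature_distance(x_adv, x_clean, weights=WEIGHTS):
    """Self-supervised objective: squared feature distance summed over all models.
    No labels are involved, which is what keeps the purifier task-independent."""
    return float(sum(np.sum((features(W, x_adv) - features(W, x_clean)) ** 2)
                     for W in weights))


def ensemble_gradient(x_adv, x_clean, weights=WEIGHTS):
    """Analytic gradient of the objective w.r.t. x_adv (chain rule through ReLU)."""
    grad = np.zeros_like(x_adv)
    for W in weights:
        pre = W @ x_adv
        diff = features(W, x_adv) - features(W, x_clean)
        grad += W.T @ (2.0 * diff * (pre > 0))
    return grad


def feature_ensemble_perturb(x_clean, eps=0.05, step=0.01, iters=20, weights=WEIGHTS):
    """Build one training-set adversarial example: ascend the ensemble feature
    distance with sign-gradient steps, projecting back onto the L-inf ball of
    radius eps around x_clean after every step."""
    x_adv = x_clean + rng.uniform(-eps, eps, size=x_clean.shape)  # random start
    for _ in range(iters):
        g = ensemble_gradient(x_adv, x_clean, weights)
        x_adv = x_adv + step * np.sign(g)
        x_adv = np.clip(x_adv, x_clean - eps, x_clean + eps)  # projection
    return x_adv


def demo(eps=0.05):
    """Returns (distance of clean to itself, distance after perturbation,
    largest absolute pixel change) for one constructed input in [0, 1]."""
    x = rng.uniform(0.0, 1.0, size=DIM)
    x_adv = feature_ensemble_perturb(x, eps=eps)
    return (ensemble_feature_distance(x, x),
            ensemble_feature_distance(x_adv, x),
            float(np.max(np.abs(x_adv - x))))
```

The purifier is then trained to map such x_adv back toward x_clean in feature space; the point of the ensemble is that the gap being closed is large for several models' features at once, not just one.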