Because deep learning is deployed in extremely complex and security-sensitive settings, particularly in finance and healthcare, assuming that the training and prediction environments of a model are independently and identically distributed may lead to unexpected security risks. Researchers have found that deep neural networks that perform well under normal conditions are easily influenced by adversarial examples, which severely hinders the adoption of deep learning in security-sensitive areas. Research on adversarial examples faces two main issues: on the one hand, adversarial examples can be generated in many different ways, so defense methods must account for multiple attack methods to ensure the robustness of the model; on the other hand, the evaluation of a model's adversarial robustness is based primarily on accuracy and lacks quantifiable metrics that draw on other fields. In this study, focusing on image classification tasks, we investigated defense methods against adversarial examples and the evaluation of adversarial robustness, and obtained the following innovative results.

First, we propose a defense method against adversarial examples based on Fourier feature mapping, named Fourier Features Input Transformation. Before training, Fourier feature mapping is applied to each sample that is fed into the neural network, in order to enhance the model's adversarial robustness. Under adversarial conditions, this method maps the input data to data that is easier to classify. Experimental results show that Fourier Features Input Transformation not only strengthens the model's adversarial robustness but also accelerates the convergence of the model.

Second, to further enhance the adversarial robustness of the model, we propose a defense method that combines Fourier Features Input Transformation with adversarial training, named adversarial training based on Fourier feature input transformation. This method first maps the input adversarial examples to Fourier features and then feeds them to the neural network for adversarial training, in order to enhance the model's adversarial robustness. Experimental results show that this method significantly improves the model's accuracy in recognizing adversarial examples, but may lead to a decrease in accuracy when recognizing original examples.

Finally, drawing on concepts from the field of psychophysics, we combine psychophysics with machine learning to propose a metric for evaluating adversarial robustness, called adversarial robustness perception. This metric treats an adversarial example as a type of "stimulus" to the neural network and quantifies the degree of that "stimulus" by calculation, in order to measure the model's adversarial robustness. To compare the adversarial robustness of two models, we only need to compare the adversarial robustness perception of the adversarial examples that cause each model to misclassify. Experimental results show that adversarial robustness perception can evaluate a model's adversarial robustness: the stronger the attack ability of the adversarial examples, the smaller the adversarial robustness perception. Thus, a model's adversarial robustness and its adversarial robustness perception are inversely proportional.
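As an added illustration of the input-transformation step, and not code from this thesis, the following assumes the standard random Fourier feature mapping γ(x) = [cos(2πBx), sin(2πBx)] with Gaussian B, which the text does not spell out; the toy 4×4 image, the ±8/255 perturbation and the scale values are constructed. It shows that the mapping is a fixed, seeded transform placed between the (possibly adversarial) input and the first layer, that its output is bounded regardless of the raw pixel range, and how the scale of B changes the feature-space gap between a clean and a perturbed input.

```python
import math
import random

def make_fourier_basis(in_dim, n_freq, scale=1.0, seed=0):
    """Sample the random frequency matrix B (n_freq x in_dim) with entries
    drawn from N(0, scale^2). The seed is fixed so training and inference use
    the identical mapping; B must be stored alongside the model weights."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, scale) for _ in range(in_dim)] for _ in range(n_freq)]

def fourier_features(x, basis):
    """Map one flattened input x to gamma(x) = [cos(2*pi*Bx), sin(2*pi*Bx)].
    The result has length 2*n_freq and every component lies in [-1, 1]."""
    proj = [2.0 * math.pi * sum(b * v for b, v in zip(row, x)) for row in basis]
    return [math.cos(p) for p in proj] + [math.sin(p) for p in proj]

def transform_batch(batch, basis):
    """Apply the mapping to every sample; this is the step inserted between
    the raw (or adversarial) input and the first layer of the network."""
    return [fourier_features(x, basis) for x in batch]

def l2_distance(a, b):
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))

# Constructed toy data: a 4x4 grayscale patch with pixels in [0, 1], and a
# copy with a constructed +-8/255 perturbation on each pixel (clipped to [0, 1]).
CLEAN = [i / 15.0 for i in range(16)]
EPS = 8.0 / 255.0
PERTURBED = [min(1.0, max(0.0, v + (EPS if i % 2 else -EPS)))
             for i, v in enumerate(CLEAN)]

def demo(scale=1.0, n_freq=32, seed=0):
    """Return (feature length, pixel-space L2 gap, feature-space L2 gap)
    between the clean and perturbed toy inputs for a given frequency scale."""
    basis = make_fourier_basis(len(CLEAN), n_freq, scale, seed)
    feat_clean, feat_pert = transform_batch([CLEAN, PERTURBED], basis)
    return len(feat_clean), l2_distance(CLEAN, PERTURBED), l2_distance(feat_clean, feat_pert)

if __name__ == "__main__":
    for s in (0.5, 1.0, 4.0):
        print("scale", s, "->", demo(scale=s))
```

The scale of B is a tunable hyperparameter of the defense: it sets how far a fixed-budget pixel perturbation moves the mapped input, so it should be chosen on held-out adversarial data rather than fixed blindly.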