
Research On The Defense Method Of Adversarial Examples Of Deep Neural Networks For Image Classification

Posted on: 2024-03-30
Degree: Master
Type: Thesis
Country: China
Candidate: T X Li
Full Text: PDF
GTID: 2568306944959569
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of computer technology, deep learning has been widely applied in fields such as computer vision and has made breakthrough progress, particularly in image classification tasks. However, research has shown that deep neural networks are vulnerable to adversarial samples. By adding subtle, well-designed malicious perturbations to input samples, attackers can mislead a neural network into making erroneous predictions with high confidence. These adversarial samples are imperceptible to the human eye but pose a severe security threat to deep neural networks, so defending against them has become a hot research topic in the academic community. To address this problem, this thesis studies two defense mechanisms: adversarial sample detection and adversarial perturbation elimination. The main results are as follows.

Firstly, this thesis proposes an adversarial sample detection method based on sentiment analysis. The method exploits the different change trends that clean and adversarial samples exhibit inside the neural network: it maps the series of feature maps produced by the protected image classifier's hidden layers to sentences using a sentence generator, and then extracts subtle emotional features from these sentences with a sentiment analysis model in order to identify adversarial samples. Experimental results show that this method achieves a detection AUC of 94.39% against the EAD attack on the CIFAR-100 dataset, approximately 10% higher than SOTA methods such as PNDetector and BEYOND.

Secondly, this thesis proposes an adversarial perturbation elimination method based on activation calibration. The method identifies the type of attack applied to an adversarial sample using a multi-attack detection classifier and then uses the corresponding image calibrator to remove the adversarial perturbations from the feature maps output by the neural network's hidden layers, re-mapping the adversarial sample's feature maps back to the clean manifold so that the classifier can classify them correctly. Experimental results show that after this method defends against Pixel attacks on the CIFAR-10 dataset, the classification accuracy rises to 91.59%, approximately 15% higher than that of SOTA methods such as FeaDenoise.

Finally, this thesis designs and implements an adversarial sample defense demonstration system based on the two research results above. The system consists of three parts, an adversarial sample generation module, an adversarial sample defense module, and a log module, and provides users with functions for generating adversarial samples, visualizing adversarial perturbations, testing defense performance, and storing and querying logs. The system has passed functional tests of four functions (adversarial sample generation and perturbation visualization, single image testing, batch image testing, and log storage and querying) as well as performance tests of query and defense performance.
Keywords/Search Tags: deep neural network, adversarial examples, adversarial detection, adversarial perturbation elimination