
Research On Adversarial Example Generation Method For Image Classification Transfer Attack

Posted on: 2023-12-03  Degree: Master  Type: Thesis
Country: China  Candidate: Z M Li  Full Text: PDF
GTID: 2568307025953259  Subject: Electronic information
Abstract/Summary:
Driven by the combination of big data, strong computing power and core algorithms, artificial intelligence based on deep learning has entered a new period of rapid development. Deep neural network models are widely used in face recognition, autonomous driving and other scenarios, where they play a central technical role. However, the existence of adversarial examples exposes significant security risks in the models themselves: a subtle perturbation added to an image is enough to make a powerful image classification model misjudge it. This phenomenon has aroused widespread concern about the security of deep neural networks and has attracted a large number of researchers to study its causes and mechanisms, attack methods, and defense methods. The principles and methods of adversarial attacks are among the fundamental issues: they not only drive technical progress in adversarial defense, but are also routinely used for robustness checking and security testing before image classification models are deployed.

Depending on the attack scenario, adversarial attacks can be classified into white-box attacks and black-box attacks. White-box attacks are carried out when the structure and parameters of the target model are known, and their success rates are already high. Black-box attacks, which are carried out without knowledge of the model's internals, still have lower success rates, but they have wider application and research space because they better match real-world conditions. Currently, black-box attacks mainly comprise two types of method, query-based and transfer-based. Transfer-based black-box attacks do not require a large number of queries to the image classification model, so the attack is more efficient.

This thesis analyzes the problems of low success rate and poor concealment in black-box attacks with adversarial examples. It exploits the transferability of adversarial examples, based on the idea that adversarial examples generated on a known model can transfer to attack an unknown target model of similar structure, and focuses on improving the attack strength and the concealment of the adversarial examples by introducing data augmentation, model augmentation and local optimization, so as to improve their attack performance comprehensively. The main work of the thesis includes the following aspects.

1. Adversarial example generation method based on random translation transformation. To address the "overfitting" of adversarial examples to the input images, and thereby improve the success rate of black-box attacks, this thesis introduces random translation transformation into the generation of adversarial examples: the original image is randomly translated according to a probability model, the gradient of the transformed image is obtained, and over multiple iterations an adversarial perturbation is generated according to the step size and added to the original image. Attack algorithms are designed for two scenarios, and the method is shown to scale well and to be transformable into related attack methods by adjusting hyperparameters. Single-model and ensemble-model attack experiments on the ImageNet dataset verify the effectiveness of the method; the highest black-box attack success rate is 80.1%.

2. Adversarial example generation method based on diverse input strategies. The transfer attack ability of adversarial examples is also related to the classification model. To address the "overfitting" of adversarial examples to the classification model, this thesis first establishes a set of image transformations and applies policy-based combined transformations to the original image. The gradients of the transformed image batch are obtained and their weighted average is taken, and the perturbation is iteratively added to the original image to generate adversarial examples. In a model-equivalent manner, this achieves the effect of multi-model augmentation on a single classification model, which effectively attenuates the overfitting problem and improves the success rate of black-box attacks. The method can also be combined with other methods to form attacks with better performance; among them, the SI-NI-DISM method achieves an 88.4% black-box attack success rate.

3. Adversarial example generation method based on salient region optimization. Current research on adversarial examples usually generates them with global perturbation methods. This process produces a large amount of adversarial noise texture, which is easily detected by the human eye and causes the attack to fail. To solve this problem, this thesis proposes a salient region optimization generation method that uses the semantic characteristics of the image. A saliency map of the original image is generated by salient object detection and then binarized, and the resulting saliency mask is used to confine the adversarial perturbation to the salient region. Meanwhile, the Nadam optimization algorithm is introduced: the gradient of the image's loss function is accumulated and the step size is adjusted dynamically, which stabilizes the update direction of the loss function and accelerates convergence, so that both the concealment of the adversarial attack and the attack success rate remain high. Compared with the baseline method, the MA-NA-SI-TI-DIM method improves the imperceptibility evaluation metric by 27.2%, while the black-box attack success rate also remains at a high level.
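The three ingredients described in the abstract (gradients taken through an input translation, a weighted average of gradients over a set of transformed inputs, and a saliency mask with Nadam-style adaptive steps) fit together in one short procedure. The following is an added example written for this page, not code from the thesis: it uses linear softmax classifiers over a 4x4 grayscale image in pure Python so that it runs without any deep-learning framework. The clean image, the surrogate and "black-box" target weights, the translation set and the saliency mask (which stands in for the binarized salient-object map the thesis obtains from a detector) are all constructed for the example. The thesis's method 1 samples one random translation per iteration under a probability model; this block instead uses the deterministic weighted average over a fixed translation set of method 2, and the Nadam update follows the standard bias-corrected form rather than any thesis-specific variant.

```python
"""Toy transfer attack: translated-input gradients, weighted gradient
averaging over a transformation set, and a saliency-masked Nadam update.
All data below is constructed for this example (4x4 grayscale image)."""
import math

H, W = 4, 4
BETA1, BETA2, ADAM_EPS = 0.9, 0.999, 1e-8


class LinearSoftmax:
    """K-class linear classifier: logits = W x + b, W has one row per class."""

    def __init__(self, weights, bias):
        self.w, self.b = weights, bias

    def logits(self, x):
        return [sum(wk * xi for wk, xi in zip(row, x)) + bk
                for row, bk in zip(self.w, self.b)]

    def predict(self, x):
        z = self.logits(x)
        return max(range(len(z)), key=z.__getitem__)

    def loss_grad(self, x, label):
        """Gradient of the cross-entropy loss with respect to the input pixels:
        dL/dx = sum_k (p_k - y_k) * W_k."""
        z = self.logits(x)
        m = max(z)
        exp = [math.exp(v - m) for v in z]
        p = [e / sum(exp) for e in exp]
        grad = [0.0] * len(x)
        for k, row in enumerate(self.w):
            coeff = p[k] - (1.0 if k == label else 0.0)
            for i, wk in enumerate(row):
                grad[i] += coeff * wk
        return grad


def translate(img, dx, dy):
    """Shift a flat HxW image by (dx, dy) pixels with zero padding."""
    out = [0.0] * (H * W)
    for r in range(H):
        for c in range(W):
            sr, sc = r - dy, c - dx
            if 0 <= sr < H and 0 <= sc < W:
                out[r * W + c] = img[sr * W + sc]
    return out


def averaged_gradient(model, x, label, transforms):
    """Weighted average of input gradients over translated copies of x.
    transforms: (dx, dy, weight) triples. Translation is linear, so the
    gradient w.r.t. the untranslated image is the adjoint shift (-dx, -dy)
    of the gradient computed on the translated image."""
    total = [0.0] * len(x)
    wsum = sum(wt for _, _, wt in transforms)
    for dx, dy, wt in transforms:
        g = translate(model.loss_grad(translate(x, dx, dy), label), -dx, -dy)
        for i, gi in enumerate(g):
            total[i] += wt * gi / wsum
    return total


def masked_nadam_attack(model, x, label, mask, eps, alpha, iters, transforms):
    """Ascend the surrogate's loss with Nadam steps; keep the perturbation
    inside the saliency mask, the L_inf ball of radius eps and [0, 1]."""
    n = len(x)
    x_adv, m, v = list(x), [0.0] * n, [0.0] * n
    for t in range(1, iters + 1):
        g = averaged_gradient(model, x_adv, label, transforms)
        for i in range(n):
            m[i] = BETA1 * m[i] + (1 - BETA1) * g[i]
            v[i] = BETA2 * v[i] + (1 - BETA2) * g[i] * g[i]
            m_hat = m[i] / (1 - BETA1 ** t)
            v_hat = v[i] / (1 - BETA2 ** t)
            # Nadam: Adam scaling applied to the look-ahead momentum
            step = (BETA1 * m_hat + (1 - BETA1) * g[i] / (1 - BETA1 ** t)) \
                / (math.sqrt(v_hat) + ADAM_EPS)
            delta = x_adv[i] + alpha * step * mask[i] - x[i]
            delta = max(-eps, min(eps, delta))            # L_inf projection
            x_adv[i] = max(0.0, min(1.0, x[i] + delta))   # valid pixel range
    return x_adv


# Constructed toy data: bright "object" in the top two rows, dark below.
CLEAN = [0.8] * (2 * W) + [0.2] * (2 * W)
LABEL = 0
_W0 = [1.0] * (2 * W) + [-1.0] * (2 * W)      # surrogate: class 0 = bright top
SURROGATE = LinearSoftmax([_W0, [-w for w in _W0]], [0.0, 0.0])
_T0 = [1.1, 0.7, 1.3, 0.9, 0.8, 1.2, 0.6, 1.0,          # target: same sign
       -0.9, -1.1, -0.7, -1.2, -1.3, -0.8, -1.0, -0.6]  # pattern, other weights
TARGET = LinearSoftmax([_T0, [-w for w in _T0]], [0.3, -0.3])
MASK = [1.0 if (i % W) < 3 else 0.0 for i in range(H * W)]  # "salient" cols 0-2
TRANSFORMS = [(0, 0, 1.0), (-1, 0, 1.0), (1, 0, 1.0)]       # identity + shifts


def run_demo(eps=0.6, alpha=0.15, iters=20):
    """Craft on the surrogate only; the target is consulted just for the final
    prediction. Returns (surrogate_pred, target_pred, max_abs_delta,
    perturbed_outside_mask)."""
    adv = masked_nadam_attack(SURROGATE, CLEAN, LABEL, MASK, eps, alpha, iters,
                              TRANSFORMS)
    delta = [a - c for a, c in zip(adv, CLEAN)]
    leaked = any(d != 0.0 for d, mk in zip(delta, MASK) if mk == 0.0)
    return (SURROGATE.predict(adv), TARGET.predict(adv),
            max(abs(d) for d in delta), leaked)


if __name__ == "__main__":
    print("clean preds (surrogate, target):",
          SURROGATE.predict(CLEAN), TARGET.predict(CLEAN))
    print("adversarial (surrogate, target, max|delta|, leaked):", run_demo())
```

Two details matter when reusing this shape with a real model. First, the gradient of a translated input has to be mapped back to the original pixel grid; with zero-padded shifts the adjoint is simply the opposite shift, which is what `averaged_gradient` does, and a framework with autograd gives the same result by differentiating through the transform. Second, the mask is applied to the update and the perturbation is projected onto the L_inf ball and the valid pixel range at every step, so the output satisfies all three constraints by construction rather than only at the end. The target model is never asked for gradients and is only consulted for its final prediction, which is the transfer check the thesis's black-box setting implies.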
Keywords/Search Tags:Deep Neural Network, Adversarial Example, Transfer Attack, Data Augmentation, Model Augmentation, Salient Optimization