
Research On Multiple Defense Method Of Adversarial Examples Based On Randomization

Posted on: 2023-02-20
Degree: Master
Type: Thesis
Country: China
Candidate: S J Li
Full Text: PDF
GTID: 2568307031489164
Subject: Computer Science and Technology
Abstract/Summary:
As a key technology in the field of deep learning, deep neural networks have been widely used in various artificial intelligence systems to meet different task requirements, such as image classification, human pose detection, face recognition, etc. However, research in recent years has shown that deep neural networks are fragile and vulnerable to adversarial examples. The so-called adversarial example refers to an image to which an adversarial perturbation has been added, where the perturbation is carefully crafted and imperceptible to the human eye. Adversarial examples can cause deep neural networks to give incorrect results at inference time, which has led researchers to focus on the security of deep neural networks. Therefore, how to improve the robustness of the network to resist adversarial attacks has become a crucial issue. This thesis studies the characteristics of adversarial examples themselves and, on this basis, proposes a new adversarial defense method so that the deep network model can better resist adversarial examples. The main research work and innovation points of this thesis are as follows:

(1) The thesis proposes a method to measure the transferability of adversarial examples. Previous studies have pointed out that adversarial examples are not only aggressive but also transferable, but the characteristics of their transferability have not been explored. In order to study the aggressiveness and transferability of adversarial examples across different models, a method to measure the transferability of adversarial examples is proposed. In addition, in order to link perturbation strength to visual perception, the structural similarity metric is proposed to re-measure the magnitude of the adversarial perturbation, and on this basis the transferability of adversarial examples is explored when the adversarial perturbation is not readily visible. The experimental results show that adversarial examples have the characteristics of strong aggressiveness and weak transferability.

(2) The thesis proposes a two-phase adversarial defense method. Existing defense methods are studied separately from either a model or a data perspective, but most defenses are limited in effectiveness and lose their defensive capability in white-box settings. To address this, the thesis proposes a two-phase adversarial defense method which takes randomness as its core idea while applying defenses at both the data and model levels: it defends against adversarial attacks through random geometric transformation and random prediction. The former reduces the deceptiveness of adversarial perturbations at the data level, and the latter exploits the weak transferability of adversarial examples at the model level. The experimental results show that the method can effectively improve the adversarial robustness of the network model, and that it retains its defensive ability in the white-box setting.
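As an added example that is not code from the thesis, the following Python sketch shows the two-phase structure the abstract describes: a label-preserving random geometric transform applied to the input (data level), followed by a random choice among an ensemble of models for the prediction (model level), together with a whole-image SSIM score of the kind the abstract uses to relate perturbation magnitude to visibility. The transform set (flip and one-pixel cyclic shift), the nearest-prototype ensemble, the constructed 4x4 images and the global single-window SSIM are all assumptions; the page does not specify which transforms, models or SSIM configuration the thesis uses.

```python
import random

# Added example, not from the thesis: toy two-phase randomized defense plus a
# global SSIM score. Images are lists of rows of floats in [0, 1]; a model is a
# list of flattened class prototypes (nearest-prototype classifier). All
# transforms, model construction and sample images below are assumptions.

SSIM_K1, SSIM_K2 = 0.01, 0.03  # standard SSIM stabilising constants


def _flatten(img):
    return [p for row in img for p in row]


def ssim_global(img_a, img_b, dynamic_range=1.0):
    """SSIM computed over the whole image as one window (no sliding window)."""
    xa, xb = _flatten(img_a), _flatten(img_b)
    n = len(xa)
    mu_a, mu_b = sum(xa) / n, sum(xb) / n
    var_a = sum((p - mu_a) * (p - mu_a) for p in xa) / (n - 1)
    var_b = sum((p - mu_b) * (p - mu_b) for p in xb) / (n - 1)
    cov = sum((a - mu_a) * (b - mu_b) for a, b in zip(xa, xb)) / (n - 1)
    c1 = (SSIM_K1 * dynamic_range) ** 2
    c2 = (SSIM_K2 * dynamic_range) ** 2
    return ((2 * mu_a * mu_b + c1) * (2 * cov + c2)) / (
        (mu_a * mu_a + mu_b * mu_b + c1) * (var_a + var_b + c2))


def random_geometric_transform(img, rng):
    """Phase 1 (data level): one randomly chosen, label-preserving transform.

    Rotations are deliberately left out: for orientation-dependent classes
    they would change the label, which a defense transform must not do."""
    choice = rng.choice(["identity", "hflip", "shift"])
    if choice == "hflip":
        return [row[::-1] for row in img]
    if choice == "shift":  # cyclic shift by at most one pixel in each axis
        dy, dx = rng.randrange(-1, 2), rng.randrange(-1, 2)
        rows = img[-dy:] + img[:-dy] if dy else img
        return [row[-dx:] + row[:-dx] if dx else list(row) for row in rows]
    return [list(row) for row in img]


def make_models(prototypes, n_models, rng, jitter=0.05):
    """Ensemble of nearest-prototype models with independently jittered weights,
    so that the members differ from one another (constructed model diversity)."""
    return [[[p + rng.uniform(-jitter, jitter) for p in _flatten(proto)]
             for proto in prototypes] for _ in range(n_models)]


def predict(model, img):
    """Nearest-prototype decision: argmax of x.p - 0.5*|p|^2 over class prototypes."""
    x = _flatten(img)
    scores = [sum(a * b for a, b in zip(x, proto)) - 0.5 * sum(b * b for b in proto)
              for proto in model]
    return max(range(len(scores)), key=scores.__getitem__)


def defend_and_predict(img, models, rng):
    """Two-phase defense: random transform, then Phase 2 (model level), a model
    drawn at random from the ensemble for this single query."""
    transformed = random_geometric_transform(img, rng)
    return predict(rng.choice(models), transformed)


def build_demo(seed=0):
    """Constructed 4x4 'bright' (class 0) and 'dark' (class 1) images and a
    5-member ensemble; returns the seeded RNG so runs are reproducible."""
    rng = random.Random(seed)
    bright = [[0.9] * 4 for _ in range(4)]
    dark = [[0.1] * 4 for _ in range(4)]
    models = make_models([bright, dark], n_models=5, rng=rng)
    return rng, models, bright, dark


def run_demo(seed=0, queries=20):
    """Check that clean inputs keep their label under every random draw, and
    score a constructed checkerboard perturbation of +/-0.05 with SSIM."""
    rng, models, bright, dark = build_demo(seed)
    bright_ok = all(defend_and_predict(bright, models, rng) == 0 for _ in range(queries))
    dark_ok = all(defend_and_predict(dark, models, rng) == 1 for _ in range(queries))
    perturbed = [[p + 0.05 * (1 if (i + j) % 2 else -1) for j, p in enumerate(row)]
                 for i, row in enumerate(bright)]
    return {
        "clean_labels_stable": bright_ok and dark_ok,
        "ssim_identical": ssim_global(bright, bright),
        "ssim_perturbed": ssim_global(bright, perturbed),
    }


if __name__ == "__main__":
    print(run_demo())
```

The property a defender wants from this structure is the one the abstract states: every transform the first phase can draw must keep the true label (hence no rotations in the toy set), and the ensemble members must differ enough that a perturbation shaped for one member does not carry to the others, which is the weak transferability the second phase relies on. Because both the transform and the model are drawn fresh per query, an attacker with full knowledge of the architecture still does not know which pair will be used, which is why the abstract can claim residual defense in the white-box setting; SSIM against the clean input is the reported way to keep the perturbations under study in the "not readily visible" regime.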
Keywords/Search Tags: adversarial example, transferability, adversarial defence, randomness