Research Of Unknown Adversarial Example Detection Method Based On Reconstructed Differences

Posted on: 2023-12-22
Degree: Master
Type: Thesis
Country: China
Candidate: S Z Zhang
GTID: 2568307031989799
Subject: Computer technology

Abstract/Summary:
Deep neural networks, with their high expressive power, have become one of the machine learning models receiving the most attention in recent years and have been widely used in various fields. However, the vulnerability of deep neural networks to interference from adversarial examples has challenged their reliability for applications in many fields. To protect the security of systems built on deep neural networks, researchers have proposed a series of adversarial example defense methods. Among them, adversarial example detection methods based on reconstruction differences offer deployment flexibility and can be used for real-time defense, but they lack the ability to deal with unknown attacks and are less robust against strong perturbation attacks. The ability to respond to unknown attacks is one of the key factors in measuring the performance of adversarial example detection, as well as of other defense systems. This thesis investigates these issues in an attempt to find an adversarial example detection method that can be flexibly deployed and is capable of defending against unknown attacks. The main studies are as follows:

1. Through experimental analysis, this thesis concludes that the reconstructor's failed reconstruction phenomenon is the reason for the poor performance of existing detection methods against unknown attacks. Since the reconstruction performance of the reconstructor has a decisive impact on the actual defense capability of existing detection methods, this part of the study focuses on evaluating reconstruction performance and on identifying how the reconstructor's failed reconstructions manifest against unknown attacks and what causes them. Since the reconstructor is a denoising autoencoder model, this part presents experiments around the two degradation processes (Gaussian noise and adversarial perturbation) used in the training phase of the reconstructor. The experimental results identified limitations of the two degradation processes, and these problems led the reconstructor to produce failed reconstructions in response to unknown attacks.

2. Building on the first study, this thesis interprets the causes of failed reconstruction from the perspective of the decision regions of deep neural networks, then proposes using a special attack patch to solve the reconstructor's failed reconstruction problem, and thus designs a novel adversarial example detection method. The reconstructor in this method is trained on a training set degraded by a unique attack patch. In the detection phase, a proactive intervention that overlays patches on the input samples lets the poorly performing reconstructor process the input samples after the patches have been added, avoiding direct reconstruction of the input attack examples. These improvements enable the reconstructor to steadily create significant reconstructed differences when reconstructing unknown attack examples, which in turn removes any adverse effect of reconstructor performance issues on the detection rate of the detection method. A series of performance evaluation experiments on the proposed method shows its better generality and stability against unknown attacks, and its robustness against strong perturbation attacks.
Keywords/Search Tags: adversarial example detection, denoising autoencoder, degradation processes, decision space, reconstructed differences