
Research On Transferability Of Adversarial Example For Image Classification

Posted on: 2024-06-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y Y Long
Full Text: PDF
GTID: 2568307079959379
Subject: Computer Science and Technology

Abstract/Summary:
In recent years, deep neural networks (DNNs) have made great progress in computer vision and play an important role in fields such as image recognition, face recognition, and autonomous driving. However, a large body of research has shown that there are still many concerns about the stability of neural networks: they are vulnerable to attacks by adversarial examples. To improve the robustness of DNNs, it is therefore necessary to craft adversarial examples that expose as many "blind spots" of DNNs as possible.

In general, adversarial attacks are classified into two types, white-box and black-box. Black-box attacks are the most challenging and the most realistic, because an adversary usually has no access to the deployed DNN. To overcome this limitation, a common practice in black-box attacks is to exploit the inherent cross-model transferability of adversarial examples: the adversary crafts adversarial examples on a substitute model (the white-box model) and then transfers them to the target model (the black-box model).

Transfer-based attacks face two main problems. First, model augmentation methods aim to narrow the gap between the substitute model and the target model, but existing spatial-domain model augmentation does not yield significantly diverse augmented models, which weakens the attack. Second, there are intrinsic robustness differences between normally trained models and defense models equipped with defense mechanisms, which limits the transferability of adversarial examples generated by black-box attack algorithms to defense models. This thesis addresses these issues in two ways:

1. Attacks by frequency-domain model augmentation: To address the shortcomings of spatial-domain model augmentation, this thesis proposes a novel Spectrum Simulation Attack that produces more transferable adversarial examples against both normally trained models and defense models. Specifically, it applies a spectrum transformation to the input and thus performs the model augmentation in the frequency domain. Through theoretical analysis, the thesis finds that the transformation derived in the frequency domain leads to a diverse spectrum saliency map, an indicator proposed to reflect the characteristics of models. This effectively narrows the gap between the substitute model and the target model, and thus improves the transferability of the adversarial examples.

2. Adversarial example generation algorithm based on a robust substitute model: To improve the attack performance of black-box attack algorithms on defense models with defense mechanisms, this thesis analyzes the essential differences between normally trained models and defense models from the perspective of robustness, and then proposes an adversarial example generation algorithm based on a robust substitute model. It uses low-pass filters to make the substitute model more robust, reducing the robustness difference between models so that robust adversarial examples can be generated, which effectively improves the transferability of adversarial examples to defense models.

Extensive experiments verify the effectiveness of the attack algorithms proposed in this thesis, which generate more transferable adversarial examples and thereby help to evaluate the robustness and reliability of models.
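The abstract names the two frequency-domain ingredients only at a high level: a spectrum transformation of the input used as model augmentation, and a low-pass filter applied on the substitute-model side. The following is an added example, not the thesis author's code, that shows in numpy what that machinery looks like: an orthonormal 2-D DCT, a spectrum transformation that adds pixel noise, scales every DCT coefficient by a random mask and inverts, a low-pass filter that zeroes high-frequency DCT coefficients, and a gradient averaged over several spectrum-transformed copies, which is the point where such augmentation plugs into a gradient-based attack step. The uniform mask range rho, the Gaussian noise level sigma, the index-sum cutoff rule, the single sign-gradient step and the 8x8 sample image are all assumptions made for illustration; the thesis's actual parameters and optimizer are not given on this page.

```python
"""Added example: frequency-domain input transformation, low-pass filtering
and gradient averaging with numpy. Not the thesis author's code; the mask
range, noise level, cutoff rule and sign-gradient step are assumptions."""
import numpy as np


def dct_matrix(n: int) -> np.ndarray:
    """Orthonormal DCT-II matrix D, so that D @ D.T == I."""
    k = np.arange(n)[:, None]          # frequency index (rows)
    i = np.arange(n)[None, :]          # sample index (columns)
    d = np.cos(np.pi * (2 * i + 1) * k / (2 * n)) * np.sqrt(2.0 / n)
    d[0, :] = np.sqrt(1.0 / n)         # DC row uses the 1/sqrt(n) scale
    return d


def dct2(x: np.ndarray) -> np.ndarray:
    """2-D DCT of an (h, w) image via separable 1-D transforms."""
    h, w = x.shape
    return dct_matrix(h) @ x @ dct_matrix(w).T


def idct2(y: np.ndarray) -> np.ndarray:
    """Inverse of dct2 (the DCT matrix is orthogonal, so use transposes)."""
    h, w = y.shape
    return dct_matrix(h).T @ y @ dct_matrix(w)


def sample_spectrum_params(shape, rho: float, sigma: float, rng=None):
    """Random per-coefficient mask in [1-rho, 1+rho] plus Gaussian pixel
    noise. This parameterisation is an assumption of the example."""
    rng = np.random.default_rng(0) if rng is None else rng
    mask = rng.uniform(1.0 - rho, 1.0 + rho, size=shape)
    noise = rng.normal(0.0, sigma, size=shape) if sigma > 0 else np.zeros(shape)
    return mask, noise


def spectrum_transform(x, mask, noise):
    """x' = IDCT(mask * DCT(x + noise)): one frequency-domain augmented copy.
    For a fixed mask this map is linear in x and, because the DCT is
    orthogonal and the mask is diagonal, it is symmetric (its own adjoint)."""
    return idct2(mask * dct2(x + noise))


def _low_region(shape, cutoff: int):
    """Boolean mask of DCT indices (k, l) with k + l <= cutoff."""
    h, w = shape
    return (np.arange(h)[:, None] + np.arange(w)[None, :]) <= cutoff


def low_pass_filter(x, cutoff: int):
    """Keep only DCT coefficients inside the low-frequency region."""
    return idct2(dct2(x) * _low_region(x.shape, cutoff))


def high_frequency_energy(x, cutoff: int) -> float:
    """Sum of squared DCT coefficients outside the low-frequency region."""
    return float(np.sum(dct2(x)[~_low_region(x.shape, cutoff)] ** 2))


def augmented_gradient(grad_fn, x, n_copies: int, rho: float, sigma: float,
                       rng=None):
    """Average grad_fn over spectrum-transformed copies of x. Each copy's
    gradient is pulled back to x through the same transform with zero noise,
    which is the adjoint because the transform is symmetric."""
    rng = np.random.default_rng(0) if rng is None else rng
    total = np.zeros_like(x)
    for _ in range(n_copies):
        mask, noise = sample_spectrum_params(x.shape, rho, sigma, rng)
        g = grad_fn(spectrum_transform(x, mask, noise))
        total += spectrum_transform(g, mask, np.zeros_like(x))
    return total / n_copies


def sign_step(grad_fn, x, eps: float, n_copies: int = 8, rho: float = 0.5,
              sigma: float = 16 / 255, rng=None):
    """One L-inf sign-gradient step driven by the augmented gradient (a
    generic transfer-attack step; the thesis's optimizer is not given here)."""
    g = augmented_gradient(grad_fn, x, n_copies, rho, sigma, rng)
    return np.clip(x + eps * np.sign(g), 0.0, 1.0)


def make_sample_image(n: int = 8, checker: float = 0.1) -> np.ndarray:
    """Constructed n x n test image in [0, 1]: a ramp plus a checkerboard."""
    i = np.arange(n)[:, None]
    j = np.arange(n)[None, :]
    ramp = (i + j) / (2.0 * (n - 1))
    board = checker * ((-1.0) ** (i + j))
    return np.clip(0.5 * ramp + 0.25 + board, 0.0, 1.0)


def max_abs_diff(a, b) -> float:
    return float(np.max(np.abs(a - b)))


def adjoint_mismatch(a, b, mask) -> float:
    """|<T a, b> - <a, T b>| for T = spectrum_transform with zero noise."""
    zero = np.zeros_like(a)
    return float(abs(np.sum(spectrum_transform(a, mask, zero) * b)
                     - np.sum(a * spectrum_transform(b, mask, zero))))


if __name__ == "__main__":
    x = make_sample_image()
    mask, noise = sample_spectrum_params(x.shape, rho=0.5, sigma=16 / 255)
    print("DCT round-trip error:", max_abs_diff(idct2(dct2(x)), x))
    print("augmented copy, max pixel change:",
          max_abs_diff(spectrum_transform(x, mask, noise), x))
    print("high-freq energy before / after low-pass:",
          high_frequency_energy(x, 4),
          high_frequency_energy(low_pass_filter(x, 4), 4))
    # constructed stand-in for a substitute model's input gradient
    x_adv = sign_step(lambda z: z - 0.5, x, eps=8 / 255)
    print("adversarial step, L-inf distance:", max_abs_diff(x_adv, x))
```

The gradient pull-back in `augmented_gradient` is what an autograd framework does implicitly when the spectrum transformation sits in front of the model; writing it out makes the dependency on the mask explicit. `low_pass_filter` is the ingredient a robust substitute model would apply to its input: after it, `high_frequency_energy` of the image above the cutoff is zero, so a perturbation that only lived in those coefficients would be discarded before reaching the classifier.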
Keywords/Search Tags:Adversarial Examples, Model Augmentation, Spectrum Saliency Map, Robust Substitute Model