
Research On Adversarial Attack Method Based On Deep Neural Network

Posted on: 2024-01-23
Degree: Master
Type: Thesis
Country: China
Candidate: J H Li
Full Text: PDF
GTID: 2568307079971869
Subject: Electronic information

Abstract/Summary:
Deep learning techniques have made significant breakthroughs in tasks beyond the reach of traditional machine learning, including image classification, text translation, and speech recognition. With the development of big data technology and computing resources, deep learning has gradually become the primary choice for developing life-critical applications such as face recognition, autonomous driving, and security systems. However, the discovery of adversarial examples exposes the vulnerability of deep learning models and raises questions about their safety. The phenomenon of adversarial examples hinders the application and promotion of deep learning models in practical production, and understanding their generation mechanism is of great significance. Research on adversarial attacks can evaluate the robustness of deep learning models and promote the development of adversarial defenses, which in turn advances adversarial machine learning as a whole.

Black-box attacks are a more complicated attack scenario than white-box attacks. Attackers often exploit the transferability of adversarial examples generated on a substitute white-box model to attack the black-box model. The classical Fast Gradient Sign Method (FGSM) for untargeted attacks is widely used because of its simple and fast computation. However, FGSM tends to overfit to the white-box model, so the adversarial examples it generates have insufficient transferability to the black-box model. In the targeted attack setting, the mainstream practice is to attack an intermediate layer of the model to improve the transferability of the adversarial examples. However, this practice applies pixel-level Euclidean distance on the intermediate feature map, which limits the white-box attack performance of the generated adversarial examples and in turn reduces their transferability. To address the above problems, this thesis gives the corresponding solutions, whose main contents and innovations are as follows:

1) Fast Gradient Sign Method Based on Data Augmentation: The process of generating adversarial examples with the Fast Gradient Sign Method is similar to the process of model training, so this thesis applies techniques for preventing model overfitting and improving model generalization to the adversarial example generation process. A Brightness Invariant Method (BIM), based on the image brightness transformation used in data augmentation, and a Dropout Method (DoM), based on the Dropout technique, are proposed. The experimental results demonstrate that the methods proposed in this thesis enhance the transferability of the generated adversarial examples.

2) Intermediate Layer Targeted Attack Based on Weighted Feature Maps: To address the deficiency of using Euclidean distance to regulate the direction of feature map movement in the mainstream practice, this thesis introduces the gradient-weighted class activation mapping technique from model interpretability into the intermediate layer attack, obtaining weighted feature maps that guide the direction of feature map movement, and proposes a Guided Activation Attack (GAA) method. The experimental results demonstrate that the GAA method can effectively improve the attack performance of the adversarial examples on the black-box model.
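The abstract's central distinction is between white-box success (the FGSM step fools the model it was computed on) and transferability (the same example also fools a different model whose gradients were never used). The following added example, which is not code from the thesis, makes that distinction concrete on a toy scale so a defender can see what a transfer-based robustness evaluation measures. It uses two constructed two-dimensional logistic classifiers with hypothetical weights, a white-box "surrogate" and a separate "target" treated as a black box, computes the one-step FGSM perturbation on the surrogate under an L-infinity budget `eps`, and then counts how often the perturbed inputs are misclassified by each model. The model, dataset, and the names `evaluate_transfer` and `clean_correct` are all assumptions for illustration.

```python
import math

# Constructed toy models: a white-box "surrogate" whose gradient is available to the
# evaluator, and a separate "target" whose internals are treated as unknown.
# Weights are hypothetical, not taken from the thesis. Each model is ((w0, w1), bias)
# for a logistic classifier over 2-D inputs in [0, 1].
SURROGATE = ((2.0, -1.0), 0.0)
TARGET = ((1.5, -1.2), 0.1)

# Constructed evaluation set of (input, label); both models classify all of it correctly.
DATA = [
    ((0.6, 0.5), 1),
    ((0.9, 0.2), 1),
    ((0.2, 0.8), 0),
    ((0.3, 0.9), 0),
    ((0.5, 0.6), 1),
    ((0.1, 0.4), 0),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def logit(model, x):
    (w0, w1), b = model
    return w0 * x[0] + w1 * x[1] + b


def predict(model, x):
    return 1 if logit(model, x) > 0 else 0


def input_gradient(model, x, y):
    """Gradient of the binary cross-entropy loss with respect to the input.

    For a logistic classifier, dL/dx = (sigmoid(z) - y) * w, so the direction of
    each component is fixed by the label and the sign of the corresponding weight.
    """
    (w0, w1), _ = model
    residual = sigmoid(logit(model, x)) - y
    return (residual * w0, residual * w1)


def sign(v):
    return (v > 0) - (v < 0)


def fgsm(model, x, y, eps):
    """One-step FGSM: move every coordinate by eps in the direction that increases
    the loss on `model`, then clip back into the valid input range [0, 1]."""
    g = input_gradient(model, x, y)
    return tuple(min(1.0, max(0.0, xi + eps * sign(gi))) for xi, gi in zip(x, g))


def linf_distance(a, b):
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def clean_correct(model):
    """Number of unperturbed evaluation inputs the model classifies correctly."""
    return sum(predict(model, x) == y for x, y in DATA)


def evaluate_transfer(eps):
    """Craft FGSM examples on the surrogate and score both models on them.

    Returns integer counts so the result is exact:
      surrogate_correct: surrogate still right on the perturbed inputs
      target_correct:    target still right on the perturbed inputs
      fooled_surrogate:  perturbed inputs that fooled the surrogate
      transferred:       of those, how many also fooled the target
    """
    surrogate_correct = target_correct = fooled_surrogate = transferred = 0
    for x, y in DATA:
        x_adv = fgsm(SURROGATE, x, y, eps)
        assert linf_distance(x, x_adv) <= eps + 1e-12  # perturbation budget respected
        s_ok = predict(SURROGATE, x_adv) == y
        t_ok = predict(TARGET, x_adv) == y
        surrogate_correct += s_ok
        target_correct += t_ok
        if not s_ok:
            fooled_surrogate += 1
            transferred += not t_ok
    return {
        "surrogate_correct": surrogate_correct,
        "target_correct": target_correct,
        "fooled_surrogate": fooled_surrogate,
        "transferred": transferred,
        "total": len(DATA),
    }


if __name__ == "__main__":
    for eps in (0.0, 0.2, 0.3):
        r = evaluate_transfer(eps)
        print(f"eps={eps:.1f}: surrogate correct {r['surrogate_correct']}/{r['total']}, "
              f"target correct {r['target_correct']}/{r['total']}, "
              f"fooled surrogate {r['fooled_surrogate']}, of which transferred {r['transferred']}")
```

At `eps=0.2` the two models disagree in both directions: one perturbed input fools the target without fooling the surrogate, and one fools the surrogate without fooling the target, so white-box success on the surrogate is neither necessary nor sufficient for transfer. That gap is what the abstract attributes to FGSM overfitting the white-box model, and it is why a robustness evaluation of a deployed model should report the target's accuracy under transferred examples rather than the surrogate's.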
Keywords/Search Tags: Adversarial Attacks, Fast Gradient Sign Methods, Activation Attack, Model Overfitting, Model Interpretability