Research On The Adversarial Sample Generation Method Based On The Importance Of Image Regions

Posted on: 2024-09-15
Degree: Master
Type: Thesis
Country: China
Candidate: L Wang
GTID: 2568307109455214
Subject: Cyberspace security

Abstract/Summary:
In recent years, with the rapid development of artificial intelligence, deep learning algorithms have surpassed humans in many respects, and the related technologies and theories are rapidly penetrating all aspects of society. Because of their superior performance, deep learning algorithms are also increasingly applied in security-related scenarios that carry certain risks. The emergence of adversarial samples has raised concerns about the safety and reliability of convolutional neural networks. For images, an adversarial sample is an image with an added perturbation that makes the network model misclassify it with a high confidence level. This makes it necessary to understand and study in depth how adversarial samples are generated and how the attacks work.

According to current research, adversarial sample attacks are divided into white-box and black-box attacks. A white-box attack requires knowledge of the target model's internals and of its dataset, which is a more demanding condition, while a black-box attack needs none of this prior knowledge, only the output of the attack target. In addition, current adversarial sample generation methods mainly apply a global perturbation to the image. Although this can attack the model effectively to a certain extent, too large a perturbation distorts the image or is detected directly by human inspection, while too small a perturbation makes the generated adversarial samples less aggressive. Ensuring stable attack performance while keeping the perturbation invisible is therefore an important issue, and it is the focus of current adversarial sample research.

To address this focus, this paper proposes an adversarial sample generation method based on the importance of image regions. Methods for finding the regions of an image that are important for recognition are analyzed and studied; traditional methods and deep learning-based methods are outlined and compared, and the advantages and disadvantages of each are analyzed. The Grad-CAM algorithm is finally selected as the method for extracting the high-importance regions of images. Where the single-pixel attack method uses the differential evolution algorithm, a visually interpretable class activation map algorithm is used to find the high-importance region the model attends to when recognizing the image, and the search range is reduced from the full image to only the high-importance region. This accelerates the convergence of the algorithm, thus increasing its effectiveness and improving the efficiency of the attack.

On the CIFAR-10 dataset, the method is compared with the original single-pixel attack method using three common network models (VGG16, ResNet18, and DenseNet121) as the target models. With all three target models confirmed to have high recognition accuracy, the method in this paper improves on the attack success rate evaluation index. Compared with the original single-pixel attack method, the accuracy rate and the recall rate are both reduced, and the F1 value, another evaluation index, is also reduced. The comparison of experimental results shows that this method has a certain superiority. On the mini-ImageNet dataset, which has larger images, the method takes less time per iteration than the single-pixel attack method because of the reduced initial search space, and its attack success rate is also higher. These experiments are enough to prove that the method has a good attack effect and that the invisibility of the perturbation is also very good.

The attack method proposed in this paper also has some transferability, i.e., the adversarial samples generated for one model can successfully deceive other models. In the experiments, adversarial samples generated with the VGG16 model achieve a success rate of about 38% when attacking the ResNet18 and DenseNet121 models. Adversarial samples generated with each of the other two models likewise achieve average attack success rates of about 41% and 47% against the remaining two models. These results show that the method benefits from the fact that different classification models pay similar attention to the same image, which makes the attack method proposed in this paper highly transferable.
Keywords/Search Tags:image recognition, adversarial sample, image high importance region, black box attack