
Research On Attack And Defense Methods Of Image Recognition Model Based On Adversarial Sample

Posted on: 2024-05-31
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Lin
GTID: 2568307130972769
Subject: Computer Science and Technology
Abstract/Summary:
Adversarial example technology has intensified the security risk of deep learning models in practical applications, which has drawn great attention to defense strategies in academia. In technical terms, adversarial attack and defense form a mutual game, and the study of high-quality attacks can serve as a solid foundation for developing more effective defenses. For deep learning models for image classification, current adversarial attack techniques have yet to be studied in depth with respect to success rate and concealment. Meanwhile, the corresponding defense strategies need to be further strengthened to improve the model’s robustness. In this paper, we propose adversarial example generation methods with a high success rate and concealment, and design a defense training method to improve the robustness of models. The primary research contents of the paper include:

(1) An attention mechanism-based adversarial example generation method is proposed. To address the randomness in the success rate of local perturbation attacks, we introduce a spatial attention module to initialize the generation range of the key perturbed pixel set. This provides high-quality initial solutions for generating adversarial examples with the local search algorithm. Meanwhile, the iteration process of the algorithm is optimized to avoid falling into local optima and to improve the success rate of adversarial attacks that perturb the image locally.

(2) An adaptive differential evolution-based adversarial example optimization method is proposed. To overcome the bottleneck in improving the success rate of the one-pixel attack, we adaptively adjust the control parameters and differential strategies of the evolutionary algorithm to generate a variable mutation factor and crossover probability. This satisfies the changing demands on the algorithm's global search capability and local optimization capability at different stages of perturbation optimization, and the attack success rate and concealment are enhanced with very few pixel perturbations to the image.

(3) A triplet loss-based adversarial defense method is proposed. To address the problem of enhancing model robustness through adversarial training, we use adversarial examples and original images to construct adversarial triplets. The triplet loss is then introduced as a regularization term in the optimized adversarial training framework. In this way, the distance between the adversarial examples and the original samples is adjusted and the classification decision boundary of the model is smoothed, which improves the robustness of the model against adversarial attacks.
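The defense in (3) can be sketched as a loss function. This is an added example, not code from the thesis. It assumes each triplet uses an adversarial example's embedding as anchor, its own original image as positive, and the nearest original image of a different class as negative. The squared Euclidean distance, `margin`, `lam`, all function names and the sample embeddings are likewise assumptions constructed for illustration.

```python
import math

def sq_dist(u, v):
    """Squared Euclidean distance between two embedding vectors."""
    return sum((a - b) ** 2 for a, b in zip(u, v))

def cross_entropy(logits, label):
    """Numerically stable softmax cross-entropy for one sample."""
    m = max(logits)
    return m + math.log(sum(math.exp(x - m) for x in logits)) - logits[label]

def build_triplets(adv_emb, clean_emb, labels):
    """Return (anchor, positive, negative) index triples for a batch.
    Assumed construction: anchor i is adversarial example i, the positive is
    its own original image, the negative is the closest original image with
    a different label (the hardest negative in the batch)."""
    triplets = []
    for i, anchor in enumerate(adv_emb):
        others = [j for j, y in enumerate(labels) if y != labels[i]]
        if not others:
            continue  # single-class batch: no negative exists for this anchor
        neg = min(others, key=lambda j: sq_dist(anchor, clean_emb[j]))
        triplets.append((i, i, neg))
    return triplets

def triplet_regularizer(adv_emb, clean_emb, labels, margin=1.0):
    """Mean hinge loss: pull each adversarial embedding toward its original
    and push it at least `margin` further from other-class originals."""
    triplets = build_triplets(adv_emb, clean_emb, labels)
    if not triplets:
        return 0.0
    hinge = [max(0.0, sq_dist(adv_emb[a], clean_emb[p])
                 - sq_dist(adv_emb[a], clean_emb[n]) + margin)
             for a, p, n in triplets]
    return sum(hinge) / len(hinge)

def defense_loss(adv_logits, adv_emb, clean_emb, labels, lam=0.5, margin=1.0):
    """Adversarial-training objective: cross-entropy on adversarial inputs
    plus the triplet term as a regularizer weighted by `lam`."""
    ce = sum(cross_entropy(l, y) for l, y in zip(adv_logits, labels)) / len(labels)
    return ce + lam * triplet_regularizer(adv_emb, clean_emb, labels, margin)

# Constructed sample batch: two classes, 2-D embeddings. Adversarial example 0
# has drifted next to the class-1 original; example 1 stayed near its own.
CLEAN_EMB = [[0.0, 0.0], [4.0, 0.0]]
ADV_EMB = [[3.0, 0.0], [3.5, 0.0]]
LABELS = [0, 1]
ADV_LOGITS = [[0.0, 0.0], [0.0, 0.0]]

if __name__ == "__main__":
    print(defense_loss(ADV_LOGITS, ADV_EMB, CLEAN_EMB, LABELS))
```

Only the drifted example contributes to the regularizer, so during training the gradient of this term pulls exactly the embeddings that crossed toward another class back toward their originals.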
Keywords/Search Tags:Adversarial example, Adversarial attack, Adversarial defense, Image classification model, Deep learning security