At present, serious security problems have been found in deep neural networks. An attacker can disable the recognition ability of a target model by using pre-generated adversarial perturbation examples. According to whether the internal information of the target model is needed to generate adversarial perturbation examples, adversarial attack methods can be divided into white-box adversarial attacks and black-box adversarial attacks. In existing research on adversarial attacks, black-box adversarial attack research is considered to be the closest to the real environment because of its strict constraints. Under black-box conditions, the internal information of the target model is completely hidden from attackers. Attackers can only use the limited output information of the target model, which completely simulates the attack environment of a realistic scenario. Therefore, research on black-box adversarial attacks has become an important topic in the current development of computer security. However, the mainstream black-box adversarial attack methods still have problems with incomplete information utilization and excessive queries to the target model. To solve these problems, we study and improve the adversarial attack method based on a meta-learning black-box adversarial attack framework, and propose a new black-box adversarial attack model, Simulator Attack+. The main work includes the following three parts:

(1) We prove the correctness and usability of the feature layer information in the initial simulator model. The initial simulator model that we use is obtained by the first-stage meta-learning training of the whole attack. By extracting and visualizing the feature layer information of the initial simulator model, and comparing it with the feature layer information of mainstream recognition models, this research finds that the feature layer of the initial simulator model is already able to focus on the key feature areas in the images. Using this kind of feature area information together with related enhancement modules can improve the information utilization rate and query efficiency of black-box adversarial attacks.

(2) We propose a new black-box adversarial attack model based on meta-learning, Simulator Attack+. This adversarial attack model mainly uses four newly designed modules:
a. Feature attentional boosting module (FABM): following the finding in (1), this module uses the feature layer information of the initial simulator model to enhance the attack effect on related areas and accelerate the generation of the corresponding adversarial perturbation examples.
b. Linear self-adaptive simulator-predict interval mechanism (LSSIM): this module allows the simulator model to fully fine-tune itself in the early stage of the adversarial attack, so as to simulate the black-box model more accurately.
c. Unsupervised clustering module (UCM): this module gives each round of attack a hot start in the case of a targeted black-box adversarial attack, so as to improve the query efficiency.
d. Cosine similarity loss function module (Cos Loss M): this module adds the direction information and vector angle information of the outputs to the measure used for updating the simulator model, so as to adjust the simulator model to be more similar to the black-box target model.

(3) We design an application system based on this meta-learning black-box adversarial attack model, embedding the black-box adversarial attack method in it and providing multiple meta-learning material models for experimenters to choose from. The system integrates the simulator meta-learning training function, the black-box adversarial attack target model selection function, the black-box adversarial attack function and other basic system management functions. The system puts this research into practical application.

The experimental results on the CIFAR-10 and CIFAR-100 datasets clearly show that this meta-learning-based black-box adversarial attack model can effectively reduce the number of queries to the black-box target model, improve the query efficiency, achieve a relatively high attack success rate, and complete the black-box adversarial attack on the corresponding image within an acceptable time period.