Research on adversarial attacks in multiple deep neural networks

Abstract

Deep neural networks (DNNs) are widely used for image recognition, speech recognition, intrusion tolerance, natural language processing, and game-playing. The security and safety of neural networks and machine learning receive considerable attention from the security research community. Adversarial examples are presented in image classification

in an evasion attack, images that are transformed slightly can be incorrectly classified by a machine learning classifier, even when the changes are so small that a human cannot easily recognize them. Such an attack can cause a self-driving car to perform an unwanted action, provided a slight change is made to a road sign. Countermeasures against these attacks have been proposed, and subsequently, more advanced attacks were developed to defeat the countermeasures. In this dissertation, we study the adversarial example attack according to recognition purpose in multiple deep neural networks. For example, an adversarial example might be useful, such as when deceiving an enemy classifier on the battlefield. In such a scenario, it is necessary that a friendly classifier not be deceived. In this dissertation, we propose a friend-safe adversarial example, meaning that the friendly machine can classify the adversarial example correctly. To produce such examples, a transformation is carried out to minimize incorrect classifications by the friend and correct classifications by the adversary. We suggest two configurations for the scheme: targeted and untargeted class attacks. We performed experiments with this scheme using the MNIST and CIFAR10 datasets. Our proposed method shows a 100% attack success rate and 100% friend accuracy with only a small distortion: 2.18 and 1.54 for the two respective MNIST configurations, and 49.02 and 27.61 for the two respective CIFAR10 configurations. In addition, my research expanded into selective attack in the field of speech, attack on multiple models, random untargeted attacks, attack on specific areas, selective untargeted attack, and defenses of the adversarial example. My research also extended to CAPTCHA system, face recognition system, backdoor attack, and poisoning attack.