Adversarial attack and defense method and system based on prediction correction and stochastic step size optimization

Abstract

The invention discloses an adversarial attack and defense method and system based on prediction correction and stochastic step size optimization. The method comprises the following steps: inputting a training data set and a machine learning model; training a machine learning model according to the input training data set; judging whether the loss function converges or not; if the loss function is not converged, generating an adversarial sample by adopting an adversarial attack based on prediction correction and stochastic step size optimization, and using the adversarial sample and the original data as a training data set to train a machine learning model until the loss function is converged, and obtaining a trained machine learning model; and if the loss function converges, directly outputting a result. The confrontation samples are generated through confrontation attacks, the higher attack success rate can be achieved under the same disturbance constraint limitation, and the method can be used for evaluating the performance of a machine learning model and the effectiveness of a confrontation defense method; the generated adversarial sample carries out adversarial training on the machine learning model, so that various adversarial attacks can be effectively resisted, and the robustness of the model is improved.

Description

technical field [0001] The invention relates to the field of artificial intelligence machine learning, in particular to an adversarial attack and defense method and system based on prediction correction and random step size optimization. Background technique [0002] As deep learning has achieved remarkable results in many fields such as data mining, computer vision, natural language processing, and driverless driving, the robustness and stability of deep neural networks have attracted more and more attention. However, recent studies have confirmed that almost all machine learning models are vulnerable to adversarial examples. Attackers can obtain adversarial samples by adding some small perturbations to the original input samples. The perturbed adversarial samples and the original samples have the same category or attribute in the eyes of human observers, but it will mislead the neural network model to produce wrong predictions. output, which brings serious security issues...

AI Technical Summary

Problems solved by technology

This is mainly caused by two reasons. The first reason is that the complexity and nonlinearity of the deep neural network lead to the addition of perturbations, and the loss value of the generated adversarial samples does not necessarily change strictly along the gradient direction; the second reason It is the step size of each iteration that determines the magnitude of the perturbation, but in practice, neither the fixed step size nor the adaptive step size can guarantee the optimal perturbation magnitude, so that the generated adversarial samples have the largest loss value

Therefore, existing techniques cannot accurately evaluate the robustness of machine learning models and the effectiveness of adversarial defense methods

Images