RESEARCH ON THE STABILITY OF NEURAL NETWORKS TRAINED USING COMPETITIVE ATTACK MODELS

Authors

  • O. V. Moiseienko, Ivano-Frankivsk National Technical University of Oil and Gas; Ivano-Frankivsk, Karpatska Str., 15, 76019

DOI:

https://doi.org/10.31471/1993-9981-2024-1(52)-121-128

Keywords:

Adversarial attacks, adversarial training, neural network, machine learning, FGSM, C&W, JSMA, black-box attack.

Abstract

The article provides a detailed analysis of how effective adversarial training is at increasing the resistance of neural networks to adversarial attacks in image recognition tasks. It considers the vulnerability of neural networks, in particular their tendency to misclassify inputs under the influence of adversarial examples crafted specifically to deceive the model. The research aims to develop training methods that increase the resistance of models to various types of attacks while maintaining high classification quality on clean samples. The work found that traditional approaches to network training, focused on countering only one type of attack, are insufficient to ensure the overall robustness of the model. To achieve comprehensive protection, the use of several types of adversarial examples (FGSM, JSMA, C&W) is proposed, which allows the model to form data representations that are more resistant to attacks. To evaluate the effectiveness of the proposed approach, a series of experiments was conducted on the MNIST dataset, which contains 60,000 training and 10,000 test grayscale images. The results showed that adversarial training significantly improves the model's resistance to attacks. In particular, the average classification accuracy across the different attack types increases to 97.48%–97.95%, and the use of data augmentation further increases it to 99.42%. At the same time, unprotected models without data augmentation show higher accuracy only against individual attacks, while their overall robustness remains low. The proposed approach also reduces the average attack efficiency by 29.2% while maintaining high classification accuracy (98.9%) on clean samples. To assess the impact of adversarial training, a combination of metrics was used that accounts not only for classification accuracy but also for the model's robustness to attacks. It was found that adversarial training improves the generalization properties of the model, which reduces its vulnerability to the various malicious inputs created with different attack algorithms.
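As an added illustration of the training scheme the abstract describes (this is not code from the paper): a numpy softmax classifier stands in for the network, FGSM is the attack, and the training loop mixes each clean batch with adversarial copies regenerated against the current weights every epoch. The 16-pixel toy data, the epsilon of 0.1 and all other hyperparameters are constructed here; the `attacks` list is the assumed hook where JSMA or C&W generators with the same signature would be added to train against several attack types at once.

```python
import numpy as np

def softmax(z):
    e = np.exp(z - z.max(axis=1, keepdims=True))
    return e / e.sum(axis=1, keepdims=True)

def loss_and_grads(W, b, X, Y):
    """Mean cross-entropy of a softmax classifier and gradients w.r.t. W, b and the inputs X."""
    P, n = softmax(X @ W + b), X.shape[0]
    loss = -np.log(P[np.arange(n), Y]).mean()
    D = P.copy()
    D[np.arange(n), Y] -= 1.0                             # dL_i/dlogits_i per sample
    return loss, X.T @ D / n, D.mean(axis=0), D @ W.T     # last item: per-sample dL_i/dx_i

def fgsm(W, b, X, Y, eps):
    """FGSM: one step of size eps along sign(dL/dx), clipped back to the [0, 1] pixel range."""
    dX = loss_and_grads(W, b, X, Y)[3]
    return np.clip(X + eps * np.sign(dX), 0.0, 1.0)

def accuracy(W, b, X, Y):
    return float((softmax(X @ W + b).argmax(axis=1) == Y).mean())

def adversarial_train(X, Y, attacks, epochs=200, lr=0.5, seed=0):
    """Full-batch GD on the clean batch plus one adversarial copy per attack, regenerated each epoch."""
    rng = np.random.default_rng(seed)
    W = rng.normal(scale=0.01, size=(X.shape[1], int(Y.max()) + 1))
    b = np.zeros(W.shape[1])
    for _ in range(epochs):
        parts = [X] + [atk(W, b, X, Y) for atk in attacks]   # attacks see the current weights
        Xb, Yb = np.concatenate(parts), np.tile(Y, len(parts))
        _, dW, db, _ = loss_and_grads(W, b, Xb, Yb)
        W, b = W - lr * dW, b - lr * db
    return W, b

def make_data(per_class=30, classes=4, seed=1):
    """Constructed toy 'images': 16 pixels in [0, 1]; class c lights up pixels 4c..4c+3."""
    rng = np.random.default_rng(seed)
    X = rng.uniform(0.0, 0.2, size=(per_class * classes, 16))
    Y = np.repeat(np.arange(classes), per_class)
    for c in range(classes):
        X[Y == c, 4 * c:4 * c + 4] += 0.6
    return np.clip(X, 0.0, 1.0), Y

def compare(eps=0.1):
    """Train once without and once with FGSM examples; report clean and under-attack accuracy."""
    X, Y = make_data()
    out = {}
    for name, attacks in (("clean_trained", []), ("adv_trained", [lambda W, b, X, Y: fgsm(W, b, X, Y, eps)])):
        W, b = adversarial_train(X, Y, attacks)
        out[name] = {"clean_acc": accuracy(W, b, X, Y),
                     "fgsm_acc": accuracy(W, b, fgsm(W, b, X, Y, eps), Y)}
    return out
```

`compare()` returns both models' accuracy on clean inputs and on FGSM inputs generated against that same model, so the drop for the clean-trained model against the adversarially trained one is the quantity the abstract reports as attack efficiency; because the loss is convex in the input for this linear stand-in, an FGSM example never has lower loss than its clean original.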

Published

2024-06-30

How to Cite

Moiseienko, O. V. (2024). RESEARCH ON THE STABILITY OF NEURAL NETWORKS TRAINED USING COMPETITIVE ATTACK MODELS. METHODS AND DEVICES OF QUALITY CONTROL, (1(52)), 121–128. https://doi.org/10.31471/1993-9981-2024-1(52)-121-128

Section

COMPUTER TECHNOLOGIES AND SYSTEMS