Evaluating the Vulnerability of Image Classification Models to Adversarial Attacks: A Comparative Analysis of FGSM, Carlini-Wagner, and the Effectiveness of Defensive Distillation

Deep neural networks used for image classification are vulnerable to adversarial attacks, which involve subtle manipulations of input data to cause misclassification. This study investigates the impact of FGSM and Carlini-Wagner attacks on three pre-trained CNN models, and examines the effectiveness of defensive distillation as a countermeasure.

This research project aimed to evaluate the vulnerability of three pre-trained CNN models (Resnext50_32x4d, DenseNet201, and VGG19) to adversarial attacks, specifically the FGSM and Carlini-Wagner (CW) approaches. It also explored the effectiveness of defensive distillation as a defense mechanism against these attacks. The study began by assessing the baseline classification performance of the models on the Tiny ImageNet dataset, using both top-1 and top-5 accuracy metrics. This provided a benchmark for evaluating the impact of the adversarial attacks. The FGSM attack was then applied to the models, with the perturbation magnitude (epsilon) varied from 1% to 10%. The results showed a significant decline in classification accuracy as the epsilon value increased, with the Resnext50_32x4d model exhibiting the highest top-1 error of 91.80% and top-5 error of 61.66% at epsilon = 5%. Next, the more sophisticated CW attack was evaluated, again using epsilon values from 1% to 10%. The CW attack proved to be highly effective, causing even greater degradation in the models' performance compared to the FGSM attack. The Resnext50_32x4d model's top-1 and top-5 errors peaked at 91.80% and 61.66%, respectively, at epsilon = 5%. The study then investigated the potential of defensive distillation as a countermeasure against the FGSM attack. A ResNet101 model was first trained on the CIFAR-10 dataset, and its softened probabilities were used to train a smaller Resnext50_32x4d model. This distillation process improved the student model's accuracy from 0.55 to 0.87 when subjected to the FGSM attack. However, defensive distillation was found to be ineffective against the more sophisticated CW attack, failing to improve the model's performance. This highlights the need for more robust defense strategies that can counter advanced adversarial techniques. In conclusion, the study demonstrates the vulnerability of popular CNN models to adversarial attacks, with the CW attack posing a significant challenge. While defensive distillation showed promise against the FGSM attack, it was unable to effectively mitigate the CW attack. This underscores the importance of developing more comprehensive defense mechanisms to ensure the reliability and security of deep learning systems in critical applications.

The top-1 and top-5 error rates (%) for the three models under FGSM and CW attacks at various epsilon values are as follows: FGSM Attack on Resnext50_32x4d: Epsilon = 1%, Top-1 Error = 77.88%, Top-5 Error = 33.82% Epsilon = 5%, Top-1 Error = 91.80%, Top-5 Error = 60.58% CW Attack on Resnext50_32x4d: Epsilon = 1%, Top-1 Error = 77.88%, Top-5 Error = 33.86% Epsilon = 5%, Top-1 Error = 91.80%, Top-5 Error = 60.58%

"Even with the relatively low ε value of 0.02, the impact of the CW attack on the resnext50_32x4d model's performance was substantial. The model's classification accuracy was significantly compromised under this attack." "Defensive distillation did not improve accuracy after the CW attack. Notably, both teacher and student models were trained on the CIFAR-10 dataset, with parameters set under the same conditions as the FGSM attack."