This research project evaluated the vulnerability of three pre-trained CNN models (Resnext50_32x4d, DenseNet201, and VGG19) to adversarial attacks, specifically the Fast Gradient Sign Method (FGSM) and the Carlini-Wagner (CW) attack. It also examined the effectiveness of defensive distillation as a defense mechanism against these attacks.
The study began by assessing the baseline classification performance of the models on the Tiny ImageNet dataset, using both top-1 and top-5 accuracy metrics. This provided a benchmark for evaluating the impact of the adversarial attacks.
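The top-1 and top-5 metrics mentioned above can be computed directly from a model's class scores. The snippet below is a minimal sketch using a toy logits matrix in place of a real model's output; the values and the `topk_accuracy` helper are illustrative, not from the study.

```python
import numpy as np

def topk_accuracy(logits, labels, k):
    """Fraction of samples whose true label is among the k highest-scoring classes."""
    # Sort class indices by descending score and keep the first k columns.
    topk = np.argsort(-logits, axis=1)[:, :k]
    hits = np.any(topk == labels[:, None], axis=1)
    return hits.mean()

# Toy example: 3 samples, 4 classes (stand-in for real model logits).
logits = np.array([
    [0.1, 0.7, 0.1, 0.1],   # predicted class 1
    [0.5, 0.2, 0.2, 0.1],   # predicted class 0
    [0.2, 0.2, 0.3, 0.3],   # classes 2 and 3 share the top scores
])
labels = np.array([1, 2, 3])

top1 = topk_accuracy(logits, labels, 1)   # only the single best guess counts
top2 = topk_accuracy(logits, labels, 2)   # true label may be anywhere in the top 2
```

Top-1 error is simply `1 - top1`; the study reports errors rather than accuracies.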
The FGSM attack was then applied to the models, with the perturbation magnitude (epsilon) varied from 1% to 10%. Classification accuracy declined sharply as epsilon increased; the Resnext50_32x4d model showed the worst degradation, reaching a top-1 error of 91.80% and a top-5 error of 61.66% at epsilon = 5%.
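FGSM perturbs the input one step in the direction of the sign of the loss gradient: x_adv = x + eps * sign(dL/dx). The sketch below applies this to a toy linear softmax classifier, where the input gradient has a closed form; the weight matrix `W`, input `x`, and label `y` are illustrative stand-ins for a real network and image, not the study's setup.

```python
import numpy as np

def softmax(z):
    e = np.exp(z - z.max())
    return e / e.sum()

def fgsm(x, y, W, eps):
    """One-step FGSM against a linear model z = W @ x with cross-entropy loss."""
    # For cross-entropy over softmax(W @ x), the input gradient is
    # dL/dx = W.T @ (softmax(z) - onehot(y)).
    p = softmax(W @ x)
    p[y] -= 1.0
    grad = W.T @ p
    return x + eps * np.sign(grad)

rng = np.random.default_rng(0)
W = rng.normal(size=(5, 8))   # 5 classes, 8 input features (toy dimensions)
x = rng.normal(size=8)
y = 2                         # assumed true label
x_adv = fgsm(x, y, W, eps=0.05)
```

Because the perturbation is `eps * sign(grad)`, each feature moves by at most eps, which is why the attack strength is reported as a percentage of the input range.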
Next, the more sophisticated CW attack was evaluated over the same epsilon range of 1% to 10%. The CW attack proved highly effective, degrading the models' performance at least as severely as FGSM; the Resnext50_32x4d model's top-1 and top-5 errors again peaked at 91.80% and 61.66%, respectively, at epsilon = 5%.
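Unlike FGSM's single gradient-sign step, the CW attack solves an optimization problem: minimize the perturbation norm plus a margin-based misclassification term. The sketch below is a heavily simplified untargeted CW-L2 variant, run with plain gradient descent against the same kind of toy linear classifier; the constants `c`, `lr`, and `steps`, and the model itself, are illustrative assumptions rather than the paper's configuration.

```python
import numpy as np

def cw_l2(x, y, W, c=1.0, lr=0.1, steps=100, kappa=0.0):
    """Simplified untargeted CW-L2: minimize ||delta||^2 + c * max(z_y - max_other, -kappa)."""
    delta = np.zeros_like(x)
    for _ in range(steps):
        z = W @ (x + delta)
        # Best competing class (scores with the true class masked out).
        j = int(np.argmax(np.where(np.arange(len(z)) == y, -np.inf, z)))
        margin = z[y] - z[j]
        g = 2.0 * delta                       # gradient of the L2 penalty
        if margin > -kappa:                   # margin term is active
            g = g + c * (W[y] - W[j])
        delta -= lr * g
    return x + delta

rng = np.random.default_rng(0)
W = rng.normal(size=(5, 8))
x = rng.normal(size=8)
y = int(np.argmax(W @ x))      # attack the currently predicted class
x_adv = cw_l2(x, y, W)
```

The real CW attack additionally uses a change-of-variables to keep pixels in range and a binary search over `c`, which is part of why it is both stronger and costlier than FGSM.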
The study then investigated defensive distillation as a countermeasure against the FGSM attack. A ResNet101 teacher was first trained on the CIFAR-10 dataset, and its temperature-softened output probabilities were used to train a smaller Resnext50_32x4d student. This distillation raised the student model's accuracy under the FGSM attack from 0.55 to 0.87.
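The core of defensive distillation is the temperature-scaled softmax: at a high temperature T, the teacher's probability distribution flattens, and the student is trained against these soft targets instead of hard labels. The sketch below shows just that mechanism with illustrative teacher logits and an assumed T = 20; it is not the study's training pipeline.

```python
import numpy as np

def softmax_T(z, T):
    """Softmax at temperature T; large T flattens the distribution."""
    e = np.exp((z - z.max()) / T)
    return e / e.sum()

def distill_loss(student_logits, soft_targets, T):
    """Cross-entropy of the student's tempered output against the teacher's soft targets."""
    p = softmax_T(student_logits, T)
    return -np.sum(soft_targets * np.log(p))

# Illustrative teacher logits for one sample.
teacher_z = np.array([4.0, 1.0, 0.5])
hard_targets = softmax_T(teacher_z, T=1.0)    # near one-hot
soft_targets = softmax_T(teacher_z, T=20.0)   # much flatter; encodes class similarities

# A student is then trained to minimize distill_loss at the same temperature.
student_z = np.array([2.0, 1.0, 0.8])         # hypothetical student logits
loss = distill_loss(student_z, soft_targets, T=20.0)
```

Training on these smoother targets reduces the magnitude of the network's input gradients, which is why distillation blunts gradient-sign attacks like FGSM while, as the next paragraph notes, failing against optimization-based attacks like CW.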
However, defensive distillation was found to be ineffective against the more sophisticated CW attack, failing to improve the model's performance. This highlights the need for more robust defense strategies that can counter advanced adversarial techniques.
In conclusion, the study demonstrates the vulnerability of popular CNN models to adversarial attacks, with the CW attack posing a significant challenge. While defensive distillation showed promise against the FGSM attack, it was unable to effectively mitigate the CW attack. This underscores the importance of developing more comprehensive defense mechanisms to ensure the reliability and security of deep learning systems in critical applications.