CN114091597A - Countermeasure training method, device and equipment based on adaptive group sample disturbance constraint - Google Patents

Publication number
CN114091597A
Authority
CN
China
Prior art keywords
sample
target
disturbance
training
network model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111350578.6A
Other languages
Chinese (zh)
Inventor
王滨
张峰
王星
钱亚冠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Hikvision Digital Technology Co Ltd filed Critical Hangzhou Hikvision Digital Technology Co Ltd
Priority to CN202111350578.6A priority Critical patent/CN114091597A/en
Publication of CN114091597A publication Critical patent/CN114091597A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Abstract

The application provides an adversarial training method, device and equipment based on adaptive group sample disturbance constraints, wherein the method comprises the following steps: inputting the training image to an initial network model to obtain a network output vector and a prediction category corresponding to the training image; if the classification result of the training image is determined to be wrong based on the prediction category and the actual category of the training image, determining the training image as a natural sample image; if the classification result of the training image is determined to be correct based on the prediction category and the actual category, determining a target adaptive group corresponding to the training image based on the network output vector; determining a target disturbance vector corresponding to the training image based on a target sample disturbance constraint corresponding to the target adaptive group, and generating a disturbance sample image based on the target disturbance vector and the training image; and training the initial network model based on the natural sample image and the disturbance sample image to obtain a target network model. With this technical solution, the resistance of the target network model to attack samples is markedly improved.

Description

Countermeasure training method, device and equipment based on adaptive group sample disturbance constraint
Technical Field
The application relates to the technical field of artificial intelligence security, and in particular to an adversarial training method, device and equipment based on adaptive group sample disturbance constraints.
Background
Deep learning is a new research direction in the field of machine learning, introduced to bring machine learning closer to its original goal, namely artificial intelligence. Deep learning learns the intrinsic laws and levels of representation of sample data, and the information obtained in the learning process is very helpful for interpreting data such as text, images and sounds. Its final goal is to give machines an analytical learning capability so that they can recognize data such as text, images and sounds. Deep learning is a complex machine learning algorithm that has achieved remarkable results in fields such as image recognition, voice recognition and natural language processing, and it is therefore widely applied.
When functions such as image recognition, voice recognition and natural language processing are implemented using deep learning, a deep neural network model, for example a CNN (Convolutional Neural Network) model, must first be trained, and the functions are then implemented based on that model. However, in the deep learning field, deep neural network models of all kinds, including CNN models, are highly vulnerable to attack samples. For example, if an attacker adds a small disturbance to an input sample to form an attack sample, the deep neural network model outputs a wrong result with high confidence after the attack sample is input to it, which reduces the reliability of the model. For example, when a deep neural network model is used for image classification, an image is input to the model and the model processes the image to obtain an image classification result. If an attacker adds a small disturbance to the image, the classification result the model produces for the modified image may be wrong.
Disclosure of Invention
The application provides an adversarial training method based on adaptive group sample disturbance constraints, which comprises the following steps:
acquiring a plurality of training images; inputting the training images to an initial network model aiming at each training image to obtain a network output vector and a prediction category corresponding to the training images;
determining the training image as a natural sample image if the classification result of the training image is determined to be wrong based on the prediction type and the actual type of the training image;
if the classification result of the training image is determined to be correct based on the prediction type and the actual type, determining a target adaptive set corresponding to the training image based on the network output vector; determining a target disturbance vector corresponding to the training image based on a target sample disturbance constraint corresponding to the target adaptive set, and generating a disturbance sample image based on the target disturbance vector and the training image;
training the initial network model based on the natural sample images and the disturbance sample images corresponding to the training images to obtain a trained target network model;
the target network model is used for classifying the image to be classified.
The application provides an adversarial training device based on adaptive group sample disturbance constraints, which includes:
an acquisition module for acquiring a plurality of training images; inputting the training images to an initial network model aiming at each training image to obtain a network output vector and a prediction category corresponding to the training images;
a determining module, configured to determine the training image as a natural sample image if the classification result of the training image is determined to be an error based on the prediction class and the actual class of the training image;
if the classification result of the training image is determined to be correct based on the prediction type and the actual type, determining a target adaptive set corresponding to the training image based on the network output vector; determining a target disturbance vector corresponding to the training image based on a target sample disturbance constraint corresponding to the target adaptive set, and generating a disturbance sample image based on the target disturbance vector and the training image;
the training module is used for training the initial network model based on the natural sample images and the disturbance sample images corresponding to the training images to obtain a trained target network model;
the target network model is used for classifying the image to be classified.
The application provides adversarial training equipment based on adaptive group sample perturbation constraints, comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the processor is configured to execute the machine-executable instructions to perform the steps of:
acquiring a plurality of training images; inputting the training images to an initial network model aiming at each training image to obtain a network output vector and a prediction category corresponding to the training images;
determining the training image as a natural sample image if the classification result of the training image is determined to be wrong based on the prediction type and the actual type of the training image;
if the classification result of the training image is determined to be correct based on the prediction type and the actual type, determining a target adaptive set corresponding to the training image based on the network output vector; determining a target disturbance vector corresponding to the training image based on a target sample disturbance constraint corresponding to the target adaptive set, and generating a disturbance sample image based on the target disturbance vector and the training image;
training the initial network model based on the natural sample images and the disturbance sample images corresponding to the training images to obtain a trained target network model;
the target network model is used for classifying the image to be classified.
According to the above technical solution, in the embodiments of the application, when a target network model (such as a deep neural network model) is trained, natural sample images and disturbance sample images are used together, so that the resulting target network model has both higher natural accuracy and a higher robustness level, and its resistance to attack samples is markedly improved. For example, if an attacker adds a small disturbance to an image to form an attack sample, the target network model can still output a correct conclusion after the attack sample is input to it, so the reliability of the target network model is improved: the trained target network model classifies input images carrying small disturbances well and yields accurate classification results. In addition, the disturbance samples used in training the target network model can be divided into a plurality of adaptive groups, each of which corresponds to a uniform sample disturbance constraint. On this basis, the target adaptive group corresponding to a training image is determined, the target disturbance vector corresponding to the training image is determined based on the target sample disturbance constraint corresponding to the target adaptive group, the disturbance sample image is generated based on the target disturbance vector and the training image, and the target network model is then trained using the disturbance sample image.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments of the present application or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to the drawings of the embodiments of the present application.
FIG. 1 is a schematic flow diagram of an adversarial training method based on adaptive group sample perturbation constraints;
FIG. 2 is a schematic flow diagram of an adversarial training method based on adaptive group sample perturbation constraints;
FIG. 3 is a schematic structural diagram of an adversarial training device based on adaptive group sample perturbation constraints;
FIG. 4 is a hardware block diagram of adversarial training equipment based on adaptive group sample perturbation constraints.
Detailed Description
The terminology used in the embodiments of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the embodiments of the present application to describe various information, the information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
In order to improve the resistance of the network model to attack samples, in one possible implementation a training data set may be constructed that includes a plurality of natural samples (e.g., training images), and corresponding adversarial samples (adversarial examples) may be obtained from the natural samples. An adversarial sample is a sample formed by adding a small disturbance to a natural sample that the network model originally classifies correctly, so that the network model outputs a wrong classification result for it. Since the training data set includes both the natural samples and the adversarial samples, the network model is trained with both. Training with the natural samples is natural training of the network model and preserves its classification accuracy on natural samples; training with the adversarial samples is adversarial training of the network model and improves its resistance to attack samples.
In the above method, adversarial samples must be generated from the natural samples. To do so, a fixed sample disturbance constraint is usually set (for example, manually by a user), and each adversarial sample is generated from a natural sample under that constraint. However, all natural samples then share the same sample disturbance constraint, which ignores the differences in how well individual natural samples resist disturbance (for example, natural samples far from the decision boundary of the classifier resist disturbance better). As a result, the adversarial training is inefficient and the robustness of the network model is poor.
In another possible implementation, in order to generate the adversarial samples from the natural samples, a plurality of adaptive groups may be defined, each corresponding to a sample disturbance constraint, and different adaptive groups may correspond to different sample disturbance constraints. On this basis, the adaptive group corresponding to a natural sample is determined, and the corresponding adversarial sample is generated under the sample disturbance constraint of that adaptive group. Such a constraint takes into account the differing resistance of different natural samples and improves the efficiency of adversarial training, so that the resistance of the network model to attack samples is improved while higher natural accuracy is maintained.
The technical solutions of the embodiments of the present application are described below with reference to specific embodiments.
An embodiment of the application provides an adversarial training method based on adaptive group sample disturbance constraints, which can be applied to any device. FIG. 1 is a schematic flow diagram of the method, which includes:
Step 101, obtaining a plurality of training images; and, for each training image, inputting the training image to the initial network model to obtain a network output vector and a prediction category corresponding to the training image.
For example, the training image may be input to a first sub-network of the initial network model, and the feature vector output by the first sub-network may be determined as the network output vector corresponding to the training image. Wherein the initial network model comprises a first sub-network and a second sub-network, the second sub-network comprises a last network layer in the initial network model, and the first sub-network comprises the rest network layers except the last network layer.
Step 102, if the classification result of the training image is determined to be wrong based on the prediction category and the actual category of the training image, determining the training image as a natural sample image.
Step 103, if the classification result of the training image is determined to be correct based on the prediction category and the actual category of the training image, determining a target adaptive group corresponding to the training image based on the network output vector; and determining a target disturbance vector corresponding to the training image based on a target sample disturbance constraint corresponding to the target adaptive group, and generating a disturbance sample image based on the target disturbance vector and the training image.
For example, determining the target adaptive group corresponding to the training image based on the network output vector may include, but is not limited to: determining a target feature value based on the maximum feature values in the network output vectors of all training images whose classification results are correct, and determining at least two adaptive groups based on the target feature value, where each adaptive group corresponds to a feature value interval and different adaptive groups correspond to different feature value intervals; then determining the feature value interval into which the maximum feature value in the network output vector of the training image falls, and determining the adaptive group corresponding to that feature value interval as the target adaptive group corresponding to the training image.
Illustratively, at least two adaptation groups are determined based on the target feature value, including but not limited to: a first adaptation group, a second adaptation group, and a third adaptation group are determined based on the target feature value. The interval start value of the eigenvalue interval corresponding to the first adaptive set is the difference between the target eigenvalue and a preset first threshold (which can be configured empirically), and the interval end value of the eigenvalue interval corresponding to the first adaptive set is the sum of the target eigenvalue and a preset second threshold (which can be configured empirically). The interval end value of the characteristic value interval corresponding to the second adaptive set is the difference between the target characteristic value and a preset first threshold value. The interval starting value of the characteristic value interval corresponding to the third adaptive set is the sum of the target characteristic value and a preset second threshold value.
For example, the target sample perturbation constraint corresponding to the target adaptive group may be determined by methods including, but not limited to, the following: obtaining an initial sample disturbance constraint, determining an initial disturbance vector based on the initial sample disturbance constraint, and generating an initial sample image based on the initial disturbance vector and a training image corresponding to the target adaptive group; inputting the initial sample image to a configured reference network model to obtain a prediction category corresponding to the initial sample image; and, if the classification result of the initial sample image is determined to be wrong based on the prediction category, determining whether the initial sample disturbance constraint meets a search end condition. If it does, the target sample disturbance constraint corresponding to the target adaptive group is determined based on the initial sample disturbance constraint; if it does not, the initial sample disturbance constraint is reduced, and the operation of determining the initial disturbance vector based on the initial sample disturbance constraint is performed again with the reduced constraint.
After the initial sample image is input to the configured reference network model to obtain the prediction type corresponding to the initial sample image, if the classification result of the initial sample image is determined to be correct based on the prediction type, the initial sample disturbance constraint can be increased, and whether the increased initial sample disturbance constraint is greater than the configured sample disturbance constraint maximum value or not is judged. If not, based on the increased initial sample disturbance constraint, returning to execute the operation of determining the initial disturbance vector based on the initial sample disturbance constraint; and if so, determining a target sample disturbance constraint corresponding to the target adaptive set based on the maximum value of the sample disturbance constraint.
Determining a target perturbation vector corresponding to the training image based on the target sample perturbation constraint corresponding to the target adaptation group may include, but is not limited to: determining a perturbation vector interval based on the target sample perturbation constraint corresponding to the target adaptive set; wherein the maximum perturbation vector of the perturbation vector interval is determined based on the target sample perturbation constraint; and determining the perturbation vector in the perturbation vector interval as the target perturbation vector.
Step 104, training the initial network model based on the natural sample images and the disturbance sample images corresponding to the training images to obtain a trained target network model. Illustratively, the target network model is used for classifying an image to be classified; that is, after the image to be classified is input to the target network model, the target network model processes the image to obtain a classification result.
In one possible implementation, the natural sample image may be input to the initial network model, a first feature vector corresponding to the natural sample image is obtained, and the first loss value is determined based on the first feature vector. The disturbance sample image can be input to the initial network model, a second feature vector corresponding to the disturbance sample image is obtained, and a second loss value is determined based on the second feature vector. And then, determining a target loss value based on the first loss value and the second loss value, and adjusting the initial network model based on the target loss value to obtain an adjusted network model. On the basis, if the adjusted network model is converged, determining the adjusted network model as a target network model; and if the adjusted network model is not converged, determining the adjusted network model as the initial network model, and returning to execute the operation of inputting the training image to the initial network model.
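As an added illustration of steps 101 to 103 (not code from the application), the following Python example splits constructed samples into natural and perturbed sets, assigns each correctly classified sample to one of three adaptive groups by its maximum logit, and searches a disturbance constraint per group with the reduce-on-error, increase-on-correct loop described above. Assumptions not stated in the text: a toy linear classifier serves as both the initial and the reference model, the target feature value is the mean of the maximum logits, the disturbance vector is a sign-gradient step, the search moves in fixed units of 0.01, and it ends when the next smaller level is known to leave the reference model correct.

```python
# Added illustration (not the patent's code): steps 101-103 on a toy linear
# classifier. All weights, samples, thresholds and step sizes are constructed.

W = [[1.0, -1.0], [-1.0, 1.0]]   # toy 2-class model; also used as reference model
UNIT = 0.01                      # assumed granularity of the constraint search


def logits(x):
    return [sum(w * v for w, v in zip(row, x)) for row in W]


def predict(x):
    z = logits(x)
    return z.index(max(z))


def perturb(x, y, eps):
    """Sign-gradient step of size eps that lowers the margin of class y
    (an assumed generator; the text does not fix how the vector is built)."""
    other = 1 - y
    grad = [W[other][i] - W[y][i] for i in range(len(x))]
    return [xi + eps * ((g > 0) - (g < 0)) for xi, g in zip(x, grad)]


def make_grouper(max_logits, th1, th2):
    """Three groups around a target value (assumed: mean of the max logits)."""
    target = sum(max_logits) / len(max_logits)
    lo, hi = target - th1, target + th2

    def group_of(m):
        if m < lo:
            return 2      # second group: interval ends at target - th1
        if m > hi:
            return 3      # third group: interval starts at target + th2
        return 1          # first group: [target - th1, target + th2]
    return group_of


def search_constraint(x, y, k0=5, k_max=30):
    """Search the constraint in integer multiples of UNIT, following the
    reduce-on-error / increase-on-correct loop. Assumed end condition: the
    next smaller level is known to leave the reference model correct."""
    k, lower = k0, None           # lower = largest level seen that did not fool
    while True:
        fooled = predict(perturb(x, y, k * UNIT)) != y
        if fooled:
            if lower is not None and k - lower == 1:
                return k * UNIT   # end condition met
            k -= 1                # reduce the constraint and retry
        else:
            lower = k
            k += 1                # increase the constraint
            if k > k_max:         # cap at the configured maximum
                return k_max * UNIT


def build_batch(samples, th1=0.15, th2=0.15):
    """Split into natural samples (misclassified) and perturbed samples."""
    natural, correct = [], []
    for x, y in samples:
        (correct if predict(x) == y else natural).append((x, y))
    group_of = make_grouper([max(logits(x)) for x, _ in correct], th1, th2)
    eps_by_group, perturbed = {}, []
    for x, y in correct:
        g = group_of(max(logits(x)))
        if g not in eps_by_group:   # assumed: first member sets the group's eps
            eps_by_group[g] = search_constraint(x, y)
        perturbed.append((perturb(x, y, eps_by_group[g]), y, g))
    return natural, perturbed, eps_by_group


# Constructed samples: (features, actual class)
SAMPLES = [
    ([0.53, 0.48], 0),   # small margin
    ([0.61, 0.40], 0),   # medium margin
    ([0.30, 0.51], 1),   # medium margin
    ([0.95, 0.10], 0),   # large margin
    ([0.40, 0.45], 0),   # misclassified -> stays a natural sample
]

if __name__ == "__main__":
    natural, perturbed, eps_by_group = build_batch(SAMPLES)
    print("natural:", natural)
    print("eps per group:", eps_by_group)
```

On this data the small-margin group receives the smallest constraint, while the large-margin group is capped at the configured maximum because the reference model is never fooled within it.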
According to the above technical solution, in the embodiments of the application, when a target network model (such as a deep neural network model) is trained, natural sample images and disturbance sample images are used together, so that the resulting target network model has both higher natural accuracy and a higher robustness level, and its resistance to attack samples is markedly improved. For example, if an attacker adds a small disturbance to an image to form an attack sample, the target network model can still output a correct conclusion after the attack sample is input to it, so the reliability of the target network model is improved: the trained target network model classifies input images carrying small disturbances well and yields accurate classification results. In addition, the disturbance samples used in training the target network model can be divided into a plurality of adaptive groups, each of which corresponds to a uniform sample disturbance constraint. On this basis, the target adaptive group corresponding to a training image is determined, the target disturbance vector corresponding to the training image is determined based on the target sample disturbance constraint corresponding to the target adaptive group, the disturbance sample image is generated based on the target disturbance vector and the training image, and the target network model is then trained using the disturbance sample image.
The adversarial training method based on adaptive group sample perturbation constraints is described below with reference to specific embodiments. FIG. 2 is a schematic flowchart of the method in an embodiment of the present application, and the method may include the following steps:
Step 201, a training data set is obtained, where the training data set includes a plurality of natural samples. The natural samples may be image samples or other types of samples, which is not limited here. Taking image samples as an example in what follows, the natural samples in the training data set are called training images; that is, the training data set includes a plurality of training images.
Step 202, aiming at each training image in the training data set, inputting the training image to the initial network model to obtain a network output vector and a prediction category corresponding to the training image.
For example, a network model may be preconfigured as an initial network model, and a structure of the initial network model is not limited, the initial network model may be a network model using a deep learning algorithm (e.g., a deep neural network model), or a network model using other machine learning algorithms, and a type of the initial network model is not limited, for example, the initial network model may be a CNN model, an RNN (recurrent neural network) model, or a fully-connected network model. The initial network model may be used to implement a classification function, i.e. to identify the class of the target object in the image, without limiting the functionality of this initial network model.
The initial network model may be an untrained network model, and the initial network model may be trained using a training data set, for which training process, reference may be made to the following embodiments.
The initial network model may include a plurality of network layers, which may include, but are not limited to, a convolutional layer (Conv), a pooling layer (Pool), an activation layer, a fully connected layer (FC), etc.; the type of network layer is not limited. Based on this, all network layers of the initial network model may be divided into a first sub-network and a second sub-network, the second sub-network including the last network layer in the initial network model and the first sub-network including the remaining network layers. For example, if the initial network model includes M network layers, the second sub-network includes the M-th network layer, and the first sub-network includes the 1st to the (M-1)-th network layers. If M is 5, the first sub-network includes the 1st network layer (denoted as network layer a1), the 2nd network layer (denoted as network layer a2), the 3rd network layer (denoted as network layer a3), and the 4th network layer (denoted as network layer a4), and the second sub-network includes the 5th network layer (denoted as network layer a5).
For example, for each training image in the training data set, the training image may be input to the initial network model, and a network output vector and a prediction class corresponding to the training image may be obtained. For example, the training image is input to a first sub-network of the initial network model, and the feature vector output by the first sub-network is determined as the network output vector corresponding to the training image. And determining a prediction class corresponding to the training image based on the network output vector. For example, if the initial network model is used to identify 10 categories, the network output vector may correspond to 10 probability values, where the 10 probability values correspond to 10 categories, and the category with the highest probability value is used as the prediction category corresponding to the training image, which is not limited in this process.
For example, each training image is input to the network layer a1 of the initial network model, which processes it to obtain a feature vector b1. The feature vector b1 is input to the network layer a2, which processes it to obtain a feature vector b2; b2 is input to the network layer a3 to obtain a feature vector b3; and b3 is input to the network layer a4 to obtain a feature vector b4. The feature vector b4 is used as the network output vector corresponding to the training image. After the feature vector b4 is obtained, the prediction class corresponding to the training image can be determined based on b4.
In summary, for each training image in the training data set, after the training image is input to the initial network model, the network output vector and the prediction class corresponding to the training image can be obtained.
Exemplarily, can define
Figure BDA0003355701520000091
Is an initial network model with a parameter theta, which can be expressed as
Figure BDA0003355701520000092
The feature vector (Logit) of the second to last layer output of the initial network model is recorded as
Figure BDA0003355701520000093
This feature vector (Logit) is referred to herein as the network output vector. Based on the feature vector output by the second-to-last layer of the initial network model, the network output vector and the prediction class corresponding to the training image can be obtained. In summary, after the training image is input to the initial network model, the network output vector and the prediction class corresponding to the training image can be obtained.
Step 203, for each training image in the training data set, the training image may correspond to an actual class (a calibration class of the training image, which is a real class of the training image) and a prediction class (a class obtained by inputting the training image to the initial network model), and if the classification result of the training image is determined to be wrong based on the prediction class and the actual class, that is, the prediction class is different from the actual class, the training image is stored in the first subset. And if the classification result of the training image is determined to be correct based on the prediction type and the actual type, namely the prediction type is the same as the actual type, storing the training image to a second subset.
In summary, it can be seen that for all training images in the training data set, part of the training images may be stored in the first subset, and the rest of the training images may be stored in the second subset. For example, the training data set includes training images c 1-c 10, training images c 1-c 6 are stored in a first subset (the first subset is used for storing the training images with the wrong classification result), and training images c 7-c 10 are stored in a second subset (the second subset is used for storing the training images with the correct classification result).
For example, for the training images in the first subset, it is not necessary to generate an adversarial sample corresponding to the training images, and the initial network model may be trained based on the training images themselves. For the training images in the second subset, an adversarial sample corresponding to each training image needs to be generated, and the initial network model may be trained based on the adversarial sample; for convenience of distinction, the adversarial sample is referred to as a disturbance sample image.
Step 204, for each training image in the second subset, the network output vector corresponding to the training image may include a plurality of feature values; the largest feature value (denoted as z_max) is selected from all feature values of the network output vector, and a target feature value is determined based on the largest feature values of all network output vectors.
In one possible embodiment, the network output vector comprises a plurality of feature values (also called element values); e.g., if the network output vector is a matrix of m × n dimensions, each value in the matrix is called a feature value. For each training image in the second subset, the maximum feature value is selected from all feature values of the network output vector corresponding to the training image. For example, the maximum feature value d1 is selected from all feature values of the network output vector corresponding to the training image c7, the maximum feature value d2 from those corresponding to the training image c8, the maximum feature value d3 from those corresponding to the training image c9, and the maximum feature value d4 from those corresponding to the training image c10. The target feature value is determined based on the maximum feature values d1, d2, d3 and d4. For example, the average value of the 4 maximum feature values is set as the target feature value, or the maximum value of the 4 maximum feature values is set as the target feature value, or the minimum value of the 4 maximum feature values is set as the target feature value, which is not limited.
Step 205, determining at least two adaptive sets based on the target feature value, where each adaptive set corresponds to one feature value interval (the range of the feature value interval may be determined based on the target feature value), and the feature value intervals corresponding to different adaptive sets are different, that is, the adaptive sets and the feature value intervals correspond one to one.
For example, a first adaptation group and a second adaptation group may be determined based on the target feature value, the first adaptation group corresponding to the feature value interval e1 and the second adaptation group corresponding to the feature value interval e2. The interval end value of e1 is the target feature value (hereinafter referred to as d), and the interval start value of e1 may be 0 or −∞, that is, e1 = (−∞, d). The interval start value of e2 is the target feature value d, and the interval end value of e2 may be +∞, i.e., e2 = [d, +∞).
For another example, based on the target feature value, a first adaptation group, a second adaptation group, and a third adaptation group may be determined, where the first adaptation group may correspond to the feature value interval e3, the second adaptation group to the feature value interval e4, and the third adaptation group to the feature value interval e5. The interval start value of e3 may be the difference between the target feature value d and a preset first threshold (which may be configured empirically and is denoted as f1, where f1 is a positive number), and the interval end value of e3 may be the sum of the target feature value d and a preset second threshold (which may be configured empirically and is denoted as f2, where f2 is a positive number, and f2 and f1 may be the same or different), that is, e3 = [d − f1, d + f2]. The interval end value of e4 may be the difference between the target feature value d and the preset first threshold, and the interval start value of e4 may be 0 or −∞, i.e., e4 = (−∞, d − f1). The interval start value of e5 may be the sum of the target feature value d and the preset second threshold, and the interval end value of e5 may be +∞, i.e., e5 = (d + f2, +∞).
In summary, the training images correctly classified by the initial network model can be selected and the frequency distribution of their z_max obtained; this distribution is found to approximately follow a normal distribution. The training images whose z_max lies around the mean of z_max (i.e., the target feature value d) are grouped into one group (the first adaptive group), the training images whose z_max is below the mean are grouped into one group (the second adaptive group), and the training images whose z_max is above the mean are grouped into one group (the third adaptive group).
For another example, based on the target feature value, 4 adaptation groups may be determined: the feature value interval corresponding to the 1st adaptation group is [d − f1, d + f2], the feature value interval corresponding to the 2nd adaptation group is (−∞, d − f1), the feature value interval corresponding to the 3rd adaptation group is (d + f2, d + f2 + f3), and the feature value interval corresponding to the 4th adaptation group is (d + f2 + f3, +∞).
Step 206, determining the sample disturbance constraint corresponding to each adaptive group.
For example, since the sample perturbation constraint corresponding to each adaptation group is determined in the same manner, in the following embodiments, the determination process of the sample perturbation constraint corresponding to one adaptation group is taken as an example.
For step 206, the sample perturbation constraint corresponding to the adaptive set may be determined by:
Step 2061, obtaining an initial sample disturbance constraint, which may be configured arbitrarily according to experience. For example, a sample disturbance constraint interval [ε_l, ε_r] is initialized, where ε_l represents the minimum value of the sample disturbance constraint interval and ε_r represents the maximum value of the sample disturbance constraint interval; both can be configured empirically, which is not limited, as long as ε_l is less than ε_r. ε_r can then be used as the initial sample disturbance constraint.
Step 2062, determining an initial disturbance vector based on the initial sample disturbance constraint. For example, a perturbation vector interval is determined based on the initial sample perturbation constraint, the maximum perturbation vector of the perturbation vector interval is determined based on the initial sample perturbation constraint, and the perturbation vector in the perturbation vector interval is determined as the initial perturbation vector. It should be noted that the initial perturbation vector may include a plurality of perturbation values, that is, for each pixel point of the image, one perturbation value corresponds to, and the perturbation values corresponding to different pixel points may be the same or different, but the perturbation value corresponding to each pixel point needs to be located in the perturbation vector interval.
For example, the perturbation vector interval may be [−ε_r, ε_r], which is not limited, as long as the maximum perturbation vector of the perturbation vector interval is the initial sample perturbation constraint ε_r. After the perturbation vector interval is obtained, any perturbation vector in the interval may be determined as the initial perturbation vector, which is not limited, as long as the initial perturbation vector is located in the perturbation vector interval. For example, a perturbation vector is randomly selected from the perturbation vector interval [−ε_r, ε_r] and used as the initial perturbation vector. It should be noted that when the initial perturbation vector is randomly selected from [−ε_r, ε_r], a plurality of perturbation values need to be randomly selected, that is, each pixel point corresponds to one perturbation value, and every perturbation value needs to be located in the perturbation vector interval [−ε_r, ε_r].
Step 2063, generating an initial sample image based on the initial disturbance vector and the training image corresponding to the adaptive set.
For example, assume that a first adaptive set, a second adaptive set, and a third adaptive set are divided. When determining the sample perturbation constraint corresponding to the first adaptive set (the first adaptive set is taken as an example; the second and third adaptive sets are handled similarly), for each training image in the second subset, the maximum feature value z_max is selected from all feature values of the network output vector corresponding to the training image. If z_max is in the feature value interval e3 corresponding to the first adaptive set, the training image is divided into the first adaptive set; if z_max is not in the feature value interval e3, the training image is not divided into the first adaptive set. In summary, the training images (there may be a plurality) corresponding to the first adaptive set can be obtained; the training image c7 corresponding to the first adaptive set is taken as an example below.
Based on the initial perturbation vector corresponding to the first adaptation group and the training image c7 corresponding to the first adaptation group, an initial sample image c7 ' corresponding to the training image c7 may be generated, for example, the initial perturbation vector is added on the basis of the training image c7 to obtain an initial sample image c7 ', that is, the initial perturbation vector is added on the basis of the pixel value of each pixel point of the training image c7 to obtain an initial sample image c7 '.
The initial disturbance vector comprises a plurality of disturbance values, namely each pixel point corresponds to one disturbance value, and the disturbance value corresponding to the pixel point is added on the basis of the pixel value of the pixel point aiming at each pixel point.
Step 2064, inputting the initial sample image to the configured reference network model (i.e. the reference network model configured according to experience), and obtaining the prediction type corresponding to the initial sample image.
Illustratively, in determining the sample perturbation constraints corresponding to the adaptation groups, the reference network model is used to provide the prediction classes corresponding to the initial sample images. In the process of determining the sample disturbance constraint, the reference network model remains unchanged, i.e., the reference network model does not need to be trained.
For example, the structure of the reference network model may be the same as the structure of the initial network model, the function of the reference network model may be the same as the function of the initial network model, and the parameter values in the reference network model may be different from the parameter values in the initial network model.
For example, after the initial sample image is input to the reference network model, the reference network model may process the initial sample image and obtain a prediction type corresponding to the initial sample image, and an obtaining manner of the prediction type may refer to step 202, which is not repeated herein.
Step 2065, determining whether the classification result of the initial sample image is an error based on the prediction class corresponding to the initial sample image and the actual class corresponding to the initial sample image.
If so, i.e., the prediction class corresponding to the initial sample image is different from the actual class corresponding to the initial sample image, step 2066 is executed. If not, that is, the prediction class corresponding to the initial sample image is the same as the actual class corresponding to the initial sample image, step 2069 is executed.
Step 2066, if the classification result of the initial sample image is wrong, determining whether the initial sample disturbance constraint meets the search end condition. If so, step 2067 is performed, and if not, step 2068 is performed.
Step 2067, determining a sample disturbance constraint corresponding to the initial sample image based on the initial sample disturbance constraint, for example, using the initial sample disturbance constraint as the sample disturbance constraint corresponding to the initial sample image.
Step 2068, reducing the initial sample disturbance constraint and returning to step 2062 with the reduced initial sample disturbance constraint; when step 2062 is executed again, the initial disturbance vector is determined based on the reduced initial sample disturbance constraint.
For steps 2066 to 2068, it may be determined whether the search end condition has been satisfied. The search end condition may be configured empirically and is not limited; for example, the search end condition may be: the difference between the maximum value ε_r of the sample disturbance constraint interval (i.e., the initial sample perturbation constraint ε_r) and the minimum value ε_l of the sample disturbance constraint interval is less than or equal to a preset threshold γ, i.e., ε_r − ε_l ≤ γ. Of course, the search end condition may be another condition as well, which is not limited. On this basis, if the difference between ε_r and ε_l is less than or equal to γ, the initial sample perturbation constraint ε_r is taken as the sample perturbation constraint corresponding to the initial sample image. If the difference between ε_r and ε_l is greater than γ, the initial sample perturbation constraint ε_r is reduced, i.e., ε_r of the sample perturbation constraint interval [ε_l, ε_r] is reduced, and the reduced ε_r is taken as the updated initial sample disturbance constraint, i.e., the sample disturbance constraint interval is updated.
Based on the reduced initial sample disturbance constraint ε_r, the process returns to steps 2062 to 2065. In step 2065, if the classification result of the initial sample image is wrong, it is determined whether the difference between ε_r and ε_l is less than or equal to γ; if so, ε_r is taken as the sample perturbation constraint corresponding to the initial sample image, and if the difference is greater than γ, the initial sample perturbation constraint ε_r is reduced again, and so on. In the above process, ε_r refers to the reduced initial sample perturbation constraint and ε_l is the minimum value of the sample perturbation constraint interval. Obviously, the above process continuously reduces ε_r while ε_l remains unchanged, i.e., the difference between ε_r and ε_l becomes smaller and smaller until ε_r − ε_l ≤ γ.
Illustratively, when reducing the initial sample perturbation constraint ε_r, bisection can be adopted, i.e., the reduced initial sample perturbation constraint ε_r is half of the initial sample perturbation constraint before the reduction. Of course, the initial sample perturbation constraint ε_r may also be reduced in other ways, which is not limited.
Step 2069, if the classification result of the initial sample image is correct, increasing the initial sample disturbance constraint, and determining whether the increased initial sample disturbance constraint is greater than the maximum value of the configured sample disturbance constraint (which can be configured according to experience). If not, returning to execute step 2062 based on the increased initial sample disturbance constraint, and when step 2062 is executed again, determining an initial disturbance vector based on the increased initial sample disturbance constraint. If so, determining the sample perturbation constraint corresponding to the initial sample image based on the maximum value of the sample perturbation constraint, for example, taking the maximum value of the sample perturbation constraint as the sample perturbation constraint corresponding to the initial sample image.
For step 2069, the initial sample perturbation constraint ε_r may be increased, i.e., ε_r of the sample perturbation constraint interval [ε_l, ε_r] is increased, and the increased ε_r is taken as the updated initial sample disturbance constraint, i.e., the sample disturbance constraint interval is updated. In addition, ε_l of the sample perturbation constraint interval [ε_l, ε_r] can also be increased and the interval updated with the increased ε_l, that is, both ε_l and ε_r of the sample disturbance constraint interval [ε_l, ε_r] are increased.
For example, when increasing the initial sample perturbation constraint ε_r, the following manner may be adopted:
Figure BDA0003355701520000151
Figure BDA0003355701520000152
is a value configured empirically and can be a positive number, i.e., on the basis of the initial sample perturbation constraint ε_r, the value
Figure BDA0003355701520000153
is added to obtain the increased initial sample disturbance constraint ε_r. When increasing ε_l of the sample disturbance constraint interval [ε_l, ε_r], the following manner may be adopted:
Figure BDA0003355701520000154
Figure BDA0003355701520000155
is a value configured empirically and can be positive, i.e., on the basis of ε_l, the value
Figure BDA0003355701520000156
is added to obtain the increased ε_l. In the above process, the value
Figure BDA0003355701520000157
and the value
Figure BDA0003355701520000158
may be the same or different; this embodiment takes the case where the value
Figure BDA0003355701520000159
and the value
Figure BDA00033557015200001510
are the same as an example. Of course, the initial sample perturbation constraint ε_r may also be increased in other ways, which is not limited.
In practical applications, in order to prevent the initial sample perturbation constraint ε_r from being too large, the range of [ε_l, ε_r] can also be continuously reduced by continuously updating ε_l ← (ε_l + ε_r)/2 or ε_r ← (ε_l + ε_r)/2.
It can be judged whether the increased initial sample disturbance constraint ε_r is greater than the maximum value of the sample perturbation constraint; if so, the maximum value of the sample perturbation constraint is taken as the sample perturbation constraint corresponding to the initial sample image. If not, the process returns to steps 2062 to 2065 based on the increased initial sample disturbance constraint ε_r. In step 2065, if the classification result of the initial sample image is correct, the initial sample disturbance constraint ε_r continues to be increased, and so on, until the increased initial sample perturbation constraint ε_r is greater than the maximum value of the sample perturbation constraint, or until the classification result of the initial sample image obtained with the increased initial sample perturbation constraint ε_r is found to be wrong, in which case steps 2066 to 2068 are executed. Finally, the sample disturbance constraint corresponding to the initial sample image is obtained.
To sum up, for each training image corresponding to the first adaptive set, steps 2061 to 2069 may be adopted to obtain a sample disturbance constraint corresponding to the initial sample image corresponding to the training image, and based on the sample disturbance constraint corresponding to the training image corresponding to the first adaptive set, the sample disturbance constraint corresponding to the first adaptive set may be obtained. For example, the average value of the sample perturbation constraints corresponding to the training images corresponding to the first adaptive set is used as the sample perturbation constraints corresponding to the first adaptive set, or the maximum value of the sample perturbation constraints corresponding to the training images corresponding to the first adaptive set is used as the sample perturbation constraints corresponding to the first adaptive set, or the minimum value of the sample perturbation constraints corresponding to the training images corresponding to the first adaptive set is used as the sample perturbation constraints corresponding to the first adaptive set, which is not limited.
Similarly, the sample perturbation constraint corresponding to the second adaptive set and the sample perturbation constraint corresponding to the third adaptive set can be obtained, so as to obtain the sample perturbation constraint corresponding to each adaptive set.
Step 207, selecting the maximum feature value from all feature values of the network output vector corresponding to the training image for each training image in the second subset, and determining a target adaptive set corresponding to the training image based on the maximum feature value; and determining a target disturbance vector corresponding to the training image based on the target sample disturbance constraint corresponding to the target adaptive set, and generating a disturbance sample image based on the target disturbance vector and the training image.
For example, assuming that the first adaptive set, the second adaptive set and the third adaptive set are divided, the maximum feature value z_max may be selected from all feature values of the network output vector corresponding to the training image. If z_max is in the feature value interval e3 corresponding to the first adaptation group, the target adaptation group is the first adaptation group; if z_max is in the feature value interval e4 corresponding to the second adaptation group, the target adaptation group is the second adaptation group; if z_max is in the feature value interval e5 corresponding to the third adaptation group, the target adaptation group is the third adaptation group. Assuming that the target adaptive set is the first adaptive set, the sample perturbation constraint corresponding to the first adaptive set is determined as the target sample perturbation constraint.
Then, determining a disturbance vector interval based on a target sample disturbance constraint, wherein the maximum disturbance vector of the disturbance vector interval is determined based on the target sample disturbance constraint, determining the disturbance vector in the disturbance vector interval as a target disturbance vector corresponding to the training image, and generating a disturbance sample image based on the target disturbance vector and the training image. It should be noted that the target perturbation vector may include a plurality of perturbation values, that is, for each pixel point of the image, one perturbation value corresponds to, and the perturbation values corresponding to different pixel points may be the same or different, but the perturbation value corresponding to each pixel point needs to be located in the perturbation vector interval.
For example, the perturbation vector interval may be [−ε_r, ε_r], which is not limited, as long as the maximum perturbation vector of the perturbation vector interval is the target sample perturbation constraint ε_r. After the perturbation vector interval is obtained, any perturbation vector in the interval may be determined as the target perturbation vector corresponding to the training image, which is not limited, as long as the target perturbation vector is located in the perturbation vector interval. It should be noted that when a target perturbation vector is randomly selected from the perturbation vector interval [−ε_r, ε_r], a plurality of perturbation values need to be randomly selected, that is, each pixel point corresponds to one perturbation value, and every perturbation value needs to be located in the perturbation vector interval [−ε_r, ε_r].
After the target disturbance vector corresponding to the training image is obtained, the target disturbance vector is added on the basis of the training image to obtain a disturbance sample image, that is, the target disturbance vector is added on the basis of the pixel value of each pixel point of the training image to obtain a disturbance sample image, and then the disturbance sample image can be used for replacing the training image in the second subset, namely, the second subset is updated.
The target disturbance vector comprises a plurality of disturbance values, namely each pixel point corresponds to one disturbance value, and the disturbance value corresponding to the pixel point is added on the basis of the pixel value of the pixel point aiming at each pixel point.
Obviously, after each training image in the second subset is subjected to the above processing, a disturbance sample image corresponding to each training image can be obtained, so that all images included in the second subset are disturbance sample images, and the disturbance sample images are adversarial samples obtained by adding disturbance on the basis of the training images.
It should be noted that, since the adaptive sets corresponding to different training images may be different, different training images can correspond to different sample disturbance constraints. The anti-interference capability of different training images is thereby taken into account, so that the capability to resist attack samples is improved and the natural accuracy is properly protected.
In summary, a first subset and a second subset can be obtained, the first subset including a plurality of natural sample images (i.e., non-adversarial samples), and the second subset including a plurality of perturbed sample images (i.e., adversarial samples). On this basis, model training may be performed based on the first subset and the second subset, see the subsequent steps.
Step 208, training the initial network model based on the natural sample images in the first subset and the disturbance sample images in the second subset to obtain a trained target network model.
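The following added example (it is not part of the patent text or the applicant's code) runs steps 203 to 207 in Python on a constructed two-class toy problem, so the split into subsets, the grouping by z_max and the per-group ε search can be followed end to end. Assumptions: a fixed linear model stands in for both the initial and the reference network, the search uses a fixed alternating-sign perturbation instead of a random draw so that it is reproducible, and ε_r is reduced to the midpoint of [ε_l, ε_r], which equals halving while ε_l is 0.

```python
# Added example (not from the patent): steps 203-207 on constructed toy data.
import random

# Assumption: one fixed linear model serves as initial AND frozen reference network.
W = [[1.0, 0.0], [0.0, 1.0]]

def logits(weights, x):
    """Network output vector: one score per class."""
    return [sum(w * v for w, v in zip(row, x)) for row in weights]

def predict(weights, x):
    z = logits(weights, x)
    return z.index(max(z))

def split_subsets(weights, data):
    """Step 203: first subset = misclassified, second subset = correct (with z_max)."""
    first, second = [], []
    for x, y in data:
        z = logits(weights, x)
        if z.index(max(z)) != y:
            first.append((x, y))
        else:
            second.append((x, y, max(z)))
    return first, second

def group_of(z_max, d, f1, f2):
    """Step 205, three groups: e3=[d-f1, d+f2], e4=(-inf, d-f1), e5=(d+f2, +inf)."""
    if z_max < d - f1:
        return "low"
    if z_max > d + f2:
        return "high"
    return "mid"

def edge_pattern(x, eps):
    """Fixed perturbation inside [-eps, eps] per pixel (alternating sign).
    Assumption: the patent draws the values at random; a fixed pattern keeps
    the search below reproducible."""
    return [v + (eps if i % 2 else -eps) for i, v in enumerate(x)]

def search_epsilon(ref_weights, x, y, eps_l, eps_r, gamma, step, eps_max):
    """Steps 2061-2069 for one sample against the frozen reference model."""
    if gamma <= 0 or step <= 0:
        raise ValueError("gamma and step must be positive for the search to end")
    while True:
        wrong = predict(ref_weights, edge_pattern(x, eps_r)) != y  # 2063-2065
        if wrong:
            if eps_r - eps_l <= gamma:      # step 2066: search end condition
                return eps_r                # step 2067
            eps_r = (eps_l + eps_r) / 2     # step 2068: shrink toward eps_l
        else:
            eps_l, eps_r = eps_l + step, eps_r + step  # step 2069: raise both ends
            if eps_r > eps_max:
                return eps_max

def group_budgets(ref_weights, second, f1, f2, **search_args):
    """Steps 204-206: d = mean of z_max, then the mean epsilon of each group."""
    d = sum(z for _, _, z in second) / len(second)
    per_group = {}
    for x, y, z_max in second:
        eps = search_epsilon(ref_weights, x, y, **search_args)
        per_group.setdefault(group_of(z_max, d, f1, f2), []).append(eps)
    return d, {g: sum(v) / len(v) for g, v in per_group.items()}

def perturb_second_subset(second, d, budgets, f1, f2, rng):
    """Step 207: random per-pixel perturbation bounded by the group's budget."""
    out = []
    for x, y, z_max in second:
        eps = budgets[group_of(z_max, d, f1, f2)]
        out.append(([v + rng.uniform(-eps, eps) for v in x], y, eps))
    return out

# Constructed data: (pixels, actual class). Dyadic values keep the arithmetic exact.
DATA = [([0.25, 0.75], 0), ([0.75, 0.25], 0), ([0.625, 0.5], 0),
        ([1.0, 0.0], 0), ([0.75, 0.5], 0)]
SEARCH = dict(eps_l=0.0, eps_r=0.5, gamma=0.0625, step=0.03125, eps_max=0.5)

def run():
    first, second = split_subsets(W, DATA)
    d, budgets = group_budgets(W, second, f1=0.0625, f2=0.0625, **SEARCH)
    adv = perturb_second_subset(second, d, budgets, 0.0625, 0.0625, random.Random(0))
    return first, second, d, budgets, adv

if __name__ == "__main__":
    first, second, d, budgets, adv = run()
    print("natural samples kept as they are:", first)
    print("target feature value d:", d)
    print("per-group perturbation budgets:", budgets)
```

In this toy data the sample closest to the decision boundary ends up with the smallest budget and the most confident sample is capped at the configured maximum, which is the behaviour the grouping is meant to produce.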
In one possible embodiment, the initial network model may be trained using the following steps:
Step 2081, inputting the natural sample images in the first subset to the initial network model, obtaining first feature vectors corresponding to the natural sample images, and determining a first loss value based on the first feature vectors.
For example, for each natural sample image in the first subset, the natural sample image is input to a first sub-network of the initial network model, and a feature vector output by the first sub-network is used as a first feature vector corresponding to the natural sample image (i.e., the first feature vector corresponds to the network output vector of the above-described embodiment).
After the first feature vectors corresponding to all natural sample images are obtained, the loss value of the target loss function 1 can be determined based on the first feature vectors, and is recorded as a first loss value. For example, the target loss function 1 may be configured in advance, the input of the target loss function 1 is the first eigenvector, and the output of the target loss function 1 is the first loss value, and the target loss function 1 is not limited as long as the above-described input-output relationship is satisfied. Based on this, after obtaining the first feature vectors, the first feature vectors may be substituted into the objective loss function 1 to obtain a first loss value of the objective loss function 1.
Step 2082, inputting the disturbance sample images in the second subset to the initial network model, obtaining second feature vectors corresponding to the disturbance sample images, and determining a second loss value based on the second feature vectors.
For example, for each perturbed sample image in the second subset, the perturbed sample image may be input to the first sub-network of the initial network model to obtain the second feature vector.
After the second feature vectors corresponding to all the disturbance sample images are obtained, the loss value of the target loss function 2 may be determined based on the second feature vectors, and is recorded as the second loss value. The target loss function 2 may be the same as or different from the target loss function 1. After the second feature vectors are obtained, they can be substituted into the target loss function 2 to obtain the second loss value.
Step 2083, determining a target loss value based on the first loss value and the second loss value, and adjusting the initial network model based on the target loss value to obtain an adjusted network model.
For example, the target loss value may be determined based on the sum of the first loss value and the second loss value, and the parameters of the initial network model are then updated based on the target loss value. For example, the network parameters (i.e., network weights) of the initial network model are updated through a back propagation algorithm to obtain an updated network model (denoted as the adjusted network model); the updating process is not limited. An example of a back propagation algorithm may be a gradient descent method, i.e. the network weights of the initial network model are updated by the gradient descent method.
Step 2084, after obtaining the adjusted network model, if the adjusted network model is converged, determining the adjusted network model as the target network model, i.e. completing the model training process to obtain the trained target network model. If the adjusted network model is not converged, the adjusted network model is determined as the initial network model, and the process returns to step 202, namely, each training image in the training data set is input to the adjusted network model, and the steps are repeated until the adjusted network model is converged to obtain the target network model.
For example, if the target loss value is smaller than the preset threshold, it may be determined that the adjusted network model has converged, otherwise, it is determined that the adjusted network model has not converged. Or, if the iteration number of the initial network model reaches a preset number threshold, it may be determined that the adjusted network model has converged, otherwise, it is determined that the adjusted network model has not converged. Or, if the iteration duration of the initial network model reaches the preset duration threshold, it may be determined that the adjusted network model has converged, otherwise, it is determined that the adjusted network model has not converged. Of course, the above are just a few examples of whether the adjusted network model has converged, and the determination method is not limited.
After the target network model is obtained, the target network model is used for classifying the image to be classified, namely after the image to be classified is input into the target network model, the target network model can perform artificial intelligence processing on the image to be classified to obtain a classification result, and the processing process of the target network model is not limited.
According to the above technical solution, in the embodiment of the application, in order to generate adversarial (confrontation) samples from natural samples, a plurality of adaptive groups can be divided, and each adaptive group corresponds to a sample disturbance constraint, namely different adaptive groups correspond to different sample disturbance constraints. On this basis, the adaptive group corresponding to a natural sample can be determined, and the adversarial sample is generated from the natural sample under the sample disturbance constraint corresponding to that adaptive group. Different natural samples can therefore correspond to different sample disturbance constraints, the anti-interference capability of different natural samples is taken into account, the efficiency of adversarial training is improved, the network model's resistance to attack samples is improved, a target network model with high natural accuracy and robustness level is obtained, and the requirements of different application scenarios are met. z_max can roughly measure the distance of a sample from the decision boundary of a classifier, and samples with similar z_max are similar in their ability to resist disturbance. The samples are therefore grouped according to z_max (namely the adaptive groups), and an adaptive disturbance constraint is applied to each group of samples. This improves the efficiency of adaptive training, avoids the adaptation arriving at a disturbance constraint that is too small or too large, helps balance robust accuracy against natural accuracy, improves the trade-off between robustness and natural accuracy, and copes flexibly with different scenarios.
The following describes the technical solution of the embodiment of the present application with reference to a specific application scenario.
The embodiment of the application provides a confrontation training method based on adaptive group sample disturbance constraint, which can be applied to any type of electronic equipment, and the method can comprise the following steps:
Step S11, the training data set D is divided into K sub data sets (mini-batches), each sub data set includes M samples (i.e., the training images in the above embodiment), and T epochs are set. One complete training pass of the initial network model over all data of the training data set is 1 epoch, so T epochs means that the initial network model is completely trained T times.
Illustratively, the training dataset D may be a training dataset such as CIFAR-10 and ImageNet-30.
Step S12, all natural samples in the first sub data set are input to the initial network model, and for each natural sample the maximum feature value z_max in the corresponding network output vector and the prediction category are obtained.
Step S13, determining whether the classification result is correct or not based on the prediction category corresponding to the natural sample; if not, storing the natural sample to the first subset, and if so, storing the natural sample to the second subset.
Step S14, for the natural samples in the second subset, dividing a plurality of adaptive groups based on the maximum feature value z_max in the network output vector corresponding to each natural sample, and determining the sample disturbance constraint corresponding to each adaptive group. For each natural sample, a disturbance sample is generated from the natural sample under the sample disturbance constraint of the adaptive group to which the natural sample belongs, and the disturbance sample is stored to the second subset to replace the natural sample.
Step S15, inputting the natural samples in the first subset and the disturbance samples in the second subset to the initial network model to obtain a target loss value, and performing back propagation to update the network parameters of the initial network model based on the target loss value, thereby completing the training process of one sub data set (mini-batch).
And for the remaining K-1 sub-data sets, repeating the training process by adopting the steps S12 to S15, continuously updating the network parameters of the initial network model, and finishing the training of an epoch.
Then, the whole training data set is shuffled, the training process is repeated with steps S12 to S15 for the new K sub data sets, the network parameters of the initial network model are continuously updated, and the training of another epoch is completed. This process is repeated in the same way until the training of the T epochs is finished.
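Steps S12 to S14 and the target loss of step S15 for one mini-batch, as an added Python example (not code from the patent). Assumptions: a toy linear two-class model over constructed 2-D feature vectors stands in for the network and the images, the reference model is a copy of it, the target feature value is the mean z_max of the correctly classified samples, the perturbation is a single-step sign-gradient one, and the constraint search halves its step and ends at `min_step`.

```python
import math

def logits(W, b, x):
    """Network output vector of a linear model (stand-in for the first sub-network)."""
    return [sum(wj * xj for wj, xj in zip(w, x)) + bk for w, bk in zip(W, b)]

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    return [v / sum(e) for v in e]

def predict(W, b, x):
    """Return (prediction category, z_max) as in step S12."""
    z = logits(W, b, x)
    return z.index(max(z)), max(z)

def cross_entropy(W, b, x, y):
    return -math.log(softmax(logits(W, b, x))[y])

def perturb(W, b, x, y, eps):
    """ASSUMPTION: single-step sign-gradient perturbation, L-inf norm <= eps."""
    p = softmax(logits(W, b, x))
    grad = [sum((p[k] - (k == y)) * W[k][j] for k in range(len(W)))
            for j in range(len(x))]
    return [xj + eps * ((g > 0) - (g < 0)) for xj, g in zip(x, grad)]

def assign_group(z_max, target, th1, th2):
    """Three feature-value intervals around the target feature value."""
    if z_max < target - th1:
        return "second"          # interval ends at target - th1
    if z_max > target + th2:
        return "third"           # interval starts at target + th2
    return "first"               # [target - th1, target + th2]

def search_eps(fooled, eps0, eps_max, step, min_step):
    """Search a group's disturbance constraint against the reference model.
    ASSUMPTION: the step halves on every reduction, and the search ends once
    a misclassifying eps is found with step <= min_step."""
    eps = eps0
    while True:
        if fooled(eps):                  # reference model misclassifies
            if step <= min_step:
                return eps
            step /= 2
            eps -= step                  # reduce the constraint and retry
        else:                            # still classified correctly
            eps += step                  # increase the constraint
            if eps > eps_max:
                return eps_max           # cap at the configured maximum

def build_batch(W, b, ref, batch, th1, th2, eps0, eps_max, step, min_step):
    # S12/S13: misclassified samples stay natural (first subset).
    natural, correct = [], []
    for x, y in batch:
        pred, z_max = predict(W, b, x)
        (correct if pred == y else natural).append((x, y, z_max))
    # S14: group the correctly classified samples by z_max.
    # ASSUMPTION: target feature value = mean z_max of those samples.
    target = sum(z for _, _, z in correct) / max(len(correct), 1)
    groups = {}
    for x, y, z in correct:
        groups.setdefault(assign_group(z, target, th1, th2), []).append((x, y))
    eps_of = {}
    for name, members in groups.items():
        x0, y0 = members[0]              # ASSUMPTION: first member represents the group
        def fooled(eps):
            return predict(*ref, perturb(*ref, x0, y0, eps))[0] != y0
        eps_of[name] = search_eps(fooled, eps0, eps_max, step, min_step)
    perturbed = [(perturb(W, b, x, y, eps_of[g]), y)
                 for g, members in groups.items() for x, y in members]
    # S15: target loss = loss on natural samples + loss on perturbed samples.
    loss1 = sum(cross_entropy(W, b, x, y) for x, y, _ in natural)
    loss2 = sum(cross_entropy(W, b, x, y) for x, y in perturbed)
    return eps_of, groups, perturbed, loss1, loss2

# Constructed toy data: class 0 if x1 + x2 > 0, so z_max = |x1 + x2|.
W, B = [[1.0, 1.0], [-1.0, -1.0]], [0.0, 0.0]
BATCH = [([0.55, 0.55], 0), ([1.55, 1.55], 0), ([-1.55, -1.55], 1),
         ([2.55, 2.55], 0), ([0.25, 0.25], 1)]   # the last one is misclassified

def run_example():
    return build_batch(W, B, (W, B), BATCH, th1=1.0, th2=1.0,
                       eps0=1.0, eps_max=2.0, step=0.5, min_step=0.125)

if __name__ == "__main__":
    eps_of, groups, _, loss1, loss2 = run_example()
    print(eps_of, loss1 + loss2)
```

On this data the group closest to the decision boundary ends with the smallest constraint, and the farthest group is capped at `eps_max`.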
Based on the same application concept as the method, the embodiment of the present application provides a confrontation training apparatus based on adaptive group sample disturbance constraint. Referring to fig. 3, which is a schematic structural diagram of the apparatus, the apparatus may include:
an acquisition module 31 for acquiring a plurality of training images; inputting the training images to an initial network model aiming at each training image to obtain a network output vector and a prediction category corresponding to the training images;
a determining module 32, configured to determine the training image as a natural sample image if the classification result of the training image is determined to be an error based on the prediction class and the actual class of the training image; the determining module 32 is further configured to determine, based on the network output vector, a target adaptation group corresponding to the training image if the classification result of the training image is determined to be correct based on the prediction class and the actual class; determining a target disturbance vector corresponding to the training image based on a target sample disturbance constraint corresponding to the target adaptive set, and generating a disturbance sample image based on the target disturbance vector and the training image;
a training module 33, configured to train the initial network model based on the natural sample images and the disturbance sample images corresponding to the multiple training images to obtain a trained target network model;
the target network model is used for classifying the image to be classified.
In a possible implementation manner, the obtaining module 31 is specifically configured to, when inputting the training image to an initial network model and obtaining a network output vector corresponding to the training image:
inputting the training image to a first sub-network of an initial network model, and determining a feature vector output by the first sub-network as the network output vector; wherein the initial network model includes a first sub-network and a second sub-network, the second sub-network including a last network layer in the initial network model, the first sub-network including remaining network layers except the last network layer.
In a possible implementation, the determining module 32 is specifically configured to, when determining the target adaptation group corresponding to the training image based on the network output vector:
determining a target characteristic value based on the maximum characteristic values in the network output vectors corresponding to all training images whose classification results are correct, and determining at least two self-adaptive groups based on the target characteristic value; each self-adaptive group corresponds to a characteristic value interval, and the characteristic value intervals corresponding to different self-adaptive groups are different;
and determining a characteristic value interval corresponding to the maximum characteristic value in the network output vector, and determining a self-adaptive group corresponding to the characteristic value interval as a target self-adaptive group corresponding to the training image.
In a possible implementation, when determining at least two adaptation groups based on the target feature value, the determining module 32 is specifically configured to: determining a first adaptation group, a second adaptation group, and a third adaptation group based on the target feature value; the interval starting value of the characteristic value interval corresponding to the first self-adaptive group is the difference between the target characteristic value and a preset first threshold value, and the interval ending value of the characteristic value interval corresponding to the first self-adaptive group is the sum of the target characteristic value and a preset second threshold value; the interval end value of the characteristic value interval corresponding to the second adaptive set is the difference between the target characteristic value and a preset first threshold value; and the interval starting value of the characteristic value interval corresponding to the third adaptive set is the sum of the target characteristic value and a preset second threshold value.
In a possible implementation, the determining module 32 is specifically configured to, when determining the target sample perturbation constraint corresponding to the target adaptation group: obtaining initial sample disturbance constraint, determining an initial disturbance vector based on the initial sample disturbance constraint, and generating an initial sample image based on the initial disturbance vector and a training image corresponding to the target adaptive set; inputting the initial sample image to a configured reference network model to obtain a prediction category corresponding to the initial sample image; if the classification result of the initial sample image is determined to be wrong based on the prediction type, determining whether the initial sample disturbance constraint meets a search ending condition; if yes, determining a target sample disturbance constraint corresponding to the target adaptive set based on the initial sample disturbance constraint; if not, reducing the initial sample disturbance constraint, and returning to execute the operation of determining the initial disturbance vector based on the initial sample disturbance constraint based on the reduced initial sample disturbance constraint.
In a possible implementation, the determining module 32 inputs the initial sample image to the configured reference network model, and after obtaining the prediction category corresponding to the initial sample image, further:
if the classification result of the initial sample image is determined to be correct based on the prediction category, increasing the initial sample disturbance constraint, and judging whether the increased initial sample disturbance constraint is greater than the configured maximum value of the sample disturbance constraint; if not, based on the increased initial sample disturbance constraint, returning to execute the operation of determining an initial disturbance vector based on the initial sample disturbance constraint; and if so, determining a target sample disturbance constraint corresponding to the target adaptive set based on the maximum sample disturbance constraint value.
In a possible implementation, the determining module 32 is specifically configured to, when determining the target perturbation vector corresponding to the training image based on the target sample perturbation constraint corresponding to the target adaptive set:
determining a perturbation vector interval based on a target sample perturbation constraint corresponding to the target adaptive set; wherein a maximum perturbation vector of the perturbation vector interval is determined based on the target sample perturbation constraint;
and determining the disturbance vector in the disturbance vector interval as the target disturbance vector.
In a possible implementation manner, the training module 33 trains the initial network model based on the natural sample images and the disturbance sample images corresponding to the training images, and when obtaining the trained target network model, is specifically configured to: inputting the natural sample image to the initial network model to obtain a first feature vector corresponding to the natural sample image, and determining a first loss value based on the first feature vector; inputting the disturbance sample image to the initial network model to obtain a second feature vector corresponding to the disturbance sample image, and determining a second loss value based on the second feature vector;
determining a target loss value based on the first loss value and the second loss value, and adjusting the initial network model based on the target loss value to obtain an adjusted network model;
if the adjusted network model is converged, determining the adjusted network model as a target network model;
and if the adjusted network model is not converged, determining the adjusted network model as an initial network model, and returning to execute the operation of inputting the training image to the initial network model.
Based on the same application concept as the method, the embodiment of the present application provides a confrontation training device (i.e. an electronic device) based on adaptive group sample disturbance constraint. Referring to fig. 4, the device may include: a processor 41 and a machine-readable storage medium 42, the machine-readable storage medium 42 storing machine-executable instructions executable by the processor 41; the processor 41 is configured to execute machine executable instructions to perform the following steps:
acquiring a plurality of training images; inputting the training images to an initial network model aiming at each training image to obtain a network output vector and a prediction category corresponding to the training images;
determining the training image as a natural sample image if the classification result of the training image is determined to be wrong based on the prediction type and the actual type of the training image;
if the classification result of the training image is determined to be correct based on the prediction type and the actual type, determining a target adaptive set corresponding to the training image based on the network output vector; determining a target disturbance vector corresponding to the training image based on a target sample disturbance constraint corresponding to the target adaptive set, and generating a disturbance sample image based on the target disturbance vector and the training image;
training the initial network model based on the natural sample images and the disturbance sample images corresponding to the training images to obtain a trained target network model;
the target network model is used for classifying the image to be classified.
Based on the same application concept as the method, embodiments of the present application further provide a machine-readable storage medium, where several computer instructions are stored on the machine-readable storage medium, and when the computer instructions are executed by a processor, the confrontation training method based on adaptive group sample perturbation constraint disclosed in the above examples of the present application can be implemented. The machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: a RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or similar storage medium, or a combination thereof.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and the units are described separately. Of course, when implementing the present application, the functionality of the units may be implemented in one or more pieces of software and/or hardware.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. An adaptive group sample perturbation constraint-based confrontation training method is characterized by comprising the following steps:
acquiring a plurality of training images; inputting the training images to an initial network model aiming at each training image to obtain a network output vector and a prediction category corresponding to the training images;
determining the training image as a natural sample image if the classification result of the training image is determined to be wrong based on the prediction type and the actual type of the training image;
if the classification result of the training image is determined to be correct based on the prediction type and the actual type, determining a target adaptive set corresponding to the training image based on the network output vector; determining a target disturbance vector corresponding to the training image based on a target sample disturbance constraint corresponding to the target adaptive set, and generating a disturbance sample image based on the target disturbance vector and the training image;
training the initial network model based on the natural sample images and the disturbance sample images corresponding to the training images to obtain a trained target network model;
the target network model is used for classifying the image to be classified.
2. The method of claim 1, wherein the inputting the training image to an initial network model to obtain a network output vector corresponding to the training image comprises:
inputting the training image to a first sub-network of an initial network model, and determining a feature vector output by the first sub-network as the network output vector; wherein the initial network model includes a first sub-network and a second sub-network, the second sub-network including a last network layer in the initial network model, the first sub-network including remaining network layers except the last network layer.
3. The method of claim 1,
the determining a target adaptation group corresponding to the training image based on the network output vector comprises:
determining a target characteristic value based on the maximum characteristic values in the network output vectors corresponding to all training images whose classification results are correct, and determining at least two self-adaptive groups based on the target characteristic value; each self-adaptive group corresponds to a characteristic value interval, and the characteristic value intervals corresponding to different self-adaptive groups are different;
and determining a characteristic value interval corresponding to the maximum characteristic value in the network output vector, and determining a self-adaptive group corresponding to the characteristic value interval as a target self-adaptive group corresponding to the training image.
4. The method of claim 3,
the determining at least two adaptation groups based on the target feature value comprises:
determining a first adaptation group, a second adaptation group, and a third adaptation group based on the target feature value;
the interval starting value of the characteristic value interval corresponding to the first self-adaptive group is the difference between the target characteristic value and a preset first threshold value, and the interval ending value of the characteristic value interval corresponding to the first self-adaptive group is the sum of the target characteristic value and a preset second threshold value; the interval end value of the characteristic value interval corresponding to the second adaptive set is the difference between the target characteristic value and a preset first threshold value; and the interval starting value of the characteristic value interval corresponding to the third adaptive set is the sum of the target characteristic value and a preset second threshold value.
5. The method of claim 1,
the method for determining the target sample disturbance constraint corresponding to the target adaptive set comprises the following steps:
obtaining initial sample disturbance constraint, determining an initial disturbance vector based on the initial sample disturbance constraint, and generating an initial sample image based on the initial disturbance vector and a training image corresponding to the target adaptive set;
inputting the initial sample image to a configured reference network model to obtain a prediction category corresponding to the initial sample image; if the classification result of the initial sample image is determined to be wrong based on the prediction type, determining whether the initial sample disturbance constraint meets a search ending condition;
if yes, determining a target sample disturbance constraint corresponding to the target adaptive set based on the initial sample disturbance constraint; if not, reducing the initial sample disturbance constraint, and, based on the reduced initial sample disturbance constraint, returning to execute the operation of determining the initial disturbance vector based on the initial sample disturbance constraint.
6. The method of claim 5,
after the initial sample image is input to the configured reference network model and the prediction category corresponding to the initial sample image is obtained, the method further includes:
if the classification result of the initial sample image is determined to be correct based on the prediction category, increasing the initial sample disturbance constraint, and judging whether the increased initial sample disturbance constraint is greater than the configured maximum value of the sample disturbance constraint; if not, based on the increased initial sample disturbance constraint, returning to execute the operation of determining an initial disturbance vector based on the initial sample disturbance constraint; and if so, determining a target sample disturbance constraint corresponding to the target adaptive set based on the maximum sample disturbance constraint value.
7. The method of claim 1, wherein the determining a target perturbation vector corresponding to the training image based on the target sample perturbation constraint corresponding to the target adaptation group comprises:
determining a perturbation vector interval based on a target sample perturbation constraint corresponding to the target adaptive set; wherein a maximum perturbation vector of the perturbation vector interval is determined based on the target sample perturbation constraint;
and determining the disturbance vector in the disturbance vector interval as the target disturbance vector.
8. The method of claim 1,
the training the initial network model based on the natural sample images and the disturbance sample images corresponding to the training images to obtain a trained target network model includes:
inputting the natural sample image to the initial network model to obtain a first feature vector corresponding to the natural sample image, and determining a first loss value based on the first feature vector;
inputting the disturbance sample image to the initial network model to obtain a second feature vector corresponding to the disturbance sample image, and determining a second loss value based on the second feature vector;
determining a target loss value based on the first loss value and the second loss value, and adjusting the initial network model based on the target loss value to obtain an adjusted network model;
if the adjusted network model is converged, determining the adjusted network model as a target network model;
and if the adjusted network model is not converged, determining the adjusted network model as an initial network model, and returning to execute the operation of inputting the training image to the initial network model.
9. An adversarial training device based on an adaptive group sample perturbation constraint, comprising:
an acquisition module, configured to acquire a plurality of training images and, for each training image, to input the training image to an initial network model to obtain a network output vector and a prediction category corresponding to the training image;
a determining module, configured to determine the training image as a natural sample image if the classification result of the training image is determined to be wrong based on the prediction category and the actual category of the training image;
and, if the classification result of the training image is determined to be correct based on the prediction category and the actual category, to determine a target adaptive set corresponding to the training image based on the network output vector, to determine a target disturbance vector corresponding to the training image based on a target sample disturbance constraint corresponding to the target adaptive set, and to generate a disturbance sample image based on the target disturbance vector and the training image;
a training module, configured to train the initial network model based on the natural sample images and the disturbance sample images corresponding to the training images to obtain a trained target network model;
the target network model is used for classifying the image to be classified.
10. An adversarial training device based on an adaptive group sample perturbation constraint, comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the processor is configured to execute the machine-executable instructions to perform the steps of:
acquiring a plurality of training images; for each training image, inputting the training image to an initial network model to obtain a network output vector and a prediction category corresponding to the training image;
determining the training image as a natural sample image if the classification result of the training image is determined to be wrong based on the prediction category and the actual category of the training image;
if the classification result of the training image is determined to be correct based on the prediction category and the actual category, determining a target adaptive set corresponding to the training image based on the network output vector; determining a target disturbance vector corresponding to the training image based on a target sample disturbance constraint corresponding to the target adaptive set, and generating a disturbance sample image based on the target disturbance vector and the training image;
training the initial network model based on the natural sample images and the disturbance sample images corresponding to the training images to obtain a trained target network model;
the target network model is used for classifying the image to be classified.
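The steps of claim 10, together with the two-loss training loop listed before claim 9, as an added illustration that is not part of the patent text: a pure-Python linear softmax classifier stands in for the network model. The margin-based table `GROUPS`, the single signed-gradient step, the summed target loss and the convergence test are assumptions, because the claims shown here do not fix them.

```python
import math

# Assumed grouping rule: bin correct samples by logit margin; one L-inf budget per bin.
GROUPS = [(0.5, 0.02), (2.0, 0.05), (math.inf, 0.10)]  # (max margin, epsilon)
DATA = [([0.9, 0.1], 0), ([0.8, 0.2], 0), ([0.1, 0.9], 1), ([0.2, 0.8], 1)]  # constructed

def logits(W, x):
    return [sum(w * v for w, v in zip(row, x)) for row in W]

def softmax(z):
    e = [math.exp(v - max(z)) for v in z]
    return [v / sum(e) for v in e]

def predict(W, x):
    z = logits(W, x)
    return max(range(len(z)), key=z.__getitem__)

def group_epsilon(z, y):
    # Network output vector -> adaptive set -> that set's perturbation budget.
    margin = z[y] - max(v for k, v in enumerate(z) if k != y)
    return next(eps for bound, eps in GROUPS if margin <= bound)

def make_sample(W, x, y):
    if predict(W, x) != y:
        return x, "natural"  # misclassified: train on the image unchanged
    z = logits(W, x)
    eps, p = group_epsilon(z, y), softmax(z)
    # d(cross-entropy)/dx for a linear model: sum_k (p_k - [k == y]) * W[k]
    g = [sum((p[k] - (k == y)) * W[k][j] for k in range(len(W))) for j in range(len(x))]
    step = [eps * ((gj > 0) - (gj < 0)) for gj in g]  # one signed-gradient step
    return [min(1.0, max(0.0, v + s)) for v, s in zip(x, step)], "perturbed"

def train(W, data, lr=0.5, max_iter=500, tol=1e-4):
    prev, n = math.inf, len(data)
    for _ in range(max_iter):
        loss = {"natural": 0.0, "perturbed": 0.0}  # first and second loss values
        grad = [[0.0] * len(row) for row in W]
        for x, y in data:
            xs, kind = make_sample(W, x, y)
            p = softmax(logits(W, xs))
            loss[kind] -= math.log(p[y]) / n
            grad = [[g + (p[k] - (k == y)) * v / n for g, v in zip(row, xs)]
                    for k, row in enumerate(grad)]
        W = [[w - lr * g for w, g in zip(rw, rg)] for rw, rg in zip(W, grad)]
        target = loss["natural"] + loss["perturbed"]  # assumed: plain sum
        if abs(prev - target) < tol:  # assumed convergence test
            break
        prev = target
    return W
```

Calling `train([[0.0, 0.0], [0.0, 0.0]], DATA)` returns the adjusted weights; `make_sample` can then be re-run on each pair to confirm that the perturbed images are still classified correctly.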
CN202111350578.6A 2021-11-15 2021-11-15 Countermeasure training method, device and equipment based on adaptive group sample disturbance constraint Pending CN114091597A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111350578.6A CN114091597A (en) 2021-11-15 2021-11-15 Countermeasure training method, device and equipment based on adaptive group sample disturbance constraint

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111350578.6A CN114091597A (en) 2021-11-15 2021-11-15 Countermeasure training method, device and equipment based on adaptive group sample disturbance constraint

Publications (1)

Publication Number Publication Date
CN114091597A true CN114091597A (en) 2022-02-25

Family

ID=80300749

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111350578.6A Pending CN114091597A (en) 2021-11-15 2021-11-15 Countermeasure training method, device and equipment based on adaptive group sample disturbance constraint

Country Status (1)

Country Link
CN (1) CN114091597A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115169251A (en) * 2022-09-06 2022-10-11 新华三人工智能科技有限公司 Fan rotating speed control method, device and equipment
CN115169251B (en) * 2022-09-06 2022-11-25 新华三人工智能科技有限公司 Fan rotating speed control method, device and equipment
CN115496924A (en) * 2022-09-29 2022-12-20 北京瑞莱智慧科技有限公司 Data processing method, related equipment and storage medium

Similar Documents

Publication Publication Date Title
CN108491765B (en) Vegetable image classification and identification method and system
Sukhbaatar et al. Learning from noisy labels with deep neural networks
US20170344881A1 (en) Information processing apparatus using multi-layer neural network and method therefor
WO2021164625A1 (en) Method of training an image classification model
Singh et al. Layer-specific adaptive learning rates for deep networks
Schilling The effect of batch normalization on deep convolutional neural networks
CN110046634B (en) Interpretation method and device of clustering result
CN111723915B (en) Target detection method based on deep convolutional neural network
CN114091597A (en) Countermeasure training method, device and equipment based on adaptive group sample disturbance constraint
CN112818690B (en) Semantic recognition method and device combined with knowledge graph entity information and related equipment
CN107223260B (en) Method for dynamically updating classifier complexity
CN112633309A (en) Efficient query black box anti-attack method based on Bayesian optimization
KR101901307B1 (en) Method, apparatus and computer-readable recording medium for classifying classes using deep neural network with weighted fuzzy membership function
KR20210032140A (en) Method and apparatus for performing pruning of neural network
US11080596B1 (en) Prediction filtering using intermediate model representations
CN112149825A (en) Neural network model training method and device, electronic equipment and storage medium
KR20220045424A (en) Method and apparatus of compressing artificial neural network
Hurtado et al. Overcoming catastrophic forgetting using sparse coding and meta learning
CN109902167B (en) Interpretation method and device of embedded result
CN111340057A (en) Classification model training method and device
Putra et al. Multilevel neural network for reducing expected inference time
CN116917899A (en) Method and apparatus for deep neural networks with capability for resistance detection
US20220284261A1 (en) Training-support-based machine learning classification and regression augmentation
CN112036446B (en) Method, system, medium and device for fusing target identification features
CN112734039B (en) Virtual confrontation training method, device and equipment for deep neural network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination