CN109948658A - Adversarial attack defense method based on a feature-map attention mechanism, and its application - Google Patents
Adversarial attack defense method based on a feature-map attention mechanism, and its application
- Publication number: CN109948658A (application number CN201910138087.1A)
- Authority: CN (China)
- Prior art keywords: image, sample, attack, adversarial example, adversarial
- Legal status: Granted (as assumed by Google Patents; not a legal conclusion)
Abstract
The invention discloses an adversarial attack defense method based on an attention mechanism, comprising the following steps: (1) extract the contour features of the target using an attention mechanism, add a small perturbation based on those contour features to obtain an adversarial example, and then optimise the perturbation by momentum iteration to update the adversarial example, thereby realising an adversarial attack on the deep model; (2) use the adversarial examples to adversarially train the deep model under a multi-intensity adversarial training strategy, thereby realising the deep model's defense against adversarial attacks. The method improves the robustness and generalisation of the classifier against adversarial examples, making the classifier more reliable and stable and improving the safety of deep learning models in practical applications. An application of this attention-based adversarial attack defense method to image classification is also disclosed.
Description
Technical field
The invention belongs to the field of security research on deep learning algorithms for image classification in artificial intelligence, and in particular relates to an adversarial attack defense method based on an attention mechanism and to the application of that method to image classification.
Background art
In recent years deep learning, relying on its powerful feature-learning ability, has been widely applied across industries with good results, for example in computer vision, bioinformatics, complex networks and natural language processing. With this wide adoption its weaknesses have also become apparent; one of the main ones is that deep learning models are easily attacked by adversarial examples and are very fragile. For example, a normal photograph taken under natural conditions can be classified into the correct category with high confidence, but once a carefully designed small perturbation is added to it, the resulting adversarial image is misclassified by the deep learning model. Worse, because the added perturbation is very small, the human visual system cannot tell these carefully designed adversarial examples apart from the originals.
As research has deepened, adversarial attack methods against deep models have gradually been systematised. According to the attacker's knowledge of the deep model they can be divided into black-box, white-box and grey-box attacks: a black-box attack is carried out without knowing any of the model's parameters or structure, a white-box attack assumes knowledge of all of the model's properties, and a grey-box attack lies between the two, knowing some of the parameters and structure. According to the misclassification the adversarial example is meant to achieve they can be divided into untargeted and targeted attacks: an untargeted attack only needs the adversarial example to be misclassified, whereas a targeted attack additionally requires it to be classified as a target class chosen in advance by the attacker. Because the goals of untargeted and targeted attacks differ, their optimisation objectives generally differ as well. Moreover, these attacks are not confined to the digital domain but can also occur in the physical world: an attacker wearing carefully designed glasses can impersonate someone else and deceive a face recognition system, and an attacker can attach small stickers to a licence plate or a road sign so that a licence plate recognition system or the sign recognition system of an autonomous vehicle misidentifies it. Adversarial attacks can therefore severely degrade the performance of deep learning models, threatening the safety of systems built on them and even people's lives and property. Investigating the vulnerabilities present in deep models and defending against them is therefore very necessary.
At the same time, research on defense methods against adversarial attacks on deep models has increasingly become a focus. Current defenses fall mainly into three categories: defenses that modify the input data, such as adding random noise to the image to be classified or flipping and rescaling it, which can destroy the added adversarial perturbation; defenses that modify the structure of the original network, such as changing the convolution kernel size or the pooling range, adding layers or changing the activation function; and defenses that attach an external network to the model, such as an additional model that detects or recovers adversarial examples at test time. Although most of these defenses offer some protection against adversarial attacks, their transferability is limited and they cannot defend well against new kinds of adversarial examples.
Meanwhile it is newest studies have shown that modifying the training dataset of model, i.e., addition is to resisting sample pair in training data
Model carries out dual training, is preferably a kind of mean of defense of current effect.But the protection effect of dual training compares dependence
In the quality to resisting sample of generation, current attack method is generated weaker to the transfer ability of resisting sample, therefore is difficult
Reach relatively good dual training protection effect.
Summary of the invention
The object of the present invention is to provide an adversarial attack defense method based on a feature-map attention mechanism. The method uses feature-map attention to focus on the contour features of the target in the image and increases the perturbation on the focused contour features, so that adversarial examples that attack the deep model are easy to produce; the deep model is then trained on the adversarial examples together with normal samples, improving the robustness of the classification model in defending against adversarial attacks.
A further object of the present invention is to provide an application of this feature-map attention-based adversarial attack defense method to image classification. The method yields an image classification model that can defend against attacks and greatly improves the accuracy of image classification.
To achieve the above objects, the present invention provides the following technical scheme:
An adversarial attack defense method based on an attention mechanism, comprising the following steps:
(1) extract the contour features of the target in the image using an attention mechanism, design a small perturbation based on the extracted contour features and add it to the original normal sample to obtain an adversarial example, then optimise the perturbation by momentum iteration to update the adversarial example, thereby realising an adversarial attack on the deep model;
(2) using a data set that mixes the adversarial examples with normal samples, adversarially train the deep model under a multi-intensity adversarial training strategy, thereby realising the deep model's defense against adversarial attacks.
The present invention uses spatial attention to concentrate on the target contour on the feature map, which carries the spatial information that is key to correct classification; it then computes the gradient of the output loss function to determine where the adversarial perturbation needs to be added, and optimises the perturbation at each step with a momentum iteration method, so as to generate high-quality adversarial examples that attack effectively. The deep model is then trained with multi-intensity adversarial training, giving it robustness and transferability in defending against adversarial attacks.
Extracting the contour features of the target in the image using an attention mechanism, designing a small perturbation based on the extracted contour features and adding it to the original normal sample to obtain an adversarial example comprises:
a reconstructed-feature extraction step, in which the shallow-layer network features of the deep model are used to extract a shallow feature image of the input original image as the feature image, and the feature image is up-sampled to obtain a reconstructed feature image;
a channel-space attention weight calculation step, in which the channel-space attention weight matrix is computed from the original image and the reconstructed feature image;
a pixel-space attention weight calculation step, in which the pixel-space attention weight matrix is computed from the reconstructed channel-space attention weight matrix and the original image;
an adversarial example generation step, in which the perturbation to be added is computed from the pixel-space attention weight matrix and added to the original image to obtain the adversarial example.
Attention mechanisms can be divided into soft and hard attention. Hard attention is a stochastic weight-assignment process based on a Bernoulli distribution, whereas soft attention is a parameterised weighting method that can be embedded in a neural network and, trained end to end, can exploit the global information in the deep model to good effect. The present invention therefore uses soft attention to compute the adversarial perturbation.
In a deep classifier, deep features have a larger receptive field than shallow features, but their feature maps lose much of the spatial information. The present invention therefore reconstructs the shallow-layer feature output of the deep neural network by bilinear interpolation so that it has the same H and W as the input sample, where H is the number of pixels in the vertical direction of the image and W the number of pixels in the horizontal direction. The attention mechanism used to search for the perturbation distribution comprises channel-space attention and pixel-space attention: channel-space attention attends to the feature distribution across channels by weighting the feature map per channel, and pixel-space attention attends to the feature distribution across pixels by weighting the feature map per pixel region.
Specifically, in the channel-space attention weight calculation step:
the original image x of size [H, W, 3] is converted by a reshape operation into the image x_re of size [3, l], where H is the number of pixels in the vertical direction, W the number of pixels in the horizontal direction, 3 denotes the three RGB colour channels and l = H × W;
the reconstructed feature image f_m of size [H, W, c], obtained by up-sampling the shallow hidden-layer output, is converted by a reshape operation into the reconstructed feature image f_mm of size [c, l];
the channel-space attention weight matrix W_c of size [3, c] is then obtained by applying the softmax() activation function to the matrix product of x_re and the transpose of f_mm.
In the pixel-space attention weight calculation step:
the reconstructed channel-space attention weight W_c_re of size [3, l] is computed as the matrix product of W_c and f_mm;
the pixel-space attention weight W_p of size [1, l] is then computed by multiplying x_re and W_c_re element-wise, summing along the column direction, and applying the softmax() activation function.
In the adversarial example generation step:
the pixel-space attention weight W_p of size [1, l] is reshaped into the attention mapping weight W_map of size [H, W, 1];
the perturbation ρ to be added is then computed as the element-wise product of W_map with the gradient of the loss function with respect to the input, normalised by its 1-norm, where y denotes the correct category of the original image x, the 1-norm is the sum of the absolute values of the vector elements, and x_i denotes the pixel matrix of the i-th channel;
finally, the adversarial example x* is obtained by adding ρ to x element-wise.
Optimising the perturbation by momentum iteration to update the adversarial example comprises:
Let the maximum number of iterations against the trained deep learning classifier f be T, the original image be x, and the correct class label of x be y. At the start of the iteration the current sample is set to the original image x and the initial velocity vector is set to g_0 = 0.
The attack optimisation objective of the iteration is defined in terms of the following quantities: a hyper-parameter κ ≥ 0, the confidence of the misclassified category of the generated adversarial example, where a larger κ places a stricter requirement on the adversarial example and gives a more reliable attack; x_0, the initial image without perturbation, that is, the original image x; Z(x)_y, the confidence that the sample is classified as y, and Z(x)_{y'}, the confidence that it is classified as y'; the 2-norm of x − x_0, that is, the square root of the sum of the squared absolute values of the vector elements, which limits the size of the adversarial perturbation; and y_t', the specific target label preset by the attacker.
(1) Input the current image to the deep learning classifier f, compute the classifier's gradient with respect to the input, and capture the image's shallow-layer feature image in the network; up-sample the shallow feature image by bilinear interpolation to obtain the reconstructed feature image, and compute the pixel-space attention weight as follows: the channel-space attention weight is obtained by applying softmax() to the matrix product of the reshaped image and the transpose of the reshaped reconstructed feature matrix; the reconstructed channel-space attention weight is obtained from it by matrix multiplication with the reshaped reconstructed feature matrix; and the element-wise product of the reshaped image with the reconstructed channel-space attention weight is summed along the column direction before softmax() is applied, so that the result has size [1, l].
(2) Reshape the pixel-space attention weight into the attention mapping weight W_map.
(3) Update the velocity vector g_{i+1} from g_i along the gradient direction, where μ is the decay factor and the gradient is normalised by its 1-norm.
(4) Compute the perturbation ρ_i to be added from the velocity vector g_{i+1}:
ρ_i = g_{i+1} × α
where α is the perturbation step size added in each iteration.
(5) Add the perturbation ρ_i to the current image to obtain the updated adversarial example.
Steps (1) to (5) are repeated until the perturbation exceeds the preset value, that is, its infinity-norm (the maximum absolute value of its elements) exceeds the preset perturbation size ε, or the attack succeeds, that is, the classifier's prediction for the adversarial example differs from the correct category y of the original image x, at which point the adversarial example has been generated.
Adversarially training the deep model with the adversarial examples under the multi-intensity adversarial training strategy comprises:
(1) with a preset perturbation magnitude ε, generate a batch of adversarial examples {x_adv1} using step (1) of the attention-based adversarial attack defense method, then successively adjust the perturbation magnitude to ε/2, ε/3 and ε/4 to obtain the adversarial example subsets {x_adv2}, {x_adv3} and {x_adv4};
(2) mix all the adversarial example subsets obtained in step (1) into a total adversarial set with different attack abilities, and mix adversarial examples with normal samples according to the attack intensity AIn taking the values 0.1, 0.2, 0.3, ..., 1.0 to obtain new training data sets of different attack intensities;
(3) fine-tune the weight parameters of the deep model on the new training data sets of different attack intensities obtained in step (2).
An application of the above attention-based adversarial attack defense method to image classification comprises the following process:
First, an image set with features similar to the images to be classified is taken as the original images and a deep neural network as the image classification model; a large number of adversarial examples are generated with the above feature-map attention-based adversarial attack defense method, and the adversarial examples are used to perform multi-intensity adversarial training on the trained image classification model, discovering and repairing its vulnerabilities and yielding an image classification model able to defend against adversarial examples;
Then, the trained image classification model with this defensive ability is used to classify the images to be classified, yielding reliable classification results.
The present invention provides an adversarial attack defense method based on a feature-map attention mechanism: feature-map attention is used to obtain adversarial examples with smaller perturbations that nevertheless reliably mislead the classifier, and these adversarial examples are used for multi-intensity adversarial training of the original classifier, improving its robustness and generalisation against adversarial examples so that the classifier becomes more reliable and stable and the safety of deep learning models in practical applications is improved.
Brief description of the drawings
To explain the embodiments of the invention or the prior-art technical solutions more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Clearly the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the adversarial example generation method FineFool based on the feature-map attention mechanism;
Fig. 2 shows adversarial examples generated against the deep model ResNet-v2 under the MI-FGSM, PGD and FineFool attacks;
Fig. 3 shows adversarial examples generated against the deep model Inception-v3 under the MI-FGSM, PGD and FineFool attacks;
Fig. 4 shows the decline in confidence of the original correct category for adversarial examples generated against ResNet-v2 under the MI-FGSM, PGD and FineFool attacks;
Fig. 5 shows the rise in confidence of the misclassified category for adversarial examples generated against Inception-v3 under the MI-FGSM, PGD and FineFool attacks.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit its scope of protection.
To improve the robustness of deep learning models, this embodiment provides an adversarial attack defense method based on a feature-map attention mechanism. It comprises two stages, an adversarial example generation stage and an adversarial training stage for the deep model, as follows:
Adversarial example generation stage:
This stage uses an attention mechanism to extract the contour features of the target, adds a small perturbation based on the contour features, and then optimises the perturbation by momentum iteration to realise an adversarial attack on the deep model. This attack method is named FineFool and is used to create adversarial examples. As shown in Fig. 1, it comprises a reconstructed-feature extraction step, a channel-space attention weight calculation step, a pixel-space attention weight calculation step and an adversarial example generation step.
The reconstructed-feature extraction step extracts the shallow-layer feature map of the deep learning model and consists of a shallow feature image extraction operation and a bilinear up-sampling operation. For an original image of size [H, W, 3], where H is the number of pixels in the vertical direction, W the number of pixels in the horizontal direction and 3 the number of RGB channels, the original image x is input to the deep classification model (the classifier f), and a shallow feature image x_f of size [H1, W1, c], which retains better spatial features, is extracted as the feature image; the feature image x_f is then up-sampled by bilinear interpolation to obtain the reconstructed feature image f_m of size [H, W, c].
The channel-space attention weight calculation step computes the channel-space attention weight W_c as follows: the original image x of size [H, W, 3] is converted by a reshape operation into the image x_re of size [3, l], where H is the number of pixels in the vertical direction, W the number of pixels in the horizontal direction and l = H × W; the reconstructed feature image f_m of size [H, W, c] is converted by a reshape operation into the reconstructed feature image f_mm of size [c, l]; then the channel-space attention weight matrix W_c of size [3, c] is obtained by applying the softmax() activation function to the matrix product of x_re and the transpose of f_mm.
The pixel-space attention weight calculation step computes the pixel-space attention weight W_p as follows: first, the reconstructed channel-space attention weight W_c_re of size [3, l] is computed as the matrix product of W_c and f_mm; then the pixel-space attention weight W_p of size [1, l] is computed by multiplying x_re and W_c_re element-wise, summing along the column direction, and applying the softmax() activation function.
The adversarial example generation step generates the adversarial example x* as follows: first, the pixel-space attention weight W_p of size [1, l] is reshaped into the attention mapping weight W_map of size [H, W, 1]; then the perturbation ρ to be added is computed as the element-wise product of W_map with the gradient of the loss function with respect to the input, normalised by its 1-norm, where y denotes the correct category of the original image x, the 1-norm is the sum of the absolute values of the vector elements, and x_i denotes the pixel matrix of the i-th channel; finally, the adversarial example x* is obtained by adding ρ to x element-wise.
On the basis of the adversarial example generated above, the adversarial example is updated by momentum iteration as follows:
Let the maximum number of iterations against the trained deep learning classifier f be T, the original image be x, and the correct class label of x be y. At the start of the iteration the current sample is set to the original image x and the initial velocity vector is set to g_0 = 0.
The attack optimisation objective of the iteration is defined in terms of the following quantities: a hyper-parameter κ ≥ 0, the confidence of the misclassified category of the generated adversarial example, where a larger κ places a stricter requirement on the adversarial example and gives a more reliable attack; x_0, the initial image without perturbation, that is, the original image x; Z(x)_y, the confidence that the sample is classified as y, and Z(x)_{y'}, the confidence that it is classified as y'; the 2-norm of x − x_0, that is, the square root of the sum of the squared absolute values of the vector elements, which limits the size of the adversarial perturbation; and y_t', the specific target label preset by the attacker.
On this basis the iteration proceeds as follows:
(1) Input the current image to the deep learning classifier f, compute the classifier's gradient with respect to the input, and capture the image's shallow-layer feature image in the network; up-sample the shallow feature image by bilinear interpolation to obtain the reconstructed feature image, and compute the pixel-space attention weight as follows: the channel-space attention weight is obtained by applying softmax() to the matrix product of the reshaped image and the transpose of the reshaped reconstructed feature matrix; the reconstructed channel-space attention weight is obtained from it by matrix multiplication with the reshaped reconstructed feature matrix; and the element-wise product of the reshaped image with the reconstructed channel-space attention weight is summed along the column direction before softmax() is applied, so that the result has size [1, l].
(2) Reshape the pixel-space attention weight into the attention mapping weight W_map.
(3) Update the velocity vector g_{i+1} from g_i along the gradient direction, where μ is the decay factor and the gradient is normalised by its 1-norm.
(4) Compute the perturbation ρ_i to be added from the velocity vector g_{i+1}:
ρ_i = g_{i+1} × α
where α is the perturbation step size added in each iteration.
(5) Add the perturbation ρ_i to the current image to obtain the updated adversarial example.
Steps (1) to (5) are repeated until the perturbation exceeds the preset value, that is, its infinity-norm (the maximum absolute value of its elements) exceeds the preset perturbation size ε, or the attack succeeds, that is, the classifier's prediction for the adversarial example differs from the correct category y of the original image x, at which point the adversarial example has been generated.
If an adversarial example is generated successfully, the iteration is exited and the adversarial example is output. Otherwise, it is checked whether the current iteration count i exceeds the maximum number of iterations T; if not, the momentum iteration continues, and if so, the iteration stops and attack failure is reported.
The visualisation of the final adversarial examples is shown in the last column of Fig. 2 and Fig. 3, where ρ_FineFool is the visualisation of the adversarial perturbation obtained by FineFool and Adv_FineFool is the adversarial example obtained by adding that perturbation to the original normal sample.
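The attention-weighted momentum attack described above, both in the technical scheme and again in this embodiment, as an added worked example; this is not the patent's own code. A softmax-regression classifier over the flattened RGB image stands in for the deep model, a 2×2 average pool followed by a fixed channel mixing and ReLU stands in for the shallow convolutional feature map, and nearest-neighbour repetition stands in for bilinear up-sampling; these stand-ins, the numerical constants, the constructed input, and the choice to apply W_map to the L1-normalised gradient before it enters the velocity vector are assumptions of the example, not statements of the patent. The attention shapes follow the page: x_re [3, l], f_mm [c, l], W_c [3, c], W_c_re [3, l], W_p [1, l], W_map [H, W, 1]. The loss is the untargeted confidence margin with κ; the 2-norm term of the page's objective is omitted in favour of the infinity-norm budget ε, and, unlike the page, the perturbation is projected back onto the ε-ball so the returned sample always respects the budget.

```python
"""Added example (not the patent's code): a toy FineFool-style attack in numpy.

Stand-ins (assumptions): a softmax-regression classifier plays the deep model;
2x2 average pooling + fixed channel mixing + ReLU plays the shallow conv feature
map; nearest-neighbour repetition plays bilinear up-sampling.
"""
import numpy as np

H, W, C_FEAT, N_CLASS = 8, 8, 4, 3
L = H * W
_rng = np.random.default_rng(7)
W_CLS = _rng.normal(scale=0.1, size=(N_CLASS, 3 * L))  # constructed classifier weights
B_CLS = np.zeros(N_CLASS)
FEAT_MIX = _rng.normal(size=(3, C_FEAT))               # constructed "conv" channel mix


def softmax(z, axis=-1):
    z = z - z.max(axis=axis, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=axis, keepdims=True)


def logits(x):
    """Z(x): class scores of the stand-in classifier for an [H, W, 3] image in [0, 1]."""
    return W_CLS @ x.reshape(-1) + B_CLS


def margin_loss(x, y):
    """max_{y' != y} Z(x)_y' - Z(x)_y; positive means x is misclassified."""
    z = logits(x)
    return np.delete(z, y).max() - z[y]


def margin_gradient(x, y):
    """d margin_loss / dx for the linear stand-in: W[y*] - W[y], y* the current runner-up."""
    z = logits(x).copy()
    z[y] = -np.inf
    y_star = int(np.argmax(z))
    return (W_CLS[y_star] - W_CLS[y]).reshape(H, W, 3)


def shallow_features(x):
    """Stand-in shallow feature map at half resolution: [H/2, W/2, c]."""
    pooled = x.reshape(H // 2, 2, W // 2, 2, 3).mean(axis=(1, 3))
    return np.maximum(pooled @ FEAT_MIX, 0.0)


def reconstruct(f):
    """Up-sample to [H, W, c] (nearest-neighbour here; the page uses bilinear)."""
    return np.repeat(np.repeat(f, 2, axis=0), 2, axis=1)


def attention_map(x):
    """Channel-space attention W_c, then pixel-space attention W_p, then W_map."""
    x_re = x.reshape(L, 3).T                                       # [3, l]
    f_mm = reconstruct(shallow_features(x)).reshape(L, C_FEAT).T   # [c, l]
    w_c = softmax(x_re @ f_mm.T, axis=1)                           # [3, c], rows sum to 1
    w_c_re = w_c @ f_mm                                            # [3, l]
    w_p = softmax((x_re * w_c_re).sum(axis=0))                     # column-sum, then softmax: [l]
    return w_p.reshape(H, W, 1), w_c, w_p


def finefool_attack(x, y, eps=0.05, alpha=1.0, mu=1.0, kappa=0.0, max_iter=50):
    """Momentum iteration; the L1-normalised gradient is weighted by W_map (assumed placement)."""
    x_adv = x.copy()
    g = np.zeros_like(x)                                 # velocity vector g_0 = 0
    for i in range(1, max_iter + 1):
        grad = margin_gradient(x_adv, y)
        grad = grad / (np.abs(grad).sum() + 1e-12)       # 1-norm normalisation
        w_map, _, _ = attention_map(x_adv)
        g = mu * g + grad * w_map                        # g_{i+1} = mu * g_i + masked gradient
        rho = g * alpha                                  # rho_i = g_{i+1} * alpha
        # Project onto the eps-ball and valid pixel range instead of stopping when exceeded.
        x_adv = np.clip(x + np.clip(x_adv + rho - x, -eps, eps), 0.0, 1.0)
        if margin_loss(x_adv, y) > kappa:                # misclassified with confidence kappa
            return x_adv, True, i
    return x_adv, False, max_iter


def demo():
    """Attack a constructed image that the stand-in classifier labels correctly."""
    x = _rng.uniform(0.0, 1.0, size=(H, W, 3))
    y = int(np.argmax(logits(x)))
    w_map, w_c, w_p = attention_map(x)
    x_adv, success, iters = finefool_attack(x, y, eps=0.05)
    return {
        "linf": float(np.abs(x_adv - x).max()),
        "loss_before": float(margin_loss(x, y)),
        "loss_after": float(margin_loss(x_adv, y)),
        "success": success,
        "iterations": iters,
        "w_map_shape": tuple(w_map.shape),
        "w_c_row_sums": [float(s) for s in w_c.sum(axis=1)],
        "w_p_sum": float(w_p.sum()),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the infinity-norm of the perturbation, the margin before and after, and whether the margin exceeded κ. With a random linear stand-in the decision margin is usually wider than a budget of ε = 0.05, so `success` is often False; what the example shows is the mechanics: the 1-norm normalisation keeps the per-step budget fixed, W_map redistributes that budget onto a few pixels, and momentum lets those pixels walk to the ε boundary while the rest barely move.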
Adversarial training stage for the deep model:
This stage uses the adversarial examples produced in the generation stage for multi-intensity adversarial training of the deep model, specifically:
With other conditions equal, setting different upper limits on the adversarial perturbation, that is, different values of ε, yields adversarial examples of different attack strengths. Mixing adversarial examples of different strengths with normal samples in given proportions produces different training data sets for adversarial training, and the deep model is adversarially trained on them in batches so that, with as little loss of classification accuracy on normal samples as possible, its generalisation in defending against adversarial attacks improves and it can defend against adversarial examples produced by different attack methods.
The attack intensity (AIn) of a training data set is defined as:
AIn = Num(Adv) / Num(Nor)
where Num(Adv) and Num(Nor) are the numbers of adversarial and normal samples respectively. Normally the number of normal image samples in the training set is fixed, whereas adversarial examples can be generated with different attack parameters, so their number far exceeds the number of normal samples; the range of AIn is AIn ≥ 0.
The adversarial training of the deep model proceeds as follows:
(1) With a preset perturbation magnitude ε, attack the deep model with the feature-map attention-based adversarial attack method to generate a batch of adversarial examples {x_adv1}; then successively adjust the perturbation magnitude to ε/2, ε/3 and ε/4 to obtain further subsets {x_adv2}, {x_adv3} and {x_adv4}. As the preset perturbation magnitude shrinks, the attack success rate falls, so the corresponding subsets contain fewer adversarial examples and the overall attack ability of each set weakens.
(2) Mix all the adversarial examples obtained in step (1) into a total adversarial set with different attack abilities, ensuring balance and diversity of the data distribution; then mix adversarial examples and normal samples according to AIn taking the values 0.1, 0.2, 0.3, ..., 1.0 to obtain new training data sets of different attack intensities. The normal samples in these new training sets are all identical, while the adversarial examples are drawn with some randomness.
(3) Fine-tune the weight parameters of the deep model on the training data sets of different attack intensities obtained in step (2), so that it gains good robustness against adversarial example attacks and the reliability of the deep model in application improves.
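The ε schedule and the AIn mixing of the adversarial training stage described above, as an added example; this is not the patent's own code. `attack` is a hypothetical callable `(x, y, eps) -> (x_adv, success)` into which a real attack such as the one in the generation stage would be plugged; `toy_attack` is a constructed stand-in that succeeds exactly when the sample's first feature, read as a made-up distance to the decision boundary, is below 10·ε, so smaller budgets yield fewer successes, which is the behaviour the page reports. The normal samples are constructed random vectors; the fine-tuning step (3) is left to the caller's training loop.

```python
"""Added example (not the patent's code): multi-intensity adversarial training sets."""
import random


def toy_attack(x, y, eps):
    """Constructed stand-in for FineFool: x[0] is read as a made-up distance to the
    decision boundary; the attack succeeds only if the budget eps can cross it."""
    if x[0] >= 10 * eps:
        return None, False
    return [min(1.0, v + eps) for v in x], True


def generate_subsets(normal, attack, eps, divisors=(1, 2, 3, 4)):
    """Step (1): {x_adv1}..{x_adv4} at eps, eps/2, eps/3, eps/4, keeping only
    successful attacks; each adversarial example keeps its true label."""
    subsets = {}
    for k in divisors:
        budget = eps / k
        adv = []
        for x, y in normal:
            x_adv, ok = attack(x, y, budget)
            if ok:
                adv.append((x_adv, y))
        subsets[k] = adv
    return subsets


def attack_intensity(adv, normal):
    """AIn = Num(Adv) / Num(Nor)."""
    return len(adv) / len(normal)


def build_training_sets(normal, pool, intensities=tuple(i / 10 for i in range(1, 11)), seed=0):
    """Step (2): one data set per AIn value; the normal part is identical in each,
    the adversarial part is a fresh random draw (without replacement) from the pool."""
    rng = random.Random(seed)
    datasets = {}
    for ain in intensities:
        n_adv = round(ain * len(normal))
        if n_adv > len(pool):
            raise ValueError(f"pool of {len(pool)} adversarial examples too small for AIn={ain}")
        datasets[ain] = list(normal) + rng.sample(pool, n_adv)
    return datasets


def demo(n_normal=100, eps=0.08, seed=1):
    """Constructed normal set, then the full pipeline; returns checkable facts."""
    rng = random.Random(seed)
    normal = [([rng.random() for _ in range(4)], rng.randrange(3)) for _ in range(n_normal)]
    subsets = generate_subsets(normal, toy_attack, eps)
    pool = [s for k in sorted(subsets) for s in subsets[k]]      # total adversarial set
    datasets = build_training_sets(normal, pool)
    return {
        "subset_sizes": [len(subsets[k]) for k in (1, 2, 3, 4)],  # shrink as eps shrinks
        "pool_size": len(pool),
        "intensities": {ain: attack_intensity(ds[n_normal:], normal) for ain, ds in datasets.items()},
        "same_normal": all(ds[:n_normal] == normal for ds in datasets.values()),
    }


if __name__ == "__main__":
    print(demo())
```

The `ValueError` in `build_training_sets` is the check a practitioner wants: the page's assumption that adversarial examples far outnumber normal samples is what makes AIn = 1.0 reachable, and a weak attack or a small ε schedule can break it silently otherwise.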
Application examples
The adversarial attack defense method based on the feature-map attention mechanism provided above is applied to image classification; specifically, it can classify animal images, face images and other target images.
In application, an image set that shares characteristics with the images to be classified is first taken as the original images, and a deep learning network (for example Resnet-v2 or Inception-v3) is used as the image classification model. A large number of adversarial samples are generated with the above adversarial attack defense method based on the feature-map attention mechanism, and these adversarial samples are used to perform multi-intensity adversarial training on the trained image classification model, finding and repairing its existing vulnerabilities and producing an image classification model with the ability to defend against adversarial samples. The images to be classified are then classified with the trained image classification model that has this defense capability, giving reliable classification results.
Specific experiment:
The image dataset used in this experiment is a subset of the ImageNet image dataset from http://www.image-net.org/. The basic conditions of the dataset are: (a) the image dataset has 130000 training image samples, 100000 test image samples and 50000 validation set samples, and each image sample is a 64*64 matrix; (b) the dataset is divided into 1000 classes with the same number of image samples in each class, i.e. 130 samples per class in the training set, 50 samples per class in the validation set and 100 samples per class in the test set; (c) for ease of experiment, every image has undergone a simple normalization operation.
The trained image classification model is fine-tuned with the above training set, and adversarial samples are generated with the FineFool method.
The image classification models used in this experiment are Resnet-v2 and Inception-v3. The visualization of the resulting adversarial samples is shown in the last column of Fig. 2 and Fig. 3. In Fig. 2, "original" denotes the original normal image, and ρ_MI-FGSM, Adv_MI-FGSM, ρ_PGD, Adv_PGD, ρ_FineFool and Adv_FineFool denote the perturbation maps and adversarial sample images obtained by the MI-FGSM, PGD and FineFool attack methods respectively. Fig. 2 and Fig. 3 show the results obtained by attacking the depth models Resnet-v2 and Inception-v3 respectively. Fig. 4 and Fig. 5 show, for the adversarial samples of Fig. 2 and Fig. 3, the falling confidence curve of the original correct class and the rising confidence curve of the wrongly classified class during the attack process.
PGD and MI-FGSM are the attack methods used for comparison. PGD takes a normal gradient descent step and then clips all coordinates into a region; research shows that the local maxima obtained by PGD have similar loss function values for normally trained and adversarially trained networks, which indicates that the adversarial samples produced by this method have good robustness. The MI-FGSM attack method introduces a generalized momentum iteration algorithm to enhance attack capability: by embedding a momentum term in the attack iterations, the update direction of the perturbation is stabilized during iteration, which avoids falling into local optima.
The above MI-FGSM, PGD and FineFool adversarial attack methods are used to attack the depth models Resnet-v2 and Inception-v3, and the generated adversarial samples are then used for the multi-intensity adversarial training defense operation. The resulting defense effect is shown in Table 1. Table 1 reports the attack success rate; a smaller value means the model is harder to attack successfully and its defense capability is better. It can be seen that the FineFool method proposed by the present invention generates better adversarial samples, so that the model has a better defense effect after adversarial training. The different attack methods attack the model that was adversarially trained with adversarial samples generated by the FineFool attack method.
Table 1 Attack success rate after adversarial training based on the FineFool attack method
The specific embodiments described above explain the technical solution and beneficial effects of the present invention in detail. It should be understood that the above is only the preferred embodiment of the present invention and is not intended to restrict the invention; any modification, supplement or equivalent replacement made within the principles of the present invention shall be included in the protection scope of the present invention.
Claims (8)
1. An adversarial attack defense method oriented to an attention mechanism, comprising the following steps:
(1) extracting the contour features of the object contour in an image with an attention mechanism, designing a small perturbation based on the extracted contour features and adding it to the original normal sample to obtain an adversarial sample, and then optimizing the perturbation variable by a momentum iteration method to update the adversarial sample, so as to realize an adversarial attack on a depth model;
(2) performing adversarial training on the depth model based on a multi-intensity adversarial training strategy, using a dataset in which adversarial samples and normal samples are mixed, so as to realize the defense of the depth model against the adversarial attack.
2. The adversarial attack defense method oriented to an attention mechanism according to claim 1, characterized in that extracting the contour features of the object contour in the image with the attention mechanism, designing a small perturbation based on the extracted contour features and adding it to the original normal sample to obtain an adversarial sample comprises:
a reconstructed feature extraction step: based on the shallow network features of the depth model, extracting the shallow feature image of the input original image with the attention mechanism as the feature image, and up-sampling the feature image to obtain a reconstructed feature image;
a channel space attention weight calculation step: calculating a channel space attention weight matrix from the original image and the reconstructed feature image;
a pixel space attention weight calculation step: calculating a pixel space attention weight matrix from the reconstructed channel space attention weight matrix and the original image;
an adversarial sample generation step: calculating the perturbation to be added from the pixel space attention weight matrix, and adding the perturbation to the original image to obtain the adversarial sample.
3. The adversarial attack defense method oriented to an attention mechanism according to claim 2, characterized in that in the channel space attention weight calculation step:
the original image x of size [H, W, 3] is converted by a reshape operation into an image x_re of size [3, l], where H is the number of pixels in the vertical direction of the image, W is the number of pixels in the horizontal direction, 3 denotes the three RGB channels of a color image, and l = H × W;
the reconstructed feature image f_m of size [H, W, c], obtained by up-sampling in the shallow hidden layer, is converted by a reshape operation into the reconstructed feature image f_mm of size [c, l];
the channel space attention weight matrix W_c of size [3, c] is obtained through the formula, where softmax() is the activation function.
4. The adversarial attack defense method oriented to an attention mechanism according to claim 2, characterized in that in the pixel space attention weight calculation step:
the reconstructed channel space attention weight of size [3, l] is calculated through the formula, where the operator in the formula denotes matrix multiplication;
the pixel space attention weight W_p of size [1, l] is calculated through the formula, where the operator denotes multiplication of the corresponding elements of the matrices and softmax() is the activation function.
5. The adversarial attack defense method oriented to an attention mechanism according to claim 2, characterized in that in the adversarial sample generation step:
the pixel space attention weight W_p of size [1, l] is turned by a reshape function operation into the attention mapping weight W_map of size [H, W, 1];
the perturbation ρ to be added is calculated by the following formula:
where the operator denotes multiplication of the corresponding elements of two matrices; y denotes the correct class corresponding to the original image x; the norm term denotes the 1-norm of the calculated gradient, i.e. the sum of the absolute values of the vector elements; x_i denotes the pixel matrix of the i-th channel;
finally, the adversarial sample x* is obtained through the formula, where the operator denotes addition of the corresponding elements of the matrices.
6. The adversarial attack defense method oriented to an attention mechanism according to any one of claims 1 to 5, characterized in that optimizing the perturbation variable by the momentum iteration method to update the adversarial sample comprises:
setting the maximum number of iterations of the trained deep learning classifier f to T, the original image to x, and the correct class corresponding to the original image x to y; at the start of the iteration, initializing the current image to the original image and setting the initial velocity vector g_0 = 0;
defining the attack optimization objective function of the iterative process as follows:
where the hyperparameter κ >= 0 denotes the confidence of the misclassified class of the generated adversarial sample (the larger κ is, the stricter the requirement on the generated adversarial sample and the more reliable the attack performance of the obtained sample); x_0 denotes the initial image without added perturbation, i.e. the original image x; Z(x)_y denotes the confidence that the sample is classified as y and Z(x)_y' denotes the confidence that the sample is classified as y'; the norm term denotes the 2-norm of x - x_0, i.e. the square root of the sum of the squared absolute values of the vector elements, which limits the size of the adversarial perturbation; y'_t denotes the specific target label preset by the attacker;
(1) inputting the current image into the deep learning classifier f, calculating the gradient of the deep learning classifier f with respect to the input, and capturing the shallow feature image of the image in the network; up-sampling the shallow feature image by bilinear interpolation to obtain the reconstructed feature image; and obtaining the pixel space attention weight by the following formula:
where the first term denotes the reconstructed channel space attention weight and the second denotes the channel space attention weight before reconstruction, the reconstruction being performed by a reshape function operation; the operators denote matrix multiplication and multiplication of the corresponding elements of the matrices, softmax() is the activation function, and the transposed term denotes the transpose of the reconstructed image matrix; before the softmax() function is executed, the matrix obtained from the calculation is summed along the column direction;
(2) reconstructing the pixel space attention weight into the attention mapping weight by a reshape operation;
(3) updating the velocity vector g_{i+1} along the gradient-based direction:
where μ is the decay factor and the norm term denotes the 1-norm of the calculated gradient;
(4) calculating the perturbation ρ_i to be added based on the velocity vector g_{i+1}:
ρ_i = g_{i+1} × α
where α denotes the perturbation step size added in each iteration;
(5) adding the perturbation ρ_i to the current image to obtain the updated adversarial sample:
Steps (1) to (5) are repeated until the perturbation exceeds the preset value or the attack succeeds, at which point adversarial sample generation is complete; here the infinity norm denotes the maximum absolute value among the elements, ε is the preset perturbation size, and y is the correct class of the original image x.
7. The adversarial attack defense method oriented to an attention mechanism according to claim 1, characterized in that performing adversarial training on the depth model with adversarial samples based on the multi-intensity adversarial training strategy comprises:
(1) based on a preset perturbation amplitude parameter ε, generating a batch of adversarial samples, the set {x_adv1}, with step (1) of the adversarial attack defense method oriented to an attention mechanism, and then repeatedly adjusting the perturbation amplitude to ε/2, ε/3 and ε/4 to obtain the adversarial sample sets {x_adv2}, {x_adv3} and {x_adv4};
(2) mixing all adversarial sample sets obtained in step (1) to obtain a total adversarial sample set with different attack capabilities, and mixing adversarial samples and normal samples according to attack intensity AIn values of 0.1, 0.2, 0.3, ..., 1.0 to obtain new training datasets with different attack intensities;
(3) fine-tuning the weight parameters of the depth model with the new training datasets with different attack intensities obtained in step (2).
8. Application of the adversarial attack defense method oriented to an attention mechanism according to any one of claims 1 to 7 in image classification, characterized by comprising the following process:
first, taking an image set that shares characteristics with the images to be classified as the original images, using a deep neural network as the image classification model, generating a large number of adversarial samples with the adversarial attack defense method based on the feature-map attention mechanism according to claims 1 to 7, and performing multi-intensity adversarial training on the trained image classification model with the adversarial samples to find and repair its existing vulnerabilities, thereby obtaining an image classification model with the ability to defend against adversarial samples;
then, classifying the images to be classified with the trained image classification model that has the ability to defend against adversarial samples, to obtain reliable classification results.
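Claims 3, 4 and 6 (step 1) describe the attention-weight pipeline only by tensor shapes and operator names, because the formulas themselves did not survive on this page. The following added example, which is not the patent's code, implements that pipeline in pure Python so the shapes can be checked on a constructed input. The exact formula forms are assumptions consistent with the stated shapes: W_c = softmax_rows(x_re · f_mm^T) of size [3, c]; the reconstructed channel attention W_rec = W_c · f_mm of size [3, l]; W_p = softmax over the l pixels of the channel-summed product W_rec ⊙ x_re, of size [1, l]; the corner-aligned bilinear up-sampling, the 4×4 test image and the 2×2 feature map are constructed as well. The perturbation step of claim 5 is not included.

```python
"""Attention-weight pipeline of claims 3, 4 and 6 step (1) (added example,
not the patent's code). Formula forms are assumptions matching the stated
shapes: W_c [3,c], W_rec [3,l], W_p [1,l], l = H*W."""
import math
from typing import List

Matrix = List[List[float]]


def bilinear_upsample(feat: List[List[List[float]]], H: int, W: int):
    """Up-sample an [h, w, c] feature map to [H, W, c] by corner-aligned
    bilinear interpolation, as claim 6 step (1) prescribes for the shallow
    feature image."""
    h, w, c = len(feat), len(feat[0]), len(feat[0][0])
    out = []
    for i in range(H):
        y = i * (h - 1) / (H - 1) if H > 1 else 0.0
        y0 = int(math.floor(y)); y1 = min(y0 + 1, h - 1); wy = y - y0
        row = []
        for j in range(W):
            x = j * (w - 1) / (W - 1) if W > 1 else 0.0
            x0 = int(math.floor(x)); x1 = min(x0 + 1, w - 1); wx = x - x0
            pix = []
            for k in range(c):
                top = feat[y0][x0][k] * (1 - wx) + feat[y0][x1][k] * wx
                bot = feat[y1][x0][k] * (1 - wx) + feat[y1][x1][k] * wx
                pix.append(top * (1 - wy) + bot * wy)
            row.append(pix)
        out.append(row)
    return out


def flatten_channels(img: List[List[List[float]]]) -> Matrix:
    """reshape [H, W, k] -> [k, l] with l = H*W (row-major pixel order);
    used for both x -> x_re (k = 3) and f_m -> f_mm (k = c)."""
    H, W, k = len(img), len(img[0]), len(img[0][0])
    return [[img[i][j][ch] for i in range(H) for j in range(W)] for ch in range(k)]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def transpose(m: Matrix) -> Matrix:
    return [list(col) for col in zip(*m)]


def softmax_rows(m: Matrix) -> Matrix:
    """Row-wise softmax, shifted by the row maximum for numerical stability."""
    out = []
    for row in m:
        mx = max(row)
        e = [math.exp(v - mx) for v in row]
        s = sum(e)
        out.append([v / s for v in e])
    return out


def channel_attention(x_re: Matrix, f_mm: Matrix) -> Matrix:
    """W_c [3, c] (claim 3, assumed form): softmax over the affinities between
    each colour channel of x_re and each feature channel of f_mm."""
    return softmax_rows(matmul(x_re, transpose(f_mm)))


def pixel_attention(w_c: Matrix, f_mm: Matrix, x_re: Matrix) -> Matrix:
    """W_p [1, l] (claims 4 and 6, assumed form): project W_c back to pixel
    space with f_mm, multiply element-wise by the image, sum over the colour
    channels (the column-direction summation of claim 6), then softmax."""
    w_rec = matmul(w_c, f_mm)                       # reconstructed channel attention [3, l]
    l = len(x_re[0])
    summed = [sum(w_rec[ch][p] * x_re[ch][p] for ch in range(len(x_re)))
              for p in range(l)]
    return softmax_rows([summed])


def attention_map(w_p: Matrix, H: int, W: int) -> Matrix:
    """reshape [1, l] -> [H, W] (claim 5's W_map without its singleton channel)."""
    return [w_p[0][i * W:(i + 1) * W] for i in range(H)]


def compute_attention(image, shallow_features):
    """Full pipeline: image [H, W, 3] and shallow features [h, w, c]
    -> (W_c, W_p, attention map)."""
    H, W = len(image), len(image[0])
    f_m = bilinear_upsample(shallow_features, H, W)   # [H, W, c]
    x_re = flatten_channels(image)                     # [3, l]
    f_mm = flatten_channels(f_m)                       # [c, l]
    w_c = channel_attention(x_re, f_mm)
    w_p = pixel_attention(w_c, f_mm, x_re)
    return w_c, w_p, attention_map(w_p, H, W)


# Constructed input: a 4x4 RGB image that is white in its top-left 2x2 block
# and black elsewhere, plus a 2x2 shallow feature map with c = 2 channels
# whose first channel fires only at the top-left position.
IMAGE = [[[1.0, 1.0, 1.0] if (i < 2 and j < 2) else [0.0, 0.0, 0.0]
          for j in range(4)] for i in range(4)]
SHALLOW = [[[1.0, 0.0], [0.0, 0.0]],
           [[0.0, 0.0], [0.0, 0.0]]]

if __name__ == "__main__":
    w_c, w_p, amap = compute_attention(IMAGE, SHALLOW)
    for row in amap:
        print(" ".join(f"{v:.3f}" for v in row))
```

On the constructed input the attention mass concentrates on the top-left pixel, where both the image and the up-sampled feature channel are strongest, and every softmax row sums to one; a defender reproducing the method can use such checks to confirm that the attention map only redistributes weight over the l pixels and does not itself alter the image.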
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910138087.1A CN109948658B (en) | 2019-02-25 | 2019-02-25 | Feature diagram attention mechanism-oriented anti-attack defense method and application |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109948658A true CN109948658A (en) | 2019-06-28 |
CN109948658B CN109948658B (en) | 2021-06-15 |
Non-Patent Citations (1)
Title |
---|
JINYIN CHEN 等: "FineFool: Fine Object Contour Attack via Attention", 《ARXIV:1812.01713V1》 * |
CN113076980A (en) * | 2021-03-24 | 2021-07-06 | 中山大学 | Out-of-distribution image detection method based on attention enhancement and input disturbance |
CN113076980B (en) * | 2021-03-24 | 2023-11-14 | 中山大学 | Method for detecting images outside distribution based on attention enhancement and input disturbance |
CN113611323A (en) * | 2021-05-07 | 2021-11-05 | 北京至芯开源科技有限责任公司 | Voice enhancement method and system based on dual-channel convolution attention network |
CN113611323B (en) * | 2021-05-07 | 2024-02-20 | 北京至芯开源科技有限责任公司 | Voice enhancement method and system based on double-channel convolution attention network |
CN113344090A (en) * | 2021-06-18 | 2021-09-03 | 成都井之丽科技有限公司 | Image processing method for resisting attack by target in middle layer |
CN113344090B (en) * | 2021-06-18 | 2022-11-22 | 成都井之丽科技有限公司 | Image processing method for resisting attack by target in middle layer |
CN113571067B (en) * | 2021-06-21 | 2023-12-26 | 浙江工业大学 | Voiceprint recognition countermeasure sample generation method based on boundary attack |
CN113571067A (en) * | 2021-06-21 | 2021-10-29 | 浙江工业大学 | Voiceprint recognition countermeasure sample generation method based on boundary attack |
CN113485313A (en) * | 2021-06-25 | 2021-10-08 | 杭州玳数科技有限公司 | Anti-interference method and device for automatic driving vehicle |
CN113392932B (en) * | 2021-07-06 | 2024-01-30 | 中国兵器工业信息中心 | Anti-attack system for deep intrusion detection |
CN113392932A (en) * | 2021-07-06 | 2021-09-14 | 中国兵器工业信息中心 | Anti-attack system for deep intrusion detection |
CN113780557A (en) * | 2021-11-11 | 2021-12-10 | 中南大学 | Method, device, product and medium for resisting image attack based on immune theory |
CN113780557B (en) * | 2021-11-11 | 2022-02-15 | 中南大学 | Method, device, product and medium for resisting image attack based on immune theory |
CN114092856A (en) * | 2021-11-18 | 2022-02-25 | 西安交通大学 | Video weak supervision abnormity detection system and method of confrontation and attention combined mechanism |
CN114092856B (en) * | 2021-11-18 | 2024-02-06 | 西安交通大学 | Video weak supervision abnormality detection system and method for antagonism and attention combination mechanism |
CN114241268A (en) * | 2021-12-21 | 2022-03-25 | 支付宝(杭州)信息技术有限公司 | Model training method, device and equipment |
CN114332569A (en) * | 2022-03-17 | 2022-04-12 | 南京理工大学 | Low-disturbance attack resisting method based on attention mechanism |
CN114742170B (en) * | 2022-04-22 | 2023-07-25 | 马上消费金融股份有限公司 | Countermeasure sample generation method, model training method, image recognition method and device |
CN114742170A (en) * | 2022-04-22 | 2022-07-12 | 马上消费金融股份有限公司 | Countermeasure sample generation method, model training method, image recognition method and device |
CN114978654A (en) * | 2022-05-12 | 2022-08-30 | 北京大学 | End-to-end communication system attack defense method based on deep learning |
CN114612688B (en) * | 2022-05-16 | 2022-09-09 | 中国科学技术大学 | Countermeasure sample generation method, model training method, processing method and electronic equipment |
CN114612688A (en) * | 2022-05-16 | 2022-06-10 | 中国科学技术大学 | Confrontation sample generation method, model training method, processing method and electronic equipment |
CN114943641A (en) * | 2022-07-26 | 2022-08-26 | 北京航空航天大学 | Method and device for generating anti-texture image based on model sharing structure |
CN116450187A (en) * | 2023-05-05 | 2023-07-18 | 四川励致科技有限公司 | Digital online application processing method and AI application system applied to AI analysis |
Also Published As
Publication number | Publication date |
---|---|
CN109948658B (en) | 2021-06-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109948658A (en) | The confrontation attack defense method of Feature Oriented figure attention mechanism and application | |
CN106096538B (en) | Face identification method and device based on sequencing neural network model | |
Su et al. | Optimized hyperspectral band selection using particle swarm optimization | |
CN108322349A (en) | The deep learning antagonism attack defense method of network is generated based on confrontation type | |
CN109858368B (en) | Rosenbrock-PSO-based face recognition attack defense method | |
CN108615048A (en) | It is evolved based on disturbance and fights the defence method of sexual assault to Image Classifier | |
CN114067177B (en) | Remote sensing image classification network robustness improving method based on self-supervision learning | |
CN110334749A (en) | Confrontation attack defending model, construction method and application based on attention mechanism | |
CN109272107A (en) | A method of improving the number of parameters of deep layer convolutional neural networks | |
Pare et al. | A context sensitive multilevel thresholding using swarm based algorithms | |
CN109977922A (en) | A kind of pedestrian's mask generation method based on generation confrontation network | |
CN111161191B (en) | Image enhancement method | |
CN106650667A (en) | Pedestrian detection method and system based on support vector machine | |
CN110309854A (en) | A kind of signal modulation mode recognition methods and device | |
CN111414964A (en) | Image security identification method based on defense sample | |
CN110175646A (en) | Multichannel confrontation sample testing method and device based on image transformation | |
CN108345856A (en) | The SAR automatic target recognition methods integrated based on isomery convolutional neural networks | |
CN111047054A (en) | Two-stage countermeasure knowledge migration-based countermeasure sample defense method | |
CN114724189A (en) | Method, system and application for training confrontation sample defense model for target recognition | |
CN113222120B (en) | Neural network back door injection method based on discrete Fourier transform | |
Fang et al. | Neural network application for thermal image recognition of low-resolution objects | |
CN116824485A (en) | Deep learning-based small target detection method for camouflage personnel in open scene | |
CN117057408A (en) | GAN-based black box migration anti-attack method | |
CN115238271A (en) | AI security detection method based on generative learning | |
CN114332623A (en) | Method and system for generating countermeasure sample by utilizing spatial transformation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||