CN110020593A - Information processing method and apparatus, medium, and computing device - Google Patents

Publication number
CN110020593A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910108716.6A
Other languages
Chinese (zh)
Other versions
CN110020593B (en
Inventor
朱军
董胤蓬
苏航
桥本优
程书语
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G06N3/045 Combinations of networks
    • G06N3/08 Learning methods
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00 Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10 Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/16 Human faces, e.g. facial parts, sketches or expressions
    • G06V40/172 Classification, e.g. identification

Abstract

Embodiments of the present invention provide an information processing method and apparatus, a storage medium, and a computing device. The information processing method includes: obtaining a predetermined image recognition model; and, for the image recognition model, solving for the optimal solution of a preset optimization problem through an iterative computation that gradually reduces the distance between the candidate adversarial example and the original sample, based on the input/output relationship obtained each time the image recognition model is queried with a candidate adversarial example found in the input space. The preset optimization problem includes: obtaining, in the input space, the candidate adversarial example with the smallest distance to the original sample; and ensuring that the candidate adversarial example found in each iteration successfully attacks the image recognition model. The technique of the invention can generate adversarial examples that successfully attack a given image recognition model without obtaining the model's structure or parameters, is particularly effective against face recognition models, and can substantially reduce the number of queries compared with the prior art.

Description

Information processing method and apparatus, medium, and computing device
Technical field
Embodiments of the present invention relate to the field of information processing, and more specifically to an information processing method and apparatus, a medium, and a computing device.
Background
Deep neural networks, as one class of machine learning methods, have attracted wide attention in recent years because of their remarkable results in many fields such as speech recognition, image classification and object detection. However, deep neural network models that reach very high accuracy on many tasks are highly vulnerable to attack in adversarial environments. In an adversarial environment, a network model such as a deep neural network may be fed adversarial examples, such as images or speech, that are maliciously constructed from normal samples. These adversarial examples are easily misclassified by deep learning models, yet a human observer can hardly find the difference between an adversarial example and a normal sample. Because adversarial examples can be used to measure how robust different deep-learning-based systems are, research on generating adversarial examples has become an important field. Adversarial examples can also serve as a form of data augmentation for training more robust neural networks.
For example, face recognition, an important task in computer vision, has also made great progress driven by deep neural networks, and face recognition systems have many applications in real-world scenarios such as finance and payment, public transport, and criminal identification. Although face recognition systems have achieved great success and practical use, the security of these systems has not received enough attention. This patent therefore seeks to analyze the security of face recognition systems.
Summary of the invention
Thus, an improved method of generating adversarial examples is highly desirable, so that an attack can be carried out when the actual face recognition system is difficult to obtain, and so that the attack is more effective.
In this context, embodiments of the present invention are intended to provide an information processing method and apparatus, a medium, and a computing device.
According to one aspect of the invention, an information processing method is provided, comprising: obtaining a predetermined image recognition model; and, for the image recognition model, solving for the optimal solution of a preset optimization problem through an iterative computation that gradually reduces the distance between the candidate adversarial example and the original sample, based on the input/output relationship obtained each time the image recognition model is queried with a candidate adversarial example found in the input space. The preset optimization problem includes: obtaining, in the input space, the candidate adversarial example with the smallest distance to the original sample; and ensuring that the candidate adversarial example found in each iteration successfully attacks the image recognition model.
Further, the step of solving for the optimal solution of the preset optimization problem includes: constructing a loss function, where the loss function includes a first term and a second term, the first term includes the distance between the original sample and the current candidate adversarial example, and the second term includes an indicator function, where the value of the indicator function is less than a first preset threshold when the current candidate adversarial example successfully attacks the image recognition model, the value of the indicator function is greater than a second preset threshold when the current candidate adversarial example fails to attack the image recognition model, and the first preset threshold is less than or equal to the second preset threshold; and solving for the optimal solution that minimizes the loss function.
Further, the value of the indicator function is 0 when the current candidate adversarial example successfully attacks the image recognition model, and positive infinity when the current candidate adversarial example fails to attack the image recognition model.
Further, in the process of solving for the optimal solution of the preset optimization problem through the iterative computation that gradually reduces the distance between the candidate adversarial example and the original sample, each iteration includes: randomly sampling from Gaussian noise to obtain a first noise, and setting part of the values in the first noise to 0; mapping the current first noise to the space corresponding to the original sample to obtain a second noise; obtaining a third noise by adding a bias term to the second noise, and taking the sample obtained by adding the third noise to the current candidate adversarial example as the sample to be updated; and determining whether the sample to be updated is still an adversarial example for the image recognition model: if so, updating the current candidate adversarial example to the sample to be updated, and updating at least the bias term parameter and the Gaussian noise parameters, so that the distance between the original sample and the candidate adversarial example found in the next iteration is smaller than the distance between the original sample and the candidate adversarial example found in the current iteration, and then performing the next iteration; otherwise, ending the search and taking the current candidate adversarial example as the adversarial example with the smallest distance to the original sample.
Further, the bias term of each iteration includes the product of the distance between the original sample and the candidate adversarial example found in the current iteration and the current bias term parameter.
Further, in each iteration, the step of updating at least the bias term parameter and the Gaussian noise parameters includes: updating the bias term parameter and the Gaussian noise parameters based at least on the distance between the updated current candidate adversarial example and the original sample and on the previously successful search directions.
Further, the method also includes: presetting a maximum number of queries to the image recognition model; if the current number of iterations reaches the maximum number of queries, ending the entire search after the current iteration completes, and taking the current candidate adversarial example as the adversarial example with the smallest distance to the original sample.
Further, in each iteration: each dimension of the first noise corresponds to one search direction; at least one direction is selected from all the search directions corresponding to the first noise, the values in the first noise corresponding to the at least one direction are set to 1, and the remaining values are set to 0.
Further, the probability that each of the search directions corresponding to the first noise is selected is proportional to the value of the corresponding element on the diagonal of a predetermined covariance matrix.
Further, in each iteration, the current first noise is mapped to the space corresponding to the original sample by linear interpolation.
Further, the image recognition model is a face recognition model.
Further, the face recognition model includes a face verification model or a face classification model.
Further, the types of attack that the candidate adversarial example carries out against the image recognition model include a dodging attack or an impersonation attack.
Further, for a dodging attack, random noise is used as the initial value of the candidate adversarial example; and for an impersonation attack, the original image used to attack the image recognition model is used as the initial value of the candidate adversarial example.
According to another aspect of the invention, an information processing apparatus is also provided, comprising: a model obtaining unit adapted to obtain a predetermined image recognition model; and a processing unit adapted, for the image recognition model, to solve for the optimal solution of a preset optimization problem through an iterative computation that gradually reduces the distance between the candidate adversarial example and the original sample, based on the input/output relationship obtained each time the image recognition model is queried with a candidate adversarial example found in the input space. The preset optimization problem includes: obtaining, in the input space, the candidate adversarial example with the smallest distance to the original sample; and ensuring that the candidate adversarial example found in each iteration successfully attacks the image recognition model.
Further, the processing unit includes: a loss function construction subunit adapted to construct a loss function, where the loss function includes a first term and a second term, the first term includes the distance between the original sample and the current candidate adversarial example, and the second term includes an indicator function, where the value of the indicator function is less than a first preset threshold when the current candidate adversarial example successfully attacks the image recognition model, the value of the indicator function is greater than a second preset threshold when the current candidate adversarial example fails to attack the image recognition model, and the first preset threshold is less than or equal to the second preset threshold; and a solving subunit adapted to solve for the optimal solution that minimizes the loss function.
Further, the value of the indicator function is 0 when the current candidate adversarial example successfully attacks the image recognition model, and positive infinity when the current candidate adversarial example fails to attack the image recognition model.
Further, in the process of solving for the optimal solution of the preset optimization problem through the iterative computation that gradually reduces the distance between the candidate adversarial example and the original sample, the processing unit is adapted to perform the following in each iteration: randomly sampling from Gaussian noise to obtain a first noise, and setting part of the values in the first noise to 0; mapping the current first noise to the space corresponding to the original sample to obtain a second noise; obtaining a third noise by adding a bias term to the second noise, and taking the sample obtained by adding the third noise to the current candidate adversarial example as the sample to be updated; and determining whether the sample to be updated is still an adversarial example for the image recognition model: if so, updating the current candidate adversarial example to the sample to be updated, and updating at least the bias term parameter and the Gaussian noise parameters, so that the distance between the original sample and the candidate adversarial example found in the next iteration is smaller than the distance between the original sample and the candidate adversarial example found in the current iteration, and then performing the next iteration; otherwise, ending the search and taking the current candidate adversarial example as the adversarial example with the smallest distance to the original sample.
Further, the bias term of each iteration includes the product of the distance between the original sample and the candidate adversarial example found in the current iteration and the current bias term parameter.
Further, the processing unit is adapted, in each iteration, to update at least the bias term parameter and the Gaussian noise parameters as follows: updating the bias term parameter and the Gaussian noise parameters based at least on the distance between the updated current candidate adversarial example and the original sample and on the previously successful search directions.
Further, the apparatus also includes: a judging unit adapted to preset a maximum number of queries to the image recognition model and, if the current number of iterations reaches the maximum number of queries, to end the entire search after the current iteration completes and take the current candidate adversarial example as the adversarial example with the smallest distance to the original sample.
Further, the processing unit is adapted, in each iteration, to: select at least one direction from all the search directions corresponding to the first noise, set the values in the first noise corresponding to the at least one direction to 1, and set the remaining values to 0; where each dimension of the first noise corresponds to one search direction.
Further, the processing unit is adapted to make the probability that each of the search directions corresponding to the first noise is selected proportional to the value of the corresponding element on the diagonal of a predetermined covariance matrix.
Further, the processing unit is adapted, in each iteration, to map the current first noise to the space corresponding to the original sample by linear interpolation.
Further, the image recognition model is a face recognition model.
Further, the face recognition model includes a face verification model or a face classification model.
Further, the types of attack that the candidate adversarial example carries out against the image recognition model include a dodging attack or an impersonation attack.
Further, the processing unit is adapted to: for a dodging attack, use random noise as the initial value of the candidate adversarial example; and for an impersonation attack, use the original image used to attack the image recognition model as the initial value of the candidate adversarial example.
According to another aspect of the invention, a storage medium storing a program is also provided, where the program, when executed by a processor, implements the information processing method described above.
According to yet another aspect of the invention, a computing device is also provided, including the storage medium described above.
With the information processing method and apparatus, storage medium and computing device according to embodiments of the invention, for a given image recognition model, the correspondence between its inputs and outputs is obtained by querying the target model, without obtaining the model's internal structure or parameters, and the proposed method is used to search the input space to obtain the adversarial example with the smallest distance to the original sample that successfully attacks the given image recognition model. The method is particularly effective against face recognition models and can substantially reduce the number of queries compared with the prior art.
Brief description of the drawings
The above and other objects, features and advantages of exemplary embodiments of the invention will become easier to understand by reading the following detailed description with reference to the accompanying drawings. In the drawings, several embodiments of the invention are shown by way of example and not limitation, in which:
Fig. 1 is a flowchart schematically showing an exemplary process of the information processing method according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the scenario of attacking a face recognition model;
Fig. 3 is a schematic diagram of examples of a dodging attack and an impersonation attack on face verification;
Fig. 4 is a flowchart showing an exemplary process of solving for the optimal solution of the preset optimization problem;
Fig. 5 is a flowchart of an exemplary process of each iteration step in solving for the optimal solution of the preset optimization problem;
Fig. 6A is a schematic diagram of the results of dodging attacks and impersonation attacks on face verification on the LFW dataset;
Fig. 6B is a schematic diagram of the results of dodging attacks and impersonation attacks on face classification on the LFW dataset;
Fig. 6C is a schematic diagram of the results of dodging attacks and impersonation attacks on face verification on the MegaFace dataset;
Fig. 6D is a schematic diagram of the results of dodging attacks and impersonation attacks on face classification on the MegaFace dataset;
Fig. 7 is a block diagram schematically showing an exemplary structure of the information processing apparatus according to an embodiment of the invention;
Fig. 8 is a schematic diagram showing one possible structure of the processing unit in Fig. 7;
Fig. 9 is a schematic structural diagram of a computer according to an embodiment of the invention;
Fig. 10 is a schematic diagram of a computer-readable storage medium according to an embodiment of the invention.
In the drawings, identical or corresponding reference numerals denote identical or corresponding parts.
Detailed description of embodiments
The principle and spirit of the invention are described below with reference to several exemplary embodiments. It should be understood that these embodiments are provided only so that those skilled in the art can better understand and implement the invention, and not to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure is thorough and complete and conveys the scope of the disclosure fully to those skilled in the art.
Those skilled in the art will appreciate that embodiments of the invention may be implemented as a system, apparatus, device, method or computer program product. The present disclosure may therefore take the form of complete hardware, complete software (including firmware, resident software, microcode and the like), or a combination of hardware and software.
It should be understood that any number of elements in the drawings is given by way of example and not limitation, and that any naming is used only for distinction and has no limiting meaning.
The principle and spirit of the invention are explained in detail below with reference to several representative embodiments.
Exemplary method
The information processing method according to an exemplary embodiment of the invention is described below with reference to Fig. 1.
Fig. 1 schematically shows an exemplary process flow 100 of the information processing method according to an embodiment of the present disclosure.
As shown in Fig. 1, after process flow 100 starts, step S110 is performed first.
In step S110, a predetermined image recognition model is obtained, where the internal structure and parameters of the image recognition model are unknown. For example, the model may be received directly from outside, or it may be obtained in some other way.
As an example, the image recognition model may be a face recognition model, or another type of image recognition model, such as a model for recognizing predetermined static gestures or a model for recognizing a predetermined watermark.
In addition, the image recognition model mentioned here may be, for example, an image classification model or an image verification model.
For example, the face recognition model may be a face verification model or a face classification model. Face verification means that, given two face pictures, the model judges whether the two pictures come from the same individual; face classification means that, given one face picture, the model classifies it as the individual it represents.
In step S120, for the predetermined image recognition model, the optimal solution of a preset optimization problem is solved through an iterative computation that gradually reduces the distance between the candidate adversarial example and the original sample, based on the input/output relationship obtained each time the image recognition model is queried with a candidate adversarial example found in the input space. The preset optimization problem includes:
obtaining, in the input space, the candidate adversarial example with the smallest distance to the original sample; and
ensuring that the candidate adversarial example found in each iteration successfully attacks the image recognition model.
The types of attack that the candidate adversarial example carries out against the image recognition model may include, for example, a dodging attack or an impersonation attack.
As an example, the goal of a dodging attack is to keep the model from recognizing a given face picture as the individual it represents, which can be used to protect user privacy; the goal of an impersonation attack is to make the model misrecognize a given face picture as a specified individual, which can be used to intrude into a face recognition system.
For example, for face verification, a dodging attack means that, given two pictures of the same individual, the model wrongly judges them to be different individuals; an impersonation attack means that, given two face pictures of different individuals, the model wrongly judges them to be the same individual.
For face classification, a dodging attack means that a face picture is misclassified as any other individual; an impersonation attack means that a face picture is misclassified as some specified individual.
For a dodging attack, random noise may be used, for example, as the initial value of the candidate adversarial example.
For an impersonation attack, the original image used to attack the image recognition model may be used, for example, as the initial value of the candidate adversarial example.
As shown in Fig. 2, the black-box model is a face recognition model, as one example of the image recognition model to be attacked. The images on the left are the original image and samples with different adversarial noise added (the candidate adversarial examples). By querying the model many times, an adversarial example with a smaller noise magnitude (that is, with the smallest distance to the original sample) is obtained from the correspondence between the model's inputs and outputs.
Fig. 3 gives examples of a dodging attack and an impersonation attack on face verification. As shown in Fig. 3, for the dodging attack, the original images are two original images of the same face, and the purpose is to make the model misidentify the two images: the output should be that they are the same face, but they are mistaken for the faces of two people. To the left of the dotted line is the original image, and to the right of the dotted line are the candidate adversarial examples after adversarial noise has been added. For the impersonation attack, the original images are original face images of two people, and the purpose is to make the model take the two images for the face of the same person. The number below each candidate adversarial example in Fig. 3 indicates the magnitude of the adversarial noise.
As an example, the step of solving for the optimal solution of the preset optimization problem may include steps S410 and S420 shown in Fig. 4.
As shown in Fig. 4, in step S410 a loss function is constructed. The loss function includes a first term and a second term. The first term includes the distance between the original sample and the current candidate adversarial example, and the second term includes an indicator function, where the value of the indicator function is less than a first preset threshold when the current candidate adversarial example successfully attacks the image recognition model, the value of the indicator function is greater than a second preset threshold when the current candidate adversarial example fails to attack the image recognition model, and the first preset threshold is less than or equal to the second preset threshold.
In step S420, the optimal solution that minimizes the loss function is solved for.
As an example, the value of the indicator function is 0 when the current candidate adversarial example successfully attacks the image recognition model, and positive infinity when the current candidate adversarial example fails to attack the image recognition model.
For example, for different tasks (such as face verification or face classification) and attack types (such as a dodging attack or an impersonation attack), the problem can be formally reduced to a black-box optimization problem:
where L(x*) is the loss function, x* denotes a candidate adversarial example, and the solution is the candidate adversarial example that minimizes the loss function L(x*).
For example, L(x*) = D(x, x*) + δ(E(f(x*)) = 1).
Here x denotes the original sample, and D(x, x*) denotes the distance between the original sample and the current candidate adversarial example; D(x, x*) is an example of the first term.
f(x*) denotes the image recognition model, E(·) denotes the attack criterion, E(f(x*)) = 1 indicates that the attack on the image recognition model succeeds, and δ(·) denotes the indicator function. δ(E(f(x*)) = 1) is an example of the second term.
Thus, when the attack on the image recognition model succeeds, the value of the indicator function is zero; when the attack on the image recognition model fails, the value of the indicator function is positive infinity.
As an example, in solving the optimal solution of the preset optimization problem through iterative computation that progressively reduces the distance between the candidate adversarial sample and the original sample, each iteration may include, for example, steps S510 to S560 shown in Fig. 5.
In step S510, random sampling from Gaussian noise yields the first noise, and part of the values in the first noise are set to 0.
Then, in step S520, the current first noise is mapped to the space corresponding to the original sample, yielding the second noise.
Then, in step S530, the third noise is obtained by adding the bias term to the second noise, and the sample obtained by adding the third noise to the current candidate adversarial sample is taken as the sample to be updated. The sample to be updated is thus the candidate adversarial sample with adversarial noise added, as described above.
Next, in step S540, it is determined whether the sample to be updated is still an adversarial sample of the image recognition model: if so, step S550 is executed; otherwise, step S560 is executed.
In step S550, the current candidate adversarial sample is updated to the sample to be updated, and at least the bias-term parameter and the Gaussian noise parameters are updated, so that the distance between the original sample and the candidate adversarial sample found in the next iteration is smaller than the distance between the original sample and the candidate adversarial sample found in the current iteration; the next iteration is then carried out (that is, the process returns to step S510 for the next iterative computation).
In step S560, the search ends, and the current candidate adversarial sample is taken as the adversarial sample with the smallest distance to the original sample. The whole process ends.
As an example, the bias term of each iteration includes the product of the distance between the original sample and the candidate adversarial sample found in the current iteration and the current bias-term parameter.
As an example, in each iteration, the step of updating at least the bias-term parameter and the Gaussian noise parameters includes, for example: updating the bias-term parameter and the Gaussian noise parameters based at least on the distance between the updated current candidate adversarial sample and the original sample and on the previously successful search directions.
As an example, a maximum number of accesses to the image recognition model can also be preset; if the current iteration count reaches the maximum number of accesses, the whole search ends after the current iteration completes, and the current candidate adversarial sample is taken as the adversarial sample with the smallest distance to the original sample.
As an example, in each iteration: every dimension element of the first noise corresponds to one search direction; at least one direction is selected among all the search directions corresponding to the first noise, the values in the first noise corresponding to the at least one direction are set to 1, and the remaining values are set to 0.
As an example, the probability that each direction among all the search directions corresponding to the first noise is selected is proportional to the value of the corresponding element on the diagonal of a predetermined covariance matrix.
As an example, in each iteration, the current first noise is mapped to the space corresponding to the original sample by linear interpolation.
For example, the black-box optimization problem above can be solved with the following iterative method. In each iteration step:
1) Sample from Gaussian noise to obtain the first noise z, where z follows the Gaussian distribution z ~ N(0, σ²C), and σ and C are the Gaussian noise parameters;
2) Choose k directions in z to search (the k directions being the at least one selected direction described above) and set the rest to 0. The probability that each direction is selected is proportional to the corresponding value on the diagonal of the covariance matrix;
3) Map z into the original space (i.e., the space corresponding to the original image) by linear interpolation, obtaining the second noise;
4) Add the bias term to the second noise to obtain the third noise, where x is the original sample and the other quantity in the bias term is the candidate adversarial sample found by the current search;
5) Check whether the sample obtained with the third noise is still an adversarial sample; if so, that sample is the sample to be updated described above, and it becomes the current newest candidate adversarial sample;
6) Update μ, σ and C.
For example, the update rule for μ, σ and C in step 6) can be:
Here p_c denotes the previously successful search directions, the distance term is the distance between the current newest candidate adversarial sample and the original sample, P_success denotes the probability that the sample was still an adversarial sample over a predetermined number of preceding iteration steps (for example, the preceding 30 steps), c_c denotes the update rate of p_c (for example, 0.01 can be chosen), c_cov denotes the update rate of the covariance matrix element c_ii (for example, 0.001 can be chosen), and c_ii denotes the [i, i]-th element of the covariance matrix C (i.e., the element in row i, column i).
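The following is an added example, not code from the patent: a robustness measurement that runs the iteration of steps 1) to 6) against a constructed toy decision-only model and reports the smallest decision-changing distance found within a preset maximum number of accesses. The toy model, the data, the vector form μ·(x − candidate) of the bias term, the handling of a failed proposal (discard it and continue until the access limit) and the update rule used for μ, σ and C are assumptions.

```python
import math
import random

C_C, C_COV, WINDOW = 0.01, 0.001, 30   # example values quoted in the text
SIGMA_SCALE = 0.01                      # assumption: sigma = SIGMA_SCALE * current distance


def distance(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def loss(x, cand, attack_succeeds):
    """L(x*) = D(x, x*) + delta(E(f(x*)) = 1): the indicator is 0 on success, +inf otherwise."""
    return distance(x, cand) + (0.0 if attack_succeeds else math.inf)


def pick_directions(c_diag, k, rng):
    """Choose k distinct directions, each with probability proportional to c_ii."""
    idx, weights, chosen = list(range(len(c_diag))), list(c_diag), []
    for _ in range(k):
        j = rng.choices(range(len(idx)), weights=weights)[0]
        chosen.append(idx.pop(j))
        weights.pop(j)
    return chosen


def upsample(z, n):
    """Map m-dimensional noise to the n-dimensional input space by linear interpolation."""
    m, out = len(z), []
    for i in range(n):
        pos = i * (m - 1) / (n - 1)
        lo = int(pos)
        hi = min(lo + 1, m - 1)
        out.append((1 - (pos - lo)) * z[lo] + (pos - lo) * z[hi])
    return out


def search(model, x, start, max_queries=400, m=8, k=3, seed=7):
    """Return (candidate, distance, queries) after at most max_queries model accesses."""
    rng, queries = random.Random(seed), 0
    original_decision = model(x)
    queries += 1

    def is_adversarial(v):          # decision-only access: one query per call
        nonlocal queries
        queries += 1
        return model(v) != original_decision

    if not is_adversarial(start):
        raise ValueError("start point must already change the decision")
    cand, best = list(start), distance(x, start)
    mu, c_diag, p_c, history = 0.01, [1.0] * m, [0.0] * m, []
    while queries < max_queries:
        sigma = SIGMA_SCALE * best
        z = [0.0] * m                                    # steps 1-2: sparse Gaussian noise
        for j in pick_directions(c_diag, k, rng):
            z[j] = rng.gauss(0.0, sigma * math.sqrt(c_diag[j]))
        noise = upsample(z, len(x))                      # step 3: back to input space
        proposal = [c + nz + mu * (xi - c)               # step 4: noise plus bias toward x
                    for c, nz, xi in zip(cand, noise, x)]
        still_adv = is_adversarial(proposal)             # step 5: one model access
        history = (history + [still_adv])[-WINDOW:]
        if loss(x, proposal, still_adv) < best:          # accept only if the loss decreases
            cand, best = proposal, distance(x, proposal)
            # step 6, stand-in rule (assumption): evolution path and diagonal covariance
            p_c = [(1 - C_C) * p + math.sqrt(C_C * (2 - C_C)) * zj / sigma
                   for p, zj in zip(p_c, z)]
            c_diag = [(1 - C_COV) * c + C_COV * p * p for c, p in zip(c_diag, p_c)]
        p_success = sum(history) / len(history)          # share still adversarial, last 30 steps
        mu = min(1.0, max(1e-3, mu * math.exp(p_success - 0.2)))  # stand-in (assumption)
    return cand, best, queries


def toy_model(v):                   # constructed stand-in for f: True means "accept"
    return sum(v) > 0.0


X_ORIG = [0.25] * 16                # constructed original sample, accepted by toy_model
START = [-1.0] * 16                 # constructed starting point, rejected by toy_model
MARGIN = sum(X_ORIG) / math.sqrt(len(X_ORIG))   # exact distance from X_ORIG to the boundary

if __name__ == "__main__":
    cand, dist, used = search(toy_model, X_ORIG, START)
    print(f"queries={used} distance={dist:.3f} true margin={MARGIN:.3f}")
```

For this linear toy model the returned distance can never fall below MARGIN, so comparing the two shows how close the search came to the true decision margin within the access limit.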
In a specific example of the invention, adversarial samples are generated for face recognition models. Three models are first chosen as research objects: SphereFace, CosFace and ArcFace. These models achieve the current best performance on LFW and MegaFace, the most commonly used datasets in the field of face recognition. This implementation selects 500 pictures from the LFW and MegaFace datasets as research objects to measure the attack efficiency of the different attack methods and, further, their attack performance.
As shown in Figs. 6A-6D, Fig. 6A shows the results of dodging attacks and impersonation attacks on face verification on the LFW dataset, Fig. 6B shows the results of dodging attacks and impersonation attacks on face classification on the LFW dataset, Fig. 6C shows the results of dodging attacks and impersonation attacks on face verification on the MegaFace dataset, and Fig. 6D shows the results of dodging attacks and impersonation attacks on face classification on the MegaFace dataset. A1, A2 and A3 are the results when the three existing attack methods NES-LO, Optimization and Boundary, respectively, attack the three models above, and A4 is the result when the three models are attacked with the method of the invention. Figs. 6A-6D show that, compared with the prior-art methods, the method of the invention greatly reduces the number of accesses needed to produce adversarial samples that meet the requirements, and achieves the same or even better adversarial effect.
It follows that the information processing method according to embodiments of the invention, for a given image recognition model and without obtaining the model's internal structure or parameters, obtains the correspondence between the model's inputs and outputs by accessing the target model, searches the input space with the proposed method, obtains the adversarial sample with the smallest distance to the original sample, and successfully attacks the given image recognition model. The attack effect is especially good on face recognition models, and the number of accesses is substantially reduced compared with the prior art.
For face recognition models, the above technique of the invention improves attack efficiency and is generally applicable to different attack types.
Exemplary device
Having described the information processing method of the exemplary embodiments of the invention, the information processing device of the exemplary embodiments of the invention is described next with reference to Fig. 7.
Fig. 7 schematically shows the structure of an information processing device according to an embodiment of the invention. The device can be provided in a terminal device, for example in an intelligent electronic device such as a desktop computer, notebook computer, smart mobile phone or tablet computer; the device of embodiments of the invention can of course also be provided in a server. The device 700 of embodiments of the invention may include the following units: a model obtaining unit 710 and a processing unit 720.
As shown in Fig. 7, the model obtaining unit 710 is adapted to obtain a predetermined image recognition model.
The processing unit 720 is adapted, for the image recognition model, to solve the optimal solution of a preset optimization problem based on the input/output relations obtained by accessing the image recognition model with the candidate adversarial sample found in the input space at each search, through iterative computation that progressively reduces the distance between the candidate adversarial sample and the original sample. The preset optimization problem includes:
obtaining, in the input space, the candidate adversarial sample with the smallest distance to the original sample; and
ensuring that the candidate adversarial sample found in each iteration successfully attacks the image recognition model.
As an example, the processing unit 720 can have the structure shown in Fig. 5.
As shown in Fig. 5, the processing unit 720 may include a loss function construction subunit 810 and a solving subunit 820.
The loss function construction subunit 810 is adapted to construct the loss function.
The loss function includes a first sub-term and a second sub-term. The first sub-term includes the distance between the original sample and the current candidate adversarial sample, and the second sub-term includes an indicator function: when the current candidate adversarial sample can successfully attack the image recognition model, the value of the indicator function is less than a first preset threshold; when the current candidate adversarial sample cannot successfully attack the image recognition model, the value of the indicator function is greater than a second preset threshold; and the first preset threshold is less than or equal to the second preset threshold.
In addition, the solving subunit 820 is adapted to solve the optimal solution that minimizes the loss function.
As an example, when the current candidate adversarial sample can successfully attack the image recognition model, the value of the indicator function is 0; when the current candidate adversarial sample cannot successfully attack the image recognition model, the value of the indicator function is positive infinity.
As an example, the processing unit is adapted, in solving the optimal solution of the preset optimization problem through iterative computation that progressively reduces the distance between the candidate adversarial sample and the original sample, to perform the following processing in each iteration: randomly sampling from Gaussian noise to obtain the first noise, and setting part of the values in the first noise to 0; mapping the current first noise to the space corresponding to the original sample to obtain the second noise; obtaining the third noise by adding the bias term to the second noise, and taking the sample obtained by adding the third noise to the current candidate adversarial sample as the sample to be updated; and determining whether the sample to be updated is still an adversarial sample of the image recognition model: if so, updating the current candidate adversarial sample to the sample to be updated and updating at least the bias-term parameter and the Gaussian noise parameters, so that the distance between the original sample and the candidate adversarial sample found in the next iteration is smaller than the distance between the original sample and the candidate adversarial sample found in the current iteration, and then carrying out the next iteration; otherwise, ending the search and taking the current candidate adversarial sample as the adversarial sample with the smallest distance to the original sample.
As an example, the bias term of each iteration includes the product of the distance between the original sample and the candidate adversarial sample found in the current iteration and the current bias-term parameter.
As an example, the processing unit is adapted, in each iteration, to update at least the bias-term parameter and the Gaussian noise parameters by the following processing: updating the bias-term parameter and the Gaussian noise parameters based at least on the distance between the updated current candidate adversarial sample and the original sample and on the previously successful search directions.
As an example, the information processing device above can also include, for example, a judging unit (not shown). The judging unit can be provided separately from the processing unit, that is, the judging unit and the processing unit are two units; alternatively, the judging unit can be integrated with the processing unit, for example with one module implementing the functions of both the processing unit and the judging unit, that is, using the same hardware.
The judging unit is adapted, for example, to preset a maximum number of accesses to the image recognition model; if the current iteration count reaches the maximum number of accesses, the whole search ends after the current iteration completes, and the current candidate adversarial sample is taken as the adversarial sample with the smallest distance to the original sample.
As an example, the processing unit is adapted, in each iteration, to select at least one direction among all the search directions corresponding to the first noise, set the values in the first noise corresponding to the at least one direction to 1, and set the remaining values to 0; wherein every dimension element of the first noise corresponds to one search direction.
As an example, the processing unit is adapted to make the probability that each direction among all the search directions corresponding to the first noise is selected proportional to the value of the corresponding element on the diagonal of a predetermined covariance matrix.
As an example, the processing unit is adapted, in each iteration, to map the current first noise to the space corresponding to the original sample by linear interpolation.
As an example, the image recognition model is a face recognition model.
As an example, the face recognition model includes a face verification model or a face classification model.
As an example, the attack type that the candidate adversarial sample carries out on the image recognition model includes a dodging attack or an impersonation attack.
As an example, the processing unit is adapted: for a dodging attack, to use random noise as the initial value of the candidate adversarial sample; and for an impersonation attack, to use the original image used to attack the image recognition model as the initial value of the candidate adversarial sample.
It should be noted that the units or subunits in the information processing device of the exemplary embodiments of the invention can respectively perform the processing in the corresponding steps or sub-steps of the information processing method of the exemplary embodiments described above and achieve similar functions and effects, which are not repeated here.
Fig. 9 shows a block diagram of an exemplary computer system/server 90 suitable for implementing embodiments of the invention. The computer system/server 90 shown in Fig. 9 is only an example and should not impose any restriction on the function or scope of use of the embodiments of the invention.
As shown in Fig. 9, the computer system/server 90 takes the form of a general-purpose computing device. The components of the computer system/server 90 can include, but are not limited to: one or more processors or processing units 901, a system memory 902, and a bus 903 connecting the different system components (including the system memory 902 and the processing unit 901).
The computer system/server 90 typically includes a variety of computer-system-readable media. These media can be any available media that can be accessed by the computer system/server 90, including volatile and non-volatile media and removable and non-removable media.
The system memory 902 may include computer-system-readable media in the form of volatile memory, such as random access memory (RAM) 9021 and/or cache memory 9022. The computer system/server 90 may further include other removable/non-removable, volatile/non-volatile computer system storage media. Merely as an example, ROM 9023 can be used to read from and write to a non-removable, non-volatile magnetic medium (not shown in Fig. 9, commonly called a "hard disk drive"). Although not shown in Fig. 9, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (such as a "floppy disk") and an optical disc drive for reading from and writing to a removable non-volatile optical disc (such as a CD-ROM, DVD-ROM or other optical media) can be provided. In these cases, each drive can be connected to the bus 903 through one or more data media interfaces. The system memory 902 may include at least one program product having a set of (for example, at least one) program modules configured to perform the functions of the embodiments of the invention.
A program/utility 9025 having a set of (at least one) program modules 9024 can be stored, for example, in the system memory 902. Such program modules 9024 include, but are not limited to, an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment. The program modules 9024 generally perform the functions and/or methods of the embodiments described in the invention.
The computer system/server 90 can also communicate with one or more external devices 904 (such as a keyboard, a pointing device, a display, etc.). This communication can take place through an input/output (I/O) interface 905. The computer system/server 90 can also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 906. As shown in Fig. 9, the network adapter 906 communicates with the other modules of the computer system/server 90 (such as the processing unit 901) through the bus 903. It should be understood that, although not shown in Fig. 9, other hardware and/or software modules can be used in combination with the computer system/server 90.
The processing unit (or processor) 901 runs the programs stored in the system memory 902 and thereby performs various functional applications and data processing, for example executing and implementing each step of the information processing method; for example: obtaining a predetermined image recognition model; and, for the image recognition model, solving the optimal solution of a preset optimization problem based on the input/output relations obtained by accessing the image recognition model with the candidate adversarial sample found in the input space at each search, through iterative computation that progressively reduces the distance between the candidate adversarial sample and the original sample, the preset optimization problem including: obtaining, in the input space, the candidate adversarial sample with the smallest distance to the original sample; and ensuring that the candidate adversarial sample found in each iteration successfully attacks the image recognition model.
A specific example of the computer-readable storage medium of embodiments of the invention is shown in Fig. 10.
The computer-readable storage medium of Fig. 10 is an optical disc 1000 on which a computer program (i.e., a program product) is stored. When executed by a processor, the program implements each step described in the method embodiments above, for example: obtaining a predetermined image recognition model; and, for the image recognition model, solving the optimal solution of a preset optimization problem based on the input/output relations obtained by accessing the image recognition model with the candidate adversarial sample found in the input space at each search, through iterative computation that progressively reduces the distance between the candidate adversarial sample and the original sample, the preset optimization problem including: obtaining, in the input space, the candidate adversarial sample with the smallest distance to the original sample; and ensuring that the candidate adversarial sample found in each iteration successfully attacks the image recognition model. The specific implementation of each step is not repeated here.
It should be noted that, although several units, modules or submodules of the information processing device are mentioned in the detailed description above, this division is only exemplary and not mandatory. In fact, according to embodiments of the invention, the features and functions of two or more modules described above can be embodied in one module. Conversely, the features and functions of one module described above can be further divided and embodied by multiple modules.
In addition, although the operations of the method of the invention are described in the drawings in a particular order, this does not require or imply that the operations must be performed in that particular order, or that all of the operations shown must be performed to achieve the desired result. Additionally or alternatively, certain steps can be omitted, multiple steps can be merged into one step, and/or one step can be decomposed into multiple steps.
Although the spirit and principles of the invention have been described with reference to several specific embodiments, it should be understood that the invention is not limited to the specific embodiments disclosed, nor does the division into aspects mean that features in these aspects cannot be combined to advantage; this division is merely for convenience of presentation. The invention is intended to cover the various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
In summary, according to embodiments of the present disclosure, the disclosure provides the following schemes, but is not limited to them:
Scheme 1. An information processing method, characterized by comprising:
obtaining a predetermined image recognition model;
for the image recognition model, solving the optimal solution of a preset optimization problem based on the input/output relations obtained by accessing the image recognition model with the candidate adversarial sample found in the input space at each search, through iterative computation that progressively reduces the distance between the candidate adversarial sample and the original sample, the preset optimization problem including:
obtaining, in the input space, the candidate adversarial sample with the smallest distance to the original sample; and
ensuring that the candidate adversarial sample found in each iteration successfully attacks the image recognition model.
Scheme 2. The information processing method according to scheme 1, characterized in that the step of solving the optimal solution of the preset optimization problem includes:
constructing a loss function, wherein the loss function includes a first sub-term and a second sub-term, the first sub-term includes the distance between the original sample and the current candidate adversarial sample, and the second sub-term includes an indicator function, wherein when the current candidate adversarial sample can successfully attack the image recognition model the value of the indicator function is less than a first preset threshold, when the current candidate adversarial sample cannot successfully attack the image recognition model the value of the indicator function is greater than a second preset threshold, and the first preset threshold is less than or equal to the second preset threshold; and
solving the optimal solution that minimizes the loss function.
Scheme 3. The information processing method according to scheme 2, characterized in that when the current candidate adversarial sample can successfully attack the image recognition model the value of the indicator function is 0, and when the current candidate adversarial sample cannot successfully attack the image recognition model the value of the indicator function is positive infinity.
Scheme 4. The information processing method according to scheme 1, wherein, in solving the optimal solution of the preset optimization problem through iterative computation that progressively reduces the distance between the candidate adversarial sample and the original sample, each iteration includes:
randomly sampling from Gaussian noise to obtain the first noise, and setting part of the values in the first noise to 0;
mapping the current first noise to the space corresponding to the original sample to obtain the second noise;
obtaining the third noise by adding the bias term to the second noise, and taking the sample obtained by adding the third noise to the current candidate adversarial sample as the sample to be updated; and
determining whether the sample to be updated is still an adversarial sample of the image recognition model: if so, updating the current candidate adversarial sample to the sample to be updated and updating at least the bias-term parameter and the Gaussian noise parameters, so that the distance between the original sample and the candidate adversarial sample found in the next iteration is smaller than the distance between the original sample and the candidate adversarial sample found in the current iteration, and then carrying out the next iteration; otherwise, ending the search and taking the current candidate adversarial sample as the adversarial sample with the smallest distance to the original sample.
Scheme 5. The information processing method according to scheme 4, wherein the bias term of each iteration includes the product of the distance between the original sample and the candidate adversarial sample found in the current iteration and the current bias-term parameter.
Scheme 6. The information processing method according to scheme 4, characterized in that, in each iteration, the step of updating at least the bias-term parameter and the Gaussian noise parameters includes:
updating the bias-term parameter and the Gaussian noise parameters based at least on the distance between the updated current candidate adversarial sample and the original sample and on the previously successful search directions.
Scheme 7. The information processing method according to scheme 4, characterized by further comprising: presetting a maximum number of accesses to the image recognition model; if the current iteration count reaches the maximum number of accesses, ending the whole search after the current iteration completes, and taking the current candidate adversarial sample as the adversarial sample with the smallest distance to the original sample.
Scheme 8. The information processing method according to scheme 4, characterized in that, in each iteration:
every dimension element of the first noise corresponds to one search direction; at least one direction is selected among all the search directions corresponding to the first noise, the values in the first noise corresponding to the at least one direction are set to 1, and the remaining values are set to 0.
Scheme 9. The information processing method according to scheme 8, characterized in that the probability that each direction among all the search directions corresponding to the first noise is selected is proportional to the value of the corresponding element on the diagonal of a predetermined covariance matrix.
Scheme 10. The information processing method according to any one of schemes 4-9, characterized in that, in each iteration, the current first noise is mapped to the space corresponding to the original sample by linear interpolation.
Scheme 11. The information processing method according to any one of schemes 1-9, characterized in that the image recognition model is a face recognition model.
Scheme 12. The information processing method according to scheme 11, characterized in that the face recognition model includes a face verification model or a face classification model.
Scheme 13. The information processing method according to schemes 1-9, characterized in that the attack type that the candidate adversarial sample carries out on the image recognition model includes a dodging attack or an impersonation attack.
Scheme 14. The information processing method according to scheme 13, characterized in that:
for a dodging attack, random noise is used as the initial value of the candidate adversarial sample; and
for an impersonation attack, the original image used to attack the image recognition model is used as the initial value of the candidate adversarial sample.
Scheme 15. An information processing device, characterized by comprising:
a model obtaining unit, adapted to obtain a predetermined image recognition model;
a processing unit, adapted, for the image recognition model, to solve the optimal solution of a preset optimization problem based on the input/output relations obtained by accessing the image recognition model with the candidate adversarial sample found in the input space at each search, through iterative computation that progressively reduces the distance between the candidate adversarial sample and the original sample, the preset optimization problem including:
obtaining, in the input space, the candidate adversarial sample with the smallest distance to the original sample; and
ensuring that the candidate adversarial sample found in each iteration successfully attacks the image recognition model.
Scheme 16. The information processing device according to scheme 15, characterized in that the processing unit includes:
a loss function construction subunit, adapted to construct a loss function, wherein the loss function includes a first sub-term and a second sub-term, the first sub-term includes the distance between the original sample and the current candidate adversarial sample, and the second sub-term includes an indicator function, wherein when the current candidate adversarial sample can successfully attack the image recognition model the value of the indicator function is less than a first preset threshold, when the current candidate adversarial sample cannot successfully attack the image recognition model the value of the indicator function is greater than a second preset threshold, and the first preset threshold is less than or equal to the second preset threshold; and
a solving subunit, adapted to solve the optimal solution that minimizes the loss function.
Scheme 17. The information processing device according to scheme 16, characterized in that when the current candidate adversarial sample can successfully attack the image recognition model the value of the indicator function is 0, and when the current candidate adversarial sample cannot successfully attack the image recognition model the value of the indicator function is positive infinity.
Scheme 18. The information processing device according to scheme 15, wherein the processing unit is adapted, in solving the optimal solution of the preset optimization problem through iterative computation that progressively reduces the distance between the candidate adversarial sample and the original sample, to perform the following processing in each iteration: randomly sampling from Gaussian noise to obtain the first noise, and setting part of the values in the first noise to 0; mapping the current first noise to the space corresponding to the original sample to obtain the second noise; obtaining the third noise by adding the bias term to the second noise, and taking the sample obtained by adding the third noise to the current candidate adversarial sample as the sample to be updated; and determining whether the sample to be updated is still an adversarial sample of the image recognition model: if so, updating the current candidate adversarial sample to the sample to be updated and updating at least the bias-term parameter and the Gaussian noise parameters, so that the distance between the original sample and the candidate adversarial sample found in the next iteration is smaller than the distance between the original sample and the candidate adversarial sample found in the current iteration, and then carrying out the next iteration; otherwise, ending the search and taking the current candidate adversarial sample as the adversarial sample with the smallest distance to the original sample.
Scheme 19. The information processing device according to scheme 18, wherein the bias term of each iteration includes the product of the distance between the original sample and the candidate adversarial sample found in the current iteration and the current bias-term parameter.
Scheme 20. The information processing device according to scheme 18, characterized in that the processing unit is adapted, in each iteration, to update at least the bias-term parameter and the Gaussian noise parameters by the following processing:
updating the bias-term parameter and the Gaussian noise parameters based at least on the distance between the updated current candidate adversarial sample and the original sample and on the previously successful search directions.
Scheme 21. The information processing device according to scheme 18, characterized by further comprising:
a judging unit, adapted to preset a maximum number of accesses to the image recognition model; if the current iteration count reaches the maximum number of accesses, the whole search ends after the current iteration completes, and the current candidate adversarial sample is taken as the adversarial sample with the smallest distance to the original sample.
Scheme 22. The information processing device according to scheme 18, characterized in that the processing unit is adapted, in each iteration:
to select at least one direction among all the search directions corresponding to the first noise, set the values in the first noise corresponding to the at least one direction to 1, and set the remaining values to 0; wherein every dimension element of the first noise corresponds to one search direction.
Scheme 23. The information processing device according to scheme 22, characterized in that the processing unit is adapted to make the probability that each direction among all the search directions corresponding to the first noise is selected proportional to the value of the corresponding element on the diagonal of a predetermined covariance matrix.
The information processing unit according to any one of scheme 18-23 of scheme 24., which is characterized in that the processing is single Member is suitable in each iterative calculation, and the first current noise is mapped to the original sample by linear interpolation method and is corresponded to Space.
The information processing unit according to any one of scheme 15-23 of scheme 25., which is characterized in that described image is known Other model is human face recognition model.
The information processing unit according to scheme 25 of scheme 26., which is characterized in that the human face recognition model includes: Face verification model or face classification model.
The information processing unit according to scheme 15-23 of scheme 27., which is characterized in that candidate is to resisting sample to described The attack type that image recognition model carries out includes dodge attack or spoof attack.
The information processing unit according to scheme 27 of scheme 28., which is characterized in that the processing unit is suitable for: for It dodges attack, using random noise as the candidate initial value to resisting sample;And for spoof attack, will be used to attack described The original image of image recognition model is as the candidate initial value to resisting sample.
A kind of storage medium for being stored with program of scheme 29. realizes such as scheme 1 to 14 when described program is executed by processor Any one of described in information processing method.
A kind of calculating equipment of scheme 30., including the storage medium as described in scheme 29.

Claims (10)

1. An information processing method, characterized by comprising:
obtaining a predetermined image recognition model;
for the image recognition model, based on the input/output relation obtained by accessing the image recognition model with the candidate adversarial sample found in the input space each time, solving for the optimal solution of a preset optimization problem through iterative computation that gradually reduces the distance between the candidate adversarial sample and the original sample, the preset optimization problem including:
obtaining, in the input space, the candidate adversarial sample with the smallest distance from the original sample; and
enabling the candidate adversarial sample found at each iteration to successfully attack the image recognition model.
2. The information processing method according to claim 1, characterized in that the step of solving for the optimal solution of the preset optimization problem includes:
constructing a loss function, wherein the loss function includes a first sub-term and a second sub-term, the first sub-term includes the distance between the original sample and the current candidate adversarial sample, and the second sub-term includes an exponential function, wherein the value of the exponential function is less than a first preset threshold when the current candidate adversarial sample can successfully attack the image recognition model, the value of the exponential function is greater than a second preset threshold when the current candidate adversarial sample cannot successfully attack the image recognition model, and the first preset threshold is less than or equal to the second preset threshold; and
solving for the optimal solution that minimizes the loss function.
3. The information processing method according to claim 2, characterized in that the value of the exponential function is 0 when the current candidate adversarial sample can successfully attack the image recognition model, and the value of the exponential function is positive infinity when the current candidate adversarial sample cannot successfully attack the image recognition model.
4. The information processing method according to claim 1, wherein, in the process of solving for the optimal solution of the preset optimization problem through iterative computation that gradually reduces the distance between the candidate adversarial sample and the original sample, each iteration includes:
randomly sampling from Gaussian noise to obtain a first noise, and setting part of the values in the first noise to 0;
mapping the current first noise to the space corresponding to the original sample to obtain a second noise;
obtaining a third noise by adding a bias term to the second noise, and taking the sample obtained by adding the third noise to the current candidate adversarial sample as a sample to be updated; and
determining whether the sample to be updated is still an adversarial sample of the image recognition model: if so, updating the current candidate adversarial sample to the sample to be updated, and updating at least the bias term parameter and the Gaussian noise parameter, so that the distance between the original sample and the candidate adversarial sample found in the next iteration is smaller than the distance between the original sample and the candidate adversarial sample found in the current iteration, and then carrying out the next iteration; otherwise, terminating the search and taking the current candidate adversarial sample as the adversarial sample with the smallest distance from the original sample.
5. The information processing method according to claim 4, characterized by further comprising: presetting a maximum number of accesses to the image recognition model; if the current iteration count reaches the maximum number of accesses, terminating the entire search after the current iteration is completed, and taking the current candidate adversarial sample as the adversarial sample with the smallest distance from the original sample.
6. The information processing method according to any one of claims 1-4, characterized in that the image recognition model is a face recognition model.
7. The information processing method according to claims 1-4, characterized in that the type of attack carried out on the image recognition model by the candidate adversarial sample includes a dodge attack or a spoof attack.
8. An information processing device, characterized by comprising:
a model obtaining unit, adapted to obtain a predetermined image recognition model;
a processing unit, adapted to, for the image recognition model, based on the input/output relation obtained by accessing the image recognition model with the candidate adversarial sample found in the input space each time, solve for the optimal solution of a preset optimization problem through iterative computation that gradually reduces the distance between the candidate adversarial sample and the original sample, the preset optimization problem including:
obtaining, in the input space, the candidate adversarial sample with the smallest distance from the original sample; and
enabling the candidate adversarial sample found at each iteration to successfully attack the image recognition model.
9. A storage medium storing a program which, when executed by a processor, implements the information processing method according to any one of claims 1 to 7.
10. A computing device, including the storage medium according to claim 9.
CN201910108716.6A 2019-02-03 2019-02-03 Information processing method and device, medium and computing equipment Active CN110020593B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910108716.6A CN110020593B (en) 2019-02-03 2019-02-03 Information processing method and device, medium and computing equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910108716.6A CN110020593B (en) 2019-02-03 2019-02-03 Information processing method and device, medium and computing equipment

Publications (2)

Publication Number Publication Date
CN110020593A true CN110020593A (en) 2019-07-16
CN110020593B CN110020593B (en) 2021-04-13

Family

ID=67188924

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910108716.6A Active CN110020593B (en) 2019-02-03 2019-02-03 Information processing method and device, medium and computing equipment

Country Status (1)

Country Link
CN (1) CN110020593B (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10043261B2 (en) * 2016-01-11 2018-08-07 Kla-Tencor Corp. Generating simulated output for a specimen
US20180349605A1 (en) * 2017-06-05 2018-12-06 Microsoft Technology Licensing, Llc Adversarial quantum machine learning
CN108257116A (en) * 2017-12-30 2018-07-06 清华大学 Method for generating adversarial images
CN108322349A (en) * 2018-02-11 2018-07-24 浙江工业大学 Deep learning adversarial attack defense method based on generative adversarial networks
CN108446765A (en) * 2018-02-11 2018-08-24 浙江工业大学 Multi-model composite defense method against adversarial attacks on deep learning

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
TIANYU PANG ET AL: "Towards Robust Detection of Adversarial Examples", 《ARXIV》 *
YINPENG DONG ET AL: "Towards Interpretable Deep Neural Networks by Leveraging", 《ARXIV》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112016677A (en) * 2019-09-23 2020-12-01 南京地平线机器人技术有限公司 Deep neural network training method and device and electronic equipment
CN110705652A (en) * 2019-10-17 2020-01-17 北京瑞莱智慧科技有限公司 Countermeasure sample, generation method, medium, device and computing equipment thereof
CN110705652B (en) * 2019-10-17 2020-10-23 北京瑞莱智慧科技有限公司 Countermeasure sample, generation method, medium, device and computing equipment thereof
WO2022252039A1 (en) * 2021-05-31 2022-12-08 Robert Bosch Gmbh Method and apparatus for adversarial attacking in deep reinforcement learning

Also Published As

Publication number Publication date
CN110020593B (en) 2021-04-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant