CN110276377A - Adversarial example generation method based on Bayesian optimization - Google Patents


Publication number: CN110276377A
Authority: CN (China)
Prior art keywords: value, disturbed, optimization, image, function
Legal status: Granted
Application number: CN201910414533.7A
Other languages: Chinese (zh)
Other versions: CN110276377B (en)
Inventors: 刘林兴, 冯建文
Current assignee: Hangzhou Dianzi University
Original assignee: Hangzhou Dianzi University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2415 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • G06F18/24155 Bayesian classification
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks

Abstract

The invention discloses an adversarial example generation method based on Bayesian optimization. Existing black-box attack methods need to query the model a large number of times to obtain optimization information. Taking the original image as input, the invention determines the position to be optimized by computing the gradient of the structural similarity between the perturbed image and the original image. It then uses Bayesian optimization to sample and optimize at the selected position, obtaining a perturbation value at that position that increases the loss function. Multiple positions are selected iteratively and a perturbation value is optimized for each, stopping when the classification result of the perturbed image changes or the maximum number of iterations is reached. The invention effectively reduces the number of queries to the target DNN model, and the number of perturbed pixels is small.

Description

Adversarial example generation method based on Bayesian optimization
Technical field
The invention belongs to the field of computer digital image processing, and specifically relates to an adversarial example generation method.
Background
Deep learning has achieved important breakthroughs on challenges that were previously hard to solve. It has been applied, for example, to reconstructing brain circuits, analysing mutations in DNA, predicting the active structure of potential drug molecules, and analysing particle accelerator data. Deep neural networks (DNNs) have also become the preferred method for many challenging tasks such as speech recognition and natural language understanding.
Although DNNs perform various computer vision tasks with surprising accuracy, they are highly vulnerable to adversarial attacks, which take the form of adding small image perturbations that are barely perceptible to the human visual system. Such an attack can make a DNN classifier completely change its prediction for the image, and the attacked model places high confidence in the wrong prediction. Moreover, the same image perturbation can fool multiple neural network classifiers. A perturbed image that changes the prediction of a DNN classifier is called an adversarial example.
Current methods for generating adversarial examples fall roughly into two types: white-box attacks and black-box attacks. A white-box attack assumes full knowledge of the target model, including its parameter values, architecture and training method, and even its training data, and uses this knowledge to construct adversarial examples that fool the target model. For example, FGSM computes the gradient information of the target model and adds a small perturbation of the same size to every pixel value to construct an adversarial example, while JSMA computes the forward derivative of the model and perturbs a limited number of pixels to construct an adversarial example. White-box attacks are comparatively fast to compute, but they need the gradient information of the target network. Black-box attack methods use no knowledge of the network's gradients or parameters: they feed adversarial examples to the target model, query the prediction labels it outputs, and use this information to generate adversarial examples that fool the target model. For example, the One Pixel Attack method uses the concept of differential evolution and observes the predicted probability labels of the target model to generate adversarial examples, and can mislead the target network by changing only one pixel; the Boundary Attack method generates adversarial examples using only the network's classification output. However, the lack of gradient information brings a high evaluation cost: the One Pixel Attack method needs 30,000 evaluations, and the Boundary Attack method needs a million evaluations.
Summary of the invention
The main object of the present invention is to address the large query cost of existing black-box attack methods by proposing a black-box attack method that generates adversarial examples using Bayesian optimization. The method uses Bayesian optimization to search the solution space, iteratively finding a specific perturbation which, once added to the original image, changes the classifier's classification result for the perturbed image.
The black-box attack method used in the present invention includes the following steps:
Step 1: obtain the true class $y_c$ of the source image $x$ and its probability $M_c$
Feed the original image $x$ into the target DNN classifier with parameters $\theta$ to obtain the probability output vector $M(x; \theta)$ of the original image. Take the class corresponding to the maximum value in the probability output vector as the class prediction $y_c$ of the original image; the maximum value in the probability output vector is $M_c$.
Step 2: determine the objective function to be optimized
Adversarial examples are generated iteratively. To reduce computational complexity, each iteration perturbs only a certain dimension of the image vector. Let the perturbation value be $z$, and assign $z$ to the corresponding dimension of $\Delta x$. The perturbation value satisfies $\|z\| < \varepsilon$ to ensure image quality, where $\varepsilon$ is a preset threshold. Feed $x + \Delta x$ into the deep neural network (DNN) classifier with parameters $\theta$ to obtain the prediction output vector $M(x + \Delta x; \theta)$. Let $M_t$ be the largest probability value in $M(x + \Delta x; \theta)$ outside class $y_c$, with corresponding class $y_t$. The objective function is defined as $B(z) = \log(M_c) - \log(M_t)$. The optimization target is $B(z) \le 0$, which changes the target DNN classifier's classification result for the perturbed image. $\Delta x$ is an all-zero perturbation vector with the same dimensions as $x$;
Step 3: determine the coordinate and channel to optimize in this iteration
In the $T$-th iteration, compute the gradient of the structural similarity between the current perturbed image $x' = x + \Delta x$ and the random image $x_G$. Select the dimension $s$ corresponding to the smallest gradient value as the dimension to optimize. $x_G$ is a random vector sampled from a Gaussian distribution, with the same dimensions as $x$;
Step 4: optimize in the selected dimension using Bayesian optimization
1) Use a Gaussian process as the surrogate for the objective function to be optimized, and use the EI strategy as the acquisition function. Set the maximum number of test points to $I$ and the current number of test points to $i = 0$. First randomly select several perturbation values to test, generating the initial observation data set $D_{1:t}$, which contains $t$ observed data points;
2) From the posterior distribution obtained from the observed data set $D_{1:t}$, construct an EI acquisition function $\alpha_t(z; D_{1:t})$:
where $v^*$ denotes the current best function value, $\phi(\cdot)$ is the standard normal probability density function, and $\mu_t(z)$ and $\sigma_t(z)$ denote the mean and variance, respectively, of the data points in $D_{1:t}$;
3) Select the next evaluation point by maximizing the acquisition function, $z_{t+1} = \max_{z \in Z} \alpha_t(z; D_{1:t})$; assign $z_{t+1}$ to the corresponding dimension $s$ of $\Delta x$ and evaluate the objective function value $B(z_{t+1})$; add the value evaluated at $z_{t+1}$ to the observation data set $D$; increment $i$ by 1; if $i \le I$, go to 2);
4) Output the minimum function value $B(z)$ in the observed data set and its corresponding perturbation value $z$;
Step 5: assign the best perturbation value $z$ obtained in Step 4 to the perturbation vector $\Delta x$. If $B(z) < 0$, the attack is considered successful and the perturbed image $x + \Delta x$ is output as the adversarial example; if $B(z) \ge 0$, the attack is considered unsuccessful in this iteration, and the method jumps to Step 3 and continues with the next iteration on the basis of the current perturbation vector $\Delta x$.
Beneficial effects of the present invention:
By computing the gradient of the structural similarity, the invention adds the perturbation to the pixel at the coordinate with the smallest gradient, reducing the effect of the added perturbation on image quality. At the same time, computing the perturbation with Bayesian optimization obtains the best perturbation value with relatively few queries.
Brief description of the drawings
Fig. 1 is the original image;
Fig. 2 is the Gaussian random image;
Fig. 3 is the adversarial perturbation image;
Fig. 4 is the adversarial example image.
Specific embodiment
The invention takes an original image as input, computes the structural similarity between the original image and a random Gaussian image and takes its gradient, and selects the dimension corresponding to the smallest gradient value. Bayesian optimization is applied one dimension at a time to obtain the best perturbation value. The perturbations obtained over multiple iterations are superimposed until the class prediction of the DNN classifier changes.
A specific embodiment of the whole process is described below (see Fig. 2 for the effect of each step):
Step 1: obtain the true class $y_c$ of the source image $x$ and its probability $M_c$
$x$ is the original image vector (as shown in Fig. 1), $\Delta x$ is an all-zero perturbation vector with the same dimensions as $x$, and $x_G$ is a random vector sampled from a Gaussian distribution with the same dimensions as $x$ (as shown in Fig. 2). Feed the original image $x$ into the target DNN classifier to obtain the probability output vector $M(x; \theta)$ of the original image. Take the class corresponding to the maximum value in the probability output vector as the class prediction $y_c$ of the original image; the maximum value in the probability output vector is $M_c$.
Step 2: determine the objective function to be optimized
Because the image vector $x$ has high dimensionality, and generating an adversarial example does not require perturbing all dimensions, the method perturbs only one dimension at a time and leaves the other dimensions unchanged, producing the test perturbation $\Delta x$. Feed $x + \Delta x$ into the DNN classifier to obtain the prediction output vector $M(x + \Delta x; \theta)$. Let $M_t$ be the largest probability value in $M(x + \Delta x; \theta)$ outside class $y_c$, with corresponding class $y_t$. The objective function is defined as $B(z) = \log(M_c) - \log(M_t)$. The optimization target is $B(z) \le 0$, which changes the target DNN classifier's classification result for the perturbed image.
Step 3: determine the coordinate and channel to optimize in this iteration
In the $T$-th iteration, compute the structural similarity $\mathrm{SSIM}(x', x_G)$ between the current perturbed image $x' = x + \Delta x$ and the random image $x_G$:
Here $\mu_{x'}$ denotes the means of $x'$ and $x_G$, the remaining terms are the variances of $x'$ and $x_G$ and the covariance of $x'$ and $x_G$, and $\epsilon_1$ and $\epsilon_2$ are small scalars that ensure the denominator is not zero. Then take the gradient of the structural similarity with respect to the image $x'$, obtaining a gradient vector with the same dimensions as the original image.
Select the coordinate $s$ and channel $c$ corresponding to the smallest gradient value as the coordinate to optimize in the next step:
Step 4: optimize the selected pixel using Bayesian optimization
1) Use a Gaussian process as the surrogate for the objective function to be optimized, and use the EI strategy as the acquisition function. Set the maximum number of test points $I$ and the current number of test points $i = 0$. First randomly select several perturbation values to test, generating the initial observation data set $D_{1:t}$, which contains $t$ observed data points.
2) From the posterior distribution obtained from the observed data set $D_{1:t}$, construct an EI acquisition function $\alpha_t(z; D_{1:t})$:
where $v^*$ denotes the current best function value, $\phi(\cdot)$ is the standard normal probability density function, and $\mu_t(z)$ and $\sigma_t(z)$ denote the mean and variance, respectively, of the data points in $D_{1:t}$.
3) Select the next evaluation point by maximizing the acquisition function, $z_{t+1} = \max_{z \in Z} \alpha_t(z; D_{1:t})$; assign $z_{t+1}$ to the corresponding dimension $s$ of $\Delta x$ and evaluate the objective function value $B(z_{t+1})$; add the value evaluated at $z_{t+1}$ to the observation data set $D$. Increment $i$ by 1; if $i \le I$, go to 2).
4) Output the minimum function value $B(z)$ in the observed data set and its corresponding perturbation value $z$.
Step 5: assign the best perturbation value $z$ obtained in Step 4 to the perturbation vector $\Delta x$ (the final perturbation image is shown in Fig. 3; 36 pixels are perturbed in total, with 891 evaluations). If $B(z) < 0$, the attack is considered successful and the perturbed image $x + \Delta x$ is output as the adversarial example (the final adversarial example image is shown in Fig. 4); if $B(z) \ge 0$, the attack is considered unsuccessful in this iteration, and the method jumps to Step 3 and continues with the next iteration on the basis of the current perturbation vector $\Delta x$.
Experimental results: 100 images were selected at random from CIFAR10 as experimental data. In the results, the mean number of perturbed pixels is 95.22 with a median of 78.5, and the mean number of evaluations is 2364.85 with a median of 1944.5. The number of evaluations is far lower than for the One Pixel Attack method and the Boundary Attack method.
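The Step 4 loop for a single dimension, written out as an added example (not code from the patent): a Gaussian-process surrogate with an EI acquisition function searches the bounded interval $|z| < \varepsilon$ and counts objective evaluations. Assumptions: the EI expression is the standard expected-improvement form for minimisation, since the patent's own formula is not reproduced on this page; `toy_margin` is a constructed scalar function standing in for $B(z)$, not a classifier; the RBF kernel, length scale, candidate grid and evaluation counts are illustrative choices.

```python
import math
import random


def rbf(a, b, length):
    """Squared-exponential kernel between two scalar perturbation values."""
    return math.exp(-0.5 * ((a - b) / length) ** 2)


def cholesky(A):
    """Lower-triangular L with L L^T = A (A symmetric positive definite)."""
    n = len(A)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = A[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            L[i][j] = math.sqrt(max(s, 1e-12)) if i == j else s / L[j][j]
    return L


def solve_lower(L, b):
    """Forward substitution: solve L y = b."""
    y = []
    for i, row in enumerate(L):
        y.append((b[i] - sum(row[k] * y[k] for k in range(i))) / row[i])
    return y


def solve_upper(L, y):
    """Back substitution: solve L^T x = y."""
    n = len(y)
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (y[i] - sum(L[k][i] * x[k] for k in range(i + 1, n))) / L[i][i]
    return x


def fit_gp(zs, vs, length, noise=1e-4):
    """Fit a GP to standardised observations; return predict(z) -> (mean, std)."""
    mean = sum(vs) / len(vs)
    scale = math.sqrt(sum((v - mean) ** 2 for v in vs) / len(vs)) or 1.0
    K = [[rbf(a, b, length) + (noise if i == j else 0.0)
          for j, b in enumerate(zs)] for i, a in enumerate(zs)]
    L = cholesky(K)
    alpha = solve_upper(L, solve_lower(L, [(v - mean) / scale for v in vs]))

    def predict(z):
        k = [rbf(z, a, length) for a in zs]
        w = solve_lower(L, k)
        mu = mean + scale * sum(ki * ai for ki, ai in zip(k, alpha))
        sd = scale * math.sqrt(max(1.0 - sum(wi * wi for wi in w), 1e-12))
        return mu, sd

    return predict


def expected_improvement(mu, sd, best):
    """Standard EI for minimisation: E[max(best - f(z), 0)] under N(mu, sd^2)."""
    gamma = (best - mu) / sd
    pdf = math.exp(-0.5 * gamma * gamma) / math.sqrt(2.0 * math.pi)
    cdf = 0.5 * (1.0 + math.erf(gamma / math.sqrt(2.0)))
    return (best - mu) * cdf + sd * pdf


def optimise_dimension(objective, eps, n_init=3, max_tests=12, grid=199, seed=0):
    """Sub-steps 1) to 4): returns (best z, best B(z), number of evaluations)."""
    rng = random.Random(seed)
    zs = [rng.uniform(-eps, eps) for _ in range(n_init)]  # 1) random initial tests
    vs = [objective(z) for z in zs]
    # Candidate perturbation values strictly inside (-eps, eps).
    candidates = [-eps + 2.0 * eps * k / (grid + 1) for k in range(1, grid + 1)]
    for _ in range(max_tests):
        predict = fit_gp(zs, vs, length=eps / 4.0)        # 2) posterior from D_1:t
        best = min(vs)
        z_next = max(candidates,                           # 3) maximise EI
                     key=lambda z: expected_improvement(*predict(z), best))
        zs.append(z_next)
        vs.append(objective(z_next))
    i = vs.index(min(vs))                                  # 4) minimum observed B(z)
    return zs[i], vs[i], len(vs)


def toy_margin(z):
    """Constructed stand-in for B(z) = log(M_c) - log(M_t); not a real classifier."""
    return 0.8 - 1.5 * math.exp(-((z - 0.04) / 0.03) ** 2)


if __name__ == "__main__":
    z, b, queries = optimise_dimension(toy_margin, eps=0.1)
    print(f"best z={z:+.4f}  B(z)={b:+.4f}  evaluations={queries}")
```

The third return value is the number of objective evaluations spent on one dimension, the same quantity the experimental results above report in aggregate.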

Claims (1)

1. An adversarial example generation method based on Bayesian optimization, characterized in that the method comprises the following steps:
Step 1: obtain the true class $y_c$ of the source image $x$ and its probability $M_c$
Feed the original image $x$ into the target DNN classifier with parameters $\theta$ to obtain the probability output vector $M(x; \theta)$ of the original image. Take the class corresponding to the maximum value in the probability output vector as the class prediction $y_c$ of the original image; the maximum value in the probability output vector is $M_c$;
Step 2: determine the objective function to be optimized
Adversarial examples are generated iteratively. To reduce computational complexity, each iteration perturbs only a certain dimension of the image vector. Let the perturbation value be $z$, and assign $z$ to the corresponding dimension of $\Delta x$. The perturbation value satisfies $\|z\| < \varepsilon$ to ensure image quality, where $\varepsilon$ is a preset threshold. Feed $x + \Delta x$ into the deep neural network (DNN) classifier with parameters $\theta$ to obtain the prediction output vector $M(x + \Delta x; \theta)$. Let $M_t$ be the largest probability value in $M(x + \Delta x; \theta)$ outside class $y_c$, with corresponding class $y_t$. The objective function is defined as $B(z) = \log(M_c) - \log(M_t)$. The optimization target is $B(z) \le 0$, which changes the target DNN classifier's classification result for the perturbed image. $\Delta x$ is an all-zero perturbation vector with the same dimensions as $x$;
Step 3: determine the coordinate and channel to optimize in this iteration
In the $T$-th iteration, compute the gradient of the structural similarity between the current perturbed image $x' = x + \Delta x$ and the random image $x_G$. Select the dimension $s$ corresponding to the smallest gradient value as the dimension to optimize. $x_G$ is a random vector sampled from a Gaussian distribution, with the same dimensions as $x$;
Step 4: optimize in the selected dimension using Bayesian optimization
1) Use a Gaussian process as the surrogate for the objective function to be optimized, and use the EI strategy as the acquisition function. Set the maximum number of test points to $I$ and the current number of test points to $i = 0$. First randomly select several perturbation values to test, generating the initial observation data set $D_{1:t}$, which contains $t$ observed data points;
2) From the posterior distribution obtained from the observed data set $D_{1:t}$, construct an EI acquisition function $\alpha_t(z; D_{1:t})$:
where $v^*$ denotes the current best function value, $\phi(\cdot)$ is the standard normal probability density function, and $\mu_t(z)$ and $\sigma_t(z)$ denote the mean and variance, respectively, of the data points in $D_{1:t}$;
3) Select the next evaluation point by maximizing the acquisition function, $z_{t+1} = \max_{z \in Z} \alpha_t(z; D_{1:t})$; assign $z_{t+1}$ to the corresponding dimension $s$ of $\Delta x$ and evaluate the objective function value $B(z_{t+1})$; add the value evaluated at $z_{t+1}$ to the observation data set $D$; increment $i$ by 1; if $i \le I$, go to 2);
4) Output the minimum function value $B(z)$ in the observed data set and its corresponding perturbation value $z$;
Step 5: assign the best perturbation value $z$ obtained in Step 4 to the perturbation vector $\Delta x$. If $B(z) < 0$, the attack is considered successful and the perturbed image $x + \Delta x$ is output as the adversarial example; if $B(z) \ge 0$, the attack is considered unsuccessful in this iteration, and the method jumps to Step 3 and continues with the next iteration on the basis of the current perturbation vector $\Delta x$.
Application number: CN201910414533.7A
Priority date: 2019-05-17
Filing date: 2019-05-17
Title: Adversarial example generation method based on Bayesian optimization
Status: Active, CN110276377B (en)

Publications (2)

Publication Number Publication Date
CN110276377A 2019-09-24
CN110276377B 2021-04-06

Family ID: 67960053

Country Status (1): CN (1) CN110276377B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant