CN110276377A - Adversarial example generation method based on Bayesian optimization
- Publication number: CN110276377A
- Authority: CN (China)
- Prior art keywords: value, disturbed, optimization, image, function
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
- G06F18/2415—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
- G06F18/24155—Bayesian classification
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
Abstract
The invention discloses an adversarial example generation method based on Bayesian optimization. Existing black-box attack methods need to query the model a large number of times to obtain optimization information. Taking the original image as input, the invention determines the position to optimize by computing the gradient of the structural similarity between the perturbed image and the original image. It then uses Bayesian optimization to sample at the selected position and obtain a perturbation value at that position that increases the loss function. Multiple positions are selected iteratively and a perturbation value is optimized for each, until the classification result of the perturbed image changes or the maximum number of iterations is reached. The invention effectively reduces the number of queries made to the target DNN model, and the number of perturbed pixels is small.
Description
Technical field
The invention belongs to the field of computer digital image processing, and in particular relates to an adversarial example generation method.
Background
Deep learning has achieved important breakthroughs on problems that were previously intractable; for example, it has been applied to reconstructing brain circuits, analysing mutations in DNA, predicting the activity and structure of potential drug molecules, and analysing particle accelerator data. Deep neural networks (DNNs) have also become the preferred method for many challenging tasks such as speech recognition and natural language understanding.
Although DNNs perform various computer vision tasks with surprising accuracy, they are highly vulnerable to adversarial attacks. Such an attack adds a small perturbation to the image that is barely perceptible to the human visual system. The attack can make a DNN classifier completely change its prediction for the image, and the attacked model places high confidence in the wrong prediction. Moreover, the same image perturbation can fool multiple neural network classifiers. A perturbed image that changes the prediction of a DNN classifier is called an adversarial example.
Current methods for generating adversarial examples fall roughly into two types: white-box attacks and black-box attacks. A white-box attack assumes full knowledge of the target model, including its parameter values, architecture and training method, and even its training data, and uses this knowledge to construct adversarial examples that fool the target model. For example, FGSM computes the gradient information of the target model and adds a small perturbation of the same magnitude to every pixel value to construct an adversarial example; JSMA computes the forward derivative of the model and perturbs a limited number of pixels to construct an adversarial example. The advantage of white-box attacks is that they are fast to compute, but they require the gradient information of the target network. Black-box attack methods use no knowledge of the network's gradients or parameters; they feed adversarial examples to the target model, query the predicted labels it outputs, and use this information to generate adversarial examples that fool the target model. For example, the One Pixel Attack method uses differential evolution and observes the predicted probability labels of the target model to generate adversarial examples, and can mislead the target network by changing only one pixel; the Boundary Attack method produces adversarial examples using only the network's classification output. However, the lack of gradient information brings a high evaluation cost: the One Pixel Attack method needs 30,000 evaluations, and the Boundary Attack method needs a million evaluations.
Summary of the invention
The main object of the invention is to address the large query cost of existing black-box attack methods by proposing a black-box attack method that generates adversarial examples based on Bayesian optimization. The method uses Bayesian optimization to search the solution space, iteratively finding a specific perturbation that, once added to the original image, changes the classifier's classification result for the perturbed image.
The black-box attack method of the invention includes the following steps:
Step 1: Obtain the true class $y_c$ of the source image $x$ and its probability $M_c$
Use the original image $x$ as the input to the target DNN classifier with parameters $\theta$ to obtain the probability output vector $M(x; \theta)$ of the original image. Take the class corresponding to the maximum value in the probability output vector as the class prediction $y_c$ of the original image; the maximum value in the probability output vector is $M_c$.
Step 2: Determine the objective function to optimize
The adversarial example is generated iteratively. To reduce computational complexity, each iteration perturbs only a certain dimension of the image vector. Let the perturbation value be $z$, and assign $z$ to the corresponding dimension of $\Delta x$. The perturbation value satisfies $\|z\| < \varepsilon$ to preserve image quality, where $\varepsilon$ is a preset threshold. Input $x + \Delta x$ to the deep neural network (DNN) classifier with parameters $\theta$ to obtain the predicted output vector $M(x + \Delta x; \theta)$. Let $M_t$ be the largest probability value in $M(x + \Delta x; \theta)$ outside class $y_c$, with corresponding class $y_t$. The objective function is defined as $B(z) = \log(M_c) - \log(M_t)$. The optimization target is $B(z) \le 0$, which changes the target DNN classifier's classification result for the perturbed image. $\Delta x$ is an all-zero perturbation vector with the same dimensions as $x$.
Step 3: Determine the coordinate and channel to optimize in this iteration
In the $T$-th iteration, compute the gradient of the structural similarity between the current perturbed image $x' = x + \Delta x$ and the random image $x_G$, and select the dimension $s$ corresponding to the minimum gradient value as the dimension to optimize. $x_G$ is a random vector with the same dimensions as $x$, sampled from a Gaussian distribution.
Step 4: Optimize the selected dimension with Bayesian optimization
1) Use a Gaussian process as a surrogate for the objective function to be optimized, and use the EI strategy as the acquisition function. Set the maximum number of test points to $I$ and the current number of test points to $i = 0$. First, randomly select several perturbation values and test them to generate the initial observation data set $D_{1:t}$, which contains $t$ observed data points.
2) From the posterior distribution obtained from the observed data set $D_{1:t}$, construct an EI acquisition function $\alpha_t(z; D_{1:t})$:
where $v^*$ denotes the current best function value, $\phi(\cdot)$ is the probability density function of the standard normal distribution, and $\mu_t(z)$ and $\sigma_t(z)$ denote the mean and variance of the data points in $D_{1:t}$, respectively.
3) Select the next evaluation point by maximizing the acquisition function, $z_{t+1} = \max_{z \in Z} \alpha_t(z; D_{1:t})$. Assign $z_{t+1}$ to the corresponding dimension $s$ of $\Delta x$ and evaluate the objective function value $B(z_{t+1})$ at that point. After the evaluation at $z_{t+1}$, add the evaluated value to the observation data set $D$. Increment $i$ by 1; if $i \le I$, go to 2).
4) Output the minimum function value $B(z)$ in the observed data set and its corresponding perturbation value $z$.
Step 5: Assign the best perturbation value $z$ obtained in step 4 to the perturbation vector $\Delta x$. If $B(z) < 0$, the attack is considered successful and the perturbed image $x + \Delta x$ is output as the adversarial example. If $B(z) \ge 0$, the attack is considered unsuccessful in this iteration; jump to step 3 and continue with the next iteration on the basis of the current perturbation vector $\Delta x$.
Beneficial effects of the present invention:
By computing the gradient of the structural similarity, the invention selects the pixel at the coordinate with the minimum gradient and adds the perturbation there, which reduces the effect of the added perturbation on image quality. At the same time, the perturbation is computed with Bayesian optimization, so the best perturbation value can be obtained with comparatively few queries.
Brief description of the drawings
Fig. 1 is the original image;
Fig. 2 is the Gaussian random image;
Fig. 3 is the adversarial perturbation image;
Fig. 4 is the adversarial example image.
Detailed description of embodiments
The invention takes an original image as input, computes the structural similarity between the original image and a random Gaussian image, takes its gradient, and selects the dimension corresponding to the minimum gradient value. Bayesian optimization is then applied one dimension at a time to obtain the best perturbation value. The perturbations obtained over multiple iterations are superimposed until the class prediction of the DNN classifier changes.
A specific embodiment of the whole process of the invention is described below (for the effect of each step, see Fig. 2):
Step 1: Obtain the true class $y_c$ of the source image $x$ and its probability $M_c$
$x$ is the original image vector (shown in Fig. 1), $\Delta x$ is an all-zero perturbation vector with the same dimensions as $x$, and $x_G$ is a random vector with the same dimensions as $x$ sampled from a Gaussian distribution (shown in Fig. 2). Use the original image $x$ as the input to the target DNN classifier to obtain the probability output vector $M(x; \theta)$ of the original image. Take the class corresponding to the maximum value in the probability output vector as the class prediction $y_c$ of the original image; the maximum value in the probability output vector is $M_c$.
Step 2: Determine the objective function to optimize
Because the image vector $x$ has high dimensionality, and generating an adversarial example does not require perturbing every dimension, the method perturbs only one dimension at a time and leaves the other dimensions unchanged, which produces the test perturbation $\Delta x$. Input $x + \Delta x$ to the DNN classifier to obtain the predicted output vector $M(x + \Delta x; \theta)$. Let $M_t$ be the largest probability value in $M(x + \Delta x; \theta)$ outside class $y_c$, with corresponding class $y_t$. The objective function is defined as $B(z) = \log(M_c) - \log(M_t)$. The optimization target is $B(z) \le 0$, which changes the target DNN classifier's classification result for the perturbed image.
Step 3: Determine the coordinate and channel to optimize in this iteration
In the $T$-th iteration, compute the structural similarity $\mathrm{SSIM}(x', x_G)$ between the current perturbed image $x' = x + \Delta x$ and the random image $x_G$:
Here $\mu_{x'}$ and the corresponding term for $x_G$ denote the means of $x'$ and $x_G$; the remaining terms are the variances of $x'$ and $x_G$ and the covariance of $x'$ and $x_G$. $\epsilon_1$ and $\epsilon_2$ are small scalars that ensure the denominator is not zero. Then take the gradient of the structural similarity with respect to the image $x'$, which gives a gradient vector with the same dimensions as the original image.
Select the coordinate $s$ and channel $c$ corresponding to the minimum gradient value as the coordinate to optimize in the next step:
Step 4: Optimize the selected pixel with Bayesian optimization
1) Use a Gaussian process as a surrogate for the objective function to be optimized, and use the EI strategy as the acquisition function. Set the maximum number of test points to $I$ and the current number of test points to $i = 0$. First, randomly select several perturbation values and test them to generate the initial observation data set $D_{1:t}$, which contains $t$ observed data points.
2) From the posterior distribution obtained from the observed data set $D_{1:t}$, construct an EI acquisition function $\alpha_t(z; D_{1:t})$:
where $v^*$ denotes the current best function value, $\phi(\cdot)$ is the probability density function of the standard normal distribution, and $\mu_t(z)$ and $\sigma_t(z)$ denote the mean and variance of the data points in $D_{1:t}$, respectively.
3) Select the next evaluation point by maximizing the acquisition function, $z_{t+1} = \max_{z \in Z} \alpha_t(z; D_{1:t})$. Assign $z_{t+1}$ to the corresponding dimension $s$ of $\Delta x$ and evaluate the objective function value $B(z_{t+1})$ at that point. After the evaluation at $z_{t+1}$, add the evaluated value to the observation data set $D$. Increment $i$ by 1; if $i \le I$, go to 2).
4) Output the minimum function value $B(z)$ in the observed data set and its corresponding perturbation value $z$.
Step 5: Assign the best perturbation value $z$ obtained in step 4 to the perturbation vector $\Delta x$ (the final perturbation image is shown in Fig. 3; 36 pixels were perturbed in total, with 891 evaluations). If $B(z) < 0$, the attack is considered successful and the perturbed image $x + \Delta x$ is output as the adversarial example (the final adversarial example image is shown in Fig. 4). If $B(z) \ge 0$, the attack is considered unsuccessful in this iteration; jump to step 3 and continue with the next iteration on the basis of the current perturbation vector $\Delta x$.
Experimental results: 100 images were selected at random from CIFAR10 as experimental data. In the results, the mean number of perturbed pixels is 95.22 with a median of 78.5, and the mean number of evaluations is 2364.85 with a median of 1944.5. The number of evaluations is considerably lower than for the One Pixel Attack method and the Boundary Attack method.
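The step 4 loop (Gaussian-process surrogate, EI acquisition, fixed query budget) run against a constructed toy classifier, as an added example that is not code from the patent. The toy model, the choice of dimension `s`, the candidate grid, the RBF kernel settings and the closed-form expected-improvement expression (the standard one for minimization, used because the patent's own formula is not reproduced on this page) are all assumptions.

```python
import math
import random

# Constructed toy target: 3-class softmax over sin() features of a 4-value input.
# It stands in for the black-box classifier M(x; theta); only predict() is queried.
W = [[2.0, -1.0, 0.5, 0.0], [-0.5, 1.5, 1.0, 0.5], [0.0, 0.5, -1.0, 1.0]]
X = [0.8, 0.2, 0.4, 0.1]  # constructed "original image" vector x

def predict(x):
    """Probability output vector M(x; theta) of the toy classifier."""
    logits = [sum(w * math.sin(4.0 * v) for w, v in zip(row, x)) for row in W]
    top = max(logits)
    exps = [math.exp(v - top) for v in logits]
    return [e / sum(exps) for e in exps]

def margin(s, z, y_c):
    """B(z) = log(M_c) - log(M_t); M_c is read as P(y_c) for the perturbed input."""
    x = list(X)
    x[s] += z                      # write z into dimension s of delta-x
    p = predict(x)                 # one query to the classifier
    m_t = max(v for k, v in enumerate(p) if k != y_c)
    return math.log(p[y_c]) - math.log(m_t)

def grid_points(eps, n):           # n candidate values strictly inside (-eps, eps)
    return [-eps + 2.0 * eps * (k + 1) / (n + 1) for k in range(n)]

def rbf(a, b, ell=0.2):            # assumed kernel: unit-variance RBF
    return math.exp(-0.5 * ((a - b) / ell) ** 2)

def cholesky(a):
    n = len(a)
    low = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = a[i][j] - sum(low[i][k] * low[j][k] for k in range(j))
            low[i][j] = math.sqrt(max(s, 1e-12)) if i == j else s / low[j][j]
    return low

def solve_lower(low, b):           # forward substitution: low * y = b
    y = []
    for i, row in enumerate(low):
        y.append((b[i] - sum(row[k] * y[k] for k in range(i))) / row[i])
    return y

def solve_upper(low, y):           # back substitution: low^T * a = y
    n = len(low)
    a = [0.0] * n
    for i in reversed(range(n)):
        a[i] = (y[i] - sum(low[k][i] * a[k] for k in range(i + 1, n))) / low[i][i]
    return a

def gp_posterior(zs, ys, cand):
    """Gaussian-process surrogate: posterior (mean, std) of B at each candidate."""
    mean_y = sum(ys) / len(ys)
    k_mat = [[rbf(p, q) + (1e-6 if i == j else 0.0) for j, q in enumerate(zs)]
             for i, p in enumerate(zs)]
    low = cholesky(k_mat)
    alpha = solve_upper(low, solve_lower(low, [y - mean_y for y in ys]))
    out = []
    for z in cand:
        k_vec = [rbf(z, p) for p in zs]
        v = solve_lower(low, k_vec)
        mu = mean_y + sum(k * a for k, a in zip(k_vec, alpha))
        out.append((mu, math.sqrt(max(1.0 - sum(t * t for t in v), 0.0))))
    return out

def expected_improvement(mu, sigma, best):
    """Standard closed-form EI for minimisation (assumed form, see lead-in)."""
    if sigma <= 0.0:
        return max(best - mu, 0.0)
    u = (best - mu) / sigma
    pdf = math.exp(-0.5 * u * u) / math.sqrt(2.0 * math.pi)
    cdf = 0.5 * math.erfc(-u / math.sqrt(2.0))
    return (best - mu) * cdf + sigma * pdf

def optimise_dimension(s, eps=0.5, n_grid=39, n_init=3, budget=12, seed=0):
    """Step 4 for one dimension s; returns (best z, best B(z), number of queries)."""
    p0 = predict(X)
    y_c = max(range(len(p0)), key=lambda k: p0[k])
    grid = grid_points(eps, n_grid)
    seen = {}                      # grid index -> observed B(z); the data set D
    for k in random.Random(seed).sample(range(n_grid), n_init):
        seen[k] = margin(s, grid[k], y_c)
    for _ in range(budget):
        idx = sorted(seen)
        rest = [k for k in range(n_grid) if k not in seen]
        post = gp_posterior([grid[k] for k in idx], [seen[k] for k in idx],
                            [grid[k] for k in rest])
        best = min(seen.values())
        nxt = max(zip(rest, post),
                  key=lambda kp: expected_improvement(kp[1][0], kp[1][1], best))[0]
        seen[nxt] = margin(s, grid[nxt], y_c)
    k_best = min(seen, key=seen.get)
    return grid[k_best], seen[k_best], len(seen)

if __name__ == "__main__":
    print(optimise_dimension(s=1))  # (best z, best B(z), queries)
```

Every call to `margin` is one query to the classifier, so the returned query count is the per-dimension share of the evaluation counts quoted in the experimental results.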
Claims (1)
1. An adversarial example generation method based on Bayesian optimization, characterized in that the method comprises the following steps:
Step 1: Obtain the true class $y_c$ of the source image $x$ and its probability $M_c$
Use the original image $x$ as the input to the target DNN classifier with parameters $\theta$ to obtain the probability output vector $M(x; \theta)$ of the original image; take the class corresponding to the maximum value in the probability output vector as the class prediction $y_c$ of the original image, the maximum value in the probability output vector being $M_c$;
Step 2: Determine the objective function to optimize
The adversarial example is generated iteratively; to reduce computational complexity, each iteration perturbs only a certain dimension of the image vector; let the perturbation value be $z$, and assign $z$ to the corresponding dimension of $\Delta x$; the perturbation value satisfies $\|z\| < \varepsilon$ to preserve image quality, where $\varepsilon$ is a preset threshold; input $x + \Delta x$ to the deep neural network (DNN) classifier with parameters $\theta$ to obtain the predicted output vector $M(x + \Delta x; \theta)$; let $M_t$ be the largest probability value in $M(x + \Delta x; \theta)$ outside class $y_c$, with corresponding class $y_t$; the objective function is defined as $B(z) = \log(M_c) - \log(M_t)$; the optimization target is $B(z) \le 0$, which changes the target DNN classifier's classification result for the perturbed image; $\Delta x$ is an all-zero perturbation vector with the same dimensions as $x$;
Step 3: Determine the coordinate and channel to optimize in this iteration
In the $T$-th iteration, compute the gradient of the structural similarity between the current perturbed image $x' = x + \Delta x$ and the random image $x_G$, and select the dimension $s$ corresponding to the minimum gradient value as the dimension to optimize; $x_G$ is a random vector with the same dimensions as $x$, sampled from a Gaussian distribution;
Step 4: Optimize the selected dimension with Bayesian optimization
1) Use a Gaussian process as a surrogate for the objective function to be optimized, and use the EI strategy as the acquisition function; set the maximum number of test points to $I$ and the current number of test points to $i = 0$; first, randomly select several perturbation values and test them to generate the initial observation data set $D_{1:t}$, which contains $t$ observed data points;
2) From the posterior distribution obtained from the observed data set $D_{1:t}$, construct an EI acquisition function $\alpha_t(z; D_{1:t})$:
where $v^*$ denotes the current best function value, $\phi(\cdot)$ is the probability density function of the standard normal distribution, and $\mu_t(z)$ and $\sigma_t(z)$ denote the mean and variance of the data points in $D_{1:t}$, respectively;
3) Select the next evaluation point by maximizing the acquisition function, $z_{t+1} = \max_{z \in Z} \alpha_t(z; D_{1:t})$; assign $z_{t+1}$ to the corresponding dimension $s$ of $\Delta x$ and evaluate the objective function value $B(z_{t+1})$ at that point; after the evaluation at $z_{t+1}$, add the evaluated value to the observation data set $D$; increment $i$ by 1, and if $i \le I$, go to 2);
4) Output the minimum function value $B(z)$ in the observed data set and its corresponding perturbation value $z$;
Step 5: Assign the best perturbation value $z$ obtained in step 4 to the perturbation vector $\Delta x$; if $B(z) < 0$, the attack is considered successful and the perturbed image $x + \Delta x$ is output as the adversarial example; if $B(z) \ge 0$, the attack is considered unsuccessful in this iteration, and the method jumps to step 3 and continues with the next iteration on the basis of the current perturbation vector $\Delta x$.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910414533.7A CN110276377B (en) | 2019-05-17 | 2019-05-17 | Confrontation sample generation method based on Bayesian optimization |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910414533.7A CN110276377B (en) | 2019-05-17 | 2019-05-17 | Confrontation sample generation method based on Bayesian optimization |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110276377A (en) | 2019-09-24 |
CN110276377B (en) | 2021-04-06 |
Family
ID=67960053
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910414533.7A Active CN110276377B (en) | 2019-05-17 | 2019-05-17 | Confrontation sample generation method based on Bayesian optimization |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110276377B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN110276377B (en) | 2021-04-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||