CN110619292B - Countermeasure defense method based on binary particle swarm channel optimization - Google Patents
Publication number: CN110619292B
Authority: CN (China)
Legal status: Active
Abstract
The defense method based on binary particle swarm channel optimization comprises the following steps: 1) building an adversarial sample detector; 2) establishing a detector data set; 3) optimizing the channel, specifically: initializing the particles, that is, first determining the size of the particle swarm and then initializing the position parameters of each particle as a binary code; calculating the individual extreme values and the global optimal solution; updating the particle positions; iterating the optimization; transforming the images; 4) training the detector: the transformed pictures are input to the target detector to obtain a class confidence matrix for each frame, and the adversarial sample detector is trained with this matrix. The invention markedly accelerates processing and achieves a higher adversarial sample detection rate while using the fewest resources.
Description
Technical Field
The invention relates to a defense method for detecting adversarial samples.
Background
With the rapid progress and great success of deep neural networks, their application in the security field is also increasing. In the field of target detection in particular, deep neural networks play an important role. However, a great deal of recent research has shown that deep neural networks are vulnerable to adversarial samples (perturbations added to the input that cause the neural network to make wrong decisions). This vulnerability has become a main challenge for applying deep neural networks in the security field.
Adversarial attacks currently fall into two broad categories, depending on the stage of the neural network that is attacked. One attacks the deep neural network during its training phase: by modifying the training set, changing the input features or the data labels, the attacker prevents the trained network from working normally. Barreno et al. altered the original distribution of the training data by modifying and deleting parts of the training set, thereby mounting an adversarial attack. Biggio et al. proposed attacking by changing training data labels, and they successfully reduced the performance of a support vector machine classifier by modifying 40% of the labels in the training set. Kloft et al. mounted an adversarial attack by injecting malicious data into the training set to alter the decision boundaries. The other category of adversarial attack is performed during the testing phase of the deep neural network. These attacks can be divided into two kinds: white-box attacks and black-box attacks. In a white-box attack, the attacker knows information such as the structure and parameters of the model and builds adversarial samples from that information. In the black-box setting, the relevant information about the model cannot be obtained, and the attack mainly relies on querying the model, building a substitute model, and exploiting the transferability of adversarial samples.
With the rapid development of neural networks, they have been widely applied in many fields such as image recognition, target detection, and object segmentation. In the field of target detection, from RCNN to SSD to YOLO, new families of detectors keep appearing, each developed on the basis of its predecessors. At the same time, adversarial attacks against these detectors are also ongoing, which presents a significant challenge to the application of deep neural networks. Target detection has many application scenarios, including driverless vehicles, unmanned aerial vehicles, and robots. In an adversarial attack, perturbations added to the video received by the detector cause it to mis-detect objects in the video, which can have serious consequences. It has been shown that adversarial samples generated by such an attack can make the target detector fail to detect people present in the video. This is fatal to the application of neural networks in fields such as driverless vehicles.
Disclosure of Invention
The present invention provides an adversarial defense method based on binary particle swarm channel optimization to overcome the above disadvantages of the prior art.
For this attack scenario, the invention provides an adversarial defense method that enables the target detector to identify adversarial samples and avoids the serious consequences caused by mis-detecting an object in the video.
Currently, deep neural networks play an important role in the field of target detection, but many adversarial attacks have followed. The Fast Gradient Sign Method (FGSM) is a common white-box attack method. The invention provides a defense method against this adversarial attack, which can detect whether a video has been attacked.
The technical scheme of the invention is as follows:
An adversarial defense method based on binary particle swarm channel optimization comprises the following steps:
1) Build the adversarial sample detector framework;
2) Establish a detector data set;
2.1) Generate adversarial samples;
Adversarial samples are generated by an FGSM attack.
2.2) Frame the video;
The original video and the generated adversarial samples are each split into frames, and the resulting pictures are run through the target detector. From the pictures of the adversarial samples, those in which the target detector cannot detect a person are selected. From the original video, the pictures in which the target detector successfully detects a person are selected. 70% of the pictures are used as the training set and 30% as the test set. The accuracy calculation formula of the adversarial sample detector is as follows:
where p represents the accuracy of the detector, N represents the number of adversarial sample frames detected in the video, and N represents the total number of adversarial sample frames in the video.
3) Optimize the channel;
3.1) Initialize the particles;
The position information of each particle is initialized in the form of a binary code.
In formula (1), x(0) represents a first-generation particle, i represents the i-th particle, and d represents the d-th dimension of the particle. The range of d is determined by the total number of channels. rand() represents a random number on the interval [0,1] that follows a uniform distribution.
3.2) Calculate the individual extreme value of each particle and the global optimal solution;
Given the position information of the particles, the current individual extreme value of each particle is calculated with the fitness function defined by formula (3), and the current individual extreme values of the particles are compared to select the current global optimal solution.
$$\mathrm{fitness}(x_{id}) = \text{cross-entropy}(D) + \delta\,\mathrm{NUM}(x_{id}) \tag{3}$$
3.3) Update the particle position;
Unlike the position update in ordinary particle swarm optimization, binary particle swarm optimization updates the position by deriving a probability of position change from the particle velocity. The velocity update formula in the binary particle swarm algorithm is as follows:
$$v_{id} = \omega v_{id} + c_1\,\mathrm{rand}()\,(p_{id} - x_{id}) + c_2\,\mathrm{rand}()\,(p_{gd} - x_{id}) \tag{4}$$
where $\omega$ is the inertia factor and $c_1$, $c_2$ are acceleration constants, typically taken as $c_1 = c_2 \in [0, 4]$. rand() represents a random number on the interval [0,1] that follows a uniform distribution. $p_{id}$ represents the individual extreme value of the i-th particle; the individual extreme value is the optimal position information found by each particle and is obtained through the fitness function. $p_{gd}$ represents the global optimal solution of the current entire particle swarm; the global optimal solution is the historically optimal position information.
Given the particle velocity, the probability that the particle changes position is solved by equation (5).
The particle position is then obtained from equation (6) based on this probability.
3.4) Iterative optimization;
The iterative optimization process repeats steps 3.2) to 3.3). Updating the position information of the particles updates the current individual extreme values, and the optimal solution is found. To prevent the iteration from falling into an infinite loop and to obtain a better solution, two conditions for ending the iteration are set. As shown in equation (7), the first is that the iteration ends when the number of iterations reaches the set maximum number of iterations. The second is that the iteration ends when the difference between two adjacent global optimal solutions is smaller than a set threshold value. At that point, the current global optimal solution is taken as the final solution, giving the optimal channel combination.
$$T = T_{\max} \quad \text{or} \quad p_{gd}(n) - p_{gd}(n-1) \le p \tag{7}$$
3.5) Image transformation;
From the training set obtained in step 2.2), one frame out of every 5 is taken and transformed according to the channel combination from step 3.3).
4) Train the detector;
The pictures obtained in step 3.5) are sent to the target detector to obtain a class confidence matrix, and the adversarial sample detector built in step 1) is trained with this matrix.
The technical conception of the invention is as follows: adversarial samples are more sensitive to image transformations such as translation and rotation than normal video. Based on this principle, whether an input is an adversarial sample can be determined by applying image transformations to the input of the neural network. To decide which image transformations to use, the invention selects the channel combination with a binary particle swarm optimization method. First, the size of the particle swarm is set, and the parameters of each particle in the swarm are initialized. The velocity of each particle is generated with the velocity update formula and converted by a mapping function into the probability that the particle's position changes, which is used to update the position. Finally, the current individual extreme value of each particle is calculated with the fitness function, the individual extreme values are compared, and the global optimal extreme value is calculated. The particle positions are updated continuously through iteration, which updates the individual extreme values and the global optimal solution, until the optimal solution is finally obtained.
The invention has the following beneficial effects: with this optimization method, the transformations that are most effective for detecting adversarial samples can be selected from a large number of image transformations; the high time cost and high computing power requirement of transforming with all channels are avoided; the invention markedly accelerates processing and achieves a higher adversarial sample detection rate while using the fewest resources.
Drawings
FIG. 1 is a work flow diagram of the method of the present invention.
FIG. 2 is a flow chart of channel optimization based on binary particle swarm for the method of the present invention.
FIG. 3 is a flow chart of training the adversarial sample detector of the method of the present invention.
FIGS. 4a and 4b show the effect of the method of the present invention: FIG. 4a shows that YOLOv2 can detect pedestrians in the video; the video in FIG. 4b has been perturbed by an FGSM attack, and YOLOv2 cannot identify the pedestrians.
Detailed Description
The following describes a specific embodiment of the present invention with reference to the drawings.
Referring to the drawings, the defense method provided by the invention uses a detector to determine whether a video has been attacked. FIG. 1 shows the main flow of the method in more detail. The video is split into frames, an image transformation operation is applied to each frame, and the result is input to the target detector to obtain a class confidence matrix; the adversarial sample detector then judges from the class confidence matrix whether the frame is an adversarial sample.
The invention discloses a defense method based on binary particle swarm channel optimization, which comprises the following steps:
1) Build an adversarial sample detector. The detector uses a fully connected layer and the ReLU activation function, and the output layer uses a sigmoid activation function to output the detection result.
2) Establish a detector data set.
2.1) Generate adversarial samples.
As can be seen from FIG. 3, the detector data set is composed mainly of two parts. One part consists of the original video, and the other part consists of adversarial samples. Therefore, a section of pedestrian video is selected first, and adversarial samples are generated from it with the FGSM attack method. The adversarial samples successfully fool the target detector, so that the detector cannot detect the person class.
2.2) Frame the video.
The original video and the adversarial samples are input to the target detector. When detecting the original video, the frames in which a person is successfully detected are selected, and these frames are labeled ori 1. When detecting the adversarial samples, the frames that fool the detector are selected, and these frames are labeled adv 0. Finally, 70% of the above frames are used as the training set, and the remaining 30% are used as the test set. The accuracy calculation formula of the adversarial sample detector is as follows:
where p represents the accuracy of the detector, N represents the number of adversarial sample frames detected in the video, and N represents the total number of adversarial sample frames in the video.
3) Optimize the channel.
3.1) Initialize the particles: first determine the size of the particle swarm, then initialize the position parameter of each particle as a binary code, in the manner given by formula (2). The position coordinates of a particle have d dimensions, d being the total number of channels. The initialized position coordinates consist of 0s and 1s. The position parameter of each particle therefore represents one channel combination, and initialization amounts to randomly selecting a number of channel combinations.
3.2) Calculate the individual extreme values and the global optimal solution: using the fitness function defined here, each particle calculates an individual extreme value from its position parameter, and by comparing the individual extreme values of all particles, the minimum one is selected as the current global optimal solution. The fitness function proposed by the method is given in formula (3):
$$\mathrm{fitness}(x_{id}) = \text{cross-entropy}(D) + \delta\,\mathrm{NUM}(x_{id}) \tag{3}$$
where $\mathrm{fitness}(x_{id})$ represents the current individual extreme value of the i-th particle, $\mathrm{NUM}(x_{id})$ represents the number of channels used in the channel combination of the i-th particle, and $\delta$ is a penalty coefficient whose value becomes larger as the number of channels in the channel combination increases; it is desirable to use as few channels as possible, thereby reducing the time cost. cross-entropy(D) represents the cross-entropy of the adversarial sample detector. The current individual extreme value of each particle is calculated with this formula, and the current individual extreme values are compared to obtain the current global optimal solution.
3.3) Update the particle position: each particle updates its position parameter according to its velocity. The velocity of the particles is determined by velocity equation (4):
$$v_{id} = \omega v_{id} + c_1\,\mathrm{rand}()\,(p_{id} - x_{id}) + c_2\,\mathrm{rand}()\,(p_{gd} - x_{id}) \tag{4}$$
In the formula, $v_{id}$ denotes the d-th dimension velocity information of the i-th particle. $\omega$ is the inertia factor, and $c_1$, $c_2$ are acceleration constants, typically taken as $c_1 = c_2 \in [0, 4]$. rand() represents a random number on the interval [0,1]. $p_{id}$ represents the individual extreme value of the i-th particle, which is the optimal position information found by that particle. $p_{gd}$ represents the global optimal solution of the whole particle swarm, which is the optimal position information in the whole swarm. From the above equation, it is clear that the velocity of a particle depends mainly on the difference between its current position and the optimal positions.
The current velocity of the particle is calculated from the above information, and the probability that each particle changes position is calculated according to equation (5).
In the formula, $s(v_{id})$ denotes the probability that position $x_{id}$ takes the value 1. To avoid $s(v_{id})$ being too close to 1 or 0, a limit is placed on $v_{id}$: a parameter $V_{\max}$ is set manually as the upper limit of $v_{id}$, and its lower limit is $-V_{\max}$. Whether to change the position parameter of the particle is determined by the probability calculated with this formula. The specific way of changing the position parameter is given in formula (6):
In the formula, $x_{id}$ denotes the d-th dimension position information of the i-th particle. rand() represents a random number on the interval [0,1]. If a random number uniformly distributed on [0,1] is less than or equal to $s(v_{id})$, the d-th dimension position information of the i-th particle is updated to 1, otherwise to 0.
3.4) Iterative optimization: repeat steps 3.2) to 3.3) until the number of iterations reaches the set maximum number of iterations or the difference between the global optimal solutions of two adjacent generations reaches the set threshold value. The iteration termination condition is given in formula (7):
$$T = T_{\max} \quad \text{or} \quad p_{gd}(n) - p_{gd}(n-1) \le p \tag{7}$$
In the above formula, $T$ denotes the current number of iterations, $T_{\max}$ denotes the preset maximum number of iterations, $p_{gd}(n)$ denotes the current global optimal solution, $p_{gd}(n-1)$ denotes the global optimal solution of the previous generation, and $p$ denotes the preset threshold on the difference between the global optimal solutions of two adjacent generations. The purpose of this setting is mainly to obtain a better solution while keeping the optimization process from falling into an infinite loop.
3.5) Image transformation.
With the current channel combination known from step 3.3), perform the image transformation operation on the training set constructed in step 2). In consideration of time cost, the corresponding image transformation is performed on one frame of video out of every 5 frames.
4) Train the detector: the images transformed in step 3.5) are input to the target detector to obtain a class confidence matrix for each frame. The adversarial sample detector is trained with this matrix. The cross-entropy is taken as the loss function of the detector, as shown in formula (8):
in the formula, m represents the total number of training sets, x represents a training set, y represents the label of x, and h () represents the probability that the label of sample x is 1.
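The channel search of steps 3.1) to 3.4), as an added example that is not code from the patent: a binary particle swarm over channel masks that minimises formula (3), moves with formula (4) and stops by rule (7). Assumptions, because formulas (2), (5), (6) and (8) are not reproduced on this page: the standard logistic sigmoid for s(v), a 0.5 threshold at initialisation, the usual binary cross-entropy, a constant δ, constructed frame data scored by a fixed stand-in detector, and a hypothetical `patience` parameter (`patience=1` is rule (7) taken literally, which stops as soon as one generation fails to improve the global optimum).

```python
import math
import random

def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))

def make_frames(rng, n_frames=60, d=12, informative=(1, 4, 7)):
    """Constructed data: frames[k] = (per-channel confidence change, label).
    Label 1 = original frame (ori), 0 = adversarial frame (adv)."""
    frames = []
    for k in range(n_frames):
        y = k % 2
        row = [rng.gauss(0.8 if (c in informative and y == 0) else 0.2, 0.1)
               for c in range(d)]
        frames.append((row, y))
    return frames

def cross_entropy(mask, frames, gain=10.0, thresh=0.5):
    """Binary cross-entropy of a fixed stand-in detector (assumption) that only
    sees the channels switched on in `mask`."""
    chosen = [c for c, bit in enumerate(mask) if bit]
    if not chosen:                       # empty channel combination: unusable
        return float("inf")
    total = 0.0
    for row, y in frames:
        change = sum(row[c] for c in chosen) / len(chosen)
        h = sigmoid(gain * (thresh - change))        # h(x) = P(label == 1)
        h = min(max(h, 1e-12), 1.0 - 1e-12)
        total -= y * math.log(h) + (1 - y) * math.log(1.0 - h)
    return total / len(frames)

def fitness(mask, frames, delta=0.01):
    """Formula (3): cross-entropy(D) + delta * NUM(x)."""
    return cross_entropy(mask, frames) + delta * sum(mask)

def bpso(frames, d, swarm=20, w=0.7, c1=2.0, c2=2.0, vmax=4.0,
         t_max=200, eps=1e-3, patience=25, seed=0):
    rng = random.Random(seed)
    # 3.1) binary-coded random positions, zero initial velocity
    x = [[1 if rng.random() < 0.5 else 0 for _ in range(d)] for _ in range(swarm)]
    v = [[0.0] * d for _ in range(swarm)]
    # 3.2) individual extreme values and global optimum (smaller is better)
    pbest = [p[:] for p in x]
    pfit = [fitness(p, frames) for p in x]
    g = min(range(swarm), key=pfit.__getitem__)
    gbest, gfit = pbest[g][:], pfit[g]
    history, flat = [gfit], 0
    for _ in range(t_max):                        # first half of rule (7)
        for i in range(swarm):
            for k in range(d):
                # 3.3) formula (4), then clamp to [-Vmax, Vmax]
                vel = (w * v[i][k]
                       + c1 * rng.random() * (pbest[i][k] - x[i][k])
                       + c2 * rng.random() * (gbest[k] - x[i][k]))
                v[i][k] = max(-vmax, min(vmax, vel))
                # the bit becomes 1 with probability s(v), otherwise 0
                x[i][k] = 1 if rng.random() <= sigmoid(v[i][k]) else 0
            f = fitness(x[i], frames)
            if f < pfit[i]:
                pbest[i], pfit[i] = x[i][:], f
            if f < gfit:
                gbest, gfit = x[i][:], f
        history.append(gfit)
        # second half of rule (7): improvement of the global optimum <= eps
        flat = flat + 1 if history[-2] - history[-1] <= eps else 0
        if flat >= patience:
            break
    return gbest, gfit, history

if __name__ == "__main__":
    frames = make_frames(random.Random(1))
    mask, best, hist = bpso(frames, d=12)
    print("channels kept:", [c for c, b in enumerate(mask) if b])
    print("fitness: %.4f after %d generations" % (best, len(hist) - 1))
    print("all 12 channels: %.4f" % fitness([1] * 12, frames))
```

In a real pipeline `cross_entropy` would retrain or re-evaluate the adversarial sample detector on the class confidence matrices produced for the selected channels, which is why the δ·NUM term matters for run time.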
Take as an example defending against an FGSM attack on the YOLOv2 model that leaves YOLOv2 unable to detect people in the video. The effect is shown in FIGS. 4a and 4b: FIG. 4a shows that YOLOv2 can detect pedestrians in the video. The video in FIG. 4b has been perturbed by an FGSM attack and YOLOv2 cannot identify the pedestrians, but the adversarial sample detector detects the video as an adversarial sample. The specific process of the defense is as follows:
(1) Build the adversarial sample detector framework: the detector is built with 2 fully connected layers. The activation function of the first (input) layer is ReLU. A total of 45 image transformation operations are considered, and the YOLOv2 network trained on the COCO dataset can detect 91 classes, so the input channel is set to 45 × 91. The output layer uses the sigmoid activation function and outputs a two-class detection result.
(2) Establish a data set.
(2.1) Generate adversarial samples.
A section of pedestrian video is selected, and adversarial samples are generated with the FGSM method.
(2.2) Frame the video.
The original pedestrian video and the generated adversarial samples are split into frames and sent to YOLOv2 for detection. Frames of the original video in which people can be detected are picked out and labeled ori 1. Frames of the adversarial samples in which no person is detected are picked out and labeled adv 0. 70% of these frames are selected as the training set for the detector. The test set is built from the remaining 30% of the frames as follows: after every 3 frames labeled ori1, the next 2 frames are replaced with the corresponding frames labeled adv 0. These mixed frames are then combined into a video that serves as the test set. The accuracy calculation formula of the detector is as follows:
where p represents the accuracy of the detector, N represents the number of adversarial sample frames detected in the video, and N represents the total number of adversarial sample frames in the video.
(3) Optimize the channel.
(3.1) Initialize the particles: the particle swarm size is 20, and the particles are initialized according to equation (2).
(3.2) Calculate the individual extreme values and the global optimal solution: for the particles obtained in step (3.1), the individual extreme values are obtained with formula (3), and the current global optimal solution is obtained by comparing the individual extreme values.
$$\mathrm{fitness}(x_{id}) = \text{cross-entropy}(D) + \delta\,\mathrm{NUM}(x_{id}) \tag{3}$$
(3.3) Update the particle position: the current velocity of the particles is obtained from formula (4).
$$v_{id} = \omega \cdot v_{id} + c_1 \cdot \mathrm{rand}() \cdot (p_{id} - x_{id}) + c_2 \cdot \mathrm{rand}() \cdot (p_{gd} - x_{id}) \tag{4}$$
From the particle velocity, the probability that the particle position changes is obtained with equation (5).
The current position of the particle is finally determined by equation (6).
(3.4) Iterative optimization: repeat steps (3.2) to (3.3). The optimization ends when the number of iterations reaches 5000 or the difference between two adjacent global extreme values is less than 0.001.
(3.5) Image transformation: taking 1 frame out of every 5 from the training set obtained in step (2), perform the image transformation operation of step (3.3).
(4) Train the detector: the images obtained in step (3.5) are sent to the YOLOv2 detector to obtain a class confidence matrix, and the detector built in step (1) is trained with this matrix; the detector's loss function is as shown in formula (8).
Adam is selected as the detector's optimization algorithm, with the learning rate set to 0.00001. If the end condition of step (3.4) has not been reached, return to step (3.2) and continue the optimization. Otherwise, all operations end; the detector obtained from this training is taken as the final adversarial sample detector, and the channel combination obtained in step (3) is taken as the optimal channel combination.
The embodiments described in this specification are merely illustrative of implementations of the inventive concept and the scope of the present invention should not be considered limited to the specific forms set forth in the embodiments but rather by the equivalents thereof as may occur to those skilled in the art upon consideration of the present inventive concept.
Claims (1)
1. The defense method based on binary particle swarm channel optimization comprises the following steps:
1) building an adversarial sample detector, wherein the adversarial sample detector uses a fully connected layer and the ReLU activation function, and the output layer uses a sigmoid activation function to output the detection result;
2) establishing a detector data set;
2.1) generating adversarial samples;
the detector data set is composed mainly of two parts; one part consists of the original video, and the other part consists of adversarial samples; therefore, a section of pedestrian video is selected first and adversarial samples are generated with the FGSM attack method, the adversarial samples successfully deceiving the target detector so that the detector cannot detect the person class;
2.2) framing the video;
inputting the original video and the adversarial samples into the target detector; when detecting the original video, selecting the frames in which a person is successfully detected and labeling these frames ori 1; when detecting the adversarial samples, selecting the frames that deceive the detector and labeling these frames adv 0; finally, taking 70% of the frames as the training set and the remaining 30% as the test set; the accuracy calculation formula of the adversarial sample detector is as follows:
wherein p represents the accuracy of the detector, N represents the number of adversarial sample frames detected in the video, and N represents the total number of adversarial sample frames in the video;
3) optimizing the channel;
3.1) initializing the particles, namely first determining the size of the particle swarm and then initializing the position parameter of each particle as a binary code, in the manner given by formula (2); the position coordinates of a particle have d dimensions, d being the total number of channels; the initialized position coordinates consist of 0s and 1s; the position parameter of each particle therefore represents one channel combination, and initialization amounts to randomly selecting a number of channel combinations;
3.2) calculating the individual extreme values and the global optimal solution: using the fitness function, each particle calculates an individual extreme value from its position parameter, and by comparing the individual extreme values of all particles, the minimum one is selected as the current global optimal solution; the fitness function is given in formula (3):
$$\mathrm{fitness}(x_{id}) = \text{cross-entropy}(D) + \delta \cdot \mathrm{NUM}(x_{id}) \tag{3}$$
wherein $\mathrm{fitness}(x_{id})$ represents the current individual extreme value of the i-th particle, $\mathrm{NUM}(x_{id})$ represents the number of channels used in the channel combination of the i-th particle, and $\delta$ is a penalty coefficient whose value becomes larger as the number of channels in the channel combination increases, it being desirable to use as few channels as possible so as to reduce the time cost; cross-entropy(D) represents the cross-entropy of the adversarial sample detector; the current individual extreme value of each particle is calculated with this formula, and the current individual extreme values are then compared to obtain the current global optimal solution;
3.3) updating the particle position: each particle updates its position parameter according to its velocity; the velocity of the particles is determined by velocity equation (4):
$$v_{id} = \omega \cdot v_{id} + c_1 \cdot \mathrm{rand}() \cdot (p_{id} - x_{id}) + c_2 \cdot \mathrm{rand}() \cdot (p_{gd} - x_{id}) \tag{4}$$
in the formula, $v_{id}$ denotes the d-th dimension velocity information of the i-th particle; $\omega$ is the inertia factor, and $c_1$, $c_2$ are the acceleration constants, $c_1 = c_2 \in [0, 4]$; rand() represents a random number on the interval [0,1]; $p_{id}$ represents the individual extreme value of the i-th particle, which is the optimal position information found by that particle; $p_{gd}$ represents the global optimal solution of the whole particle swarm, which is the optimal position information in the whole swarm; as seen from equation (4), the velocity of a particle depends mainly on the difference between its current position and the optimal positions;
calculating the current velocity of the particles from the above information, and calculating the probability that each particle changes position according to formula (5);
in the formula, $s(v_{id})$ denotes the probability that position $x_{id}$ takes the value 1; to avoid $s(v_{id})$ being too close to 1 or 0, a limit is placed on $v_{id}$: a parameter $V_{\max}$ is set manually as the upper limit of $v_{id}$, and its lower limit is $-V_{\max}$; whether to change the position parameter of the particle is determined by the probability calculated with this formula; the specific way of changing the position parameter is given in formula (6):
in the formula, $x_{id}$ denotes the d-th dimension position information of the i-th particle; rand() represents a random number on the interval [0,1]; if a random number uniformly distributed on [0,1] is less than or equal to $s(v_{id})$, the d-th dimension position information of the i-th particle is updated to 1, otherwise to 0;
3.4) iterative optimization: steps 3.2)-3.3) are repeated until the number of iterations reaches the set maximum number of iterations or the difference between the global optimal solutions of two adjacent generations reaches the set threshold; the iteration termination condition is given by formula (7):
$T = T_{max}$ or $p_{gd}(n) - p_{gd}(n-1) \le p$ (7)
in the above formula, T is the current iteration number, $T_{max}$ is the preset maximum number of iterations, $p_{gd}(n)$ is the current global optimal solution, $p_{gd}(n-1)$ is the global optimal solution of the previous generation, and p is the preset threshold on the difference between the global optimal solutions of two adjacent generations; this condition is set mainly so that a better solution is obtained while the optimization process does not fall into an infinite loop;
3.5) image transformation: with the current channel combination from step 3.3) known, the image transformation operation is applied to the training set constructed in step 2); in consideration of time cost, the corresponding image transformation is applied to one video frame in every 5 frames;
4) training a detector: the images transformed in step 3.5) are input into the target detector to obtain the class confidence matrix of each frame; an adversarial sample detector is trained with these matrices; the cross entropy is taken as the loss function of the detector, as shown in formula (8):
in the formula, m represents the total number of training samples, x represents a training sample, y represents the label of x, and h() represents the probability that the label of sample x is 1.
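Steps 3.3) and 3.4) as an added Python example, not code from the patent. Formula (5) is not shown on this page, so the sigmoid used for s(v_id) is the standard binary-PSO form and is an assumption, as are `channel_score`, `GAIN`, the parameter defaults, and reading the difference in (7) as a difference in global-best fitness.

```python
import math
import random

# Constructed stand-in fitness: one gain per candidate channel (not patent data).
GAIN = [3.0, -1.0, 2.0, -2.0, -0.5, 1.5]

def channel_score(mask):
    """Score of a 0/1 channel mask; the unique optimum is [1, 0, 1, 0, 0, 1]."""
    return sum(g for g, bit in zip(GAIN, mask) if bit)

def bpso(fitness, n_dims, n_particles=10, t_max=50, w=0.8, c1=2.0, c2=2.0,
         v_max=4.0, p=0.0, seed=0):
    """Binary PSO per formulas (4)-(7); returns (best_mask, global-best history)."""
    rng = random.Random(seed)
    x = [[rng.randint(0, 1) for _ in range(n_dims)] for _ in range(n_particles)]
    v = [[0.0] * n_dims for _ in range(n_particles)]
    pbest = [row[:] for row in x]                  # p_id: best position per particle
    pbest_fit = [fitness(row) for row in x]
    g = max(range(n_particles), key=pbest_fit.__getitem__)
    gbest, history = pbest[g][:], [pbest_fit[g]]   # p_gd and its fitness per generation
    for _ in range(t_max):                         # first half of (7): T = T_max
        for i in range(n_particles):
            for d in range(n_dims):
                # formula (4): inertia plus pull towards personal and global best
                vel = (w * v[i][d]
                       + c1 * rng.random() * (pbest[i][d] - x[i][d])
                       + c2 * rng.random() * (gbest[d] - x[i][d]))
                v[i][d] = max(-v_max, min(v_max, vel))    # limit to [-V_max, V_max]
                s = 1.0 / (1.0 + math.exp(-v[i][d]))      # assumed form of formula (5)
                x[i][d] = 1 if rng.random() <= s else 0   # formula (6)
            fit = fitness(x[i])
            if fit > pbest_fit[i]:
                pbest[i], pbest_fit[i] = x[i][:], fit
        g = max(range(n_particles), key=pbest_fit.__getitem__)
        gbest = pbest[g][:]
        history.append(pbest_fit[g])
        # second half of (7); p=None disables it so that only T_max applies
        if p is not None and history[-1] - history[-2] <= p:
            break
    return gbest, history

if __name__ == "__main__":
    for threshold in (0.0, None):
        mask, hist = bpso(channel_score, len(GAIN), n_particles=20, t_max=200, p=threshold)
        print(threshold, mask, hist[-1], "generations:", len(hist) - 1)
```

With `p=0.0`, criterion (7) as written ends the search at the first generation whose global best does not improve, so compare the result against a run with `p=None` before fixing the threshold.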
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910819973.0A CN110619292B (en) | 2019-08-31 | 2019-08-31 | Countermeasure defense method based on binary particle swarm channel optimization |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110619292A (en) | 2019-12-27 |
CN110619292B (en) | 2021-05-11 |
Family
ID=68922844
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910819973.0A Active CN110619292B (en) | 2019-08-31 | 2019-08-31 | Countermeasure defense method based on binary particle swarm channel optimization |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110619292B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||