CN110619292B - Countermeasure defense method based on binary particle swarm channel optimization - Google Patents

Countermeasure defense method based on binary particle swarm channel optimization Download PDF

Info

Publication number
CN110619292B
CN110619292B CN201910819973.0A CN201910819973A CN110619292B CN 110619292 B CN110619292 B CN 110619292B CN 201910819973 A CN201910819973 A CN 201910819973A CN 110619292 B CN110619292 B CN 110619292B
Authority
CN
China
Prior art keywords
particle
detector
formula
sample
video
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910819973.0A
Other languages
Chinese (zh)
Other versions
CN110619292A (en
Inventor
陈晋音
上官文昌
郑海斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University of Technology ZJUT
Original Assignee
Zhejiang University of Technology ZJUT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University of Technology ZJUT filed Critical Zhejiang University of Technology ZJUT
Priority to CN201910819973.0A priority Critical patent/CN110619292B/en
Publication of CN110619292A publication Critical patent/CN110619292A/en
Application granted granted Critical
Publication of CN110619292B publication Critical patent/CN110619292B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/004Artificial life, i.e. computing arrangements simulating life
    • G06N3/006Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/048Activation functions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods

Abstract

The defense method based on binary particle swarm channel optimization comprises the following steps: 1) setting up a confrontation sample detector; 2) establishing a detector data set; 3) optimizing the channel, specifically: initializing particles, namely firstly determining the size of a particle swarm, and then initializing the position parameters of each particle in a binary coding mode; calculating individual extreme values and global optimal solutions; updating the particle position; performing iterative optimization; image transformation; 4) the training detector inputs the transformed picture into the target detector to obtain a class confidence matrix of each frame; the challenge sample detector is trained with the matrix. The invention obviously accelerates the processing speed and has higher detection rate of the confrontation sample under the condition of utilizing the least resources.

Description

Countermeasure defense method based on binary particle swarm channel optimization
Technical Field
The invention relates to a defense method for detecting a confrontation sample.
Background
With the rapid progress and great success of deep neural networks, the application of the deep neural networks in the safety field is also increasing. In particular, in the field of target detection, deep neural networks play an important role. However, a great deal of recent research has shown that deep neural networks are vulnerable to attack against samples (causing the neural network to make false decisions by adding perturbations on the inputs). At present, the characteristic of being easy to attack becomes a main challenge of the application of the deep neural network in the security field.
Currently, there are two general categories of counterattacks, depending on the stage of the neural network. One is to attack it during the deep neural network training phase. The deep neural network obtained by training can not work normally by modifying the training set and changing the input characteristics or the data labels. Barreno et al have altered the original distribution of training data by modifying and deleting the training set, thereby acting against the attack. Biggio et al proposed a method for changing training data labels to combat attacks, and they successfully reduced the performance of the support vector machine classifier by modifying 40% of the labels in the training set. Kloft et al then formed a counter attack by injecting malicious data into the training set to alter the decision boundaries. Another countermeasure attack is performed during the deep neural network testing phase. The attacks can be divided into two categories, one is a white-box attack and the other is a black-box attack. Under the white-box attack, an attacker can know information such as structure parameters of the model and establish a countermeasure sample through the information. In the black box environment, the relevant information of the model can not be obtained, and the method mainly comprises the steps of consulting the model, establishing a substitute model and using the transitivity of a countercheck sample to counter attacks.
With the rapid development of neural networks, neural networks have been widely applied in many fields such as image recognition, target detection, object segmentation, and the like. In the field of target detection, from RCNN to SSD to YOLO, different series of detectors are continuously present, and the series of detectors have been developed based on the original. At the same time, counterattacks against this series of detectors are also ongoing. This presents a significant challenge to the application of deep neural networks. The application scenes of target detection are many, including unmanned vehicle driving, unmanned aerial vehicles, robots and the like. By countering the attack, adding disturbances to the video received by the detector causes the detector to falsely detect objects in the video, which can have serious consequences. It has been shown that challenge samples generated by a challenge attack may render the target detector undetectable to people present in the video. This is fatal to the application of neural network in fields such as unmanned vehicle driving.
Disclosure of Invention
The present invention provides a countermeasure defense method based on binary particle swarm channel optimization to overcome the above disadvantages of the prior art.
The invention provides an anti-defense method based on the attack scene, which can enable the target detector to identify the anti-sample and avoid serious consequences caused by false detection of an object in the video.
Currently, deep neural networks play an important role in the field of target detection. But with the attendant many counterattacks. Fast Gradient Signature Method (FGSM) is a common white-box attack Method. The invention provides a defense method aiming at the counterattack, which can detect whether the video is attacked or not.
The technical scheme of the invention is as follows:
a countermeasure defense method based on binary particle swarm channel optimization comprises the following steps:
1) building a confrontation sample detector frame;
2) establishing a detector data set;
2.1) generating a confrontation sample;
generating a challenge sample by FGSM attack;
2.2) framing the video;
and respectively framing the original video and the generated confrontation sample to obtain a picture and detecting the picture by using a target detector. A picture in which the target detector cannot detect a person is selected from the pictures of the confrontation samples. And selecting a picture of a person successfully detected by the target detector from the original video. 70% of the pictures were used as training set and 30% as test set. The accuracy calculation formula of the challenge sample detector is as follows:
Figure BDA0002187263380000031
where p represents the accuracy of the detector, N represents the number of challenge sample frames detected in the video, and N represents the total number of challenge sample frames in the video.
3) Optimizing a channel;
3.1) initializing particles;
the position information for each particle is initialized in the form of a binary code.
Figure BDA0002187263380000032
In the formula (1), x (0) represents a first-generation particle, i represents an i-th particle, and d represents a d-th dimension of the particle. The d range is determined by the total number of channels. And rand () represents a random number over the interval 0,1, which random number follows a uniform distribution.
3.2) calculating the individual extreme value of the particle and the global optimal solution;
knowing the position information of the particles, calculating the current individual extreme value of each particle according to the fitness function defined by the formula (3), and comparing the current individual extreme values of each particle to select the current global optimal solution.
fitness(xid)=cross-entropy(D)+δNUM(xid) (3)
3.3) updating the particle position;
unlike the position update in the particle swarm optimization, the position update in the binary particle swarm optimization updates the position by determining the probability of the position update according to the particle velocity. The speed updating formula in the binary particle swarm algorithm is as follows:
vid=ωvid+c1rand()(pid-xid)+c2rand()(pgd-xid) (4)
where ω is the inertia factor, c1,c2Is an acceleration constant, typically taken as c1=c2∈[0,4]. rand () represents the interval [0,1]]The random numbers are subject to uniform distribution. p is a radical ofidAnd (3) expressing the individual extreme value of the ith particle, wherein the individual extreme value is the optimal position information found by each particle and is obtained through a fitness function. p is a radical ofgdRepresenting the current entire population of particlesThe global optimal solution is historically optimal location information.
Knowing the particle velocity, the probability of the particle transform position is solved by equation (5).
Figure BDA0002187263380000041
The particle position is obtained from equation (6) based on the probability of the particle change position.
Figure BDA0002187263380000042
3.4) iterative optimization;
the iterative optimization process is to repeat 3.2) -3.3) steps continuously. And updating the current individual extremum value by updating the position information of the particles, and finding out the optimal solution. In order to prevent the iteration from falling into an infinite loop and obtain a solution with a better effect, two cases for ending the iteration are set in the text. As shown in equation (7), one is to end the iteration when the number of iterations is greater than the set maximum number of iterations. And secondly, when the global optimal solutions of two adjacent times are smaller than a set threshold value, ending the iteration process. At this time, the current global optimal solution is used as a final solution to obtain the optimal channel combination.
T=Tmax or pgd(n)-pgd(n-1)≤p (7)
3.5) image transformation;
and 2) taking one frame to perform image transformation according to the channel combination in the step 3.3) every 5 frames of the training set obtained in the step 2.2).
4) Training a detector;
sending the picture obtained in the step 3.5) into a target detector to obtain a similar confidence matrix, and training the confrontation sample detector built in the step 1) by using the matrix.
Figure BDA0002187263380000051
The technical conception of the invention is as follows: the countersample is more susceptible to image transformation such as translation rotation than normal video. Based on this principle, we can determine whether the input is a challenge sample by image transforming the input of the neural network. In order to determine the kind of image transformation, the invention selects channel combination by a binary particle swarm optimization method. First, the size of the particle group is set, and parameters of each particle in the particle group are initialized. And generating the speed of the particle by using a speed updating formula, and converting the speed into the probability of the change of the position of the particle according to a mapping function so as to update the position of the particle. And finally, calculating the current individual extreme value of each particle by using a fitness function, comparing the individual extreme values of each particle, and calculating a global optimal extreme value. And continuously updating the positions of the particles through iteration so as to update the individual extreme value and the global optimal solution, and finally obtaining the optimal solution.
The invention has the following beneficial effects: by the optimization method, the transformation method which is most effective for detecting the countersample can be selected from a plurality of image transformations; the defects of high time cost, high computational power requirement and the like caused by using all channels for conversion are avoided; the invention obviously accelerates the processing speed and has higher detection rate of the confrontation sample under the condition of utilizing the least resources.
Drawings
FIG. 1 is a work flow diagram of the method of the present invention.
FIG. 2 is a flow chart of channel optimization based on binary particle swarm for the method of the present invention.
Fig. 3 is a flow chart of a training confrontation sample detector of the method of the present invention.
Fig. 4a and 4b are diagrams showing the effect of the method of the present invention, and fig. 4a shows that YOLOv2 can detect pedestrians in the video; the video in fig. 4b adds disturbance through FGSM attack, and YOLOv2 cannot identify pedestrians.
Detailed Description
The following describes a specific embodiment of the present invention with reference to the drawings.
Referring to the drawings, the defense method provided by the invention is used for detecting whether a video is attacked or not by a detector. Figure 1 shows the main flow of the method in more detail. And through the framed video, performing image transformation operation on each frame of picture, inputting the image into a target detector to obtain a similar confidence coefficient matrix, and judging whether the frame is a countermeasure sample by the countermeasure sample detector according to the similar confidence coefficient matrix.
The invention discloses a defense method based on binary particle swarm channel optimization, which comprises the following steps:
1) and (4) constructing a confrontation sample detector, wherein the detector selects a full connection layer and a Relu activation function, and the output layer outputs a detection result by adopting a sigmoid activation function.
2) A detector data set is established.
2.1) generating a confrontation sample.
As can be seen from fig. 3, the detector data set is composed of mainly two parts. And one part is composed of the original video. And the other part is composed of challenge samples. Therefore, a section of pedestrian video is selected at first, and a countermeasure sample is generated by a FGSM attack method. The challenge sample can successfully fool the target detector into detecting a person.
2.2) Framed video.
The raw video and the confrontation sample are input to a target detector. In detecting the original video, the frame that can successfully detect the person is selected, and the label of this part of the frame is labeled as ori 1. In detecting the antagonizing samples, a frame that can trick the detector is chosen and the label of this part of the frame is labeled adv 0. Finally, 70% of the above frames are used as training set, and the remaining 30% are used as test set. The accuracy calculation formula of the challenge sample detector is as follows:
Figure BDA0002187263380000071
where p represents the accuracy of the detector, N represents the number of challenge sample frames detected in the video, and N represents the total number of challenge sample frames in the video.
3) And (6) optimizing the channel.
3.1) initializing particles, namely firstly determining the size of a particle swarm, and then initializing the position parameter of each particle in a binary coding mode, wherein the specific mode refers to the formula (2). The position coordinates of the particles are in d dimensions, d being the total number of channels. The initialized position coordinates consist of 0 and 1. It can be seen that the position parameter of each particle actually represents a channel combination mode, and initialization is to randomly select a plurality of channel combinations.
Figure BDA0002187263380000081
3.2) calculating an individual extreme value and a global optimal solution: according to the fitness function defined in the text, each particle can calculate an individual extreme value according to the position parameter of the particle, and the minimum individual extreme value is finally selected as the current global optimal solution by comparing the size of the individual extreme value of each particle. The fitness function proposed by the method is as follows (3):
fitness(xid)=cross-entropy(D)+δNUM(xid) (3)
wherein, fitness (x)id) Representing the current individual extremum, NUM (x), of the ith particleid) Represents the number of channels used in the channel combination of the ith particle, and δ is a penalty coefficient whose value becomes larger as the number of channels in the channel combination increases, and it is desirable to reduce the use of channels as much as possible, thereby reducing the time cost. cross-entropy (d) represents the cross-entropy of the challenge sample detector. And calculating the current individual extreme value of each particle through the formula, and comparing the current individual extreme values of each particle to obtain the current global optimal solution.
3.3) updating the particle position: each particle updates its location parameter according to its velocity. The velocity of the particles is determined by velocity equation (4):
vid=wvid+c1rand()(pid-xid)+c2rand()(pgd-xid) (4)
in the formula, vidAnd d-dimension velocity information indicating the ith particle. Omega is the inertia factor, c1, c2Is an acceleration constant, typically taken as c1=c2∈[0,4]. rand () represents the interval [0,1]]The random number of (2). p is a radical ofidAnd representing the individual extreme value of the ith particle, wherein the individual extreme value represents the optimal position information found by each particle. p is a radical ofgdAnd representing the global optimal solution of the whole particle swarm, wherein the global optimal solution represents the optimal position information in the whole particle swarm. From the above equation, it is clear that the velocity of a particle is mainly related to the difference between its current position and the optimal position.
The current velocity of the particle is calculated from the above information, and the probability of the change position of each particle is calculated according to equation (5).
Figure BDA0002187263380000091
In the formula, s (v)id) Denotes xidThe position takes a probability of 1. Here, to avoid s (v)id) Too close to 1 or 0, so for vidAdding a limit, artificially setting a parameter VmaxAs vidWith the proviso that the lower limit thereof is-Vmax. And determining whether to change the position parameter of the particle according to the probability calculated by the formula. The specific way of changing the position parameter is as follows (6):
Figure BDA0002187263380000092
in the formula, xidAnd d-dimension position information indicating the ith particle. rand () represents the interval [0,1]]The random number of (2). In [0,1]]Random numbers uniformly distributed in intervals are less than or equal to s (v)id) If so, updating the d-dimension position information of the i-th particle to 1, otherwise, to 0.
3.4) iterative optimization: and repeating the steps 3.2) -3.3) until the iteration number reaches the set maximum iteration number or the difference between two adjacent generations of global optimal solutions reaches the set threshold value. The iteration termination condition is as follows (7):
T=Tmax or pgd(n)-pgd(n-1)≤p (7)
in the above formula, T meterIndicating the number of current iterations, TmaxIndicating a predetermined maximum number of iterations, pgd(n) denotes the current global optimum solution, pgdAnd (n-1) represents the global optimal solution of the previous generation, and p represents a preset threshold value of the difference value of the global optimal solutions of two adjacent generations. The purpose of this setting is mainly to get a better solution while the optimization process does not fall into infinite loop.
3.5) image transformation.
And 3.3) carrying out image transformation operation on the training set constructed in the step 2) according to the known current channel combination in the step 3.3). In consideration of time cost, the corresponding image transformation is performed on one frame of video every 5 frames.
4) Training a detector: inputting the image transformed in the step 3.5) into a target detector to obtain a class confidence matrix of each frame. The challenge sample detector is trained with the matrix. Taking the cross entropy as a loss function of the detector: as shown in formula (8):
Figure BDA0002187263380000101
in the formula, m represents the total number of training sets, x represents a training set, y represents the label of x, and h () represents the probability that the label of sample x is 1.
By using the FGSM method to attack the YOLOv2 model, YOLOv2 can not detect people in the video, for example, to prevent the attack, the effect is shown in fig. 4a and 4b, and fig. 4a shows that YOLOv2 can detect pedestrians in the video. The video in fig. 4b adds disturbance by FGSM attack, YOLOv2 cannot identify pedestrian, but by the confrontation sample detector, the video can be detected as confrontation sample. The specific process of the defense is as follows:
(1) set up a challenge sample detector framework: the detector was built with 2 layers of fully coiled layers. The activation function of the input layer of the first layer adopts Relu. Considering 45 image transformation operations in total, 91 classes can be detected by the YOLOv2 network trained from the coco dataset, so the input channel is set to 45 × 91. And the output layer activation function selects sigmoid and outputs a two-classification detection result.
(2) A data set is established.
(2.1) generating a confrontation sample.
A section of pedestrian video is selected, and a confrontation sample is generated by using a FGSM method.
And (2.2) framing the video.
The original pedestrian video and the generated confrontation sample are framed and sent to YOLOv2 for detection. Frames in which people can be detected in the original video are sorted out and labeled as ori 1. Frames with no human detected in the challenge sample are singled out and labeled adv 0. From which 70% were selected as the training set for the detector. The test set is selected from the remaining 30% of the frames, and the specific operations are as follows: every 3 frames of the frame labeled ori1, the next 2 frames are replaced with the corresponding frame labeled adv 0. These blended frames are then combined into a video as a test set. The accuracy calculation formula of the detector is as follows:
Figure BDA0002187263380000111
where p represents the accuracy of the detector, N represents the number of challenge sample frames detected in the video, and N represents the total number of challenge sample frames in the video.
(3) And (6) optimizing the channel.
(3.1) initialization particles: the particle group size was 20. And initializes the particles according to equation (2).
Figure BDA0002187263380000112
(3.2) calculating an individual extreme value and a global optimal solution: and (4) obtaining an individual extreme value of the particles obtained in the step (3.1) by using a formula (3), and obtaining a current global optimal solution by comparing the individual extreme values.
fitness(xid)=cross-entropy(D)+δNUM(xid) (3)
(3.3) updating the particle position: and (4) obtaining the current speed of the particles through the formula (4).
vid=w·vid+c1·rand()·(pid-xid)+c2·rand()·(pgd-xid) (4)
From the particle velocity, the probability of change of the particle position is obtained from equation (5).
Figure BDA0002187263380000113
The current position of the particle is finally determined by equation (6).
Figure BDA0002187263380000121
(3.4) iterative optimization: and (3) repeating the steps (3.2) to (3.3). And the optimization ending condition is that the iteration times reach 5000 times or the difference of two adjacent global extremums is less than 0.001.
(3.5) image transformation: and (3) performing image transformation operation in the step (3.3) on the training set obtained in the step (2) by taking 1 frame every 5 frames.
(4) Training a detector: and (3) sending the image obtained in the step (3.5) into a YOLOv2 detector to obtain a similar confidence matrix, training the detector built in the step (1) by using the matrix, and training a detector loss function as shown in a formula (8).
Figure BDA0002187263380000122
Adam is selected for the detector optimization algorithm, and the learning rate is set to 0.00001. And (4) if the end condition of the step (3.4) is not reached, turning to the step (3.2) to continue optimization. And (3) otherwise, finishing all operations, taking the detector obtained by the training as a final confrontation sample detector, and taking the channel combination obtained in the step (3) as an optimal channel combination.
The embodiments described in this specification are merely illustrative of implementations of the inventive concept and the scope of the present invention should not be considered limited to the specific forms set forth in the embodiments but rather by the equivalents thereof as may occur to those skilled in the art upon consideration of the present inventive concept.

Claims (1)

1. The defense method based on binary particle swarm channel optimization comprises the following steps:
1) building a confrontation sample detector, wherein the confrontation sample detector selects a full connection layer and a Relu activation function, and an output layer outputs a detection result by adopting a sigmoid activation function;
2) establishing a detector data set;
2.1) generating a confrontation sample;
the detector data set is mainly composed of two parts; one part is composed of original video; and the other part is composed of a challenge sample; therefore, firstly, a section of pedestrian video is selected, a confrontation sample is generated by a FGSM attack method, and the confrontation sample can successfully deceive a target detector, so that the detector cannot detect the class of people;
2.2) framing the video;
inputting the original video and the confrontation sample into a target detector; when detecting an original video, selecting a frame which can successfully detect people, and marking the label of the frame as ori 1; when detecting the antagonizing sample, selecting a frame which can cheat the detector, and labeling the label of the part of the frame as adv 0; finally, taking 70% of the frames as a training set, and taking the rest 30% as a test set; the accuracy calculation formula of the challenge sample detector is as follows:
Figure FDA0002921359370000011
wherein p represents the accuracy of the detector, N represents the number of the confrontation sample frames detected in the video, and N represents the total number of the confrontation sample frames in the video;
3) optimizing a channel;
3.1) initializing particles, namely firstly determining the size of a particle swarm, and then initializing the position parameter of each particle in a binary coding mode, wherein the specific mode refers to a formula (2); the position coordinates of the particles are d dimension, and d is the total number of channels; the initialized position coordinates consist of 0 and 1; it can be seen that the position parameter of each particle actually represents a channel combination mode, and initialization is to randomly select a plurality of channel combinations;
Figure FDA0002921359370000021
3.2) calculating an individual extreme value and a global optimal solution: according to the fitness function, each particle can calculate an individual extreme value according to the position parameter of the particle, and the minimum individual extreme value is finally selected as the current global optimal solution by comparing the size of the individual extreme value of each particle; the fitness function is as in equation (3):
fitness(xid)=cross-entropy(D)+δ·NUM(xid) (3)
wherein, fitness (x)id) Representing the current individual extremum, NUM (x), of the ith particleid) Represents the number of channels used in the channel combination of the ith particle, wherein delta is a penalty coefficient, the value of the penalty coefficient is larger along with the increase of the number of the channels in the channel combination, and the channel usage is hoped to be reduced as much as possible so as to reduce the time cost; cross-entropy (d) represents the cross-entropy of the challenge sample detector; calculating the current individual extreme value of each particle through the formula, and then comparing the current individual extreme values of each particle to obtain the current global optimal solution;
3.3) updating the particle position: each particle updates its position parameter according to its speed; the velocity of the particles is determined by velocity equation (4):
vid=w·vid+c1·rand()·(pid-xid)+c2·rand()·(pgd-xid) (4)
in the formula, vidVelocity information indicating the d-th dimension of the i-th particle; omega is the inertia factor, c1,c2Is the acceleration constant, c1=c2∈[0,4](ii) a rand () represents the interval [0,1]]A random number of (c); p is a radical ofidRepresenting the individual extreme value of the ith particle, wherein the individual extreme value represents the optimal position information found by each particle; p is a radical ofgdRepresenting a global optimal solution for the entire particle swarm, the global optimal solution representing an optimal solution in the entire particle swarmLocation information; as seen from equation (4), the velocity of a particle is mainly related to the difference between its current position and the optimal position;
calculating the current speed of the particles according to the information, and calculating the probability of the change position of each particle according to the formula (5);
Figure FDA0002921359370000031
in the formula, s (v)id) Denotes xidProbability that a position takes 1; here, to avoid s (v)id) Too close to 1 or 0, so for vidAdding a limit, artificially setting a parameter VmaxAs vidWith the proviso that the lower limit thereof is-Vmax(ii) a Determining whether to change the position parameters of the particles according to the probability calculated by the formula; the specific way of changing the position parameter is as follows (6):
Figure FDA0002921359370000032
in the formula, xidPosition information indicating the d-th dimension of the i-th particle; rand () represents the interval [0,1]]The random number of (2); in [0,1]]Random numbers uniformly distributed in intervals are less than or equal to s (v)id) Updating the d-dimension position information of the ith particle to be 1 if the position information is not the same as the d-dimension position information of the ith particle;
3.4) iterative optimization: repeating the steps 3.2) -3.3) until the iteration times reach the set maximum iteration times or the difference between two adjacent generations of global optimal solutions reaches the set threshold value; the iteration termination condition is as follows (7):
T=Tmax or pgd(n)-pgd(n-1)≤p (7)
in the above formula, T represents the current iteration number, TmaxIndicating a predetermined maximum number of iterations, pgd(n) denotes the current global optimum solution, pgd(n-1) represents the global optimal solution of the previous generation, and p represents a preset threshold value of the difference value of the global optimal solutions of two adjacent generations; the purpose of the setting is mainlyIn order to obtain a better solution while the optimization process does not fall into infinite loop;
3.5) image transformation;
knowing the current channel combination in step 3.3), and performing image transformation operation on the training set constructed in step 2); in consideration of time cost, performing corresponding image transformation on one frame of video every 5 frames;
4) training a detector: inputting the image transformed in the step 3.5) into a target detector to obtain a class confidence matrix of each frame; training a challenge sample detector with the matrix; taking the cross entropy as a loss function of the detector: as shown in formula (8):
Figure FDA0002921359370000041
in the formula, m represents the total number of training sets, x represents a training set, y represents the label of x, and h () represents the probability that the label of sample x is 1.
CN201910819973.0A 2019-08-31 2019-08-31 Countermeasure defense method based on binary particle swarm channel optimization Active CN110619292B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910819973.0A CN110619292B (en) 2019-08-31 2019-08-31 Countermeasure defense method based on binary particle swarm channel optimization

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910819973.0A CN110619292B (en) 2019-08-31 2019-08-31 Countermeasure defense method based on binary particle swarm channel optimization

Publications (2)

Publication Number Publication Date
CN110619292A CN110619292A (en) 2019-12-27
CN110619292B true CN110619292B (en) 2021-05-11

Family

ID=68922844

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910819973.0A Active CN110619292B (en) 2019-08-31 2019-08-31 Countermeasure defense method based on binary particle swarm channel optimization

Country Status (1)

Country Link
CN (1) CN110619292B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111314934B (en) * 2020-02-14 2021-08-10 西北工业大学 Network cooperative detection method for unified optimal decision
CN113449097A (en) * 2020-03-24 2021-09-28 百度在线网络技术(北京)有限公司 Method and device for generating countermeasure sample, electronic equipment and storage medium
CN111652267B (en) * 2020-04-21 2023-01-31 清华大学 Method and device for generating countermeasure sample, electronic equipment and storage medium
CN112052933B (en) * 2020-08-31 2022-04-26 浙江工业大学 Particle swarm optimization-based safety testing method and repairing method for deep learning model
CN113746813B (en) * 2021-08-16 2022-05-10 杭州电子科技大学 Network attack detection system and method based on two-stage learning model
CN113688950B (en) * 2021-10-25 2022-02-18 北京邮电大学 Multi-target feature selection method, device and storage medium for image classification

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108446765A (en) * 2018-02-11 2018-08-24 浙江工业大学 The multi-model composite defense method of sexual assault is fought towards deep learning
CN108960080A (en) * 2018-06-14 2018-12-07 浙江工业大学 Based on Initiative Defense image to the face identification method of attack resistance
CN109460814A (en) * 2018-09-28 2019-03-12 浙江工业大学 A kind of deep learning classification method for attacking resisting sample function with defence
CN110046590A (en) * 2019-04-22 2019-07-23 电子科技大学 It is a kind of one-dimensional as recognition methods based on particle group optimizing deep learning feature selecting

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11568211B2 (en) * 2018-12-27 2023-01-31 Intel Corporation Defending neural networks by randomizing model weights

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108446765A (en) * 2018-02-11 2018-08-24 浙江工业大学 The multi-model composite defense method of sexual assault is fought towards deep learning
CN108960080A (en) * 2018-06-14 2018-12-07 浙江工业大学 Based on Initiative Defense image to the face identification method of attack resistance
CN109460814A (en) * 2018-09-28 2019-03-12 浙江工业大学 A kind of deep learning classification method for attacking resisting sample function with defence
CN110046590A (en) * 2019-04-22 2019-07-23 电子科技大学 It is a kind of one-dimensional as recognition methods based on particle group optimizing deep learning feature selecting

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Binary Particle Swarm Optimization based Defensive Islanding of Large Scale Power System;Wenxin Liu;《International Journal of Computer Science & Applications》;20071231;第4卷(第3期);第69-83页 *
深度学习人脸识别系统的对抗攻击算法研究;陈晋音,周嘉俊,沈诗婧,郑海斌,宣琦;《小型微型计算机系统》;20190809;第40卷(第8期);第1723-1728页 *

Also Published As

Publication number Publication date
CN110619292A (en) 2019-12-27

Similar Documents

Publication Publication Date Title
CN110619292B (en) Countermeasure defense method based on binary particle swarm channel optimization
Zhong et al. Backdoor embedding in convolutional neural network models via invisible perturbation
Liao et al. Backdoor embedding in convolutional neural network models via invisible perturbation
Tian et al. Adversarial attacks and defenses for deep-learning-based unmanned aerial vehicles
Shen et al. Ape-gan: Adversarial perturbation elimination with gan
Li et al. Adversarial perturbations against real-time video classification systems
CN109977918B (en) Target detection positioning optimization method based on unsupervised domain adaptation
Gu et al. Gradient shielding: towards understanding vulnerability of deep neural networks
CN112836798A (en) Non-directional white-box attack resisting method aiming at scene character recognition
CN111242166A (en) Universal countermeasure disturbance generation method
CN111753881A (en) Defense method for quantitatively identifying anti-attack based on concept sensitivity
Wang et al. Defending dnn adversarial attacks with pruning and logits augmentation
CN113643278B (en) Method for generating countermeasure sample for unmanned aerial vehicle image target detection
Yang et al. Targeted attention attack on deep learning models in road sign recognition
CN113841157A (en) Training a safer neural network by using local linearity regularization
CN110084781A (en) The passive evidence collecting method and system of monitor video tampering detection based on characteristic point
CN114399630A (en) Countercheck sample generation method based on belief attack and significant area disturbance limitation
Du et al. Local aggregative attack on SAR image classification models
CN115936961A (en) Steganalysis method, device and medium based on few-sample contrast learning network
CN113159317B (en) Antagonistic sample generation method based on dynamic residual corrosion
CN115879108A (en) Federal learning model attack defense method based on neural network feature extraction
CN115017501A (en) Image anti-attack sample detection method and system based on uncertainty estimation
CN114067176A (en) Countersurface patch generation method without sample data
Atsague et al. A mutual information regularization for adversarial training
Agrawal et al. Bmim: Generating adversarial attack on face recognition via binary mask

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant