CN110796608B - Countermeasure defense method and system based on online iteration generator - Google Patents
Countermeasure defense method and system based on online iteration generator Download PDFInfo
- Publication number
- CN110796608B CN110796608B CN201910772642.6A CN201910772642A CN110796608B CN 110796608 B CN110796608 B CN 110796608B CN 201910772642 A CN201910772642 A CN 201910772642A CN 110796608 B CN110796608 B CN 110796608B
- Authority
- CN
- China
- Prior art keywords
- image
- network
- generator
- iteration
- synthetic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 60
- 230000007123 defense Effects 0.000 title claims abstract description 42
- 239000002131 composite material Substances 0.000 claims description 44
- 238000012549 training Methods 0.000 claims description 41
- 230000006870 function Effects 0.000 claims description 33
- 238000013528 artificial neural network Methods 0.000 claims description 16
- 230000008569 process Effects 0.000 claims description 14
- 238000013459 approach Methods 0.000 claims description 9
- 230000004913 activation Effects 0.000 claims description 8
- 230000003042 antagnostic effect Effects 0.000 claims description 6
- 238000012360 testing method Methods 0.000 claims description 4
- 230000000694 effects Effects 0.000 claims description 3
- 230000003044 adaptive effect Effects 0.000 description 5
- 238000010586 diagram Methods 0.000 description 4
- 238000005070 sampling Methods 0.000 description 4
- 239000011159 matrix material Substances 0.000 description 3
- 208000009119 Giant Axonal Neuropathy Diseases 0.000 description 2
- 238000007476 Maximum Likelihood Methods 0.000 description 2
- 101150041570 TOP1 gene Proteins 0.000 description 2
- 238000013135 deep learning Methods 0.000 description 2
- 201000003382 giant axonal neuropathy 1 Diseases 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 101100153581 Bacillus anthracis topX gene Proteins 0.000 description 1
- 230000008485 antagonism Effects 0.000 description 1
- 230000015572 biosynthetic process Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000013136 deep learning model Methods 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 238000002474 experimental method Methods 0.000 description 1
- 230000000116 mitigating effect Effects 0.000 description 1
- 238000007781 pre-processing Methods 0.000 description 1
- 230000001681 protective effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 239000004576 sand Substances 0.000 description 1
- 238000003786 synthesis reaction Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
- 238000000844 transformation Methods 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06T—IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
- G06T5/00—Image enhancement or restoration
- G06T5/70—Denoising; Smoothing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- General Engineering & Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Molecular Biology (AREA)
- Computing Systems (AREA)
- Biophysics (AREA)
- Biomedical Technology (AREA)
- Mathematical Physics (AREA)
- Computational Linguistics (AREA)
- Health & Medical Sciences (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Bioinformatics & Computational Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Evolutionary Biology (AREA)
- Image Analysis (AREA)
Abstract
The invention discloses a confrontation defense method and a system based on an online iteration generator, wherein the method comprises the following steps: step S1, randomly initializing a parameter theta of a generator network F, and initializing a synthetic image with the same size as the input image by 0; in step S2, given an input image that may be a countersample, it is defined as a reference image IzThe method comprises the steps of inputting the image into a generator network module, generating a synthetic image, alternately and iteratively updating network parameters and the synthetic image, and finally obtaining the synthetic image which is removed of the counternoise and has the same semantic as the original input image until the condition of stopping is met.
Description
Technical Field
The invention relates to the technical field of computer vision based on deep learning, in particular to an online iteration generator-based confrontation defense method and system.
Background
The countermeasure defense problem is intended to remove countermeasure noise in an image. In recent years, deep learning methods have been highly varied in the field of computer vision, however, it is well known that deep learning models are very sensitive to adversarial samples synthesized by adding quasi-perceptual noise to real images, and therefore, the adversarial defense problem attracts more and more researchers' attention by virtue of its wide application prospect and disciplinary exploratory property.
Existing defense methods can be broadly divided into two categories: one approach is to use defense as a preprocessing component without accessing, modifying or retraining the attacked target network, and this approach is portable to different target networks, but these approaches often rely on image denoising and are difficult to eliminate the counternoise; another set of methods requires accessing or retraining parameters of the target network, e.g., the adversarial training methods require knowledge of the adversarial attack and are unable to resist invisible attack types, however, these methods are impractical and inefficient in practical applications.
Additionally, Kuranki et al's work in adaptive mechanical learning at scale (ICLR) also shows that iterative resist sample robustness cannot be conferred by single-step attack, trader et al works in 2018 against training in adaptive training — Attacks and defenses require that the training set be increased N × M times, N different target networks are designed and trained, with inefficiency, where M is the number of different known resist Attacks used in resist training, Samangouei et al, research work in 2018, defenses-gate: protective classificators obtained in adaptive training using generation model protection classifiers (ICLR), it is difficult to transfer defenses GAN to large images because GANs with large images are unstable and may require network architecture to be adjusted for different datasets.
Disclosure of Invention
To overcome the above-mentioned deficiencies of the prior art, an object of the present invention is to provide a countermeasure defense method and system based on an online iterative generator, so as to synthesize an image having the same semantic meaning as an input image to replace the original input image while effectively removing the countermeasure noise.
In order to achieve the above purpose, the present invention provides an online iteration generator-based countermeasure defense method, which includes the following steps:
step S1, randomly initializing a parameter theta of a generator network F, and initializing a synthetic image with the same size as the input image by 0;
in step S2, given an input image that may be a countersample, it is defined as a reference image IzInputting the image data into a generator network module containing the generator network F to generate a synthetic image, alternately and iteratively updating network parameters and the synthetic image, and finally obtaining the synthetic image which is removed of the counternoise and has the same semantic meaning as the original input image.
Preferably, the step S2 further includes:
step S200, utilizing the generator network F to carry out internal iteration, utilizing the generator network F to approximate an energy function, and updating a synthetic image to minimize the energy function so as to generateAnd the reference picture IzRemoving new images of the anti-noise with the same semantics;
step S201, utilizing the generator network F to carry out external iteration, training the parameters of the generator network F along the direction of maximizing the log-likelihood, and updating the network parameters to enable the synthetic image to gradually approach the reference image Iz;
Step S202, the training process of steps S200-S201 is iteratively performed for a plurality of times until the stop condition is met.
Preferably, in step S2, training the defending online generator neural network with the synthetic image and network parameters initialized in step S1 as initialization values for iteration; and after the training process is converged, replacing the original input image with the synthetic image generated on line by the trained generator network and inputting the synthetic image into the target network.
Preferably, in each outer iteration, the composite image is updated TI times, while the parameters of the generator network F are updated once, where TI represents the maximum number of inner iterations.
Preferably, in each internal iteration, the composite image is updated once, and a noise model is further introduced when the image is updated to increase the difficulty of restoring fine details, thereby reducing the chance of fitting antagonistic noise.
Preferably, after step S2, the method further includes the following steps:
and step S3, performing generalized training on the data set containing the unknown attack type image to obtain a final model.
Preferably, in step S200, the composite image I is updatedsTo minimize the energy function:
wherein IsFor the current composite image, Is+1To update the image, α represents a learning rate,
is the gradient of the generator network F with respect to the image I, U is an energy function, and θ represents a parameter of the generator network.
Preferably, in step S201, the training generator network F is represented by the following formula:
wherein, thetatNetwork parameter, theta, representing the current time stept+1Represents the parameter for the next time step update and beta represents the step size.
Preferably, the generator network F is a neural network composed of an L-layer convolutional network and a nonlinear activation function.
In order to achieve the above object, the present invention further provides an confrontation defense system based on an online iteration generator, including:
an initialization unit for randomly initializing a parameter θ of the generator network F and initializing the composite image with 0;
a confrontation sample generation unit for generating confrontation samples of different attack methods as an input reference image I of the systemz;
A composite image generating unit for generating a composite image of the same size as the original input image using the generator network, the composite image being initialized with zeros;
the online iteration generator module is used for alternately and iteratively updating the network parameters and the synthetic images of the generator network, finally obtaining the synthetic images which are removed of the counternoise and have the same semantics as the original input images, and finally transmitting the synthetic images into a target network to be classified instead of the original input images;
and the target network unit receives the generated synthetic image as input by utilizing the pre-trained target network and tests the defense effect of the synthetic image.
Compared with the prior art, the countermeasure defense method and the countermeasure defense system based on the online iteration generator define an input image which is possibly a countermeasure sample as a reference image, generate another composite image by using the generator network to replace an original input and transmit the other composite image into a target network, and can generate the composite image with the appearance and the semantic almost the same as those of the reference image while effectively removing the countermeasure noise.
Drawings
FIG. 1 is a flow chart of the steps of a countermeasure defense method based on an online iteration generator according to the present invention;
FIG. 2 is a diagram of a defense framework based on a generator network in an embodiment of the invention;
FIG. 3 is a flowchart of an algorithm for an iterative training process in accordance with an embodiment of the present invention;
FIG. 4 is a system architecture diagram of an online iterative generator-based defense system according to the present invention.
Detailed Description
Other advantages and capabilities of the present invention will be readily apparent to those skilled in the art from the present disclosure by describing the embodiments of the present invention with specific embodiments thereof in conjunction with the accompanying drawings. The invention is capable of other and different embodiments and its several details are capable of modification in various other respects, all without departing from the spirit and scope of the present invention.
FIG. 1 is a flow chart of steps of a countermeasure defense method based on an online iteration generator according to the present invention. As shown in FIG. 1, the invention relates to a confrontation defense method based on an online iteration generator, which comprises the following steps:
in step S1, a parameter θ of a generator network F, which is a neural network composed of an L-layer convolution network and a nonlinear activation function, is randomly initialized, and a synthetic image having the same size as the input image is initialized with 0.
In step S2, given an input image that may be a countersample, it is defined as a reference image IzInputting the image into an online iteration generator module to generate a synthetic image, alternately and iteratively updating network parameters and the synthetic image to finally obtain the synthetic image which is removed of the counternoise and has the same semantic meaning as the original input image, and finally, introducing the synthetic image into a target network to be divided instead of the original input imageClass, the target network includes but is not limited to VGG11, MobileNet v2, DenseNet121, and the like.
FIG. 2 is a diagram of a defense framework based on a generator network in an embodiment of the invention. In a specific embodiment of the present invention, the online iteration generator module includes:
an internal iteration unit for updating the composite image with the generator network F to produce a reference image IzSemantically identical new images with the noise countermeasure removed are obtained, and the generator network F is composed of an L-layer convolution network and a nonlinear activation function;
an outer iteration unit for training the parameters of the generator network F in a direction that maximizes the log-likelihood, updating the generator network parameters so that the composite image gradually approaches the reference image Iz;
In the specific embodiment of the invention, TN represents the maximum external iteration number, TI represents the maximum internal iteration number, and in each external iteration, TI updates are performed on the composite image, and simultaneously, parameters of the generator network F are updated once. That is, the outer iteration unit and the inner iteration unit alternately iterate to update the network parameters and generate the image, finally the image which removes the counternoise and has the same semantic meaning as the original input image is obtained,
specifically, step S2 further includes:
step S200, utilizing the generator network F to carry out internal iteration, utilizing the generator network F to approximate an energy function, updating the synthetic image to minimize the energy function so as to generate and reference image IzNew images with the same semantics and with the counternoise removed are updated once for the composite image in each internal iteration.
The invention utilizes a generator network F to approximate an energy function, further introduces a noise model in the image updating process, and uses a reference image IzAnd a neural network F to update the composite image initialized by zeros. And taking the synthetic image and the corresponding neural network as initial iteration information simultaneously, training a generator network, and generating the synthetic image with the anti-noise removed on line after the training process is converged.
In the embodiment of the present invention, the size of the convolution kernel of the generator network F is set to 15 × 15, and the network step TN is set to 300. Top1 accuracy increases as more image iterations are employed. However, a larger number of image iterations will result in a higher time cost, and therefore, the present invention chooses TI 20 to trade off between performance and efficiency.
Step S200 further includes:
step S200a, input reference image IzAnd a target synthetic image IsAre distributed from the same data
Where I denotes an image, theta denotes the parameters of the model, Z is a regularization term, e denotes an exponential term, U is an energy function, and then the energy function is approximated using a neural network F in the proposed framework, i.e. F (I, theta) ═ U (I; theta), in order to maximize the composite image IsProbability density of, the invention updates IsTo minimize the energy function:
wherein IsFor the current composite image, Is+1Is an update image, and α represents a learning rate.
Is to generate the gradient of the network F with respect to the image I and can be calculated by back propagation. In a sense, the generated image is a reconstructed reference image.
In step S200b, since it is not desirable to synthesize an image containing antagonistic noise, a noise model is further introduced in the image updating process, specifically, in step S200 b:
where Z represents some noise distribution, e.g., gaussian noise, and e is the noise strength. Adding noise during image synthesis increases the difficulty of restoring fine details, thereby reducing the chance of fitting antagonistic noise to achieve the goal of removing the antagonistic noise. To understand the relationship between α and ∈ the present invention uses Langevin dynamics to increase the gradient-decreasing perturbation:
wherein
TsIs the "temperature" of the time step. It controls the amplitude of the gaussian noise.
Corresponding to the learning rate α.
Is IsThe inertia factor of (c). Since random fluctuations are used to generate the image, the distribution of the image is changedThe right multiplicative term is a Gaussian distribution, σ 21. | S | represents the number of elements in the image I.
Step S201, utilizing the generator network F to carry out external iteration, training the parameters of the generator network F along the direction of maximizing the log-likelihood, and updating the network parameters to enable the synthetic image to gradually approach the reference image IzThe network parameters are updated once in each of the outer iterations.
At the very beginning F is initialized by randomization, therefore, the generator network F is updated to maximize the likelihood for Iz. Let likelihood function L (θ) log (p (I)zθ)), θ is trained in a direction that maximizes the log-likelihood L (θ):
wherein theta istNetwork parameter, theta, representing the current time stept+1A parameter representing the update of the next time step,
represents the gradient of the maximum likelihood function with respect to theta and beta represents the step size. With reference to the Xie et al article "Learning spark frame models for natural image patterns" (IJCV2015), the gradient is calculated as follows:
wherein Ep(I;θ)[·]Is the expectation of I under the distribution p (I; theta). The expectation is not explicitly calculated but is approximated by a sampling. Langevin Dynamics for updating the image is also sampling image I from distribution p (I; θ)), and therefore, in particular embodiments of the present invention, has been chosen for simplicity
To approximate the expected Ep(I;θ)[·]Then, the training generation network F can be represented by the following formula:
step S202, the training process of steps S200-S201 is iteratively performed for a plurality of times until the stop condition is met.
The following explains that updating I in iterationsThe composite image after the sum generator network F approximates the reference image IzThe reason for (1). The present invention represents the neural network F (generator network) as a combination of convolutional layers and nonlinear activation functions to provide more mathematical explanation below. In the following, the generator network F is first considered as a very simple neural network, with only one convolution layer and one summation operator, with the input image/feature size denoted as c × h × w and the convolution kernel size denoted as s × s. For each spatial position, elements of the same receptive field are collected and reshaped into a vector. Will input the pictureTransformation of I-like feature maps to hw × cs2Of the matrix of (a). Similarly, the convolution weight W is also transformed into hw × cs by copying itself hw times2And (ii) x K. Where K is the number of convolution kernels. To apply convolution at hw × cs2And hw × cs2The batch-wise matrix multiplication is computed in the xK vector to obtain the hw xK matrix. λ (·) denotes a nonlinear activation function, ReLU. F can be expressed as
According to the definition of ReLU λ (x) ═ max (0, x), the ReLU function can be expressed as the product between the input and the Heaviside step function u, i.e., when x > 0, u (x) is 0, otherwise u (x) is 0. Thus, λ (x) ═ u (x) x. Then
Here u (IW)k+Bk) Is a single scalar, depends only on I and θ, so we will for simplicity use u (IW)k+Bk) Denoted as u (I, θ).
In updating images and networks, it is desirable to maximize the probability density p (I; θ) and the negative energy function
Which can be represented as
To solve I*Theta is a constant, and u (I, theta) can be fixed to u (I)sθ), then C (u (I, θ), θ) also becomes constant. When u (I, theta) is fixed, the hidden space is hyperplane IWk+Bk0 into 2KSlices, only slices with I in u (I, θ) are considered. Thereby minimizing the local energy, the maximized rate density being
Is also equal to
Updating I in the proposed networks+1Can be seen as being in IsAnd I*Is formulated as follows:
therefore, for the neural network F having only one convolution layer, the synthesized image is likely to approach the reference image after being generated iteratively.
The following consider the general case, inspired by A the ary of generating convnet (ICML2016), in which a neural network F has L layers and eventually yields a sum of feature maps, then F (I) is expressed as
Wherein KLAnd | SLAnd | is the number and spatial location of convolution kernels in the L layer, respectively. The convolution response of the L layers is computed recursively, e.g.
Wherein f isl-1(I) And
is a 3d tensor of the same shape. "·" denotes a dot product.
Is a scalar quantity. Gradient of F with respect to intermediate response
Is expressed as gl(I, θ), which is also defined recursively.
Wherein
Is a reaction of with gl-1(I, theta) and fl-1(I) 3d tensors of the same shape.
And
is a scalar quantity. gL(I, theta) is with fL(I) All 1 tensors with the same shape. Thus gl(I, θ) depends only on u (I, θ). For any L ≦ L, consider the following dot product:
wherein
Only depending on u (I, θ). Suppose u (I)z,θ)=u(IsTheta), u (I, theta) being fixed, ClCan be considered as a constant. Because F (I) ═ gL(I,θ)·fL(I)=gl(I,θ)·fl(I)+Cl-Cl-1Thus, therefore, it is
Where l is set to 0, g0(I, theta) and f0(I) Are respectively as
And I, C' is a constant defined by u (I, θ). That is, the present invention proposes to update the composite image to approximate the energy minima
In the training network, the MLE gradient is calculated as:
due to the fact that
The energy minimum approaches I in network updatez. The confrontational defense method proposed by the present invention holds the promise of fitting a given reference image from scratch in such an iterative manner.
Preferably, after step S2, the method for defending against adversaries based on online iterative generator of the present invention further comprises the following steps:
in step S3, a generalization evaluation is performed on the data set containing the unknown anti-noise image to obtain a final model. Specifically, one to two classified data sets are selected as training data of the countermeasure sample, and several attack methods are selected for countermeasure defense training to obtain a final model. The method can be trained by utilizing images of a plurality of data sets and a plurality of attack resisting methods, and the result shows that the method is not biased to any known attack resisting and has better generalization capability and portability.
FIG. 3 is a flowchart of an algorithm of an iterative training process according to an embodiment of the present invention. In the embodiment of the present invention, the training of the proposed defense method is based on an iterative training strategy, and the process of each iteration is shown in the algorithm flow chart 3.
The invention selects an ILSVRC 2012 data set [ Deng et al,2009] and an Oxford Flower-17 data set [ Nilsback and Zisserman, 2006] for training. Most of the pictures in the ILSVRC 2012 data set are large pictures having a size of not less than 200 × 200. Most images in the Oxford Flower-17 dataset are larger than 500 × 500. The method of defense of the present invention is of practical significance and is applicable to large images because the experimental results obtained on a simple dataset such as MNIST [ LeCun et al, 1998] are not always generalized to more difficult tasks, as suggested by the work of Mitigating adaptive effects through clustering, the significance of attacking misclassified images is not great, and the present invention randomly selects 2000 correctly classified images (2 images/class) from the validation set to perform the experiment.
The present invention utilizes FGSM (Fast Gradient signal Method) and I-FGSM to construct a target challenge sample with randomly selected target classes. Using MI-FGSM and C&W attacks to synthesize non-target challenge samples. In the present invention, a gray box attack set in the paper "counting adaptive images using input transformations" (ICLR 2018) is adopted, in which an attacker can access a target network and its parameters, but does not know the defense method. The L ∞ norm is used to constrain the antagonistic perturbations. Represents L∞The upper bound of the norm. For each type of attack, it is chosen so that the challenge attack is strong enough and the perturbation it produces is not perceptible. For FGSM, I-FGSM, and MIFGSM, are chosen as {6,6,2} on the ILSVRC 2012 dataset and {6,6,4} on the Oxford Flower-17 dataset, respectively.
To improve the generalization ability of the proposed defense method, the transitivity of the present invention was considered to protect different types of target networks, evaluated on the Oxford Flower-17 dataset. The challenge samples are generated using IGSM at this stage. The target networks include VGG11, MobileNet v2, and DenseNet 121. These target networks were initialized using weights pre-trained on ImageNet and then fine-tuned on the training set of the Oxford FLower-17 dataset. For clear images from the test apparatus, the top1 accuracies of VGG11, MobileNet v2 and DenseNet121 were 91.47%, 97.35% and 96.47%, respectively. Determined according to the criteria discussed above and selected 6 for ResNet18, 8 for VGG11, 6 for MobileNet v2 and 8 for densnet 121.
FIG. 4 is a system architecture diagram of an online iterative generator-based defense system according to the present invention. As shown in fig. 4, the invention relates to an online iteration generator-based confrontation defense system, which comprises:
an initialization unit 401 for randomly initializing a parameter θ of a generator network F, wherein the generator network F is a neural network composed of an L-layer convolutional network and a nonlinear activation function, and initializing a composite image with 0.
A confrontation sample generation unit 402 for generating confrontation samples of different attack methods as input reference image I of the systemz。
A composite image generation unit 403 for generating a composite image of the same size as the original input image using the generator network, the composite image being initialized with zeros.
And the online iteration generator module 404 is configured to alternately and iteratively update the network parameters and the synthesized image of the generator network, finally obtain a synthesized image with the anti-noise removed and the same semantic as the original input image, and finally transmit the synthesized image to a target network for classification instead of the original input image, where the target network includes, but is not limited to, VGG11, MobileNet v2, densnet 121, and the like.
In a specific embodiment of the present invention, the online iteration generator module 404 includes:
an internal iteration unit for updating the composite image with the generator network F to produce a reference image IzSemantically identical, new images of the countering noise are removed, the generator network F is composed of an L-layer convolutional network and a nonlinear activation function. In particular, the internal iteration unit approximates the energy function with the generator network F, updating the composite image to minimize the energy function, to produce the reference image IzNew images with the same semantics and with the counternoise removed are updated once for the composite image in each internal iteration. Preferably, the invention approximates the energy function with a generator network F, further introducing a noise model during the image update, using the reference image IzAnd a neural network F to update the composite image initialized by zeros. And taking the synthetic image and the corresponding neural network as initial iteration information simultaneously, training a generator network, and generating the synthetic image with the anti-noise removed on line after the training process is converged.
An outer iteration unit for training the parameters of the generator network F in the direction of maximizing the log-likelihood, updating the generator networkThe parameters of the complex make the composite image gradually close to the reference image Iz. In a particular embodiment of the invention, the generator network F is updated to maximize IzThe likelihood of (d). Let likelihood function L (θ) log (p (I)zθ)), θ is trained in a direction that maximizes the log-likelihood L (θ):
wherein theta istNetwork parameter, theta, representing the current time stept+1A parameter representing the update of the next time step,
represents the gradient of the maximum likelihood function with respect to theta and beta represents the step size. With reference to the Xie et al article "Learning spark frame models for natural image patterns" (IJCV2015), the gradient is calculated as follows:
wherein Ep(I;θ)[·]Is the expectation of I under the distribution p (I; theta). The expectation is not explicitly calculated but is approximated by a sampling. Langevin Dynamics for updating the image is also sampling image I from distribution p (I; θ), and therefore, in particular embodiments of the present invention, has been chosen for simplicity
To approximate expectation
The training generation network F may then be represented by the following equation:
in the specific embodiment of the invention, TN represents the maximum external iteration number, TI represents the maximum internal iteration number, and in each external iteration, TI updates are performed on the composite image, and simultaneously, parameters of the generator network F are updated once. That is to say, the outer iteration unit and the inner iteration unit alternately iterate to update the network parameters and generate the image until the stopping condition is met, and finally the image which is subjected to anti-noise removal and has the same semantic meaning as the original input image is obtained.
The target network unit 405 receives the generated composite image as an input by using the pre-trained target network, and tests the defense effect of the composite image. The target networks, including but not limited to VGG11, MobileNet v2, DenseNet121, etc., are initialized with weights pre-trained on ImageNet and then fine-tuned on the training set of the Oxford FLower-17 dataset.
In summary, the countermeasure defense method and system based on the online iterative generator of the invention can generate a composite image with almost the same appearance and semantic as the reference image while effectively removing the countermeasure noise by giving the input image which may be the countermeasure sample, defining the input image as the reference image, and generating another composite image by using the generator network to replace the original input and transmit the generated composite image to the target network.
Compared with the prior art, the invention has the following advantages:
1. the method adopts on-line training, model parameters are not fixed in the reasoning process, and an attacker cannot access the method in advance, so that a antagonism sample cannot be synthesized;
2. gaussian disturbance is added into the image, so that randomness is introduced, and the probability of performing reactive noise fitting on given input is reduced;
3. the method provided by the invention does not need any target network or knowledge of anti-attack, so that the method is a portable defense method and can theoretically protect any target classifier from any invisible anti-attack.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit the invention. Modifications and variations can be made to the above-described embodiments by those skilled in the art without departing from the spirit and scope of the present invention. Therefore, the scope of the invention should be determined from the following claims.
Claims (8)
1. An online iteration generator-based confrontation defense method comprises the following steps:
step S1, randomly initializing a parameter theta of a generator network F, and initializing a synthetic image with the same size as the input image by 0;
in step S2, given an input image that may be a countersample, it is defined as a reference image IzInputting the image to an online iteration generator module comprising the generator network F to generate a synthetic image, alternately and iteratively updating network parameters and the synthetic image, and finally obtaining the synthetic image which is subjected to noise countermeasure removal and has the same semantic meaning as the original input image;
step S2 further includes:
step S200, utilizing the generator network F to carry out internal iteration, utilizing the generator network F to approximate an energy function, updating a synthetic image to minimize the energy function so as to generate the reference image IzRemoving new images of the anti-noise with the same semantics;
step S201, utilizing the generator network F to carry out external iteration, training the parameters of the generator network F along the direction of maximizing the log-likelihood, and updating the network parameters to enable the synthetic image to gradually approach the reference image Iz;
Step S202, carrying out the training process of the steps S200-S201 in an iterative manner for a plurality of times until the condition of stopping is met;
in step S2, training the defending online generator neural network with the synthetic image and network parameters initialized in step S1 as the initialization values for iteration; and after the training process is converged, replacing the original input image with the synthetic image generated on line by the trained generator network and inputting the synthetic image into the target network.
2. The online iterative generator-based confrontation defense method of claim 1, characterized in that: in each outer iteration, the composite image is updated TI times, while the parameters of the generator network F are updated once, where TI represents the maximum number of inner iterations.
3. The online iterative generator-based confrontation defense method of claim 1, characterized in that: in each internal iteration, the composite image is updated once, and a noise model is further introduced when the image is updated to increase the difficulty of restoring fine details, thereby reducing the chance of fitting antagonistic noise.
4. The on-line iterative generator-based confrontation defense method according to claim 1, wherein after the step S2, the method further comprises the following steps:
and step S3, performing generalized training on the data set containing the unknown attack type image to obtain a final model.
5. The on-line iterative generator-based confrontation defense method of claim 1, wherein in step S200, the synthetic image I is updatedsTo minimize the energy function:
wherein IsFor the current composite image, Is+1To update the image, α represents a learning rate,
for generating a network F with respect to an image IsU is an energy function and theta represents a parameter of the generator network.
6. The method of claim 1, wherein in step S201, the training generator network F is represented by the following formula:
wherein, IsFor the current composite image, θtNetwork parameter, theta, representing the current time stept+1Represents the parameter for the next time step update and beta represents the step size.
7. The online iterative generator-based confrontation defense method of claim 1, characterized in that: the generator network F is a neural network consisting of an L-layer convolutional network and a nonlinear activation function.
8. An online iterative generator-based confrontation defense system comprising:
an initialization unit for randomly initializing a parameter θ of the generator network F and initializing the composite image with 0;
a confrontation sample generation unit for generating confrontation samples of different attack methods as an input reference image I of the systemz;
A composite image generating unit for generating a composite image of the same size as the original input image using the generator network, the composite image being initialized with zeros;
the online iteration generator module is used for alternately and iteratively updating the network parameters and the synthetic images of the generator network, finally obtaining the synthetic images which are removed of the counternoise and have the same semantics as the original input images, and finally transmitting the synthetic images into a target network to be classified instead of the original input images;
the target network unit receives the generated synthetic image as input by utilizing the pre-trained target network and tests the defense effect of the synthetic image;
the online iteration generator module includes:
an inner iteration unit for approximating the energy function with the generator network F, updating the composite image to minimize the energy function, to produce a sum reference image IzRemoving new images of the anti-noise with the same semantics;
an outer iteration unit for training the generator mesh in a direction that maximizes the log-likelihoodParameters of the network F, updating the parameters of the generator network to make the synthetic image gradually close to the reference image Iz;
The outer iteration unit and the inner iteration unit alternately iterate to update network parameters and generate images until the conditions of stopping are met, and finally the images which are subjected to anti-noise removal and have the same semantics as the original input images are obtained;
in the online iteration generator module, the synthetic image and network parameters initialized in the initialization unit are used as initialization values of iteration to train the online generator neural network for the countermeasure defense; and after the training process is converged, replacing the original input image with the synthetic image generated on line by the trained generator network and inputting the synthetic image into the target network.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910772642.6A CN110796608B (en) | 2019-08-21 | 2019-08-21 | Countermeasure defense method and system based on online iteration generator |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910772642.6A CN110796608B (en) | 2019-08-21 | 2019-08-21 | Countermeasure defense method and system based on online iteration generator |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110796608A CN110796608A (en) | 2020-02-14 |
| CN110796608B true CN110796608B (en) | 2021-01-01 |
Family
ID=69427463
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910772642.6A Active CN110796608B (en) | 2019-08-21 | 2019-08-21 | Countermeasure defense method and system based on online iteration generator |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110796608B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2023225999A1 (en) * | 2022-05-27 | 2023-11-30 | Robert Bosch Gmbh | Method and apparatus for certifying defense against image transformation |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108198154A (en) * | 2018-03-19 | 2018-06-22 | 中山大学 | Image de-noising method, device, equipment and storage medium |
| CN109523478A (en) * | 2018-11-09 | 2019-03-26 | 北京智慧眼科技股份有限公司 | Image removes grid method, storage medium |
| CN110148088A (en) * | 2018-03-14 | 2019-08-20 | 北京邮电大学 | Image processing method, image rain removing method, device, terminal and medium |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10586310B2 (en) * | 2017-04-06 | 2020-03-10 | Pixar | Denoising Monte Carlo renderings using generative adversarial neural networks |
-
2019
- 2019-08-21 CN CN201910772642.6A patent/CN110796608B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110148088A (en) * | 2018-03-14 | 2019-08-20 | 北京邮电大学 | Image processing method, image rain removing method, device, terminal and medium |
| CN108198154A (en) * | 2018-03-19 | 2018-06-22 | 中山大学 | Image de-noising method, device, equipment and storage medium |
| CN109523478A (en) * | 2018-11-09 | 2019-03-26 | 北京智慧眼科技股份有限公司 | Image removes grid method, storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110796608A (en) | 2020-02-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Alzantot et al. | Genattack: Practical black-box attacks with gradient-free optimization | |
| Bassey et al. | A survey of complex-valued neural networks | |
| Zhao et al. | Dataset condensation with differentiable siamese augmentation | |
| Cao et al. | Extreme learning machine with affine transformation inputs in an activation function | |
| Zhao et al. | Towards query-efficient black-box adversary with zeroth-order natural gradient descent | |
| Shrivastava et al. | GLAD: Learning sparse graph recovery | |
| Li et al. | Adaptive momentum variance for attention-guided sparse adversarial attacks | |
| Suzuki et al. | Adversarial example generation using evolutionary multi-objective optimization | |
| CN115115905A (en) | High-mobility image countermeasure sample generation method based on generation model | |
| Wang et al. | Enresnet: Resnet ensemble via the feynman-kac formalism | |
| CN114758198A (en) | Black box attack method and system for resisting disturbance based on meta-learning | |
| Zhou et al. | Improving adversarial robustness via mutual information estimation | |
| Bu et al. | Taking care of the discretization problem: A comprehensive study of the discretization problem and a black-box adversarial attack in discrete integer domain | |
| Tao | SQBA: sequential query-based blackbox attack | |
| Zhang | Deep generative model for multi-class imbalanced learning | |
| CN113627543A (en) | Anti-attack detection method | |
| CN113935396A (en) | Manifold theory-based method and related device for resisting sample attack | |
| CN110796608B (en) | Countermeasure defense method and system based on online iteration generator | |
| Chenou et al. | Radial basis function network: Its robustness and ability to mitigate adversarial examples | |
| Thornton et al. | Rethinking initialization of the sinkhorn algorithm | |
| Yin et al. | Learning energy-based models with adversarial training | |
| Huang et al. | Enhancing adversarial robustness of quantum neural networks by adding noise layers | |
| Li et al. | Online alternate generator against adversarial attacks | |
| Xie et al. | GAME: Generative-based adaptive model extraction attack | |
| Xiong et al. | General purpose mrf learning with neural network potentials |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |