CN111047006A - Anti-attack defense model based on dual-generation network and application - Google Patents

Anti-attack defense model based on dual-generation network and application

Info

Publication number: CN111047006A
Authority: CN (China)
Application number: CN201911031923.2A
Other versions: CN111047006B (en)
Other languages: Chinese (zh)
Prior art keywords: model, sample, network, defense, countermeasure
Legal status: Granted (active)
Inventors: 陈晋音, 朱伟鹏, 郑海斌, 王雪柯
Current and original assignee: Zhejiang University of Technology ZJUT

Classifications

    • G06N3/088 Non-supervised learning, e.g. competitive learning (under G06N3/08 Learning methods; G06N3/02 Neural networks; G06N3/00 Computing arrangements based on biological models; G06N Computing arrangements based on specific computational models; G06 Computing; calculating or counting; G Physics)
    • G06N3/045 Combinations of networks (under G06N3/04 Architecture, e.g. interconnection topology; G06N3/02 Neural networks; G06N3/00 Computing arrangements based on biological models)
    • Y02T10/40 Engine management systems (under Y02T10/10 Internal combustion engine [ICE] based vehicles; Y02T10/00 Road transport of goods or passengers; Y02T Climate change mitigation technologies related to transportation; Y02 Technologies or applications for mitigation or adaptation against climate change; Y General tagging of new technological developments)

Abstract

The invention discloses an adversarial attack defense model based on a dual generative network, comprising a trained generative model Gt and a trained discriminative model Dt, wherein the generative model Gt is used for outputting a benign sample based on an input adversarial sample, and the discriminative model Dt is used for performing defensive discrimination on the input benign sample and outputting a correct discrimination result. The adversarial attack defense model based on the dual generative network realizes defense against known attacks and some unknown attacks. The application of the adversarial attack defense model based on the dual generative network to face recognition and to wireless signal modulation type recognition is also disclosed.

Description

Anti-attack defense model based on dual-generation network and application
Technical Field
The invention belongs to the fields of image recognition and data security, and particularly relates to an adversarial attack defense model based on a dual generative network and its application.
Background
Deep learning can obtain more accurate classification results than general algorithms by learning latent relations in large amounts of data, and has strong feature learning and feature expression capabilities. The deep learning technique is therefore widely applied in the field of artificial intelligence. Deep learning uses neural networks with huge numbers of parameters, such as the typical Convolutional Neural Network (CNN) and Recurrent Neural Network (RNN), to extract features, and can effectively process image data and time series data.
Generative Adversarial Nets (GAN for short) were proposed by Goodfellow, Bengio et al. at NIPS in 2014 and have since shown rapid development and strong potential. A GAN uses two models, a generative model and a discriminative model, as the two players of a game. The generative model G captures the distribution of the sample data, and the discriminative model D is a binary classifier that estimates the probability that a sample comes from the training data rather than from the generator. That GANs have achieved so much in image processing depends on the generator continuously improving its modelling capacity under the game, until it finally generates images that are indistinguishable from real ones.
In recent years a new method in machine translation has been dual learning, which uses a symmetric pair of translation models, improves the utilization of unlabeled samples, and offers ideas for the various difficulties of unsupervised learning. Zili Yi et al., in "DualGAN: Unsupervised Dual Learning for Image-to-Image Translation", applied the idea of dual learning to the design of DualGAN. Experiments show that DualGAN further improves stability while greatly reducing labelling cost.
A generative adversarial network is a neural network structure with a very high degree of freedom: no model following any particular factorization needs to be designed, and any generator network and any discriminator can be used; no repeated sampling with a Markov chain is needed, no inference is needed during learning, and the difficulty of approximating probabilities is avoided; and a GAN can train any kind of generator network. However, because the constraints are so loose, the training direction is very easily lost. Moreover, the GAN structure still shares the defect common to deep learning models in every field, namely that the existence of adversarial samples remains unsolved.
Szegedy et al. showed that deep models are very vulnerable to subtle perturbations. These small perturbations are almost imperceptible to the human visual system, yet can make a deep model misclassify, and even do so with high confidence in the wrong result. Omid Poursaeed et al., in "Generative Adversarial Perturbations", further proposed that universal perturbations against deep learning models may exist, forcing the model's recognition and classification to shift and produce wrong results.
Disclosure of Invention
In order to improve the defense capability of deep learning models against adversarial attacks, the invention provides an adversarial attack defense model based on a dual generative network and its application.
The technical scheme of the invention is as follows:
an adversarial attack defense model based on a dual generative network comprises a trained generative model Gt and a trained discriminative model Dt, wherein the generative model Gt is used for outputting a benign sample based on an input adversarial sample, and the discriminative model Dt is used for performing defensive discrimination on the input benign sample and outputting a correct discrimination result;
the adversarial attack defense model is constructed by the following steps:
(1) constructing a dual generative adversarial network comprising an adversarial generative adversarial network and a defense generative adversarial network, wherein the adversarial generative adversarial network comprises a generative model Gp for outputting adversarial samples based on input benign samples and a discriminative model Dp for discriminating the authenticity of the input adversarial samples, and the defense generative adversarial network comprises a generative model Gt for outputting benign samples based on input adversarial samples and a discriminative model Dt for discriminating the authenticity of the input benign samples;
(2) initializing the adversarial generative adversarial network with benign samples and initializing the defense generative adversarial network with adversarial samples, the specific process being as follows:
(2-1) inputting the existing benign sample true and its confidence into the generative model Gp, which outputs the adversarial sample true_p; inputting the adversarial sample true_p and its confidence into the generative model Gt, which outputs the inverse-perturbed sample true';
(2-2) inputting the existing adversarial sample perturb and its confidence into the generative model Gt, which outputs the inverse adversarial sample perturb_t; inputting the inverse adversarial sample perturb_t and its confidence into the generative model Gp, which outputs the perturbed sample perturb';
(3) training the dual generative adversarial network with its loss functions and, after training is finished, forming the adversarial attack defense model from the trained generative model Gt and discriminative model Dt; the loss functions of the dual generative adversarial network are as follows:
the loss function of the discriminative model Dp,
Figure BDA0002250394880000031
is:
Figure BDA0002250394880000032
the loss function of the discriminative model Dt,
Figure BDA0002250394880000041
is:
Figure BDA0002250394880000042
the loss function of the generative model Gp,
Figure BDA0002250394880000043
is:
loss1 = a||conv(true_p) - worst_p||_2 + b||conv(perturb') - worst_p||_2
loss2 = c||true_p - true||_2 + d||perturb' - perturb||_2
Figure BDA0002250394880000044
the loss function of the generative model Gt,
Figure BDA0002250394880000045
is:
Figure BDA0002250394880000046
where conv(·) is the confidence, conv(true_p) is the confidence of the adversarial sample true_p, and a, b, c and d are four coefficients greater than zero.
An application of the adversarial attack defense model based on the dual generative network to defending against adversarial attacks in face recognition is characterized in that normal face images are used as benign samples and face images with added perturbations are used as adversarial samples, an adversarial attack defense model for face image recognition is constructed by the construction steps of the adversarial attack defense model described above, and defense against adversarial attacks on face image recognition is realized with the constructed model.
An application of the adversarial attack defense model based on the dual generative network to defending against adversarial attacks in wireless signal modulation type recognition is characterized in that normal wireless signals are used as benign samples and wireless signals with added perturbations are used as adversarial samples, an adversarial attack defense model for wireless signal modulation type recognition is constructed by the construction steps of the adversarial attack defense model described above, and defense against adversarial attacks on wireless signal modulation type recognition is realized with the constructed model.
Compared with the prior art, the invention has the beneficial effects that:
The invention provides a dual-generative-network-based adversarial attack defense model which exploits the fact that a generative adversarial network fits the game-theoretic idea, and uses the parameter fitting of the dual GAN to produce a defense GAN with general defensive benefit; defense against known attacks and some unknown attacks is realized without changing the internal structure of the protected model and without adversarial training. A strong defense GAN improves the robustness of the model and is of great theoretical and practical significance for improving the defense capability of deep learning models.
Drawings
In order to illustrate the embodiments of the present invention or the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 shows the process of obtaining the dual generative network initialization provided by the present invention;
FIG. 2 is a schematic diagram of the process of defending against an adversarial attack using the defense GAN provided by the present invention;
FIG. 3(a) is an original adversarial sample, and FIG. 3(b) is the benign sample obtained from it using the defense GAN.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the detailed description and specific examples, while indicating the scope of the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention.
The invention uses the strong symmetric learning ability of the dual GAN to let the two generative adversarial networks play the roles of attacker and defender respectively, continuously strengthens the defense GAN through the alternating training of the dual structure, and finally defends against various known or unknown attacks. Accordingly, this embodiment provides an adversarial attack defense model based on a dual generative network, which aims to generate and strengthen a defense GAN by exploiting the high degree of freedom of the dual generative network, thereby improving the defense effect against various known or unknown attacks.
Specifically, the construction process of the adversarial attack defense model of the dual generative network is as follows:
(1) Constructing a dual generative adversarial network (dual GAN for short).
In the invention, the dual GAN comprises two GAN structures with symmetric functions, namely an adversarial generative adversarial network (adversarial GAN for short) and a defense generative adversarial network (defense GAN for short), which together perform the balanced operation of generating a perturbation and adding an inverse perturbation. The neural network on each side of the dual GAN optimizes its own perturbation by parameter fitting, while keeping the balance of the dual GAN as intact as possible, so as to defend comprehensively against strong attack methods as far as possible.
The adversarial GAN comprises a generative model Gp and a discriminative model Dp and mainly performs the task of adding adversarial perturbations: the generative model Gp outputs adversarial samples based on input benign samples, and the discriminative model Dp judges the authenticity of the input adversarial samples. The adversarial GAN is trained in an unsupervised manner; following the zero-sum game idea of game theory, the generative model Gp and the discriminative model Dp play against each other continuously, and the generative model Gp thereby learns to fit the distribution of a universal perturbation.
In the game training, the generative model Gp continuously generates semi-adversarial samples from a reference perturbation, the benign samples and their confidences; a semi-adversarial sample becomes an adversarial sample after some further perturbation is added, i.e. over the course of training the generative model Gp ultimately produces adversarial samples. The discriminative model Dp, whose goal is to distinguish semi-adversarial samples from adversarial samples, indirectly trains the generative model Gp to produce samples that are more adversarial and less perceptible. This requires limiting the size of the perturbation well while pushing the adversarial samples to be ever more similar to the benign samples. In image generation, for example, the trained generative model Gp can produce a realistic adversarial image from a string of random numbers.
The zero-sum game idea of game theory lets the generative network become perfected in its continuous game with the discriminative network. Therefore, within the limits of the structural complexity of deep learning networks, and in order to achieve the best possible training effect, the structural complexity of the generative network and of the discriminative network are made similar: the generative model Gp and the discriminative model Dp are similar in structural complexity, and the generative model Gt and the discriminative model Dt are similar in structural complexity. This not only keeps the two sides in dynamic balance but also lets the overall structure move more quickly to the final Nash equilibrium.
Therefore, when constructing the adversarial GAN, the generative model Gp and the discriminative model Dp are made as similar in network complexity as possible, so that in their mutual training the generative model Gp and the discriminative model Dp achieve the strongest possible game training, the adversarial GAN can complete the generation of a perturbation matrix, and stronger adversarial ability is provided.
The defense GAN is an adversarial structure comprising a generative model Gt and a discriminative model Dt and mainly performs the task of filtering adversarial perturbations: the generative model Gt outputs benign samples based on input adversarial samples, and the discriminative model Dt discriminates the authenticity of the input benign samples. The defense GAN is trained in an unsupervised manner; following the zero-sum game idea of game theory, the generative model Gt and the discriminative model Dt play against each other continuously, and the generative model Gt thereby learns to fit the distribution of a universal inverse perturbation.
In the game training, the generative model Gt continuously generates semi-benign samples from a reference perturbation, the adversarial samples and their confidences; a semi-benign sample is the benign sample obtained after the perturbation of an adversarial sample has been filtered out, i.e. over the course of training the generative model Gt ultimately produces benign samples. The discriminative model Dt, whose goal is to distinguish semi-benign samples from benign samples, indirectly trains the generative model Gt to produce semi-benign samples that are less vulnerable to attack. This not only requires the generative model Gt to generate a universal inverse perturbation that is generally effective, but also means that the universal inverse perturbation can be more robust against most attack methods.
At the same time, beyond pursuing the universal inverse perturbation as a defense metric, i.e. pursuing an effective filtering effect of the defense GAN on the adversarial perturbation of adversarial samples, the complexity balance between the adversarial GAN and the defense GAN of the dual GAN is also ensured, so as to avoid the dual GAN collapsing during dual training. The dual GAN is composed of two symmetric parts, the adversarial GAN and the defense GAN; the adversarial GAN increases the aggressiveness of the universal perturbation, the defense GAN improves the defensive ability of the universal inverse perturbation, and the two restrain each other so that game training can be completed. However, when one of the two GANs becomes too strong for whatever reason, the dual GAN tends to collapse and alternating training becomes difficult.
Specifically, the generative model Gp, the discriminative model Dp, the generative model Gt and the discriminative model Dt all have convolutional neural network structures.
(2) Initializing the adversarial generative adversarial network with benign samples, and initializing the defense generative adversarial network with adversarial samples.
The adversarial samples in the invention come from various attack methods, including black-box attacks, white-box attacks, universal perturbation attacks and the like. In this implementation, the adversarial samples are derived from the following attack methods: (a) the Carlini and Wagner attack (C&W) uses a norm constraint so that the perturbation gets progressively closer to invisibility during the adversarial process; (b) DeepFool generates a minimum-norm perturbation by an iterative calculation to complete the adversarial attack; (c) the Fast Gradient Sign Method (FGSM) adds an imperceptible adversarial perturbation computed from the gradient to achieve the adversarial attack. These three attack methods ensure the generalization of the adversarial perturbations as far as possible, so that the final defense GAN is stronger; the adversarial samples obtained are collectively called perturb.
In the invention, the initialization of the dual GAN is completed with the existing adversarial samples and benign samples, so that once the dual GAN structure satisfies structural symmetry, the oppositeness of the initialization is completed. This oppositeness has two parts. First, the adversarial GAN and the defense GAN perform opposite image-processing operations, which means that the two can supervise each other by each other's standard and be trained alternately. When the generative model Gp adds a perturbation to a benign sample or to an inverse adversarial sample, its weights are updated by back-propagation in a game with the generative model Gt, so that the game idea can be used to train the adversarial GAN and the defense GAN against each other in an escalating manner.
Second, oppositeness means that the adversarial sample generated by the generative model Gp is further used as the input of the generative model Gt, so that the adversarial GAN and the defense GAN seek opposite reinforcement in a cycle. The confidence is used as part of the input of both the adversarial GAN and the defense GAN to strengthen the connection between the two sides of the dual GAN, which is equivalent to adding a negative feedback path under the constraint of the loss function, making the model easier to optimize.
The specific initialization process is as follows:
(2-1) inputting the existing benign sample true and its confidence into the generative model Gp, which outputs the adversarial sample true_p; inputting the adversarial sample true_p and its confidence into the generative model Gt, which outputs the inverse-perturbed sample true';
(2-2) inputting the existing adversarial sample perturb and its confidence into the generative model Gt, which outputs the inverse adversarial sample perturb_t; inputting the inverse adversarial sample perturb_t and its confidence into the generative model Gp, which outputs the perturbed sample perturb'.
(3) Training the dual generative adversarial network with its loss functions and, after training is finished, forming the adversarial attack defense model from the trained generative model Gt and discriminative model Dt.
In training, the loss functions of the dual generative adversarial network include:
the loss function of the discriminative model Dp,
Figure BDA0002250394880000101
is:
Figure BDA0002250394880000102
where ||·||_2 is the two-norm, conv(·) is the confidence, conv(true_p) is the confidence of the adversarial sample true_p, i.e. the confidence obtained by inputting the adversarial sample true_p into the discriminative model Dp, and conv(perturb') is the confidence of the perturbed sample perturb', i.e. the confidence obtained by inputting the perturbed sample perturb' into the discriminative model Dp;
the discriminative model Dp distinguishes the credibility of each adversarial sample, i.e. detects whether the adversarial sample reaches effective attack capability; best_p is the confidence an adversarial sample exhibits when the discriminative model Dp is strong enough. a and b are two coefficients greater than zero: because of the structural symmetry of the dual GAN and the oppositeness of the initialization process, all adversarial samples can affect the ability of the discriminative network, and the difference in weights makes it easier to adjust the actual offset of the model.
the loss function of the discriminative model Dt,
Figure BDA0002250394880000103
is:
Figure BDA0002250394880000104
where conv(perturb_t) is the confidence of the inverse adversarial sample perturb_t, i.e. the confidence obtained by inputting perturb_t into the discriminative model Dt, and conv(true') is the confidence of the inverse-perturbed sample true', i.e. the confidence obtained by inputting true' into the discriminative model Dt.
The discriminative model Dt distinguishes the credibility of each benign sample, i.e. detects whether the benign sample reaches effective purity; best_t is the confidence a benign sample exhibits when the discriminative model Dt is strong enough. a and b are two coefficients greater than zero: because of the structural symmetry of the dual GAN and the oppositeness of the initialization process, all benign samples can affect the ability of the discriminative network, and the difference in weights makes it easier to adjust the actual offset of the model.
the loss function of the generative model Gp,
Figure BDA0002250394880000111
is:
loss1 = a||conv(true_p) - worst_p||_2 + b||conv(perturb') - worst_p||_2
loss2 = c||true_p - true||_2 + d||perturb' - perturb||_2
Figure BDA0002250394880000112
loss1 ensures that the adversarial perturbation added by the generative model Gp has effective attack capability; worst_p is the confidence an adversarial sample obtains from the discriminative model Dp after fooling it, when the generative model Gp is strong enough. loss2 limits the magnitude of the adversarial perturbation added by the generative model Gp, ensuring that the perturbation is invisible. a, b, c and d are four coefficients greater than zero; the share of each term is adjusted in actual training to adjust the training progress.
the loss function of the generative model Gt,
Figure BDA0002250394880000113
is:
Figure BDA0002250394880000114
Unlike the generative model Gp, the generative model Gt places no limit on the size of the perturbation, because there is no mandatory requirement on the size of the defensive inverse perturbation as long as it ensures that the sample remains benign. In addition,
Figure BDA0002250394880000115
ensures that the defensive inverse perturbation added by the generative network has effective defensive ability; worst_t is the confidence a benign sample obtains from the discriminative model Dt after fooling it, when the generative model Gt is strong enough. a and b are coefficients greater than zero; the share of each term is adjusted in actual training to adjust the training progress.
On the basis of these four loss functions, and with the number of iterations limited, the generative model Gp, the generative model Gt, the discriminative model Dp and the discriminative model Dt are trained alternately in sequence. After training is finished, the trained generative model Gt and discriminative model Dt form the adversarial attack defense model.
After the above adversarial attack defense model is obtained, a universal perturbation is added to a benign sample to obtain an adversarial sample, and the adversarial sample is detected with the defense model (i.e. the defense GAN), as shown in FIG. 2: the adversarial sample of FIG. 3(a) is input into the generative model Gt of the defense GAN to obtain the benign sample of FIG. 3(b), and the discriminative model Dt then gives the detection result, from which the defensive effect of the adversarial attack defense model can be observed.
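The initialization cycle (2-1)/(2-2), the generative model Gp's loss terms loss1/loss2, and the defense-time use of Gt and Dt, as an added numeric example that is not code from the patent or from ZJUT: the generators, the confidence function conv(·), the universal perturbation delta and the sample vectors are all constructed stand-ins, and since the patent gives the combined Gp loss only as an image, the two terms are returned separately.

```python
"""Toy walk-through of the dual-GAN defense cycle described in the patent.

Constructed stand-ins (assumptions, not the patent's CNNs): Gp adds a fixed
universal perturbation `delta` scaled by the input confidence, Gt subtracts
it, and conv() reads a clamped confidence from the first feature of a sample.
Samples are short float vectors so every step can be checked by hand.
"""
import math
from typing import Callable, Dict, List, Tuple

Vector = List[float]
Generator = Callable[[Vector, float], Vector]   # (sample, confidence) -> sample
Confidence = Callable[[Vector], float]          # sample -> conv(sample) in [0, 1]


def l2_norm(u: Vector, v: Vector) -> float:
    """||u - v||_2, the two-norm used throughout the patent's loss functions."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(u, v)))


def make_stand_in_models(delta: Vector) -> Tuple[Generator, Generator, Confidence]:
    """Build the stand-in Gp, Gt and conv() around one universal perturbation."""
    def g_p(x: Vector, c: float) -> Vector:      # attacker side: add perturbation
        return [xi + c * di for xi, di in zip(x, delta)]

    def g_t(x: Vector, c: float) -> Vector:      # defender side: add inverse perturbation
        return [xi - c * di for xi, di in zip(x, delta)]

    def conv(x: Vector) -> float:                # stand-in discriminator confidence
        return min(1.0, max(0.0, x[0]))

    return g_p, g_t, conv


def initialize_dual_gan(true: Vector, perturb: Vector, g_p: Generator,
                        g_t: Generator, conv: Confidence) -> Dict[str, Vector]:
    """Steps (2-1) and (2-2): each sample and its confidence go through both generators."""
    true_p = g_p(true, conv(true))                    # (2-1) benign -> adversarial
    true_prime = g_t(true_p, conv(true_p))            #       adversarial -> inverse-perturbed
    perturb_t = g_t(perturb, conv(perturb))           # (2-2) adversarial -> inverse adversarial
    perturb_prime = g_p(perturb_t, conv(perturb_t))   #       inverse adversarial -> perturbed
    return {"true_p": true_p, "true_prime": true_prime,
            "perturb_t": perturb_t, "perturb_prime": perturb_prime}


def gp_loss_terms(true: Vector, perturb: Vector, cycle: Dict[str, Vector],
                  conv: Confidence, worst_p: float,
                  a: float, b: float, c: float, d: float) -> Tuple[float, float]:
    """loss1 (attack effectiveness) and loss2 (perturbation size) of Gp.

    loss1 = a||conv(true_p) - worst_p||_2 + b||conv(perturb') - worst_p||_2
    loss2 = c||true_p - true||_2 + d||perturb' - perturb||_2
    The confidences are scalars, so their two-norm is the absolute value.
    """
    loss1 = (a * abs(conv(cycle["true_p"]) - worst_p)
             + b * abs(conv(cycle["perturb_prime"]) - worst_p))
    loss2 = (c * l2_norm(cycle["true_p"], true)
             + d * l2_norm(cycle["perturb_prime"], perturb))
    return loss1, loss2


def defend(sample: Vector, g_t: Generator, conv_t: Confidence) -> Tuple[Vector, float]:
    """Defense-time use (FIG. 2): Gt filters the perturbation, Dt scores the result."""
    cleaned = g_t(sample, conv_t(sample))
    return cleaned, conv_t(cleaned)


def demo() -> Dict[str, object]:
    """Run the cycle on constructed samples; all values are derivable by hand."""
    delta = [0.3, -0.4, 0.0]                 # constructed universal perturbation, ||delta||_2 = 0.5
    true = [0.2, 0.5, 0.8]                   # constructed benign sample, conv = 0.2
    perturb = [0.6, 0.3, 0.9]                # constructed adversarial sample, conv = 0.6
    g_p, g_t, conv = make_stand_in_models(delta)
    cycle = initialize_dual_gan(true, perturb, g_p, g_t, conv)
    # worst_p = 1.0: the confidence Dp would give a sample that fooled it completely.
    loss1, loss2 = gp_loss_terms(true, perturb, cycle, conv, worst_p=1.0,
                                 a=1.0, b=1.0, c=2.0, d=2.0)
    cleaned, confidence = defend(perturb, g_t, conv)
    return {"cycle": cycle, "loss1": loss1, "loss2": loss2,
            "defended_sample": cleaned, "defended_confidence": confidence}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```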
Application example
The adversarial attack defense model obtained above can be applied to image recognition and to signal recognition. Specifically, for face image recognition, normal face images are used as benign samples and face images with added perturbations are used as adversarial samples; an adversarial attack defense model for face image recognition is constructed by the construction process above, and defense against adversarial attacks on face image recognition is realized with the constructed model.
For wireless signal modulation type recognition, normal wireless signals are used as benign samples and wireless signals with added perturbations are used as adversarial samples; an adversarial attack defense model for wireless signal modulation type recognition is constructed by the construction process above, and defense against adversarial attacks on wireless signal modulation type recognition is realized with the constructed model.
The above-mentioned embodiments are intended to illustrate the technical solutions and advantages of the present invention, and it should be understood that the above-mentioned embodiments are only the most preferred embodiments of the present invention, and are not intended to limit the present invention, and any modifications, additions, equivalents, etc. made within the scope of the principles of the present invention should be included in the scope of the present invention.

Claims (6)

1. A dual-generation-network-based anti-attack defense model is characterized by comprising a trained generation model Gt and a discrimination model DtWherein the generative model GtThe discrimination model Dt is used for carrying out defense discrimination on the input benign sample and outputting a correct discrimination result;
the anti-attack defense model is constructed by the following steps:
(1) constructing a dual generative countermeasure network comprising a countermeasure generative countermeasure network and a defense generative countermeasure network, wherein the countermeasure generative countermeasure network comprises a generative model G for outputting countermeasure samples based on benign samples of inputspAnd a discrimination model D for discriminating the authenticity of the inputted countermeasure samplepThe defense generation countermeasure network includes a network for input-basedGenerative model G for antagonistic samples outputting benign samplestAnd a discrimination model Dt for discriminating the authenticity of the input benign sample;
(2) initializing the attack generative adversarial network with benign samples and initializing the defense generative adversarial network with adversarial samples, the specific process comprising:
(2-1) inputting an existing benign sample true and its confidence into the generative model Gp to output an adversarial sample true_p, and inputting true_p and its confidence into the generative model Gt to output an inverse-perturbation sample true';
(2-2) inputting an existing adversarial sample perturb and its confidence into the generative model Gt to obtain an inverse-adversarial sample perturb_t, and inputting perturb_t and its confidence into the generative model Gp to output a perturbed sample perturb';
(3) training the dual generative adversarial network with its loss function, and after training is finished, forming the adversarial attack defense model from the trained generative model Gt and discriminative model Dt; the loss function of the dual generative adversarial network comprises:
the loss function [Figure FDA0002250394870000021] of the discriminative model Dp, which is:
[Figure FDA0002250394870000022]
the loss function [Figure FDA0002250394870000023] of the discriminative model Dt, which is:
[Figure FDA0002250394870000024]
the loss function [Figure FDA0002250394870000025] of the generative model Gp, which is:
$loss_1 = a\|conv(true_p) - worst_p\|^2 + b\|conv(perturb') - worst_p\|^2$
$loss_2 = c\|true_p - true\|^2 + d\|perturb' - perturb\|^2$
[Figure FDA0002250394870000026]
the loss function [Figure FDA0002250394870000027] of the generative model Gt, which is:
[Figure FDA0002250394870000028]
where conv(·) denotes the confidence, conv(true_p) is the confidence of the adversarial sample true_p, and a, b, c and d are four coefficients greater than zero.
2. The dual-generation-network-based adversarial attack defense model according to claim 1, wherein the generative model Gp and the discriminative model Dp are similar in structural complexity, and the generative model Gt and the discriminative model Dt are similar in structural complexity.
3. The dual-generation-network-based adversarial attack defense model according to claim 1, wherein the generative model Gp has a convolutional neural network structure and the discriminative model Dp has a convolutional neural network structure.
4. The dual-generation-network-based adversarial attack defense model according to claim 1, wherein the generative model Gt has a convolutional neural network structure and the discriminative model Dt has a convolutional neural network structure.
5. Use of the dual-generation-network-based adversarial attack defense model according to any one of claims 1 to 4 for defending against adversarial attacks in face recognition, characterized by:
taking a normal face image as the benign sample and a face image with added perturbation as the adversarial sample, constructing an adversarial attack defense model for face image recognition by the construction steps of the adversarial attack defense model according to any one of claims 1 to 4, and defending face image recognition against adversarial attacks with the constructed adversarial attack defense model.
6. Use of the dual-generation-network-based adversarial attack defense model according to any one of claims 1 to 4 for defending against adversarial attacks in wireless signal modulation type recognition, characterized by:
taking a normal wireless signal as the benign sample and a wireless signal with added perturbation as the adversarial sample, constructing an adversarial attack defense model for wireless signal modulation type recognition by the construction steps of the adversarial attack defense model according to any one of claims 1 to 4, and defending wireless signal modulation type recognition against adversarial attacks with the constructed adversarial attack defense model.
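The two initialisation cycles of step (2) and the Gp loss terms loss_1/loss_2 of claim 1, traced through in code. This is an added illustration, not code from the patent or its authors: the generators, classifier and data are toy constructs; the norm in loss_1/loss_2 is read as the squared Euclidean norm; conv(·) is taken to be the softmax confidence of a fixed linear classifier; and worst_p, which the claim uses without defining, is assumed to be the attacker's target confidence vector. The Dp, Dt and Gt loss terms, which the page shows only as images, are not reproduced.

```python
"""Data flow of claim 1 step (2) and the Gp loss terms loss1/loss2 (added example).

Assumptions, labelled because the claim leaves them open:
  * a generator takes (sample, confidence) and returns the sample plus a
    learned residual, so an all-zero generator is the identity map;
  * conv(.) is the softmax confidence of a fixed linear target classifier;
  * worst_p is a target confidence vector the attacker steers towards.
"""
import math


def affine(W, b, x):
    """Compute W.x + b for a list-of-lists W and list vectors b and x."""
    return [sum(wij * xj for wij, xj in zip(row, x)) + bi for row, bi in zip(W, b)]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def sq_l2(x, y):
    """||x - y||^2, the squared Euclidean distance used in loss1/loss2 (assumed reading)."""
    return sum((xi - yi) ** 2 for xi, yi in zip(x, y))


class Classifier:
    """Fixed target model under attack; conv(x) is its confidence vector (assumption: softmax of a linear map)."""

    def __init__(self, W, b):
        self.W, self.b = W, b

    def conv(self, x):
        return softmax(affine(self.W, self.b, x))

    def predict(self, x):
        c = self.conv(x)
        return max(range(len(c)), key=c.__getitem__)


class Generator:
    """Toy stand-in for Gp or Gt: out = x + W.[x ; conf] + b (assumption, not the patent's CNN)."""

    def __init__(self, W, b):
        self.W, self.b = W, b

    def __call__(self, x, conf):
        res = affine(self.W, self.b, list(x) + list(conf))
        return [xi + ri for xi, ri in zip(x, res)]


def cycle_benign(true, Gp, Gt, clf):
    """Step (2-1): true -> Gp -> true_p -> Gt -> true' (inverse-perturbation sample)."""
    true_p = Gp(true, clf.conv(true))
    true_prime = Gt(true_p, clf.conv(true_p))
    return true_p, true_prime


def cycle_adversarial(perturb, Gp, Gt, clf):
    """Step (2-2): perturb -> Gt -> perturb_t -> Gp -> perturb'."""
    perturb_t = Gt(perturb, clf.conv(perturb))
    perturb_prime = Gp(perturb_t, clf.conv(perturb_t))
    return perturb_t, perturb_prime


def gp_losses(true, perturb, Gp, Gt, clf, worst_p, a=1.0, b=1.0, c=1.0, d=1.0):
    """loss1 and loss2 of the generator Gp as written in claim 1.

    loss1 pulls the confidence of both attack outputs towards worst_p;
    loss2 keeps the attack outputs close to their inputs (small perturbation).
    """
    true_p, _ = cycle_benign(true, Gp, Gt, clf)
    _, perturb_prime = cycle_adversarial(perturb, Gp, Gt, clf)
    loss1 = a * sq_l2(clf.conv(true_p), worst_p) + b * sq_l2(clf.conv(perturb_prime), worst_p)
    loss2 = c * sq_l2(true_p, true) + d * sq_l2(perturb_prime, perturb)
    return loss1, loss2


def defend(x, Gt, clf):
    """Inference path of the defense model: purify the input with Gt, then classify."""
    purified = Gt(x, clf.conv(x))
    return purified, clf.predict(purified)


# Constructed 2-D, 2-class toy instance (not data from the patent).
CLF = Classifier([[1.0, 0.0], [0.0, 1.0]], [0.0, 0.0])
ZERO_W = [[0.0] * 4, [0.0] * 4]            # 2 sample dims + 2 confidence dims
IDENTITY = Generator(ZERO_W, [0.0, 0.0])   # returns its input unchanged
ATTACK = Generator(ZERO_W, [-3.0, 3.0])    # fixed shift that flips class 0 to class 1
PURIFY = Generator(ZERO_W, [3.0, -3.0])    # exact inverse of ATTACK
TRUE = [2.0, 0.0]                          # benign sample, class 0
PERTURB = [-1.0, 3.0]                      # adversarial sample already pushed to class 1
WORST_P = [0.0, 1.0]                       # attacker's target confidence (assumption)

if __name__ == "__main__":
    print("Gp losses with an untrained (identity) Gt:", gp_losses(TRUE, PERTURB, ATTACK, IDENTITY, CLF, WORST_P))
    print("Gp losses with an exact-inverse Gt:", gp_losses(TRUE, PERTURB, ATTACK, PURIFY, CLF, WORST_P))
    adv = ATTACK(TRUE, CLF.conv(TRUE))
    print("undefended label:", CLF.predict(adv), " defended:", defend(adv, PURIFY, CLF))
```

Running the file shows the d-term of loss_2 dropping to zero once Gt exactly inverts Gp, because the (2-2) cycle then reproduces perturb. It also shows that defend() with the identity Gt returns the adversarial input untouched: loss_2 constrains only the attack generator, so a purifier that has not learned the inverse perturbation offers no protection, which is why the trained Gt, not the loss value, is what the claim ships as the defense.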
CN201911031923.2A 2019-10-28 2019-10-28 Dual generation network-based anti-attack defense model and application Active CN111047006B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911031923.2A CN111047006B (en) 2019-10-28 2019-10-28 Dual generation network-based anti-attack defense model and application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911031923.2A CN111047006B (en) 2019-10-28 2019-10-28 Dual generation network-based anti-attack defense model and application

Publications (2)

Publication Number Publication Date
CN111047006A true CN111047006A (en) 2020-04-21
CN111047006B CN111047006B (en) 2023-04-21

Family

ID=70231813

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911031923.2A Active CN111047006B (en) 2019-10-28 2019-10-28 Dual generation network-based anti-attack defense model and application

Country Status (1)

Country Link
CN (1) CN111047006B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111444731A (en) * 2020-06-15 2020-07-24 深圳市友杰智新科技有限公司 Model training method and device and computer equipment
CN112116026A (en) * 2020-09-28 2020-12-22 西南石油大学 Countermeasure sample generation method, system, storage medium and device
CN113114633A (en) * 2021-03-24 2021-07-13 华南理工大学 Method, system, device and medium for defending intrusion detection system against attacks
CN113450271A (en) * 2021-06-10 2021-09-28 南京信息工程大学 Robust adaptive countermeasure sample generation method based on human visual model
CN114757351A (en) * 2022-04-24 2022-07-15 北京理工大学 Defense method for resisting attack by deep reinforcement learning model
CN115481719A (en) * 2022-09-20 2022-12-16 宁波大学 Method for defending gradient-based attack countermeasure
US11967124B2 (en) 2020-10-30 2024-04-23 Samsung Electronics Co., Ltd. Method and apparatus for classification using neural network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107909621A * 2017-11-16 2018-04-13 深圳市唯特视科技有限公司 Medical image synthesis method based on twin generative adversarial networks
CN108322349A * 2018-02-11 2018-07-24 浙江工业大学 Deep learning adversarial attack defense method based on generative adversarial network
CN109413068A * 2018-10-29 2019-03-01 浙江工业大学 Wireless signal encryption method based on dual GAN
CN109671018A * 2018-12-12 2019-04-23 华东交通大学 Image conversion method and system based on generative adversarial network and ResNets


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李卓蓉 (Li Zhuorong): "Research on Generative Adversarial Networks and Their Applications" *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111444731A (en) * 2020-06-15 2020-07-24 深圳市友杰智新科技有限公司 Model training method and device and computer equipment
CN111444731B (en) * 2020-06-15 2020-11-03 深圳市友杰智新科技有限公司 Model training method and device and computer equipment
CN112116026A (en) * 2020-09-28 2020-12-22 西南石油大学 Countermeasure sample generation method, system, storage medium and device
US11967124B2 (en) 2020-10-30 2024-04-23 Samsung Electronics Co., Ltd. Method and apparatus for classification using neural network
CN113114633A (en) * 2021-03-24 2021-07-13 华南理工大学 Method, system, device and medium for defending intrusion detection system against attacks
CN113450271A (en) * 2021-06-10 2021-09-28 南京信息工程大学 Robust adaptive countermeasure sample generation method based on human visual model
CN113450271B (en) * 2021-06-10 2024-02-27 南京信息工程大学 Robust self-adaptive countermeasure sample generation method based on human visual model
CN114757351A (en) * 2022-04-24 2022-07-15 北京理工大学 Defense method for resisting attack by deep reinforcement learning model
CN115481719A (en) * 2022-09-20 2022-12-16 宁波大学 Method for defending gradient-based attack countermeasure
CN115481719B (en) * 2022-09-20 2023-09-15 宁波大学 Method for defending against attack based on gradient

Also Published As

Publication number Publication date
CN111047006B (en) 2023-04-21

Similar Documents

Publication Publication Date Title
CN111047006A (en) Anti-attack defense model based on dual-generation network and application
CN110443203B (en) Adversarial sample generation method for a face spoofing detection system based on generative adversarial network
CN106326886B (en) Finger vein image quality assessment method based on convolutional neural network
CN111680292B (en) Adversarial sample generation method based on high-concealment universal perturbation
CN108446765A (en) Multi-model composite defense method against adversarial attacks on deep learning
CN110941794A (en) Adversarial attack defense method based on a universal inverse-perturbation defense matrix
CN111163472A (en) Signal recognition attack defense method based on generative adversarial network
CN112087774B (en) Communication radiation source individual identification method based on residual neural network
CN110084610A (en) Network transaction fraud detection system based on twin neural network
CN111325324A (en) Deep learning adversarial sample generation method based on a second-order method
CN113808165B (en) Point perturbation adversarial attack method for three-dimensional target tracking models
Xia et al. Adversarial kinetic prototype framework for open set recognition
CN110969242A (en) Defense method generating universal inverse perturbation based on generative adversarial network
CN112597993A (en) Adversarial defense model training method based on patch detection
CN109444831B (en) Radar interference decision method based on transfer learning
CN111047054A (en) Adversarial sample defense method based on two-stage adversarial knowledge transfer
CN115588226A (en) Highly robust deepfake face detection method
CN113033822A (en) Adversarial attack and defense method and system based on prediction correction and random step-size optimization
CN113704758A (en) Black-box adversarial sample generation method and system
CN115048983A (en) Adversarial sample defense method for artificial intelligence systems based on data manifold topology awareness
Shan et al. Class-incremental semantic segmentation of aerial images via pixel-level feature generation and task-wise distillation
CN117011508A (en) Adversarial training method based on visual transformation and feature robustness
CN111950635A (en) Robust feature learning method based on hierarchical feature alignment
CN115510986A (en) Adversarial sample generation method based on AdvGAN
CN114579777A (en) Improved symbol-optimization adversarial attack method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant