CN111047006B - Dual generation network-based anti-attack defense model and application - Google Patents


Info

Publication number
CN111047006B
Authority
CN
China
Legal status
Active
Application number
CN201911031923.2A
Other languages
Chinese (zh)
Other versions
CN111047006A (en
Inventor
陈晋音
朱伟鹏
郑海斌
王雪柯
Current Assignee
Zhejiang University of Technology ZJUT
Original Assignee
Zhejiang University of Technology ZJUT

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/088 Non-supervised learning, e.g. competitive learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02T CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00 Road transport of goods or passengers
    • Y02T10/10 Internal combustion engine [ICE] based vehicles
    • Y02T10/40 Engine management systems

Abstract

The invention discloses a dual generation network-based adversarial attack defense model, which comprises a trained generation model G_t and a discrimination model D_t, wherein the generation model G_t outputs a benign sample from an input adversarial sample, and the discrimination model D_t performs the defense judgment on the input benign sample and outputs the correct judgment result. The dual generation network-based adversarial attack defense model achieves defense against known attacks and part of the unknown attacks. The application of the dual generation network-based adversarial attack defense model in the fields of face recognition and wireless signal modulation type recognition is also disclosed.

Description

Dual generation network-based anti-attack defense model and application
Technical Field
The invention belongs to the field of image recognition and data security, and particularly relates to an adversarial attack defense model based on a dual generation network and its application.
Background
Deep learning obtains more accurate classification results than general algorithms by learning and computing the latent relations in large amounts of data, and has strong feature learning and feature expression capability. Accordingly, deep learning techniques are widely used in artificial intelligence. Deep learning uses neural networks with huge numbers of parameters, such as convolutional neural networks (CNNs) and recurrent neural networks (RNNs), to perform feature extraction, and can effectively process image data and time-series data.
The generative adversarial network (Generative Adversarial Nets, abbreviated GAN), proposed by Goodfellow and Bengio et al. at NIPS in 2014, has since shown rapid development and great potential. Two models are used in a GAN, the generative model and the discriminative model, which act as the two players of a two-party game. The generative model G captures the distribution of the sample data, and the discriminative model D is a classifier that estimates the probability that a sample came from the training data rather than from the generator. That GAN has achieved so much in image processing clearly depends on the fact that the game continuously improves its modelling capability, finally producing generated images that are hard to tell from real ones.
In recent years a new approach in machine translation is dual learning, which uses a symmetrical pair of translation models to improve the usability of unlabelled samples and offers a new line of thought for the many difficulties of unsupervised learning. Zili Yi et al., in "DualGAN: Unsupervised Dual Learning for Image-to-Image Translation", borrow the idea of dual learning to design DualGAN. Experiments show that DualGAN further improves stability while greatly reducing labelling cost.
As a neural network structure with a very high degree of freedom, the generative adversarial network does not need a model that conforms to any particular factorization, and any generator network and any discriminator can be used; repeated sampling with a Markov chain is not needed, inference during learning is not needed, and the difficult problem of approximating intractable probabilities is avoided; and a GAN can train any of a variety of generator networks. However, constraints that are too simple easily lead to the problem of losing the training direction. Moreover, the GAN structure still suffers from the drawback shared by deep learning models across many areas: the existence of adversarial samples is still not addressed.
Szegedy et al. showed that deep models are very vulnerable to small perturbations. These perturbations are almost imperceptible to the human visual system, yet can cause a deep model to classify incorrectly, even with high confidence in the wrong result. Meanwhile, Omid Poursaeed et al., in "Generative Adversarial Perturbations", propose that a universal perturbation may exist for a deep learning model that forces the model to deviate in recognition and classification and produce wrong classification results.
Disclosure of Invention
In order to improve the defense capability of deep learning models against adversarial attacks, the invention provides a dual generation network-based adversarial attack defense model and its application.
The technical scheme of the invention is as follows:
A dual generation network-based adversarial attack defense model comprises a trained generation model G_t and a discrimination model D_t, wherein the generation model G_t outputs a benign sample from an input adversarial sample, and the discrimination model D_t performs the defense judgment on the input benign sample and outputs the correct judgment result;
the adversarial defense model is constructed by the following steps:
(1) Constructing a dual generative adversarial network comprising an attacking generative adversarial network and a defending generative adversarial network, wherein the attacking generative adversarial network comprises a generation model G_p for outputting adversarial samples from input benign samples and a discrimination model D_p for discriminating the authenticity of the input adversarial samples, and the defending generative adversarial network comprises a generation model G_t for outputting benign samples from input adversarial samples and a discrimination model D_t for discriminating the authenticity of the input benign samples;
(2) Initializing the attacking generative adversarial network with benign samples and initializing the defending generative adversarial network with adversarial samples, specifically as follows:
(2-1) inputting an existing benign sample true and its confidence into the generation model G_p to output an adversarial sample true_p, then inputting the adversarial sample true_p and its confidence into the generation model G_t to output an inverse-perturbed sample true';
(2-2) inputting an existing adversarial sample perturb and its confidence into the generation model G_t to obtain a counter-perturbed sample perturb_t, then inputting perturb_t and its confidence into the generation model G_p to output a perturbed sample perturb';
(3) Training the dual generative adversarial network with its loss functions; after training, the trained generation model G_t and discrimination model D_t form the adversarial defense model. The loss functions of the dual generative adversarial network include:
the loss function of the discrimination model D_p, which is:
[equation shown only as an image on the original page]
the loss function of the discrimination model D_t, which is:
[equation shown only as an image on the original page]
the loss function of the generation model G_p, which is defined through:
loss1 = a·||conv(true_p) − worst_p||_2 + b·||conv(perturb') − worst_p||_2
loss2 = c·||true_p − true||_2 + d·||perturb' − perturb||_2
[the combined G_p loss is shown only as an image on the original page]
the loss function of the generation model G_t, which is:
[equation shown only as an image on the original page]
where conv(·) denotes confidence, conv(true_p) is the confidence of the adversarial sample true_p, and a, b, c and d are four coefficients greater than zero.
In the application of the dual generation network-based adversarial attack defense model to face recognition defense, a normal face image is taken as the benign sample and a face image with added perturbation is taken as the adversarial sample; an adversarial attack defense model for face image recognition is constructed by the construction steps of the dual generation network-based adversarial attack defense model, and the constructed model is used to defend face image recognition against adversarial attacks.
In the application of the dual generation network-based adversarial attack defense model to wireless signal modulation type recognition, a normal wireless signal is taken as the benign sample and a wireless signal with added perturbation is taken as the adversarial sample; an adversarial attack defense model for wireless signal modulation type recognition is constructed by the construction steps of the dual generation network-based adversarial attack defense model, and the constructed model is used to defend wireless signal modulation type recognition against adversarial attacks.
Compared with the prior art, the invention has the following beneficial effects:
The dual generation network-based adversarial attack defense model of the invention combines generative adversarial networks with game-theoretic thinking and uses the parameter fitting of the dual GAN to produce a defending GAN with general defensive benefit, so that known attacks and part of the unknown attacks can be defended against without changing the internal structure of the protected model and without adversarial training. The strong defending GAN improves the robustness of the model and is of great theoretical and practical significance for improving the defense capability of deep learning models.
Drawings
In order to illustrate the embodiments of the invention or the prior art more clearly, the drawings needed for the embodiments or the prior-art description are briefly introduced below; obviously, the drawings described below are only some embodiments of the invention, and a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 shows the initialization process of the dual generation network provided by the invention;
FIG. 2 is a schematic diagram of defending against an adversarial attack with the defending GAN provided by the invention;
FIG. 3(a) is an original adversarial sample, and FIG. 3(b) is the benign sample obtained with the defending GAN.
Detailed Description
The invention is described in further detail below with reference to the drawings and embodiments, so that its objects, technical solutions and advantages become clearer. It should be understood that the detailed description is given by way of example only and is not intended to limit the scope of the invention.
The invention uses the strong symmetrical learning ability of the dual GAN to make the two generative adversarial networks act as attacker and defender respectively, continuously strengthens the defending GAN through the alternating training of the two GAN structures, and finally defends against a variety of known or unknown attacks. The embodiment therefore provides a dual generation network-based adversarial attack defense model that uses the high degree of freedom of generative adversarial networks to produce and reinforce the defending GAN, thereby improving the defense against various known or unknown attacks.
Specifically, the dual generation network adversarial attack defense model is constructed as follows:
(1) A dual generative adversarial network (dual GAN for short) is constructed.
In the invention the dual GAN comprises two GAN structures with symmetrical functions, namely an attacking generative adversarial network (attacking GAN for short) and a defending generative adversarial network (defending GAN for short), which together perform the balanced operations of generating a perturbation and adding an inverse perturbation. Each side of the dual GAN optimizes its own perturbation by parameter fitting while ensuring as far as possible that the balance of the dual GAN is not destroyed, so as to defend as comprehensively as possible against powerful attack methods.
The attacking GAN comprises the generation model G_p and the discrimination model D_p and mainly performs the task of adding adversarial perturbation: the generation model G_p outputs an adversarial sample from an input benign sample, and the discrimination model D_p distinguishes the authenticity of the input adversarial sample. The attacking GAN is trained in an unsupervised manner, following the zero-sum game idea of game theory: the generation model G_p and the discrimination model D_p play against each other continuously, so that the generation model G_p learns a distribution that fits a general perturbation.
In the game training, the generation model G_p generates a half-adversarial sample from the reference perturbation, the benign sample and its confidence; the half-adversarial sample becomes an adversarial sample as further perturbation is added, i.e. as training continues the generation model G_p eventually generates an adversarial sample. The discrimination model D_p aims to distinguish half-adversarial samples from adversarial samples, thereby indirectly training the generation model G_p to produce adversarial samples that are more adversarial and less perceptible. This requires the perturbation magnitude to be well limited while the adversarial sample is made to resemble the benign sample more closely. For image generation, after training is complete the generation model G_p can generate a realistic adversarial image from a segment of random numbers.
The zero-sum game idea of game theory makes the generation network tend toward perfection as it continuously plays against the discrimination network. Therefore, within the limits of the structural complexity of the deep learning network, to reach as good a training effect as possible the generation network and the discrimination network should have similar structural complexity, i.e. the generation model G_p and the discrimination model D_p have similar structural complexity, and the generation model G_t and the discrimination model D_t have similar structural complexity; this keeps the two sides in dynamic balance during training and lets the whole structure move faster toward the final Nash equilibrium.
Therefore, in constructing the attacking GAN, the network complexity of the generation model G_p and of the discrimination model D_p is made as similar as possible, which ensures that the generation model G_p and the discrimination model D_p achieve the greatest possible game-training effect while training each other; at the same time, the generation of perturbation matrices can be achieved through this GAN, providing stronger adversarial capability.
The defending GAN comprises the adversarial structure of the generation model G_t and the discrimination model D_t and mainly performs the task of filtering adversarial perturbation: the generation model G_t outputs a benign sample from an input adversarial sample, and the discrimination model D_t distinguishes the authenticity of the input benign sample. The defending GAN is trained in an unsupervised manner, following the zero-sum game idea of game theory: the generation model G_t and the discrimination model D_t play against each other continuously, so that the generation model G_t learns a distribution that fits a general inverse perturbation.
In the game training, the generation model G_t continuously generates a semi-benign sample, i.e. a benign sample obtained by filtering the perturbation out of the adversarial sample, from the reference perturbation, the adversarial sample and its confidence; as training continues the generation model G_t eventually produces benign samples. The discrimination model D_t aims to distinguish semi-benign samples from benign samples, thereby indirectly training the generation model G_t to produce semi-benign samples that are less vulnerable to attack. This not only requires the generation model G_t to be able to generate general inverse perturbations with general effectiveness, but also means that the defense based on the general inverse perturbation can be stronger than most attack methods.
At the same time, in pursuing the general inverse-perturbation defense index, i.e. pursuing an effective filtering of the adversarial perturbation in an adversarial sample by the defending GAN, the neural-network complexity of the attacking GAN and of the defending GAN in the dual GAN must be kept balanced, and collapse of the dual GAN during dual training must be avoided. Because the dual GAN consists of a symmetrical attacking GAN and defending GAN, where the attacking GAN increases the aggressiveness of the general perturbation and the defending GAN increases the defensive ability of the general inverse perturbation, the two contain each other and the game training can be completed. However, when one side becomes too strong for whatever reason, the dual GAN tends to collapse and alternating training becomes difficult.
Specifically, the generation model G_p, the discrimination model D_p, the generation model G_t and the discrimination model D_t all have convolutional neural network structures.
(2) Initializing the attacking generative adversarial network with benign samples, and initializing the defending generative adversarial network with adversarial samples.
The adversarial samples in the invention come from various attack methods, including black-box attacks, white-box attacks, and attacks using universal perturbations. In this implementation the adversarial samples are produced by three attack methods: (a) Carlini and Wagner attacks (C&W), which use a norm constraint to keep the perturbation invisible through successive approximation during the adversarial process; (b) DeepFool, which produces the minimal-norm perturbation by iterative computation; (c) the Fast Gradient Sign Method (FGSM), which computes gradients to add a corresponding invisible adversarial perturbation. These three attack methods ensure the generalization of the adversarial perturbation as far as possible, so that the final defending GAN is stronger; the adversarial samples of all types are collectively called perturb.
In the invention, the initialization of the dual GAN is completed with the existing adversarial samples and benign samples, so that the dual GAN structure completes an opposed initialization once structural symmetry is satisfied. The opposition of the initialization consists of two parts. The first part is the opposite image-processing direction of the attacking GAN and the defending GAN, meaning that the attacking GAN and the defending GAN can use each other's standard to supervise the alternating training. The weights that the generation model G_p transfers when adding perturbation to benign samples or adversarial samples and those of the generation model G_t restrict each other, so the game idea can be used to train the attacking GAN and the defending GAN against each other.
The second part is that the adversarial sample generated by the generation model G_p is further used as the input of the generation model G_t, so that the attacking GAN and the defending GAN seek to enhance their opposition in the cycle. The confidence is input as part of both the attacking GAN and the defending GAN to strengthen the connection between the two sides of the dual GAN, which is equivalent to adding a negative feedback path under the restriction of the loss function and makes the model easier to optimize.
The specific process of initialization is as follows:
(2-1) inputting an existing benign sample true and its confidence into the generation model G_p to output an adversarial sample true_p, then inputting the adversarial sample true_p and its confidence into the generation model G_t to output an inverse-perturbed sample true';
(2-2) inputting an existing adversarial sample perturb and its confidence into the generation model G_t to obtain a counter-perturbed sample perturb_t, then inputting perturb_t and its confidence into the generation model G_p to output a perturbed sample perturb'.
(3) Training the dual generative adversarial network with its loss functions; after training, the trained generation model G_t and discrimination model D_t form the adversarial defense model.
In training, the loss functions of the dual generative adversarial network include:
the loss function of the discrimination model D_p, which is:
[equation shown only as an image on the original page]
where ||·||_2 is the two-norm, conv(·) is confidence, conv(true_p) is the confidence of the adversarial sample true_p, i.e. the confidence obtained by inputting the adversarial sample true_p into the discrimination model D_p, and conv(perturb') is the confidence of the perturbed sample perturb', i.e. the confidence obtained by inputting the perturbed sample perturb' into the discrimination model D_p;
The discrimination model D_p distinguishes the credibility of each adversarial sample, i.e. detects whether the adversarial sample reaches an effective attack capability; worst_p denotes the confidence exhibited by adversarial samples when the ability of the discrimination model D_p is strong enough. In addition, a and b are two coefficients greater than zero: because of the symmetry of the dual GAN structure and the opposition during initialization, all the adversarial samples affect the ability of the discrimination network, differing only in weight, which helps adjust the actual offset of the model.
The loss function of the discrimination model D_t is:
[equation shown only as an image on the original page]
where conv(perturb_t) is the confidence of the counter-perturbed sample perturb_t, i.e. the confidence obtained by inputting perturb_t into the discrimination model D_t, and conv(true') is the confidence of the inverse-perturbed sample true', i.e. the confidence obtained by inputting true' into the discrimination model D_t.
The discrimination model D_t distinguishes the credibility of each benign sample, i.e. detects whether the benign sample reaches an effective purity; best_t denotes the confidence exhibited by benign samples when the ability of the discrimination model D_t is strong enough. In addition, a and b are two coefficients greater than zero: because of the symmetry of the dual GAN structure and the opposition during initialization, all the benign samples affect the ability of the discrimination network, differing only in weight, which helps adjust the actual offset of the model.
The loss function of the generation model G_p is defined through:
loss1 = a·||conv(true_p) − worst_p||_2 + b·||conv(perturb') − worst_p||_2
loss2 = c·||true_p − true||_2 + d·||perturb' − perturb||_2
[the combined G_p loss is shown only as an image on the original page]
loss1 ensures that the adversarial perturbation added by the generation model G_p has effective attack capability; worst_p denotes the confidence that an adversarial sample exhibits after deceiving the discrimination model D_p when the ability of the generation model G_p is strong enough. loss2 limits the magnitude of the adversarial perturbation added by the generation model G_p so that the perturbation stays invisible. In addition, a, b, c and d are four coefficients greater than zero, again used to adjust the proportion of each part in actual training and the training progress.
The loss function of the generation model G_t is:
[equation shown only as an image on the original page]
Unlike the loss function of the generation model G_p, the loss function of the generation model G_t does not limit the magnitude of the perturbation: as long as the sample remains benign, the defensive inverse perturbation is good, and its size need not be constrained. In addition, the term shown in the equation image above (not reproduced in the page text) ensures that the defensive inverse perturbation added by the generation network has effective defense capability; best_t denotes the confidence that benign samples exhibit after deceiving the discrimination model D_t when the ability of the generation model G_t is strong enough. In addition, a and b are coefficients greater than zero, used to adjust the proportion of each part in actual training and the training progress.
On the basis of the above four loss functions, with the number of iterations as the limit, the generation model G_p, the generation model G_t, the discrimination model D_p and the discrimination model D_t are trained alternately in turn. After training, the trained generation model G_t and discrimination model D_t form the adversarial defense model.
After the adversarial defense model is obtained, a general perturbation is added to a benign sample to obtain an adversarial sample, and the adversarial sample is detected with the adversarial defense model (i.e. the defending GAN), as shown in FIG. 2: the adversarial sample shown in FIG. 3(a) is input into the generation model G_t of the defending GAN to obtain the benign sample shown in FIG. 3(b), the detection result is obtained with the discrimination model D_t, and the defense effect of the adversarial attack defense model is observed from the detection result.
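As an added illustration (not code from the patent or its authors), the following numpy toy models the initialization cycle of steps (2-1)/(2-2), the G_p loss terms loss1 and loss2 given above, the complexity-balance check from step (1), and the inference path of FIG. 2. The network sizes, the constructed sample data, the choice of which discriminator supplies a generator's input confidence, and summing loss1 + loss2 as the total G_p loss are all assumptions, since the page reproduces the combined loss formulas only as images.

```python
import numpy as np

DIM = 8  # length of one sample vector (constructed toy size, not from the patent)


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def make_generator(seed, scale=0.1):
    """G_p or G_t: takes a sample plus its confidence (DIM + 1 inputs) and
    returns an offset that is added to the sample. scale=0 gives the identity."""
    rng = np.random.default_rng(seed)
    return {"W": rng.normal(size=(DIM + 1, DIM)) * scale, "b": np.zeros(DIM)}


def make_discriminator(seed, scale=0.1):
    """D_p or D_t: one hidden layer sized so the parameter count (81) is close to
    the generator's (80), mirroring the page's requirement that a paired G and D
    have similar structural complexity."""
    rng = np.random.default_rng(seed)
    return {"W1": rng.normal(size=(DIM, DIM)) * scale, "b1": np.zeros(DIM),
            "W2": rng.normal(size=(DIM, 1)) * scale, "b2": np.zeros(1)}


def make_samples(seed, noise=0.3):
    """Constructed data: a benign sample `true` and an adversarial sample `perturb`."""
    rng = np.random.default_rng(seed)
    true = rng.normal(size=DIM)
    return true, true + noise * rng.normal(size=DIM)


def n_params(net):
    return int(sum(v.size for v in net.values()))


def complexity_balanced(g, d, tol=0.25):
    """Practitioner check for step (1): do G and its D have similar parameter counts?"""
    return abs(n_params(g) - n_params(d)) / max(n_params(g), n_params(d)) <= tol


def generator(g, x, conf):
    return x + np.concatenate([x, [conf]]) @ g["W"] + g["b"]


def discriminator(d, x):
    """Returns the confidence conv(x) in (0, 1)."""
    h = np.tanh(x @ d["W1"] + d["b1"])
    return float(sigmoid(h @ d["W2"] + d["b2"])[0])


def init_cycle(G_p, D_p, G_t, D_t, true, perturb):
    """Steps (2-1) and (2-2): each generator's output is fed to the other generator.
    Assumption: the confidence given to a generator comes from the discriminator on
    its own side of the dual GAN (D_p for G_p, D_t for G_t)."""
    # (2-1) benign true -> G_p -> adversarial true_p -> G_t -> inverse-perturbed true'
    true_p = generator(G_p, true, discriminator(D_p, true))
    true_inv = generator(G_t, true_p, discriminator(D_t, true_p))
    # (2-2) adversarial perturb -> G_t -> counter-perturbed perturb_t -> G_p -> perturb'
    perturb_t = generator(G_t, perturb, discriminator(D_t, perturb))
    perturb_back = generator(G_p, perturb_t, discriminator(D_p, perturb_t))
    return true_p, true_inv, perturb_t, perturb_back


def g_p_loss(D_p, true, true_p, perturb, perturb_back, worst_p, a, b, c, d):
    """loss1 and loss2 of G_p as written on the page; the total is assumed to be
    their sum (the combining formula is an image the page does not reproduce).
    loss1 pulls D_p's confidence on both adversarial outputs toward worst_p;
    loss2 keeps the added perturbation small so it stays imperceptible."""
    loss1 = (a * abs(discriminator(D_p, true_p) - worst_p)
             + b * abs(discriminator(D_p, perturb_back) - worst_p))
    loss2 = (c * float(np.linalg.norm(true_p - true))
             + d * float(np.linalg.norm(perturb_back - perturb)))
    return loss1, loss2, loss1 + loss2


def defend(G_t, D_t, sample):
    """Inference-time use of the defending GAN (FIG. 2): filter the input through
    G_t, then let D_t judge the filtered sample."""
    cleaned = generator(G_t, sample, discriminator(D_t, sample))
    return cleaned, discriminator(D_t, cleaned)


if __name__ == "__main__":
    G_p, D_p = make_generator(1), make_discriminator(2)
    G_t, D_t = make_generator(3), make_discriminator(4)
    true, perturb = make_samples(5)
    print("G_p/D_p params:", n_params(G_p), n_params(D_p),
          "balanced:", complexity_balanced(G_p, D_p))
    true_p, true_inv, perturb_t, perturb_back = init_cycle(G_p, D_p, G_t, D_t, true, perturb)
    l1, l2, total = g_p_loss(D_p, true, true_p, perturb, perturb_back,
                             worst_p=0.9, a=1.0, b=1.0, c=0.5, d=0.5)
    print(f"loss1={l1:.4f} loss2={l2:.4f} total={total:.4f}")
    cleaned, conf = defend(G_t, D_t, perturb)
    print(f"D_t confidence after filtering: {conf:.4f}")
```

Setting a generator's scale to 0 makes it the identity, which is a quick way to confirm that loss2 vanishes exactly when no perturbation is added.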
Application example
The adversarial defense model obtained above can be applied to image recognition and signal recognition. Specifically, in face image recognition, a normal face image is taken as the benign sample and a face image with added perturbation is taken as the adversarial sample; the adversarial defense model for face image recognition is constructed by the construction process above, and the constructed model is used to defend face image recognition against adversarial attacks.
For wireless signal modulation type recognition, a normal wireless signal is taken as the benign sample and a wireless signal with added perturbation is taken as the adversarial sample; the adversarial defense model for wireless signal modulation type recognition is constructed by the construction process above, and the constructed model is used to defend wireless signal modulation type recognition against adversarial attacks.
The foregoing detailed description of the preferred embodiments and advantages of the invention is merely illustrative of the presently preferred embodiments; any changes, additions, substitutions and equivalents of those embodiments are intended to be included within the scope of the invention.

Claims (8)

1. A method of anti-attack defense for face recognition, the method comprising the steps of:
taking a normal face image as a benign sample, and taking a disturbance-added face image as an adversarial sample;
constructing an anti-attack defense model for face image recognition based on the benign sample and the adversarial sample;
using the constructed anti-attack defense model to defend the face image recognition against adversarial attacks;
wherein the anti-attack defense model is constructed by the following steps:
(1) Constructing a dual generative adversarial network comprising an attacking generative adversarial network and a defensive generative adversarial network, wherein the attacking generative adversarial network comprises a generation model G_p for outputting adversarial samples based on input benign samples and a discrimination model D_p for discriminating the authenticity of an input adversarial sample, and the defensive generative adversarial network comprises a generation model G_t for outputting benign samples based on input adversarial samples and a discrimination model D_t for discriminating the authenticity of an input benign sample;
(2) Initializing the attacking generative adversarial network with benign samples and initializing the defensive generative adversarial network with adversarial samples, the specific process being as follows:
(2-1) inputting an existing benign sample true and its confidence level into the generation model G_p to output an adversarial sample true_p, and inputting the adversarial sample true_p and its confidence level into the generation model G_t to output an inverse-disturbance sample true';
(2-2) inputting an existing adversarial sample perturb and its confidence level into the generation model G_t to obtain a counter-adversarial sample perturb_t, and inputting the counter-adversarial sample perturb_t and its confidence level into the generation model G_p to output a disturbance sample perturb';
(3) Training the dual generative adversarial network with its loss functions, and after training, forming the anti-attack defense model from the trained generation model G_t and discrimination model D_t, wherein the loss functions of the dual generative adversarial network include:
the loss function of the discrimination model D_p
Figure FDA0004087984540000021
is:
Figure FDA0004087984540000022
the loss function of the discrimination model D_t
Figure FDA0004087984540000023
is:
Figure FDA0004087984540000024
the loss function of the generation model G_p
Figure FDA0004087984540000025
is:
loss1 = a·||conv(true_p) - worst_p||_2 + b·||conv(perturb') - worst_p||_2
loss2 = c·||true_p - true||_2 + d·||perturb' - perturb||_2
Figure FDA0004087984540000026
the loss function of the generation model G_t
Figure FDA0004087984540000027
is:
Figure FDA0004087984540000028
wherein conv(·) denotes confidence and conv(true_p) is the confidence of the adversarial sample true_p; a, b, c and d are four coefficients greater than zero; ||·||_2 is the two-norm; best_p denotes the confidence that the discrimination model D_p exhibits for the adversarial sample when D_p is sufficiently strong; best_t denotes the confidence that the discrimination model D_t exhibits for the benign sample when D_t is sufficiently strong; low_p denotes the confidence that the adversarial sample exhibits in the discrimination model D_p after deceiving it, when the generation model G_p is sufficiently strong; and word_t denotes the confidence that the benign sample exhibits in the discrimination model D_t after deceiving it, when the generation model G_t is sufficiently strong.
2. The method of anti-attack defense for face recognition according to claim 1, wherein the generation model G_p and the discrimination model D_p are similar in structural complexity, and the generation model G_t and the discrimination model D_t are similar in structural complexity.
3. The method of anti-attack defense for face recognition according to claim 1, wherein the structure of the generation model G_p is a convolutional neural network structure, and the structure of the discrimination model D_p is a convolutional neural network structure.
4. The method of anti-attack defense for face recognition according to claim 1, wherein the structure of the generation model G_t is a convolutional neural network structure, and the structure of the discrimination model D_t is a convolutional neural network structure.
5. A method of anti-attack defense for wireless signal modulation type identification, the method comprising the steps of:
taking a normal wireless signal as a benign sample, and taking a disturbance-added wireless signal as an adversarial sample;
constructing an anti-attack defense model for wireless signal modulation type identification based on the benign sample and the adversarial sample;
using the constructed anti-attack defense model to defend the wireless signal modulation type identification against adversarial attacks;
wherein the anti-attack defense model is constructed by the following steps:
(1) Constructing a dual generative adversarial network comprising an attacking generative adversarial network and a defensive generative adversarial network, wherein the attacking generative adversarial network comprises a generation model G_p for outputting adversarial samples based on input benign samples and a discrimination model D_p for discriminating the authenticity of an input adversarial sample, and the defensive generative adversarial network comprises a generation model G_t for outputting benign samples based on input adversarial samples and a discrimination model D_t for discriminating the authenticity of an input benign sample;
(2) Initializing the attacking generative adversarial network with benign samples and initializing the defensive generative adversarial network with adversarial samples, the specific process being as follows:
(2-1) inputting an existing benign sample true and its confidence level into the generation model G_p to output an adversarial sample true_p, and inputting the adversarial sample true_p and its confidence level into the generation model G_t to output an inverse-disturbance sample true';
(2-2) inputting an existing adversarial sample perturb and its confidence level into the generation model G_t to obtain a counter-adversarial sample perturb_t, and inputting the counter-adversarial sample perturb_t and its confidence level into the generation model G_p to output a disturbance sample perturb';
(3) Training the dual generative adversarial network with its loss functions, and after training, forming the anti-attack defense model from the trained generation model G_t and discrimination model D_t, wherein the loss functions of the dual generative adversarial network include:
the loss function of the discrimination model D_p
Figure FDA0004087984540000041
is:
Figure FDA0004087984540000042
the loss function of the discrimination model D_t
Figure FDA0004087984540000043
is:
Figure FDA0004087984540000044
the loss function of the generation model G_p
Figure FDA0004087984540000045
is:
loss1 = a·||conv(true_p) - worst_p||_2 + b·||conv(perturb') - worst_p||_2
loss2 = c·||true_p - true||_2 + d·||perturb' - perturb||_2
Figure FDA0004087984540000046
the loss function of the generation model G_t
Figure FDA0004087984540000047
is:
Figure FDA0004087984540000048
wherein conv(·) denotes confidence and conv(true_p) is the confidence of the adversarial sample true_p; a, b, c and d are four coefficients greater than zero; ||·||_2 is the two-norm; best_p denotes the confidence that the discrimination model D_p exhibits for the adversarial sample when D_p is sufficiently strong; best_t denotes the confidence that the discrimination model D_t exhibits for the benign sample when D_t is sufficiently strong; low_p denotes the confidence that the adversarial sample exhibits in the discrimination model D_p after deceiving it, when the generation model G_p is sufficiently strong; and word_t denotes the confidence that the benign sample exhibits in the discrimination model D_t after deceiving it, when the generation model G_t is sufficiently strong.
6. The method of anti-attack defense for wireless signal modulation type identification according to claim 5, wherein the generation model G_p and the discrimination model D_p are similar in structural complexity, and the generation model G_t and the discrimination model D_t are similar in structural complexity.
7. The method of anti-attack defense for wireless signal modulation type identification according to claim 5, wherein the structure of the generation model G_p is a convolutional neural network structure, and the structure of the discrimination model D_p is a convolutional neural network structure.
8. The method of anti-attack defense for wireless signal modulation type identification according to claim 5, wherein the structure of the generation model G_t is a convolutional neural network structure, and the structure of the discrimination model D_t is a convolutional neural network structure.
CN201911031923.2A 2019-10-28 2019-10-28 Dual generation network-based anti-attack defense model and application Active CN111047006B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911031923.2A CN111047006B (en) 2019-10-28 2019-10-28 Dual generation network-based anti-attack defense model and application

Publications (2)

Publication Number Publication Date
CN111047006A CN111047006A (en) 2020-04-21
CN111047006B true CN111047006B (en) 2023-04-21

Family

ID=70231813

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911031923.2A Active CN111047006B (en) 2019-10-28 2019-10-28 Dual generation network-based anti-attack defense model and application

Country Status (1)

Country Link
CN (1) CN111047006B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111444731B (en) * 2020-06-15 2020-11-03 深圳市友杰智新科技有限公司 Model training method and device and computer equipment
CN112116026A (en) * 2020-09-28 2020-12-22 西南石油大学 Countermeasure sample generation method, system, storage medium and device
KR20220058189A (en) 2020-10-30 2022-05-09 삼성전자주식회사 Method and apparatus for classifying using neural network
CN113114633A (en) * 2021-03-24 2021-07-13 华南理工大学 Method, system, device and medium for defending intrusion detection system against attacks
CN113450271B (en) * 2021-06-10 2024-02-27 南京信息工程大学 Robust self-adaptive countermeasure sample generation method based on human visual model
CN114757351B (en) * 2022-04-24 2023-01-24 北京理工大学 Defense method for resisting attack by deep reinforcement learning model
CN115481719B (en) * 2022-09-20 2023-09-15 宁波大学 Method for defending against attack based on gradient

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107909621A (en) * 2017-11-16 2018-04-13 深圳市唯特视科技有限公司 A medical image synthesis method based on a twin generative adversarial network
CN108322349A (en) * 2018-02-11 2018-07-24 浙江工业大学 A deep learning adversarial attack defense method based on a generative adversarial network
CN109413068A (en) * 2018-10-29 2019-03-01 浙江工业大学 A wireless signal encryption method based on dual GAN
CN109671018A (en) * 2018-12-12 2019-04-23 华东交通大学 An image conversion method and system based on a generative adversarial network and ResNets technology

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Li Zhuorong (李卓蓉). Research on generative adversarial networks and their applications. Zhejiang University of Technology doctoral electronic journal. 2019, (No. 7), full text. *

Also Published As

Publication number Publication date
CN111047006A (en) 2020-04-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant