CN111047658A - Compression-resistant antagonistic image generation method for deep neural network - Google Patents

Compression-resistant antagonistic image generation method for deep neural network

Info

Publication number
CN111047658A
Authority
CN
China
Prior art keywords
image
compression
model
antagonistic
neural network
Prior art date
Legal status
Granted
Application number
CN201911199508.8A
Other languages
Chinese (zh)
Other versions
CN111047658B (en)
Inventor
王志波
郭恒昌
宋梦凯
郑思言
王骞
Current Assignee
Wuhan University WHU
Original Assignee
Wuhan University WHU

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06T IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T9/00 Image coding
    • G06T9/002 Image coding using neural networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Multimedia (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Image Analysis (AREA)
  • Image Processing (AREA)

Abstract

The invention discloses a compression-resistant antagonistic image generation method for deep neural networks. The method is highly extensible: it can be combined with existing adversarial image attack schemes and improves the compression resistance of the adversarial images generated by various attack algorithms without noticeably reducing the attack success rate. The method can also produce compression-resistant antagonistic images when the compression method is unknown, giving it greater black-box practicability. It solves the problem that antagonistic images generated by prior attack methods become ineffective after image compression.

Description

Compression-resistant antagonistic image generation method for deep neural network
Technical Field
The invention relates to a compression-resistant antagonistic image generation method for deep neural networks and belongs to the field of artificial intelligence security.
Background
In recent years, deep learning has developed rapidly, and deep neural networks have shown performance approaching or even exceeding that of humans in fields such as image classification, object detection and natural language processing. They are therefore widely used for practical tasks such as autonomous driving, speech recognition and intelligent surveillance. However, recent studies have shown that deep neural networks are vulnerable to a specific kind of attack: when carefully constructed noise that is imperceptible to humans is added to the input image, the network produces wrong outputs, or even the output the attacker intends; such a modified input is called an antagonistic image. Antagonistic images achieve a very high attack success rate against deep neural networks and are transferable: an antagonistic image generated against one particular network can also attack a range of other network architectures. Such attacks pose a significant threat to security-sensitive applications built on deep learning.
However, studying the existing antagonistic image algorithms, we find that the images they generate are not robust to image compression. Most images are compressed to save storage space and network bandwidth, and most common image compression algorithms are lossy: a certain quality loss occurs between the image before and after compression, that is, the pixel values change. The noise added to an antagonistic image is carefully constructed, so when the image is compressed, the change in pixel values disturbs that specific noise and the antagonistic image fails; its robustness and practicability are therefore poor. Because the existing attack algorithms consider only the target model when optimizing the noise, the noise overfits the target model: the generated antagonistic image reaches a high attack success rate, but fails after even slight processing such as image compression and cannot be applied effectively in a real environment.
The invention considers that existing antagonistic image generation schemes achieve only a high attack success rate against the deep neural network and have poor robustness: the antagonistic image easily loses its effect after conventional image compression, and no antagonistic image that is robust to image compression can be obtained. A compression-resistant antagonistic image generation scheme is therefore urgently needed.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a compression-resistant antagonistic image generation method for a deep neural network.
The invention designs a compression-resistant antagonistic image generation method for a deep neural network, characterized by comprising the following steps:
1) given a target classifier model and an original image, the original image is compressed and input to the target classifier, and the confidence of classifying the original image into each class is obtained; the attacker has white-box access to the target model and sets a target class;
2) an image compression algorithm is injected into the optimization process that solves for the antagonistic image, and a compression-resistant antagonistic image is generated with a gradient-based optimization algorithm;
3) a neural network is designed to approximate the image compression algorithm, so that the trained network can serve as a differentiable approximation of the compression algorithm;
4) the trained neural network model is added to the solving process of an existing antagonistic image optimization algorithm to generate an antagonistic image with compression resistance, so that the target model classifies it into the target class.
Further, the input original image is first subjected to image compression x' = comp(x), where x is the input original image, comp() is the image compression function and x' is the compressed image; the target image classifier can be expressed as f(x', θ) = y, where θ are the model parameters and y is the model output; the second-to-last layer of the model, called the logits layer, outputs the confidence of each class for the image; the last layer, called the softmax layer, outputs the normalized result of the logits layer, namely the probability of each class; the final output y of the classifier is the maximum of the softmax layer, expressed as:
f(x, θ) = max(softmax(logits(comp(x)))) = y
The attacker has white-box access to the target model, that is, the parameters and weights of the target model can be accessed, but details such as which compression function and which compression degree are used cannot be obtained. For a given image the attacker sets a target class and generates a compression-resistant antagonistic image so that the target model classifies the image into that class.
Further, the optimization solving process in the step 2) adopts the following optimization formula:
Figure BDA0002295528790000021
s.t. f(comp(x′), θ) = t,
x′ = x + r ∈ [0, 1]^n,
where r is the perturbation sought by the optimization and x′ is the resulting antagonistic image, which still makes the model output the specified target t after being compressed by the image compression algorithm comp().
Further, the neural network model in step 3) is as follows:
ComModel(x, θ_1) ≈ comp(x)
where ComModel denotes the designed neural network model and θ_1 denotes the optimal model parameters obtained after training. The model is based on an encoder-decoder structure with 12 layers in total, of which the first 6 layers form the encoder:
L_1 = Conv(I),
L_{i+1} = Res(L_i), i = 1, 2, …, 5
where I denotes the input original image, L_i denotes the i-th layer, Conv() denotes a convolution and Res() denotes a residual block, which performs the following operations:
y = Conv(Conv(Conv(x))) + Conv(x)
The decoder formed by the last 6 layers is structured as follows:
L_7 = Deconv(L_6),
L_{i+1} = Deconv(L_i || L_{12-i}), i = 7, 8, …, 10
where Deconv() denotes a deconvolution and || denotes the concatenation (splicing) operation; finally, the ComModel is trained with the following optimization objective:
Figure BDA0002295528790000031
I_r = ComModel(I, θ_1)
where H, W and C denote the height, width and number of channels of the image, I denotes the original image, and I_c and I_r denote the compressed image produced by the compression algorithm and the reconstructed image output by the ComModel, respectively;
Figure BDA0002295528790000032
denotes the pixel value at height i, width j and channel k; through training, the optimal model parameters θ_1 are obtained so that the error between the reconstructed image output by the model and the real compressed image is minimized.
Further, replacing the original image compression algorithm with the trained compression approximation model ComModel to obtain the following optimization target for generating the compression-resistant adversity image:
Figure BDA0002295528790000033
s.t.f(ComModel(x,θ1),θ)=t,
x′=x+r∈[0,1]n,
further, step 4) adding the trained neural network model into the solving process of the existing confrontation image optimization algorithm, wherein the solving algorithm is as follows:
The FGSM-based compression-resistant antagonistic image generation algorithm ComReAdv_fgsm is expressed as:
Figure BDA0002295528790000041
The BIM-based compression-resistant antagonistic image generation algorithm ComReAdv_bim is expressed as:
Figure BDA0002295528790000042
x_{n+1} = clip(x_n − α·r_{n+1}), x_0 = x
The MIM-based compression-resistant antagonistic image generation algorithm ComReAdv_mim is expressed as:
Figure BDA0002295528790000043
x_{n+1} = clip(x_n − α·r_{n+1}), x_0 = x, r_0 = 0, m = 1
where m is a momentum factor that weights the effect of previous gradient values on the current update.
Compared with the prior art, the invention has the following beneficial effects:
1) Unlike existing antagonistic image attack methods, the method adapts the optimization that generates the antagonistic image to the particular image compression algorithm, achieving an antagonistic image attack with high compression resistance.
2) The invention introduces a new compression approximation model, ComModel, which can be trained on a data set built from original images and their compressed versions, so that the trained ComModel approximates the image compression algorithm with sufficiently small error. Because the model is differentiable, it solves the problem that most current compression algorithms are not differentiable and ensures that gradient-based optimization algorithms can be used.
3) The method is highly extensible and can be combined with various existing antagonistic image generation algorithms to obtain antagonistic images with compression resistance.
4) The method is highly practical: based on the ComModel, a compression approximation model can be obtained from a data set alone even when the compression algorithm is unknown, so antagonistic images resistant to an unknown compression can be generated.
Drawings
FIG. 1 is a schematic diagram of a ComModel approximation model for a compression algorithm based on an encoder-decoder architecture
FIG. 2 is a ComModel-based compression-resistant antagonistic image generation framework
FIG. 3 is a comparison of the present invention and the existing attack method for resisting multiple compression modes
Detailed Description
The compression-resistant antagonistic image generation method for the deep neural network comprises the following steps:
1) Given a target classifier model and an original image, the original image is compressed and the compressed image is input to the target classifier to obtain the confidence of classifying the original image into each class. The attacker has white-box access to the target model and sets the target class.
The input original image is first subjected to image compression x' = comp(x), where x is the input original image, comp() is the image compression function and x' is the compressed image. The target image classifier can be expressed as f(x', θ) = y, where θ are the model parameters and y is the model output, i.e. the class prediction for the compressed input x'. The second-to-last layer of the model, called the logits layer, outputs the confidence of each class for the original image. The last layer, called the softmax layer, outputs the normalized result of the logits layer, namely the probability of each class. The final output y of the classifier is the maximum of the softmax layer, expressed as:
f(x, θ) = max(softmax(logits(comp(x)))) = y
The attacker takes a trained neural-network image classifier as the attack target and has white-box access to it, that is, can access the parameters and weights of the target model, but cannot obtain the details of the compression function. The attacker sets a target class for a given image and generates a compression-resistant antagonistic image that the target model classifies into the target class.
2) An image compression algorithm is injected into the optimization process that solves for the antagonistic image, and a compression-resistant antagonistic image is generated with a gradient-based optimization algorithm. This avoids the problem that the generated antagonistic noise is damaged, and fails, because of the image quality loss during compression.
Because the image compression algorithm is taken into account in the optimization that generates the antagonistic image, the resulting image can withstand compression. The final optimization problem for generating the compression-resistant antagonistic image is:
Figure BDA0002295528790000051
s.t. f(comp(x′), θ) = t,
x′ = x + r ∈ [0, 1]^n,
where r is the perturbation sought by the optimization and x′ is the resulting antagonistic image, which still makes the model output the specified target t after being compressed by the image compression algorithm comp().
3) A neural network is designed to approximate the image compression algorithm, and the trained network can serve as a differentiable approximation of the compression algorithm. This solves the problem that gradient-based optimization algorithms cannot be used because the image compression algorithm is not differentiable.
Because the compression algorithm is not differentiable, the optimization problem cannot be solved with existing gradient-based optimization algorithms, so a neural network model is designed which, after training, approximates the specified image compression algorithm:
ComModel(x, θ_1) ≈ comp(x)
where ComModel denotes the designed neural network model and θ_1 denotes the optimal model parameters obtained after training. The model is based on an encoder-decoder structure with 12 layers in total, of which the first 6 layers form the encoder:
L_1 = Conv(I),
L_{i+1} = Res(L_i), i = 1, 2, …, 5
where I denotes the input original image, L_i denotes the i-th layer, Conv() denotes a convolution and Res() denotes a residual block, which performs the following operations:
y = Conv(Conv(Conv(x))) + Conv(x)
The decoder formed by the last 6 layers is structured as follows:
L_7 = Deconv(L_6),
L_{i+1} = Deconv(L_i || L_{12-i}), i = 7, 8, …, 10
where Deconv() denotes a deconvolution and || denotes the concatenation (splicing) operation. Finally, the ComModel is trained with the following optimization objective:
Figure BDA0002295528790000061
I_r = ComModel(I, θ_1)
where H, W and C denote the height, width and number of channels of the image, I denotes the original image, and I_c and I_r denote the compressed image produced by the compression algorithm and the reconstructed image output by the ComModel, respectively.
Figure BDA0002295528790000062
denotes the pixel value at height i, width j and channel k. Through training, the optimal model parameters θ_1 are obtained so that the error between the reconstructed image output by the model and the real compressed image is minimized.
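The non-differentiability problem and the ComModel surrogate described in step 3), as an added illustration that is not the patent's code: a constructed toy codec comp() (2x2 block averaging followed by quantization) has a zero derivative almost everywhere, and a small differentiable surrogate, a single 3x3 convolution standing in for the 12-layer encoder-decoder, is fitted to it with a mean-squared reconstruction error over H, W and C, assumed here because the page does not reproduce the loss formula. The codec, the training images, the surrogate size and the loss are all assumptions; the same fitting-error check is what a defender would run to judge how closely a learned surrogate can mimic a codec relied on as input preprocessing.

```python
"""Toy illustration of the ComModel idea: replace a non-differentiable lossy
compression step by a learned, differentiable approximation (not the patent's
own code; codec, data, model and loss are constructed assumptions)."""
import numpy as np

LEVELS = 8   # constructed codec parameter: grey levels kept after quantization
SIZE = 16    # constructed image side length (H = W = SIZE, one channel)


def comp(img: np.ndarray) -> np.ndarray:
    """Constructed stand-in for comp(): 2x2 block averaging (a low-pass step)
    followed by uniform quantization. Rounding makes the map piecewise
    constant, so its derivative w.r.t. the input is zero almost everywhere."""
    h, w = img.shape[-2:]
    blocks = img.reshape(*img.shape[:-2], h // 2, 2, w // 2, 2).mean(axis=(-3, -1))
    smooth = np.repeat(np.repeat(blocks, 2, axis=-2), 2, axis=-1)
    return np.round(smooth * (LEVELS - 1)) / (LEVELS - 1)


def com_model(img: np.ndarray, kernel: np.ndarray, bias: float) -> np.ndarray:
    """Hypothetical ComModel: one 3x3 convolution with bias and edge padding.
    Far smaller than the 12-layer encoder-decoder in the description, but
    differentiable in both its parameters theta_1 = (kernel, bias) and its input."""
    h, w = img.shape[-2:]
    pad = [(0, 0)] * (img.ndim - 2) + [(1, 1), (1, 1)]
    p = np.pad(img, pad, mode="edge")
    out = np.full(img.shape, bias, dtype=float)
    for di in range(3):
        for dj in range(3):
            out += kernel[di, dj] * p[..., di:di + h, dj:dj + w]
    return out


def reconstruction_loss(pred: np.ndarray, target: np.ndarray) -> float:
    """Assumed training objective: mean squared error over H, W (and C, a
    single channel here) between I_r = ComModel(I) and I_c = comp(I)."""
    return float(np.mean((pred - target) ** 2))


def train_com_model(images: np.ndarray, steps: int = 800, lr: float = 0.1):
    """Fit theta_1 = (kernel, bias) by plain gradient descent on the loss,
    starting from the identity kernel, i.e. 'no compression modelled at all'."""
    target = comp(images)
    h, w = images.shape[-2:]
    p = np.pad(images, [(0, 0), (1, 1), (1, 1)], mode="edge")
    kernel = np.zeros((3, 3))
    kernel[1, 1] = 1.0
    bias = 0.0
    for _ in range(steps):
        resid = com_model(images, kernel, bias) - target
        # dL/dkernel[di, dj] = mean(2 * resid * shifted input); dL/dbias = mean(2 * resid)
        grad_k = np.array([[np.mean(2 * resid * p[:, di:di + h, dj:dj + w])
                            for dj in range(3)] for di in range(3)])
        grad_b = float(np.mean(2 * resid))
        kernel -= lr * grad_k
        bias -= lr * grad_b
    return kernel, bias


def gradient_comparison(kernel: np.ndarray, value: float = 0.3, eps: float = 1e-4):
    """Derivative of sum(output) w.r.t. one interior pixel of a flat image:
    a finite difference through comp() (no quantization threshold is crossed,
    so it is exactly zero) versus the analytic derivative through com_model()."""
    img = np.full((SIZE, SIZE), value)
    bumped = img.copy()
    bumped[5, 5] += eps
    fd_comp = float((comp(bumped).sum() - comp(img).sum()) / eps)
    analytic_model = float(kernel.sum())  # each of the 9 taps sees the pixel once
    return fd_comp, analytic_model


def demo(n_images: int = 64, seed: int = 0) -> dict:
    """Train the surrogate on constructed random images and report how much it
    reduces the reconstruction error, plus the two input derivatives."""
    rng = np.random.default_rng(seed)
    images = rng.uniform(0.0, 1.0, size=(n_images, SIZE, SIZE))  # constructed data
    target = comp(images)
    identity = np.zeros((3, 3))
    identity[1, 1] = 1.0
    before = reconstruction_loss(com_model(images, identity, 0.0), target)
    kernel, bias = train_com_model(images)
    after = reconstruction_loss(com_model(images, kernel, bias), target)
    fd_comp, grad_model = gradient_comparison(kernel)
    return {"mse_identity": before, "mse_trained": after,
            "grad_comp_fd": fd_comp, "grad_model": grad_model}


if __name__ == "__main__":
    for name, val in demo().items():
        print(f"{name:>13s}: {val:.4f}")
```

The trained surrogate cannot reproduce the quantization step (a linear map cannot), so its error floor is the quantization noise; how far the fitted error sits above zero is the gap a practitioner measures before trusting any conclusion drawn through the surrogate.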
4) Combined with an existing antagonistic image generation algorithm, the trained neural network model is added to the solving process of the optimization algorithm. Because the model is differentiable, it keeps the gradient-based optimization algorithm working, and repeated iterative optimization yields an antagonistic noise that remains effective after compression, so that a compression-resistant antagonistic image is generated and the target model classifies it into the target class.
Replacing the original image compression algorithm with the trained compression approximation model ComModel gives the following optimization problem for generating the compression-resistant antagonistic image:
Figure BDA0002295528790000071
s.t. f(ComModel(x, θ_1), θ) = t,
x′ = x + r ∈ [0, 1]^n,
Combined with existing antagonistic image generation algorithms, an antagonistic image that is resistant to compression is generated.
Many methods have been used to solve the antagonistic image optimization objective, including FGSM (fast gradient descent method), BIM (basic iterative method) and others. The FGSM solution algorithm is as follows:
Figure BDA0002295528790000072
Taking FGSM as an example, the gradient of the loss function with respect to the input x and the target label t is computed,
Figure BDA0002295528790000073
and the gradient is subtracted from the input so that the resulting x′ moves closer to the target label and is classified as the specified label t. BIM and MIM adopt the same idea but solve the problem iteratively.
To generate an antagonistic image that is resistant to compression, the compression function comp() must be added to the optimization formula before solving, so that the compression process is taken into account during optimization and the final antagonistic image withstands compression. However, conventional compression algorithms comp() are not differentiable, that is, no gradient can be derived from them, so gradient-based optimization algorithms (FGSM, BIM, etc.) cannot solve the above optimization formula containing comp().
In this scheme, a neural network is used to approximate the compression algorithm, giving a differentiable approximation ComModel() ≈ comp(); replacing comp() with ComModel() yields a new optimization objective:
Figure BDA0002295528790000074
s.t. f(ComModel(x, θ_1), θ) = t,
x′ = x + r ∈ [0, 1]^n,
The problem can thus be conveniently solved with a gradient-based optimization algorithm; to avoid name collisions, the resulting algorithms are named ComReAdv_fgsm and so on herein.
The FGSM-based compression-resistant antagonistic image generation algorithm ComReAdv_fgsm is expressed as:
Figure BDA0002295528790000075
The BIM-based compression-resistant antagonistic image generation algorithm ComReAdv_bim can be expressed as:
Figure BDA0002295528790000076
x_{n+1} = clip(x_n − α·r_{n+1}), x_0 = x
The MIM-based compression-resistant antagonistic image generation algorithm ComReAdv_mim can be expressed as:
Figure BDA0002295528790000081
x_{n+1} = clip(x_n − α·r_{n+1}), x_0 = x, r_0 = 0, m = 1
where m is a momentum factor that weights the effect of previous gradient values on the current update.
The method adds the obtained approximate compression algorithm to the optimization process to generate the compression-resistant antagonistic image; the more closely the ComModel approximates comp(), the higher the compression resistance of the final antagonistic image, and a well-designed network structure lets the scheme achieve a good approximation.
As shown in FIG. 3, the ordinate is the success rate of the generated antagonistic images in withstanding compression (higher is better), and the abscissa is the amplitude of the noise added to the generated antagonistic images; the larger the noise amplitude, the more perceptible it is to the human eye. The figure compares the antagonistic image generation algorithm MIM, which does not take compression into account, the existing algorithm Diff_MIM, which takes only JPEG compression into account, and the algorithm ComReAdv_MIM proposed by this scheme. The parameter settings are: the number of iterations steps is 10, the total noise amplitude is eps (indicated on the abscissa), and the step size alpha of each iteration is eps/10.
The experiment used the common JPEG, WEBP and JPEG2000 compression methods. Taking JPEG(50) as an example, the number in parentheses indicates the degree of compression of the algorithm. As can be seen from FIG. 3(a)-(c), for JPEG compression the present invention and Diff_MIM achieve a higher compression-resistant success rate than the compression-unaware algorithm MIM; the success rate grows with the noise amplitude, and both compression-resistant methods exceed 95% at the maximum noise amplitude of 9 (at which the image still shows no obvious disturbance). At higher degrees of compression this improvement is more pronounced (see FIG. 3(c)). As can be seen from FIG. 3(d)-(h), for WEBP and JPEG2000 compression the present scheme still achieves a high success rate while Diff_MIM is no longer effective, which shows that the existing scheme can only be used for one specific compression algorithm, whereas the present scheme makes up for this deficiency and can be used with multiple compression algorithms.
The experiment shows that the scheme not only achieves a higher compression-resistant success rate but is also applicable to various compression algorithms, demonstrating its effectiveness and generality.
The invention designs a compression-resistant antagonistic image generation method for deep neural networks, aiming to overcome the defect that antagonistic images generated by existing attack algorithms cannot withstand image compression. The image compression algorithm is added to the optimization process that generates the antagonistic image, and compression-resistant noise is added to the image adaptively, so that the constructed antagonistic image remains effective after compression. To address the problem that the compression algorithm is not differentiable, a neural network model is designed to approximate and replace it, which preserves compatibility with existing antagonistic image generation schemes; the noise is generated by optimizing the objective function so that the probability the target model assigns to the target class for the antagonistic image is maximized, reaching the attacker's goal of making the classifier output the attacker's chosen class. The neural network can be trained from an original-image/compressed-image data set without attending to the implementation of a specific compression algorithm, so the scheme is also applicable to generating compression-resistant antagonistic images when the compression algorithm is a black box.

Claims (6)

1. A compression-resistant antagonistic image generation method for a deep neural network, characterized by comprising the following steps:
1) given a target classifier model and an original image, the original image is compressed and input to the target classifier, and the confidence of classifying the original image into each class is obtained; the attacker has white-box access to the target model and sets a target class;
2) an image compression algorithm is injected into the optimization process that solves for the antagonistic image, and a compression-resistant antagonistic image is generated with a gradient-based optimization algorithm;
3) a neural network is designed to approximate the image compression algorithm, so that the trained network can serve as a differentiable approximation of the compression algorithm;
4) the trained neural network model is added to the solving process of an existing antagonistic image optimization algorithm to generate an antagonistic image with compression resistance, so that the target model classifies it into the target class.
2. The compression-resistant antagonistic image generation method for a deep neural network according to claim 1, characterized in that: first, the input original image is subjected to image compression x' = comp(x), where x is the input original image, comp() is the image compression function and x' is the compressed image; the target image classifier can be expressed as f(x', θ) = y, where θ are the model parameters and y is the model output; the second-to-last layer of the model, called the logits layer, outputs the confidence of each class for the image; the last layer, called the softmax layer, outputs the normalized result of the logits layer, namely the probability of each class; the final output y of the classifier is the maximum of the softmax layer, expressed as:
f(x, θ) = max(softmax(logits(comp(x)))) = y
the attacker has white-box access to the target model, that is, the parameters and weights of the target model can be accessed, but details such as which compression function and which compression degree are used cannot be obtained; for a given image the attacker sets a target class and generates a compression-resistant antagonistic image so that the target model classifies the image into that class.
3. The compression-resistant antagonistic image generation method for a deep neural network according to claim 1, characterized in that: the optimization process in step 2) uses the following optimization formula:
Figure FDA0002295528780000011
s.t. f(comp(x′), θ) = t,
x′ = x + r ∈ [0, 1]^n,
where r is the perturbation sought by the optimization and x′ is the resulting antagonistic image, which still makes the model output the specified target t after being compressed by the image compression algorithm comp().
4. The compression-resistant antagonistic image generation method for a deep neural network according to claim 3, characterized in that: the neural network model in step 3) is as follows:
ComModel(x, θ_1) ≈ comp(x)
where ComModel denotes the designed neural network model and θ_1 denotes the optimal model parameters obtained after training; the model is based on an encoder-decoder structure with 12 layers in total, of which the first 6 layers form the encoder:
L_1 = Conv(I),
L_{i+1} = Res(L_i), i = 1, 2, …, 5
where I denotes the input original image, L_i denotes the i-th layer, Conv() denotes a convolution and Res() denotes a residual block, which performs the following operations:
y = Conv(Conv(Conv(x))) + Conv(x)
the decoder formed by the last 6 layers is structured as follows:
L_7 = Deconv(L_6),
L_{i+1} = Deconv(L_i || L_{12-i}), i = 7, 8, …, 10
where Deconv() denotes a deconvolution and || denotes the concatenation (splicing) operation; finally, the ComModel is trained with the following optimization objective:
Figure FDA0002295528780000021
I_r = ComModel(I, θ_1)
where H, W and C denote the height, width and number of channels of the image, I denotes the original image, and I_c and I_r denote the compressed image produced by the compression algorithm and the reconstructed image output by the ComModel, respectively;
Figure FDA0002295528780000022
denotes the pixel value at height i, width j and channel k; through training, the optimal model parameters θ_1 are obtained so that the error between the reconstructed image output by the model and the real compressed image is minimized.
5. The compression-resistant antagonistic image generation method for a deep neural network according to claim 4, characterized in that: replacing the original image compression algorithm with the trained compression approximation model ComModel gives the following optimization objective for generating the compression-resistant antagonistic image:
Figure FDA0002295528780000023
s.t. f(ComModel(x, θ_1), θ) = t,
x′ = x + r ∈ [0, 1]^n
6. The compression-resistant antagonistic image generation method for a deep neural network according to claim 5, characterized in that: in step 4), the trained neural network model is added to the solving process of an existing antagonistic image optimization algorithm, the solving algorithm being as follows:
the FGSM-based compression-resistant antagonistic image generation algorithm ComReAdv_fgsm is expressed as:
Figure FDA0002295528780000031
the BIM-based compression-resistant antagonistic image generation algorithm ComReAdv_bim is expressed as:
Figure FDA0002295528780000032
x_{n+1} = clip(x_n − α·r_{n+1}), x_0 = x
the MIM-based compression-resistant antagonistic image generation algorithm ComReAdv_mim is expressed as:
Figure FDA0002295528780000033
x_{n+1} = clip(x_n − α·r_{n+1}), x_0 = x, r_0 = 0, m = 1
where m is a momentum factor that weights the effect of previous gradient values on the current update.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911199508.8A CN111047658B (en) 2019-11-29 2019-11-29 Compression-resistant antagonistic image generation method for deep neural network

Publications (2)

Publication Number Publication Date
CN111047658A true CN111047658A (en) 2020-04-21
CN111047658B CN111047658B (en) 2022-11-18

Family

ID=70233645

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911199508.8A Active CN111047658B (en) 2019-11-29 2019-11-29 Compression-resistant antagonistic image generation method for deep neural network

Country Status (1)

Country Link
CN (1) CN111047658B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106875324A (en) * 2017-02-05 2017-06-20 西南大学 Lossless image information concealing method based on SBDE
CN109492582A (en) * 2018-11-09 2019-03-19 杭州安恒信息技术股份有限公司 A kind of image recognition attack method based on algorithm confrontation sexual assault
CN110021049A (en) * 2019-03-29 2019-07-16 武汉大学 A kind of highly concealed type antagonism image attack method based on space constraint towards deep neural network

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
WANG ZHIBO et al.: "Real-time and spatio-temporal crowd-sourced social network data publishing with differential privacy", IEEE Transactions on Dependable and Secure Computing *
WANG ZHIBO et al.: "Exploration of a real-time teaching evaluation model based on the crowdsourcing idea", Computer Education *
CHEN KUN et al.: "Applications of generative adversarial networks in medical image processing", Life Science Instruments *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111898645A (en) * 2020-07-03 2020-11-06 贵州大学 Movable sample attack resisting method based on attention mechanism
CN113239351A (en) * 2020-12-08 2021-08-10 武汉大学 Novel data pollution attack defense method for Internet of things system
CN113239351B (en) * 2020-12-08 2022-05-13 武汉大学 Novel data pollution attack defense method for Internet of things system
CN115797479A (en) * 2021-09-09 2023-03-14 北京三快在线科技有限公司 Method and device for generating landmark image, computer equipment and storage medium
CN115797479B (en) * 2021-09-09 2024-05-24 北京三快在线科技有限公司 Landmark image generation method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant