CN111047658A - Compression-resistant antagonistic image generation method for deep neural network - Google Patents
- Publication number: CN111047658A
- Authority: CN (China)
- Prior art keywords: image, compression, model, antagonistic, neural network
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06T—IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
- G06T9/00—Image coding
- G06T9/002—Image coding using neural networks
Landscapes
- Engineering & Computer Science (AREA)
- Artificial Intelligence (AREA)
- Evolutionary Computation (AREA)
- Multimedia (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Image Analysis (AREA)
- Image Processing (AREA)
Abstract
The invention discloses a compression-resistant antagonistic (adversarial) image generation method for a deep neural network. The method is highly extensible: it can be combined with existing adversarial image attack schemes and improves the compression resistance of the adversarial images generated by various attack algorithms without noticeably reducing the attack success rate. It can also produce compression-resistant antagonistic images when the compression method is unknown, which gives it high black-box practicability. The method solves the problem that antagonistic images generated by prior attack methods can become invalid after image compression.
Description
Technical Field
The invention relates to a compression-resistant antagonistic image generation method for a deep neural network, and belongs to the field of artificial intelligence security.
Background
In recent years deep learning has developed rapidly, and deep neural networks have reached or even exceeded human performance in fields such as image classification, object detection and natural language processing. They are therefore widely used for practical tasks such as autonomous driving, speech recognition and intelligent surveillance. However, recent studies have shown that deep neural networks are vulnerable to a specific kind of attack: by adding carefully constructed, human-imperceptible noise to an input image, the network can be made to output a wrong result, or even exactly the result the attacker expects; such a modified input is called an antagonistic (adversarial) image. Such images have an extremely high attack success rate against deep neural networks and are transferable: an antagonistic image generated against one particular network can attack a whole series of network architectures. Antagonistic image attacks therefore pose a significant threat to security-sensitive applications built on deep learning.
However, by studying existing antagonistic image algorithms we find that the generated images are not resistant to image compression. Most images are compressed to save storage space and network transmission resources, and most common image compression algorithms are lossy: a certain quality loss occurs, that is, pixel values change between the original and the compressed image. The noise added to an antagonistic image is carefully constructed, so when the image is compressed the change in pixel values disturbs that specific noise and the antagonistic image fails; its robustness and practicability are therefore poor. Because existing attack algorithms consider only the target model when optimizing the noise, the noise overfits the target model: the generated antagonistic image reaches a high attack success rate, but fails after even slight processing such as image compression, and so cannot be applied effectively in a real environment.
The invention recognizes that existing antagonistic image generation schemes only satisfy a high attack success rate against the deep neural network and have poor robustness: the antagonistic image easily loses its effect after conventional image compression, and no antagonistic image robust to compression is obtained. A compression-resistant antagonistic image generation scheme is therefore urgently needed.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a compression-resistant antagonistic image generation method for a deep neural network.
The invention designs a compression-resistant antagonistic image generation method for a deep neural network, which is characterized by comprising the following steps:
1) giving a target classifier model, giving an original image, inputting the original image into a target classifier after image compression, and obtaining confidence of classifying the original image into all classes; an attacker has a white box access right to the target model and sets a target type;
2) injecting an image compression algorithm into an optimization solving process of the antagonistic image, and generating an anti-compression antagonistic image by using a gradient-based optimization algorithm;
3) designing a neural network to approximate an image compression algorithm, wherein the trained neural network can be used as a micro-approximate form of the compression algorithm;
4) adding the trained neural network model into the solving process of the existing antagonistic image optimization algorithm to generate an antagonistic image with compression resistance, so that the target model classifies it into the target class.
Further, the input original image is first subjected to image compression, x' = comp(x), where x is the input original image, comp() is an image compression function and x' is the compressed image. The target image classifier may be expressed as f(x', θ) = y, where θ are the model parameters and y is the model output. The second-to-last layer of the model, called the logits layer, outputs the confidence of each category for the image; the last layer, called the softmax layer, outputs the normalized result of the logits layer, i.e. the probability of each category. The final output y of the classifier is the maximum of the softmax layer, expressed as:
$f(x, \theta) = \max(\mathrm{softmax}(\mathrm{logits}(\mathrm{comp}(x)))) = y$
The attacker has white-box access to the target model, that is, can read its parameters and weights, but cannot learn which compression function and compression level are used. The attacker sets a target class for a given image and generates an anti-compression antagonistic image so that the target model classifies the image into that target class.
Further, the optimization solving process in the step 2) adopts the following optimization formula:
$\text{s.t. } f(\mathrm{comp}(x'), \theta) = t,$
$x' = x + r \in [0, 1]^n,$
where r is the perturbation obtained by the optimization, and x' is the resulting antagonistic image, which still makes the model output the specified target class after being compressed by the image compression algorithm comp().
Further, the neural network model in step 3) is as follows:
$\mathrm{ComModel}(x, \theta_1) \approx \mathrm{comp}(x)$
where ComModel is the designed neural network model and θ_1 are the optimal model parameters expected after training. The model is based on an encoder-decoder structure with 12 layers in total, the first 6 of which form the encoder:
$L_1 = \mathrm{Conv}(I),$
$L_{i+1} = \mathrm{Res}(L_i),\quad i = 1, 2, \dots, 5$
where I denotes the input original image, L_i the i-th layer, Conv() a convolution operation and Res() a residual block, which performs the following operations:
$y = \mathrm{Conv}(\mathrm{Conv}(\mathrm{Conv}(x))) + \mathrm{Conv}(x)$
for the decoder structure of the last 6 layers, the structure is as follows:
$L_7 = \mathrm{Deconv}(L_6),$
$L_{i+1} = \mathrm{Deconv}(L_i \,\|\, L_{12-i}),\quad i = 7, 8, \dots, 10$
where Deconv() denotes a deconvolution operation and || denotes concatenation (splicing); finally, the ComModel is trained with the following optimization objective:
$I_r = \mathrm{ComModel}(I, \theta_1)$
where H, W and C are the height, width and number of channels of the image, I is the original image, I_c and I_r are respectively the compressed image produced by the real compression algorithm and the reconstructed image output by the ComModel, and the per-pixel term denotes the pixel value at height i, width j and channel k. Through continued training the optimal parameters θ_1 are obtained, so that the error between the reconstructed image output by the model and the real compressed image is minimized.
Further, replacing the original image compression algorithm with the trained compression approximation model ComModel to obtain the following optimization target for generating the compression-resistant adversity image:
$\text{s.t. } f(\mathrm{ComModel}(x, \theta_1), \theta) = t,$
$x' = x + r \in [0, 1]^n,$
further, step 4) adding the trained neural network model into the solving process of the existing confrontation image optimization algorithm, wherein the solving algorithm is as follows:
compressive antagonism-resistant image generation algorithm ComReAdv based on FGSMfgsmExpressed as:
BIM-based compression-resistant antagonism image generation algorithm ComReadvbimExpressed as:
xn+1=clip(xn-α·rn+1),x0=x
MIM-based compression-resistant antagonistic image generation algorithm ComReAdvmimExpressed as:
xn+1=clip(xn-α·rn+1),x0=x,r0=0,m=1
where m represents a momentum factor used to weigh the effect of previous gradient values on this update.
Compared with the prior art, the invention has the following beneficial effects:
1) Unlike existing antagonistic image attack methods, the method can carry out the optimized generation of the antagonistic image according to the specific image compression algorithm in use, and realizes antagonistic image attacks with high compression resistance.
2) The invention introduces a new compression approximation model, ComModel, which can be trained on a data set constructed from original images and their compressed images so that the trained ComModel approximates the image compression algorithm with a small enough error. The differentiability of the model effectively solves the problem that most current compression algorithms are not differentiable, and ensures that gradient-based optimization algorithms can be used.
3) The method is highly extensible and can be combined with various existing antagonistic image generation algorithms to obtain compression-resistant antagonistic images.
4) The method is highly practical: on the basis of the ComModel, even when the compression algorithm is unknown, a compression approximation model can be obtained effectively from a data set alone, so an antagonistic image resisting the unknown compression can be generated.
Drawings
FIG. 1 is a schematic diagram of a ComModel approximation model for a compression algorithm based on an encoder-decoder architecture
FIG. 2 is a ComModel-based compression-resistant antagonistic image generation framework
FIG. 3 is a comparison of the present invention and the existing attack method for resisting multiple compression modes
Detailed Description
The compression-resistant antagonistic image generation method for the deep neural network comprises the following steps:
1) A target classifier model and an original image are given; the original image is compressed and the compressed image is input into the target classifier to obtain the confidence of classifying the original image into each class. The attacker has white-box access to the target model and sets the target class.
The input original image is first subjected to image compression, x' = comp(x), where x is the input original image, comp() is an image compression function and x' is the compressed image. The target image classifier may be expressed as f(x', θ) = y, where θ are the model parameters and y is the model output, i.e. the class prediction for the compressed input x'. The second-to-last layer of the model, called the logits layer, outputs the confidence of each category for the original image, and the last layer, called the softmax layer, outputs the normalized result of the logits layer, i.e. the probability of each category. The final output y of the classifier is the maximum of the softmax layer, expressed as:
$f(x, \theta) = \max(\mathrm{softmax}(\mathrm{logits}(\mathrm{comp}(x)))) = y$
The attacker takes a trained neural-network image classifier as the attack target and has white-box access to it, that is, can read the parameters and weights of the target model, but cannot obtain the details of the compression function. The attacker sets a target class for a given image and generates an anti-compression antagonistic image so that the target model classifies the image into that target class.
2) An image compression algorithm is injected into the optimization solving process of the antagonistic image, and an anti-compression antagonistic image is generated by a gradient-based optimization algorithm. This avoids the problem that the generated antagonistic noise is damaged and fails because of the quality loss during image compression.
The optimization process that generates the antagonistic image takes the image compression algorithm into account so that the resulting image can resist compression; the optimization problem for generating the anti-compression antagonistic image is as follows:
$\text{s.t. } f(\mathrm{comp}(x'), \theta) = t,$
$x' = x + r \in [0, 1]^n,$
where r is the perturbation obtained by the optimization, and x' is the resulting antagonistic image, which still makes the model output the specified target class after being compressed by the image compression algorithm comp().
3) A neural network is designed to approximate the image compression algorithm; the trained network can be used as a differentiable approximate form of the compression algorithm. This solves the problem that gradient-based optimization cannot be used because the image compression algorithm is not differentiable.
Because the compression algorithm is not differentiable, the optimization problem cannot be solved with existing gradient-based optimization algorithms; the neural network model is therefore designed so that, after training, it approximates the specified image compression algorithm:
$\mathrm{ComModel}(x, \theta_1) \approx \mathrm{comp}(x)$
where ComModel is the designed neural network model and θ_1 are the optimal model parameters expected after training. The model is based on an encoder-decoder structure with 12 layers in total, the first 6 of which form the encoder:
$L_1 = \mathrm{Conv}(I),$
$L_{i+1} = \mathrm{Res}(L_i),\quad i = 1, 2, \dots, 5$
where I denotes the input original image, L_i the i-th layer, Conv() a convolution operation and Res() a residual block, which performs the following operations:
$y = \mathrm{Conv}(\mathrm{Conv}(\mathrm{Conv}(x))) + \mathrm{Conv}(x)$
The decoder structure of the last 6 layers is as follows:
$L_7 = \mathrm{Deconv}(L_6),$
$L_{i+1} = \mathrm{Deconv}(L_i \,\|\, L_{12-i}),\quad i = 7, 8, \dots, 10$
where Deconv() denotes a deconvolution operation and || denotes concatenation (splicing). Finally, the ComModel is trained with the following optimization objective:
$I_r = \mathrm{ComModel}(I, \theta_1)$
where H, W and C are the height, width and number of channels of the image, I is the original image, I_c and I_r are respectively the compressed image produced by the real compression algorithm and the reconstructed image output by the ComModel, and the per-pixel term denotes the pixel value at height i, width j and channel k. Through continued training the optimal parameters θ_1 are obtained, so that the error between the reconstructed image output by the model and the real compressed image is minimized.
4) The method is combined with the existing antagonistic image generation algorithm: the trained neural network model is added into the solving process of the optimization algorithm. Because the model is differentiable it allows the gradient-based optimization algorithm to run normally, and repeated iterative optimization yields antagonistic noise that is still effective after compression, so a compression-resistant antagonistic image is generated and the target model classifies it into the target class.
Replacing the original image compression algorithm with the trained compression approximation model ComModel gives the following optimization problem for generating the anti-compression antagonistic image:
$\text{s.t. } f(\mathrm{ComModel}(x, \theta_1), \theta) = t,$
$x' = x + r \in [0, 1]^n,$
in combination with existing antagonistic image generation algorithms, an antagonistic image is generated that is resistant to compression.
Many methods have been used to solve the optimization objective of the antagonistic image, including FGSM (fast gradient sign method), BIM (basic iterative method) and others. The solution algorithm of FGSM is as follows:
Taking FGSM as an example, the gradient of the loss function with respect to the input x and the target label t is computed and subtracted from the input, so that the distance of the resulting x' to the target label decreases and x' is classified as the designated label t. BIM and MIM adopt the same idea but solve the problem iteratively.
To generate an antagonistic image that resists compression, the compression function comp() must be added into the optimization formula before solving, so that the finally generated image is resistant to compression because the compression process is considered during optimization. However, a conventional compression algorithm comp() is not differentiable, i.e. its gradient cannot be derived, so the gradient-based optimization algorithms (FGSM, BIM, etc.) cannot solve the above optimization formula containing comp().
In this scheme a neural network is used to approximate the compression algorithm and obtain a differentiable approximate form of it, ComModel() ≈ comp(); after replacing comp() with ComModel(), a new optimization target is obtained:
$\text{s.t. } f(\mathrm{ComModel}(x, \theta_1), \theta) = t,$
$x' = x + r \in [0, 1]^n,$
This can then be solved with a gradient-based optimization algorithm; to avoid confusion with the original algorithms, the resulting algorithms are named ComReAdv_fgsm and so on herein.
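Steps 3) and 4) rest on one observation: a real codec comp() is piecewise constant, so a gradient-based optimizer gets no signal through it, while a model fitted on (original, compressed) pairs is smooth and does pass gradients. The following is an added example that is not part of the patent: it replaces comp() by a uniform quantizer, replaces the encoder-decoder ComModel by a per-pixel affine map fitted by least squares on constructed (I, I_c) pairs, and uses a 3-pixel linear softmax classifier as the target model f(x, θ); every function name, the weight matrix W and the sample inputs are assumptions made for the example. It measures the numerical gradient of the target-class loss through the real quantizer and through the surrogate, and the surrogate's approximation error.

```python
import math
import random

# Constructed stand-in for a lossy codec comp(): uniform quantization of each
# pixel value. Like JPEG/WebP it is piecewise constant, so its derivative is
# zero almost everywhere and an optimizer sees no gradient through it.
def toy_compress(pixels, step=0.25):
    return [math.floor(p / step + 0.5) * step for p in pixels]

# Assumed toy white-box classifier f(x, theta): linear logits + softmax,
# two classes over three "pixels".
W = [[2.0, -1.0, 0.5],
     [-1.0, 2.0, 1.0]]

def logits(pixels):
    return [sum(w * p for w, p in zip(row, pixels)) for row in W]

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def target_loss(pixels, target):
    # cross-entropy toward class `target`; the quantity the page's
    # gradient-based solvers descend
    return -math.log(softmax(logits(pixels))[target])

def training_pairs(n=1000, seed=0):
    # constructed (I, I_c) data set: random pixel values and their compressed values
    rng = random.Random(seed)
    pairs = []
    for _ in range(n):
        x = rng.random()
        pairs.append((x, toy_compress([x])[0]))
    return pairs

def fit_affine_surrogate(pairs):
    # Least-squares fit of a per-pixel affine map a*x + b to (I, I_c) samples:
    # the degenerate, two-parameter analogue of training ComModel.
    xs = [x for x, _ in pairs]
    ys = [y for _, y in pairs]
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    var = sum((x - mx) ** 2 for x in xs)
    cov = sum((x - mx) * (y - my) for x, y in pairs)
    a = cov / var
    b = my - a * mx
    return a, b

def make_surrogate(a, b):
    # differentiable approximation ComModel(x) ~= comp(x)
    return lambda pixels: [a * p + b for p in pixels]

def surrogate_mae(surrogate, n=500, seed=1):
    # mean absolute error between the surrogate and the real quantizer on
    # fresh constructed inputs (the role of the page's training objective)
    rng = random.Random(seed)
    err = 0.0
    for _ in range(n):
        x = rng.random()
        err += abs(surrogate([x])[0] - toy_compress([x])[0])
    return err / n

def numerical_gradient(f, x, h=1e-6):
    # central finite differences, one coordinate at a time
    g = []
    for i in range(len(x)):
        up = list(x); up[i] += h
        dn = list(x); dn[i] -= h
        g.append((f(up) - f(dn)) / (2 * h))
    return g

def gradient_through_codec(x, target):
    # gradient of the target loss when the real (non-differentiable) codec is in the loop
    return numerical_gradient(lambda p: target_loss(toy_compress(p), target), x)

def gradient_through_surrogate(x, target, surrogate):
    # gradient of the target loss when the fitted surrogate replaces the codec
    return numerical_gradient(lambda p: target_loss(surrogate(p), target), x)

if __name__ == "__main__":
    a, b = fit_affine_surrogate(training_pairs())
    sur = make_surrogate(a, b)
    x = [0.3, 0.6, 0.8]          # constructed input away from quantization boundaries
    print("surrogate a=%.3f b=%.3f mae=%.4f" % (a, b, surrogate_mae(sur)))
    print("gradient through codec:    ", gradient_through_codec(x, 1))
    print("gradient through surrogate:", gradient_through_surrogate(x, 1, sur))
```

Running the block prints an all-zero gradient through the quantizer and a non-zero gradient through the surrogate, which is the whole reason the patent needs a ComModel. For a defender the same experiment is the cautionary point: a non-differentiable preprocessing step such as recompression hides the gradient rather than removing the underlying weakness, and a surrogate fitted from input/output pairs alone (its error here is well below the quantization step) restores it. A robustness evaluation that stops at the zero gradients of the raw codec therefore overstates the protection and should include such a surrogate.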
The FGSM-based compression-resistant antagonistic image generation algorithm ComReAdv_fgsm is expressed as:
The BIM-based compression-resistant antagonistic image generation algorithm ComReAdv_bim can be expressed as:
$x_{n+1} = \mathrm{clip}(x_n - \alpha \cdot r_{n+1}),\quad x_0 = x$
The MIM-based compression-resistant antagonistic image generation algorithm ComReAdv_mim can be expressed as:
$x_{n+1} = \mathrm{clip}(x_n - \alpha \cdot r_{n+1}),\quad x_0 = x,\ r_0 = 0,\ m = 1$
where m is a momentum factor that weights the effect of previous gradient values on the current update.
The method adds the obtained approximate compression algorithm into the optimization process to generate the compression-resistant antagonistic image. The closer the ComModel approximates comp(), the higher the compression resistance of the final antagonistic image, and the scheme can achieve a better approximation by designing the network structure appropriately.
As shown in Fig. 3, the ordinate is the success rate with which the generated antagonistic image resists compression (higher is better), and the abscissa is the amplitude of the noise added to the generated image (the larger the amplitude, the more perceptible it is to the human eye). The figure mainly compares the antagonistic image generation algorithm MIM, which does not take compression into account, the existing algorithm Diff_MIM, which takes only JPEG compression into account, and the algorithm ComReAdv_MIM proposed by this scheme. The parameter settings are: 10 iteration steps, total noise amplitude eps (shown on the abscissa), and a step size alpha of eps/10 per iteration.
The experiment was tested with the commonly used JPEG, WEBP and JPEG2000 compression. Taking JPEG(50) as an example, the number in parentheses indicates the compression level of the compression algorithm. As can be seen from panels (a)-(c), for JPEG compression the present invention and Diff_MIM achieve a higher compression-resistant success rate than MIM, which does not consider compression; the success rate rises with the noise amplitude, and both compression-resistant methods exceed 95% at the maximum noise amplitude of 9 (at which the image still shows no obvious disturbance). At high compression levels this improvement is more pronounced (see panel (c)). As can be seen from panels (d)-(h), for WEBP and JPEG2000 compression the present scheme still achieves a high success rate while Diff_MIM is no longer effective, which indicates that the existing scheme works only for a specific compression algorithm, whereas the present scheme makes up for this deficiency and can be used for several compression algorithms.
The experiment shows that the scheme not only achieves a high compression-resistant success rate but is also applicable to various compression algorithms, demonstrating its effectiveness and universality.
The invention designs a compression-resistant antagonistic image generation method for a deep neural network, aiming to overcome the defect that antagonistic images generated by existing attack algorithms cannot resist image compression. The image compression algorithm is added into the optimization process that generates the antagonistic image, and compression-resistant noise is added to the image adaptively, so that the constructed antagonistic image remains effective after compression. To address the non-differentiability of the compression algorithm, a neural network model is designed to approximate and replace it, which ensures compatibility with existing antagonistic image generation schemes; the noise is generated by optimizing the objective function so that the probability with which the target model classifies the antagonistic image into the target class is maximized, thereby achieving the attacker's goal that the classifier outputs the attacker-chosen target class. The neural network can be trained from an original-image/compressed-image data set without attention to the implementation of a specific compression algorithm, so the scheme can also produce compression-resistant antagonistic images when the compression algorithm is a black box.
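A defender who deploys compression as an input-sanitizing step needs the measurement Fig. 3 reports: the fraction of candidate adversarial inputs that keep their attacker-chosen label after each compression setting. The following is an added example, not part of the patent: it uses a 2-pixel linear classifier as a stand-in for f, uniform quantization at step s as a stand-in for JPEG(q)/WEBP/JPEG2000 (larger s meaning heavier compression), and four constructed candidate inputs with decreasing decision margins; all names and values are assumptions made for the example.

```python
import math

# Constructed stand-in for a lossy codec at a given "quality": uniform
# quantization with step s (larger s = heavier compression).
def quantize(pixels, step):
    return [math.floor(p / step + 0.5) * step for p in pixels]

# Assumed toy 2-class classifier on 2-pixel inputs: the pixel values are the
# logits, prediction is the argmax; ties resolve to the lowest class index,
# i.e. the target label counts as lost.
def predict(pixels):
    z = list(pixels)
    return z.index(max(z))

def margin(pixels, target):
    # target logit minus the best competing logit; <= 0 means the target
    # label does not survive this transform
    z = list(pixels)
    others = [v for i, v in enumerate(z) if i != target]
    return z[target] - max(others)

def compression_survival(images, target, steps):
    """For each compression setting, the fraction of candidate adversarial
    inputs still classified as `target` after compression, plus each
    input's post-compression margin (how close it came to flipping)."""
    report = {}
    for s in steps:
        compressed = [quantize(img, s) for img in images]
        survived = sum(1 for c in compressed if predict(c) == target)
        report[s] = {
            "success_rate": survived / len(images),
            "margins": [round(margin(c, target), 4) for c in compressed],
        }
    return report

# Constructed candidate inputs, all classified as target class 1 when
# uncompressed, ordered from widest to narrowest decision margin.
CANDIDATES = [
    (0.12, 0.93),
    (0.32, 0.62),
    (0.66, 0.71),
    (0.41, 0.49),
]
STEPS = [0.05, 0.25, 0.5]   # fine, medium, coarse compression

def survival_rates(images=CANDIDATES, target=1, steps=STEPS):
    rep = compression_survival(images, target, steps)
    return {s: r["success_rate"] for s, r in rep.items()}

if __name__ == "__main__":
    for s, r in compression_survival(CANDIDATES, 1, STEPS).items():
        print("step %.2f  success rate %.2f  margins %s"
              % (s, r["success_rate"], r["margins"]))
```

The per-input margins are more informative than the bare rate when choosing a compression level, because they show how close each surviving input is to losing the target label. In the constructed numbers only the widest-margin input survives the coarsest setting, mirroring the page's observation that heavier compression removes more of the adversarial effect unless the attacker optimized through the codec; an evaluation should therefore run against the strongest compression the application tolerates, not a single quality setting.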
Claims (6)
1. A compression-resistant antagonism image generation method facing a deep neural network is characterized by comprising the following steps:
1) giving a target classifier model, giving an original image, inputting the original image into a target classifier after image compression, and obtaining confidence of classifying the original image into all classes; an attacker has a white box access right to the target model and sets a target type;
2) injecting an image compression algorithm into an optimization solving process of the antagonistic image, and generating an anti-compression antagonistic image by using a gradient-based optimization algorithm;
3) designing a neural network to approximate an image compression algorithm, wherein the trained neural network can be used as a micro-approximate form of the compression algorithm;
4) and adding the trained neural network model into the solving process of the existing antagonistic image optimization algorithm to generate an antagonistic image with compression resistance, so that the target model is classified into a target class.
2. The deep neural network-oriented compression-resistant antagonistic image generation method according to claim 1, characterized in that: the input original image is first subjected to image compression, x' = comp(x), where x is the input original image, comp() is an image compression function and x' is the compressed image; the target image classifier may be expressed as f(x', θ) = y, where θ are the model parameters and y is the model output; the second-to-last layer of the model, called the logits layer, outputs the confidence of each category for the image; the last layer, called the softmax layer, outputs the normalized result of the logits layer, i.e. the probability of each category; the final output y of the classifier is the maximum of the softmax layer, expressed as:
$f(x, \theta) = \max(\mathrm{softmax}(\mathrm{logits}(\mathrm{comp}(x)))) = y$
The attacker has white-box access to the target model, that is, can read its parameters and weights, but cannot learn which compression function and compression level are used; the attacker sets a target class for a given image and generates an anti-compression antagonistic image so that the target model classifies the image into that target class.
3. The deep neural network-oriented compression-resistant antagonistic image generating method according to claim 1, characterized in that: aiming at the optimization solving process in the step 2), the following optimization formula is adopted:
$\text{s.t. } f(\mathrm{comp}(x'), \theta) = t,$
$x' = x + r \in [0, 1]^n,$
where r is the perturbation obtained by the optimization, and x' is the resulting antagonistic image, which still makes the model output the specified target class after being compressed by the image compression algorithm comp().
4. The deep neural network-oriented compression-resistant antagonistic image generation method according to claim 3, characterized in that: the neural network model in step 3) is as follows:
$\mathrm{ComModel}(x, \theta_1) \approx \mathrm{comp}(x)$
where ComModel is the designed neural network model and θ_1 are the optimal model parameters expected after training; the model is based on an encoder-decoder structure with 12 layers in total, the first 6 of which form the encoder:
$L_1 = \mathrm{Conv}(I),$
$L_{i+1} = \mathrm{Res}(L_i),\quad i = 1, 2, \dots, 5$
where I denotes the input original image, L_i the i-th layer, Conv() a convolution operation and Res() a residual block, which performs the following operations:
$y = \mathrm{Conv}(\mathrm{Conv}(\mathrm{Conv}(x))) + \mathrm{Conv}(x)$
The decoder structure of the last 6 layers is as follows:
$L_7 = \mathrm{Deconv}(L_6),$
$L_{i+1} = \mathrm{Deconv}(L_i \,\|\, L_{12-i}),\quad i = 7, 8, \dots, 10$
where Deconv() denotes a deconvolution operation and || denotes concatenation (splicing); finally, the ComModel is trained with the following optimization objective:
$I_r = \mathrm{ComModel}(I, \theta_1)$
where H, W and C are the height, width and number of channels of the image, I is the original image, I_c and I_r are respectively the compressed image produced by the real compression algorithm and the reconstructed image output by the ComModel, and the per-pixel term denotes the pixel value at height i, width j and channel k; through continued training the optimal parameters θ_1 are obtained, so that the error between the reconstructed image output by the model and the real compressed image is minimized.
5. The deep neural network-oriented compression-resistant antagonistic image generation method according to claim 4, characterized in that: replacing an original image compression algorithm with a trained compression approximation model ComModel to obtain an optimization target for generating a compression-resistant antagonistic image as follows:
$\text{s.t. } f(\mathrm{ComModel}(x, \theta_1), \theta) = t,$
$x' = x + r \in [0, 1]^n.$
6. The deep neural network-oriented compression-resistant antagonistic image generation method according to claim 5, characterized in that: in step 4) the trained neural network model is added into the solving process of the existing antagonistic image optimization algorithm, the solving algorithms being as follows:
The FGSM-based compression-resistant antagonistic image generation algorithm ComReAdv_fgsm is expressed as:
The BIM-based compression-resistant antagonistic image generation algorithm ComReAdv_bim is expressed as:
$x_{n+1} = \mathrm{clip}(x_n - \alpha \cdot r_{n+1}),\quad x_0 = x$
The MIM-based compression-resistant antagonistic image generation algorithm ComReAdv_mim is expressed as:
$x_{n+1} = \mathrm{clip}(x_n - \alpha \cdot r_{n+1}),\quad x_0 = x,\ r_0 = 0,\ m = 1$
where m is a momentum factor that weights the effect of previous gradient values on the current update.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911199508.8A CN111047658B (en) | 2019-11-29 | 2019-11-29 | Compression-resistant antagonistic image generation method for deep neural network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111047658A true CN111047658A (en) | 2020-04-21 |
CN111047658B CN111047658B (en) | 2022-11-18 |
Family ID: 70233645
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111047658B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111898645A (en) | 2020-07-03 | 2020-11-06 | Guizhou University | Transferable adversarial sample attack method based on an attention mechanism |
CN113239351A (en) | 2020-12-08 | 2021-08-10 | Wuhan University | Novel data pollution attack defense method for Internet of Things systems |
CN115797479A (en) | 2021-09-09 | 2023-03-14 | Beijing Sankuai Online Technology Co., Ltd. | Method and device for generating landmark images, computer equipment and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106875324A (en) | 2017-02-05 | 2017-06-20 | Southwest University | Lossless image information hiding method based on SBDE |
CN109492582A (en) | 2018-11-09 | 2019-03-19 | Hangzhou DBAPPSecurity Co., Ltd. | Image recognition attack method based on algorithmic adversarial attack |
CN110021049A (en) | 2019-03-29 | 2019-07-16 | Wuhan University | Highly concealed antagonistic image attack method for deep neural networks based on spatial constraints |
Non-Patent Citations (3)
Title |
---|
WANG Zhibo et al.: "Real-time and spatio-temporal crowd-sourced social network data publishing with differential privacy", IEEE Transactions on Dependable and Secure Computing * |
WANG Zhibo et al.: "Exploring a real-time teaching evaluation model based on crowdsourcing", 计算机教育 (Computer Education) * |
CHEN Kun et al.: "Applications of generative adversarial networks in medical image processing", 生命科学仪器 (Life Science Instruments) * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111898645A (en) * | 2020-07-03 | 2020-11-06 | 贵州大学 | Transferable adversarial example attack method based on attention mechanism |
CN113239351A (en) * | 2020-12-08 | 2021-08-10 | 武汉大学 | Novel data poisoning attack defense method for Internet of Things systems |
CN113239351B (en) * | 2020-12-08 | 2022-05-13 | 武汉大学 | Novel data poisoning attack defense method for Internet of Things systems |
CN115797479A (en) * | 2021-09-09 | 2023-03-14 | 北京三快在线科技有限公司 | Method and device for generating landmark image, computer equipment and storage medium |
CN115797479B (en) * | 2021-09-09 | 2024-05-24 | 北京三快在线科技有限公司 | Landmark image generation method, device, computer equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN111047658B (en) | 2022-11-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111047658B (en) | Compression-resistant antagonistic image generation method for deep neural network | |
Das et al. | Keeping the bad guys out: Protecting and vaccinating deep learning with jpeg compression | |
Shen et al. | Ape-gan: Adversarial perturbation elimination with gan | |
CN110163093B (en) | Road sign recognition adversarial defense method based on genetic algorithm | |
CN110941794A (en) | Adversarial attack defense method based on universal inverse perturbation defense matrix | |
CN111461307A (en) | Universal perturbation generation method based on generative adversarial network | |
CN111325324A (en) | Deep learning adversarial example generation method based on second-order method | |
CN110021049B (en) | Deep neural network-oriented high-concealment adversarial image attack method based on spatial constraint | |
CN113627543B (en) | Adversarial attack detection method | |
CN112926661A (en) | Method for enhancing image classification robustness | |
Aprilpyone et al. | Adversarial robustness by one bit double quantization for visual classification | |
CN113283599A (en) | Adversarial attack defense method based on neuron activation rate | |
CN114863226A (en) | Cyber-physical system intrusion detection method | |
CN118397431B (en) | Multi-view adaptive weight balance attack resistance method for pedestrian targets | |
CN115062306A (en) | Black-box adversarial attack method for malicious code detection systems | |
Tang et al. | Reinforcement learning of non-additive joint steganographic embedding costs with attention mechanism | |
Zanddizari et al. | Generating black-box adversarial examples in sparse domain | |
CN118351371A (en) | Few-shot image classification method and system based on adversarial training and meta-learning | |
CN113221388A (en) | Method for generating adversarial examples for a black-box deep model under a visual-perception perturbation constraint | |
Zhang et al. | Adversarial learning in transformer based neural network in radio signal classification | |
CN115017501A (en) | Image adversarial example detection method and system based on uncertainty estimation | |
CN115238271A (en) | AI security detection method based on generative learning | |
Xu et al. | Drhnet: a deep residual network based on heterogeneous kernel for steganalysis | |
Kushida et al. | Generation of adversarial examples using adaptive differential evolution | |
Dan et al. | Escaping filter-based adversarial example defense: A reinforcement learning approach |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||