CN111310802A - Adversarial attack defense training method based on a generative adversarial network - Google Patents


Info

Publication number: CN111310802A (granted version: CN111310802B)
Application number: CN202010064965.2A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 孔锐, 黄钢, 曹后杰
Assignee (original and current): Xh Smart Tech China Co ltd
Legal status: Granted, active
Prior art keywords: attack, real, training, sample, sample image

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F18/00 Pattern recognition > G06F18/20 Analysing > G06F18/24 Classification techniques
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/04 Architecture, e.g. interconnection topology > G06N3/045 Combinations of networks
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/08 Learning methods > G06N3/084 Backpropagation, e.g. using gradient descent


Abstract

The invention provides an adversarial attack defense training method based on a generative adversarial network (GAN), comprising: S1, z-score standardization of the real sample image data x_real; S2, building a defense training framework; S3, generating random noise Z and a random condition vector C_fake; S4, feeding Z and C_fake to the generator of the framework; S5, feeding the standardized real sample image data and its class c_real to the attack algorithm library; S6, running defense training on the framework and saving its trained parameters; S7, when training is finished, discarding the generator and the attack algorithm library and keeping the discriminator. The method avoids the heavy workload of conventional adversarial defense training that relies on an additional network, and the classifier it produces is more robust.

Description

Adversarial attack defense training method based on a generative adversarial network
Technical Field
The invention relates to the technical field of defending deep learning models against adversarial attacks, and in particular to an adversarial attack defense training method based on a generative adversarial network.
Background
Deep learning currently occupies the core of the rapidly developing fields of machine learning and artificial intelligence and performs excellently in many vision and speech recognition tasks. However, because the models are non-intuitive and hard to interpret, modern deep neural networks (DNNs) for vision are vulnerable to adversarial examples crafted around specific blind spots. Unlike random noise, a well-crafted adversarial example is hard for a human to perceive, causes the target network to predict and classify wrongly, and is transferable, so it can be used directly in a black-box attack: the attacker finds a substitute network similar to the target network, trains attack samples against the substitute, and applies them to the target network. Designing a defense training method that effectively defends against adversarial examples in such black-box attacks is therefore important and urgent.
Generative adversarial network theory is based on a game-theoretic scenario: a generator network learns, by competing with an opponent, to map a simple input distribution (usually a standard multivariate normal or a uniform distribution) into image space, while the opponent, the discriminator, tries to distinguish samples drawn from the training data from samples produced by the generator.
A classifier model with a good decision boundary not only classifies real samples correctly; when it faces an attack sample it ignores the interfering features, attends to the key features of the sample, and still classifies it correctly. Existing defenses against adversarial attacks fall mainly into the following categories:
(1) Detection based on statistical tests: direct but weak. It rests on statistical conclusions drawn from a large number of adversarial examples, so a large number of them is needed to mine the statistical regularities, and it is not suited to detecting a single adversarial example.
(2) Modifying the training process or the training data: supervised training with adversarial examples added to the original samples as the training set; compressing the input data; random rescaling and random padding of the input, and image augmentation during training.
(3) Modifying the neural network model, for example adding network layers or sub-networks, or changing the loss or activation functions.
(4) Using an external model as an additional network when classifying unseen samples, i.e. attaching a separately trained network to the original model so that it becomes immune to adversarial examples without adjusting its own coefficients, which completes a defense against general perturbations.
In summary, for each new type of adversarial attack some extra work is needed to keep the classifier robust to the newly added attack method. Considering effect and cost, the two approaches of modifying the data and using an additional network are the most used, because neither modifies the target network model directly and both can be reused across several network models with similar functions, which saves considerable engineering resources. However, both add a certain amount of workload, and because the training samples are limited, the decision boundary learned by defense training differs from the real decision boundary.
Disclosure of Invention
To overcome the defects of conventional adversarial defense training, namely the extra workload of using an additional network and the limitation of the training samples that makes the trained decision boundary differ from the real decision boundary, the invention provides an adversarial attack defense training method based on a generative adversarial network. The method needs no additional network and improves the robustness of the network against adversarial attack samples.
The invention aims to solve the above technical problem at least to some extent. To achieve this, the technical scheme of the invention is as follows:
An adversarial attack defense training method based on a generative adversarial network comprises the following steps:
S1, define the class of the real sample image data x_real as c_real and apply z-score standardization to the real sample image data;
S2, establish a defense training framework comprising a generator, an attack algorithm library, a discriminator and a target network;
S3, generate random noise Z and, based on the defined real sample image data, a random condition vector C_fake;
S4, input the random noise Z and the random condition vector C_fake to the generator of the defense training framework;
S5, input the z-score standardized real sample image data and its class c_real to the attack algorithm library; input the output of the generator and the output of the attack algorithm library to the discriminator of the defense training framework;
S6, perform defense training on the defense training framework and save the parameters of the trained framework;
S7, when training is finished, discard the generator and the attack algorithm library and keep the discriminator.
Preferably, the real sample image data x_real of step S1 obeys a discrete normal distribution P_real, the total number of classes of the real sample image data is n_classes, and the z-score standardization of x_real is:
    x_real_std = (x_real - mean) / std
where x_real_std denotes the real sample image data after z-score standardization (the original shows this symbol as an image; the name used here is a stand-in), x_real denotes the real sample image data before standardization, mean denotes the mean of the real sample image data and std its standard deviation.
Preferably, the defense training framework of step S2 comprises a generator G, an attack algorithm library Ω_attack for generating attack samples, a discriminator D and a target network F. The generator G is an up-sampling convolutional neural network built from a basic convolution unit of one of the neural networks VGG, ResNet, GoogLeNet or AlexNet; the algorithms in the attack algorithm library Ω_attack are gradient attack algorithms, including but not limited to the Fast Gradient Sign Method, the Iterative Least-Likely Class Method and the Basic Iterative Method; the discriminator D is a down-sampling convolutional neural network built from a basic convolution unit of one of VGG, ResNet, GoogLeNet or AlexNet; the target network F is a convolutional neural network comprising one or any combination of VGG, ResNet, GoogLeNet and AlexNet.
Preferably, the random noise Z of step S3 is drawn at random from a discrete normal distribution P_z with mean 0 and standard deviation 1, and the random condition vector C_fake is drawn at random from the integers in the uniform distribution P_c = [0, n_classes).
Preferably, the defense training of the defense training framework in step S6 proceeds as follows:
S601, take the random noise Z and the random condition vector C_fake as the input of the generator G in the training framework and use G to generate a fake sample image x_fake;
S602, input the z-score standardized real sample image data and its class c_real to the attack algorithm library Ω_attack;
S603, with the target network F as the attack target, attack the standardized real sample image data with an attack algorithm chosen at random from Ω_attack, and output the attack samples and their classes;
S604, input the fake sample image x_fake and the attack samples together into the discriminator D to obtain: the true/false judgement loss L_tf(G) and the class loss L_cls(G) of D on the fake sample image x_fake; the true/false judgement loss of D on the fake sample image; the true/false judgement loss of D on the attack samples; and the classification loss L_cls(D).
Here the target network F is a convolutional neural network obtained by training on the standardized real sample data. During the defense training of the framework, the attack algorithm library derives from it false sample data that stop the target network F from working normally; this false sample data is a modification of the real sample data, and the modification is carried out by one of the attack algorithms in the attack algorithm library.
Preferably, the generator G and the discriminator D of the defense training framework are trained together for Epoch rounds, alternating between G and D:
1) Fix the parameters θ_D of the discriminator D and train the generator G, as follows:
Step one: draw M samples at random from the discrete normal distribution P_z with mean 0 and standard deviation 1 to form the random noise Z; draw M samples at random from the integers in the uniform distribution P_c = [0, n_classes) to form the random condition vector c_fake; pass Z and c_fake to the generator G to generate M fake sample images x_fake.
Step two: pass the fake sample images x_fake to the discriminator D to obtain D's true/false judgement loss L_tf(G) and classification prediction loss L_cls(G) on x_fake (both formulas appear as images in the original and are not reproduced here). Each formula is the loss value computed as an expectation; the subscript letters only identify the distribution being averaged over and have no further meaning for the formula itself.
Step three: back-propagate and update the parameters θ_G of the generator G with an optimizer; the overall loss function L(G) is:
L(G) = L_cls(G) + L_tf(G)
where the optimizer used to update θ_G is one of Adam, SGD, RMSProp and Momentum;
2) Fix the parameters θ_G of the generator G and train the discriminator D:
Step 1: select M image data at random from the discrete normal distribution P_real to form the real sample images x_real, and input the z-score standardized real sample image data and its class c_real to the attack algorithm library Ω_attack.
Step 2: with the target network F as the attack target, attack the standardized real sample image data with an attack algorithm chosen at random from the attack algorithm library Ω_attack, and output the attack samples and their classes.
Step 3: input the fake sample images x_fake and the attack samples together into the discriminator D to obtain: D's true/false judgement loss L_tf(G) and class loss L_cls(G) on the fake sample images x_fake; D's true/false judgement loss on the fake sample images; D's true/false judgement loss on the attack samples; and the classification loss L_cls(D). The formulas for these losses appear as images in the original and are not reproduced here; each is the loss value computed as an expectation, and the subscript letters only declare the distribution of the data, with no further meaning for the formula.
Step 4: draw M samples at random from the discrete normal distribution P_z with mean 0 and standard deviation 1 to form the random noise Z; pass Z and the random condition vector c_fake to the generator G to generate M fake sample images x_fake; pass x_fake to the discriminator D to obtain the true/false judgement loss. The total loss function L(D) is given by a formula that appears as an image in the original.
Step 5: back-propagate and update the parameters θ_D of the discriminator D with an optimizer; the optimizer is one of Adam, SGD, RMSProp and Momentum.
Preferably, the defense training of the defense training framework is carried out in batches of size M, i.e. M samples are input to the framework in each training step: the random noise Z, the random condition vector C_fake, the standardized real sample image data and its class c_real each number M. The attack algorithm is selected by the following rules:
A. A random selector picks an attack algorithm f_attack from the attack algorithm library Ω_attack at random.
B. With the target network F as the attack target, attack each of the standardized real sample images with its class c_real in each training cycle, picking an attack algorithm f_attack from Ω_attack at random for each attack, and generate an attack sample.
C. Judge whether the attack on the target network F succeeded; if so, keep the attack sample, otherwise discard it.
D. Judge whether the number of attack samples equals the batch size M; if so, output the attack samples, otherwise return to B.
That is, according to the batch size M, each sample in each training cycle is attacked with the target network F as the attack target, an attack algorithm f_attack being picked from Ω_attack at random for each attack, to generate an attack sample. Within one batch the random selector picks from the attack algorithms in Ω_attack M times, one attack algorithm and one attack sample each time, so that there are M attack samples in total and the corresponding attack sample classes also number M.
Preferably, the criterion for judging that the attack on the target network F failed is that the attack sample is still recognized by the target network F as its correct class.
Preferably, the indicator of training completion is that the classification prediction accuracy of the discriminator D on the real sample images and its classification prediction accuracy on the attack samples are both at their highest at the same time; the parameters θ_D of the discriminator D of that round are then stored.
Preferably, the classification prediction accuracy of the discriminator D on the real sample images is computed as
    accuracy on real samples = n_acc / (number of real sample images)
where n_acc is the number of real samples whose predicted class equals its true class; and the classification prediction accuracy on the attack samples is
    accuracy on attack samples = n_acc / (number of attack samples)
where n_acc is the number of attack samples whose predicted class equals its true class.
Compared with the prior art, the technical scheme of the invention has the following beneficial effects:
(1) The adversarial attack defense training method based on a generative adversarial network trains the defense training framework directly by modifying the training process and the training data; it avoids the heavy workload that conventional adversarial defense training incurs when it uses an additional network, and it is more robust.
(2) The training samples of the method are generated at random from the real sample image data and are not limited, which avoids the difference between the decision boundary learned by existing defense training and the real decision boundary.
Drawings
Fig. 1 is a flowchart of the adversarial attack defense training method based on a generative adversarial network according to the invention.
Fig. 2 is the adversarial attack defense training framework based on a generative adversarial network according to the invention.
Fig. 3 is a schematic diagram of the target attack performed by the attack algorithm provided by the present invention.
Fig. 4 is a schematic diagram of a specific process of the attack algorithm for target attack.
Fig. 5 is a schematic diagram of a network structure of the generator G according to the present invention.
Fig. 6 is a schematic diagram of a network structure of the discriminator D according to the present invention.
Fig. 7 is a diagram illustrating the classification accuracy of the target network F on the attack sample.
Fig. 8 is a diagram illustrating the classification accuracy of the target network F on the real sample.
Detailed Description
The drawings are for illustrative purposes only and are not to be construed as limiting the patent;
it will be understood by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted.
The technical solution of the present invention is further described below with reference to the accompanying drawings and examples.
Example 1
Fig. 1 is the flowchart of the adversarial attack defense training method based on a generative adversarial network, and Fig. 2 is the adversarial attack defense training framework based on a generative adversarial network, which comprises a generator G, a discriminator D, a target network F and an attack algorithm library Ω_attack.
In this example the generator G uses the basic residual block of ResNet as a deconvolutional neural network that up-samples the tensor: the random noise z and the random condition vector c_fake are its input, and the fake sample image x_fake is obtained after up-sampling through the deconvolution network. The discriminator D uses ResNet as its network structure and receives the attack samples that the attack algorithm library Ω_attack produces with the target network F as the attack target, together with the generated samples x_fake. The target network F uses VGG as its network structure. After the training of the generator G and the discriminator D, only the parameters of the discriminator are kept, and it serves as the final classifier. The experimental environment of this embodiment is: a server with 32 Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz processors, 64GB of RAM, two NVIDIA Tesla P4 GPUs and the PyTorch framework.
The training step comprises:
T1. The MNIST handwritten digit data set is used with batch training; the batch size is set to M = 64; each sample of the MNIST data set is z-score standardized, and the sample data take values in the range [-1, 1]. The standardized real samples form one batch tensor of shape 64 × 1 × 28 × 28. The samples are labelled by class and the labels are used as the condition vector, written c_real; in one batch the condition vector has shape 64 × 1. Since the MNIST data set chosen for this embodiment is a collection of images of the handwritten digits 0 to 9, the condition vector is set up with the data set divided into 10 classes, the digits 0 to 9, i.e. n_classes = 10.
T2. The random condition vector c_fake, used as input to the generator G, is sampled at random from the integers in P_c = [0, 10); in one batch the tensor of c_fake has shape 64 × 1.
T3. The random noise z, used as input to the generator G, is generated with PyTorch's built-in function: 128 values are drawn from the discrete normal distribution P_z with mean 0 and standard deviation 1 per sample, so the tensor of z in one batch has shape 64 × 128.
In this embodiment the target network F uses VGG11 as its model framework; the classification prediction accuracy of the pre-trained model on the MNIST handwritten digit data set is above 99%. The attack method library Ω_attack is set to three common gradient attack algorithms: the Fast Gradient Sign Method (FGSM), the Basic Iterative Method (BIM) and the Momentum Iterative Method (MI-FGSM). With the target network F as the attack target, the attack algorithm is illustrated in Fig. 3 and its specific process in Fig. 4: one batch of standardized real samples and c_real are input to the gradient attack algorithm, and the attack samples obtained with F as the attack target are used as input to the discriminator D, together with the correct class information corresponding to the attack samples; the attack sample tensor has shape 64 × 1 × 28 × 28 and the class tensor has shape 64 × 1. The structure of the generator G is, in order: a fully connected layer, a first up-sampling residual block, a second up-sampling residual block, a first residual block, a second residual block, a convolutional layer and a Tanh activation layer; the specific construction of the generator network in this embodiment is shown in Fig. 5. The structure of the discriminator D is, in order: a first down-sampling residual block, a second down-sampling residual block, a third down-sampling residual block, a fourth down-sampling residual block, a ReLU layer and a fully connected layer; the specific construction of the discriminator network in this embodiment is shown in Fig. 6.
T3. The ratio of discriminator D iterations to generator G iterations is set to 2:1.
The loss functions for training the generator G are L_tf(G) and L_cls(G) (given as images in the original), combined as:
L(G) = L_cls(G) + L_tf(G)
The loss functions for training the discriminator D are its true/false judgement losses on the fake samples and on the attack samples, the classification loss L_cls(D), and the total loss L(D); all are given as images in the original.
T4. The parameters of the generator G and the discriminator D are updated with the Adam optimizer, with learning rate 0.0002, exponential decay rate 0.0 for Adam's first-moment estimate, exponential decay rate 0.9 for the second-moment estimate, and a total of Epoch = 10 training rounds over the training set.
T5. After training, the parameters of the discriminator D that give the highest recognition rate on the attack samples and on the real samples x_real at the same time are kept as the result model of this training. In this embodiment, after the training of the steps above and 10 rounds of training, Fig. 7 shows the classification prediction accuracy of the discriminator D on the attack samples and Fig. 8 its classification prediction accuracy on the real samples x_real. The results show that on the attack samples the accuracy is essentially 100% from an abscissa of 3k onwards, while on the real samples the accuracy first rises and then falls, reaching at most 96% at an abscissa of 3k to 5k; in this embodiment the parameters of the discriminator D saved in the abscissa interval 3k to 5k are therefore chosen as the final result network.
The positional relationships depicted in the drawings are for illustrative purposes only and are not to be construed as limiting the present patent;
It should be understood that the above embodiments of the present invention are merely examples given to illustrate the invention clearly and are not intended to limit its embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to list all embodiments exhaustively. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention falls within the protection scope of the claims of the present invention.

Claims (10)

1. An anti-attack defense training method based on a generative type countermeasure network is characterized by comprising the following steps:
s1, real sample image data xrealIs defined as crealAnd carrying out z-score standardization processing on the real sample image data;
s2, establishing a defense training framework, wherein the defense training framework comprises a generator, an attack algorithm library, a discriminator and a target network;
s3, generating random noise Z and generating random condition vector C based on defined real sample image datafake
S4, random noise Z and random condition vector C are combinedfakeA generator input into a defense training framework;
s5, standardizing the z-score to obtain real sample image data and the category c thereofrealInputting the output of the generator and the output of the attack algorithm library into a discriminator in a defense training frame;
s6, performing defense training on the defense training frame, and storing parameters of the trained defense training frame;
and S7, finishing training, abandoning the generator and the attack algorithm library, and reserving the discriminator.
2. The adversarial-attack defense training method based on a generative adversarial network as claimed in claim 1, wherein in step S1 the real sample image data x_real obeys a discrete normal distribution P_real, the total number of classes of the real sample image data is n_classes, and the formula for the z-score standardization of the real sample image data x_real is:
[formula image FDA0002375687080000011]
wherein [formula image FDA0002375687080000012] represents the real sample image data after z-score standardization, x_real represents the real sample image data before z-score standardization, mean represents the mean of the real sample image data, and std represents the variance of the real sample image data.
3. The adversarial-attack defense training method based on a generative adversarial network as claimed in claim 2, wherein the defense training framework of step S2 comprises a generator G, an attack algorithm library Ω_attack for generating attack samples, a discriminator D and a target network F; the generator G is an up-sampling convolutional neural network designed on the basis of one of the basic convolution units of the neural networks VGG, ResNet, GoogleNet and AlexNet; the algorithms in the attack algorithm library Ω_attack comprise gradient attack algorithms, namely one or any combination of the Fast Gradient Sign Method, the Iterative Least-Likely Class Method and the Basic Iterative Method; the discriminator D is a down-sampling convolutional neural network designed on the basis of one of the basic convolution units of the neural networks VGG, ResNet, GoogleNet and AlexNet; the target network F is composed of a convolutional neural network comprising one or any combination of VGG, ResNet, GoogleNet and AlexNet.
4. The method as claimed in claim 3, wherein the random noise Z in step S3 is randomly obtained from a discrete normal distribution P_z with mean 0 and standard deviation 1, and the random condition vector C_fake is randomly obtained from the integers uniformly distributed on P_c = [0, n_classes).
5. The adversarial-attack defense training method based on a generative adversarial network as claimed in claim 4, wherein step S6 trains the defense training framework as follows:
S601. Take the random noise Z and the random condition vector C_fake as the input of the generator G in the training framework, and generate a false sample image x_fake with the generator G;
S602. Input the z-score standardized real sample image data [formula image FDA0002375687080000021] and its class c_real into the attack algorithm library Ω_attack;
S603. With the target network F as the attack target, randomly select an attack algorithm from the attack algorithm library Ω_attack, attack the real sample image data [formula image FDA0002375687080000022], and output the attack samples [formula image FDA0002375687080000023] and their classes [formula image FDA0002375687080000024];
S604. Input the false sample image x_fake and the attack samples [formula image FDA0002375687080000025] together into the discriminator D, and obtain from the discriminator D the true/false determination loss L_tf(G) and the class loss L_cls(G) for the false sample image x_fake, the true/false determination loss [formula image FDA0002375687080000026], the true/false sample determination loss [formula image FDA0002375687080000028] for the attack samples [formula image FDA0002375687080000027], and the classification loss L_cls(D).
6. The adversarial-attack defense training method based on a generative adversarial network as claimed in claim 5, wherein the generator G and the discriminator D of the defense training framework are trained together for Epoch rounds, the generator G and the discriminator D being trained alternately:
1) Fix the parameters θ_D of the discriminator D and train the generator G, with the following steps:
Step one: randomly obtain M sample data from the discrete normal distribution P_z with mean 0 and standard deviation 1 to form the random noise Z; randomly obtain M sample data from the integers uniformly distributed on P_c = [0, n_classes) to form the random condition vector c_fake; pass the random noise Z and the random condition vector c_fake to the generator G to generate M false sample images x_fake;
Step two: pass the false sample images x_fake to the discriminator D to obtain the true/false determination loss L_tf(G) of the discriminator D for the false sample images x_fake:
[formula image FDA0002375687080000031]
and the classification prediction loss L_cls(G):
[formula image FDA0002375687080000032]
wherein the formulas represent the calculation functions of the loss values; [formula image FDA0002375687080000033] and [formula image FDA0002375687080000034] both denote taking the expected value; the subscript letters serve as identifiers and have no practical significance for the formula itself.
Step three: back-propagate and update the parameters θ_G of the generator G with an optimization function, the overall loss function L(G) being:
L(G) = L_cls(G) + L_tf(G)
wherein the optimization function for updating the parameters θ_G of the generator G is one of Adam, SGD, RMSProp and Momentum;
2) Fix the parameters θ_G of the generator G and train the discriminator D:
Step 1: randomly select M image data from the discrete normal distribution P_real to form the real sample images x_real, and input the z-score standardized real sample image data [formula image FDA0002375687080000035] and its class c_real into the attack algorithm library Ω_attack;
Step 2: using the attack algorithm library Ω_attack, with the target network F as the attack target, randomly select an attack algorithm from the attack algorithm library Ω_attack, attack the real sample image data [formula image FDA0002375687080000036], and output the attack samples [formula image FDA0002375687080000037] and their classes [formula image FDA0002375687080000038];
Step 3: input the false sample images x_fake and the attack samples [formula image FDA0002375687080000039] together into the discriminator D, and obtain from the discriminator D the true/false determination loss L_tf(G) and the class loss L_cls(G) for the false sample images x_fake, the true/false determination loss [formula image FDA00023756870800000310] [formula image FDA00023756870800000311], the true/false sample determination loss [formula image FDA00023756870800000313] for the attack samples [formula image FDA00023756870800000312], and the classification loss L_cls(D), i.e.
[formula image FDA00023756870800000314]
[formula image FDA00023756870800000315]
wherein the formulas represent the calculation functions of the loss values; [formula image FDA0002375687080000041] and [formula image FDA0002375687080000042] both denote taking the expected value; the subscript letters are used for identification and have no practical significance for the formula;
Step 4: randomly obtain M sample data from the discrete normal distribution P_z with mean 0 and standard deviation 1 to form the random noise Z; pass the random noise Z and the random condition vector c_fake to the generator G to generate M false sample images x_fake; pass the false sample images x_fake to the discriminator D to obtain the true/false determination loss
[formula image FDA0002375687080000043]
[formula image FDA0002375687080000044]
The total loss function is:
[formula image FDA0002375687080000045]
Step 5: back-propagate and update the parameters θ_D of the discriminator D with the optimization function; the optimization function is one of Adam, SGD, RMSProp and Momentum.
7. The method as claimed in claim 6, wherein the defense training framework is trained in batches, each batch being of size M, that is, M samples are input into the defense training framework for each training step, and the random noise Z, the random condition vector C_fake, the real sample image data [formula image FDA0002375687080000046] and its class c_real are all M in number; the attack algorithm is selected according to the following rules:
A. A random selector randomly selects an attack algorithm f_attack from the attack algorithm library Ω_attack;
B. With the target network F as the attack target, attack each sample of the real sample image data [formula image FDA0002375687080000047] and its class c_real in each training cycle, an attack algorithm f_attack being randomly selected from the attack algorithm library Ω_attack for each attack, and generate an attack sample [formula image FDA0002375687080000048];
C. Judge whether the attack on the target network F succeeded; if so, keep the attack sample, otherwise discard the attack sample;
D. Judge whether the number of attack samples [formula image FDA0002375687080000049] equals the batch size M; if so, output the attack samples, otherwise return to B and execute again.
8. The adversarial-attack defense training method based on a generative adversarial network as claimed in claim 7, wherein the criterion for determining that an attack on the target network F has failed is: the attack sample [formula image FDA00023756870800000410] is still recognized by the target network F as its correct class [formula image FDA00023756870800000411].
9. The adversarial-attack defense training method based on a generative adversarial network as claimed in claim 8, wherein training is judged complete by the following indexes: the classification prediction accuracy acc(x_real) of the discriminator D on the real sample images and, at the same time, its classification prediction accuracy [formula image FDA0002375687080000052] on the attack samples [formula image FDA0002375687080000051]; the parameters θ_D of the discriminator D of that round are stored.
10. The adversarial-attack defense training method based on a generative adversarial network as claimed in claim 9, wherein the calculation formula of the classification prediction accuracy [formula image FDA0002375687080000053] of the discriminator D on the real sample images is:
[formula image FDA0002375687080000054]
wherein [formula image FDA0002375687080000055] represents the number of real sample images, and n_acc represents the number of samples whose predicted class equals their true class;
the classification prediction accuracy [formula image FDA0002375687080000057] on the attack samples [formula image FDA0002375687080000056] is:
[formula image FDA0002375687080000058]
wherein [formula image FDA0002375687080000059] is the number of attack samples, and n_acc is the number of samples whose predicted class equals their true class.
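The attack-sample selection rule of claims 7 and 8 (keep a perturbed sample only when the target network F no longer outputs its true class, repeat until a batch of M is full) and the accuracy metrics of claim 10, as an added worked example that is not part of the patent. It assumes a hypothetical linear softmax classifier in place of the target network F, an attack library holding the Fast Gradient Sign Method and the Basic Iterative Method named in claim 3 with a constructed budget eps, and constructed two-class Gaussian data in place of the images.

```python
import numpy as np

def zscore(x):
    """Claims 1-2: per-feature z-score standardization of the real sample images."""
    return (x - x.mean(axis=0)) / x.std(axis=0)

class LinearTarget:
    """Hypothetical stand-in for the target network F: logits = x @ W + b."""
    def __init__(self, W, b):
        self.W, self.b = W, b

    def predict(self, x):
        return np.argmax(x @ self.W + self.b, axis=1)

    def input_grad(self, x, y):
        """Gradient of the cross-entropy loss w.r.t. the input (closed form for a linear model)."""
        z = x @ self.W + self.b
        p = np.exp(z - z.max(axis=1, keepdims=True))
        p /= p.sum(axis=1, keepdims=True)
        p[np.arange(len(y)), y] -= 1.0              # softmax - one_hot(y)
        return p @ self.W.T

def fgsm(F, x, y, eps):
    """Fast Gradient Sign Method: one signed-gradient step of size eps."""
    return x + eps * np.sign(F.input_grad(x, y))

def bim(F, x, y, eps, steps=4):
    """Basic Iterative Method: several small FGSM steps, each projected back into the eps-ball."""
    x_adv = x.copy()
    for _ in range(steps):
        x_adv = x_adv + (eps / steps) * np.sign(F.input_grad(x_adv, y))
        x_adv = np.clip(x_adv, x - eps, x + eps)
    return x_adv

def build_attack_batch(F, x_real, c_real, library, eps, M, rng, max_draws=10000):
    """Claims 7 and 8: draw a real sample and a random attack from the library, keep the
    result only if F no longer outputs the true class, stop once M samples are kept."""
    kept_x, kept_c, kept_i = [], [], []
    for _ in range(max_draws):
        i = int(rng.integers(len(x_real)))
        attack = library[rng.integers(len(library))]              # step A: random selector
        x_adv = attack(F, x_real[i:i + 1], c_real[i:i + 1], eps)  # step B: attack one sample
        if F.predict(x_adv)[0] != c_real[i]:                      # step C: success -> keep
            kept_x.append(x_adv[0]); kept_c.append(c_real[i]); kept_i.append(i)
        if len(kept_x) == M:                                      # step D: batch is full
            return np.stack(kept_x), np.array(kept_c), np.array(kept_i)
    raise RuntimeError("attack library could not fill a batch of successful attacks")

def accuracy(pred, labels):
    """Claim 10: acc = n_acc / n_samples."""
    return float(np.sum(pred == labels)) / len(labels)

def demo(M=8, eps=1.0, seed=0):
    """Run the selection rule on constructed data and report the claim-10 metrics."""
    rng = np.random.default_rng(seed)
    n = 200
    c_real = rng.integers(0, 2, size=n)                           # constructed labels
    x_real = rng.normal(0.0, 0.3, size=(n, 4))                    # constructed 4-feature "images"
    x_real[:, 0] += np.where(c_real == 0, -1.0, 1.0)              # two blobs separated on feature 0
    x_hat = zscore(x_real)
    W = np.zeros((4, 2)); W[0, 0], W[0, 1] = -1.0, 1.0            # F decides by the sign of feature 0
    F = LinearTarget(W, np.zeros(2))
    x_atk, c_atk, idx = build_attack_batch(F, x_hat, c_real, [fgsm, bim], eps, M, rng)
    probe = fgsm(F, np.array([[-0.5, 0.0, 0.0, 0.0]]), np.array([0]), eps)  # hand-checkable point
    return {
        "acc_real": accuracy(F.predict(x_hat), c_real),           # F on clean data: high
        "acc_attack": accuracy(F.predict(x_atk), c_atk),          # F on kept attacks: 0 by construction
        "batch_size": len(x_atk),
        "max_linf": float(np.max(np.abs(x_atk - x_hat[idx]))),    # perturbation never exceeds eps
        "probe_x0": float(probe[0, 0]),                           # -0.5 + eps * sign(grad) = 0.5
        "probe_pred": int(F.predict(probe)[0]),                   # pushed across the boundary to class 1
    }
```

Because only successful attacks are kept, the accuracy of F on the returned batch is always zero; the discriminator D of the patent is what is then trained to classify these samples correctly.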
CN202010064965.2A 2020-01-20 2020-01-20 Anti-attack defense training method based on generation of anti-network Active CN111310802B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010064965.2A CN111310802B (en) 2020-01-20 2020-01-20 Anti-attack defense training method based on generation of anti-network

Publications (2)

Publication Number Publication Date
CN111310802A true CN111310802A (en) 2020-06-19
CN111310802B CN111310802B (en) 2021-09-17

Family

ID=71146822

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010064965.2A Active CN111310802B (en) 2020-01-20 2020-01-20 Anti-attack defense training method based on generation of anti-network

Country Status (1)

Country Link
CN (1) CN111310802B (en)

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112134847A (en) * 2020-08-26 2020-12-25 郑州轻工业大学 Attack detection method based on user flow behavior baseline
CN112199543A (en) * 2020-10-14 2021-01-08 哈尔滨工程大学 Confrontation sample generation method based on image retrieval model
CN112330632A (en) * 2020-11-05 2021-02-05 绍兴聚量数据技术有限公司 Digital photo camera fingerprint attack detection method based on anti-generation network
CN112464230A (en) * 2020-11-16 2021-03-09 电子科技大学 Black box attack type defense system and method based on neural network intermediate layer regularization
CN112598032A (en) * 2020-12-11 2021-04-02 同济大学 Multi-task defense model construction method for anti-attack of infrared image
CN112766430A (en) * 2021-01-08 2021-05-07 广州紫为云科技有限公司 Method, device and storage medium for resisting attack based on black box universal face detection
CN112860932A (en) * 2021-02-19 2021-05-28 电子科技大学 Image retrieval method, device, equipment and storage medium for resisting malicious sample attack
CN113283599A (en) * 2021-06-11 2021-08-20 浙江工业大学 Anti-attack defense method based on neuron activation rate
CN113281998A (en) * 2021-04-21 2021-08-20 浙江工业大学 Multi-point FDI attack detection method for industrial information physical system based on generation countermeasure network
CN113283476A (en) * 2021-04-27 2021-08-20 广东工业大学 Internet of things network intrusion detection method
CN113395280A (en) * 2021-06-11 2021-09-14 成都为辰信息科技有限公司 Anti-confusion network intrusion detection method based on generation of countermeasure network
CN113487506A (en) * 2021-07-06 2021-10-08 杭州海康威视数字技术股份有限公司 Countermeasure sample defense method, device and system based on attention denoising
CN113505855A (en) * 2021-07-30 2021-10-15 中国科学院计算技术研究所 Training method for anti-attack model
CN113591771A (en) * 2021-08-10 2021-11-02 武汉中电智慧科技有限公司 Training method and device for multi-scene power distribution room object detection model
CN113971640A (en) * 2021-09-15 2022-01-25 浙江大学 Method for defending deep network interpretation algorithm against noise attack disturbance image
CN114241569A (en) * 2021-12-21 2022-03-25 中国电信股份有限公司 Face recognition attack sample generation method, model training method and related equipment
CN114724189A (en) * 2022-06-08 2022-07-08 南京信息工程大学 Method, system and application for training confrontation sample defense model for target recognition
CN114821602A (en) * 2022-06-28 2022-07-29 北京汉仪创新科技股份有限公司 Method, system, apparatus and medium for training an antagonistic neural network to generate a word stock
CN115296856A (en) * 2022-07-12 2022-11-04 四川大学 Encrypted traffic network threat detector evolution learning method based on ResNet-AIS
CN115481719A (en) * 2022-09-20 2022-12-16 宁波大学 Method for defending gradient-based attack countermeasure
CN117278305A (en) * 2023-10-13 2023-12-22 北方工业大学 Data sharing-oriented distributed GAN attack and defense method and system
CN117278305B (en) * 2023-10-13 2024-06-11 深圳市互联时空科技有限公司 Data sharing-oriented distributed GAN attack and defense method and system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108322349A (en) * 2018-02-11 2018-07-24 浙江工业大学 The deep learning antagonism attack defense method of network is generated based on confrontation type
CN108446765A (en) * 2018-02-11 2018-08-24 浙江工业大学 The multi-model composite defense method of sexual assault is fought towards deep learning
CN108537271A (en) * 2018-04-04 2018-09-14 重庆大学 A method of resisting sample is attacked based on convolution denoising self-editing ink recorder defence
CN108549940A (en) * 2018-03-05 2018-09-18 浙江大学 Intelligence defence algorithm based on a variety of confrontation sample attacks recommends method and system
CN109460814A (en) * 2018-09-28 2019-03-12 浙江工业大学 A kind of deep learning classification method for attacking resisting sample function with defence
CN110334806A (en) * 2019-05-29 2019-10-15 广东技术师范大学 A kind of confrontation sample generating method based on production confrontation network
CN110647918A (en) * 2019-08-26 2020-01-03 浙江工业大学 Mimicry defense method for resisting attack by deep learning model

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
XUANQING LIU 等: "Rob-GAN: Generator, Discriminator, and Adversarial Attacker", 《2019 IEEE/CVF CONFERENCE ON COMPUTER VISION AND PATTERN RECOGNITION (CVPR)》 *
孙曦音 等: "基于GAN的对抗样本生成研究", 《计算机应用与软件》 *

Also Published As

Publication number Publication date
CN111310802B (en) 2021-09-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant