CN111626437A - Adversarial sample detection method, device, equipment and computer-readable storage medium

Publication number: CN111626437A
Authority: CN (China)
Prior art keywords: sample, gradient, model, local, training result
Legal status: Pending
Application number: CN202010471250.9A
Other languages: Chinese (zh)
Inventors: 张天豫, 范力欣, 吴锦和
Current Assignee: WeBank Co Ltd
Original Assignee: WeBank Co Ltd
Application filed by WeBank Co Ltd
Priority to CN202010471250.9A
Publication of CN111626437A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/24: Classification techniques
    • G06F18/241: Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Abstract

The invention discloses an adversarial sample detection method, which comprises the following steps: a first participant obtains a sample to be detected; the sample to be detected is input into a main classifier in the adversarial sample detection model to obtain a main training result, and into a hash code classifier in the adversarial sample detection model to obtain a hash training result; and whether the sample to be detected is an adversarial sample is determined based on the main training result and the hash training result. The invention also discloses an adversarial sample detection device, equipment and a computer-readable storage medium. With this method, the sample to be detected can be detected directly by the adversarial sample detection model without being quantized, and training on the original data ensures the integrity of the training data; the accuracy of the adversarial model's training result can be ensured, and the accuracy and efficiency of adversarial sample detection are improved.

Description

Adversarial sample detection method, device, equipment and computer-readable storage medium
Technical Field
The invention relates to the technical field of federated learning, and in particular to an adversarial sample detection method, device, equipment and computer-readable storage medium.
Background
With the rapid development of artificial intelligence and deep learning, security problems in machine learning continue to emerge. Adversarial sample attacks are a relatively common form of attack in federated learning. An attacker who uses noise-added sample data (adversarial samples) to steer a model into making erroneous classifications can cause the machine to recognize wrong results, with serious consequences.
Currently, adversarial samples are often detected by quantizing the input data to filter out noise. However, quantization changes the input data, which often makes the training result inaccurate and in turn lowers the accuracy of the detection result.
The above is provided only to assist understanding of the technical solution of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The main purpose of the invention is to provide an adversarial sample detection method, device, equipment and computer-readable storage medium, aiming to solve the technical problem that existing models for detecting adversarial samples produce detection results of low accuracy.
In order to achieve the above object, the present invention provides an adversarial sample detection method, comprising the steps of:
a first participant obtains a sample to be detected;
inputting the sample to be detected into a main classifier in the adversarial sample detection model to obtain a main training result, and inputting the sample to be detected into a hash code classifier in the adversarial sample detection model to obtain a hash training result;
and determining whether the sample to be detected is an adversarial sample based on the main training result and the hash training result.
Further, the step of determining whether the sample to be detected is an adversarial sample based on the main training result and the hash training result includes:
determining whether the main training result matches the hash training result;
and if the main training result does not match the hash training result, determining that the sample to be detected is an adversarial sample.
Further, before the step of inputting the sample to be detected into the adversarial sample detection model to obtain the main training result corresponding to the main classifier and the hash training result corresponding to the hash code classifier, the adversarial sample detection method further includes:
labeling the sample data to obtain a public label vector and a local label vector;
determining a first public gradient based on the public label vector and a model to be trained, and determining a local gradient based on the local label vector and the model to be trained;
sending the first public gradient to a coordinator, so that the coordinator can determine and feed back a global gradient based on the first public gradient;
determining a target gradient based on the local gradient and the global gradient, and determining the adversarial sample detection model based on the local gradient, the target gradient and the model to be trained.
Further, the step of labeling the sample data to obtain a public label vector and a local label vector includes:
labeling the sample data based on one-hot encoding to obtain a public label vector;
and labeling the sample data based on random hash coding to obtain a local label vector.
Further, the step of determining a first public gradient based on the public label vector and the model to be trained, and determining a local gradient based on the local label vector and the model to be trained includes:
inputting the public label vector into the model to be trained for model training to obtain a public loss function value corresponding to the public label vector, and inputting the local label vector into the model to be trained for model training to obtain a local loss function value corresponding to the local label vector;
determining the first public gradient based on the public loss function value and determining the local gradient based on the local loss function value.
Further, the step of determining the adversarial sample detection model based on the local gradient, the target gradient and the model to be trained comprises:
updating model parameters in the model to be trained based on the target gradient to obtain a target main classifier, and updating model parameters in the model to be trained based on the local gradient to obtain a target hash code classifier;
determining the adversarial sample detection model based on the target main classifier and the target hash code classifier.
Further, the step of sending the first public gradient to a coordinator for the coordinator to determine and feed back a global gradient based on the first public gradient includes:
sending the first public gradient to a coordinator, wherein the coordinator obtains second public gradients sent by a plurality of second participants, determines a global gradient based on each second public gradient and the first public gradient, updates a global model of the coordinator based on the global gradient, and feeds the global gradient back to the first participant.
Further, to achieve the above object, the present invention provides an adversarial sample detection apparatus including:
the acquisition module is used for acquiring a sample to be detected;
the training module is used for inputting the sample to be detected into a main classifier in the adversarial sample detection model to obtain a main training result, and inputting the sample to be detected into a hash code classifier in the adversarial sample detection model to obtain a hash training result;
and the determining module is used for determining whether the sample to be detected is an adversarial sample based on the main training result and the hash training result.
Further, to achieve the above object, the present invention also provides an adversarial sample detection apparatus including: a memory, a processor, and an adversarial sample detection program stored on the memory and executable on the processor, the adversarial sample detection program, when executed by the processor, implementing the steps of the aforementioned adversarial sample detection method.
In addition, to achieve the above object, the present invention further provides a computer-readable storage medium having stored thereon an adversarial sample detection program which, when executed by a processor, implements the steps of the aforementioned adversarial sample detection method.
In the method, a first participant obtains a sample to be detected; the sample to be detected is input into a main classifier in the adversarial sample detection model to obtain a main training result and into a hash code classifier in the adversarial sample detection model to obtain a hash training result; and whether the sample to be detected is an adversarial sample is determined based on the main training result and the hash training result. The sample to be detected is detected directly by the adversarial sample detection model without being quantized, and training on the original data (the sample to be detected) ensures the integrity of the training data; the accuracy of the adversarial model's training result can be ensured, and the accuracy and efficiency of adversarial sample detection are improved. Meanwhile, adding a hash code classifier to the adversarial sample detection model strengthens the model's ability to discriminate attack samples; the dual verification by the main classifier and the hash code classifier improves the accuracy of adversarial sample detection.
Drawings
FIG. 1 is a schematic structural diagram of an adversarial sample detection device in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of the adversarial sample detection method according to a first embodiment of the present invention;
FIG. 3 is a schematic view of an embodiment of the adversarial sample detection method of the present invention;
FIG. 4 is a functional block diagram of an embodiment of the adversarial sample detection apparatus of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
FIG. 1 is a schematic structural diagram of an adversarial sample detection device in a hardware operating environment according to an embodiment of the present invention.
The adversarial sample detection device in the embodiment of the invention can be a PC, or a mobile terminal device with a display function, such as a smart phone, a tablet computer, an electronic book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a portable computer, etc.
As shown in FIG. 1, the adversarial sample detection device may include: a processor 1001 (such as a CPU), a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 enables communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Optionally, the adversarial sample detection device may further include a camera, RF (Radio Frequency) circuitry, sensors, audio circuitry, a WiFi module, and the like. The sensors may be, for example, light sensors, motion sensors and other sensors. Of course, the adversarial sample detection device may also be configured with other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, an infrared sensor, etc., which are not described in detail herein.
Those skilled in the art will appreciate that the configuration illustrated in FIG. 1 does not limit the adversarial sample detection device, which may include more or fewer components than those shown, combine some components, or use a different arrangement of components.
As shown in FIG. 1, the memory 1005, which is a kind of computer storage medium, may include an operating system, a network communication module, a user interface module, and an adversarial sample detection program.
In the adversarial sample detection device shown in FIG. 1, the network interface 1004 is mainly used for connecting to a background server and performing data communication with it; the user interface 1003 is mainly used for connecting to a client (user side) and performing data communication with it; and the processor 1001 may be used to invoke the adversarial sample detection program stored in the memory 1005.
In the present embodiment, the adversarial sample detection device includes: a memory 1005, a processor 1001 and an adversarial sample detection program stored in the memory 1005 and executable on the processor 1001, wherein the processor 1001 calls the adversarial sample detection program stored in the memory 1005 and executes the steps of the adversarial sample detection method in the following embodiments.
The invention also provides an adversarial sample detection method. Referring to FIG. 2, FIG. 2 is a schematic flow chart of the first embodiment of the adversarial sample detection method of the invention.
In this embodiment, the adversarial sample detection method includes:
Step S100, a first participant obtains a sample to be detected;
In this embodiment, the first participant is a participant in federated learning, that is, any one of all the participants in federated learning, and the sample to be detected is sample data that needs to be checked for being an adversarial sample.
Step S200, inputting the sample to be detected into a main classifier in the adversarial sample detection model to obtain a main training result, and inputting the sample to be detected into a hash code classifier in the adversarial sample detection model to obtain a hash training result;
It should be noted that the adversarial sample detection model is a detection model that has been trained through federated learning and includes a main classifier and a hash code classifier. Referring to FIG. 3, the one-hot code classifier in FIG. 3 is the main classifier of the adversarial sample detection model, and the hash code classifier is a random hash code classifier. The adversarial sample detection model has two different outputs: one is the output of the one-hot code classifier, obtained through federated training using the public label vector (one-hot code label), and the other is the output of the hash code classifier, obtained through training using the local label vector (local random code).
In this embodiment, when the sample to be detected is obtained, it is input to the main classifier in the adversarial sample detection model for training to obtain a main training result, and it is input to the hash code classifier in the adversarial sample detection model to obtain a hash training result.
Step S300, determining whether the sample to be detected is an adversarial sample based on the main training result and the hash training result.
In this embodiment, when the main training result and the hash training result are obtained, whether the sample to be detected is an adversarial sample is judged according to the two results, so that adversarial sample detection is realized.
Further, in an embodiment, step S300 includes:
step S310, determining whether the main training result matches the hash training result;
step S320, if the main training result does not match the hash training result, determining that the sample to be detected is an adversarial sample.
In this embodiment, when determining whether the sample to be detected is an adversarial sample according to the main training result and the hash training result, it may be determined whether the main training result matches the hash training result, for example, whether the hash training result is within a preset range corresponding to the second classification result, or whether the difference (absolute value) between the main training result and the hash training result is smaller than a preset difference, or whether the main training result and the hash training result are consistent.
Then, if the main training result does not match the hash training result, the sample to be detected is determined to be an adversarial sample; if the main training result matches the hash training result, the sample to be detected is judged to be a non-adversarial sample, namely a normal sample.
In the adversarial sample detection method provided by this embodiment, a first participant obtains a sample to be detected; the sample to be detected is input into a main classifier in the adversarial sample detection model to obtain a main training result and into a hash code classifier in the adversarial sample detection model to obtain a hash training result; and whether the sample to be detected is an adversarial sample is determined based on the main training result and the hash training result. The sample to be detected is detected directly by the adversarial sample detection model without being quantized, and training on the original data (the sample to be detected) ensures the integrity of the training data; the accuracy of the adversarial model's training result can be ensured, and the accuracy and efficiency of adversarial sample detection are improved. Meanwhile, adding a hash code classifier to the adversarial sample detection model strengthens the model's ability to discriminate attack samples; the dual verification by the main classifier and the hash code classifier improves the accuracy of adversarial sample detection.
Based on the first embodiment, a second embodiment of the adversarial sample detection method of the present invention is proposed. In this embodiment, before step S200, the adversarial sample detection method further includes:
step S400, labeling sample data to obtain a public label vector and a local label vector;
step S500, determining a first public gradient based on the public label vector and the model to be trained, and determining a local gradient based on the local label vector and the model to be trained;
step S600, sending the first public gradient to a coordinator, so that the coordinator can determine and feed back a global gradient based on the first public gradient;
step S700, determining a target gradient based on the local gradient and the global gradient, and determining the adversarial sample detection model based on the local gradient, the target gradient and the model to be trained.
In this embodiment, before a sample to be detected is detected by the adversarial sample detection model, the adversarial sample detection model needs to be trained. Sample data is therefore obtained and labeled to obtain a public label vector and a local label vector, where the public label vector is used for training the federated model (global model) and the local label vector is used for training the local model of the first participant.
Next, a first public gradient is determined based on the public label vector and the model to be trained, and a local gradient is determined based on the local label vector and the model to be trained. Specifically, the public label vector is input into the model to be trained for model training, and the first public gradient is obtained from the training result corresponding to the public label vector; the local label vector is input into the model to be trained for model training, and the local gradient is obtained from the training result corresponding to the local label vector.
Then, the first public gradient is sent to the coordinator, so that the coordinator determines and feeds back the global gradient based on the first public gradient.
When receiving the global gradient fed back by the coordinator, the first participant determines the target gradient based on the local gradient and the global gradient. Specifically, the first participant fuses the local gradient and the global gradient to obtain the target gradient. For example, the local gradient and the global gradient are added (vector addition) to obtain the target gradient; or the weight of the local gradient and the weight of the global gradient are obtained first, the local gradient is multiplied by its weight to obtain a first result, the global gradient is multiplied by its weight to obtain a second result, and the first result and the second result are added (vector addition) to obtain the target gradient. The adversarial sample detection model is then determined based on the target gradient, completing the training of the adversarial sample detection model.
The adversarial sample detection model trained in this embodiment does not need an additional constraint term added to the loss function of the phase neural network, which greatly reduces the complexity of model training and improves the training efficiency of the model.
Further, in an embodiment, the step S600 includes:
sending the first public gradient to a coordinator, wherein the coordinator obtains second public gradients sent by a plurality of second participants, determines a global gradient based on each second public gradient and the first public gradient, updates a global model of the coordinator based on the global gradient, and feeds the global gradient back to the first participant.
The coordinator receives the first public gradient sent by the first participant and obtains the second public gradients sent by a plurality of second participants, the second participants being all participants in federated learning other than the first participant. The global gradient is determined based on the second public gradients and the first public gradient; specifically, the second public gradients and the first public gradient are added (vector addition) to obtain the global gradient. The global gradient is fed back to the first participant; meanwhile, the coordinator feeds the global gradient back to the second participants and updates its global model based on the global gradient. Each second public gradient is a gradient obtained by inputting the public label vector of the corresponding second participant into the model to be trained for training; the public label vector of each second participant is obtained in a manner similar to that of the first participant in this embodiment, which is not described again here.
In the adversarial sample detection method of this embodiment, sample data is labeled to obtain a public label vector and a local label vector; a first public gradient is determined based on the public label vector and a model to be trained, and a local gradient is determined based on the local label vector and the model to be trained; the first public gradient is then sent to a coordinator, so that the coordinator can determine and feed back a global gradient based on the first public gradient; a target gradient is then determined based on the local gradient and the global gradient, and the adversarial sample detection model is determined based on the local gradient, the target gradient and the model to be trained. The adversarial sample detection model can thus be trained from the public label vector and the local label vector without adding an additional constraint term to the loss function of the phase neural network, which greatly reduces the complexity of model training and improves the training efficiency of the model. This also makes it possible to subsequently detect the sample to be detected directly with the adversarial sample detection model, without quantizing it, so that the accuracy of the adversarial sample training result can be ensured and the accuracy and efficiency of adversarial sample detection are improved. Meanwhile, adding a random hash code classifier to the adversarial sample detection model strengthens the model's ability to discriminate attack samples.
A third embodiment of the adversarial sample detection method of the invention is proposed based on the second embodiment. In this embodiment, the step S400 includes:
step S410, labeling the sample data based on the one-hot code to obtain a public label vector;
step S420, labeling the sample data based on the random hash code to obtain a local label vector.
In this embodiment, when the obtained sample data is labeled, the sample data is labeled based on a one-hot code to obtain a public label vector; specifically, the first participant and the other participants in federated learning all use a unified one-hot code to label their sample data. For example, for a 5-class dataset where the label of one class is the 5-dimensional vector (1, 0, 0, 0, 0), the labels of the other four classes cannot repeat it; the dimension of the public label vector depends on the categories of the classification problem.
Meanwhile, the sample data is labeled based on random hash coding to obtain a local label vector; the first participant and the other participants in federated learning each use random hash coding to label their sample data. For example, for a 5-class dataset where the label of one class is the 6-dimensional vector (1, 0, 1, 1, 0, 0), the labels of the other four classes cannot repeat it. It should be noted that the dimension of the random label is not limited by the total number of categories; the label dimension may be greater than or equal to the total number of categories. The random hash codes are local random hash codes, so the hash codes used by the participants are random and essentially differ from participant to participant, and consequently the local gradients generated by the participants also differ. It should be noted that the local random hash code may not be changed once it has been determined.
By labeling the sample data based on random hash codes, each class of data can be uniformly mapped to one hash code. For example, an image of an apple is mapped to the hash value (0, 1, 0, 1, 1, 0).
In the adversarial sample detection method of this embodiment, the sample data is labeled based on the one-hot code to obtain a public label vector, and then labeled based on random hash coding to obtain a local label vector. The public label vector and the local label vector can thus be obtained accurately, which makes it convenient to train the adversarial sample detection model from them without adding an additional constraint term to the loss function of the phase neural network, greatly reducing the complexity of model training and improving the training efficiency of the model.
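The labeling in steps S410/S420 and the match check in steps S310/S320 can be put together as follows. This is an added example, not code from the patent: the nearest-code (Hamming distance) decoding of the hash output, the 0.5 binarisation threshold, the `max_distance` tolerance, the use of an OS random source for the private codes, and all classifier outputs shown are assumptions or constructed values.

```python
import random


def one_hot_labels(num_classes):
    """S410: public label vectors, identical for every participant."""
    return [tuple(int(i == c) for i in range(num_classes))
            for c in range(num_classes)]


def random_hash_codebook(num_classes, code_len, rng=None):
    """S420: one distinct random binary code per class, private to a participant.

    The code length may exceed the number of classes but must not be below it,
    and no two classes may share a code. Assumption: the codes are drawn from
    the OS random source unless a seeded generator is passed in for testing.
    """
    if code_len < num_classes:
        raise ValueError("code length must be >= number of classes")
    rng = rng or random.SystemRandom()
    codebook = []
    while len(codebook) < num_classes:
        code = tuple(rng.getrandbits(1) for _ in range(code_len))
        if code not in codebook:  # labels of different classes cannot repeat
            codebook.append(code)
    return codebook


def hamming(a, b):
    """Number of positions in which two equal-length codes differ."""
    return sum(x != y for x, y in zip(a, b))


def decode_hash(hash_output, codebook, threshold=0.5):
    """Binarise the hash classifier output; return (class, distance) of the nearest code."""
    bits = tuple(int(v >= threshold) for v in hash_output)
    distances = [hamming(bits, code) for code in codebook]
    best = min(range(len(codebook)), key=distances.__getitem__)
    return best, distances[best]


def is_adversarial(main_output, hash_output, codebook, max_distance=1):
    """S310/S320: the sample is flagged when the two results do not match.

    Assumed notion of "match": both classifiers point to the same class and the
    hash output lies within max_distance bits of that class's code.
    """
    main_class = max(range(len(main_output)), key=main_output.__getitem__)
    hash_class, distance = decode_hash(hash_output, codebook)
    return main_class != hash_class or distance > max_distance


# Constructed 6-bit codebook for a 5-class problem (first two codes are the
# example vectors quoted in the text; the rest are made up for this example).
CODEBOOK = [(1, 0, 1, 1, 0, 0), (0, 1, 0, 1, 1, 0), (1, 1, 0, 0, 0, 1),
            (0, 0, 1, 0, 1, 1), (1, 1, 1, 0, 1, 0)]


def demo():
    """Constructed classifier outputs: a consistent sample and a mismatching one."""
    clean_main = [0.90, 0.03, 0.03, 0.02, 0.02]        # main classifier: class 0
    clean_hash = [0.95, 0.10, 0.80, 0.90, 0.20, 0.05]  # decodes to class 0
    pushed_main = [0.10, 0.80, 0.04, 0.03, 0.03]       # main classifier: class 1
    return (is_adversarial(clean_main, clean_hash, CODEBOOK),
            is_adversarial(pushed_main, clean_hash, CODEBOOK))


if __name__ == "__main__":
    print(one_hot_labels(5)[0], random_hash_codebook(5, 6)[0], demo())
```
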
A third embodiment of the adversarial sample detection method of the invention is proposed based on the first embodiment. In this embodiment, the step S500 includes:
step S510, inputting the public label vector into the model to be trained for model training to obtain a public loss function value corresponding to the public label vector, and inputting the local label vector into the model to be trained for model training to obtain a local loss function value corresponding to the local label vector;
step S520, determining the first public gradient based on the public loss function value, and determining the local gradient based on the local loss function value.
In this embodiment, when the public label vector and the local label vector are obtained, they are respectively input to the model to be trained for model training, so as to obtain a public loss function value corresponding to the public label vector and a local loss function value corresponding to the local label vector. The public loss function may be a mean squared error loss function or a cross-entropy loss function, and the local loss function may be a mean squared error loss function, a cross-entropy loss function or a polarization loss function. The first public gradient is then determined based on the public loss function value, and the local gradient is determined based on the local loss function value.
In the adversarial sample detection method provided in this embodiment, the public label vector is input into the model to be trained for model training to obtain a public loss function value corresponding to the public label vector, and the local label vector is input into the model to be trained for model training to obtain a local loss function value corresponding to the local label vector; the first public gradient is then determined based on the public loss function value, and the local gradient is determined based on the local loss function value. The first public gradient and the local gradient can thus be obtained accurately through model training, which further improves the efficiency of training the adversarial sample detection model.
Based on the second embodiment, a fourth embodiment of the adversarial sample detection method of the present invention is provided. In this embodiment, step S700 includes:
step S710, updating model parameters in the model to be trained based on the target gradient to obtain a target main classifier, and updating model parameters in the model to be trained based on the local gradient to obtain a target hash code classifier;
step S720, determining the adversarial sample detection model based on the target main classifier and the target hash code classifier.
In this embodiment, when the target gradient is obtained, the first participant updates the model parameters in the model to be trained according to the target gradient and takes the updated model as the target main classifier. It also updates the model parameters in the model to be trained based on the local gradient and takes the updated model as the target hash code classifier. The adversarial sample detection model is then determined from the two: the target main classifier serves as the main classifier in the adversarial sample detection model and the target hash code classifier serves as its hash code classifier, which yields the trained adversarial sample detection model.
It should be noted that, after the target main classifier and the target hash code classifier are obtained, it is first determined whether each of them has converged. If both have converged, the target main classifier and the target hash code classifier are used as the main classifier and the hash code classifier, respectively, in the adversarial sample detection model.
Specifically, a test loss function value can be obtained by inputting a test sample into the target main classifier. If the test loss function value is smaller than a preset value, the target main classifier is judged to have converged; if the test loss function value is greater than or equal to the preset value, the target main classifier is judged not to have converged. Convergence of the target hash code classifier is determined in a similar way and is not described again here. If the target main classifier has not converged and the target hash code classifier has not converged, the target main classifier or the target hash code classifier is used as the model to be trained and step S400 is executed again, until the new target main classifier and target hash code classifier converge, which completes the training of the adversarial sample detection model.
In the adversarial sample detection method provided in this embodiment, the model parameters in the model to be trained are updated based on the target gradient to obtain a target main classifier, and the model parameters in the model to be trained are updated based on the local gradient to obtain a target hash code classifier. The adversarial sample detection model is then determined based on the target main classifier and the target hash code classifier. Updating the model parameters in the model to be trained in this way improves the training efficiency of the adversarial sample detection model.
An embodiment of the present invention further provides an adversarial sample detection apparatus. Referring to fig. 4, the adversarial sample detection apparatus includes:
an obtaining module 100, configured to obtain a sample to be detected;
a training module 200, configured to input the sample to be detected into a main classifier in the adversarial sample detection model to obtain a main training result, and input the sample to be detected into a hash code classifier in the adversarial sample detection model to obtain a hash training result;
a determining module 300, configured to determine whether the sample to be detected is an adversarial sample based on the main training result and the hash training result.
Optionally, the determining module 300 is further configured to:
determining whether the main training result matches the hash training result;
and if the main training result does not match the hash training result, determining that the sample to be detected is an adversarial sample.
Optionally, the adversarial sample detection apparatus further comprises:
marking the sample data to obtain a public label vector and a local label vector;
determining a first common gradient based on the common label vector and a model to be trained, and determining a local gradient based on the local label vector and the model to be trained;
sending the first common gradient to a coordinator, so that the coordinator can determine and feed back a global gradient based on the first common gradient;
determining a target gradient based on the local gradient and the global gradient, and determining the adversarial sample detection model based on the local gradient, the target gradient and a model to be trained.
Optionally, the adversarial sample detection apparatus further comprises:
labeling the sample data based on the one-hot encoding to obtain a public label vector;
and labeling the sample data based on random hash coding to obtain a local label vector.
Optionally, the adversarial sample detection apparatus further comprises:
inputting the public label vector into a model to be trained for model training to obtain a public loss function value corresponding to the public label vector, and inputting the local label vector into the model to be trained for model training to obtain a local loss function value corresponding to the local label vector;
determining the first common gradient based on the common loss function values and determining the local gradient based on the local loss function values.
Optionally, the adversarial sample detection apparatus further comprises:
updating model parameters in the model to be trained based on the target gradient to obtain a target main classifier, and updating model parameters in the model to be trained based on the local gradient to obtain a target hash code classifier;
determining the adversarial sample detection model based on the target main classifier and the target hash code classifier.
Optionally, the adversarial sample detection apparatus further comprises:
and sending the first common gradient to a coordinator, wherein the coordinator obtains second common gradients sent by a plurality of second participants, determines a global gradient based on each second common gradient and the first common gradient, updates a global model of the coordinator based on the global gradient, and feeds the global gradient back to the first participant.
For the methods executed by the program modules, refer to the embodiments of the adversarial sample detection method of the present invention; they are not described again here.
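An added sketch (not code from the patent) of the labeling and mismatch rules listed above: one-hot public labels, a random binary codebook for the local labels, and the comparison of the main and hash results. How a "match" is computed is not spelled out here, so nearest-code decoding by Hamming distance, the zero threshold on hash scores, the `min_distance` spacing and all function names are assumptions.

```python
import random


def hamming(a, b):
    """Number of positions where two equal-length bit tuples differ."""
    return sum(x != y for x, y in zip(a, b))


def make_local_codebook(num_classes, code_bits, min_distance=1, seed=None):
    """One random binary code per class: the participant's local label vectors.

    min_distance is an assumption of this sketch: candidates closer than that
    to an accepted code are rejected so nearest-code decoding is unambiguous.
    """
    # A seed is for reproducible demos only; otherwise draw from the OS CSPRNG.
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    codebook, attempts = [], 0
    while len(codebook) < num_classes:
        attempts += 1
        if attempts > 10_000:
            raise ValueError("cannot place that many codes at this distance")
        cand = tuple(rng.randrange(2) for _ in range(code_bits))
        if all(hamming(cand, c) >= min_distance for c in codebook):
            codebook.append(cand)
    return codebook


def label_sample(label, codebook):
    """Return (public one-hot vector, local hash-code vector) for a class index."""
    public = [1 if i == label else 0 for i in range(len(codebook))]
    return public, list(codebook[label])


def decode_hash(hash_scores, codebook):
    """Map hash-classifier scores to the class with the nearest code.

    Assumes signed scores, one per bit, with a positive score meaning bit 1.
    """
    bits = tuple(1 if s > 0 else 0 for s in hash_scores)
    if len(bits) != len(codebook[0]):
        raise ValueError("hash output width does not match the codebook")
    return min(range(len(codebook)), key=lambda k: hamming(bits, codebook[k]))


def detect(main_scores, hash_scores, codebook):
    """Return (main_class, hash_class, is_adversarial) for one sample."""
    main_class = max(range(len(main_scores)), key=main_scores.__getitem__)
    hash_class = decode_hash(hash_scores, codebook)
    return main_class, hash_class, main_class != hash_class


if __name__ == "__main__":
    cb = make_local_codebook(num_classes=4, code_bits=16, min_distance=5, seed=7)
    # Constructed classifier outputs: the hash head still encodes class 2.
    hash_out = [1.0 if b else -1.0 for b in cb[2]]
    print(detect([0.1, 0.2, 3.0, 0.0], hash_out, cb))  # heads agree
    print(detect([4.0, 0.2, 3.0, 0.0], hash_out, cb))  # main head flipped to 0
```

With `min_distance=5`, a hash output with up to two flipped bits still decodes to the same class, so the flag is raised by a disagreement between the two results and not by small noise in the hash result.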
In addition, an embodiment of the present invention further provides a computer-readable storage medium in which an adversarial sample detection program is stored. When the adversarial sample detection program is executed by a processor, the steps of the adversarial sample detection method described above are implemented.
For the method implemented when the adversarial sample detection program is executed on the processor, refer to the embodiments of the adversarial sample detection method of the present invention; it is not described again here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. An adversarial sample detection method, comprising the steps of:
obtaining, by a first participant, a sample to be detected;
inputting the sample to be detected into a main classifier in the adversarial sample detection model to obtain a main training result, and inputting the sample to be detected into a hash code classifier in the adversarial sample detection model to obtain a hash training result;
and determining whether the sample to be detected is an adversarial sample based on the main training result and the hash training result.
2. The method of claim 1, wherein the step of determining whether the sample to be detected is an adversarial sample based on the main training result and the hash training result comprises:
determining whether the main training result matches the hash training result;
and if the main training result does not match the hash training result, determining that the sample to be detected is an adversarial sample.
3. The adversarial sample detection method of claim 1 or 2, wherein before the step of inputting the sample to be detected into the adversarial sample detection model to obtain the main training result corresponding to the main classifier and the hash training result corresponding to the hash code classifier, the adversarial sample detection method further comprises:
marking the sample data to obtain a public label vector and a local label vector;
determining a first common gradient based on the common label vector and a model to be trained, and determining a local gradient based on the local label vector and the model to be trained;
sending the first common gradient to a coordinator, so that the coordinator can determine and feed back a global gradient based on the first common gradient;
determining a target gradient based on the local gradient and the global gradient, and determining the adversarial sample detection model based on the local gradient, the target gradient and a model to be trained.
4. The method of claim 3, wherein the step of labeling the sample data to obtain a public label vector and a local label vector comprises:
labeling the sample data based on the one-hot encoding to obtain a public label vector;
and labeling the sample data based on random hash coding to obtain a local label vector.
5. The method of claim 3, wherein the step of determining a first common gradient based on the common label vector and the model to be trained, and determining a local gradient based on the local label vector and the model to be trained comprises:
inputting the public label vector into a model to be trained for model training to obtain a public loss function value corresponding to the public label vector, and inputting the local label vector into the model to be trained for model training to obtain a local loss function value corresponding to the local label vector;
determining the first common gradient based on the common loss function values and determining the local gradient based on the local loss function values.
6. The method of claim 5, wherein the step of determining the adversarial sample detection model based on the local gradient, the target gradient, and a model to be trained comprises:
updating model parameters in the model to be trained based on the target gradient to obtain a target main classifier, and updating model parameters in the model to be trained based on the local gradient to obtain a target hash code classifier;
determining the adversarial sample detection model based on the target main classifier and the target hash code classifier.
7. The adversarial sample detection method of claim 3, wherein said step of sending said first common gradient to a coordinator for said coordinator to determine and feed back a global gradient based on said first common gradient comprises:
and sending the first common gradient to a coordinator, wherein the coordinator obtains second common gradients sent by a plurality of second participants, determines a global gradient based on each second common gradient and the first common gradient, updates a global model of the coordinator based on the global gradient, and feeds the global gradient back to the first participant.
8. An adversarial sample detection apparatus, comprising:
the acquisition module is used for acquiring a sample to be detected;
the training module is used for inputting the sample to be detected into a main classifier in the adversarial sample detection model to obtain a main training result, and inputting the sample to be detected into a hash code classifier in the adversarial sample detection model to obtain a hash training result;
and the determining module is used for determining whether the sample to be detected is an adversarial sample based on the main training result and the hash training result.
9. An adversarial sample detection device, comprising: a memory, a processor, and an adversarial sample detection program stored on the memory and executable on the processor, the adversarial sample detection program when executed by the processor implementing the steps of the adversarial sample detection method of any of claims 1 to 7.
10. A computer-readable storage medium having stored thereon an adversarial sample detection program which, when executed by a processor, implements the steps of the adversarial sample detection method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010471250.9A CN111626437A (en) 2020-05-28 2020-05-28 Confrontation sample detection method, device and equipment and computer scale storage medium

Publications (1)

Publication Number Publication Date
CN111626437A true CN111626437A (en) 2020-09-04

Family

ID=72260854

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010471250.9A Pending CN111626437A (en) 2020-05-28 2020-05-28 Confrontation sample detection method, device and equipment and computer scale storage medium

Country Status (1)

Country Link
CN (1) CN111626437A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112017669A (en) * 2020-11-02 2020-12-01 鹏城实验室 Voice countercheck sample detection method and device, terminal equipment and storage medium
CN112017669B (en) * 2020-11-02 2021-02-23 鹏城实验室 Voice countercheck sample detection method and device, terminal equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination