CN111709515B - Method for resisting attack deep neural network based on frequency band - Google Patents
Method for resisting attack deep neural network based on frequency band Download PDFInfo
- Publication number
- CN111709515B CN111709515B CN202010477168.7A CN202010477168A CN111709515B CN 111709515 B CN111709515 B CN 111709515B CN 202010477168 A CN202010477168 A CN 202010477168A CN 111709515 B CN111709515 B CN 111709515B
- Authority
- CN
- China
- Prior art keywords
- frequency band
- interference
- neural network
- deep neural
- distribution
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Molecular Biology (AREA)
- Computing Systems (AREA)
- Biophysics (AREA)
- Biomedical Technology (AREA)
- Mathematical Physics (AREA)
- Computational Linguistics (AREA)
- Health & Medical Sciences (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Bioinformatics & Computational Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Evolutionary Biology (AREA)
- Investigating Or Analysing Materials By Optical Means (AREA)
Abstract
The invention discloses a method for resisting attack deep neural network based on frequency bands, which comprises the steps of firstly obtaining frequency band space, wherein the frequency band space comprises frequency band resisting interference in N directions, and the frequency band resisting interference in each direction comprises frequency band resisting interference distribution of M wavelengths; each frequency band anti-interference distribution is a waveform containing alternating activation and suppression, and gradient signals are filled between wave crests and wave troughs of the waveform; respectively adding the frequency band anti-interference distribution and the original image to obtain an anti-attack sample, inputting the anti-attack sample into the attacked deep neural network, taking the anti-attack sample corresponding to the minimum value of the predicted result score as an optimal anti-attack sample, and attacking the attacked deep neural network; the invention adopts the waveform containing the alternation of activation and inhibition as the anti-interference distribution, effectively improves the sensitivity of the network to the anti-attack sample, and the anti-attack sample can be easily detected by the deep neural network to mix the original signal, so that the deep neural network predicts the wrong result.
Description
Technical Field
The invention belongs to the technical field of computer vision, and particularly relates to a frequency band-based method for resisting attack on a deep neural network.
Background
With the development of deep neural networks, the recognition tasks such as classification, segmentation and skeleton detection in computer vision are greatly improved. Deep neural networks perform well in visual recognition tasks, however, performance is greatly reduced when generalized to other distributed data. The generalization of the deep neural network is very critical in the practical application, and if the generalization of the deep neural network is poor, the deep neural network can cause great errors in practical use to cause serious loss. Therefore, before the application of deep neural networks, the generalization capability needs to be clearly studied.
The method is characterized in that the anti-attack is an important method for detecting the generalization and the safety of the deep neural network, and the generalization capability of the deep neural network is detected by generating the deep neural network which is trained by resisting sample attack; wherein, fighting against the sample means adding a slight disturbance on the original image, making it difficult for a person to perceive the difference.
The existing attack resisting methods mainly comprise the following methods: 1) changing the value of the pixel through the gradient or approximate gradient information of the deep neural network to force the deep neural network to be far away from the original prediction result; 2) forcing the deep neural network to activate the non-target region by changing the position of the pixel value; 3) activating the non-target area by changing the original saliency map; 4) adopting increment of interference variable to bring the generated confrontation sample out of the classification boundary; 5) and generating a targeted countermeasure sample by adopting a generating network to attack.
The above method has the following disadvantages:
1) the generalization vulnerability of the deep neural network comes from the unexplainable property of the network, however, the countermeasure sample generated by the existing countermeasure attack method still utilizes the property of the network and also has the unexplainable property; 2) the interference distribution structure of the confrontation sample is an unexplained distribution structure; 3) the countermeasure sample can effectively attack the target network, but at the same time, the countermeasure sample itself is easy to attack; when the scale of the countermeasure sample is changed or the network under attack carries out countermeasure training on the countermeasure sample, the attack capability is also greatly reduced; due to the problems, the interference resisting rule generated by the existing attack resisting method is still difficult to explain.
Disclosure of Invention
Aiming at the technical problems in the prior art, the invention provides a frequency band-based method for resisting and attacking a deep neural network, so as to solve the technical problem that the interference resisting rule generated by the existing method for resisting and attacking is still difficult to explain.
In order to achieve the purpose, the invention adopts the technical scheme that:
the invention provides a method for resisting attack deep neural network based on frequency band, which comprises the following steps:
step 1, obtaining a frequency band space; the frequency band space comprises N directions of frequency band counter-interference, and the frequency band counter-interference of each direction comprises M wavelengths of frequency band counter-interference distribution; each frequency band anti-interference distribution is a waveform containing alternating activation and suppression, and the wave crest and the wave trough of each frequency band anti-interference distribution are filled with gradient signals;
step 2, adding the acquired frequency band counterattack interference distribution in the frequency band space and the original image to obtain P counterattack samples;
step 3, inputting the P counterattack samples into the attacked deep neural network respectively to obtain P prediction result scores;
step 4, selecting the minimum value of the P predicted result scores, and taking the counterattack sample corresponding to the minimum value of the predicted result scores as the optimal counterattack sample;
and 5, attacking the attacked deep neural network by adopting the optimal countervailing sample in the step 4, so as to achieve the purpose of destroying the prediction result of the attacked deep neural network.
Further, in step 1, the alternating activation and suppression waveforms are positive and negative, wherein each peak is filled with 1 and each valley is filled with-1.
Further, in step 1, when obtaining the frequency band space, the method specifically includes the following steps:
step 11, setting the interference resistance intensity; determining the number N of the directions of the frequency band interference according to the set interference resistance strength, and determining the wavelength number M of the frequency band interference resistance distribution in the frequency band interference resistance of each direction;
step 12, utilizing the frequency band anti-interference distribution of a certain wavelength, calculating the corresponding frequency band anti-interference in the horizontal direction, and rotating the frequency band anti-interference in the horizontal direction in a plane to obtain the frequency band anti-interference in the N directions corresponding to the frequency band anti-interference distribution of the wavelength;
step 13, repeating step 12, and respectively obtaining the frequency band anti-interference in the N directions corresponding to the frequency band anti-interference distribution of the other wavelengths;
and 14, multiplying the frequency band interference resistance of the M wavelengths in the N directions by the set interference intensity to obtain the frequency band space.
Further, in step 11, the set interference intensity is limited by the L ∞ norm eps.
Further, in step 12, when the frequency band interference rejection distribution of a certain wavelength is used to calculate the frequency band interference rejection in the corresponding horizontal direction, specifically:
firstly, initializing the frequency band anti-interference distribution of the wavelength into an interference image of all 1;
secondly, performing complementation operation on the wavelength according to the line coordinate of the interference image; and acquiring the line number less than half the wavelength, and assigning the pixel values of the line numbers corresponding to the line number as-1 to obtain the frequency band anti-interference in the horizontal direction of the wavelength.
Further, the size of the interference image is identical to the size of the original image.
Further, in step 12, the frequency band interference in the horizontal direction is rotated in the X-Y plane of the cartesian coordinate system, so as to obtain N directional frequency band interference distributions corresponding to the frequency band interference in the wavelength, where directional intervals of the frequency band interference in the N directions are: {0, π/N, (N-1) π/N }.
Further, in step 2, the number P of attack-resistant samples is N × M.
Furthermore, the number of directions of the frequency band interference rejection is 8, and the number of wavelengths of the distribution of the frequency band interference rejection in each direction is 5.
Compared with the prior art, the invention has the beneficial effects that:
the invention provides a method for resisting attack deep neural network based on frequency band, which adopts a waveform containing alternating activation and inhibition as resisting interference distribution, and gradient signals are filled in the wave crest and the wave trough of the waveform, so that the sensitivity of the deep neural network to resisting attack samples is effectively improved; the anti-attack sample can be easily detected by the deep neural network, and the original image signal is mixed up, so that the deep neural network predicts an error result; according to the function of the shallow directional filter of the deep neural network, the deep neural network is sensitive to edges with gradients, the edges in all directions can be detected, the filter of the deep neural network in the shallow direction is sensitive to the anti-interference distribution of an input frequency band, and the detection efficiency is high; meanwhile, through each layer of network of the deep neural network, the effect of the frequency band on resisting interference distribution interference is amplified continuously, so that the final result of output prediction is destroyed; the frequency band immunity distribution has interpretable results, and the frequency band immunity distribution can be analyzed and explained for effective attack on the network in principle.
Furthermore, the waveforms for activating and suppressing alternation adopt positive and negative alternation waveforms, the value of the initially generated counterattack is +/-1, when the interference intensity is a given value, the interference intensity is ensured to be small, the change of the image is not easy to be perceived by people, and meanwhile, different counterattack methods are conveniently and fairly compared.
Furthermore, the frequency band interference in the horizontal direction is rotated in a plane to obtain the frequency band interference in the N directions corresponding to the frequency band interference distribution, and the operation process is simple; the frequency band space is obtained by multiplying the frequency band interference resistance in all directions of all wavelengths by the interference intensity, the obtaining process is interpretable, and the resistance sample generated by using the frequency band space is interpretable.
Furthermore, the set interference intensity is limited by the L infinity norm eps, and the magnitude of the interference intensity cannot exceed the given eps range, so that the anti-interference in the eps constraint can be transmitted to the output layer of the deep neural network, and the purpose of changing the prediction result is realized; the existing deep neural network is attacked at the same interference strength, so that fair comparison is realized.
Furthermore, the frequency band counter interference in the horizontal direction is calculated through the frequency band counter interference distribution of a certain wavelength, so that the counter interference convenience is generated, and meanwhile, the counter interference in other directions can be directly generated through rotating the counter interference in the horizontal direction.
According to the method for resisting the attack deep neural network based on the frequency band, in the process of obtaining the resisting attack sample, the attack sample can be obtained only by inputting and outputting a data pair, the structure and the weight parameter of the attacked network do not need to be known, and the method is a black box attack method and is high in use efficiency and high in processing speed; the processing method is simple and easy to realize, and can realize strong black box attack effect on the attacked network; the invention adopts a regular and interpretable anti-interference generation method to obtain an anti-attack sample, and makes the prediction result of the deep neural network make mistakes as much as possible when the deep neural network is attacked by the anti-attack sample; the anti-attack method based on the frequency band is a regular and interpretable anti-interference generation method, so that the reason for effectively attacking the network can be analyzed and explained in principle.
Drawings
FIG. 1 is a schematic flow chart of a method for countering attacks according to the present invention;
FIG. 2 is a schematic diagram of the working principle of the attack countermeasure method according to the present invention;
FIG. 3 is a schematic diagram of the structure of the frequency band against interference in the embodiment;
FIG. 4 is an example of an original image and its corresponding confrontation sample image.
Detailed Description
In order to make the technical problems, technical solutions and advantageous effects of the present invention more apparent, the following embodiments further describe the present invention in detail. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in the attached figure 1, the invention provides a method for resisting attack deep neural network based on frequency band, which comprises the following steps:
step 1, obtaining a frequency band space; the frequency band space comprises N directions of frequency band counter-interference, and the frequency band counter-interference of each direction comprises M wavelengths of frequency band counter-interference distribution;
the method specifically comprises the following steps of when the frequency band space is obtained:
step 11, setting the interference resistance strength, determining the direction number N of the interference resistance of the frequency band according to the set interference resistance strength, and determining the wavelength number M of the distribution of the interference resistance of the frequency band in each direction; wherein the set interference rejection strength is limited by the L infinity norm eps;
each frequency band in the frequency band space resists the interference distribution and contains the wave form of activation and inhibition alternation, and the wave crest and the wave trough are filled with gradient signals; because a shallow directional filter of the deep neural network is highly sensitive to the edge with obvious gradient signals, edge signals in all directions can be monitored; the invention adopts a waveform containing alternating activation and inhibition, and gradient signals are filled between the wave crest and the wave trough of the waveform; the shallow directional filter of the deep neural network is very sensitive to the anti-interference distribution of the frequency input to the deep neural network to be attacked, and can be easily detected by the deep neural network to be attacked to confuse the original image signal, so that the deep neural network to be attacked obtains an incorrect prediction result.
Preferably, the alternating activation and deactivation waveforms of the present invention are alternating positive and negative waveforms, wherein each peak is filled with 1 and each valley is filled with-1.
Each frequency band opposes the interference distribution, including three factors: wavelength, direction and amplitude; the amplitude determines the strength against interference.
Step 12, utilizing the frequency band interference-resistant distribution of a certain wavelength to calculate the corresponding frequency band interference-resistant distribution in the horizontal direction, and rotating the frequency band interference-resistant distribution in the horizontal direction in the X-Y plane of a Cartesian coordinate system to obtain the frequency band interference-resistant distribution in the N directions corresponding to the frequency band interference-resistant distribution of the wavelength; the frequency bands in the N directions have the following directional intervals for resisting interference: {0, π/N, (N-1) π/N };
when the frequency band interference rejection distribution of a certain wavelength is used to calculate the frequency band interference rejection in the horizontal direction, the method specifically includes: firstly, initializing the frequency band anti-interference distribution of the wavelength into an interference image of all 1, wherein the size of the interference image is consistent with that of the original image; and secondly, performing complementation operation on the wavelength according to the line coordinates of the interference image to obtain the line number less than half the wavelength, and assigning all the line numbers corresponding to the line number to be-1 to obtain the frequency band anti-interference in the horizontal direction of the wavelength.
Step 13, repeating step 12, respectively obtaining frequency counterinterference in N directions corresponding to the counterinterference distribution of the frequency bands of the rest M-1 wavelengths, and obtaining frequency counterinterference in N directions of M wavelengths;
and 14, multiplying the frequency counterinterference of the M wavelengths in the N directions by the set interference intensity to obtain the frequency band space.
Step 2, respectively adding the frequency band counterattack interference distribution in the frequency band space and the original image to obtain P counterattack samples; wherein, the number P of the anti-attack samples is N M;
step 3, inputting the P counterattack samples into the attacked deep neural network respectively to obtain P prediction result scores;
step 4, selecting the minimum value of the P prediction result scores, and taking the counterattack sample corresponding to the frequency band counterattack interference distribution corresponding to the minimum value of the prediction result scores as the optimal counterattack sample; the wavelength of the corresponding frequency band countermeasure distribution of the minimum value of the prediction result score is the optimal wavelength, and the direction of the optimal wavelength is the optimal direction.
And 5, attacking the attacked deep network by adopting the optimal countervailing sample in the step 4, and achieving the purpose of damaging the prediction result of the attacked deep neural network.
Principle of operation
The invention provides a method for resisting attack on a deep neural network based on a frequency band, wherein a shallow directional filter of the deep neural network is highly sensitive to edges with obvious gradient signals, and edge signals in all directions can be detected; the invention adopts regular waveforms containing activation and inhibition alternation as frequency band interference-resisting distribution, and each peak and each trough is filled with gradient signals, thereby ensuring higher sensitivity of a shallow filter of the deep neural network to the input frequency band interference-resisting distribution, ensuring that the deep neural network can easily detect the input frequency band interference-resisting distribution, and confusing an original image signal, thereby leading the network to predict an error structure; through each layer of the deep neural network, the interference effect of the frequency band on the interference distribution can be continuously amplified, so that the final result of the output prediction is destroyed; since the regular frequency band immunity distribution can be explained, the frequency band immunity distribution can analyze and explain the reason of attacking the network effectively; as shown in fig. 2, the first column in fig. 2 is a correct human skeleton result predicted by the attack depth neural network of the original image, the second column is frequency band anti-interference distribution and frequency band anti-interference distribution amplified by the depth neural network, and the third column is an anti-sample obtained by adding the original image and the frequency band anti-interference distribution and a prediction structure obtained by the attack of the anti-sample on the depth neural network; as can be seen from the attached figure 2, the prediction result of the attacked deep neural network cannot display the human skeleton result, so that the aim of resisting the attack to the deep neural network is achieved, and the actual effect of the attack method is verified.
Examples
The embodiment provides a method for resisting attack deep neural network based on frequency band, which comprises the following steps:
step 1, setting interference resistance intensity, wherein the interference resistance intensity is limited by an L infinity norm eps; when the anti-interference strength is limited by the L infinity norm eps, the anti-interference strength is not easy to be perceived by people; under the same interference intensity, when the deep neural network is attacked, fair comparison is realized; determining the number N of the directions of the frequency bands and the number M of the wavelengths of the frequency bands according to the set interference resistance strength; in this embodiment, N is 8, and M is 5; half-wavelength {1, 2, 3, 4, 5 };
step 2, for the frequency band anti-interference distribution of a certain wavelength, calculating the frequency band anti-interference in the horizontal direction; specifically, firstly, the frequency band countermeasure distribution in the horizontal direction is initialized to be an interference image with the size of 1, the size of the interference image is consistent with that of the original image, secondly, the wavelength is subjected to complementation operation according to the line coordinates of the interference image, the line number smaller than half wavelength is obtained, the pixel value of the line number smaller than half wavelength is assigned to be 1, and the frequency band countermeasure distribution in the horizontal direction of the wavelength is obtained;
step 3, rotating the horizontal frequency band interference rejection in the step 2 in a cartesian coordinate system X-Y plane to obtain 8 directions of frequency band interference rejection corresponding to the frequency band interference rejection distribution of a certain wavelength, wherein the direction intervals of the 8 directions of frequency band interference rejection are as follows: {0, π/8,.., 7 π/8 };
step 4, repeating steps 2 and 3, respectively obtaining frequency band anti-interference of 8 directions corresponding to the frequency band anti-interference distribution of the rest 4 wavelengths, and obtaining frequency band anti-interference of 5 wavelengths in 8 directions, as shown in fig. 3;
step 5, multiplying the frequency band counterinterference of 5 wavelengths in 8 directions by the set interference intensity to obtain a frequency band space;
step 6, adding the frequency band countermeasure interference distribution in the frequency band space and the original image to obtain the countermeasure sample; wherein, the number P of the anti-attack samples is N M;
step 7, inputting the P counterattack samples into the attacked deep neural network respectively to obtain P prediction result scores;
step 8, selecting the minimum value of the P prediction result scores, and taking the counterattack sample corresponding to the frequency band counterattack interference distribution corresponding to the minimum value of the prediction result scores as the optimal counterattack sample; the wavelength of the corresponding frequency band countermeasure distribution of the minimum value of the prediction result score is the optimal wavelength, and the direction of the optimal wavelength is the optimal direction.
And 9, attacking the attacked deep network by adopting the optimal countervailing sample in the step 8, and achieving the purpose of damaging the prediction result of the attacked deep neural network.
When the method for resisting and attacking the deep neural network based on the frequency band is used for attacking the deep neural network, wherein the original image and the prediction output result are shown in the attached figure 4, after the original image and the frequency band are added to resist and attack interference, when the deep neural network is attacked, the attacked deep neural network predicts an error result.
The invention relates to a method for resisting attack deep neural network based on frequency band, which comprises N directional frequency band interferences and M wavelength frequency band interference distribution selection principles contained in a frequency band space; the direction interval of the N directions is {0, pi/N,. and (N-1) pi/N }; n is usually 8, so that a directional interval {0, pi/8,. 7 pi/8 } can be obtained.
The short wavelength frequency band is better for the wavelength to combat the interference distribution because the interference is restricted to a given norm so as to be imperceptible to human beings, so the intensity of the added interference is limited, the frequency band combat interference distribution is performed under the constraint of L-infinity norm eps, and the intensity of the interference cannot exceed the range of the given eps.
Therefore, the countermeasure interference within the eps constraint is propagated to the final output layer of the deep neural network, and the network layer passing through the deep neural network needs to be continuously amplified to be effective when the prediction result is changed; if the wavelength of the anti-interference distribution of the frequency band is large, the gradient information between the wave crest and the wave trough can be detected only by a large receptive field in the convolutional neural network; can only be detected when the signal is transmitted to the deep layer of the convolutional neural network; therefore, the number of layers of the larger wavelength frequency band for which the anti-interference distribution is amplified by the network is smaller, and therefore the influence of finally changing the output layer is smaller; in the invention, the number of the wavelengths of the anti-interference distribution of the frequency band can be 5, and in order to ensure that the width of a half wavelength, namely a single peak or a trough, is an integer, the half wavelength interval is {1, 2, 3, 4, 5} and the wavelength interval is {2, 4, 6, 8, 10 }.
The above-described embodiment is only one of the embodiments that can implement the technical solution of the present invention, and the scope of the present invention is not limited by the embodiment, but includes any variations, substitutions and other embodiments that can be easily conceived by those skilled in the art within the technical scope of the present invention disclosed.
Claims (8)
1. A method for resisting attack on a deep neural network based on frequency bands, which is characterized by comprising the following steps:
step 1, obtaining a frequency band space; the frequency band space comprises N directions of frequency band counter-interference, and the frequency band counter-interference of each direction comprises M wavelengths of frequency band counter-interference distribution; each frequency band anti-interference distribution is a waveform comprising activation and suppression alternation, and the wave crest and the wave trough of the waveform are filled with gradient signals;
step 2, adding the acquired frequency band counterattack interference distribution in the frequency band space and the original image to obtain P counterattack samples;
step 3, inputting P counterattack samples into the attacked deep neural network respectively to obtain P prediction result scores;
step 4, selecting the minimum value of the P predicted result scores, and taking the counterattack sample corresponding to the minimum value of the predicted result scores as the optimal counterattack sample;
step 5, attacking the attacked deep neural network by adopting the optimal countervailing sample in the step 4 to achieve the purpose of destroying the prediction result of the attacked deep neural network;
in step 1, when obtaining the frequency band space, the method specifically comprises the following steps:
step 11, setting the interference resistance intensity; determining the number N of the directions of the frequency band interference according to the set interference resistance strength, and determining the wavelength number M of the frequency band interference resistance distribution in the frequency band interference resistance of each direction;
step 12, utilizing the frequency band anti-interference distribution of a certain wavelength, calculating the corresponding frequency band anti-interference in the horizontal direction, and rotating the frequency band anti-interference in the horizontal direction in a plane to obtain the frequency band anti-interference in the N directions corresponding to the frequency band anti-interference distribution of the wavelength;
step 13, repeating step 12, and respectively obtaining the frequency band anti-interference in the N directions corresponding to the frequency band anti-interference distribution of the other wavelengths;
and 14, multiplying the frequency band interference resistance of the M wavelengths in the N directions by the set interference intensity to obtain the frequency band space.
2. The method for resisting attack on the deep neural network based on the frequency band as claimed in claim 1, wherein in step 1, the alternating activation and suppression waveforms are positive and negative alternating waveforms, wherein each peak is filled with 1 and each valley is filled with-1.
3. The method of claim 1, wherein the interference strength is limited by L ∞ norm eps in step 11.
4. The method for resisting attack on deep neural network based on frequency band as claimed in claim 2, wherein in step 12, when the frequency band anti-interference distribution of a certain wavelength is used to calculate the corresponding frequency band anti-interference in the horizontal direction, specifically:
firstly, initializing the frequency band anti-interference distribution of the wavelength into an interference image of all 1;
secondly, performing complementation operation on the wavelength according to the line coordinate of the interference image; and acquiring the line number less than half the wavelength, and assigning the pixel values of the line numbers corresponding to the line number as-1 to obtain the frequency band anti-interference in the horizontal direction of the wavelength.
5. The method for resisting the attack on the deep neural network based on the frequency bands is characterized in that the size of the interference image is consistent with that of the original image.
6. The method as claimed in claim 4, wherein in step 12, the horizontal frequency band interference rejection is rotated in the cartesian coordinate system X-Y plane to obtain N frequency band interference rejection at the wavelength, wherein the N frequency band interference rejection at the wavelength has a direction interval: {0, π/N, (N-1) π/N }.
7. The method for resisting attack on deep neural network based on frequency band as claimed in claim 1, wherein in step 2, the number P of samples of resisting attack is N × M.
8. The method for resisting the attack on the deep neural network based on the frequency bands is characterized in that the number of the directions of the frequency band for resisting the interference is 8, and the number of the wavelengths of the distribution of the frequency band for resisting the interference in each direction is 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010477168.7A CN111709515B (en) | 2020-05-29 | 2020-05-29 | Method for resisting attack deep neural network based on frequency band |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010477168.7A CN111709515B (en) | 2020-05-29 | 2020-05-29 | Method for resisting attack deep neural network based on frequency band |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111709515A CN111709515A (en) | 2020-09-25 |
| CN111709515B true CN111709515B (en) | 2022-07-12 |
Family
ID=72537575
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010477168.7A Active CN111709515B (en) | 2020-05-29 | 2020-05-29 | Method for resisting attack deep neural network based on frequency band |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111709515B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110210617A (en) * | 2019-05-15 | 2019-09-06 | 北京邮电大学 | A kind of confrontation sample generating method and generating means based on feature enhancing |
| CN110751049A (en) * | 2019-09-20 | 2020-02-04 | 浙江工业大学 | Defense method facing signal sampling gradient attack |
| CN110768959A (en) * | 2019-09-20 | 2020-02-07 | 浙江工业大学 | Defense method based on signal boundary exploration attack |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11520923B2 (en) * | 2018-11-07 | 2022-12-06 | Nec Corporation | Privacy-preserving visual recognition via adversarial learning |
-
2020
- 2020-05-29 CN CN202010477168.7A patent/CN111709515B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110210617A (en) * | 2019-05-15 | 2019-09-06 | 北京邮电大学 | A kind of confrontation sample generating method and generating means based on feature enhancing |
| CN110751049A (en) * | 2019-09-20 | 2020-02-04 | 浙江工业大学 | Defense method facing signal sampling gradient attack |
| CN110768959A (en) * | 2019-09-20 | 2020-02-07 | 浙江工业大学 | Defense method based on signal boundary exploration attack |
Non-Patent Citations (2)
| Title |
|---|
| Detecting Port Scan Attempts with Comparative Analysis of Deep Learning and Support Vector Machine Algorithms;Dogukan Aksu,and etc;《2018 International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism (IBIGDELFT)》;20190124;第77-80页 * |
| 基于GAN的网络攻击检测研究综述;傅建明等;《等级保护》;20190228(第2期);第1-9页 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111709515A (en) | 2020-09-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Moyer et al. | A multi-dimensional Hough transform-based track-before-detect technique for detecting weak targets in strong clutter backgrounds | |
| Wang et al. | Deep learning-based UAV detection in pulse-Doppler radar | |
| Gilholm et al. | Poisson models for extended target and group tracking | |
| CN106778610B (en) | Intra-pulse modulation identification method based on time-frequency image characteristics | |
| Mukherjee et al. | Symbolic analysis of sonar data for underwater target detection | |
| KR102073692B1 (en) | Radar receiver and clutter suppression method of thereof | |
| Yu et al. | Fractional Fourier transform‐based detection and delay time estimation of moving target in strong reverberation environment | |
| CN109407083A (en) | The Weighted adaptive detector that a kind of pair of mismatch subspace signal flexibly controls | |
| Nuhoglu et al. | Image segmentation for radar signal deinterleaving using deep learning | |
| CN111709515B (en) | Method for resisting attack deep neural network based on frequency band | |
| Kim et al. | GPR image enhancement based on frequency shifting and histogram dissimilarity | |
| CN110031807A (en) | A kind of multistage smart noise jamming realization method based on model-free intensified learning | |
| CN115345216A (en) | FMCW radar interference elimination method fusing prior information | |
| KR101990078B1 (en) | Simulation Apparatus for Radar Signal Processing | |
| Collins et al. | A 2D Fully Convolutional Neural Network for Nearshore And Surf-Zone Bathymetry Inversion from Synthetic Imagery of Surf-Zone using the Model Celeris. | |
| Song et al. | Detection of small ship targets from an optical remote sensing image | |
| Moqiseh et al. | 3-D Hough detector for surveillance radars | |
| Zhang et al. | Certified defense against patch attacks via mask-guided randomized smoothing | |
| CN116125466B (en) | Ship personnel hidden threat object carrying detection method and device and electronic equipment | |
| Kasban et al. | Efficient detection of landmines from acoustic images | |
| CN111259881B (en) | Hostile sample protection method based on feature map denoising and image enhancement | |
| Wang et al. | Detection of small target in sea clutter via multiscale directional Lyapunov exponents | |
| CN114841983B (en) | Image countermeasure sample detection method and system based on decision score | |
| Sengodan et al. | The SIMCA algorithm for processing ground penetrating radar data and its use in landmine detection | |
| CN107133624A (en) | A kind of object detection method and equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |