CN111738373B - Multi-sample adversarial perturbation generation method and device, storage medium and computing device - Google Patents

Info

Publication number: CN111738373B
Application number: CN202010883710.9A
Authority: CN (China)
Prior art keywords: sample, sample image, loss, disturbance, under
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111738373A (en)
Inventors: 萧子豪, 高威, 田天
Current assignee: Beijing Real AI Technology Co Ltd
Original assignee: Beijing Real AI Technology Co Ltd
Events: application filed by Beijing Real AI Technology Co Ltd; priority to CN202010883710.9A; publication of CN111738373A; application granted; publication of CN111738373B; current legal status Active

Classifications

    • G06F 18/214: G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation > G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F 18/241: G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/24 Classification techniques > G06F 18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06N 20/00: G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N 20/00 Machine learning
    • G06V 2201/07: G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING > G06V 2201/00 Indexing scheme relating to image or video recognition or understanding > G06V 2201/07 Target detection


Abstract

Embodiments of the invention provide a multi-sample adversarial perturbation generation method and device, a storage medium and a computing device. The method includes: acquiring at least one sample image and an adversarial perturbation; computing the loss of the at least one sample image with the adversarial perturbation under a discriminative model, from which the classification error rate of the at least one sample image with the adversarial perturbation under that model can be obtained; assigning a weight to the loss according to the classification confidence of the sample image under its correct label, and computing the weighted loss; and optimizing the adversarial perturbation based on the computed loss. Weights can thus be assigned according to the specific condition of each sample, so that particular samples are emphasized, improving the utilization of the samples and the success rate of the multi-sample adversarial example on those samples.

Description

Multi-sample adversarial perturbation generation method and device, storage medium and computing device
Technical Field
Embodiments of the invention relate to the technical field of computer vision, in particular to a multi-sample adversarial perturbation generation method, a multi-sample adversarial perturbation generation device, a storage medium and a computing device.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
Adversarial examples are obtained by adding adversarial noise to normal samples (for example, pictures); they cause a machine learning model to make incorrect predictions.
A multi-sample adversarial perturbation is an adversarial perturbation that can successfully attack multiple known or unknown target samples. For example, a Universal Perturbation (UP) is a single adversarial noise that successfully attacks multiple pictures, so that the model mispredicts on each of them; Expectation over Transformation (EoT) produces an adversarial noise that successfully attacks many different transformations of the same picture, so that the model mispredicts on the transformed pictures; Dense Adversary Generation (DAG) is a method in which a single adversarial noise attacks the predictions of an object detector at different scales, positions and bounding boxes, so that the model mispredicts on all of those proposals.
Disclosure of Invention
In this context, embodiments of the present invention aim to provide a multi-sample adversarial perturbation generation method, apparatus, storage medium and computing device.
In a first aspect of embodiments of the present invention, a multi-sample adversarial perturbation generation method is provided, comprising:
acquiring at least one sample image and an adversarial perturbation;
computing the loss of the at least one sample image with the adversarial perturbation under a discriminative model, from which the classification error rate of the at least one sample image with the adversarial perturbation under the discriminative model can be obtained;
assigning a weight to the loss according to the classification confidence of the sample image under its correct label, and computing the weighted loss;
optimizing the adversarial perturbation based on the computed loss.
In a second aspect of embodiments of the present invention, a multi-sample adversarial perturbation generation apparatus is provided, comprising:
an acquisition module configured to acquire at least one sample image and an adversarial perturbation;
a first calculation module configured to compute the loss of the at least one sample image with the adversarial perturbation under the discriminative model, from which the classification error rate of the at least one sample image with the adversarial perturbation under the discriminative model can be obtained;
a second calculation module configured to assign a weight to the loss according to the classification confidence of the sample image under its correct label and to compute the weighted loss;
an optimization module configured to optimize the adversarial perturbation based on the computed loss.
In a third aspect of embodiments of the present invention, a storage medium is provided that stores a computer program which, when executed by a processor, implements the multi-sample adversarial perturbation generation method.
In a fourth aspect of embodiments of the present invention, a computing device is provided, comprising a processor and a memory storing processor-executable instructions, the processor being configured to execute the multi-sample adversarial perturbation generation method.
According to the multi-sample adversarial perturbation generation method, apparatus, storage medium and computing device of the embodiments, weights can be assigned according to the specific condition of each sample, particular samples can be emphasized, and the utilization of the samples and the attack success rate of the multi-sample adversarial example are improved.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present invention will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. Several embodiments of the present invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
FIG. 1 is a flow chart of a multi-sample adversarial perturbation generation method according to an embodiment of the present invention;
FIG. 2 shows the confidence distribution of sample images superimposed with a universal adversarial perturbation obtained with different loss functions, in the universal adversarial perturbation attack analysis experiment;
FIG. 3 shows the confidence distribution of sample images superimposed with an Expectation over Transformation (EoT) perturbation obtained with different loss functions, in the EoT attack analysis experiment;
FIG. 4 compares the convergence of the iterative optimization of a universal adversarial perturbation under different loss functions in the universal adversarial attack analysis experiment;
FIGS. 5a-5f show the results of feeding an object detection model two pictures carrying universal adversarial patches generated in three different ways;
FIG. 6 is a block diagram of a multi-sample adversarial perturbation generation apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a storage medium according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a computing device according to an embodiment of the present invention;
in the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Detailed Description
The principles and spirit of the present invention will be described with reference to a number of exemplary embodiments. It is understood that these embodiments are given solely for the purpose of enabling those skilled in the art to better understand and to practice the invention, and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to embodiments of the invention, a multi-sample adversarial perturbation generation method, a medium, an apparatus and a computing device are provided.
In this context, adversarial perturbation, adversarial patch and adversarial noise are used interchangeably and denote the same or similar things;
each sample image used to train the model has exactly one correct label, e.g. the correct label of a set of images showing an owl is "owl".
The labels appearing in the drawings mean the following:
Confidence: the classification confidence;
Frequency: the number of samples having a given attribute;
Iteration: the iteration count;
attack success rate: the attack success rate;
pert epsilon: the preset perturbation magnitude;
loss function: the loss function;
VGG16, VGG19, Inception v3 and ResNet101: four different classification models;
the numbers under "train" and "test": the attack success rate of the adversarial example on the visible training samples and on the unseen test samples, respectively;
YOLOv3 and Faster-RCNN: two different object detection models;
normal: a normal (unperturbed) input sample;
random noise: the input sample superimposed with random white noise.
Moreover, any number of elements in the drawings are by way of example and not by way of limitation, and any nomenclature is used solely for differentiation and not by way of limitation.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments of the invention.
Exemplary method
A multi-sample adversarial perturbation generation method according to an exemplary embodiment of the present invention is described below with reference to FIG. 1. Application scenarios of the method include, but are not limited to, attacking undefended models and attacking defended models, and digital-world and physical-world attacks. The method can be used to attack classification models in computer vision, including but not limited to object recognition and object detection. These application scenarios are presented only to aid understanding of the spirit and principle of the invention, and the embodiments are not limited in this respect; rather, embodiments of the invention may be applied in any applicable scenario.
The embodiment provides a multi-sample adversarial perturbation generation method comprising the following steps:
step S110, acquiring at least one sample image and an adversarial perturbation;
step S120, computing the loss of the at least one sample image with the adversarial perturbation under a discriminative model, from which the classification error rate of the at least one sample image with the adversarial perturbation under the discriminative model can be obtained;
step S130, assigning a weight to the loss according to the classification confidence of the sample image under its correct label, and computing the weighted loss;
step S140, optimizing the adversarial perturbation based on the computed loss.
How the multi-sample adversarial perturbation is generated is described below with reference to the drawings.
In step S110 of this embodiment, several original sample images may be acquired directly, or a single original sample image may be acquired and then transformed to obtain several transformed sample images for iterating the adversarial perturbation; the embodiment is not limited in this respect. Likewise, the adversarial perturbation may be acquired as a preset initial perturbation or by random initialization; the embodiment is not limited in this respect either.
After the sample images and the adversarial perturbation are acquired, step S120 computes a loss for iterating the adversarial perturbation; specifically, the loss may be computed with a cross-entropy loss function. As long as the adversarial perturbation can be iteratively optimized from the computed loss, the particular way of computing it is not essential: in one embodiment, the loss may also be computed by superimposing each sample image on the adversarial perturbation, feeding the superimposed images into the discriminative model, and computing a classification error rate from the model's output.
Different sample images have different attack success rates: even under the same adversarial perturbation, some sample images are easily misrecognized by the discriminative model (easy samples), while others are hard to make it misrecognize (difficult samples). Conventional schemes for generating adversarial perturbations do not distinguish easy from difficult samples, so the perturbation obtained by their iterative optimization may be effective mostly on the easy samples.
For this reason, after the loss usable for iteratively optimizing the adversarial perturbation has been obtained, the present embodiment performs step S130 to increase the influence of the difficult samples on the adversarial perturbation.
Specifically, difficult sample images may be given a higher weight, or easy sample images a lower weight; any weight adjustment that increases the influence of difficult samples on the adversarial perturbation is within the scope of the invention. The examples below describe giving difficult sample images a higher weight.
In one embodiment, the type of a sample image is determined from its classification confidence under the correct label: the sample image is fed into the discriminative model, the classification confidence it outputs under the correct label is read, and the image is judged a difficult sample if that confidence exceeds a preset threshold. When only easy and difficult samples are distinguished, this is a binary split: whatever is not a difficult sample is an easy sample, so in this embodiment the easy samples may equivalently be filtered out by the threshold, leaving the difficult ones.
Further, in one embodiment, multi-level threshold filtering may be performed on the classification confidence of the sample image: several threshold intervals are set, each interval corresponds to a difficulty level, and a higher difficulty level receives a higher weight.
Furthermore, because different sample images have different classification confidences under the correct label, in one embodiment the weight may be derived directly from the confidence, so that every sample's loss weight may differ; in every case, the higher a sample image's classification confidence under the correct label, the larger its weighted loss.
In one embodiment, difficult sample images may also be determined as follows:
obtain the classification confidence under the correct label of every sample image;
sort the sample images by that classification confidence from high to low;
take the top preset number, or top preset proportion, of sample images as the difficult sample images.
In one embodiment, the type of a sample image is determined from the classification confidence under the correct label after the adversarial perturbation has been superimposed: the sample image and the adversarial perturbation are superimposed to form an adversarial example, the adversarial example is fed into the discriminative model, the classification confidence under the correct label that the model outputs is read, and the image is judged a difficult sample if that confidence exceeds a preset threshold. Once the confidence of the adversarial example is obtained, the type determination and weight assignment can proceed exactly as in the preceding embodiments and are not repeated here.
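The four weighting rules above (single threshold, multi-level thresholds, weight derived directly from the confidence, and top-k ranking), written out as an added example rather than the patent's own code. The confidences are constructed values standing in for the discriminative model's output under the correct label, whether read on the clean image or on the image with the perturbation superimposed; the numeric weights, the bin edges and the proportional form 1/(1-p) are assumptions, since the text fixes only the ordering (higher confidence, higher weight). The per-sample loss is the LCL loss log(1-p) defined later in the description.

```python
"""Weighting the per-sample loss by difficulty, as step S130 describes.

Added example, not the patent's code. Confidences are constructed; the
weight values, bin edges and the 1/(1-p) proportional form are assumptions.
"""
import math

# Constructed confidences of four sample images under their correct label.
CONFIDENCES = [0.30, 0.60, 0.85, 0.98]


def weights_by_threshold(conf, threshold=0.8, hard_w=2.0, easy_w=1.0):
    """Binary split: confidence above the threshold marks a difficult sample."""
    return [hard_w if c > threshold else easy_w for c in conf]


def weights_by_levels(conf, edges=(0.5, 0.8, 0.95), level_w=(1.0, 1.5, 2.0, 3.0)):
    """Multi-level thresholds: each interval is a difficulty level with its own weight."""
    return [level_w[sum(1 for e in edges if c > e)] for c in conf]


def weights_proportional(conf, floor=1e-6):
    """Weight derived directly from the confidence; 1/(1-p) is the assumed form."""
    return [1.0 / max(1.0 - c, floor) for c in conf]


def weights_by_rank(conf, k=None, fraction=None, hard_w=2.0, easy_w=1.0):
    """Sort by confidence (high to low); the top-k, or top fraction, are difficult."""
    if k is None:
        k = max(1, round(len(conf) * fraction))
    order = sorted(range(len(conf)), key=lambda i: conf[i], reverse=True)
    hard = set(order[:k])
    return [hard_w if i in hard else easy_w for i in range(len(conf))]


def lcl_losses(conf):
    """Per-sample LCL attack loss log(1 - p), which the attacker maximises."""
    return [math.log(max(1.0 - c, 1e-12)) for c in conf]


def weighted_loss(losses, weights):
    """Weighted per-sample losses, normalised by the weight sum so the scale
    does not depend on which weighting scheme was chosen."""
    return sum(w * l for w, l in zip(weights, losses)) / sum(weights)


def hard_sample_share(losses, weights):
    """Largest single-sample share of the weighted loss magnitude; here that
    is always the most confident (most difficult) sample."""
    contrib = [abs(w * l) for w, l in zip(weights, losses)]
    return max(contrib) / sum(contrib)


if __name__ == "__main__":
    losses = lcl_losses(CONFIDENCES)
    schemes = [("threshold", weights_by_threshold(CONFIDENCES)),
               ("levels", weights_by_levels(CONFIDENCES)),
               ("proportional", weights_proportional(CONFIDENCES)),
               ("top-1", weights_by_rank(CONFIDENCES, k=1))]
    for name, w in schemes:
        print(name, [round(v, 3) for v in w],
              round(weighted_loss(losses, w), 4),
              round(hard_sample_share(losses, w), 3))
```

With the constructed confidences, the unweighted LCL loss already lets the 0.98 sample contribute a little over half of the loss magnitude; the proportional weights push that share above 90 percent, which is the "emphasize the difficult sample" effect the text is after. Note that a threshold rule applied to confidences read after the perturbation is superimposed changes from iteration to iteration, so the set of difficult samples shrinks as the attack succeeds on them.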
To make the computation more general, in one embodiment the loss is computed within a general multi-sample adversarial attack framework, that is, a specific loss function built around the goal of maximizing, by means of the adversarial perturbation, the classification error rate of several objects under the discriminative model.
In this embodiment the loss function may be:
Figure GDA0003777060880000071
where $p(x)$ is the probability distribution of the sample images $x$, $\Delta x$ is the adversarial perturbation to be solved for, $L(\cdot)$ is the adversarial loss function, $d(\cdot)$ is a distance function, $\epsilon$ is the preset non-negative perturbation magnitude, and $T(\cdot)$ is the way the perturbation is applied. Perturbation modes include, but are not limited to, direct superposition, multiplication and rotation. For example:
in the case of direct superposition:
$T(x,\Delta x) = x + \Delta x$, $d(\Delta x) = \|\Delta x\|_p$,
where $\|\cdot\|_p$ denotes the $L_p$ norm;
in the case of multiplication:
$T(x,\Delta x) = x\,\Delta x$, $d(\Delta x) = \|\Delta x\|_1$;
in the case of rotation:
$T(x,\Delta x) = \mathrm{rotate}(x,\Delta x)$, $d(\Delta x) = \|\Delta x\|_1$,
where $\mathrm{rotate}(x,\Delta x)$ rotates the sample image $x$ clockwise by the angle $\Delta x$.
Moreover, to make it easier to emphasize particular samples in the loss computation, one embodiment adopts a specially designed adversarial loss function; the selectable loss functions include:
the LCL loss function: $L_{\mathrm{lcl}}(x_i + \Delta x) = \log\bigl(1 - p_{\mathrm{adv}}(x_i, t_i)\bigr)$,
where $p_{\mathrm{adv}}(x_i, t_i) = F(x_i + \Delta x, t_i)$ denotes the confidence of the $i$-th sample $x_i$, superimposed with the adversarial perturbation $\Delta x$, under its correct label $t_i$. The confidence $p_{\mathrm{adv}}$ is a number in $[0,1]$; in an untargeted attack, a value closer to 1 marks a sample that is harder to attack, i.e. a difficult sample.
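Why the LCL loss by itself emphasizes difficult samples, as an added derivation that is not part of the patent text; it takes the cross-entropy attack loss in its usual form $-\log p_{\mathrm{adv}}$, which the page does not write out:

$$
\frac{\partial}{\partial p_{\mathrm{adv}}}\bigl(-\log p_{\mathrm{adv}}\bigr) = -\frac{1}{p_{\mathrm{adv}}},
\qquad
\frac{\partial}{\partial p_{\mathrm{adv}}}\log\bigl(1-p_{\mathrm{adv}}\bigr) = -\frac{1}{1-p_{\mathrm{adv}}}.
$$

Both derivatives are negative, so maximizing either loss drives $p_{\mathrm{adv}}$ down. The difference is where the gradient is large. Under cross-entropy the magnitude $1/p_{\mathrm{adv}}$ peaks for samples that are already close to misclassification (small $p_{\mathrm{adv}}$), so the update keeps spending on easy samples. Under LCL the magnitude $1/(1-p_{\mathrm{adv}})$ grows as $p_{\mathrm{adv}} \to 1$, so each iteration is dominated by the samples the model still classifies confidently. That is the weighting by difficulty that step S130 asks for, obtained from the shape of the loss alone and recomputed at every iteration as the confidences change.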
Having defined how the loss for iteratively optimizing the adversarial perturbation is computed, step S140 is executed: the adversarial perturbation is iteratively optimized from that loss. In one embodiment, to reach a good adversarial perturbation as quickly as possible, a momentum-based method is used to iterate the perturbation, specifically by the following formulas:
Figure GDA0003777060880000081
Figure GDA0003777060880000082
$\Delta x = \mathrm{proj}\bigl(\Delta x + \alpha \cdot \mathrm{sign}(g)\bigr)$
where $\Omega$ is a randomly sampled subset of the targets (i.e. a set of sample images), $h$ is the gradient, $g$ is the momentum, $\mu$ is the decay rate of the momentum,
Figure GDA0003777060880000083
is the gradient of the loss function with respect to the adversarial perturbation $\Delta x$, $\|\cdot\|_1$ is the $L_1$ norm, $\Delta x$ is the variable holding the adversarial perturbation during the iteration, $\mathrm{proj}$ projects the variable back into the constraint set, $\alpha$ is the step size, and $\mathrm{sign}$ is the sign function.
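An added illustration of step S140, example code rather than the patent's own implementation. A universal perturbation for three constructed samples of one class is optimized against a constructed 2-D, 3-class linear softmax classifier, so every gradient is exact and the whole thing runs offline. The loss is the LCL loss from the text; the per-sample weight is the threshold rule of step S130 applied to the confidence after the perturbation is superimposed; and the update is assumed to take the momentum form the symbols above suggest, namely $h$ the weighted gradient of the loss over the set $\Omega$, $g \leftarrow \mu g + h/\|h\|_1$, $\Delta x \leftarrow \mathrm{proj}(\Delta x + \alpha\,\mathrm{sign}(g))$, with $\mathrm{proj}$ the clip onto the $L_\infty$ ball of radius $\epsilon$ (the direct-superposition case). The model weights, the samples, $\epsilon$, $\alpha$ and $\mu$ are all constructed values.

```python
"""Universal adversarial perturbation by momentum sign-gradient ascent.

Added example, not the patent's code. The classifier, samples and
hyper-parameters are constructed; the momentum/projection update is an
assumed form consistent with the symbols h, g, mu, alpha, proj, sign.
"""
import math

# Constructed linear classifier: logits z = W x + b, three classes, 2-D input.
W = [[3.0, 0.0], [-3.0, 0.0], [0.0, 3.0]]
B = [0.0, 0.0, 0.0]

# Constructed sample set Omega: all carry correct label 0, at rising difficulty.
SAMPLES = [([0.3, 0.1], 0), ([0.8, 0.5], 0), ([1.5, 0.0], 0)]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def predict_proba(x):
    z = [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(W, B)]
    return softmax(z)


def lcl_loss_and_grad(x, t, dx):
    """LCL loss log(1 - p_t) at x + dx, its gradient w.r.t. dx, and p_t.

    dL/dz_j = -(1/(1-p_t)) * dp_t/dz_j with dp_t/dz_j = p_t * (delta_tj - p_j);
    dL/dx = W^T dL/dz because the logits are linear in the input.
    """
    xa = [xi + di for xi, di in zip(x, dx)]
    p = predict_proba(xa)
    pt = p[t]
    one_minus = max(1.0 - pt, 1e-12)
    loss = math.log(one_minus)
    dz = [-(pt * ((1.0 if j == t else 0.0) - p[j])) / one_minus for j in range(len(p))]
    grad = [sum(W[j][k] * dz[j] for j in range(len(W))) for k in range(len(x))]
    return loss, grad, pt


def difficulty_weight(p_correct, threshold=0.9, hard_w=2.0, easy_w=1.0):
    """Step S130, threshold form (assumed weights): a sample the model still
    classifies confidently under its correct label counts more."""
    return hard_w if p_correct > threshold else easy_w


def momentum_attack(samples, eps=0.4, alpha=0.1, mu=0.9, iters=10):
    """Iterate dx with momentum on the weighted LCL gradient, projecting onto
    the L_inf ball of radius eps after every sign step."""
    dim = len(samples[0][0])
    dx = [0.0] * dim
    g = [0.0] * dim
    for _ in range(iters):
        h = [0.0] * dim
        for x, t in samples:
            _, grad, pt = lcl_loss_and_grad(x, t, dx)
            w = difficulty_weight(pt)
            h = [hk + w * gk for hk, gk in zip(h, grad)]
        l1 = sum(abs(v) for v in h) or 1.0
        g = [mu * gk + hk / l1 for gk, hk in zip(g, h)]
        dx = [max(-eps, min(eps, dk + alpha * math.copysign(1.0, gk)))
              for dk, gk in zip(dx, g)]
    return dx


def attack_success_rate(samples, dx):
    """Fraction of samples whose top class is no longer the correct label."""
    wrong = 0
    for x, t in samples:
        p = predict_proba([xi + di for xi, di in zip(x, dx)])
        if p.index(max(p)) != t:
            wrong += 1
    return wrong / len(samples)


if __name__ == "__main__":
    dx = momentum_attack(SAMPLES)
    print("perturbation", dx)
    print("success before", attack_success_rate(SAMPLES, [0.0, 0.0]))
    print("success after", attack_success_rate(SAMPLES, dx))
```

Running it yields the perturbation (-0.4, 0.4), a corner of the $\epsilon$ ball, and an attack success rate of 0 before and 2/3 after: the two easier samples flip to another class, while the sample the model classifies with about 0.99 confidence survives the budget, which is exactly the difficult-sample case the weighting is designed to chase. Replacing the clip with an $L_p$ projection, or the addition in `lcl_loss_and_grad` with another $T(x,\Delta x)$, covers the other perturbation modes of the framework.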
The adversarial perturbation obtained iteratively from the formulas above may be confined to a specific shape or region. For example, when a face recognition model at a specific location (say, the gate of some site) is to be attacked, the adversarial perturbation may have to be made into a physical object and tested in the field while worn by a person; in that case, during generation, the image is projected back into a specific constraint region such as the eye area, the resulting adversarial perturbation is manufactured as physical glasses, the person wears them, and the adversarial example is formed once the image is captured by the camera of the face recognition system. This does not mean the adversarial perturbation of this embodiment can only take a specific shape or region: in another embodiment the projection-constraint step is omitted and the adversarial perturbation is obtained directly, without affecting attack performance.
On the basis of the general multi-sample attack framework above, the invention further provides a framework for generating a universal adversarial patch, so that a pedestrian wearing the patch is not recognized by a pedestrian detection model. Specifically, the loss function may be modified to:
Figure GDA0003777060880000084
Most of its content is the same as in the embodiment above; $\Phi(x)$ denotes the set of bounding boxes to be attacked in the sample image $x$. The adversarial perturbation can then be iteratively optimized with this loss function from the sample images and the initial adversarial perturbation.
Although the present embodiment uses a momentum-based method to iterate the adversarial perturbation, the invention is not limited to it: the iterative optimization may also be carried out by stochastic gradient descent, batch gradient descent, Newton's method, a quasi-Newton method or the like.
After the optimization converges, the adversarial perturbation $\Delta x$ is obtained. Steps S120, S130 and S140 may be repeated until an optimal adversarial perturbation is reached, i.e. until the optimization converges.
Since this embodiment establishes a general multi-sample adversarial attack framework, a person skilled in the art can freely choose the sample set, the way the perturbation is applied and the adversarial loss function. For example, the framework can generate adversarial examples for an Expectation over Transformation (EoT) attack, an algorithm that applies multiple image transformations to a single picture and attacks as many of the transformed pictures as possible; one need only replace the set of sample images $x$ with the set of transformed images.
Distinguishing difficult from easy samples by confidence lets the method decide whether a sample is difficult or easy immediately after the sample image and the adversarial perturbation are acquired, whereas other existing methods need iterative computation to make that decision. The method therefore separates difficult and easy samples faster than existing methods, and it also copes with large volumes of data and with dynamically changing data. For example, when attacking an object detection model, the detection boxes that serve as samples keep changing with the latest detections, so existing methods cannot effectively tell whether the image in a box is a difficult or an easy sample, whereas this method applies naturally to attacking object detection models.
In addition, a person skilled in the art may implement the method offline or online; this embodiment is not limited in that respect. For example, an adversarial perturbation or adversarial example generation model may be implemented following the method steps of the invention and deployed on a client to provide an offline service, or on a server to provide an online service to browsers, mobile apps and other clients.
To verify the effect of the proposed multi-sample attack optimized with difficult-sample mining, the inventors chose a universal adversarial perturbation generation experiment and an EoT attack experiment as analysis experiments. Different loss functions were used to generate the corresponding adversarial examples, and the distribution of confidences after the attack was analysed, as shown in FIG. 2 and FIG. 3. The sample distributions differ markedly between loss functions: with the cross-entropy loss a large proportion of samples are not attacked successfully, whereas the LCL loss greatly reduces the proportion of failed attacks, so that as many samples as possible are attacked effectively.
The experimental data also show that the proposed LCL loss function accelerates the convergence of the attack, as shown in FIG. 4: compared with the cross-entropy loss and others, the LCL loss reaches a converged solution faster in the early stage of the attack. This loss function offers the same advantage in adversarial training, where it can speed up the training process.
TABLE 1
Figure GDA0003777060880000101
TABLE 2
Figure GDA0003777060880000111
Table 1 gives the attack success rates after superimposing sample images with universal adversarial perturbations obtained with different loss functions in the universal adversarial perturbation attack analysis experiment; Table 2 gives the attack success rates after superimposing sample images with EoT perturbations obtained with different loss functions in the EoT attack analysis experiment. As Tables 1 and 2 show, the proposed LCL loss function improves the attack success rate: in Table 1, among universal adversarial perturbations generated with different loss functions, the LCL loss performs best, especially under large perturbations, $\epsilon \ge 8$; in Table 2, among EoT attacks generated with different loss functions, the LCL loss again performs best.
TABLE 3
Figure GDA0003777060880000112
Fig. 5 a-5 f show the results of detecting the generic countermeasure patch for the target detection model and the target detection model generated in 3 different ways based on two pictures, where fig. 5a and 5b show the results of performing target detection based on two pictures using normal input samples, respectively, or may be regarded as generating countermeasure samples without any countermeasure patch, and fig. 5c and 5d show the countermeasure samples obtained after using random white noise as the countermeasure patch based on two pictures and the results of performing target detection, respectively; fig. 5e and 5f respectively show the confrontation sample obtained after the confrontation patch is generated by the LCL loss function based on the two pictures and the target detection result thereof, table 3 shows the identification Accuracy (AP) of the target detection model after the confrontation patch is attacked, and experimental data shows that the LCL loss function can significantly reduce the accuracy of the target detection
In summary, unlike previous single-target attacks, the multi-sample adversarial perturbation generation method provided by the invention can generate an adversarial perturbation that attacks a plurality of targets simultaneously, can focus on a specific type of sample image in a targeted manner during the optimization of the perturbation, and improves the attack success rate on both seen and unseen samples.
Exemplary devices
Having described the method of an exemplary embodiment of the present invention, a multi-sample adversarial perturbation generating apparatus of an exemplary embodiment of the present invention is next described with reference to Fig. 6. The apparatus includes:
an acquisition module 210 configured to acquire at least one sample image and an adversarial perturbation;
a first calculation module 220 configured to calculate the loss of the at least one sample image and the adversarial perturbation under a discriminant model, from which the classification error rate of the at least one sample image and the adversarial perturbation under the discriminant model can be obtained;
a second calculation module 230 configured to assign the weight corresponding to the loss according to the classification confidence under the correct label of the sample image, and to calculate the weighted loss;
an optimization module 240 configured to optimize the adversarial perturbation based on the calculated loss.
In one example of this embodiment, the difficult sample images are given higher weights.
In one example of this embodiment, the second calculation module 230 includes:
a classification unit configured to determine the type of the sample image according to the classification confidence under the correct label of the sample image;
and a calculation unit configured to assign the weight corresponding to the loss according to the type of the sample image, and to calculate the weighted loss.
In one example of this embodiment, the second calculation module 230 is further configured to assign the weight corresponding to the loss according to the classification confidence of the sample image under its correct label after the adversarial perturbation is superimposed on the sample image, and to calculate the weighted loss.
In one example of this embodiment, the classification unit is further configured to determine a sample image whose classification confidence is greater than a preset threshold as a difficult sample image.
In one example of this embodiment, the classification unit is further configured to determine that a sample image is a difficult sample image by:
obtaining the classification confidence under the correct label of each sample image;
sorting the sample images from high to low by the classification confidence under their correct labels;
and determining the top-ranked sample images, up to a preset number or a preset proportion, as the difficult sample images.
In one example of this embodiment, the classification unit is further configured to determine that a sample image is a difficult sample image by:
obtaining the classification confidence under the correct label of each sample image after the adversarial perturbation is superimposed on it;
sorting the sample images from high to low by the classification confidence under their correct labels after the adversarial perturbation is superimposed;
and determining the top-ranked sample images, up to a preset number or a preset proportion, as the difficult sample images.
In one example of this embodiment, the first calculation module 220 is further configured to calculate the loss through a specific loss function, which is constructed with the goal of making the adversarial perturbation maximize the classification error rate of the objects under the discriminant model.
In one example of this embodiment, the specific loss function is:
Figure GDA0003777060880000131
where p(x) is the probability distribution of the sample image x, Δx is the adversarial perturbation to be solved for, L(·) is the adversarial loss function, d(·) is a distance function, ε is the preset non-negative perturbation magnitude, and T(·) represents the perturbation mode.
In one example of this embodiment, the adversarial loss function is the LCL loss function:
$L_{lcl}(x_i + \Delta x) = \log\bigl(1 - p_{adv}(x_i, t_i)\bigr)$;
where $p_{adv}(x_i, t_i) = F(x_i + \Delta x, t_i)$ denotes the confidence of the i-th sample $x_i$, superimposed with the adversarial perturbation $\Delta x$, under its correct label $t_i$. The confidence $p_{adv}$ of a sample lies in $[0, 1]$; in an untargeted attack, the closer it is to 1, the harder the sample is to attack, i.e. the more difficult the sample.
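The following Python is an added illustration, not code from the patent: it shows numerically why the LCL loss of the specification gives difficult samples (high confidence under the correct label) more influence than ordinary cross-entropy does, and implements the two hard-sample selection rules of the classification unit (confidence threshold, and top number or top proportion after sorting by confidence) together with the type-based weighting of the second calculation module. The model F is not on the page, so the example works directly on constructed per-sample confidences p_adv; the 0.5 threshold and the 2.0/1.0 weights are constructed choices, not values from the page.

```python
import math
from typing import Callable, List, Optional, Sequence, Tuple

# Constructed confidences p_adv(x_i, t_i) = F(x_i + dx, t_i): each sample's confidence
# under its correct label t_i after the perturbation dx is superimposed. Values near 1
# are difficult samples (still confidently classified correctly); values near 0 are
# easy samples that the perturbation has already pushed off the correct label.
P_ADV: List[float] = [0.98, 0.90, 0.75, 0.40, 0.15, 0.05]

EPS = 1e-12  # keeps log() finite when a confidence is exactly 0 or 1


def lcl_loss(p_adv: float) -> float:
    """LCL loss of the specification, L_lcl = log(1 - p_adv); the optimisation drives it
    up towards 0, i.e. drives the correct-label confidence down."""
    return math.log(max(1.0 - p_adv, EPS))


def ce_loss(p_adv: float) -> float:
    """Baseline for comparison: cross-entropy on the correct label, -log(p_adv)."""
    return -math.log(max(p_adv, EPS))


def implicit_weight(loss_fn: Callable[[float], float], p_adv: float, h: float = 1e-6) -> float:
    """|dL/dp_adv| by central differences: how strongly one sample's confidence moves the
    update. Analytically CE gives 1/p (largest for easy samples) and LCL gives 1/(1-p)
    (largest for difficult samples), which is the 'higher weight' the text describes."""
    return abs(loss_fn(p_adv + h) - loss_fn(p_adv - h)) / (2.0 * h)


def weight_table(confidences: Sequence[float]) -> List[Tuple[float, float, float]]:
    """Rows of (p_adv, CE weight, LCL weight), one per sample."""
    return [(p, implicit_weight(ce_loss, p), implicit_weight(lcl_loss, p)) for p in confidences]


def lcl_favours_hard_samples(confidences: Sequence[float]) -> bool:
    """Numerical check of the claim: ordered by confidence, the LCL weight never falls
    while the CE weight never rises."""
    rows = sorted(weight_table(confidences))
    ce = [r[1] for r in rows]
    lcl = [r[2] for r in rows]
    return all(a >= b for a, b in zip(ce, ce[1:])) and all(a <= b for a, b in zip(lcl, lcl[1:]))


def difficult_by_threshold(confidences: Sequence[float], threshold: float) -> List[int]:
    """Classification unit, rule 1: a sample is difficult when its confidence under the
    correct label exceeds a preset threshold. Returns sample indices."""
    return [i for i, p in enumerate(confidences) if p > threshold]


def difficult_by_rank(confidences: Sequence[float], count: Optional[int] = None,
                      proportion: Optional[float] = None) -> List[int]:
    """Classification unit, rule 2: sort samples by confidence from high to low and take
    the top preset number, or the top preset proportion. Returns sample indices."""
    if (count is None) == (proportion is None):
        raise ValueError("give exactly one of count or proportion")
    order = sorted(range(len(confidences)), key=lambda i: confidences[i], reverse=True)
    if count is None:
        count = max(1, math.ceil(proportion * len(confidences)))
    return order[:count]


def weighted_batch_loss(confidences: Sequence[float], threshold: float = 0.5,
                        difficult_weight: float = 2.0, easy_weight: float = 1.0) -> float:
    """Second calculation module: split the batch into easy and difficult samples by
    confidence, weight each sample's LCL loss by its type (the weights here are constructed;
    the page fixes none) and average."""
    difficult = set(difficult_by_threshold(confidences, threshold))
    total = 0.0
    for i, p in enumerate(confidences):
        total += (difficult_weight if i in difficult else easy_weight) * lcl_loss(p)
    return total / len(confidences)


if __name__ == "__main__":
    print(" p_adv   CE weight  LCL weight")
    for p, w_ce, w_lcl in weight_table(P_ADV):
        print(f"{p:6.2f}  {w_ce:9.3f}  {w_lcl:10.3f}")
    print("LCL favours difficult samples:", lcl_favours_hard_samples(P_ADV))
    print("difficult (p > 0.5):      ", difficult_by_threshold(P_ADV, 0.5))
    print("difficult (top 2 by rank):", difficult_by_rank(P_ADV, count=2))
    print("weighted batch LCL loss:  ", round(weighted_batch_loss(P_ADV), 4))
```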
Exemplary Medium
Having described the method and apparatus of the exemplary embodiments of this invention, a computer-readable storage medium of the exemplary embodiments of this invention is described with reference to Fig. 7, which illustrates an optical disc 70 having a computer program (i.e., a program product) stored thereon which, when executed by a processor, performs the steps recited in the method embodiments described above, such as: acquiring at least one sample image and an adversarial perturbation; calculating the loss of the at least one sample image and the adversarial perturbation under a discriminant model, and obtaining the classification error rate of the at least one sample image and the adversarial perturbation under the discriminant model based on the loss; assigning the weight corresponding to the loss according to the classification confidence under the correct label of the sample image, and calculating the weighted loss; and optimizing the adversarial perturbation based on the calculated loss. The specific implementation of each step is not repeated here.
It should be noted that examples of the computer-readable storage medium may also include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory, or other optical and magnetic storage media, which are not described in detail herein.
Exemplary computing device
Having described the method, medium, and apparatus of exemplary embodiments of the present invention, a computing device for multi-sample countering disturbance generation of exemplary embodiments of the present invention is next described with reference to FIG. 8.
FIG. 8 illustrates a block diagram of an exemplary computing device 80 suitable for implementing embodiments of the present invention; the computing device 80 may be a computer system or server. The computing device 80 shown in FIG. 8 is only one example and should not impose any limitation on the functionality or scope of use of embodiments of the present invention.
As shown in fig. 8, components of computing device 80 may include, but are not limited to: one or more processors or processing units 801, a system memory 802, and a bus 803 that couples various system components including the system memory 802 and the processing unit 801.
Computing device 80 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computing device 80 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 802 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 8021 and/or cache memory 8022. Computing device 80 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, ROM 8023 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 8, and typically referred to as a "hard disk drive"). Although not shown in FIG. 8, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to the bus 803 by one or more data media interfaces. At least one program product may be included in system memory 802 having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the invention.
Program/utility 8025, having a set (at least one) of program modules 8024, can be stored, for example, in system memory 802, and such program modules 8024 include, but are not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment. Program modules 8024 generally perform the functions and/or methodologies of embodiments of the present invention as described herein.
Computing device 80 may also communicate with one or more external devices 804 (e.g., keyboard, pointing device, display, etc.). Such communication may be through input/output (I/O) interfaces 805. Moreover, computing device 80 may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via network adapter 806. As shown in FIG. 8, the network adapter 806 communicates with other modules of the computing device 80, such as the processing unit 801, over the bus 803. It should be appreciated that although not shown in FIG. 8, other hardware and/or software modules may be used in conjunction with computing device 80.
The processing unit 801 executes various functional applications and data processing by running a program stored in the system memory 802, such as: acquiring at least one sample image and an adversarial perturbation; calculating the loss of the at least one sample image and the adversarial perturbation under a discriminant model, and obtaining the classification error rate of the at least one sample image and the adversarial perturbation under the discriminant model based on the loss; assigning a weight corresponding to the loss according to the classification confidence under the correct label of the sample image, and calculating the weighted loss; and optimizing the adversarial perturbation based on the calculated loss. The specific implementation of each step is not repeated here. It should be noted that although several units/modules or sub-units/sub-modules of the multi-sample adversarial perturbation generating device are mentioned in the above detailed description, such a division is merely exemplary and not mandatory. Indeed, the features and functionality of two or more of the units/modules described above may be embodied in one unit/module according to embodiments of the invention. Conversely, the features and functions of one unit/module described above may be further divided and embodied by a plurality of units/modules.
In the description of the present invention, it should be noted that the terms "first", "second", and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in software functional units and sold or used as a stand-alone product, may be stored in a non-transitory computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present invention, used to illustrate its technical solutions and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can, within the technical scope of the present disclosure, modify or readily conceive changes to the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Moreover, while the operations of the method of the invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.

Claims (12)

1. A multi-sample adversarial perturbation generation method, comprising:
acquiring at least one sample image and an adversarial perturbation;
calculating the loss of the at least one sample image and the adversarial perturbation under a discriminant model, and obtaining the classification error rate of the at least one sample image and the adversarial perturbation under the discriminant model based on the loss; wherein the loss is calculated by the following loss function:
Figure FDA0003646928920000011
wherein p(x) is the probability distribution of the sample image x, Δx is the adversarial perturbation to be solved for, L(·) is the adversarial loss function giving higher weight to the difficult sample, d(·) is a distance function, ε is the preset non-negative perturbation size, and T(·) represents the perturbation mode;
according to the classification confidence under the correct label of the sample image, giving the weight corresponding to the loss and calculating, wherein the calculation comprises the following steps:
determining the type of the sample image according to the classification confidence coefficient under the correct label of the sample image;
according to the type of the sample image, giving a weight corresponding to the loss and calculating;
wherein the types of the sample images include easy samples and difficult samples, the difficult sample images being given higher weights;
and optimizing the adversarial perturbation based on the loss calculated after the weight is given.
2. The multi-sample adversarial perturbation generation method of claim 1, wherein the sample images with classification confidence greater than a preset threshold are determined to be difficult sample images.
3. The multi-sample adversarial perturbation generation method according to claim 1, wherein the sample image is determined to be a difficult sample image by:
obtaining classification confidence coefficients under correct labels of all sample images;
sorting the sample images according to the sequence from high to low on the basis of the classification confidence degrees under the correct labels of the sample images;
and determining the sample images which are ranked in the front in a preset number or in a preset proportion as the difficult sample images.
4. The multi-sample adversarial perturbation generation method of claim 1, wherein the loss function is constructed with the goal of maximizing the classification error rate of a plurality of sample objects under the discriminant model.
5. The multi-sample adversarial perturbation generation method of claim 1, wherein the adversarial loss function is the LCL loss function:
$L_{lcl}(x_i + \Delta x) = \log\bigl(1 - p_{adv}(x_i, t_i)\bigr)$;
wherein $p_{adv}(x_i, t_i) = F(x_i + \Delta x, t_i)$ denotes the confidence of the i-th sample $x_i$, superimposed with the adversarial perturbation $\Delta x$, under its correct label $t_i$.
6. A multi-sample adversarial perturbation generation apparatus, comprising:
an acquisition module configured to acquire at least one sample image and an adversarial perturbation;
a first calculation module configured to calculate the loss of the at least one sample image and the adversarial perturbation under a discriminant model, from which the classification error rate of the at least one sample image and the adversarial perturbation under the discriminant model can be obtained; wherein the loss is calculated by the following loss function:
Figure FDA0003646928920000021
wherein p(x) is the probability distribution of the sample image x, Δx is the adversarial perturbation to be solved for, L(·) is the adversarial loss function giving higher weight to the difficult sample, d(·) is a distance function, ε is the preset non-negative perturbation magnitude, and T(·) represents the perturbation mode;
a second calculation module configured to assign the weight corresponding to the loss according to the classification confidence under the correct label of the sample image and to calculate the weighted loss, the second calculation module including:
the classification unit is configured to determine the type of the sample image according to the classification confidence coefficient under the correct label of the sample image;
a calculating unit configured to give a weight corresponding to the loss according to a type of the sample image and calculate;
wherein the types of the sample images include easy samples and difficult samples, the difficult sample images being given higher weights;
an optimization module configured to optimize the adversarial perturbation based on the loss calculated after the weighting.
7. The multi-sample adversarial perturbation generation apparatus of claim 6, wherein the classification unit is further configured to determine the sample image with the classification confidence greater than a preset threshold as a difficult sample image.
8. The multi-sample adversarial perturbation generation apparatus of claim 6, wherein the classification unit is further configured to determine that the sample image is a difficult sample image by:
obtaining classification confidence coefficients under correct labels of all sample images;
sorting according to the sequence from high to low based on the classification confidence under the correct label of each sample image;
and determining the sample images which are ranked in the front in a preset number or in a preset proportion as the difficult sample images.
9. The multi-sample adversarial perturbation generation apparatus according to claim 6, wherein the loss function is constructed with the goal of enabling the adversarial perturbation to maximize the classification error rate of a plurality of objects under the discriminant model.
10. The multi-sample adversarial perturbation generation apparatus according to claim 6, wherein the adversarial loss function is the LCL loss function:
$L_{lcl}(x_i + \Delta x) = \log\bigl(1 - p_{adv}(x_i, t_i)\bigr)$;
wherein $p_{adv}(x_i, t_i) = F(x_i + \Delta x, t_i)$ denotes the confidence of the i-th sample $x_i$, superimposed with the adversarial perturbation $\Delta x$, under its correct label $t_i$.
11. A storage medium storing a computer program which, when executed by a processor, implements the method of any of claims 1-5.
12. A computing device, the computing device comprising: a processor; a memory for storing the processor-executable instructions; the processor configured to perform the method of any of the preceding claims 1-5.
CN202010883710.9A 2020-08-28 2020-08-28 Multi-sample anti-disturbance generation method and device, storage medium and computing equipment Active CN111738373B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010883710.9A CN111738373B (en) 2020-08-28 2020-08-28 Multi-sample anti-disturbance generation method and device, storage medium and computing equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010883710.9A CN111738373B (en) 2020-08-28 2020-08-28 Multi-sample anti-disturbance generation method and device, storage medium and computing equipment

Publications (2)

Publication Number Publication Date
CN111738373A CN111738373A (en) 2020-10-02
CN111738373B true CN111738373B (en) 2022-09-02

Family

ID=72658150

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010883710.9A Active CN111738373B (en) 2020-08-28 2020-08-28 Multi-sample anti-disturbance generation method and device, storage medium and computing equipment

Country Status (1)

Country Link
CN (1) CN111738373B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112116592B (en) * 2020-11-19 2021-04-02 北京瑞莱智慧科技有限公司 Image detection method, training method, device and medium of image detection model
CN112329930B (en) * 2021-01-04 2021-04-16 北京智源人工智能研究院 Countermeasure sample generation method and device based on proxy model
CN113537374B (en) * 2021-07-26 2023-09-08 百度在线网络技术(北京)有限公司 Method for generating countermeasure sample
CN114444579B (en) * 2021-12-31 2022-10-28 北京瑞莱智慧科技有限公司 General disturbance acquisition method and device, storage medium and computer equipment
CN114743074B (en) * 2022-06-13 2022-09-09 浙江华是科技股份有限公司 Ship detection model training method and system based on strong and weak confrontation training
CN116991075B (en) * 2023-09-26 2023-12-19 中国石油大学(华东) Universal anti-disturbance generation method for fault diagnosis model

Citations (3)

Publication number Priority date Publication date Assignee Title
CN109902705A (en) * 2018-10-30 2019-06-18 华为技术有限公司 A kind of object detection model to disturbance rejection generation method and device
CN111275044A (en) * 2020-02-21 2020-06-12 西北工业大学 Weak supervision target detection method based on sample selection and self-adaptive hard case mining
CN111461307A (en) * 2020-04-02 2020-07-28 武汉大学 General disturbance generation method based on generation countermeasure network

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US10915817B2 (en) * 2017-01-23 2021-02-09 Fotonation Limited Method of training a neural network

Non-Patent Citations (1)

Title
A survey of adversarial example generation techniques; 潘文雯 (Pan Wenwen) et al.; Journal of Software (《软件学报》); 2019-11-06; Vol. 31, No. 1; full text *

Also Published As

Publication number Publication date
CN111738373A (en) 2020-10-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20201002

Assignee: Beijing Intellectual Property Management Co.,Ltd.

Assignor: Beijing Ruili Wisdom Technology Co.,Ltd.

Contract record no.: X2023110000073

Denomination of invention: Methods, devices, storage media, and computing equipment for generating diverse adversarial disturbances

Granted publication date: 20220902

License type: Common License

Record date: 20230531