CN111898645A - Movable sample attack resisting method based on attention mechanism - Google Patents


Info

Publication number: CN111898645A
Authority: CN (China)
Prior art keywords: picture, attack, sample, layer, original picture
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010630136.6A
Other languages: Chinese (zh)
Inventors: 宋井宽, 黄梓杰, 高联丽
Current assignee: University of Electronic Science and Technology of China; Guizhou University (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: University of Electronic Science and Technology of China; Guizhou University
Priority date and filing date: 2020-07-03 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Publication date: 2020-11-06

Events
2020-07-03: Application filed by University of Electronic Science and Technology of China and Guizhou University
2020-07-03: Priority to CN202010630136.6A
2020-11-06: Publication of CN111898645A
Legal status: Pending

Classifications

    • G06F 18/2415: G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/24 Classification techniques > G06F 18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches > G06F 18/2415 based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus false rejection rate
    • G06F 18/214: G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 18/00 Pattern recognition > G06F 18/20 Analysing > G06F 18/21 Design or setup of recognition systems or techniques; extraction of features in feature space; blind source separation > G06F 18/214 Generating training patterns; bootstrap methods, e.g. bagging or boosting
    • G06N 3/045: G Physics > G06 Computing; calculating or counting > G06N Computing arrangements based on specific computational models > G06N 3/00 Computing arrangements based on biological models > G06N 3/02 Neural networks > G06N 3/04 Architecture, e.g. interconnection topology > G06N 3/045 Combinations of networks
    • G06N 3/08: G Physics > G06 Computing; calculating or counting > G06N Computing arrangements based on specific computational models > G06N 3/00 Computing arrangements based on biological models > G06N 3/02 Neural networks > G06N 3/08 Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Molecular Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • General Health & Medical Sciences (AREA)
  • Evolutionary Biology (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Image Analysis (AREA)

Abstract

The invention discloses a transferable adversarial example attack method based on an attention mechanism. It comprises: selecting a local surrogate network model and constructing a feature library that maps the original picture into a feature space; using an iterative fast gradient sign attack method with momentum accumulation to push the features of the original picture away from the region of its original category while pulling them toward the region of the target category; and feeding the adversarial example obtained by the attack into the black-box classification model so that the model is misled into outputting the target class. The method uses a triplet loss function to disrupt the information-rich regions that the attacked model mainly attends to in its feature space. This addresses the low white-box targeted-attack success rate and the low black-box targeted transfer rate of existing attack methods on classification tasks over complex data sets, and misleads the classification model effectively in both the white-box and the black-box scenario.

Description

Movable sample attack resisting method based on attention mechanism
Technical Field
The invention belongs to the technical field of adversarial attacks, and in particular relates to a transferable adversarial example attack method based on an attention mechanism.
Background
With the rapid development of deep learning, researchers have been able to solve many computer vision tasks such as image classification and segmentation. However, the appearance of adversarial examples has drawn much attention to the shortcomings of convolutional neural networks. An adversarial example is an original input picture to which subtle perturbations imperceptible to the human eye have been added, so that the convolutional neural network can no longer predict the picture correctly. Existing methods for generating adversarial examples can be divided, by the attacker's goal, into untargeted and targeted attacks: in the former the attacker only wants the classification model to give a wrong prediction, while in the latter the attacker wants to change the prediction to a pre-specified target label. They can further be divided, by how much the attacker knows about the model, into white-box and black-box attacks: in the former the attacker has all information about the attacked model, including its parameters and structure, while in the latter the attacker cannot obtain all information about the model and can only obtain the prediction corresponding to a given input. Transferability of adversarial examples is therefore the key to black-box attacks; transferability means that an adversarial example generated by attacking one model also causes other models to predict wrongly.
Generally, adversarial attacks generate adversarial examples by disrupting the Softmax output space of a classification model. Because the transferability of such methods is limited, much later research has turned to attacks that disrupt the feature space of the model; however, these methods suffer from a low white-box targeted-attack success rate or low black-box targeted transferability on classification tasks over complex data sets.
Disclosure of Invention
To address the defects of the prior art, the invention provides a transferable adversarial example attack method based on an attention mechanism. Using a triplet loss function (Triplet Loss), it disrupts the information-rich regions that the attacked model mainly attends to in its feature space, solves the problems of low white-box targeted-attack success rate and low black-box targeted transferability of existing attack methods on classification tasks over complex data sets, and misleads the classification model effectively in both the white-box and the black-box scenario.
To achieve this purpose, the invention adopts the following technical scheme:
A transferable adversarial example attack method based on an attention mechanism comprises the following steps:
S1, selecting a local surrogate network model, and constructing a feature library that maps the original picture into a feature space;
S2, using an iterative fast gradient sign attack method with momentum accumulation to separate the features of the original picture from the region of its original category while bringing them close to the region of the target category; and
S3, feeding the adversarial example obtained by the attack in step S2 into the black-box classification model, so that the model is misled into outputting the target class.
Further, selecting a local surrogate network model in step S1 specifically comprises:
selecting a local surrogate network model for picture classification, taking an intermediate layer of the classification network as the shallow layer, and taking the layer before the Softmax of the classification network as the deep layer.
Further, constructing a feature library that maps the original picture into the feature space in step S1 specifically comprises:
for each category in the validation set of the local surrogate network model, computing, at the selected shallow and deep layers of the classification network respectively, the centroid of all pictures that the local surrogate network model classifies correctly, thereby constructing a feature library for each layer.
Further, the centroid of all pictures that the local surrogate network model classifies correctly is computed as:
c_j = (1/n) · Σ_{i=1}^{n} F_l(x_i^j),
where the sum runs over the pictures of category j that the surrogate model classifies correctly, i.e. whose predicted label equals y_j; n is the number of pictures of category j correctly classified by the local surrogate network model, F_l is the l-th layer of the local surrogate network model, x_i^j is the i-th picture of category j, and y_j is the true class label of category j.
Further, step S2 specifically comprises the following sub-steps:
S21, for each original picture, selecting from the feature library of the l-th layer the centroid of the same category as the original picture as the negative sample, randomly selecting the centroid of a different category as the positive sample, and forming a triplet loss function together with the l-th layer features of the original picture;
S22, constructing the total loss function of the local surrogate network model from the triplet loss function; and
S23, generating a perturbation on the features of the original picture using an iterative fast gradient sign attack method with momentum accumulation.
Further, the total loss function of the local surrogate network model in step S22 is:
L_total = L_l + L_k
L_l = [D(f_l^a, f_l^p) - D(f_l^a, f_l^n) + θ_l]_+
L_k = [D(f_k^a, f_k^p) - D(f_k^a, f_k^n) + θ_k]_+
where L_total is the total loss; L_l and L_k are the triplet losses on the l-th and k-th layers respectively; D is the Euclidean distance function; f_l^a and f_k^a are the features of the original picture at the l-th and k-th layers respectively; f_l^n and f_k^n are the negative samples from the l-th and k-th layer feature libraries respectively; f_l^p and f_k^p are the positive samples from the l-th and k-th layer feature libraries respectively; θ_l and θ_k are the minimum margins required between the feature-to-positive-sample distance and the feature-to-negative-sample distance at the l-th and k-th layers respectively; and [·]_+ means that the bracketed value is taken as the loss when it is greater than zero, and the loss is zero when it is less than zero.
Further, step S23 specifically comprises the following sub-steps:
S231, computing the gradient of the total loss function with respect to the original picture;
S232, computing the accumulated momentum from the gradient of the total loss function;
S233, computing the perturbation from the obtained momentum and adding it to the adversarial example picture of the t-th iteration to generate the adversarial example picture of the (t+1)-th iteration; and
S234, performing T attack iterations on the original picture and outputting the adversarial example picture of the T-th iteration as the final adversarial example.
Further, step S233 generates the adversarial example picture of the (t+1)-th iteration as:
x'_{t+1} = x'_t - α · sign(g_{t+1})
where x'_{t+1} is the adversarial example picture of the (t+1)-th iteration, x'_t is the adversarial example picture of the t-th iteration, α is the perturbation step size of a single iteration, and sign() is the sign function, which outputs 1 when its argument is greater than 0, -1 when it is less than 0, and 0 when it equals 0.
Further, step S23 also clips every pixel of the (t+1)-th iteration's adversarial example picture to a value between 0 and 1, computed as:
x''_{t+1} = Clip(x'_{t+1}, 0, 1)
where x''_{t+1} is the clipped adversarial example picture, and Clip() is the clipping function, which sets the pixels of the adversarial example picture that are greater than 1 to 1.
The invention has the following beneficial effects:
(1) the invention replaces the cross-entropy function of the existing MI-FGSM method with triplet loss functions, so as to disrupt, in the feature space, the information-rich regions of the picture that the model mainly attends to, thereby balancing the targeted-attack success rate well between the white-box and black-box scenarios;
(2) the method attacks the shallow-layer and deep-layer features of the network simultaneously, effectively disrupting both the global coarse information and the local detail information of the picture, and generates a more aggressive adversarial example;
(3) on classification tasks over complex data sets, the triplet loss function still keeps the features of the original picture as far as possible from the region of its true category while bringing them as close as possible to the region of the target category, which improves the final white-box targeted-attack success rate and even the black-box attack success rate.
Drawings
FIG. 1 is a flow chart of the attention-mechanism-based transferable adversarial example attack method of the present invention;
FIG. 2 is a flow chart of the adversarial example attack method according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention is provided to facilitate the understanding of the present invention by those skilled in the art, but it should be understood that the present invention is not limited to the scope of the embodiments, and it will be apparent to those skilled in the art that various changes may be made without departing from the spirit and scope of the invention as defined and defined in the appended claims, and all matters produced by the invention using the inventive concept are protected.
The embodiment of the invention provides a transferable adversarial example attack method based on an attention mechanism, which uses an iterative fast gradient sign attack method with accumulated momentum in the feature space of a model to disrupt the information-rich regions that the model mainly attends to, so as to generate adversarial examples with strong transferability and a high white-box targeted-attack success rate.
The research object of the invention is the black-box targeted attack, and the specific technical scenario addressed is as follows:
1) the attacker cannot obtain all information about the attacked classification model and can only obtain the model's prediction output for a given input;
2) the attacker's goal is to mislead the model's prediction to a predetermined category that differs from the true category of the original picture. In this scenario, conventional attack methods rely on the transferability of adversarial examples: the attacker selects a local surrogate network model to attack, and the resulting adversarial example is transferred to the attacked model to achieve the attack's purpose.
As shown in FIG. 1 and FIG. 2, the adversarial example attack method of the present invention specifically comprises the following steps S1 to S3:
S1, selecting a local surrogate network model, and constructing a feature library that maps the original picture into a feature space;
In this embodiment, the invention first establishes a local surrogate network model for image classification; neural network models such as DenseNet [6] or ResNet [7] may be used.
Taking the neural network model DenseNet-121 as an example, the output of its second dense block (DenseBlock) and the layer before the Softmax in its classification layer are selected as the attacked layers.
For each category in the validation set of the local surrogate network model, the invention computes, at the selected shallow and deep layers of the classification network respectively, the centroid of the pictures that the local surrogate network model classifies correctly, and constructs a feature library for each layer.
To address the classification task on complex data sets, the invention is explained using the ImageNet data set. For each category in the ImageNet validation set, the centroid c_j of all pictures that the surrogate model classifies correctly is computed at the selected shallow and deep layers of the classification network respectively, using the following formula:
c_j = (1/n) · Σ_{i=1}^{n} F_l(x_i^j),
where the sum runs over the pictures of category j that the surrogate model classifies correctly, i.e. whose predicted label equals y_j; n is the number of pictures of category j correctly classified by the local surrogate network model, F_l is the l-th layer of the local surrogate network model, x_i^j is the i-th picture of category j, and y_j is the true class label of category j.
A feature library is constructed for each selected layer by this method.
The method of the invention attacks the shallow-layer and deep-layer features of the network simultaneously, effectively disrupting both the global coarse information and the local detail information of the picture to generate a more aggressive adversarial example, and it can be extended to other attack methods based on feature-space disruption.
S2, using an iterative fast gradient sign attack method with momentum accumulation to separate the features of the original picture from the region of its original category while bringing them close to the region of the target category;
In this embodiment, the invention specifically comprises the following sub-steps:
S21, for each attacked original picture, selecting from the feature library of the l-th layer the centroid of the same category as the original picture as the negative sample f_l^n, randomly selecting the centroid of a different category as the positive sample f_l^p, and forming, together with the l-th layer feature f_l^a of the original picture, the triplet <f_l^a, f_l^p, f_l^n> of the triplet loss function;
S22, constructing the total loss function of the local surrogate network model from the triplet loss function;
The invention uses triplet loss functions on the shallow layer and the deep layer of the network respectively to construct the total loss function of the local surrogate network model, specifically:
L_total = L_l + L_k,
L_l = [D(f_l^a, f_l^p) - D(f_l^a, f_l^n) + θ_l]_+,
L_k = [D(f_k^a, f_k^p) - D(f_k^a, f_k^n) + θ_k]_+,
where L_total is the total loss; L_l and L_k are the triplet losses on the l-th and k-th layers respectively; D is the Euclidean distance function; f_l^a and f_k^a are the features of the original picture at the l-th and k-th layers respectively; f_l^n and f_k^n are the negative samples from the l-th and k-th layer feature libraries respectively; f_l^p and f_k^p are the positive samples from the l-th and k-th layer feature libraries respectively; θ_l and θ_k are the minimum margins required between the feature-to-positive-sample distance and the feature-to-negative-sample distance at the l-th and k-th layers respectively; and [·]_+ means that the bracketed value is taken as the loss when it is greater than zero, and the loss is zero when it is less than zero.
S23, generating a perturbation on the features of the original picture using an iterative fast gradient sign attack method with momentum accumulation, which specifically comprises the following steps:
S231, computing the partial derivative of the total loss function L_total with respect to the attacked original picture x, which yields the gradient of L_total with respect to x;
S232, computing the accumulated momentum g_{t+1} from the gradient of the total loss function:
(momentum update formula: image not preserved in the text)
where g_t is the momentum accumulated during the t-th iteration;
S233, computing the perturbation from the obtained momentum and adding it to the adversarial example picture x'_t of the t-th iteration to generate the adversarial example picture x'_{t+1} of the (t+1)-th iteration:
x'_{t+1} = x'_t - α · sign(g_{t+1})
where x'_{t+1} is the adversarial example picture of the (t+1)-th iteration, x'_t is the adversarial example picture of the t-th iteration, α is the perturbation step size of a single iteration, computed as the total perturbation step size divided by the number of iterations T, and sign() is the sign function, which outputs 1 when its argument is greater than 0, -1 when it is less than 0, and 0 when it equals 0;
To keep the distribution of the adversarial example picture consistent with the original input picture, every pixel of the (t+1)-th iteration's adversarial example picture is clipped to a value between 0 and 1, computed as:
x''_{t+1} = Clip(x'_{t+1}, 0, 1)
where x''_{t+1} is the clipped adversarial example picture, and Clip() is the clipping function, which sets the pixels of the adversarial example picture that are greater than 1 to 1.
S234, the above steps constitute one attack iteration; T iterations are performed in total, with the adversarial example x'_0 of the 0-th iteration initialized as the original input picture x, and the adversarial example picture of the T-th iteration is output as the final adversarial example.
The invention replaces the cross-entropy function of the existing MI-FGSM method with the triplet loss function, and by applying the triplet loss function in two intermediate layers of the model it achieves a coarse-to-fine attack process that disrupts, in the feature space, the information-rich regions of the picture that the model mainly attends to, thereby balancing the targeted-attack success rate well between the white-box and black-box scenarios.
S3, feeding the adversarial example obtained by the attack in step S2 into the black-box classification model, so that the model is misled into outputting the target class.
On classification tasks over complex data sets, the triplet loss function still keeps the features of the original picture as far as possible from the region of its true category while bringing them as close as possible to the region of the target category, which improves the final white-box targeted-attack success rate and even the black-box attack success rate. The method is simple and has a moderate number of parameters, so it is fast and convenient to use.
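The S1 to S3 procedure above (centroid feature library, triplet loss on two layers, momentum sign steps with clipping), reproduced as an added educational example on a constructed 2-D toy feature space; this is not code from the patent or its authors. The feature maps, the training points, the margins and the explicit choice of the target-class centroid as the positive sample are assumptions, and the momentum accumulation uses the MI-FGSM rule g_{t+1} = μ·g_t + ∇/‖∇‖₁ because the patent's own momentum formula is not preserved in the text.

```python
# Added educational example (not the patent's code): the feature-space
# procedure on a constructed 2-D toy so each formula can be followed.
import numpy as np


def build_feature_library(feature_map, images_by_class):
    """S1: one centroid per class, c_j = (1/n) * sum_i F_l(x_i^j), taken over
    the pictures of class j the surrogate classified correctly (the caller
    passes only those pictures)."""
    return {label: np.mean([feature_map(x) for x in imgs], axis=0)
            for label, imgs in images_by_class.items()}


def euclid(a, b):
    """D(): Euclidean distance between two feature vectors."""
    return float(np.linalg.norm(np.asarray(a, dtype=float) - np.asarray(b, dtype=float)))


def triplet_loss(anchor, positive, negative, margin):
    """L = [D(f^a, f^p) - D(f^a, f^n) + theta]_+ ; zero once the anchor is at
    least `margin` closer to the positive than to the negative."""
    return max(0.0, euclid(anchor, positive) - euclid(anchor, negative) + margin)


def total_loss(x, feature_maps, libraries, true_label, target_label, margins):
    """S21/S22: L_total = L_l + L_k, one triplet term per attacked layer.
    Negative = centroid of x's own class; positive = centroid of the target
    class (assumption: the targeted scenario fixes the class the patent's S21
    picks at random)."""
    return sum(triplet_loss(fm(x), lib[target_label], lib[true_label], theta)
               for fm, lib, theta in zip(feature_maps, libraries, margins))


def numeric_gradient(fn, x, h=1e-5):
    """S231: gradient of the total loss w.r.t. the input by central finite
    differences (stands in for autograd on a real network)."""
    x = np.asarray(x, dtype=float)
    grad = np.zeros_like(x)
    for i in range(x.size):
        step = np.zeros_like(x)
        step.flat[i] = h
        grad.flat[i] = (fn(x + step) - fn(x - step)) / (2 * h)
    return grad


def momentum_step(x_adv, grad, g_prev, mu, alpha):
    """S232/S233 plus clipping: accumulate momentum (assumed MI-FGSM rule,
    g_{t+1} = mu*g_t + grad/||grad||_1), take a sign step of size alpha, and
    clip every pixel to [0, 1]."""
    l1 = np.sum(np.abs(grad))
    g_next = mu * g_prev + (grad / l1 if l1 > 0 else 0.0)
    x_next = np.clip(x_adv - alpha * np.sign(g_next), 0.0, 1.0)  # x'' = Clip(x' - alpha*sign(g), 0, 1)
    return x_next, g_next


def feature_space_attack(x, feature_maps, libraries, true_label, target_label,
                         margins, total_step, iterations, mu=1.0):
    """S23/S234: T iterations from x'_0 = x with alpha = total_step / T.
    Returns the final input and the (initial, final) total loss."""
    def loss_fn(z):
        return total_loss(z, feature_maps, libraries, true_label, target_label, margins)
    alpha = total_step / iterations
    x_adv = np.asarray(x, dtype=float).copy()
    g = np.zeros_like(x_adv)
    initial = loss_fn(x_adv)
    for _ in range(iterations):
        x_adv, g = momentum_step(x_adv, numeric_gradient(loss_fn, x_adv), g, mu, alpha)
    return x_adv, initial, loss_fn(x_adv)


# Constructed toy (not from the patent): 2-D "pictures" already in [0, 1];
# the "shallow" layer is the identity and the "deep" layer scales by 2.
SHALLOW = lambda v: np.asarray(v, dtype=float)
DEEP = lambda v: 2.0 * np.asarray(v, dtype=float)
TRAIN = {0: [np.array([0.1, 0.2]), np.array([0.3, 0.2])],
         1: [np.array([0.7, 0.8]), np.array([0.9, 0.8])]}
LIB_SHALLOW = build_feature_library(SHALLOW, TRAIN)   # class 0 -> (0.2, 0.2), class 1 -> (0.8, 0.8)
LIB_DEEP = build_feature_library(DEEP, TRAIN)


def demo(total_step, iterations):
    """Perturb the class-0 picture (0.1, 0.2) toward class 1 and report whether
    its shallow feature ends up nearer the target centroid than its own."""
    x_adv, before, after = feature_space_attack(
        np.array([0.1, 0.2]), [SHALLOW, DEEP], [LIB_SHALLOW, LIB_DEEP],
        true_label=0, target_label=1, margins=[0.1, 0.1],
        total_step=total_step, iterations=iterations)
    f = SHALLOW(x_adv)
    nearer_target = euclid(f, LIB_SHALLOW[1]) < euclid(f, LIB_SHALLOW[0])
    return x_adv, before, after, nearer_target


if __name__ == "__main__":
    for budget, steps in ((0.5, 10), (1.0, 20)):
        x_adv, before, after, ok = demo(budget, steps)
        print(f"budget={budget} steps={steps} x_adv={np.round(x_adv, 3)} "
              f"loss {before:.3f} -> {after:.3f} nearer_target={ok}")
```

With the smaller budget the loss drops but the feature stays on its own side of the midpoint between the two centroids; the larger budget is enough for it to cross, which is the behaviour the margins θ_l, θ_k and the step size α = (total step)/T control.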
It will be appreciated by those of ordinary skill in the art that the embodiments described herein are intended to assist the reader in understanding the principles of the invention and are to be construed as being without limitation to such specifically recited embodiments and examples. Those skilled in the art can make various other specific changes and combinations based on the teachings of the present invention without departing from the spirit of the invention, and these changes and combinations are within the scope of the invention.

Claims (9)

1. A transferable adversarial example attack method based on an attention mechanism, characterized by comprising the following steps:
S1, selecting a local surrogate network model, and constructing a feature library that maps the original picture into a feature space;
S2, using an iterative fast gradient sign attack method with momentum accumulation to separate the features of the original picture from the region of its original category while bringing them close to the region of the target category; and
S3, feeding the adversarial example obtained by the attack in step S2 into the black-box classification model, so that the model is misled into outputting the target class.
2. The method of claim 1, wherein selecting a local surrogate network model in step S1 specifically comprises:
selecting a local surrogate network model for picture classification, taking an intermediate layer of the classification network as the shallow layer, and taking the layer before the Softmax of the classification network as the deep layer.
3. The attention-mechanism-based transferable adversarial example attack method of claim 2, wherein constructing a feature library that maps the original picture into the feature space in step S1 specifically comprises:
for each category in the validation set of the local surrogate network model, computing, at the selected shallow and deep layers of the classification network respectively, the centroid of all pictures that the local surrogate network model classifies correctly, thereby constructing a feature library for each layer.
4. The attention-mechanism-based transferable adversarial example attack method of claim 3, wherein the centroid of all pictures that the local surrogate network model classifies correctly is computed as:
c_j = (1/n) · Σ_{i=1}^{n} F_l(x_i^j),
where the sum runs over the pictures of category j that the surrogate model classifies correctly, i.e. whose predicted label equals y_j; n is the number of pictures of category j correctly classified by the local surrogate network model, F_l is the l-th layer of the local surrogate network model, x_i^j is the i-th picture of category j, and y_j is the true class label of category j.
5. The attention-mechanism-based transferable adversarial example attack method of claim 1, wherein step S2 comprises the following sub-steps:
S21, for each original picture, selecting from the feature library of the l-th layer the centroid of the same category as the original picture as the negative sample, randomly selecting the centroid of a different category as the positive sample, and forming a triplet loss function together with the l-th layer features of the original picture;
S22, constructing the total loss function of the local surrogate network model from the triplet loss function; and
S23, generating a perturbation on the features of the original picture using an iterative fast gradient sign attack method with momentum accumulation.
6. The attention-mechanism-based transferable adversarial example attack method of claim 5, wherein the total loss function of the local surrogate network model in step S22 is:
L_total = L_l + L_k
L_l = [D(f_l^a, f_l^p) - D(f_l^a, f_l^n) + θ_l]_+
L_k = [D(f_k^a, f_k^p) - D(f_k^a, f_k^n) + θ_k]_+
where L_total is the total loss; L_l and L_k are the triplet losses on the l-th and k-th layers respectively; D is the Euclidean distance function; f_l^a and f_k^a are the features of the original picture at the l-th and k-th layers respectively; f_l^n and f_k^n are the negative samples from the l-th and k-th layer feature libraries respectively; f_l^p and f_k^p are the positive samples from the l-th and k-th layer feature libraries respectively; θ_l and θ_k are the minimum margins required between the feature-to-positive-sample distance and the feature-to-negative-sample distance at the l-th and k-th layers respectively; and [·]_+ means that the bracketed value is taken as the loss when it is greater than zero, and the loss is zero when it is less than zero.
7. The attention-mechanism-based transferable adversarial example attack method of claim 5, wherein step S23 comprises the following sub-steps:
S231, computing the gradient of the total loss function with respect to the original picture;
S232, computing the accumulated momentum from the gradient of the total loss function;
S233, computing the perturbation from the obtained momentum and adding it to the adversarial example picture of the t-th iteration to generate the adversarial example picture of the (t+1)-th iteration; and
S234, performing T attack iterations on the original picture and outputting the adversarial example picture of the T-th iteration as the final adversarial example.
8. The method of claim 7, wherein step S233 generates the adversarial example picture of the (t+1)-th iteration as:
x'_{t+1} = x'_t - α · sign(g_{t+1})
where x'_{t+1} is the adversarial example picture of the (t+1)-th iteration, x'_t is the adversarial example picture of the t-th iteration, α is the perturbation step size of a single iteration, and sign() is the sign function, which outputs 1 when its argument is greater than 0, -1 when it is less than 0, and 0 when it equals 0.
9. The method of claim 8, wherein step S23 further comprises clipping every pixel of the (t+1)-th iteration's adversarial example picture to a value between 0 and 1, computed as:
x''_{t+1} = Clip(x'_{t+1}, 0, 1)
where x''_{t+1} is the clipped adversarial example picture, and Clip() is the clipping function, which sets the pixels of the adversarial example picture that are greater than 1 to 1.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010630136.6A CN111898645A (en) 2020-07-03 2020-07-03 Movable sample attack resisting method based on attention mechanism

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010630136.6A CN111898645A (en) 2020-07-03 2020-07-03 Movable sample attack resisting method based on attention mechanism

Publications (1)

Publication Number Publication Date
CN111898645A true CN111898645A (en) 2020-11-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201106