CN112215227A - Image target detection model attack method and device, terminal equipment and storage medium - Google Patents

Image target detection model attack method and device, terminal equipment and storage medium

Publication number
CN112215227A
Authority
CN
China
Prior art keywords
image
disturbance
sample
detection model
target detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011429970.5A
Other languages
Chinese (zh)
Other versions
CN112215227B (en
Inventor
黄兴森
张伟哲
束建钢
张宾
艾建文
刘鹏辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Peng Cheng Laboratory
Original Assignee
Peng Cheng Laboratory
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Peng Cheng Laboratory
Priority to CN202011429970.5A
Publication of CN112215227A
Application granted
Publication of CN112215227B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00 Arrangements for image or video recognition or understanding
    • G06V10/20 Image preprocessing
    • G06V10/25 Determination of region of interest [ROI] or a volume of interest [VOI]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V2201/00 Indexing scheme relating to image or video recognition or understanding
    • G06V2201/07 Target detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Artificial Intelligence (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Multimedia (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Image Analysis (AREA)

Abstract

The invention discloses an image target detection model attack method, which comprises the following steps: acquiring a sample image and disturbance image setting information input by a user, wherein the disturbance image setting information comprises the size and the shape of the image; generating a disturbance image based on the sample image and the disturbance image setting information; generating an adversarial sample based on the sample image and the disturbance image; and inputting the adversarial sample into the image target detection model for recognition so as to attack the image target detection model. Because the size and the shape of the disturbance image are set by the user, and the user's settings are random and uncertain, the difference between the adversarial sample and the sample image is not easily perceived by the naked eye, so the disturbance is well concealed and the attack strength is high. The invention also discloses an image target detection model attack device, terminal equipment and a storage medium, which improve the concealment of the disturbance and thereby improve the attack strength against the image target detection model.

Description

Image target detection model attack method and device, terminal equipment and storage medium
Technical Field
The present invention relates to the field of image processing, and in particular, to an image target detection model attack method, apparatus, terminal device, and storage medium.
Background
With the development of machine learning, image recognition is continuously perfected, and recognition accuracy is continuously improved.
However, after an adversarial perturbation is added to an image, the image target detection model can produce a completely different result. Therefore, to improve the robustness of the image target detection model, the model is usually subjected to adversarial attacks using adversarial samples. Different adversarial samples have different attack effects, and the greater the attack strength, the more stable the image target detection model is after the adversarial attack. The selection of adversarial samples therefore plays a crucial role in the robustness of the image target detection model.
An adversarial sample is generated by adding a disturbance image (i.e., the adversarial perturbation) to the sample image. However, with conventional adversarial samples, the difference between the adversarial sample and the sample image is easily perceived by the naked eye; that is, it is easy to see that the adversarial sample has been modified, so concealment is poor and the attack strength is reduced.
Disclosure of Invention
The main object of the invention is to provide an image target detection model attack method, an image target detection model attack device, a terminal device and a storage medium, with the aim of solving the technical problem that existing adversarial samples have low attack strength.
In order to achieve the above object, the present invention provides an image target detection model attack method, which is applied to a terminal device, and comprises the following steps:
acquiring a sample image and disturbance image setting information input by a user, wherein the disturbance image setting information comprises the size and the shape of the image;
generating a disturbance image based on the sample image and the disturbance image setting information;
generating an adversarial sample based on the sample image and the disturbance image;
and inputting the adversarial sample into an image target detection model for recognition so as to attack the image target detection model.
Optionally, the disturbance image setting information further includes: position information of the disturbance image on the sample image;
the step of generating an adversarial sample based on the sample image and the disturbance image comprises:
superimposing the disturbance image on the sample image based on the position information to obtain the adversarial sample.
Optionally, before the step of generating the adversarial sample based on the sample image and the disturbance image, the image target detection model attack method further includes the following steps:
increasing the transparency of the disturbance image;
the step of generating an adversarial sample based on the sample image and the disturbance image comprises:
generating the adversarial sample based on the sample image and the disturbance image with increased transparency.
Optionally, the step of generating a disturbance image based on the sample image and the disturbance image setting information includes:
generating an initial disturbance image based on the disturbance image setting information;
generating a disturbance image based on the sample image and the initial disturbance image.
Optionally, the step of generating a disturbance image based on the sample image and the initial disturbance image includes:
generating a disturbance image through a gradient-based disturbance generation algorithm according to the sample image and the initial disturbance image.
Optionally, before the step of generating a disturbance image based on the sample image and the disturbance image setting information, the image target detection model attack method further includes the following steps:
preprocessing the sample image;
the step of generating a disturbance image based on the sample image and the disturbance image setting information includes:
generating a disturbance image based on the preprocessed sample image and the disturbance image setting information.
Optionally, before the step of generating a disturbance image based on the sample image and the disturbance image setting information, the image target detection model attack method further includes the following steps:
acquiring an accuracy threshold and an iteration threshold;
after the step of inputting the adversarial sample into the image target detection model for recognition, the image target detection model attack method further comprises the following steps:
judging whether the accuracy of the image target detection model is smaller than the accuracy threshold;
if yes, the attack is successful;
if not, returning to the step of generating the disturbance image based on the sample image and the disturbance image setting information, and iterating until the number of iterations is equal to the iteration threshold.
In addition, in order to achieve the above object, the present invention further provides an image target detection model attack apparatus, including:
an acquisition module, used for acquiring a sample image and disturbance image setting information input by a user, wherein the disturbance image setting information comprises the size and the shape of the image;
a disturbance image generation module, used for generating a disturbance image based on the sample image and the disturbance image setting information;
an adversarial sample generation module, used for generating an adversarial sample based on the sample image and the disturbance image;
and an attack module, used for inputting the adversarial sample into the image target detection model for recognition so as to attack the image target detection model.
In addition, to achieve the above object, the present invention further provides a terminal device, including: a memory, a processor, and an image target detection model attack program stored on the memory and executable on the processor, wherein the image target detection model attack program, when executed by the processor, implements the steps of the image target detection model attack method.
In addition, in order to achieve the above object, the present invention further provides a storage medium, wherein the storage medium stores thereon an image target detection model attack program, and the image target detection model attack program, when executed by a processor, implements the steps of the image target detection model attack method according to any one of the above.
The technical scheme of the invention adopts an image target detection model attack method, which comprises the following steps: acquiring a sample image and disturbance image setting information, wherein the disturbance image setting information comprises the size and the shape of the image; generating a disturbance image based on the sample image and the disturbance image setting information; generating an adversarial sample based on the sample image and the disturbance image; and inputting the adversarial sample into an image target detection model for recognition so as to attack the image target detection model. Because the size and the shape of the disturbance image are set by the user, and the user's settings have randomness and uncertainty, the difference between the adversarial sample and the sample image is not easily perceived by the naked eye, the disturbance is well concealed, and the attack strength against the image target detection model is high.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the structures shown in the drawings without creative efforts.
FIG. 1 is a schematic structural diagram of a terminal device in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of an attack method for an image target detection model according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating an attack method for an image target detection model according to a second embodiment of the present invention;
FIG. 4 is a flowchart illustrating an attack method for an image target detection model according to a third embodiment of the present invention;
FIG. 5 is a detailed flowchart illustrating an attack method for an image target detection model according to a third embodiment of the present invention;
FIG. 6 is a detailed flowchart illustrating an attack method for an image target detection model according to a fourth embodiment of the present invention;
FIG. 7 is a schematic block diagram of an image target detection model attack apparatus according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a terminal device in a hardware operating environment according to an embodiment of the present invention.
The terminal device may be a User Equipment (UE) such as a Mobile phone, a smart phone, a notebook computer, a digital broadcast receiver, a Personal Digital Assistant (PDA), a tablet computer (PAD), a handheld device, a vehicle-mounted device, a wearable device, a computing device, a smart home device (e.g., a smart television, a refrigerator, a washing machine, an air conditioner, a range hood, etc.), a monitoring device or other processing device connected to a wireless modem, a Mobile Station (MS), etc., and the terminal device station may be a control panel light smart home device. The device may be referred to as a user terminal, portable terminal, desktop terminal, etc.
In general, a terminal device includes: at least one processor 301, a memory 302, and an image target detection model attack program stored on the memory and executable on the processor, the image target detection model attack program being configured to implement the steps of the image target detection model attack method as described in any one of the following embodiments.
The processor 301 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and so on. The processor 301 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 301 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, and is also called a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 301 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content required to be displayed on the display screen. The processor 301 may further include an AI (Artificial Intelligence) processor for processing operations related to the attack method of the image target detection model, so that the attack method model of the image target detection model may be trained and learned autonomously, thereby improving efficiency and accuracy.
Memory 302 may include one or more computer-readable storage media, which may be non-transitory. Memory 302 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 302 is used to store at least one instruction for execution by processor 301 to implement the image target detection model attack method provided by method embodiments herein.
In some embodiments, the terminal may further include: a communication interface 303 and at least one peripheral device. The processor 301, the memory 302 and the communication interface 303 may be connected by a bus or signal lines. Various peripheral devices may be connected to communication interface 303 via a bus, signal line, or circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 304, a display screen 305, and a power source 306.
The communication interface 303 may be used to connect at least one peripheral device related to I/O (Input/Output) to the processor 301 and the memory 302. In some embodiments, processor 301, memory 302, and communication interface 303 are integrated on the same chip or circuit board; in some other embodiments, any one or two of the processor 301, the memory 302 and the communication interface 303 may be implemented on a single chip or circuit board, which is not limited in this embodiment.
The Radio Frequency circuit 304 is used for receiving and transmitting RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuitry 304 communicates with communication networks and other communication devices via electromagnetic signals. The rf circuit 304 converts an electrical signal into an electromagnetic signal to transmit, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 304 comprises: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuitry 304 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: metropolitan area networks, various generations of mobile communication networks (2G, 3G, 4G, and 5G), Wireless local area networks, and/or WIFI (Wireless Fidelity) networks. In some embodiments, the rf circuit 304 may further include NFC (Near Field Communication) related circuits, which are not limited in this application.
The display screen 305 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display screen 305 is a touch display screen, the display screen 305 also has the ability to capture touch signals on or over the surface of the display screen 305. The touch signal may be input to the processor 301 as a control signal for processing. At this point, the display screen 305 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, the display screen 305 may be one, the front panel of the electronic device; in other embodiments, the display screens 305 may be at least two, respectively disposed on different surfaces of the electronic device or in a folded design; in still other embodiments, the display screen 305 may be a flexible display screen disposed on a curved surface or a folded surface of the electronic device. Even further, the display screen 305 may be arranged in a non-rectangular irregular figure, i.e. a shaped screen. The Display screen 305 may be made of LCD (liquid crystal Display), OLED (Organic Light-Emitting Diode), and the like.
The power supply 306 is used to power various components in the electronic device. The power source 306 may be alternating current, direct current, disposable or rechargeable. When the power source 306 includes a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not constitute a limitation of the terminal device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
In addition, an embodiment of the present invention further provides a storage medium, where an image target detection model attack program is stored on the storage medium, and when the image target detection model attack program is executed by a processor, the steps of the image target detection model attack method according to any of the following embodiments are implemented. A detailed description is therefore omitted here, and the beneficial effects, which are the same as those of the method, are likewise not repeated. For technical details not disclosed in the embodiments of the computer-readable storage medium referred to in the present application, reference is made to the description of the method embodiments of the present application. By way of example, the program instructions may be deployed to be executed on one computing device, or on multiple computing devices at one site, or distributed across multiple sites and interconnected by a communication network.
It will be understood by those skilled in the art that all or part of the processes in the methods of any of the following embodiments may be implemented by a computer program to instruct associated hardware, where the first image target detection model attack program or the second image target detection model attack program may be stored in a computer readable storage medium, and when executed, may include the processes of the embodiments of the methods as described below. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
Based on the hardware structure, the embodiment of the image target detection model attack method is provided.
Referring to fig. 2, fig. 2 is a schematic flowchart of a first embodiment of an image target detection model attack method according to the present invention, where the image target detection model attack method includes the following steps:
Step S11: acquiring the sample image and the disturbance image setting information input by the user.
In this embodiment, the sample image may be any image to be identified, wherein the number of the sample images may be flexibly set according to actual needs.
In this embodiment, the disturbance image setting information includes an image size and a shape. The image size can be flexibly set according to actual needs, for example, 10%, 5%, and the like of the sample image size can be set. The shape of the image can be flexibly set according to actual needs, for example, the image can be set to be a standard geometric shape such as a triangle, a square, a rectangle and the like, and can also be set to be a non-standard geometric shape such as cartoon figures such as a cat, a dog and the like.
In this embodiment, the setting information of the disturbance image input by the user is acquired. Wherein the user can set the disturbance image setting information through a user input interface (e.g., a touch display screen, an audio pickup device, etc.). For example, a user may issue disturbance image setting information to the image target detection model attack apparatus by drawing a closed graph on the touch display screen, where the size of the closed graph is the size of the disturbance image, and the shape of the closed graph is the shape of the disturbance image. Of course, the user can also issue the disturbed image setting information to the image target detection model attack device based on other user input interfaces.
Step S12: generating a disturbance image based on the sample image and the disturbance image setting information.
In this embodiment, after the sample image and the setting information of the disturbance image are acquired, the disturbance image is generated based on the sample image and the setting information of the disturbance image, and the size and the shape of the generated disturbance image are consistent with those of the image in the setting information of the disturbance image.
In some embodiments, step S12 includes:
Step S121: generating an initial disturbance image based on the disturbance image setting information.
In this embodiment, an initial disturbance image is generated based on the disturbance image setting information, where the shape and size of the initial disturbance image are consistent with those of the image in the disturbance image setting information. The pixel values of the pixels in the initial disturbance image can be flexibly set according to actual needs, for example, the pixel values can be all set to 0; or set to other values.
Step S122: generating a disturbance image based on the sample image and the initial disturbance image.
After the initial disturbance image is generated, a disturbance image is generated based on the sample image and the initial disturbance image.
In this embodiment, step S122 may include: generating a disturbance image from the sample image and the initial disturbance image through a preset disturbance generation algorithm. That is to say, according to the sample image and the initial disturbance image, each pixel of the initial disturbance image is trained through the preset disturbance generation algorithm to obtain the pixel value of each pixel, so that the disturbance image is obtained. The preset disturbance generation algorithm can be flexibly designed according to actual needs.
For example, in some embodiments, the preset disturbance generation algorithm may be an optimization-based disturbance generation algorithm, or an improvement of an optimization-based disturbance generation algorithm. Optimization-based disturbance generation algorithms include C&W (the Carlini and Wagner attack) and the like.
For another example, in some embodiments, according to the characteristics of the actual data, and in order to improve the attack strength, the preset disturbance generation algorithm may be a gradient-based disturbance generation algorithm or an improvement of a gradient-based disturbance generation algorithm, where gradient-based disturbance generation algorithms include FGSM (Fast Gradient Sign Method), PGD (Projected Gradient Descent), MIM (Momentum Iterative Method), and the like. In this case, step S122 includes: generating a disturbance image through a gradient-based disturbance generation algorithm according to the sample image and the initial disturbance image.
Step S13: generating an adversarial sample based on the sample image and the disturbance image.
In this embodiment, after the disturbance image is generated, the disturbance image is superimposed on the sample image to obtain an adversarial sample.
In some embodiments, step S13 includes: superimposing the disturbance image at an arbitrary position on the sample image to obtain an adversarial sample.
In some embodiments, the disturbance image setting information further comprises position information of the disturbance image on the sample image. In this case, step S13 includes: superimposing the disturbance image on the sample image based on the position information in the disturbance image setting information to obtain an adversarial sample. For example, the position information in the disturbance image setting information may specify that the disturbance image is overlaid on the upper left corner of the sample image.
Step S14: inputting the adversarial sample into the image target detection model for recognition so as to attack the image target detection model.
The image target detection model is used for detecting objects in the image, for example, in the field of automatic driving, people, vehicles, obstacles and the like appearing in the driving process are detected through the image target detection model.
The adversarial sample is input into the image target detection model so that the image target detection model recognizes the adversarial sample, thereby attacking the image target detection model.
The image target detection model attack method provided by this embodiment comprises the following steps: acquiring a sample image and disturbance image setting information input by a user, wherein the disturbance image setting information comprises the size and the shape of the image; generating a disturbance image based on the sample image and the disturbance image setting information; generating an adversarial sample based on the sample image and the disturbance image; and inputting the adversarial sample into the image target detection model for recognition so as to attack the image target detection model. That is, in this embodiment the size and the shape of the disturbance image are set by the user, and the user's settings have randomness and uncertainty. Compared with an adversarial sample generated from a disturbance image of fixed size and shape, the difference between the sample image and the adversarial sample generated in this embodiment is not easily perceived by the naked eye, and the disturbance is well concealed, thereby improving the attack strength.
Based on the first embodiment, the second embodiment of the image target detection model attack method is provided. In this embodiment, referring to fig. 3, before step S13, the image target detection model attack method further includes the following steps:
Step S15: increasing the transparency of the disturbance image.
In this embodiment, after the disturbance image is generated, its transparency is increased in order to improve concealment; the higher the transparency, the more transparent the image. The manner of increasing the transparency can be set flexibly according to actual needs.
For example, in some embodiments, step S15 includes: adjusting the transparency of the disturbance image to a preset transparency threshold. That is, a transparency value is set as the transparency threshold, and after the disturbance image is generated, its transparency is adjusted to that threshold. The transparency threshold can be set flexibly according to actual needs, for example to 90% or 80%. In one example, assuming that the preset transparency threshold is 95% and the transparency of the generated disturbance image is 50%, the transparency of the disturbance image is adjusted to 95%.
In some embodiments, step S15 includes: increasing the transparency of the disturbance image by a preset transparency increment. That is, a transparency value is set as the transparency increment, and after the disturbance image is generated, its transparency is increased by that increment. The transparency increment can be set flexibly according to actual needs, for example to 10% or 20%. In one example, assuming that the preset transparency increment is 15% and the transparency of the generated disturbance image is 60%, the transparency of the disturbance image is increased by 15%, that is, the transparency of the disturbance image is 75% after the adjustment.
In some embodiments, step S15 includes: increasing the transparency of the disturbance image based on a preset transparency increase ratio. That is, a transparency increase ratio is set, and after the disturbance image is generated, its transparency is increased based on that ratio, where transparency after the increase = (1 + transparency increase ratio) × transparency before the increase. The transparency increase ratio can be set flexibly according to actual needs, for example to 0.1 or 0.2. In one example, assuming that the preset transparency increase ratio is 0.1 and the transparency of the generated disturbance image is 80%, the transparency of the disturbance image after the adjustment is (1 + 0.1) × 80% = 88%.
In this embodiment, step S13 includes: generating an adversarial sample based on the sample image and the disturbance image whose transparency has been increased.
That is, the disturbance image with increased transparency is superimposed on the sample image to obtain the adversarial sample. Because the superimposed disturbance image is more transparent, the adversarial sample is not easily distinguished by the naked eye, which improves concealment and attack strength.
According to the image target detection model attack method of this embodiment, after the disturbance image is generated, its transparency is first increased, and the adversarial sample is then generated based on the sample image and the disturbance image with increased transparency. Compared with generating the adversarial sample directly from the disturbance image and the sample image, the adversarial sample in this embodiment is harder to distinguish from the sample image by the naked eye, which improves the concealment of the disturbance and the attack strength against the image target detection model.
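The three ways of raising transparency in step S15 and the superposition in step S13 can be made concrete as follows. This is an added example, not code from the patent; the function names, the grayscale nested-list image format, the blend formula (transparency × sample pixel + (1 − transparency) × disturbance pixel) and the clamping at 100% are assumptions.

```python
from enum import Enum


class Mode(Enum):
    THRESHOLD = "threshold"   # set transparency to a preset value
    INCREMENT = "increment"   # add a preset amount (0.15 means 15 points)
    RATIO = "ratio"           # multiply by (1 + ratio)


def raise_transparency(current, mode, value):
    """Step S15: return the raised transparency as a fraction in [0, 1].

    1.0 means fully transparent. Assumptions not stated in the patent:
    the result is clamped at 1.0 and is never lower than `current`.
    """
    if not 0.0 <= current <= 1.0:
        raise ValueError("current transparency must be within [0, 1]")
    if value < 0:
        raise ValueError("value must be non-negative")
    if mode is Mode.THRESHOLD:
        raised = value
    elif mode is Mode.INCREMENT:
        raised = current + value
    elif mode is Mode.RATIO:
        raised = current * (1.0 + value)
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    return min(1.0, max(current, raised))


def superimpose(sample, disturbance, top, left, transparency):
    """Step S13: blend `disturbance` onto a copy of `sample` at (top, left).

    Images are row-major lists of 0..255 grayscale values (an assumed
    format). Disturbance pixels falling outside the sample are ignored.
    """
    result = [row[:] for row in sample]
    for r, row in enumerate(disturbance):
        for c, pixel in enumerate(row):
            y, x = top + r, left + c
            if 0 <= y < len(result) and 0 <= x < len(result[y]):
                blended = transparency * sample[y][x] + (1.0 - transparency) * pixel
                result[y][x] = round(blended)
    return result


def max_pixel_change(sample, result):
    """Largest absolute per-pixel difference between two same-sized images."""
    return max(abs(a - b) for ra, rb in zip(sample, result) for a, b in zip(ra, rb))


if __name__ == "__main__":
    # Constructed input: a flat 4x4 sample and a flat 2x2 disturbance image.
    sample = [[100] * 4 for _ in range(4)]
    disturbance = [[200] * 2 for _ in range(2)]
    before = superimpose(sample, disturbance, 1, 1, 0.50)
    raised = raise_transparency(0.50, Mode.THRESHOLD, 0.95)
    after = superimpose(sample, disturbance, 1, 1, raised)
    print(max_pixel_change(sample, before), max_pixel_change(sample, after))
```

With the constructed input, raising transparency from 50% to the 95% threshold of the example above shrinks the largest pixel change from 50 to 5 gray levels, which is the magnitude any pixel-difference check on the result would have to resolve.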
Based on the first embodiment, a third embodiment of the image target detection model attack method is provided. In this embodiment, referring to fig. 4, before step S12, the image target detection model attack method further includes the following steps:
Step S16: acquiring an accuracy threshold and an iteration number threshold.
The accuracy threshold can be set flexibly according to actual needs, for example to 50%, 60%, or 70%.
In this embodiment, the execution order of step S16 and step S11 is not limited: step S11 may be executed before step S16, step S16 may be executed before step S11, or the two steps may be executed simultaneously.
The iteration number threshold can be set flexibly according to actual needs, for example to 3, 5, or 6 iterations.
After step S14, the image target detection model attack method further includes the following steps:
Step S17: judging whether the accuracy of the image target detection model is smaller than the accuracy threshold.
In this embodiment, after the adversarial sample is input into the image target detection model for identification, the recognition accuracy of the image target detection model is obtained, and it is determined whether the recognition accuracy of the image target detection model for the adversarial sample is smaller than the accuracy threshold.
Step S18: if yes, the attack is successful.
If the recognition accuracy of the image target detection model for the adversarial sample is smaller than the accuracy threshold, the attack is successful and the process ends.
After the attack is successful, the image target detection model can be trained based on the adversarial sample, so as to improve the recognition accuracy and robustness of the image target detection model.
Step S19: if not, returning to step S12 and iterating until the number of iterations is equal to the iteration number threshold.
That is, if the recognition accuracy of the image target detection model for the adversarial sample is greater than the accuracy threshold, the process returns to step S12 and the next iteration is performed; one pass from step S12 to step S19 is called an iteration. In other words, if the recognition accuracy is not smaller than the accuracy threshold, the disturbance image is regenerated based on the sample image and the disturbance image setting information, a new adversarial sample is generated based on the sample image and the new disturbance image, and the new adversarial sample is input into the image target detection model for recognition, so as to attack the image target detection model again. In short, if the recognition accuracy of the image target detection model for the adversarial sample is not smaller than the accuracy threshold, the process returns to step S12 for the next round of attack.
To avoid infinite iteration, the iteration ends when the number of iterations reaches the iteration number threshold.
In some embodiments, a new disturbance image may be generated based on the sample image and a historical disturbance image (i.e., a disturbance image generated during an earlier iteration, for example the one generated during the previous iteration). In one example, during the first iteration, step S12 includes: generating an initial disturbance image based on the disturbance image setting information, and generating a first disturbance image through a preset disturbance generation algorithm according to the sample image and the initial disturbance image; during the second iteration, step S12 includes: generating a second disturbance image through the preset disturbance generation algorithm according to the sample image and the first disturbance image (that is, training the first disturbance image according to the sample image and the preset disturbance generation algorithm to obtain the second disturbance image); during the third iteration, step S12 includes: generating a third disturbance image through the preset disturbance generation algorithm according to the sample image and the second disturbance image; during the fourth iteration, step S12 includes: generating a fourth disturbance image through the preset disturbance generation algorithm according to the sample image and the third disturbance image; subsequent disturbance images are generated according to the same rule until the iteration ends.
In some embodiments, referring to fig. 5, step S19 includes:
Step S191: if not, acquiring the number of iterations.
In this embodiment, the number of iterations is recorded during program execution. If the recognition accuracy of the image target detection model for the adversarial sample is greater than the accuracy threshold, the recorded number of iterations is acquired.
Step S192: judging whether the number of iterations is smaller than the iteration number threshold.
After the number of iterations is acquired, it is determined whether the number of iterations is smaller than the iteration number threshold.
Step S193: if the number of iterations is smaller than the iteration number threshold, returning to step S12.
If the number of iterations is smaller than the iteration number threshold, the process returns to step S12 for the next iteration.
Step S194: if the number of iterations is equal to the iteration number threshold, the attack fails.
If the number of iterations is equal to the iteration number threshold, the attack has failed and the iteration ends.
According to the image target detection model attack method of this embodiment, when the recognition accuracy of the image target detection model for the adversarial sample is lower than the accuracy threshold, the attack is successful; when it is higher than the accuracy threshold, the adversarial sample is regenerated and the image target detection model is attacked again, until the number of iterations reaches the iteration number threshold. That is, when the recognition accuracy of the image target detection model for the adversarial sample is not lower than the accuracy threshold, the image target detection model is attacked multiple times, and the robustness of the image target detection model is thereby improved.
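The control flow of steps S16 to S194, including the chaining of disturbance images between iterations, as an added example that is not code from the patent. The names `run_iterations` and `IterationResult`, and the caller-supplied `generate`, `compose` and `evaluate` callables, are assumptions standing in for steps S12, S13 and S14, whose internals depend on the model under test.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, List


@dataclass
class IterationResult:
    succeeded: bool                 # True: accuracy fell below the threshold (S18)
    iterations: int                 # iterations actually executed
    accuracy_history: List[float] = field(default_factory=list)
    final_disturbance: Any = None   # disturbance image of the last iteration


def run_iterations(
    sample: Any,
    initial_disturbance: Any,
    generate: Callable[[Any, Any], Any],   # S12: (sample, previous disturbance)
    compose: Callable[[Any, Any], Any],    # S13: (sample, disturbance)
    evaluate: Callable[[Any], float],      # S14: accuracy on the adversarial sample
    accuracy_threshold: float,
    iteration_threshold: int,
) -> IterationResult:
    """Repeat S12 to S19 until accuracy < threshold or the iteration cap is hit."""
    if not 0.0 <= accuracy_threshold <= 1.0:
        raise ValueError("accuracy_threshold must be within [0, 1]")
    if iteration_threshold < 1:
        raise ValueError("iteration_threshold must be at least 1")

    disturbance = initial_disturbance
    history: List[float] = []
    for iteration in range(1, iteration_threshold + 1):
        # Each iteration starts from the previous iteration's disturbance image.
        disturbance = generate(sample, disturbance)
        adversarial = compose(sample, disturbance)
        accuracy = evaluate(adversarial)
        history.append(accuracy)
        # S17/S18: strictly smaller than the threshold counts as success;
        # an accuracy equal to the threshold takes the "if not" branch (S19).
        if accuracy < accuracy_threshold:
            return IterationResult(True, iteration, history, disturbance)
    # S194: the cap was reached without the accuracy dropping below the threshold.
    return IterationResult(False, iteration_threshold, history, disturbance)
```

The returned accuracy history records how the model's accuracy moved from one iteration to the next, which is the measurement a robustness evaluation would keep alongside the final verdict.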
Based on the third embodiment, a fourth embodiment of the image target detection model attack method is provided. In this embodiment, referring to fig. 6, before step S12, the image target detection model attack method further includes the following steps:
Step S20: preprocessing the sample image.
In this embodiment, the manner of preprocessing the sample image can be set flexibly according to actual needs. In some examples, preprocessing the sample image includes: processing the sample image into a sample image of a preset size.
In this case, step S12 includes: generating a disturbance image based on the preprocessed sample image and the disturbance image setting information.
Step S13 includes: generating an adversarial sample based on the preprocessed sample image and the disturbance image.
According to the image target detection model attack method of this embodiment, after the sample image and the disturbance image setting information are acquired, the sample image is preprocessed, which avoids the situation in which the sample image cannot be used.
In this embodiment, on the basis of the foregoing embodiments of the image target detection model attack method, an image target detection model attack apparatus is provided. Referring to fig. 6, which is a schematic block diagram of the image target detection model attack apparatus according to the present invention, the image target detection model attack apparatus includes:
an acquisition module 11, configured to acquire a sample image and disturbance image setting information input by a user, where the disturbance image setting information includes an image size and an image shape;
a disturbance image generation module 12, configured to generate a disturbance image based on the sample image and the disturbance image setting information;
an adversarial sample generation module 13, configured to generate an adversarial sample based on the sample image and the disturbance image;
and an attack module 14, configured to input the adversarial sample into the image target detection model for identification, so as to attack the image target detection model.
It should be noted that the image target detection model attack apparatus may further optionally include a corresponding module to implement other steps of the image target detection model attack method.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only an alternative embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications and equivalents of the present invention, which are made by the contents of the present specification and the accompanying drawings, or directly/indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. An image target detection model attack method, characterized by comprising the following steps:
acquiring a sample image and disturbance image setting information input by a user, wherein the disturbance image setting information comprises an image size and an image shape;
generating a disturbance image based on the sample image and the disturbance image setting information;
generating an adversarial sample based on the sample image and the disturbance image;
and inputting the adversarial sample into an image target detection model for identification, so as to attack the image target detection model.
2. The image target detection model attack method of claim 1, wherein the disturbance image setting information further comprises: position information of the disturbance image on the sample image;
the step of generating an adversarial sample based on the sample image and the disturbance image comprises:
superimposing the disturbance image on the sample image based on the position information to obtain the adversarial sample.
3. The image target detection model attack method of claim 1, wherein prior to the step of generating an adversarial sample based on the sample image and the disturbance image, the image target detection model attack method further comprises the steps of:
increasing the transparency of the disturbance image;
the step of generating an adversarial sample based on the sample image and the disturbance image comprises:
generating an adversarial sample based on the sample image and the disturbance image whose transparency has been increased.
4. The image target detection model attack method of claim 1, wherein the step of generating a disturbance image based on the sample image and the disturbance image setting information comprises:
generating an initial disturbance image based on the disturbance image setting information;
generating a disturbance image based on the sample image and the initial disturbance image.
5. The image target detection model attack method of claim 4, wherein the step of generating a disturbance image based on the sample image and the initial disturbance image comprises:
generating a disturbance image through a gradient-based disturbance generation algorithm according to the sample image and the initial disturbance image.
6. The image target detection model attack method according to claim 1, wherein before the step of generating a disturbance image based on the sample image and the disturbance image setting information, the image target detection model attack method further comprises the steps of:
preprocessing the sample image;
the step of generating a disturbance image based on the sample image and the disturbance image setting information comprises:
generating a disturbance image based on the preprocessed sample image and the disturbance image setting information;
the step of generating an adversarial sample based on the sample image and the disturbance image comprises:
generating an adversarial sample based on the preprocessed sample image and the disturbance image.
7. The image target detection model attack method according to claim 1, wherein before the step of generating a disturbance image based on the sample image and the disturbance image setting information, the image target detection model attack method further comprises the steps of:
acquiring an accuracy threshold and an iteration number threshold;
after the step of inputting the adversarial sample into the image target detection model for identification, the image target detection model attack method further comprises the following steps:
judging whether the accuracy of the image target detection model is smaller than the accuracy threshold;
if yes, the attack is successful;
if not, returning to the step of generating the disturbance image based on the sample image and the disturbance image setting information, and iterating until the number of iterations is equal to the iteration number threshold.
8. An image target detection model attack apparatus, characterized in that the image target detection model attack apparatus comprises:
an acquisition module, configured to acquire a sample image and disturbance image setting information input by a user, wherein the disturbance image setting information comprises an image size and an image shape;
a disturbance image generation module, configured to generate a disturbance image based on the sample image and the disturbance image setting information;
an adversarial sample generation module, configured to generate an adversarial sample based on the sample image and the disturbance image;
and an attack module, configured to input the adversarial sample into the image target detection model for identification, so as to attack the image target detection model.
9. A terminal device, characterized in that the terminal device comprises: a memory, a processor and an image object detection model attack program stored on the memory and running on the processor, the image object detection model attack program when executed by the processor implementing the steps of the image object detection model attack method according to any one of claims 1 to 7.
10. A storage medium having stored thereon an image object detection model attack program which, when executed by a processor, implements the steps of the image object detection model attack method according to any one of claims 1 to 7.
CN202011429970.5A 2020-12-09 2020-12-09 Image target detection model attack method and device, terminal equipment and storage medium Active CN112215227B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011429970.5A CN112215227B (en) 2020-12-09 2020-12-09 Image target detection model attack method and device, terminal equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112215227A true CN112215227A (en) 2021-01-12
CN112215227B CN112215227B (en) 2021-04-09

Family

ID=74068158

Country Status (1)

Country Link
CN (1) CN112215227B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant