CN112232446A - Picture identification method and device, training method and device, and generation method and device - Google Patents


Publication number
CN112232446A
Authority
CN
China
Prior art keywords
picture
back door
sample
training
backdoor
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011441915.8A
Other languages
Chinese (zh)
Inventor
张伟哲
武化龙
罗晨光
黄兴森
周颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Peng Cheng Laboratory
Original Assignee
Peng Cheng Laboratory
Application filed by Peng Cheng Laboratory
Priority to CN202011441915.8A
Publication of CN112232446A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06T IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T1/00 General purpose image data processing
    • G06T1/0021 Image watermarking

Abstract

The invention relates to the technical field of artificial intelligence and discloses a picture identification method and device, a training method and device for a backdoor attack model, a generation method and device for a backdoor sample picture with a blind watermark, and a computer-readable storage medium. The method comprises: obtaining sample data, wherein the sample data comprises a training sample and a host picture and a backdoor picture that meet preset conditions; processing the host picture and the backdoor picture using fast Fourier transform and inverse transform algorithms to generate a backdoor sample picture with a blind watermark; and inputting the training sample and the backdoor sample picture into a neural network model for model training to obtain a backdoor attack model. This solves the problem of poor concealment of backdoor attacks in the related art.

Description

Picture identification method and device, training method and device, and generation method and device
Technical Field
The invention relates to the technical field of artificial intelligence, in particular to a picture identification method and device, a training method and device of a backdoor attack model, a generation method and device of a backdoor sample picture with blind watermarks and a computer readable storage medium.
Background
With the development of artificial intelligence, picture recognition is continuously perfected, and recognition accuracy is continuously improved.
In the related art, a backdoor attack model is mainly obtained by training on pictures in which local pixels have been changed, but a backdoor attack model trained in this way has poor concealment, which reduces the strength of the backdoor attack.
Disclosure of Invention
The invention mainly aims to provide a picture identification method and device, a training method and device of a back door attack model, a generation method and device of a back door sample picture with blind watermarks and a computer readable storage medium, and aims to improve the concealment of back door attacks.
In order to achieve the above object, the present invention provides a picture identification method, including:
acquiring a backdoor picture to be identified;
inputting the backdoor picture to be identified into a backdoor attack model for identification, and outputting an identification result;
the back door attack model is obtained by training according to a back door sample picture with a blind watermark.
Optionally, before the step of obtaining the backdoor picture to be identified, the picture identification method further includes:
acquiring sample data; the sample data comprises a training sample, a host picture and a backdoor picture which meet preset conditions;
processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark;
and inputting the training sample and the backdoor sample picture into a neural network model for model training to obtain a backdoor attack model.
In addition, in order to achieve the above object, the present invention further provides a training method of a back door attack model, where the training method of the back door attack model includes:
acquiring sample data; the sample data comprises a training sample, a host picture and a backdoor picture which meet preset conditions;
processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark;
and inputting the training sample and the backdoor sample picture into a neural network model for model training to obtain a backdoor attack model.
Optionally, the preset conditions include:
H1 is less than one half of H2, and W1 is less than W2; wherein H1 is the height of the backdoor picture, H2 is the minimum height among all the host pictures, W1 is the width of the backdoor picture, and W2 is the minimum width among all the host pictures.
Optionally, the step of processing the host picture and the back door picture by using fast fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark includes:
processing the pixel point value of the host picture by using a fast Fourier transform algorithm to generate a target host picture;
adding the pixel point value of the target host picture and the pixel point value of the back door picture to obtain an addition result;
and processing the addition result by using an inverse fast Fourier transform algorithm to generate a back door sample picture with a blind watermark.
Optionally, before the step of inputting the training sample and the backdoor sample picture into a neural network model for model training to obtain a backdoor attack model, the training method for the backdoor attack model further includes:
changing the label of the back door sample picture;
inputting the training sample and the backdoor sample picture into a neural network model for model training, wherein the step of obtaining a backdoor attack model comprises the following steps:
and inputting the training samples and the back door sample pictures with the changed labels into a neural network model for model training to obtain a back door attack model.
Optionally, the step of inputting the training sample and the back door sample picture with the changed label into a neural network model for model training to obtain a back door attack model includes:
determining the quantity proportion of the training samples and the back door sample pictures with the changed labels according to a preset proportion threshold;
inputting the training samples in the quantity proportion and the back door sample pictures with the changed labels into a neural network model for model training to obtain a back door attack model.
Optionally, after the step of inputting the training sample and the backdoor sample picture into a neural network model for model training to obtain a backdoor attack model, the training method for the backdoor attack model further includes:
acquiring detection sample data; the detection sample data comprises a detection sample picture without a blind watermark and a detection sample picture with a blind watermark;
and inputting the detection sample data into the backdoor attack model, and outputting a detection result to realize the detection of the backdoor attack model.
In addition, in order to achieve the above object, the present invention further provides a method for generating a back door sample picture with a blind watermark, where the method for generating the back door sample picture with the blind watermark includes:
acquiring a host picture and a backdoor picture which meet preset conditions; wherein the preset conditions include that H1 is less than one-half H2, W1 is less than W2, where H1 is the height of the back door picture, H2 is the minimum height in all the host pictures, W1 is the width of the back door picture, and W2 is the minimum width in all the host pictures;
and processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark.
Optionally, the preset conditions include:
H1 is less than one half of H2, and W1 is less than W2, where H1 is the height of the backdoor picture, H2 is the minimum height among all the host pictures, W1 is the width of the backdoor picture, and W2 is the minimum width among all the host pictures;
and processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark.
In addition, to achieve the above object, the present invention provides an image recognition apparatus, including:
the first acquisition module is used for acquiring a backdoor picture to be identified;
the identification module is used for inputting the backdoor picture to be identified into a backdoor attack model for identification; the back door attack model is obtained by training according to a back door sample picture with a blind watermark;
and the output module is used for outputting the identification result.
In addition, to achieve the above object, the present invention further provides a training device for a back door attack model, including:
the second acquisition module is used for acquiring sample data; the sample data comprises a training sample, a host picture and a backdoor picture which meet preset conditions;
the first generation module is used for processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark;
and the training module is used for inputting the training samples and the backdoor sample pictures into a neural network model for model training to obtain a backdoor attack model.
In addition, in order to achieve the above object, the present invention further provides a device for generating a back door sample picture with blind watermark, where the device for generating a back door sample picture with blind watermark includes:
the third acquisition module is used for acquiring a host picture and a backdoor picture which meet preset conditions;
and the second generation module is used for processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark.
Furthermore, to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a picture recognition program which, when executed by a processor, implements the steps of the picture recognition method as described above; alternatively, the computer readable storage medium has stored thereon a training program of the back door attack model, which when executed by the processor implements the steps of the training method of the back door attack model as described above.
According to the technical solution provided by the invention, a backdoor picture to be identified is acquired and then input into a backdoor attack model for identification, and an identification result is output, wherein the backdoor attack model is obtained by training on a backdoor sample picture with a blind watermark; this solves the problem of poor concealment of backdoor attacks in the related art. That is, the backdoor picture to be identified is identified by a backdoor attack model trained on a backdoor sample picture with a blind watermark, so that the backdoor attack is more concealed.
According to the technical solution provided by the invention, sample data is also obtained, wherein the sample data comprises a training sample and a host picture and a backdoor picture that meet preset conditions; the host picture and the backdoor picture are then processed using fast Fourier transform and inverse transform algorithms to generate a backdoor sample picture with a blind watermark, and the training sample and the backdoor sample picture are input into a neural network model for model training to obtain a backdoor attack model; this solves the problem of poor concealment of backdoor attacks in the related art. That is, a backdoor sample picture with a blind watermark is generated using fast Fourier transform and inverse transform algorithms, and the backdoor attack model is then trained on the training sample and the backdoor sample picture with the blind watermark, so that the finally trained backdoor attack model has good concealment, the backdoor attack is more concealed, and the picture identification accuracy is high.
According to the technical solution provided by the invention, a host picture and a backdoor picture that meet preset conditions are obtained and then processed using fast Fourier transform and inverse transform algorithms to generate a backdoor sample picture with a blind watermark; this solves the problem of poor concealment of backdoor attacks in the related art. That is, compared with the pictures with changed local pixels used in the related art, the blind watermark in the generated backdoor sample picture cannot be perceived by the naked eye and is therefore better concealed, and a backdoor attack model trained on such a backdoor sample picture is likewise better concealed, so that the backdoor attack is more concealed.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the structures shown in the drawings without creative efforts.
FIG. 1 is a schematic diagram of a picture recognition device in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a first embodiment of a training method for a backdoor attack model according to the present invention;
FIG. 3 is a schematic diagram of a host picture according to a first embodiment of the training method for a backdoor attack model of the present invention;
FIG. 4 is a schematic diagram of a backdoor picture of a training method of a backdoor attack model according to a first embodiment of the present invention;
FIG. 5 is a schematic diagram of a backdoor sample picture with blind watermark according to a first embodiment of the training method for a backdoor attack model of the present invention;
FIG. 6 is a schematic diagram of a blind watermark picture according to a second embodiment of the training method for a backdoor attack model of the present invention;
FIG. 7 is a schematic diagram of a neural network model according to a third embodiment of the training method for a backdoor attack model of the present invention;
FIG. 8 is a schematic diagram of a backdoor attack model according to a third embodiment of the training method for the backdoor attack model of the present invention;
FIG. 9 is a flowchart illustrating a first embodiment of a method for generating a back door sample picture with blind watermarking according to the present invention;
FIG. 10 is a flowchart illustrating a first embodiment of a method for recognizing an image according to the present invention;
FIG. 11 is a block diagram of a training apparatus for a backdoor attack model according to a first embodiment of the present invention;
FIG. 12 is a block diagram illustrating a first embodiment of an apparatus for generating a back door sample picture with blind watermarking according to the present invention;
FIG. 13 is a block diagram of a first embodiment of a picture recognition device according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present invention.
The device is a picture identification device, and/or a training device of a backdoor attack model, and/or a generation device of a backdoor sample picture with blind watermarks.
The apparatus comprises: at least one processor 101, a memory 102, and a picture recognition program stored on the memory and executable on the processor, the picture recognition program being configured to implement the steps of the picture recognition method of any of the following embodiments.
Processor 101 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and so forth. The processor 101 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 101 may also include a main processor and a coprocessor, where the main processor is a processor for processing data in an awake state, and is also called a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 101 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content required to be displayed on the display screen. The processor 101 may further include an AI (Artificial Intelligence) processor for processing operations related to the picture recognition method, so that the picture recognition method model can be trained and learned autonomously, thereby improving efficiency and accuracy.
Memory 102 may include one or more computer-readable storage media, which may be non-transitory. Memory 102 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 102 is used to store at least one instruction for execution by processor 101 to implement a picture recognition method provided by method embodiments herein.
In some embodiments, the apparatus may further include: a communication interface 103 and at least one peripheral device. The processor 101, memory 102 and communication interface 103 may be connected by a bus or signal lines. Various peripheral devices may be connected to communication interface 103 via a bus, signal line, or circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 104, display screen 105, and power supply 106.
The communication interface 103 can be used to connect at least one peripheral device related to I/O (Input/Output) to the processor 101 and the memory 102. In some embodiments, the processor 101, memory 102, and communication interface 103 are integrated on the same chip or circuit board; in some other embodiments, any one or two of the processor 101, the memory 102 and the communication interface 103 may be implemented on a single chip or circuit board, which is not limited in this embodiment.
The Radio Frequency circuit 104 is used for receiving and transmitting RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuitry 104 communicates with communication networks and other communication devices via electromagnetic signals. The rf circuit 104 converts an electrical signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 104 comprises: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuitry 104 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: metropolitan area networks, various generation mobile communication networks (2G, 3G, 4G, and 5G), Wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the rf circuit 104 may further include NFC (Near Field Communication) related circuits, which are not limited in this application.
The display screen 105 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display screen 105 is a touch display screen, the display screen 105 also has the ability to capture touch signals on or over the surface of the display screen 105. The touch signal may be input to the processor 101 as a control signal for processing. At this point, the display screen 105 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, there may be one display screen 105, disposed on the front panel of the device; in other embodiments, there may be at least two display screens 105, respectively disposed on different surfaces of the device or in a folded design; in some embodiments, the display screen 105 may be a flexible display, disposed on a curved surface or on a folded surface of the device. Even further, the display screen 105 may be arranged in a non-rectangular irregular pattern, i.e. a shaped screen. The display screen 105 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), and the like.
The power supply 106 is used to power the various components in the device. The power source 106 may be alternating current, direct current, disposable batteries, or rechargeable batteries. When the power source 106 includes a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not constitute a limitation of the device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
Based on the above hardware structure, embodiments of the present invention are proposed.
Referring to fig. 2, fig. 2 is a schematic flowchart of a first embodiment of a training method of a back door attack model according to the present invention, and the training method of the back door attack model includes the following steps:
Step S20: acquiring sample data; the sample data comprises a training sample, a host picture and a backdoor picture which meet preset conditions.
In this embodiment, sample data needs to be obtained first, where the sample data includes a training sample, and a host picture and a backdoor picture that satisfy a preset condition. It can be understood that the training sample may be any common picture, and the host picture and the backdoor picture need to satisfy a certain preset condition, where in this embodiment, the preset condition may include: H1 is less than one half of H2, and W1 is less than W2; wherein H1 is the height of the backdoor picture, H2 is the minimum height among all the host pictures, W1 is the width of the backdoor picture, and W2 is the minimum width among all the host pictures.
For better understanding, the host picture and the backdoor picture are described using a specific example, divided into two cases: one host picture, or at least two host pictures; wherein:
Case one: for example, the host picture is denoted img and the backdoor picture is denoted wm, where img_w is the width of the host picture, img_h is the height of the host picture, wm_w is the width of the backdoor picture, and wm_h is the height of the backdoor picture; then wm_h < 0.5 × img_h and wm_w < img_w. It should be clear that this is the case of a single host picture.
Case two: for example, the host picture is denoted img and the backdoor picture is denoted wm, where img_w is the width of a host picture, img_h is the height of a host picture, m is the number of host pictures, wm_w is the width of the backdoor picture, wm_h is the height of the backdoor picture, img_wmin is the minimum of img_w over all the host pictures, img_wmin = min(img_w1, img_w2, ..., img_wm), and img_hmin is the minimum of img_h over all the host pictures, img_hmin = min(img_h1, img_h2, ..., img_hm); then wm_h < 0.5 × img_hmin and wm_w < img_wmin.
It should be clear that the host picture and the backdoor picture are used as sample data only when they satisfy the preset conditions, so that when they are subsequently processed using the fast Fourier transform algorithm, the generated backdoor sample picture with the blind watermark has a normal width and height, which improves the accuracy of training the backdoor attack model.
It should be noted that, in practical applications, the preset condition may be flexibly adjusted, and the present invention is not limited thereto.
Step S21: processing the host picture and the backdoor picture using fast Fourier transform and inverse transform algorithms to generate a backdoor sample picture with a blind watermark.
In this embodiment, the step of processing the host picture and the back door picture by using the fast fourier transform algorithm to generate the back door sample picture with the blind watermark may include at least the following steps:
first, processing the pixel values of the host picture using a fast Fourier transform algorithm to generate a target host picture;
second, adding the pixel values of the target host picture and the pixel values of the backdoor picture to obtain an addition result;
third, processing the addition result using an inverse fast Fourier transform algorithm to generate a backdoor sample picture with a blind watermark.
It can be understood that, in this embodiment, after the host picture and the backdoor picture meeting the preset condition are obtained, the pixel values of the host picture are first processed using the fast Fourier transform algorithm to generate the target host picture; the pixel values of the target host picture and the pixel values of the backdoor picture are then added to obtain an addition result; and the addition result is then processed using the inverse fast Fourier transform algorithm to generate the backdoor sample picture with the blind watermark. Processing the host picture and the backdoor picture with the fast Fourier transform algorithm in this way generates a backdoor sample picture with a blind watermark and improves the accuracy of training the backdoor attack model.
For better understanding, the generation of a backdoor sample picture with a blind watermark is described here with a specific example:
The first step: processing the pixel values of the host picture using a fast Fourier transform algorithm to generate a target host picture:
Figure 357423DEST_PATH_IMAGE001
(1)
where, in formula (1) above, img is the matrix of pixel values of the host picture, fft is the fast Fourier transform function, and f1 is the result of applying the fast Fourier transform to the pixel values of the host picture.
The second step: adding the pixel values of the target host picture and the pixel values of the backdoor picture to obtain an addition result:
Figure 880808DEST_PATH_IMAGE002
(2)
where, in formula (2) above, wm is the matrix of pixel values of the backdoor picture; a is the superposition strength, which can be set flexibly in practical applications, for example to 3.0; and f2 is the fast-Fourier-transformed pixel values of the host picture with the matrix of pixel values of the backdoor picture superimposed.
The third step: processing the addition result using an inverse fast Fourier transform algorithm to generate a backdoor sample picture with a blind watermark:
Figure 248335DEST_PATH_IMAGE003
(3)
where, in formula (3) above, ifft is the inverse fast Fourier transform function, and
Figure 489961DEST_PATH_IMAGE004
is the result of applying the inverse fast Fourier transform to f2.
Figure 952035DEST_PATH_IMAGE005
(4)
where, in formula (4) above, real is the function that takes the real part of a complex number; for example, if a = 5i + 8 is a complex number, then 5i is the imaginary part and 8 is the real part, so real(a) = 8.
Figure 595506DEST_PATH_IMAGE006
is the result of taking the real part of
Figure 930672DEST_PATH_IMAGE007
, that is, the backdoor sample picture with the blind watermark.
This completes the generation of the backdoor sample picture with the blind watermark; FIG. 3 to FIG. 5 show, respectively, a host picture, a backdoor picture and a backdoor sample picture with a blind watermark.
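The three steps above, turned into a dataset-audit check, as an added example that is not part of the patent: it reproduces the described embedding on a constructed 8×8 array and then compares the suspect picture with a trusted reference copy in the frequency domain. The additive form f2 = f1 + a·wm is read from the symbol descriptions; the (1, 1) placement offset, the availability of a clean reference, and all sample values are assumptions.

```python
import cmath


def dft2(x, inverse=False):
    """Naive separable 2-D DFT; adequate for the small constructed arrays below."""
    sign = 1 if inverse else -1

    def dft1(v):
        n = len(v)
        out = [sum(v[t] * cmath.exp(sign * 2j * cmath.pi * k * t / n)
                   for t in range(n)) for k in range(n)]
        return [c / n for c in out] if inverse else out

    rows = [dft1(r) for r in x]                 # transform every row
    cols = [dft1(list(c)) for c in zip(*rows)]  # then every column
    return [list(r) for r in zip(*cols)]        # back to row-major order


def meets_preset_condition(img, wm):
    """Preset condition from the text: wm_h < 0.5 * img_h and wm_w < img_w."""
    return len(wm) < 0.5 * len(img) and len(wm[0]) < len(img[0])


def embed(img, wm, a=3.0):
    """Steps one to three as described; the (1, 1) offset is an assumption."""
    if not meets_preset_condition(img, wm):
        raise ValueError("backdoor picture too large for this host picture")
    f2 = dft2(img)                              # f1 = fft(img)
    for i, row in enumerate(wm):
        for j, v in enumerate(row):
            f2[1 + i][1 + j] += a * v           # f2 = f1 + a * wm
    return [[c.real for c in row] for row in dft2(f2, inverse=True)]


def audit(reference, suspect, a=3.0, tol=1e-6):
    """Compare a suspect picture with a trusted copy of the same picture.

    Returns (largest per-pixel change, frequency bins that differ, residual).
    `a` only scales the residual; the set of differing bins does not depend on it.
    """
    fr, fs = dft2(reference), dft2(suspect)
    residual = [[(s - r) / a for r, s in zip(rr, rs)] for rr, rs in zip(fr, fs)]
    hot = sorted((i, j) for i, row in enumerate(residual)
                 for j, c in enumerate(row) if abs(c) > tol)
    max_px = max(abs(s - r) for rr, rs in zip(reference, suspect)
                 for r, s in zip(rr, rs))
    return max_px, hot, residual


def recover_mark(residual, h, w):
    """Keeping only the real part halves each bin and mirrors it, hence the 2x."""
    return [[2 * residual[1 + i][1 + j].real for j in range(w)] for i in range(h)]


# Constructed sample data (not from the patent).
HOST = [[(37 * i + 11 * j + 20) % 256 for j in range(8)] for i in range(8)]
MARK = [[200, 0, 120],
        [0, 255, 0]]

if __name__ == "__main__":
    marked = embed(HOST, MARK)
    max_px, hot, residual = audit(HOST, marked)
    print("largest per-pixel change:", round(max_px, 3))
    print("frequency bins that differ:", hot)
    print("recovered mark:", [[round(v) for v in r] for r in recover_mark(residual, 2, 3)])
```

The per-pixel change is bounded by a·Σwm/(H·W), so it shrinks with image area, while the frequency residual stays concentrated in the mark's bins and their conjugate mirror, which is what the audit keys on.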
Step S22: and inputting the training sample and the backdoor sample picture into a neural network model for model training to obtain a backdoor attack model.
In this embodiment, sample data is obtained, comprising a training sample and a host picture and a backdoor picture which meet preset conditions; the host picture and the backdoor picture are then processed with a fast Fourier transform algorithm to generate a backdoor sample picture with a blind watermark, and the training sample and the backdoor sample picture are input into a neural network model for model training to obtain a backdoor attack model. This solves the problem of poor concealment of back door attacks in the related art. That is, in this embodiment, a back door sample picture with a blind watermark is generated with the fast Fourier transform and its inverse, and the back door attack model is then trained on the training sample and the back door sample picture with the blind watermark, so that the back door attack model finally obtained is well concealed and the back door attack is harder to notice.
Based on the first embodiment, the second embodiment of the training method of the backdoor attack model is provided; in this embodiment, after the step of inputting the training sample and the backdoor sample picture into the neural network model for model training to obtain the backdoor attack model, the training method for the backdoor attack model may further include at least the following steps:
and carrying out inverse operation processing on the back door sample picture with the blind watermark to obtain the blind watermark picture.
It should be clear that, in this embodiment, the blind watermark picture may also be obtained by performing inverse operation processing on the backdoor sample picture with the blind watermark.
For better understanding, a specific example illustrates the process of obtaining the blind watermark picture; taking the generation of the backdoor sample picture with a blind watermark in the first embodiment as the example, the inverse operation steps are as follows:
The first step: take the back door sample as input and output f3:
Figure 597277DEST_PATH_IMAGE008
(5)
where, in formula (5),
Figure 676091DEST_PATH_IMAGE007
is the result of applying the inverse fast Fourier transform to f2, where f2 is the result of superimposing the matrix of pixel values of the back door picture onto the fast-Fourier-transformed pixel values of the host picture, the same as in formula (3)
Figure 361020DEST_PATH_IMAGE009
The second step: subtract f1 from f3 and divide by a to obtain
Figure 132666DEST_PATH_IMAGE010
Figure 20988DEST_PATH_IMAGE011
(6)
where, in formula (6), f1 is the result of applying the fast Fourier transform to the pixel values of the host picture, the same as f1 in formula (1), and a is the superposition strength, the same as a in formula (2).
The third step: apply the real function to
Figure 903493DEST_PATH_IMAGE010
to take the real part and obtain the blind watermark picture
Figure 255977DEST_PATH_IMAGE012
Figure 385476DEST_PATH_IMAGE013
(7)
where, in formula (7), real is the function that takes the real part of a complex number, the same as real in formula (4).
This completes the extraction of the blind watermark picture; fig. 6 shows the extracted blind watermark picture.
In this embodiment, the back door sample picture with the blind watermark is subjected to inverse operation processing, so that the blind watermark picture is obtained.
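The inverse operation of formulas (5) to (7), seen from the side of someone auditing a training set against trusted host pictures, as an added example that is not code from the patent. It assumes the superposition described in the text is f2 = f1 + a·wm, uses a naive DFT in place of a library FFT, and places a constructed mark at a hypothetical offset in the spectrum of a constructed 8×8 host; because step (4) keeps only the real part, the recovered residual shows the mark at half strength together with a point-mirrored copy, so a mark taller than half the host would overlap its own mirror.

```python
"""Audit a suspect training image against a trusted copy of its host picture."""
import cmath


def dft2(m, inverse=False):
    """Naive separable 2-D DFT over a list of rows (stand-in for a library FFT)."""
    sign = 1 if inverse else -1

    def dft1(v):
        n = len(v)
        out = [sum(v[t] * cmath.exp(sign * 2j * cmath.pi * k * t / n)
                   for t in range(n)) for k in range(n)]
        return [x / n for x in out] if inverse else out

    rows = [dft1(r) for r in m]
    cols = [dft1(list(c)) for c in zip(*rows)]   # transform each column
    return [list(r) for r in zip(*cols)]         # transpose back to rows


def constructed_sample(host, mark, strength, offset=(1, 1)):
    """Constructed test input built by the page's three steps: FFT the host,
    add strength * mark into the spectrum, inverse FFT, keep the real part.
    The offset is an assumption; the page does not say where the mark sits."""
    if not (len(mark) < len(host) / 2 and len(mark[0]) < len(host[0])):
        raise ValueError("mark violates the preset condition H1 < H2/2, W1 < W2")
    spec = dft2(host)
    oy, ox = offset
    for y, row in enumerate(mark):
        for x, v in enumerate(row):
            spec[oy + y][ox + x] += strength * v
    return [[c.real for c in row] for row in dft2(spec, inverse=True)]


def extract_residual(suspect, host, strength=1.0):
    """Formulas (5)-(7) as the text describes them: FFT the suspect, subtract
    the host spectrum f1, divide by the strength a, keep the real part.
    With an unknown strength the residual is recovered up to scale."""
    f3, f1 = dft2(suspect), dft2(host)
    return [[((s - h) / strength).real for s, h in zip(rs, rh)]
            for rs, rh in zip(f3, f1)]


def audit(suspect, host, strength=1.0, tol=1e-6):
    """Report where the suspect's spectrum departs from the trusted host's."""
    res = extract_residual(suspect, host, strength)
    hits = [(y, x, round(v, 6)) for y, row in enumerate(res)
            for x, v in enumerate(row) if abs(v) > tol]
    pixel_delta = max(abs(s - h) for rs, rh in zip(suspect, host)
                      for s, h in zip(rs, rh))
    return {"flagged": bool(hits), "hits": hits, "max_pixel_delta": pixel_delta}


# Constructed data: an 8x8 "host picture" and a 2x3 mark (H1=2 < 8/2, W1=3 < 8).
HOST = [[float((37 * y + 11 * x * x) % 256) for x in range(8)] for y in range(8)]
MARK = [[1, 0, 1],
        [1, 1, 0]]

if __name__ == "__main__":
    print("clean:  ", audit(HOST, HOST))
    report = audit(constructed_sample(HOST, MARK, 3.0), HOST, strength=3.0)
    # Each mark coefficient comes back at 0.5 with a mirror at (-y mod 8, -x mod 8),
    # while no pixel of the sample moved by more than a fraction of one grey level.
    print("suspect:", report)
```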
Based on the above embodiments, a third embodiment of the training method of the backdoor attack model of the present invention is provided; in this embodiment, before the step of inputting the training sample and the backdoor sample picture into the neural network model for model training to obtain the backdoor attack model, the training method for the backdoor attack model may further include at least the following steps:
changing the labels of the back door sample pictures.
It should be clear that in this embodiment, the labels of the back door sample pictures can be changed for the purpose of poisoning the neural network structure.
For better understanding, changing the label of the back door sample picture is described here with a specific example; for example, in a binary cat-versus-dog classification problem, the label of a cat picture in the normal training samples is cat; the label of a cat picture with the invisible backdoor is changed to dog, and similarly the label of a dog picture with the invisible backdoor is changed to cat.
In this embodiment, the step of inputting the training sample and the backdoor sample picture into the neural network model for model training to obtain the backdoor attack model may include at least the following steps:
and inputting the training samples and the back door sample pictures with the labels changed into the neural network model for model training to obtain a back door attack model.
Optionally, in this embodiment, the step of inputting the training sample and the backdoor sample picture with the changed label into the neural network model for model training to obtain the backdoor attack model may include at least the following steps:
firstly, determining a training sample and the quantity proportion of the back door sample pictures with the labels changed according to a preset proportion threshold;
and then, inputting the training samples with the quantity proportion and the back door sample pictures with the changed labels into a neural network model for model training to obtain a back door attack model.
It can be understood that, in this embodiment, after the label of the back door sample picture is changed, the back door sample picture is mixed into the training samples, and the training samples and the relabelled back door sample pictures are then input into the neural network model for model training, where the quantity ratio between the training samples and the relabelled back door sample pictures satisfies a preset ratio threshold. For example, if the preset ratio threshold is set to training samples : relabelled back door sample pictures = 1:2, the training samples are input into the neural network model in a quantity of 1 part and the relabelled back door sample pictures in a quantity of 2 parts for model training, thereby obtaining a back door attack model. It should be noted that, in practical applications, the preset ratio threshold may be flexibly adjusted according to the specific application scenario.
Please refer to fig. 7-8, wherein fig. 7 is a neural network model, and fig. 8 is a trained backdoor attack model.
In this embodiment, the labels of the backdoor sample pictures are changed, so that training of a backdoor attack model is performed by using the training samples and the backdoor sample pictures with the changed labels, and a function of poisoning the neural network structure is achieved.
Based on the above embodiments, a fourth embodiment of the training method of the backdoor attack model of the present invention is provided; in this embodiment, after the step of inputting the training sample and the backdoor sample picture into the neural network model for model training to obtain the backdoor attack model, the training method for the backdoor attack model may further include at least the following steps:
firstly, acquiring detection sample data; the detection sample data comprises a detection sample picture without a blind watermark and a detection sample picture with a blind watermark;
and then, inputting the detection sample data into the back door attack model, and outputting a detection result to realize the detection of the back door attack model.
It should be clear that, in this embodiment, once the backdoor attack model is obtained it may be further tested. Specifically, detection sample data is obtained, comprising a detection sample picture without a blind watermark and a detection sample picture with a blind watermark; the two are respectively input into the back door attack model and a detection result is output, from which it can be judged whether the back door attack model identifies accurately. If the detection sample picture without the blind watermark is detected normally and the detection sample picture with the blind watermark triggers the backdoor result, the trained backdoor attack model can be judged to identify accurately.
In the embodiment, the detection of the trained backdoor attack model is realized by acquiring the detection sample data and inputting the detection sample data into the backdoor attack model, so that relevant workers know the identification accuracy of the trained backdoor attack model, and can determine whether to continue training the backdoor attack model based on the detection result, thereby being more suitable for application scenarios.
In addition, referring to fig. 9, fig. 9 is a flowchart illustrating a first embodiment of a method for generating a back door sample picture with a blind watermark according to the present invention, where the method for generating a back door sample picture with a blind watermark includes the following steps:
step S90: acquiring a host picture and a backdoor picture which meet preset conditions;
step S91: and processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark.
In the present embodiment, the preset conditions include that H1 is less than one-half of H2, W1 is less than W2, where H1 is the height of the backdoor picture, H2 is the minimum height of all the host pictures, W1 is the width of the backdoor picture, and W2 is the minimum width of all the host pictures.
It should be noted that, the above embodiments have described in detail how to generate the back door sample picture with the blind watermark, and details are not described here again.
In the embodiment, the back door sample picture with the blind watermark is generated, compared with a picture for changing local pixel points in the related technology, the back door sample picture cannot be visually perceived by naked eyes, the concealment is better, and a back door attack model obtained by training according to the back door sample picture with the blind watermark is better in concealment, so that the back door attack is more concealed.
In addition, referring to fig. 10, fig. 10 is a flowchart illustrating a first embodiment of the image recognition method according to the present invention, where the image recognition method includes the following steps:
step S1000: acquiring a backdoor picture to be identified;
step S1001: inputting a backdoor picture to be identified into a backdoor attack model for identification, and outputting an identification result; the back door attack model is obtained by training according to a back door sample picture with a blind watermark.
It can be understood that, in this embodiment, the backdoor picture to be recognized may be obtained in any manner, and then the backdoor picture to be recognized is input into the backdoor attack model for recognition, and a recognition result is output.
In this embodiment, before the step of acquiring the backdoor picture to be recognized, the picture recognition method may further include at least the following steps:
firstly, acquiring sample data; the sample data comprises a training sample, a host picture and a backdoor picture which meet preset conditions;
then, processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark;
and inputting the training sample and the backdoor sample picture into a neural network model for model training to obtain a backdoor attack model.
It should be noted that, the above embodiments have described in detail how to train and generate the backdoor attack model, and details are not described here. In the embodiment, the back door attack model obtained by training according to the back door sample picture with the blind watermark is applied to the recognition of the back door picture to be recognized, so that the back door attack is more hidden, and the recognition accuracy is high.
In addition, referring to fig. 11, an embodiment of the present invention further provides a training apparatus for a back door attack model based on the training method for a back door attack model, where the training apparatus for a back door attack model includes:
a second obtaining module 110, configured to obtain sample data; the sample data comprises a training sample, a host picture and a backdoor picture which meet preset conditions;
the first generating module 111 is configured to process the host picture and the back door picture by using fast fourier transform and inverse transform algorithm, and generate a back door sample picture with a blind watermark;
and the training module 112 is configured to input the training samples and the backdoor sample pictures into the neural network model for model training, so as to obtain a backdoor attack model.
It should be noted that, in this embodiment, the training apparatus for the back door attack model further optionally includes corresponding other modules, so as to implement the steps of the training method for the back door attack model.
The training device of the back door attack model adopts all the technical schemes of the training method embodiments of all the back door attack models, so that the training device at least has all the beneficial effects brought by the technical schemes of the embodiments, and the details are not repeated.
In addition, referring to fig. 12, an embodiment of the present invention further provides a device for generating a back door sample picture with a blind watermark on the basis of the method for generating a back door sample picture with a blind watermark, where the device for generating a back door sample picture with a blind watermark includes:
a third obtaining module 120, configured to obtain a host picture and a backdoor picture that meet a preset condition;
and the second generating module 121 is configured to process the host picture and the back door picture by using fast fourier transform and inverse transform algorithm, and generate a back door sample picture with a blind watermark.
It should be noted that, in this embodiment, the apparatus for generating a back door sample picture with a blind watermark further optionally includes a corresponding other module, so as to implement the steps of the method for generating a back door sample picture with a blind watermark.
The device for generating a back door sample picture with a blind watermark of the present invention adopts all technical solutions of the above-mentioned all embodiments of the method for generating a back door sample picture with a blind watermark, so that at least all beneficial effects brought by the technical solutions of the above-mentioned embodiments are achieved, and are not described in detail herein.
In addition, referring to fig. 13, an embodiment of the present invention further provides an image recognition apparatus based on the image recognition method, where the image recognition apparatus includes:
the first obtaining module 130 is configured to obtain a backdoor picture to be identified;
the identification module 131 is configured to input a backdoor image to be identified into a backdoor attack model for identification; the back door attack model is obtained by training according to a back door sample picture with a blind watermark;
and an output module 132, configured to output the recognition result.
It should be noted that, in this embodiment, the image recognition apparatus may further optionally include other corresponding modules to implement the steps of the image recognition method.
The image recognition device of the present invention adopts all the technical solutions of the above all the embodiments of the image recognition method, so that at least all the beneficial effects brought by the technical solutions of the above embodiments are achieved, and no further description is given here.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, where a training program of a back door attack model is stored on the computer-readable storage medium, and when the training program of the back door attack model is executed by a processor, the steps of the training method of the back door attack model as described above are implemented; or, the computer readable storage medium stores a picture recognition program, and the picture recognition program realizes the steps of the above-mentioned picture recognition method when executed by the processor; or, the computer readable storage medium stores a program for generating a back door sample picture with a blind watermark, and the program for generating a back door sample picture with a blind watermark is executed by the processor to implement the steps of the method for generating a back door sample picture with a blind watermark.
The computer-readable storage media include volatile or nonvolatile, removable or non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, computer program modules or other data. Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically erasable Programmable Read-Only Memory), flash Memory or other Memory technology, CD-ROM (Compact disk Read-Only Memory), Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
It will be apparent to those skilled in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software (which may be implemented in computer program code executable by a computing device), firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (14)

1. A picture identification method is characterized by comprising the following steps:
acquiring a backdoor picture to be identified;
inputting the backdoor picture to be identified into a backdoor attack model for identification, and outputting an identification result;
the back door attack model is obtained by training according to a back door sample picture with a blind watermark.
2. The picture recognition method according to claim 1, wherein, before the step of obtaining the backdoor picture to be recognized, the picture recognition method further comprises:
acquiring sample data; the sample data comprises a training sample, a host picture and a backdoor picture which meet preset conditions;
processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark;
and inputting the training sample and the backdoor sample picture into a neural network model for model training to obtain a backdoor attack model.
3. A training method of a backdoor attack model is characterized by comprising the following steps:
acquiring sample data; the sample data comprises a training sample, a host picture and a backdoor picture which meet preset conditions;
processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark;
and inputting the training sample and the backdoor sample picture into a neural network model for model training to obtain a backdoor attack model.
4. A training method of a backdoor attack model according to claim 3, wherein the preset conditions include:
H1 is less than one-half of H2, W1 is less than W2; wherein H1 is the height of the back door picture, H2 is the minimum height in all the host pictures, W1 is the width of the back door picture, and W2 is the minimum width in all the host pictures.
5. The method for training a back door attack model according to claim 3, wherein the step of processing the host picture and the back door picture by using fast Fourier transform and inverse transform algorithm to generate the back door sample picture with the blind watermark comprises:
processing the pixel point value of the host picture by using a fast Fourier transform algorithm to generate a target host picture;
adding the pixel point value of the target host picture and the pixel point value of the back door picture to obtain an addition result;
and processing the addition result by using an inverse fast Fourier transform algorithm to generate a back door sample picture with a blind watermark.
6. The training method of the back door attack model according to claim 3, wherein before the step of inputting the training samples and the back door sample pictures into the neural network model for model training to obtain the back door attack model, the training method of the back door attack model further comprises:
changing the label of the back door sample picture;
the step of inputting the training sample and the backdoor sample picture into a neural network model for model training to obtain a backdoor attack model comprises:
and inputting the training samples and the back door sample pictures with the changed labels into a neural network model for model training to obtain a back door attack model.
7. The training method of the back door attack model according to claim 6, wherein the step of inputting the training samples and the back door sample pictures with the changed labels into a neural network model for model training to obtain the back door attack model comprises:
determining the quantity proportion of the training samples and the back door sample pictures with the changed labels according to a preset proportion threshold;
inputting the training samples in the quantity proportion and the back door sample pictures with the changed labels into a neural network model for model training to obtain a back door attack model.
8. The training method of the back door attack model according to any one of claims 3-7, wherein after the step of inputting the training samples and the back door sample pictures into the neural network model for model training to obtain the back door attack model, the training method of the back door attack model further comprises:
acquiring detection sample data; the detection sample data comprises a detection sample picture without a blind watermark and a detection sample picture with a blind watermark;
and inputting the detection sample data into the backdoor attack model, and outputting a detection result to realize the detection of the backdoor attack model.
9. A method for generating a back door sample picture with a blind watermark is characterized by comprising the following steps:
acquiring a host picture and a backdoor picture which meet preset conditions;
and processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark.
10. The method for generating a backdoor sample picture with blind watermark of claim 9, wherein the preset condition comprises:
H1 is less than one-half of H2, W1 is less than W2; wherein H1 is the height of the back door picture, H2 is the minimum height in all the host pictures, W1 is the width of the back door picture, and W2 is the minimum width in all the host pictures.
11. A picture recognition apparatus, comprising:
the first acquisition module is used for acquiring a backdoor picture to be identified;
the identification module is used for inputting the backdoor picture to be identified into a backdoor attack model for identification; the back door attack model is obtained by training according to a back door sample picture with a blind watermark;
and the output module is used for outputting the identification result.
12. A training device for a backdoor attack model is characterized by comprising:
the second acquisition module is used for acquiring sample data; the sample data comprises a training sample, a host picture and a backdoor picture which meet preset conditions;
the first generation module is used for processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark;
and the training module is used for inputting the training samples and the backdoor sample pictures into a neural network model for model training to obtain a backdoor attack model.
13. An apparatus for generating a blind watermarked back door sample picture, the apparatus comprising:
the third acquisition module is used for acquiring a host picture and a backdoor picture which meet preset conditions;
and the second generation module is used for processing the host picture and the back door picture by utilizing a fast Fourier transform and inverse transform algorithm to generate a back door sample picture with a blind watermark.
14. A computer-readable storage medium, characterized in that a picture recognition program is stored on the computer-readable storage medium, which when executed by a processor implements the steps of the picture recognition method according to any one of claims 1-2; or, the computer readable storage medium has stored thereon a training program of a back door attack model, which when executed by a processor implements the steps of the training method of a back door attack model according to any one of claims 3 to 8; or, the computer readable storage medium has stored thereon a program for generating a blind watermarked back door sample picture, which when executed by a processor implements the steps of the method for generating a blind watermarked back door sample picture according to any one of claims 9 to 10.
CN202011441915.8A 2020-12-11 2020-12-11 Picture identification method and device, training method and device, and generation method and device Pending CN112232446A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011441915.8A CN112232446A (en) 2020-12-11 2020-12-11 Picture identification method and device, training method and device, and generation method and device

Publications (1)

Publication Number Publication Date
CN112232446A true CN112232446A (en) 2021-01-15

Family

ID=74124077

Country Status (1)

Country Link
CN (1) CN112232446A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210115
