CN112464230B - Black box attack type defense system and method based on neural network intermediate layer regularization - Google Patents


Info

Publication number
CN112464230B
Authority
CN
China
Prior art keywords
source model
sample sequence
attack
countermeasure
regularization
Prior art date
Legal status
Active
Application number
CN202011281842.0A
Other languages
Chinese (zh)
Other versions
CN112464230A (en)
Inventor
李晓锐
崔炜煜
王文一
陈建文
Current Assignee
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/082 Learning methods modifying the architecture, e.g. adding, deleting or silencing nodes or connections
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02T CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00 Road transport of goods or passengers
    • Y02T10/10 Internal combustion engine [ICE] based vehicles
    • Y02T10/40 Engine management systems

Abstract

The invention relates to the field of artificial intelligence security, in particular to a black box attack type defense system based on regularization of a neural network intermediate layer, which comprises a first source model, a second source model and a third source model; and to a black box attack type defense method based on regularization of a neural network intermediate layer, which comprises the steps of S1, inputting a picture into the first source model for a white box attack and outputting a first adversarial sample sequence; S2, inputting the first adversarial sample sequence into the second source model and outputting a second adversarial sample sequence; S3, inputting the second adversarial sample sequence into the third source model for a black box attack and outputting a third recognition sample sequence; and S4, inputting the third recognition sample sequence into the third source model for adversarial training and updating the third source model. The adversarial samples generated by the algorithm have high transferability to the target model, and adversarial training with them can effectively defend the target model against attack.

Description

Black box attack type defense system and method based on neural network intermediate layer regularization
Technical Field
The invention relates to the field of artificial intelligence security, in particular to a black box attack type defense system and method based on neural network intermediate layer regularization.
Background
When a tiny perturbation is added to an image signal and the perturbed image is input into a convolutional neural network for a classification task, the network misclassifies it. This technique is widely applied. In a vehicle detection system, the system can be deceived by slightly perturbing a license plate image, which helps check the robustness and safety of the vehicle detection system; in a face recognition system, the system can be deceived by slightly perturbing a face image, which helps check the robustness and safety of the face recognition network; in an unmanned driving system, the autonomous driving system can be deceived by slightly perturbing a road sign image, which helps check the robustness and safety of the object classification and target detection networks in machine vision. With the arrival of the 5G era, image and video data have become mainstream network data; image adversarial sample technology arose from attacks on neural networks, plays a key role in the field of network confrontation, and plays an important role in improving the performance of defense algorithms.
The existing common attack modes are the black box attack mode and the white box attack mode. The black box attack mode is divided into a transferability-based mode that trains a substitute model and a decision-based mode that estimates the gradient through multiple queries. Both modes apply a mainstream white box attack method after generating a substitute model close to the black box model or estimating the gradient of the black box model. Training the substitute model mostly requires knowing the training data set of the attacked model and information such as its inputs and outputs, beyond the model's internal parameters; such information is particularly difficult to obtain in practical applications, or can only be obtained in limited quantity, so generating a substitute model in this way is limited in many cases. The query-based mode queries the inputs and outputs of the adversary model many times and estimates the gradient; when the number of queries is large enough, the estimated gradient approaches the true gradient of the adversary model and a decision boundary is obtained, but this mode cannot overcome the computational complexity caused by multiple queries when the black box model limits the number of queries, which seriously affects the efficiency of the black box attack.
Disclosure of Invention
Based on these problems, the invention provides a black box attack type defense system and method based on neural network intermediate layer regularization. The attack algorithm can attack a black box model without generating a substitute model and without acquiring the data set and corresponding labels by querying the black box model; in an image classification task, the adversarial samples generated by the algorithm have high transferability to the target model, and adversarial training with them can also effectively defend the target model against attack.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows:
A black box attack type defense system based on regularization of the intermediate layer of a neural network comprises:
a first source model for outputting a first adversarial sample sequence;
a second source model for outputting a second adversarial sample sequence;
and a third source model for outputting a third recognition sample sequence, the third recognition sample sequence being input into the third source model for adversarial training to update the third source model.
Further, the first source model and the second source model adopt ResNet networks based on residual modules, the third source model adopts a DenseNet network, the second source model is divided into different neural network structural layers, and a regularization loss function is added to each layer of the second source model.
A black box attack type defense method based on regularization of a neural network intermediate layer adopts the black box attack type defense system based on regularization of the neural network intermediate layer, and comprises:
S1, inputting the picture into the first source model for a white box attack, and outputting a first adversarial sample sequence;
S2, inputting the first adversarial sample sequence into the second source model, attacking the first adversarial sample sequence with the regularization loss function at each layer of the second source model, and outputting a second adversarial sample sequence;
S3, inputting the second adversarial sample sequence into the third source model for a black box attack, and outputting a third recognition sample sequence;
and S4, inputting the third recognition sample sequence into the third source model for adversarial training, and updating the third source model.
Further, in step S2, the attack of the regularization loss function on the first adversarial sample sequence includes the following two aspects:
on the one hand, finding the optimal perturbation direction for the generated second adversarial sample sequence;
on the other hand, filtering the high-frequency components of the adversarial perturbation, generating at each layer of the second source model an output corresponding to the first adversarial sample sequence so as to obtain a set of adversarial samples, and selecting the adversarial samples of the best layer among them as the second adversarial sample sequence.
Further, the formula for finding the optimal perturbation direction of the generated second adversarial sample sequence is
$L_1 = [f_t(x') - f_t(x)] \cdot [f_t(x'') - f_t(x)]$
where the result of $L_1$ is the perturbation direction of the second adversarial sample sequence, $f_t(x)$ is the output of the $t$-th layer of the second source model when the first adversarial sample sequence passes through it, $[f_t(x') - f_t(x)]$ is the perturbation of the first adversarial sample sequence, and $[f_t(x'') - f_t(x)]$ is the characterized perturbation direction, guided by the basic perturbation direction;
the formula for filtering the high-frequency components of the adversarial perturbation is
$L_2 = F[f_t(x'') - f_t(x)]$
where the result of $L_2$ is the adversarial perturbation with its high-frequency components filtered, and $F(\cdot)$ is the regularization function;
the regularization loss function $L$ is formulated as
$L = -L_1 - L_2$.
Compared with the prior art, the invention has the following beneficial effects:
1. A regularization loss function added to each layer of the second source model is used to attack the first adversarial sample sequence, which avoids the high computational complexity caused by multiple queries in the traditional method.
2. Adding a regularization loss function to each layer of the second source model to attack the first adversarial sample sequence aims, on the one hand, at finding the optimal decision direction with the strongest transferability and, on the other hand, at filtering the high-frequency components of the adversarial perturbation, so the generated adversarial samples are more transferable than those of the traditional method.
3. Adding adversarial training to the third source model solves the poor quality and low strength of the transferred adversarial samples in the conventional method, so that the adversarial training is more robust.
Drawings
Fig. 1 is a flowchart of the present embodiment.
Detailed Description
The invention will be further described with reference to the accompanying drawings. Embodiments of the present invention include, but are not limited to, the following examples.
A black box attack type defense system based on neural network intermediate layer regularization comprises:
a first source model, which uses a ResNet network based on a residual module. In this embodiment the first source model is attacked in a white box manner and finally outputs a first adversarial sample sequence. Taking the input original pictures as an example, a group of original pictures is input, and the first source model is attacked by adding an appropriate adversarial perturbation using a white box attack method, generating the first adversarial sample sequence. The first adversarial sample sequence already has a certain transferability, but with respect to the second source model its decision direction is not the direction with the strongest transferability, so it is not the optimal adversarial sample for transfer. In addition, the attack in this embodiment is divided into two modes, an untargeted attack mode and a targeted attack mode; for the untargeted attack mode it is sufficient that the predicted label after the attack differs from the label before the attack. First, gradient ascent with equal step length is performed in the direction that maximizes the loss function, and at each ascent step the input original picture is perturbed correspondingly to generate the corresponding first adversarial sample sequence;
a second source model, which adopts a ResNet network based on a residual module, receives the first adversarial sample sequence and outputs a second adversarial sample sequence. The second source model adopts an intermediate-layer regularization method to seek the optimal transfer decision direction and the optimal adversarial samples in both the targeted and the untargeted attack mode. For intermediate regularization, the second source model is divided into different neural network structural layers, including different convolutional layers and pooling layers; the first adversarial sample sequence is input into the different layers, and a regularization loss function is added after each layer. The regularization attack method attacks the first adversarial sample sequence again and mainly comprises two aspects: on the one hand, finding the optimal adversarial sample decision direction based on the first adversarial sample sequence; on the other hand, filtering the high-frequency component of the adversarial perturbation of the optimal adversarial sample. Each layer thus generates an output corresponding to the first adversarial sample sequence, a group of adversarial samples is obtained, and the adversarial samples of the optimal layer are selected from them as the second adversarial sample sequence;
a third source model, which adopts a DenseNet. The second adversarial sample sequence is used to attack the third source model in a black box attack mode; for the second adversarial sample sequence of each layer, all adversarial samples in the sequence attack the third source model in turn. In the untargeted attack mode an attack counts as successful as long as the prediction of the third source model is not the original data label; in the targeted attack mode an attack counts as successful only if the prediction of the third source model is the specified prediction. The adversarial samples of the optimal layer are selected according to the attack success rate, and finally the number of successful adversarial samples is counted and the successful adversarial samples are recorded, forming the third recognition sample sequence. The third source model is retrained with the third recognition sample sequence. In an actual black box attack this retraining is the work of the defender, and in this embodiment only this step may operate on the third source model. In the adversarial training of the third source model, the third recognition sample sequence is added, the third source model is trained with the adversarial samples and the original samples together, and the original third source model is updated through multiple iterations of adversarial training, so that the adversarial samples that attacked successfully in the previous round can be effectively defended against.
A black box attack type defense method based on regularization of a neural network intermediate layer adopts the black box attack type defense system based on regularization of the neural network intermediate layer, and comprises the following steps:
S1, inputting the picture into the first source model, attacking the first source model by adding an appropriate adversarial perturbation with a white box attack method, and outputting a first adversarial sample sequence;
because the adversarial samples generated by the white box attack algorithm do not have optimal transferability, the optimal perturbation direction must be added so that they come close enough to the adversary network and the generated adversarial samples can fully attack the adversary network, achieving the black box attack effect. When adversarial samples are generated, instead of only one adversarial sample per picture, a plurality of adversarial samples are generated from one selected picture in the layers into which the source model is divided, toward the decision boundary direction, forming an adversarial sample sequence that covers the possible regions of the attacked model's decision boundary, so as to achieve a high-performance black box attack. Because the decision boundary of the black box model is unknown, a group of adversarial samples is generated in each layer of the second source model, by the regularization loss function attack mode, on both sides of the decision boundary found by the white box attack method on the first source model, to attack the real black box model; the third source model is attacked using the adversarial samples generated by each layer of the second source model, one optimal layer output that attacks successfully is selected and recorded as a new kind of adversarial sample, and step S2 is performed on the basis of the above principle.
S2, inputting the first adversarial sample sequence into each layer of the second source model, where the first adversarial sample sequence is attacked by the regularization loss function in each layer of the second source model, and the attack of the regularization loss function on the first adversarial sample sequence includes two aspects:
on the one hand, the optimal perturbation direction for the generated second adversarial sample sequence is found, with the formula
$L_1 = [f_t(x') - f_t(x)] \cdot [f_t(x'') - f_t(x)]$
where the result of $L_1$ is the perturbation direction of the second adversarial sample sequence, $f_t(x)$ is the output of the $t$-th layer of the second source model when the first adversarial sample sequence passes through it, $[f_t(x') - f_t(x)]$ is the perturbation of the first adversarial sample sequence, a vector whose basic perturbation direction is not the most transferable perturbation direction, and $[f_t(x'') - f_t(x)]$ is the characterized perturbation direction, guided by the basic perturbation direction with the aim of approaching the perturbation direction with the strongest transferability;
on the other hand, after the perturbation direction with the strongest transferability is found, the high-frequency components of the adversarial perturbation need to be filtered, with the formula
$L_2 = F[f_t(x'') - f_t(x)]$
where the result of $L_2$ is the adversarial perturbation with its high-frequency components filtered, and $F(\cdot)$ is a regularization function equivalent to a smoothing filter that filters the high-frequency components of the optimal adversarial perturbation, thereby enhancing the transferability of the adversarial samples. Based on $L_1$ and $L_2$, a regularization loss function $L$ is added to each layer of the second source model, expressed by the following formula:
$L = -L_1 - L_2$
and the adversarial samples of the optimal layer are selected from the generated adversarial samples as the second adversarial sample sequence.
S3, inputting the second adversarial sample sequence into the third source model for a black box attack, and outputting a third recognition sample sequence;
the third source model classifies and predicts the attack samples; an adversarial sample that is misclassified is recorded as a successful attack, and the other samples represent failed attacks. The successful samples, namely the third recognition sample sequence, are used for adversarial training of the third source model, so that the third source model can correctly judge the adversarial samples and the robustness of the defense system is enhanced.
S4, inputting the third recognition sample sequence into the third source model for adversarial training, and updating the third source model;
adversarial training is an effective defense method. In the process of training the third source model, the training samples are no longer only the original samples; the adversarial samples are added to the original samples, which is equivalent to adding the generated third recognition sample sequence to the training set as new training samples. As the third source model is trained further, on the one hand the accuracy on the original pictures increases, and on the other hand the robustness of the third source model to adversarial samples also increases. Adversarial training therefore refers to constructing adversarial samples and mixing them with the original samples to train the model during the training of the third source model, that is, the third source model is confronted during its training so as to improve its robustness to adversarial attack, namely its defensive strength. The third source model updated by training with the above method is the final required neural network model.
The above is an embodiment of the present invention. The specific parameters in the above embodiments and examples are only for the purpose of clearly illustrating the inventor's verification process and are not intended to limit the scope of the invention, which is defined by the claims; all equivalent structural changes made using the contents of the specification and drawings of the present invention fall within the scope of the present invention.

Claims (4)

1. A black box attack type defense system based on neural network intermediate layer regularization, characterized in that it comprises:
a first source model for outputting a first adversarial sample sequence;
a second source model for outputting a second adversarial sample sequence;
a third source model for outputting a third recognition sample sequence, the third recognition sample sequence being input into the third source model for adversarial training to update the third source model;
the first source model adopts a ResNet network based on a residual module; the picture is input into the first source model, the first source model is attacked with a white box attack, and a first adversarial sample sequence is generated;
the second source model adopts a ResNet network based on a residual module, is divided into different neural network structural layers, and a regularization loss function is added to each layer of the second source model; the first adversarial sample sequence is input into the second source model, attacked with the regularization loss function at each layer of the second source model, and a second adversarial sample sequence is output;
the third source model adopts a DenseNet; the second adversarial sample sequence is input into the third source model, the third source model is attacked with a black box attack, and for the second adversarial sample sequence of each layer all adversarial samples in the sequence attack the third source model in turn, where in the untargeted attack mode an attack counts as successful as long as the prediction of the third source model is not the original data label, and in the targeted attack mode an attack counts as successful only if the prediction of the third source model is the specified prediction, so that the adversarial samples of the optimal layer are selected according to the attack success rate; finally the number of successful adversarial samples is counted and the successful adversarial samples, namely the third recognition sample sequence, are recorded; and the third recognition sample sequence is added in the adversarial training of the third source model, the third source model is trained with the adversarial samples and the original samples together, and the original third source model is updated after multiple iterations of adversarial training.
2. A black box attack type defense method based on neural network intermediate layer regularization, adopting the black box attack type defense system based on neural network intermediate layer regularization, characterized in that it comprises:
S1, inputting the picture into the first source model for a white box attack, and outputting a first adversarial sample sequence;
S2, inputting the first adversarial sample sequence into the second source model, attacking the first adversarial sample sequence with the regularization loss function at each layer of the second source model, and outputting a second adversarial sample sequence;
S3, inputting the second adversarial sample sequence into the third source model for a black box attack, and outputting a third recognition sample sequence;
and S4, inputting the third recognition sample sequence into the third source model for adversarial training, and updating the third source model.
3. The black box attack type defense method based on neural network intermediate layer regularization as claimed in claim 2, characterized in that in S2 the attack of the regularization loss function on the first adversarial sample sequence includes the following two aspects:
on the one hand, finding the optimal perturbation direction for the generated second adversarial sample sequence;
on the other hand, filtering the high-frequency components of the adversarial perturbation, generating at each layer of the second source model an output corresponding to the first adversarial sample sequence so as to obtain a set of adversarial samples, and selecting the adversarial samples of the best layer among them as the second adversarial sample sequence.
4. The black box attack type defense method based on neural network intermediate layer regularization as claimed in claim 3, characterized in that the formula for finding the optimal perturbation direction of the generated second adversarial sample sequence is
$L_1 = [f_t(x') - f_t(x)] \cdot [f_t(x'') - f_t(x)]$
where the result of $L_1$ is the perturbation direction of the second adversarial sample sequence, $f_t(x)$ is the output of the $t$-th layer of the second source model when the first adversarial sample sequence passes through it, $[f_t(x') - f_t(x)]$ is the perturbation of the first adversarial sample sequence, and $[f_t(x'') - f_t(x)]$ is the characterized perturbation direction, guided by the basic perturbation direction;
the formula for filtering the high-frequency components of the adversarial perturbation is
$L_2 = F[f_t(x'') - f_t(x)]$
where the result of $L_2$ is the adversarial perturbation with its high-frequency components filtered, and $F(\cdot)$ is the regularization function;
the regularization loss function $L$ is formulated as
$L = -L_1 - L_2$.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011281842.0A CN112464230B (en) 2020-11-16 2020-11-16 Black box attack type defense system and method based on neural network intermediate layer regularization

Publications (2)

Publication Number Publication Date
CN112464230A CN112464230A (en) 2021-03-09
CN112464230B true CN112464230B (en) 2022-05-17

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113407939B (en) * 2021-06-17 2022-08-05 电子科技大学 Substitution model automatic selection method facing black box attack, storage medium and terminal
CN113436073B (en) * 2021-06-29 2023-04-07 中山大学 Real image super-resolution robust method and device based on frequency domain
CN114387476A (en) * 2022-01-17 2022-04-22 湖南大学 Method for improving migration of challenge sample on defense mechanism
CN114996496A (en) * 2022-06-20 2022-09-02 电子科技大学 Query-based black box attack method for image retrieval model

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108304858A (en) * 2017-12-28 2018-07-20 China UnionPay Co., Ltd. Adversarial sample recognition model generation method, verification method and system
CN108520268A (en) * 2018-03-09 2018-09-11 Zhejiang University of Technology Black-box adversarial attack defense method based on sample selection and model evolution
CN108924558A (en) * 2018-06-22 2018-11-30 University of Electronic Science and Technology of China Neural-network-based video predictive coding method
CN109740615A (en) * 2018-12-29 2019-05-10 Wuhan University Method for removing adversarial sample perturbations
CN110084002A (en) * 2019-04-23 2019-08-02 Tsinghua University Deep neural network attack method, device, medium and computing device
CN111027060A (en) * 2019-12-17 2020-04-17 University of Electronic Science and Technology of China Knowledge-distillation-based neural network black-box attack defense method
CN111310802A (en) * 2020-01-20 2020-06-19 Xinghan Intelligent Technology Co., Ltd. Adversarial attack defense training method based on generative adversarial networks

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10657259B2 (en) * 2017-11-01 2020-05-19 International Business Machines Corporation Protecting cognitive systems from gradient based attacks through the use of deceiving gradients

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
"Design and Implementation of the Real-Time Data Access Module of the Earthworm System"; Li Xiaorui et al.; Earthquake Research in Shanxi (山西地震); 2019-12-31 (No. 4); pp. 31-33 *
"Semi-black-box Attacks Against Speech Recognition Systems Using Adversarial Samples"; Yi Wu et al.; 2019 IEEE International Symposium on Dynamic Spectrum Access Networks (DySPAN); 2019-12-19; pp. 1-5 *
"Improving Comprehensive Intelligent Mechatronics Experimental Teaching to Enhance the Practical Innovation Ability of University Students"; Liang Yinglin et al.; Education and Teaching Forum (教育教学论坛); 2012-01-31 (No. 1); pp. 209-211 *
"Adversarial Attacks and Defenses in Deep Learning"; Liu Ximeng et al.; Chinese Journal of Network and Information Security (网络与信息安全学报); 2020-10-31; Vol. 6 (No. 5); pp. 36-53 *
"Opportunities and Challenges of Virtual Reality"; Chen Jianwen et al.; China Industry Review (中国工业评论); 2016-08-31 (No. 8); pp. 48-53 *

Also Published As

Publication number Publication date
CN112464230A (en) 2021-03-09

Similar Documents

Publication Publication Date Title
CN112464230B (en) Black box attack type defense system and method based on neural network intermediate layer regularization
CN111027060B (en) Knowledge distillation-based neural network black box attack type defense method
Hu et al. Relation networks for object detection
CN110175611B (en) Defense method and device for black box physical attack model of license plate recognition system
CN110853074B (en) Video target detection network system for enhancing targets by utilizing optical flow
CN113822328B (en) Image classification method for defending against sample attack, terminal device and storage medium
CN113076994B (en) Open-set domain self-adaptive image classification method and system
CN114492574A (en) Unsupervised adversarial domain-adaptive image classification method with pseudo-label loss based on a Gaussian-uniform mixture model
Duerr et al. Lidar-based recurrent 3d semantic segmentation with temporal memory alignment
CN111754519B (en) Adversarial method based on class activation mapping
CN110348475A (en) Adversarial sample enhancement method and model based on spatial transformation
CN111639564A (en) Video pedestrian re-identification method based on multi-attention heterogeneous network
Jiang et al. Dfnet: Semantic segmentation on panoramic images with dynamic loss weights and residual fusion block
CN113129336A (en) End-to-end multi-vehicle tracking method, system and computer readable medium
Wang et al. PFDN: Pyramid feature decoupling network for single image deraining
Naseer et al. Distorting neural representations to generate highly transferable adversarial examples
CN115641529A (en) Weak supervision time sequence behavior detection method based on context modeling and background suppression
Wang et al. Source data-free cross-domain semantic segmentation: Align, teach and propagate
CN112801179A (en) Twin classifier certainty maximization method for cross-domain complex visual task
CN111950635A (en) Robust feature learning method based on hierarchical feature alignment
CN111882037A (en) Deep learning model optimization method based on network addition/modification
Fu et al. Boosting black-box adversarial attacks with meta learning
Ghahremani et al. Re-identification of vessels with convolutional neural networks
Pavate et al. Analyzing probabilistic adversarial samples to attack cloud vision image classifier service
Bourcier et al. Self-supervised pretraining on satellite imagery: A case study on label-efficient vehicle detection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant