CN112541404A - Method for generating adversarial samples for physical attacks on traffic information perception


Info

Publication number: CN112541404A
Application number: CN202011316184.4A
Authority: CN (China)
Prior art keywords: image, sample, picture, traffic information, algorithm
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 黄世泽, 刘晓雯, 张肇鑫, 杨玲玉, 张兵杰
Current assignee: Tongji University
Original assignee: Tongji University
Application filed by Tongji University
Priority to CN202011316184.4A
Publication of CN112541404A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V20/00 Scenes; Scene-specific elements
    • G06V20/50 Context or environment of the image
    • G06V20/56 Context or environment of the image exterior to a vehicle by using sensors mounted on the vehicle
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent

Abstract

The invention provides a method for generating adversarial samples for physical attacks on traffic information perception, aimed mainly at object detector networks. The method comprises the following steps: inputting an original picture; processing the picture with the ShapeShifter algorithm to obtain a training sample; adding white Gaussian noise to the training sample; calculating the loss function; performing back propagation and iteratively updating the picture; and checking whether the specified number of iterations has been reached: if not, acquiring the proposal (recommended window) regions again and repeating the steps, and if so, outputting the corresponding adversarial sample picture. Taking the Faster R-CNN object detector as an example, the invention can generate adversarial samples for physical attacks, expose security vulnerabilities and problems present in Faster R-CNN, help to improve or propose more effective defense methods, improve the reliability of traffic information perception systems, and ensure driving safety.

Description

Method for generating adversarial samples for physical attacks on traffic information perception
Technical Field
The invention relates to the field of rail transit, and in particular to a method for generating adversarial samples for physical attacks on a Faster R-CNN object detector used in traffic information perception.
Background
In recent years, vehicle-mounted traffic information perception systems have developed rapidly; their purpose is to perceive the operating environment and state of the vehicle. Typically, a camera is installed in the cab to capture video of the vehicle's operating environment, the environment is perceived and identified by an intelligent algorithm, and decisions are then made on that basis. The operating environment of a vehicle is quite complex and mainly comprises three aspects: complex road surface conditions, complex and variable weather conditions, and complex illumination conditions. Traditional image processing methods have difficulty perceiving such complex operating environments, so a deep learning algorithm is needed to detect the state of the operating environment in real time.
Adversarial samples, which have been a research focus in computer science in recent years, pose a great threat to the reliability and security of deep learning networks. Since a digital attack on a deep learning network requires the attacker to intrude into the computer vision system itself, which most attackers cannot achieve, more and more researchers are turning to the study of physical attacks.
Most existing research on physical attacks targets classifiers; there are few algorithms that attack object detectors, yet the operating environment of a traffic information perception system requires an object detector. Attacking an object detector is far harder than attacking a classifier: a classifier handles only one target per image and need not give its exact position coordinates, whereas an object detector must identify pictures containing many different targets and give accurate position coordinates for each. Because existing adversarial sample generation methods mainly attack classifiers, while a traffic information perception system must perform multi-target detection of various traffic signs and obstacles in every frame, these methods are not applicable, and existing research therefore poses little threat to traffic information perception systems.
Disclosure of Invention
The invention provides a method for generating adversarial samples for physical attacks on the Faster R-CNN object detector. Based on stop sign photographs taken at different distances and angles, an improved ShapeShifter algorithm is used to generate adversarial samples that attack the Faster R-CNN object detector, thereby exposing security vulnerabilities and problems present in Faster R-CNN, helping to improve or propose more effective defense methods, and improving the reliability of the traffic information perception system, which is an important measure for ensuring driving and passenger safety.
The invention provides a method for generating adversarial samples for physical attacks on traffic information perception, comprising the following steps:
(1) inputting an original picture;
(2) processing the original picture with an improved ShapeShifter algorithm to obtain a training sample;
(3) adding white Gaussian noise to the training sample;
(4) calculating the loss function;
(5) performing back propagation and iteratively updating the picture;
(6) checking whether the number of iterations has been reached; if not, returning to step (2) to start a new iteration, and if so, outputting the adversarial sample picture.
In the invention, the network mainly attacked is the Faster R-CNN object detector.
In the invention, the improved ShapeShifter algorithm in step (2) is an adversarial sample generation algorithm aimed mainly at the object detector of the Faster R-CNN network, and its optimization function is defined as follows:
Figure BDA0002791490060000021
where:
M_t(x_b, x_0, tanh(x')) denotes the image x_0 translated, rotated and scaled and then superimposed on the background image x_b; it also includes a masking operation that keeps certain regions of the image x_0 fixed, i.e. while x_0 is transformed, some regions of x_0 are held unchanged, which makes the adversarial sample more robust;
x is the input original picture, x' is the generated adversarial sample picture, and y' is the input false target class;
c is the weight of the difference between the original image and the adversarial sample;
tanh() is the hyperbolic tangent function, ensuring that each pixel value lies in [-1, 1];
rpn(x) = {r_1, ..., r_m}, where each r_i is a proposal (recommended window) given by 4 coordinates, and x_r is the sub-image of region r;
Figure BDA0002791490060000022
is the loss function measuring the distance between the model output and the misclassification y' that the attack targets;
X is the training set of background pictures; t is a graphic transformation; T is the set of all graphic transformations, including translation, rotation and scaling;
F is the object detector:
F:
Figure BDA0002791490060000031
where:
h is the height of the input image and w is its width;
k is the confidence of the detected object's class.
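The transformation and masking operator M_t described above, as an added example that is not code from the patent or from the ShapeShifter project: a small numpy implementation of the tanh change of variables, of the mask that holds chosen regions of x_0 fixed (the same principle Example 2 applies to the white characters of the Chinese stop sign), and of a nearest-neighbour translate/rotate/scale overlay of the patch onto a background image x_b. The function names, the 6x6 toy sign, the 12x12 background and the three sampled transformations are constructed here for illustration. No detector or loss term is included: this sample construction is exactly what a defender needs to test how a detector behaves under the physical transformation set T, with or without a perturbation.

```python
import numpy as np


def to_pixels(w):
    """tanh change of variables: an unconstrained array w is mapped to pixel
    values in [-1, 1], so no explicit clipping is needed during optimisation."""
    return np.tanh(w)


def keep_masked_regions(x0, candidate, keep_mask):
    """Masking part of M_t: where keep_mask is True the original image x0 is kept
    (e.g. the white glyph of a stop sign); elsewhere the candidate image is used."""
    return np.where(keep_mask, x0, candidate)


def transform_and_overlay(background, patch, scale, angle_deg, offset):
    """Geometric part of M_t for one transformation t = (scale, angle, offset):
    scale and rotate `patch` about its centre, place it so that its top-left
    corner (before rotation) lands at `offset`, and paste it onto a copy of
    `background`. Nearest-neighbour inverse mapping: every background pixel is
    mapped back into patch coordinates; pixels that land outside the patch keep
    the background value."""
    out = background.copy()
    bg_h, bg_w = background.shape
    p_h, p_w = patch.shape
    theta = np.deg2rad(angle_deg)
    cos_t, sin_t = np.cos(theta), np.sin(theta)
    # Centre of the scaled patch in background coordinates.
    cy = offset[0] + scale * p_h / 2.0
    cx = offset[1] + scale * p_w / 2.0
    ys, xs = np.mgrid[0:bg_h, 0:bg_w]
    # Sample at background pixel centres, relative to the patch centre.
    dy = ys + 0.5 - cy
    dx = xs + 0.5 - cx
    # Undo the rotation (transpose of the rotation matrix), undo the scale,
    # then shift back to the patch's own origin.
    src_y = (cos_t * dy + sin_t * dx) / scale + p_h / 2.0
    src_x = (-sin_t * dy + cos_t * dx) / scale + p_w / 2.0
    iy = np.floor(src_y).astype(int)
    ix = np.floor(src_x).astype(int)
    inside = (iy >= 0) & (iy < p_h) & (ix >= 0) & (ix < p_w)
    out[inside] = patch[iy[inside], ix[inside]]
    return out


def compose_sample(background, x0, w, keep_mask, t):
    """M_t(x_b, x_0, tanh(w)) as the page describes it: candidate pixels tanh(w),
    with the masked regions of x0 retained, transformed onto the background."""
    patch = keep_masked_regions(x0, to_pixels(w), keep_mask)
    return transform_and_overlay(background, patch, *t)


def demo():
    """Constructed toy data (not from the patent): a 6x6 'sign' x0 whose 2x2
    central 'glyph' must stay unchanged, an unconstrained candidate w, a 12x12
    background, and three transformations from T (translation, scaling by 2,
    rotation by 90 degrees)."""
    rng = np.random.default_rng(0)
    x0 = -np.ones((6, 6))                   # sign background, encoded as -1
    x0[2:4, 2:4] = 1.0                      # glyph to be preserved, encoded as +1
    keep_mask = np.zeros((6, 6), dtype=bool)
    keep_mask[2:4, 2:4] = True
    w = rng.normal(0.0, 2.0, size=(6, 6))   # unconstrained candidate pixels
    background = np.zeros((12, 12))
    transforms = [(1.0, 0.0, (3, 3)), (2.0, 0.0, (0, 0)), (1.0, 90.0, (3, 3))]
    samples = [compose_sample(background, x0, w, keep_mask, t) for t in transforms]
    return x0, keep_mask, w, samples


if __name__ == "__main__":
    _, _, _, samples = demo()
    for s in samples:
        print(np.round(s, 2))
```

In the first sample the patch is simply pasted at offset (3, 3); in the second it fills the whole background at twice its size; in the third it is rotated by 90 degrees about its centre. In all three the glyph pixels remain exactly +1, which is the invariant the mask is meant to provide.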
Further, in the invention, the white Gaussian noise in step (3) is noise whose instantaneous value follows a Gaussian distribution and whose power spectral density is uniform (flat); it is characterized by the random variables at any two different instants being mutually independent.
In the invention, the white Gaussian noise selected in step (3) has mean 0, and standard deviations of 0.05, 0.005 and 0.01 respectively.
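White Gaussian noise as step (3) defines it, as an added example rather than code from the patent: a numpy routine that draws the noise, adds it to a sample in the tanh range [-1, 1] with clipping so the result is still a valid image, and empirically checks the three stated properties (Gaussian instantaneous value, flat power spectral density, independence between any two instants) for the standard deviations 0.05, 0.01 and 0.005 named above. The 256x256 noise fields and the 8x8 gradient image are constructed inputs, and the function names are chosen here, not taken from the patent.

```python
import numpy as np


def white_gaussian_noise(shape, sigma, rng):
    """White Gaussian noise as the page defines it: every element is an
    independent draw from N(0, sigma^2)."""
    return rng.normal(loc=0.0, scale=sigma, size=shape)


def add_noise(sample, sigma, rng):
    """Step (3): add noise to a training sample whose pixels lie in [-1, 1]
    (the tanh range used by the page) and clip back into that range."""
    noisy = sample + white_gaussian_noise(sample.shape, sigma, rng)
    return np.clip(noisy, -1.0, 1.0)


def noise_statistics(noise, max_lag=10, bands=8):
    """Empirical checks of the three properties the page names.
    - Gaussian instantaneous value: sample mean (should be ~0) and std (~sigma).
    - Independence between instants: normalised autocorrelation at lags
      1..max_lag should be close to 0.
    - Flat power spectral density: the periodogram averaged over `bands`
      equal frequency bands should have min/max close to 1 (by the
      Wiener-Khinchin relation this is the spectral view of the point above)."""
    flat = noise.ravel()
    n = flat.size
    mean = flat.mean()
    std = flat.std()
    centred = flat - mean
    denom = np.dot(centred, centred)
    autocorr = np.array([np.dot(centred[:-k], centred[k:]) / denom
                         for k in range(1, max_lag + 1)])
    periodogram = np.abs(np.fft.rfft(centred)) ** 2 / n
    band_power = np.array([b.mean() for b in np.array_split(periodogram[1:], bands)])
    return {
        "mean": float(mean),
        "std": float(std),
        "max_abs_autocorr": float(np.abs(autocorr).max()),
        "psd_flatness": float(band_power.min() / band_power.max()),
    }


def compare_sigmas(sigmas=(0.05, 0.01, 0.005), shape=(256, 256), seed=0):
    """Statistics for the three standard deviations the page mentions, each on
    a constructed 256x256 noise field drawn from a seeded generator."""
    rng = np.random.default_rng(seed)
    return {s: noise_statistics(white_gaussian_noise(shape, s, rng)) for s in sigmas}


def clipped_demo(sigma=0.05, seed=1):
    """Constructed 8x8 gradient image spanning [-1, 1]; returns the min and max
    of the noisy, clipped result and whether any pixel changed."""
    rng = np.random.default_rng(seed)
    x = np.linspace(-1.0, 1.0, 64).reshape(8, 8)
    y = add_noise(x, sigma, rng)
    return float(y.min()), float(y.max()), bool(np.any(y != x))


if __name__ == "__main__":
    for sigma, stats in compare_sigmas().items():
        print(sigma, stats)
    print(clipped_demo())
```

For the three standard deviations the measured mean is within a small fraction of sigma of zero, the measured std matches sigma to within a few percent, the autocorrelation at non-zero lags is on the order of 1/sqrt(n), and the band-averaged spectrum is flat to within a few percent, which is what makes the noise "white" in the sense the page uses. The clipping step matters because a perturbation added to a pixel already at +1 or -1 would otherwise leave the valid image range.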
In the invention, the loss function after adding the white Gaussian noise in step (4) is as follows:
Figure BDA0002791490060000032
where:
M_t(x_b, x_0, tanh(x')) denotes the image x_0 translated, rotated and scaled and then superimposed on the background image x_b; it also includes a masking operation that keeps certain regions of the image x_0 fixed, i.e. while x_0 is transformed, some regions of x_0 are held unchanged;
Figure BDA0002791490060000033
is the white Gaussian noise;
x is the input original picture, x' is the generated adversarial sample picture, and y' is the input false target class;
c is the weight of the difference between the original image and the adversarial sample;
tanh() is the hyperbolic tangent function, ensuring that each pixel value lies in [-1, 1];
rpn(x) = {r_1, ..., r_m}, where each r_i is a proposal (recommended window) given by 4 coordinates, and x_r is the sub-image of region r;
Figure BDA0002791490060000034
is the loss function measuring the distance between the model output and the misclassification y' that the attack targets;
X is the training set of background pictures;
t is a graphic transformation; T is the set of all graphic transformations, including translation, rotation and scaling;
F is the object detector:
F:
Figure BDA0002791490060000041
where:
h is the height of the input image and w is its width;
k is the confidence of the detected object's class.
In the invention, the picture input in step (1) is a traffic sign picture.
In the invention, the pictures input in step (1) are English stop sign pictures and Chinese stop sign pictures.
The invention has the following beneficial effects:
(1) White Gaussian noise is added to the ShapeShifter algorithm, generating adversarial samples that attack the Faster R-CNN network.
(2) The robustness of the adversarial samples is enhanced; compared with the original algorithm, the method places lower requirements on the precision of the camera equipment.
(3) By simulating a successful physical attack, the potential safety hazards of the deep learning algorithm are fully exposed, a basis is provided for selecting a suitable perception algorithm in engineering applications, and the observed attack effect is used to seek better defense methods.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; other drawings can be obtained from them by those skilled in the art without creative effort.
FIG. 1 is the overall flow diagram of the improved ShapeShifter adversarial sample generation method for physical attacks on the Faster R-CNN object detector, according to an embodiment of the invention;
Example 1: English traffic sign
FIG. 2 is the original sample of an English stop sign according to embodiment 1 of the present invention;
FIG. 3 shows adversarial samples generated from the original English stop sign sample according to embodiment 1 of the present invention;
FIG. 4 is the original stop sign image photographed at a distance of 4.2 m according to embodiment 1 of the present invention;
FIG. 5 is the recognition result for the original stop sign image photographed at a distance of 4.2 m according to embodiment 1 of the present invention;
FIG. 6 is the recognition result for the original stop sign image photographed at a distance of 3.2 m according to embodiment 1 of the present invention;
FIG. 7 is the recognition result for stop sign images photographed at distances from 1.2 m to 5 m (at 0.2 m intervals) according to embodiment 1 of the present invention;
Example 2: Chinese traffic sign
FIG. 8 is the original sample of a Chinese stop sign according to embodiment 2 of the present invention;
FIG. 9 illustrates the adversarial sample generation principle for the Chinese stop sign according to embodiment 2 of the present invention;
FIG. 10 shows adversarial samples of the Chinese stop sign generated with the ShapeShifter algorithm and the improved ShapeShifter algorithm at different values of c according to embodiment 2 of the present invention;
FIG. 11 compares the detection results for adversarial samples of the Chinese stop sign generated with the ShapeShifter algorithm and the improved ShapeShifter algorithm according to embodiment 2 of the present invention (c = 0.005, angle 0°, distance 5 m);
FIG. 12 compares the detection results for adversarial samples of the Chinese stop sign generated with the ShapeShifter algorithm and the improved ShapeShifter algorithm according to embodiment 2 of the present invention (c = 0.005, angle 30°, distance 5 m);
FIG. 13 compares the detection results for adversarial samples of the Chinese stop sign generated with the ShapeShifter algorithm and the improved ShapeShifter algorithm according to embodiment 2 of the present invention, for different parameters, angles and distances.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
This embodiment provides a method for generating adversarial samples to physically attack the Faster R-CNN object detector using the improved ShapeShifter algorithm. FIG. 1 is the flowchart of the adversarial sample generation method for physically attacking the Faster R-CNN object detector according to an embodiment of the present invention; as shown in FIG. 1, the flow comprises the following steps:
(1) inputting an original picture;
(2) processing the original picture with the ShapeShifter algorithm to obtain a training sample;
(3) adding white Gaussian noise to the training sample;
(4) calculating the loss function;
(5) performing back propagation and iteratively updating the picture;
(6) checking whether the number of iterations has been reached; if not, returning to step (2) to start a new iteration, and if so, outputting the adversarial sample picture.
Through the above steps, an adversarial sample is generated from the English stop sign image using the improved ShapeShifter algorithm to attack the Faster R-CNN object detector. Compared with the original ShapeShifter algorithm, when attacking the object detector with the English stop sign, these steps successfully generate adversarial samples that carry out a more effective physical attack on the Faster R-CNN object detector, expose potential safety hazards and problems in the neural network, and help to guarantee driving safety.
FIG. 2 is the original English stop sign sample of the experimental example of the present invention.
An alternative embodiment of steps (1) to (6) of the present invention is described in detail below with reference to FIGS. 3 to 7.
The ShapeShifter algorithm optimization function in step (2) is defined as follows:
Figure BDA0002791490060000061
where:
M_t(x_b, x_0, tanh(x')) denotes the image x_0 translated, rotated and scaled and then superimposed on the background image x_b; it also includes a masking operation that keeps certain regions of the image x_0 fixed, i.e. while x_0 is transformed, some regions of x_0 are held unchanged, which makes the adversarial sample more robust;
x is the input original picture, x' is the generated adversarial sample picture, and y' is the input false target class;
c is the weight of the difference between the original image and the adversarial sample;
tanh() is the hyperbolic tangent function, ensuring that each pixel value lies in [-1, 1];
rpn(x) = {r_1, ..., r_m}, where each r_i is a proposal (recommended window) given by 4 coordinates, and x_r is the sub-image of region r;
Figure BDA0002791490060000062
is the loss function measuring the distance between the model output and the misclassification y' that the attack targets;
F is the object detector:
F:
Figure BDA0002791490060000071
where:
h is the height of the input image and w is its width;
k is the confidence of the detected object's class.
The white Gaussian noise in step (3) is defined with mean 0 and standard deviation 0.05.
The loss function after adding the white Gaussian noise described in step (4) is defined as follows:
Figure BDA0002791490060000072
where:
M_t(x_b, x_0, tanh(x')) denotes the image x_0 translated, rotated and scaled and then superimposed on the background image x_b; it also includes a masking operation that keeps certain regions of the image x_0 fixed, i.e. while x_0 is transformed, some regions of x_0 are held unchanged, which makes the adversarial sample more robust;
Figure BDA0002791490060000073
is the white Gaussian noise;
x is the input original picture, x' is the generated adversarial sample picture, and y' is the input false target class;
c is the weight of the difference between the original image and the adversarial sample;
tanh() is the hyperbolic tangent function, ensuring that each pixel value lies in [-1, 1];
rpn(x) = {r_1, ..., r_m}, where each r_i is a proposal (recommended window) given by 4 coordinates, and x_r is the sub-image of region r;
Figure BDA0002791490060000074
is the loss function measuring the distance between the model output and the misclassification y' that the attack targets;
X is the training set of background pictures;
t is a graphic transformation; T is the set of all graphic transformations, including translation, rotation and scaling;
F is the object detector:
F:
Figure BDA0002791490060000075
where:
h is the height of the input image and w is its width;
k is the confidence of the detected object's class.
FIG. 3 shows two adversarial sample images for the untargeted physical attack, generated through steps (1) to (6) with the original ShapeShifter algorithm and the improved ShapeShifter algorithm respectively.
FIG. 4 is the original image of the stop sign photographed at a distance of 4.2 m. The generated adversarial samples were printed (print size 0.3 m by 0.3 m) and attached to pillars in the park at Tongji University, with the signs 4.2 m from the camera. The three stop signs are arranged from top to bottom: the first image is the original English stop sign, the second is the adversarial sample image generated by the original ShapeShifter algorithm, and the third is the adversarial sample image generated by the improved ShapeShifter algorithm. The images were shot with a Xiaomi Mi 8 phone, with camera resolution 1080p at 30 frames per second.
FIG. 5 is the result of recognizing the original image of the stop sign photographed at a distance of 4.2 m using Faster R-CNN, according to an experimental example of the present invention. The confidence for the original stop sign is 98%; for the stop sign generated by the original ShapeShifter algorithm it is 92%; and for the stop sign generated by the improved ShapeShifter algorithm of this experimental example it is 43% (detection results with confidence below 50% are generally not adopted). That is, the adversarial sample generated here is not correctly recognized by Faster R-CNN. Meanwhile, the adversarial samples generated by the improved ShapeShifter algorithm and by the original algorithm look almost equally perturbed to the naked eye, yet have very different attack effects. This indicates that the improved ShapeShifter algorithm proposed here is more effective.
FIG. 6 is the result of recognizing the original image of the stop sign photographed at a distance of 3.2 m using Faster R-CNN, according to an experimental example of the present invention. The confidence for the original stop sign is 99%; for the stop sign generated by the original ShapeShifter algorithm it is 91%; and for the stop sign generated by the improved ShapeShifter algorithm of this experimental example it is 44%. That is, the stop sign generated in this experimental example is still not correctly identified by Faster R-CNN, which indicates that the improved ShapeShifter algorithm provided in this experimental example is more effective.
FIG. 7 shows the results of taking images at distances from 1.2 m to 5 m (at 0.2 m intervals) and performing detection with Faster R-CNN. The improved ShapeShifter algorithm performed well between 3.2 m and 5 m from the stop sign. Between 1.8 m and 3 m from the stop sign, the improved ShapeShifter algorithm did not perform well.
Through the above steps, the Faster R-CNN object detector can be successfully attacked physically.
As is known in the art, the traffic information perception system comprises an acquisition device, an object detection network (Faster R-CNN), a recognition and decision module, and a recognition output module. A camera installed at the front of the cab collects image data of the driving environment, the images are input to the object detection network for target recognition, and the recognition result is returned to the vehicle. The adversarial sample generated by the method attacks the Faster R-CNN object detector so that the network's object detection is wrong, which further exposes the potential safety hazards and problems of the Faster R-CNN deep learning algorithm and provides a basis for selecting suitable perception and target recognition algorithms in engineering applications. If the Faster R-CNN network is used in a traffic information perception system, an adversarial sample generated by the method of the invention can cause the system to make recognition errors, threatening traffic safety. The method identifies a mechanism and approach that an attacker might adopt to threaten the safety of the traffic information perception system, guides researchers toward more effective defense methods and adversarial sample detection methods, and upgrades the defense system, for example by preprocessing the input image and adding an adversarial sample detection stage, so as to ensure the safety of the system and of driving.
It will be appreciated by those skilled in the art that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to be exhaustive of all embodiments, and obvious variations or modifications derived from them are within the scope of the invention.
Example 2
This embodiment provides a method for generating adversarial samples to physically attack the Faster R-CNN object detector using the improved ShapeShifter algorithm. FIG. 1 is the flowchart of the adversarial sample generation method for physically attacking the Faster R-CNN object detector according to an embodiment of the present invention; as shown in FIG. 1, the flow comprises the following steps:
(1) inputting an original picture;
(2) processing the original picture with the ShapeShifter algorithm to obtain a training sample;
(3) adding white Gaussian noise to the training sample;
(4) calculating the loss function;
(5) performing back propagation and iteratively updating the picture;
(6) checking whether the number of iterations has been reached; if not, returning to step (2) to start a new iteration, and if so, outputting the adversarial sample picture.
Through the above steps, an adversarial sample is generated from the Chinese stop sign image using the improved ShapeShifter algorithm to attack the Faster R-CNN object detector. Compared with the original ShapeShifter algorithm, when attacking the object detector with the Chinese stop sign, these steps successfully generate adversarial samples that carry out a more effective physical attack on the Faster R-CNN object detector, expose potential safety hazards and problems in the neural network, and help to guarantee driving safety.
FIG. 8 is the original sample of the Chinese stop sign according to the experimental example of the present invention.
An alternative embodiment of steps (1) to (6) of the present invention is described in detail below with reference to FIGS. 9 to 12.
The ShapeShifter algorithm optimization function in step (2) is defined as follows:
Figure BDA0002791490060000101
where:
M_t(x_b, x_0, tanh(x')) denotes the image x_0 translated, rotated and scaled and then superimposed on the background image x_b; it also includes a masking operation that keeps certain regions of the image x_0 fixed, i.e. while x_0 is transformed, some regions of x_0 are held unchanged, which makes the adversarial sample more robust;
x is the input original picture, x' is the generated adversarial sample picture, and y' is the input false target class;
c is the weight of the difference between the original image and the adversarial sample;
tanh() is the hyperbolic tangent function, ensuring that each pixel value lies in [-1, 1];
rpn(x) = {r_1, ..., r_m}, where each r_i is a proposal (recommended window) given by 4 coordinates, and x_r is the sub-image of region r;
Figure BDA0002791490060000111
is the loss function measuring the distance between the model output and the misclassification y' that the attack targets;
F is the object detector:
F:
Figure BDA0002791490060000112
where:
h is the height of the input image and w is its width;
k is the confidence of the detected object's class.
Defining the mean value of the Gaussian white noise in the step (3) as 0 and the standard deviation as 0.05.
Defining the loss function after adding the white gaussian noise described in the step (4) as follows:
Figure BDA0002791490060000113
wherein the content of the first and second substances,
,Mt(xb,xotanh (x')) represents the image x0Go on to levelShifted, rotated and scaled, then superimposed on the background image xbAlso includes maintaining the image x0Masking operations of certain areas, i.e. when transforming image x0While maintaining image x0Some upper regions are unchanged, so that the confrontation samples are more robust;
Figure BDA0002791490060000114
is gaussian white noise;
x is the input original picture, x 'is the generated countermeasure sample picture, and y' is the input false target classification;
c is the weight of the difference between the original image and the confrontation sample;
tanh () is a hyperbolic tangent function, ensuring that each pixel value is between [ -1, 1 ];
rpn(x) = {r_1, ..., r_m}, where each r_i represents a region proposal window expressed by 4 coordinates, and x_r is the sub-image of region r;
Figure BDA0002791490060000121
is a loss function of the distance between the output of the model and the misclassification y' that needs to be attacked;
X is the training set of background pictures;
t is a graphic transformation; T is the set of all graphic transformations, including translation, rotation and scaling;
F is the target detector:
F:
Figure BDA0002791490060000122
wherein:
h is the height of the input image, w is the width of the input image;
k is the confidence of the detected object classification.
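Steps (2) and (3) as defined above, written out as an added illustration (this is not code from the patent or from the ShapeShifter authors): the transformation-and-mask operator M_t, the tanh pixel parameterisation, the zero-mean Gaussian white noise with standard deviation 0.05, the c-weighted distance term, and one Monte Carlo draw over backgrounds and transformations. The toy sign, the view tuples (angle, scale, shift) that stand in for the viewing angles and distances of the experiments, and every helper name are assumptions. The detector F and its loss L_F are deliberately left out; what remains is the sampling and measurement side, which is also what a defender needs to evaluate a detector across the same transformation family.

```python
# Steps (2)-(3) above: M_t transformation with masking, tanh pixel range, white
# Gaussian noise and the c-weighted distance term. Images are grayscale H x W lists
# of floats in [-1, 1]; all data is constructed and helper names are hypothetical.
import math
import random

def tanh_image(z):
    """tanh parameterisation: every pixel of the free variable z maps into [-1, 1]."""
    return [[math.tanh(v) for v in row] for row in z]

def apply_mask(x_o, x_adv, keep):
    """Masking: where keep[i][j] is True the original pixel of x_o stays unchanged
    (the white characters of the sign); elsewhere the candidate x_adv is used."""
    return [[x_o[i][j] if keep[i][j] else x_adv[i][j]
             for j in range(len(x_o[0]))] for i in range(len(x_o))]

def transform(img, angle_deg, scale, dx, dy):
    """Scale and rotate about the image centre, then translate by (dx, dy), via
    inverse nearest-neighbour sampling. Also returns a coverage map marking the
    output pixels that received a source pixel."""
    h, w = len(img), len(img[0])
    cy, cx = (h - 1) / 2.0, (w - 1) / 2.0
    th = math.radians(angle_deg)
    cos_t, sin_t = math.cos(th), math.sin(th)
    out = [[0.0] * w for _ in range(h)]
    cov = [[False] * w for _ in range(h)]
    for i in range(h):
        for j in range(w):
            u, v = (j - dx) - cx, (i - dy) - cy         # undo the shift, centre
            sx = (cos_t * u + sin_t * v) / scale + cx   # inverse rotation / scale
            sy = (-sin_t * u + cos_t * v) / scale + cy
            si, sj = int(round(sy)), int(round(sx))
            if 0 <= si < h and 0 <= sj < w:
                out[i][j] = img[si][sj]
                cov[i][j] = True
    return out, cov

def composite(x_b, patch, support, t):
    """M_t(x_b, x_o, tanh(x')): transform the sign patch and its support (pixels that
    belong to the sign) by t = (angle, scale, dx, dy) and superimpose the result on
    the background x_b; pixels outside the transformed sign keep the background."""
    moved, cov = transform(patch, *t)
    sup, _ = transform([[1.0 if s else 0.0 for s in row] for row in support], *t)
    return [[moved[i][j] if cov[i][j] and sup[i][j] > 0.5 else x_b[i][j]
             for j in range(len(x_b[0]))] for i in range(len(x_b))]

def add_white_noise(img, rng, sigma=0.05):
    """Step (3): zero-mean Gaussian white noise (std 0.05 in the text), drawn
    independently per pixel, then clipped back into [-1, 1]."""
    return [[max(-1.0, min(1.0, v + rng.gauss(0.0, sigma))) for v in row] for row in img]

def noise_stats(n, seed=0, sigma=0.05):
    """Empirical mean and std of the noise added to an n x n zero image (sanity check)."""
    vals = [v for row in add_white_noise([[0.0] * n] * n, random.Random(seed), sigma) for v in row]
    mean = sum(vals) / len(vals)
    return mean, math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))

def distance_penalty(x_adv, x_o, c):
    """The c-weighted term c * ||tanh(x') - x_o||_2^2 that keeps x' close to x_o."""
    return c * sum((a - b) ** 2 for ra, rb in zip(x_adv, x_o) for a, b in zip(ra, rb))

def sample_batch(backgrounds, x_o, z, keep, support, transforms, rng, sigma=0.05):
    """One Monte Carlo draw of E_{x_b ~ X, t ~ T}: the masked candidate is pasted on
    every background under every transform and noised. The detector loss L_F of the
    text would be evaluated on each returned image (no detector is included here)."""
    x_adv = apply_mask(x_o, tanh_image(z), keep)
    return [add_white_noise(composite(x_b, x_adv, support, t), rng, sigma)
            for x_b in backgrounds for t in transforms]

def make_demo(size=16):
    """Constructed toy data: a round sign (dark body, -0.3) carrying a white bar of
    'characters' (1.0, held fixed by the mask) on a flat background (0.2)."""
    c = (size - 1) / 2.0
    support = [[(i - c) ** 2 + (j - c) ** 2 <= (c - 1) ** 2 for j in range(size)]
               for i in range(size)]
    keep = [[support[i][j] and size // 2 - 1 <= i <= size // 2 and 4 <= j < size - 4
             for j in range(size)] for i in range(size)]
    x_o = [[1.0 if keep[i][j] else (-0.3 if support[i][j] else 0.2)
            for j in range(size)] for i in range(size)]
    return x_o, keep, support, [[0.2] * size for _ in range(size)]

def demo_batch(seed=0, size=16):
    """Sampling step on the toy sign for three views (angle, scale, shift) that stand
    in for the viewing angles and distances of the evaluation described above."""
    x_o, keep, support, x_b = make_demo(size)
    rng = random.Random(seed)
    z = [[rng.gauss(0.0, 0.5) for _ in row] for row in x_o]   # free variable x'
    views = [(0, 1.0, 0, 0), (30, 0.8, 1, 0), (-30, 0.6, 0, -1)]
    return sample_batch([x_b, [[-0.2] * size for _ in range(size)]],
                        x_o, z, keep, support, views, rng)

if __name__ == "__main__":
    _, keep, _, _ = make_demo()
    print(len(demo_batch()), "sampled images; pixels held fixed by the mask:", sum(map(sum, keep)))
```

The `keep` mask plays the role of the white characters in the description of Fig. 9: before noise is added, those pixels are identical in every sampled image, and only the sign body is free to change. Replacing the toy data with real sign crops, backgrounds and a detector's scores over the same view grid gives a robustness sweep of the kind the Fig. 13 comparison reports.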
Fig. 9 shows the adversarial sample generation principle for the Chinese stop sign in experimental example 2 of the present invention: for the Chinese stop sign, the white "stop" characters are left unchanged and only the red background is modified in order to generate the adversarial sample.
Fig. 10 shows the adversarial samples generated by the ShapeShifter algorithm and by the improved ShapeShifter algorithm for a targeted attack towards the class "ball", at different values of c (0.1 and 0.005). The parameter c is the weight of the difference between the original image and the adversarial sample and controls the degree of similarity between x and x'; the larger c is, the more similar the sample is to the original image.
Fig. 11 shows the recognition result for an adversarial sample of the Chinese stop sign photographed at a distance of 5 m and an angle of 0°, with c = 0.005. (a) Recognition result for the adversarial sample generated by the original ShapeShifter algorithm: Faster R-CNN recognizes the adversarial sample of the Chinese stop sign with 79% confidence, and a "ball" is recognized only in a partial region of the sign. Because the final result is determined by the bounding box of the real stop sign, and the perception system will make a "stop" decision when it detects the stop sign, the original algorithm cannot successfully carry out a physical attack on the Chinese stop sign in this case. (b) Recognition result for the adversarial sample generated by the improved ShapeShifter algorithm: Faster R-CNN recognizes the adversarial sample of the Chinese stop sign as a "ball" with 86% confidence, and the partial region of the sign is also recognized as a "ball", so the adversarial sample generated by the improved ShapeShifter algorithm successfully carries out a physical attack on the Chinese stop sign.
Fig. 12 shows the recognition result for an adversarial sample of the Chinese stop sign photographed at a distance of 5 m and an angle of 30°, with c = 0.005. (a) Recognition result for the adversarial sample generated by the original ShapeShifter algorithm: Faster R-CNN cannot effectively recognize the adversarial sample of the Chinese stop sign (detection results with confidence below 50% are filtered out), so the original ShapeShifter algorithm cannot successfully carry out a targeted physical attack on the Chinese stop sign. (b) Recognition result for the adversarial sample generated by the improved ShapeShifter algorithm: Faster R-CNN recognizes the adversarial sample of the Chinese stop sign as a "ball" with 92% confidence. Therefore the adversarial samples generated by the improved ShapeShifter algorithm successfully carry out a physical attack on the Chinese stop sign.
Fig. 13 compares the detection results of the Faster R-CNN network on the Chinese stop sign adversarial samples generated by the ShapeShifter algorithm and by the improved ShapeShifter algorithm, with c taken as 0.005 and 0.01. It can be seen that Faster R-CNN correctly recognizes the original stop sign with 99% confidence regardless of angle and distance; that the improved ShapeShifter algorithm provided in this experimental example can carry out effective physical attacks on the Chinese stop sign at different angles and different distances; and that the choice of parameters has a great influence on whether the physical attack succeeds: the parameter c is the weight of the difference between the original image and the adversarial sample and controls the degree of similarity to x, and the larger c is, the more similar the sample is to the original image. When c is 0.01, neither the original ShapeShifter algorithm nor the improved ShapeShifter algorithm of this experimental example performs well; when c is 0.005, the improved ShapeShifter algorithm can successfully carry out a targeted attack on the stop sign, and it is superior to the original ShapeShifter algorithm. However, when the distance is large, for example 10 m, the stop sign is so small that the perturbation becomes almost negligible, and the adversarial sample attack does not succeed.
Through the processing of the above steps, a physical attack on the Faster R-CNN target detector can be carried out successfully.
The traffic information perception system collects image data of the driving environment with a camera mounted at the front of the cab, feeds the images into the corresponding target detection network for target recognition, and returns the recognition result to the vehicle. The adversarial samples generated by the method of the invention target the Faster R-CNN target detector and cause its detections to be wrong, which further exposes the potential safety hazards and problems of the Faster R-CNN deep learning algorithm and provides a basis for selecting a suitable perception algorithm and target recognition algorithm in engineering applications. If the Faster R-CNN network is used in a traffic information perception system, adversarial samples generated by the method of the invention can cause the system to misidentify objects or fail, thereby threatening traffic safety. The method identifies a mechanism and method that an attacker could adopt to threaten the safety of the traffic information perception system, guides researchers to develop more effective defense methods and adversarial sample detection methods, and upgrades the defense system, for example by preprocessing the input image and adding an adversarial sample detection stage, so as to ensure the safety of the system and of driving.
It will be appreciated by those skilled in the art that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to those skilled in the art in light of the above description; the examples are neither required nor exhaustive of all embodiments, and obvious variations or modifications therefrom are within the scope of the invention.

Claims (8)

1. A physical attack counterattack sample generation method facing traffic information perception is characterized by comprising the following steps:
(1) inputting an original picture;
(2) processing the original picture by using a ShapeShifter algorithm to obtain a training sample;
(3) adding white Gaussian noise to the training sample;
(4) calculating a loss function;
(5) performing back propagation and iteratively updating the picture;
(6) checking whether the number of iterations has been reached; if not, returning to step (2) to start a new iteration, and if so, outputting the adversarial sample picture.
2. The method for generating physical attack adversarial samples for traffic information perception according to claim 1, wherein the main attacked network is a Faster R-CNN target detector.
3. The method for generating physical attack adversarial samples for traffic information perception according to claim 1, wherein the ShapeShifter algorithm in step (2) is an adversarial sample generation algorithm aimed mainly at the target detector of a Faster R-CNN network, and its optimization function is defined as follows:
Figure FDA0002791490050000011
wherein:
M_t(x_b, x_o, tanh(x')) represents the image x_o translated, rotated and scaled and then superimposed on the background image x_b; it also includes a masking operation that keeps certain areas of the image x_o unchanged, i.e. while the image x_o is transformed, some of its regions are held fixed, making the adversarial sample more robust;
x is the input original picture, x 'is the generated countermeasure sample picture, and y' is the input false target classification;
c is the weight of the difference between the original image and the confrontation sample;
tanh () is a hyperbolic tangent function, ensuring that each pixel value is between [ -1, 1 ];
rpn(x) = {r_1, ..., r_m}, where each r_i represents a region proposal window expressed by 4 coordinates, and x_r is the sub-image of region r;
Figure FDA0002791490050000021
is a loss function of the distance between the output of the model and the misclassification y' that needs to be attacked;
F is the target detector:
F:
Figure FDA0002791490050000022
wherein:
h is the height of the input image, w is the width of the input image;
k is the confidence of the detected object classification.
4. The method for generating physical attack adversarial samples for traffic information perception according to claim 1, wherein the Gaussian white noise in step (3) is noise whose instantaneous values follow a Gaussian distribution and whose power spectral density is uniform, and whose values at any two different instants are mutually independent random variables.
5. The method for generating physical attack adversarial samples for traffic information perception according to claim 1, wherein the mean value of the Gaussian white noise selected in step (3) is 0, and the standard deviation is 0.05, 0.005 and 0.01 respectively.
6. The method for generating physical attack adversarial samples for traffic information perception according to claim 1, wherein the loss function after adding the white Gaussian noise in step (4) is expressed by the following formula:
Figure FDA0002791490050000023
wherein:
M_t(x_b, x_o, tanh(x')) represents the image x_o translated, rotated and scaled and then superimposed on the background image x_b; it also includes a masking operation that keeps certain areas of the image x_o unchanged, i.e. while the image x_o is transformed, some of its regions are held fixed;
Figure FDA0002791490050000031
is the Gaussian white noise;
x is the input original picture, x 'is the generated countermeasure sample picture, and y' is the input false target classification;
c is the weight of the difference between the original image and the confrontation sample;
tanh () is a hyperbolic tangent function, ensuring that each pixel value is between [ -1, 1 ];
rpn(x) = {r_1, ..., r_m}, where each r_i represents a region proposal window expressed by 4 coordinates, and x_r is the sub-image of region r;
Figure FDA0002791490050000032
is a loss function of the distance between the output of the model and the misclassification y' that needs to be attacked;
F is the target detector:
F:
Figure FDA0002791490050000033
wherein:
h is the height of the input image, w is the width of the input image;
k is the confidence of the detected object classification.
7. The method for generating physical attack adversarial samples for traffic information perception according to claim 1, wherein the picture input in step (1) is a traffic sign picture.
8. The method for generating physical attack adversarial samples for traffic information perception according to claim 1, wherein the pictures input in step (1) are English stop sign pictures and Chinese stop sign pictures.
CN202011316184.4A 2020-11-22 2020-11-22 Physical attack counterattack sample generation method facing traffic information perception Pending CN112541404A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011316184.4A CN112541404A (en) 2020-11-22 2020-11-22 Physical attack counterattack sample generation method facing traffic information perception

Publications (1)

Publication Number Publication Date
CN112541404A true CN112541404A (en) 2021-03-23

Family

ID=75014571

Country Status (1)

Country Link
CN (1) CN112541404A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109948658A (en) * 2019-02-25 2019-06-28 浙江工业大学 The confrontation attack defense method of Feature Oriented figure attention mechanism and application
CN110175513A (en) * 2019-04-15 2019-08-27 浙江工业大学 A kind of guideboard identification attack defense method based on the optimization of multiple target road
CN110175611A (en) * 2019-05-24 2019-08-27 浙江工业大学 Defence method and device towards Vehicle License Plate Recognition System black box physical attacks model
CN110674938A (en) * 2019-08-21 2020-01-10 浙江工业大学 Anti-attack defense method based on cooperative multi-task training

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Shang-Tse Chen et al., "ShapeShifter: Robust Physical Adversarial Attack on Faster R-CNN Object Detector", arXiv:1804.05810v3 [cs.CV] *
Shize Huang Chen et al., "An improved ShapeShifter method of generating adversarial examples for physical attacks on stop signs against Faster R-CNNs", Computers & Security *
刘西蒙 等 (Liu Ximeng et al.), "深度学习中的对抗攻击与防御" (Adversarial attacks and defenses in deep learning), 网络与信息安全学报 (Chinese Journal of Network and Information Security) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113361582A (en) * 2021-06-01 2021-09-07 珠海大横琴科技发展有限公司 Method and device for generating countermeasure sample
CN114368394A (en) * 2021-12-31 2022-04-19 北京瑞莱智慧科技有限公司 Method and device for attacking V2X equipment based on Internet of vehicles and storage medium
CN115909020A (en) * 2022-09-30 2023-04-04 北京瑞莱智慧科技有限公司 Model robustness detection method, related device and storage medium
CN115909020B (en) * 2022-09-30 2024-01-09 北京瑞莱智慧科技有限公司 Model robustness detection method, related device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20210323