CN112766324A - Image adversarial example detection method, system, storage medium, terminal and application - Google Patents
- Publication number
- CN112766324A
- Authority
- CN
- China
- Prior art keywords
- image
- noise
- original image
- noise reduction
- value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
- G06F18/2415—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06V—IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
- G06V10/00—Arrangements for image or video recognition or understanding
- G06V10/20—Image preprocessing
- G06V10/30—Noise filtering
Abstract
The invention belongs to the field of image recognition within deep learning and discloses an image adversarial example detection method, system, storage medium, terminal and application. A noise reduction neural network performs noise reduction on the original image to obtain a noise-reduced image; the classification model classifies the original image to obtain its logits value; the classification model classifies the noise-reduced image to obtain its logits value; a difference score between the original image and the noise-reduced image is calculated from the two logits values; and the original image is judged to be an adversarial example or a normal sample according to the difference score. The noise reduction neural network only needs to be trained under additive white Gaussian noise, which greatly reduces the training cost; it uses the xUnit activation unit, which greatly reduces the number of noise reduction model parameters and facilitates deployment on devices with limited computing resources.
Description
Technical Field
The invention belongs to the field of image recognition within deep learning, and particularly relates to an image adversarial example detection method, an image adversarial example detection system, a storage medium, a terminal and an application.
Background
Image recognition is an important branch of deep learning. Applications based on image recognition technology carry out a variety of complex tasks in daily life and play an increasingly important role. In fields with high requirements on system security, such as face recognition, automatic driving and finance, the deep learning model needs to be highly stable and accurate. Recent studies have found that deep learning models are vulnerable to carefully crafted input samples. Adding a slight perturbation that is difficult for the human eye to detect to the original data can cause the classification model to misclassify it; such input samples are called adversarial examples.
At present, adversarial example attacks are resisted mainly by adversarial training defenses and by model optimization defenses. Adversarial training requires retraining the classification model. First, adversarial examples are generated with an adversarial example generation algorithm; then they are added to the original training data set; finally the classification model is retrained on the newly constructed data set, which improves the robustness of the model. Because adversarial examples must be generated and the classification model retrained, adversarial training is time-consuming. Model optimization defenses require modifying the structure of the classification model. Most adversarial attack algorithms need the gradient information of the classification model to generate adversarial examples, and these defenses modify the model to mask the gradient information and make the attack harder, thereby improving the model's ability to resist adversarial examples. Because they require modifying the structure of the original classification model, model optimization defenses are too intrusive.
Through the above analysis, the problems and defects of the prior art are as follows:
(1) Existing adversarial training defenses need to generate a large number of adversarial examples with an adversarial example generation algorithm, and generation algorithms with a good attack effect are time-consuming, so a large amount of time is spent in the data set construction stage.
(2) Existing model optimization defenses need to modify the structure of the original classification model, which is too intrusive. In practice, a classification model trained by someone else is usually used, so this approach has limitations.
(3) Both existing adversarial training defenses and existing model optimization defenses need to retrain the classification model, which also takes a lot of time if the model is large.
The difficulty in solving the above problems and defects is: how to reduce the time cost of building an adversarial example defense system; how to make full use of the existing classification model and avoid modifying it; and how to ensure that the defense system can detect adversarial examples without greatly affecting the accuracy on normal samples.
The significance of solving these problems and defects is as follows: as the above analysis shows, solving them means the image adversarial example detection system does not have to modify the original classification model, and an image adversarial example defense system can be constructed quickly.
Disclosure of Invention
To address the problems in the prior art, the invention provides an image adversarial example detection method, system, storage medium, terminal and application.
The invention is realized as follows. An image adversarial example detection method comprises the following steps:
the noise reduction neural network performs noise reduction on the original image, smoothing out the adversarial perturbation, to obtain a noise-reduced image;
the classification model classifies the original image to obtain its logits value;
the classification model classifies the noise-reduced image to obtain its logits value;
a difference score between the original image and the noise-reduced image is calculated from the logits values of the original image and the noise-reduced image;
and the original image is judged to be an adversarial example or a normal sample according to the difference score.
Further, the noise reduction neural network performs noise reduction on the original image to obtain a noise-reduced image as follows: first, the original image is copied to obtain a duplicate image; second, the duplicate image is input into the noise reduction neural network, which extracts the noise image contained in the duplicate image; then the noise image is subtracted from the duplicate image to obtain a difference; and finally the difference is clipped to the range 0 to 1 to obtain the noise-reduced image.
Further, the classification model classifies the original image to obtain its logits value as follows: first, the original image is normalized; then the normalized original image is input into the classification model; and finally the output of the last layer of the classification model's neural network is taken, which is the logits value of the original image.
Further, the classification model classifies the noise-reduced image to obtain its logits value as follows: first, the noise-reduced image is normalized; then the normalized noise-reduced image is input into the classification model; and finally the output of the last layer of the classification model's neural network is taken, which is the logits value of the noise-reduced image.
Further, the difference score between the original image and the noise-reduced image is calculated from their logits values as follows: the logits values are processed through a softmax function to obtain s values; second, the L1 distance between the s value of the original image and the s value of the noise-reduced image is calculated to obtain a difference score d; and finally the maximum d is taken as the final difference score between the original image and the noise-reduced image.
Further, whether the original image is an adversarial example or a normal sample is judged according to the difference score as follows: a threshold T is obtained on the training data set; if the difference score between the original image and the noise-reduced image is greater than the threshold T, the original image is an adversarial example; if the difference score is less than the threshold T, the original image is a normal sample.
Another object of the present invention is to provide a computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the following steps:
the noise reduction neural network performs noise reduction on the original image to obtain a noise-reduced image;
the classification model classifies the original image to obtain its logits value;
the classification model classifies the noise-reduced image to obtain its logits value;
a difference score between the original image and the noise-reduced image is calculated from the logits values of the original image and the noise-reduced image;
and the original image is judged to be an adversarial example or a normal sample according to the difference score.
Another object of the present invention is to provide an information data processing terminal for implementing the image adversarial example detection method.
Another object of the present invention is to provide an image adversarial example detection system implementing the image adversarial example detection method, the system including:
the image noise reduction module, which removes the adversarial noise in the input original image using the trained noise reduction neural network;
the classification module, which runs the classification model on the original image and the noise-reduced image to obtain the logits values output by the classification model;
and the judging module, which calculates the difference score between the original image and the noise-reduced image and judges whether the input original image is an adversarial example according to the threshold T obtained on the training data set.
Another object of the present invention is to provide an image recognition terminal for implementing the image adversarial example detection method, the image recognition terminal comprising: a face recognition terminal, an automatic driving terminal, or a financial terminal.
Taking all of the above technical schemes together, the advantages and positive effects of the invention are: the method does not modify the original classification model, is minimally intrusive, and simplifies the construction of an adversarial example defense system; the noise reduction neural network it introduces is trained only under additive white Gaussian noise, so no adversarial examples have to be generated in the training stage and the training cost is greatly reduced; because no adversarial examples are introduced in the training stage, the noise reduction neural network can defend against a variety of different adversarial attack methods; and the noise reduction neural network adopts the latest xUnit activation unit, which greatly reduces its parameter count and facilitates deployment on devices with limited computing resources.
The method can effectively detect adversarial examples among input original images without greatly affecting the accuracy on normal samples. Experiments were carried out on three data sets: MNIST, CIFAR-10 and ImageNet. For the MNIST dataset, the overall detection accuracy was 97.3%, with a precision of 97.1% and a recall of 97.6% for normal samples, and a precision of 97.6% and a recall of 97.1% for adversarial examples; for the CIFAR-10 dataset, the overall detection accuracy was 89.3%, with a precision of 89% and a recall of 89.8% for normal samples, and a precision of 89.7% and a recall of 88.9% for adversarial examples; for the ImageNet dataset, the overall detection accuracy was 85.9%, with a precision of 85.5% and a recall of 86.4% for normal samples, and a precision of 86.3% and a recall of 85.4% for adversarial examples.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below. The drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of an image adversarial example detection method according to an embodiment of the invention.
FIG. 2 is a schematic structural diagram of an image adversarial example detection system provided by an embodiment of the invention.
In FIG. 2: 1. image noise reduction module; 2. classification module; 3. judging module.
FIG. 3 is a system diagram of an image adversarial example detection system according to an embodiment of the present invention.
FIG. 4 is a schematic structural diagram of an activation unit according to an embodiment of the present invention.
FIG. 5 is a schematic structural diagram of a noise reduction neural network according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In view of the problems in the prior art, the present invention provides an image adversarial example detection method, system, storage medium, terminal and application, described in detail below with reference to the accompanying drawings.
As shown in FIG. 1, the image adversarial example detection method provided by the invention comprises the following steps:
S101: the noise reduction neural network performs noise reduction on the original image to obtain a noise-reduced image;
S102: the classification model classifies the original image to obtain its logits value;
S103: the classification model classifies the noise-reduced image to obtain its logits value;
S104: a difference score between the original image and the noise-reduced image is calculated from the logits values of the original image and the noise-reduced image;
S105: the original image is judged to be an adversarial example or a normal sample according to the difference score.
The image adversarial example detection method provided by the present invention can also be implemented with other steps; the method shown in FIG. 1 is only one specific embodiment.
As shown in FIG. 2, the image adversarial example detection system provided by the present invention includes:
the image noise reduction module 1, which removes the adversarial noise in the input original image using the trained noise reduction neural network;
the classification module 2, which runs the classification model on the original image and the noise-reduced image to obtain the logits values output by the classification model;
and the judging module 3, which calculates the difference score between the original image and the noise-reduced image and judges whether the input original image is an adversarial example according to the threshold T obtained on the training data set.
The technical solution of the present invention is further described below with reference to the accompanying drawings.
FIG. 3 shows the image adversarial example detection system in detail. A noise reduction neural network performs noise reduction on the original image to obtain a noise-reduced image, and whether the input original image is an adversarial example is judged from the difference between the classification model's outputs on the original image and on the noise-reduced image.
The noise reduction neural network performs noise reduction on the original image to obtain a noise-reduced image. First, the original image is copied to obtain a duplicate image; second, the duplicate image is input into the noise reduction neural network, which extracts the noise image contained in the duplicate image; then the noise image is subtracted from the duplicate image to obtain a difference; and finally the difference is clipped to the range 0 to 1 to obtain the noise-reduced image.
The classification model classifies the original image and the noise-reduced image to obtain their logits values. First, the image is normalized; then the normalized image is input into the classification model; and finally the output of the last layer of the classification model's neural network is taken, which is the logits value of the image.
Using the logits values of the original image and the noise-reduced image, a difference score between the original image and the noise-reduced image is calculated. Let the logits output of the classification model be $l$, and let $l_i$ denote the i-th element of $l$; the softmax value $s_i$ of the i-th element is then calculated as follows:
$s_i$ satisfies $0 \le s_i \le 1$ and $\sum_i s_i = 1$, so $s_i$ can be regarded as the probability that the input image is classified into the i-th class. Second, the $L_1$ distance between the s value of the original image and the s value of the noise-reduced image is calculated to obtain a difference score d, which is calculated as follows:
To defend against different types of adversarial attack methods, the invention uses several noise reduction neural networks trained under different noise levels, so a group of difference scores d is obtained; the maximum difference score d is taken as the final difference score between the original image and the noise-reduced image.
Whether the original image is an adversarial example or a normal sample is judged according to the difference score. By specifying the desired detection accuracy for normal samples, a threshold T can be obtained on the training data set; if the difference score between the original image and the noise-reduced image is greater than the threshold T, the original image is an adversarial example; if the difference score is less than the threshold T, the original image is a normal sample.
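The scoring and decision steps described above (softmax, L1 distance, maximum over several denoisers, threshold T), as an added example that is not code from the patent. The denoisers and the classifier are constructed stand-ins (moving-average filters and a two-class linear model over 16-pixel 1-D "images"), and treating a score exactly equal to T as normal is an assumption.

```python
import math
import random

def softmax(logits):
    """s_i for each logit l_i, shifted by max(l) for numerical stability."""
    m = max(logits)
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]

def l1_distance(p, q):
    return sum(abs(a - b) for a, b in zip(p, q))

def denoise(image, noise_net):
    """Copy the image, let the network extract the noise, subtract it, clip to [0, 1]."""
    copy = list(image)
    noise = noise_net(copy)
    return [min(1.0, max(0.0, c - n)) for c, n in zip(copy, noise)]

def difference_score(image, classifier, noise_nets):
    """Largest L1 distance between softmax(original) and softmax(denoised) over all denoisers."""
    s_orig = softmax(classifier(image))
    return max(l1_distance(s_orig, softmax(classifier(denoise(image, net))))
               for net in noise_nets)

def calibrate_threshold(normal_scores, target_accuracy):
    """Smallest T such that at least target_accuracy of the normal scores are <= T."""
    ranked = sorted(normal_scores)
    k = math.ceil(target_accuracy * len(ranked)) - 1
    return ranked[min(len(ranked) - 1, max(0, k))]

def is_adversarial(score, threshold):
    # The page says score > T is adversarial and score < T is normal;
    # treating score == T as normal is an assumption of this example.
    return score > threshold

# ---- Constructed stand-ins, not the patent's networks ----
N = 16  # pixels per toy 1-D "image"

def make_noise_net(window):
    """Stand-in denoiser: returns the estimated noise (input minus moving average)."""
    half = window // 2
    def noise_net(img):
        n = len(img)
        smooth = [sum(img[min(n - 1, max(0, i + k))] for k in range(-half, half + 1)) / window
                  for i in range(n)]
        return [x - s for x, s in zip(img, smooth)]
    return noise_net

def toy_classifier(image):
    """Normalize (assumed mean 0.5, std 0.5), then return two logits; the second
    reacts to pixel-to-pixel alternation, which makes it easy to perturb."""
    xn = [(x - 0.5) / 0.5 for x in image]
    return [2.0, 8.0 * sum((-1) ** i * v for i, v in enumerate(xn))]

def make_normal(rng):
    """Constructed normal sample: a smooth ramp with slight sensor-like noise."""
    slope, start = rng.uniform(0.02, 0.04), rng.uniform(0.1, 0.3)
    return [min(1.0, max(0.0, start + slope * i + rng.gauss(0.0, 0.005))) for i in range(N)]

def perturb(image, eps=0.05):
    """Constructed small high-frequency perturbation that changes the toy classifier's output."""
    return [min(1.0, max(0.0, x + eps * (-1) ** i)) for i, x in enumerate(image)]

def run_demo(seed=7):
    rng = random.Random(seed)
    nets = [make_noise_net(3), make_noise_net(5)]  # stand-ins for denoisers at two noise levels
    calibration = [make_normal(rng) for _ in range(200)]
    normal_scores = [difference_score(x, toy_classifier, nets) for x in calibration]
    threshold = calibrate_threshold(normal_scores, 0.95)  # desired accuracy on normal samples
    adv_scores = [difference_score(perturb(x), toy_classifier, nets) for x in calibration[:20]]
    return threshold, normal_scores, adv_scores

if __name__ == "__main__":
    T, normal, adv = run_demo()
    print(f"T={T:.4f}  max normal={max(normal):.4f}  min perturbed={min(adv):.4f}")
```

The score is bounded by 2, the largest possible L1 distance between two probability vectors, so T always lies in [0, 2].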
FIG. 4 shows the specific structure of the xUnit activation unit of the image adversarial example detection system provided by the present invention. The xUnit is more complex than the common ReLU, Sigmoid and Tanh: one xUnit combines the operations Batch-Norm, ReLU, Conv2d, Batch-Norm, Gaussian and Multiply in sequence, and it can learn and store information during training. Because the xUnit can learn, the depth of the noise reduction neural network can be reduced, which reduces the number of parameters of the whole structure. In addition, finer noise can be learned by using the xUnit.
FIG. 5 shows the specific structure of the noise reduction neural network of the image adversarial example detection system provided by the present invention. The noise reduction neural network is a residual network built from a series of Conv2d layers and xUnits; its input is a noisy image and its output is the noise.
The technical effects of the present invention will be described in detail with reference to experiments.
In the experiments the model is implemented with the well-known open-source deep learning framework PyTorch, on GeForce RTX 2080 Ti hardware. To test the performance of the model, five adversarial attack algorithms, FGSM, PGD, JSMA, DeepFool and CW, are used to generate adversarial examples. For the MNIST data set, 200 adversarial examples are generated with each of the 5 attack algorithms, and 1000 normal samples are randomly drawn from the MNIST test set, so the MNIST test data comprises 1000 adversarial examples and 1000 normal samples. The CIFAR-10 test data is built in the same way as for MNIST and comprises 1000 adversarial examples and 1000 normal samples. For the ImageNet data set, 100 adversarial examples are generated with each of the 5 attack algorithms, and 500 normal samples are randomly drawn from the ImageNet test set, so the ImageNet test data comprises 500 adversarial examples and 500 normal samples.
The experimental results show that the method can effectively detect adversarial examples among input original images without greatly affecting the accuracy on normal samples. For the MNIST dataset, the overall detection accuracy was 97.3%, with a precision of 97.1% and a recall of 97.6% for normal samples, and a precision of 97.6% and a recall of 97.1% for adversarial examples; for the CIFAR-10 dataset, the overall detection accuracy was 89.3%, with a precision of 89% and a recall of 89.8% for normal samples, and a precision of 89.7% and a recall of 88.9% for adversarial examples; for the ImageNet dataset, the overall detection accuracy was 85.9%, with a precision of 85.5% and a recall of 86.4% for normal samples, and a precision of 86.3% and a recall of 85.4% for adversarial examples.
On the one hand, the noise reduction neural network only needs to be trained under additive white Gaussian noise, and no adversarial example generation algorithm has to be introduced in the training process, so the training time is greatly reduced; on the other hand, the noise reduction neural network is shallow and converges quickly. In conclusion, the invention reduces the time cost of constructing an adversarial example defense system.
The image adversarial example defense model provided by the invention makes full use of the output of the classification model and does not modify the structure of the existing classification model.
Experimental results show that the size of the image adversarial example defense model is only 1.2MB, which favors deployment on devices with limited computing resources.
It should be noted that the embodiments of the present invention can be realized by hardware, software, or a combination of software and hardware. The hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory and executed by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the apparatus and methods described above may be implemented using computer executable instructions and/or embodied in processor control code, such code being provided on a carrier medium such as a disk, CD-or DVD-ROM, programmable memory such as read only memory (firmware), or a data carrier such as an optical or electronic signal carrier, for example. The apparatus and its modules of the present invention may be implemented by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., or by software executed by various types of processors, or by a combination of hardware circuits and software, e.g., firmware.
The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.
Claims (10)
1. An image adversarial sample detection method, characterized in that the image adversarial sample detection method comprises:
performing, by a noise reduction neural network, noise reduction processing on an original image to obtain a noise-reduced image;
classifying the original image with a classification model to obtain the logits value of the original image;
classifying the noise-reduced image with the classification model to obtain the logits value of the noise-reduced image;
calculating a difference score between the original image and the noise-reduced image by using the logits values of the original image and the noise-reduced image;
and judging whether the original image is an adversarial sample or a normal sample according to the difference score.
2. The image adversarial sample detection method according to claim 1, wherein performing, by the noise reduction neural network, noise reduction processing on the original image to obtain the noise-reduced image comprises: first, copying the original image to obtain a duplicate image; second, inputting the duplicate image into the noise reduction neural network, and extracting the noise image in the duplicate image through the noise reduction neural network; then subtracting the noise image from the duplicate image to obtain a difference value; and finally, clipping the difference value to the range from 0 to 1 to obtain the noise-reduced image.
3. The image adversarial sample detection method according to claim 1, wherein classifying the original image with the classification model to obtain the logits value comprises: first, normalizing the original image; then, inputting the normalization result of the original image into the classification model; and finally, obtaining the output of the last layer of the classification model neural network, namely the logits value of the original image.
4. The image adversarial sample detection method according to claim 1, wherein classifying the noise-reduced image with the classification model to obtain the logits value comprises: first, normalizing the noise-reduced image; then, inputting the normalization result of the noise-reduced image into the classification model; and finally, obtaining the output of the last layer of the classification model neural network, namely the logits value of the noise-reduced image.
5. The image adversarial sample detection method according to claim 1, wherein calculating the difference score between the original image and the noise-reduced image by using the logits values of the original image and the noise-reduced image comprises: first, processing the logits values through a softmax function to obtain s values; second, calculating the L1 distance between the s value of the original image and the s value of the noise-reduced image to obtain a difference score d; and finally, taking the maximum d as the final difference score between the original image and the noise-reduced image.
6. The image adversarial sample detection method according to claim 1, wherein judging whether the original image is an adversarial sample or a normal sample according to the difference score comprises: obtaining a threshold T on the training data set; if the difference score between the original image and the noise-reduced image is greater than the threshold T, the original image is an adversarial sample; if the difference score between the original image and the noise-reduced image is less than the threshold T, the original image is a normal sample.
7. A computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of:
performing, by a noise reduction neural network, noise reduction processing on an original image to obtain a noise-reduced image;
classifying the original image with a classification model to obtain the logits value of the original image;
classifying the noise-reduced image with the classification model to obtain the logits value of the noise-reduced image;
calculating a difference score between the original image and the noise-reduced image by using the logits values of the original image and the noise-reduced image;
and judging whether the original image is an adversarial sample or a normal sample according to the difference score.
8. An information data processing terminal, characterized in that the information data processing terminal is used for implementing the image adversarial sample detection method of any one of claims 1 to 6.
9. An image adversarial sample detection system for implementing the image adversarial sample detection method according to any one of claims 1 to 6, the image adversarial sample detection system comprising:
an image noise reduction module, used for removing the adversarial sample noise in the input original image by using the trained noise reduction neural network;
a classification module, used for predicting on the original image and the noise-reduced image by using the classification model to obtain the logits values output by the classification model;
and a judging module, used for calculating the difference score of the original image and the noise-reduced image and judging whether the input original image is an adversarial sample according to the threshold T obtained on the training data set.
10. An image recognition terminal, characterized in that the image recognition terminal is used for implementing the image adversarial sample detection method of any one of claims 1 to 6, and the image recognition terminal comprises: a face recognition terminal, an automatic driving terminal, and a financial terminal.
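The detection pipeline of claims 1 to 6, as an added Python example that is not code from the patent. Assumptions: a 3-pixel median filter stands in for the trained noise reduction neural network, a two-class linear model stands in for the classification model, the midpoint rule in `fit_threshold` is one possible way of obtaining T, and every sample is constructed.

```python
import math
from statistics import median

N = 16  # constructed 1-D "images" of 16 pixels in [0, 1]

def noise_estimate(img):
    # Stand-in for the trained noise reduction neural network (assumption):
    # noise = pixel minus the median of its 3-pixel neighbourhood.
    pad = [img[0]] + list(img) + [img[-1]]
    return [img[i] - median(pad[i:i + 3]) for i in range(len(img))]

def denoise(img):
    # Claim 2: copy, extract the noise image, subtract it, clip to [0, 1].
    copy = list(img)
    noise = noise_estimate(copy)
    return [min(1.0, max(0.0, c - n)) for c, n in zip(copy, noise)]

def logits(img):
    # Claims 3-4: normalize, then read the classifier's last-layer output.
    # Toy 2-class linear model (assumption), not the patent's classifier.
    z = [(p - 0.5) / 0.5 for p in img]
    return [5.0 * sum(v if i % 2 == 0 else -v for i, v in enumerate(z)), 0.0]

def softmax(values):
    m = max(values)
    e = [math.exp(v - m) for v in values]
    return [v / sum(e) for v in e]

def difference_score(img):
    # Claim 5: L1 distance between the softmax outputs (s values); one denoised
    # image gives a single d, so the claim's maximum d is d itself here.
    s_orig, s_den = softmax(logits(img)), softmax(logits(denoise(img)))
    return sum(abs(a - b) for a, b in zip(s_orig, s_den))

def fit_threshold(normal, adversarial):
    # Claim 6 only says T is obtained on the training set; the midpoint between
    # the highest normal and lowest adversarial score is an assumption.
    return (max(map(difference_score, normal)) +
            min(map(difference_score, adversarial))) / 2

def is_adversarial(img, T):
    return difference_score(img) > T

def ramp(base, eps=0.0):
    # Constructed sample: smooth ramp plus an alternating +/-eps perturbation.
    return [base + 0.04 * i + eps * (-1) ** i for i in range(N)]

TRAIN_NORMAL = [ramp(0.10), ramp(0.20), ramp(0.30)]
TRAIN_ADV = [ramp(0.10, 0.05), ramp(0.30, 0.05)]
T = fit_threshold(TRAIN_NORMAL, TRAIN_ADV)
```

On the constructed data the perturbed ramp flips the toy model's prediction, denoising flips it back, and the resulting jump in softmax output is what pushes the score above T.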
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110000320.7A CN112766324B (en) | 2021-01-02 | 2021-01-02 | Image countermeasure sample detection method, system, storage medium, terminal and application |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112766324A (en) | 2021-05-07 |
CN112766324B (en) | 2024-02-02 |
Family
ID=75698868
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110000320.7A Active CN112766324B (en) | 2021-01-02 | 2021-01-02 | Image countermeasure sample detection method, system, storage medium, terminal and application |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112766324B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019233166A1 (en) * | 2018-06-04 | 2019-12-12 | 杭州海康威视数字技术股份有限公司 | Surface defect detection method and apparatus, and electronic device |
CN110717522A (en) * | 2019-09-18 | 2020-01-21 | 平安科技(深圳)有限公司 | Countermeasure defense method of image classification network and related device |
CN111598805A (en) * | 2020-05-13 | 2020-08-28 | 华中科技大学 | Confrontation sample defense method and system based on VAE-GAN |
CN111783890A (en) * | 2020-07-02 | 2020-10-16 | 电子科技大学 | Small pixel countermeasure sample defense method for image recognition process |
Non-Patent Citations (1)
Title |
---|
严飞;张铭伦;张立强;: "Adversarial example detection method based on boundary value invariants", 网络与信息安全学报, no. 01 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113255757A (en) * | 2021-05-20 | 2021-08-13 | 西华大学 | Countermeasure sample detection method and system based on activation value distribution difference |
CN113255757B (en) * | 2021-05-20 | 2022-10-11 | 西华大学 | Antagonistic sample detection method and system based on activation value distribution difference |
CN113554089A (en) * | 2021-07-22 | 2021-10-26 | 西安电子科技大学 | Image classification countermeasure sample defense method and system and data processing terminal |
CN113780363A (en) * | 2021-08-17 | 2021-12-10 | 广州大学 | Countermeasure sample defense method, system, computer and medium |
CN113780363B (en) * | 2021-08-17 | 2023-08-08 | 广州大学 | Method, system, computer and medium for defending countermeasures |
CN114663730A (en) * | 2022-04-01 | 2022-06-24 | 中国工程物理研究院计算机应用研究所 | Game interaction based confrontation sample detection method and system |
CN114663730B (en) * | 2022-04-01 | 2023-04-18 | 中国工程物理研究院计算机应用研究所 | Game interaction-based confrontation sample detection method and system |
Also Published As
Publication number | Publication date |
---|---|
CN112766324B (en) | 2024-02-02 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||