CN113487545A - Method for generating disturbance image facing to attitude estimation depth neural network - Google Patents

Publication number
CN113487545A
Authority
CN
China
Prior art keywords
neural network
image
result
generating
disturbance
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110704930.5A
Other languages
Chinese (zh)
Inventor
刘复昌
潘志庚
曹明亮
丁丹丹
张明敏
梁应滔
梁应鸿
王昊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Jiudi Digital Technology Co ltd
Original Assignee
Guangzhou Jiudi Digital Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Jiudi Digital Technology Co ltd filed Critical Guangzhou Jiudi Digital Technology Co ltd
Priority to CN202110704930.5A priority Critical patent/CN113487545A/en
Publication of CN113487545A publication Critical patent/CN113487545A/en
Pending legal-status Critical Current

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06TIMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T7/00Image analysis
    • G06T7/0002Inspection of images, e.g. flaw detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06TIMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T7/00Image analysis
    • G06T7/70Determining position or orientation of objects or cameras
    • G06T7/73Determining position or orientation of objects or cameras using feature-based methods
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06TIMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T2207/00Indexing scheme for image analysis or image enhancement
    • G06T2207/10Image acquisition modality
    • G06T2207/10004Still image; Photographic image
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06TIMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T2207/00Indexing scheme for image analysis or image enhancement
    • G06T2207/20Special algorithmic details
    • G06T2207/20081Training; Learning
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06TIMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T2207/00Indexing scheme for image analysis or image enhancement
    • G06T2207/20Special algorithmic details
    • G06T2207/20084Artificial neural networks [ANN]

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • General Engineering & Computer Science (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Biomedical Technology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Quality & Reliability (AREA)
  • Image Analysis (AREA)

Abstract

The invention discloses a method for generating a perturbed image for a pose estimation deep neural network. It relates to the technical field of image processing and comprises the following steps: S1, inputting the image x into a target neural network K to obtain a result P0; S2, recombining P0 to generate P1, taking P0 as the label of the image x and P1 as the first training result of the image x; S3, inputting P0 and P1 into the target neural network K, generating the error value of P0 and P1, acquiring the gradient direction of the error value, and multiplying the gradient direction by a coefficient λ to obtain a single-step noise value z; and S4, obtaining the accumulated noise value z' through multiple training iterations, normalizing z', and superposing the image x and z' to generate the perturbed image a. The method obtains the error value between the predicted result for the image and the real result, and adds perturbation noise to the image along the gradient direction of the change of that error value. This misleads not only image classification but also gesture recognition, so that the originally correct gesture is recognized as another, unrelated gesture.

Description

Method for generating disturbance image facing to attitude estimation depth neural network
Technical Field
The invention relates to the technical field of image processing, in particular to a method for generating a disturbance image facing to an attitude estimation depth neural network.
Background
With the continuous development and maturing of artificial intelligence technology, various intelligent recognition methods are available in the field of image recognition. They can identify objects in images, such as people, animals and vehicles, and some applications can also recognize human gestures. Although most of the intelligent recognition methods in use today achieve high accuracy, most of them are the result of training on ordinary images; once an image is modified or something else is added to it, a recognition method that was originally highly accurate gives wrong results.
The existing Chinese patent publication No. CN109993805A discloses a highly concealed adversarial image attack method for deep neural networks, which adds noise to an image and uses an Lp norm to measure the magnitude of the generated noise, so that the image is changed as little as possible.
Although such image attacks can mislead an intelligent recognition method into making mistakes, they can also be used to make an existing intelligent recognition system more robust. In other words, if the generated perturbed images are used to train the recognition system, or some method of resisting image perturbation is added when the recognition system is trained, the resulting intelligent recognition system is more robust and more resistant to interference.
At present the prior art contains no method for generating perturbed images for deep networks that perform pose estimation. The invention therefore aims to design and provide a method for generating a perturbed image for a pose estimation deep neural network.
Disclosure of Invention
The invention aims to provide a method for generating a perturbed image for a pose estimation deep neural network.
The technical purpose of the invention is realized by the following technical scheme. A method for generating a perturbed image for a pose estimation deep neural network: a human body pose estimation neural network or a gesture recognition neural network K is given; the prediction result of the neural network K is supposed to have 100% accuracy; the attacker is supposed to have white-box access to the target model, so that the loss function information of the neural network can be obtained; and a target class or pose t is set. The error value between the recognition result and the real result is obtained using a fast gradient descent method, which gives the gradient direction that reduces the error value; this value is accumulated through repeated iterative calculation to generate a perturbation factor, which is then superposed on the original image to generate the perturbed image. The method specifically comprises the following steps:
S1, inputting the image x into a target neural network K to obtain a result P0;
S2, recombining the result P0 to generate a result P1, taking P0 as the label of the image x and P1 as the first training result of the image x;
S3, inputting the result P0 and the result P1 into the target neural network K, generating the error value Loss(P0, P1) of P0 and P1, acquiring the gradient direction of the error value Loss(P0, P1), and multiplying the gradient direction by a coefficient λ to obtain the result of a single iteration, namely a single-step noise value z;
S4, obtaining the accumulated noise value z' through multiple training iterations and, after normalizing z', superposing the image x and z' to obtain the adversarial example, namely the perturbed image a.
Further, the neural network K in step S1 is a human body pose estimation neural network or a gesture recognition neural network, so a perturbation can be generated for a human body pose or for a hand gesture.
Further, the method for recombining the result P0 to generate the result P1 in step S2 is: a keypoint in the result P0 is randomly moved to another position, and the outcome is taken as P1.
Further, the gradient direction of the error value Loss(P0, P1) in step S3 is obtained by a fast gradient descent method; only the direction of the gradient change is obtained, not its value.
Further, while the accumulated noise value z' is obtained through multiple training iterations in step S4, the weights of the neural network K are not actually changed, which ensures that only the image itself is attacked and not the target neural network; and z' is normalized in step S4 to ensure that the finally generated noise is not visually perceptible.
In the technical scheme of the invention, for the pose estimation perturbation method, a natural image is input to the neural network and an incorrect recognition result is output. The type of error may be arbitrary or may be specified by the attacker. For the gesture recognition perturbation method, a natural image is input to the neural network and an incorrect gesture is output. The incorrect gesture may be arbitrary or may be specified by the attacker.
In conclusion, the invention has the following beneficial effects:
1. The method adds perturbation noise to the image using the error value Loss between the predicted result for the image and the real result, together with the gradient direction of the change of that error value. This misleads not only image classification but also gesture recognition, so that the originally correct gesture is recognized as another, unrelated gesture;
2. The perturbed images generated by the method can conveniently be used to train a recognition system, or the method of the invention can be used to increase resistance to image perturbation while the recognition system is trained, so that the resulting intelligent recognition system is more robust and can resist interference.
Drawings
Fig. 1 is a flow chart in an embodiment of the present invention.
Detailed Description
The present invention is described in further detail below with reference to fig. 1.
Embodiment: a method for generating a perturbed image for a pose estimation deep neural network, as shown in FIG. 1, specifically comprises the following steps:
S1, inputting the image x into the target neural network K to obtain a result P0.
S2, recombining the result P0 to generate a result P1, taking P0 as the label of the image x and P1 as the first training result of the image x.
S3, inputting the result P0 and the result P1 into the target neural network K, generating the error value Loss(P0, P1) of P0 and P1, acquiring the gradient direction of the error value Loss(P0, P1), and multiplying the gradient direction by a coefficient λ to obtain the result of a single iteration, namely a single-step noise value z.
S4, obtaining the accumulated noise value z' through multiple training iterations and, after normalizing z', superposing the image x and z' to obtain the adversarial example, namely the perturbed image a.
The neural network K in step S1 is a human body pose estimation neural network or a gesture recognition neural network, so a perturbation can be generated for a human body pose or for a hand gesture.
In step S2, the method for recombining the result P0 to generate the result P1 is: a keypoint in the result P0 is randomly moved to another position, and the outcome is taken as P1.
In step S3, the gradient direction of the error value Loss(P0, P1) is obtained by a fast gradient descent method; only the direction of the gradient change is obtained, not its value.
While the accumulated noise value z' is obtained through multiple training iterations in step S4, the weights of the neural network K are not actually changed, which ensures that only the picture itself is attacked and not the target neural network. z' is normalized in step S4 to ensure that the finally generated noise is not visually perceptible.
In this embodiment, a pose estimation network K is trained on a large number of images x of different poses, each containing the keypoint information of its pose, with labels $K(x) \in P = \{p_1, p_2, p_3, \dots, p_n\}$.
A gesture recognition network K is trained on a number of natural images x from different classes, with labels $K(x) \in \{1, 2, 3, \dots, C\}$.
The images are normalized to [0, 1], and the spatial domain of the natural images is assumed to be
Figure BDA0003130790150000051
It is assumed that $K(x) = c_x$ is correct for each x, where $c_x$ denotes the class of image x.
Let $A_k$ represent the space of adversarial examples. All samples in $A_k$ must be similar to natural images, so that they are imperceptible and reliably deceive the classification network.
For each $a \in A_k$ there exists an x such that $d(x, a)$ is sufficiently small, where d is the similarity of x to a.
For the perturbation method of the pose estimation neural network:
Step 1: A natural image x is input to the pose estimation neural network, a predicted result P0 is obtained, and this result is considered to be the correct result.
Step 2: Assuming the result is very accurate, a keypoint in the result is randomly moved to another position and the outcome is taken as P1; P0 is then taken as the training target and P1 as the first training result.
Step 3: The error value Loss(P0, P1) between P0 and P1 is obtained, which gives the gradient direction in which Loss decreases; this gradient direction is multiplied by a coefficient λ and used as the single-step noise value z.
Step 4: The accumulated noise value z' is obtained through multiple training iterations, and the adversarial example a is obtained as x + z'.
To mislead the pose estimation neural network into producing a desired result, T is used as the training target and P0 as the first training result in step 1.
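One reading of steps 1 to 4 for the pose estimation network, run on a toy linear keypoint regressor to measure how far a bounded perturbation moves its output (added example, not code from the patent). The weights `W`, the image `X`, the fixed keypoint offset used in place of a random move, the L-infinity bound `eps` used as the normalization of z', and all function names are assumptions.

```python
"""Toy robustness probe following steps 1-4 (added example, constructed data)."""

# Constructed weights of a toy linear "pose network" K: 8 pixels -> (x, y) of one keypoint.
W = [
    [0.5, -0.25, 0.75, 0.0, -0.5, 0.25, 0.5, -0.75],
    [-0.25, 0.5, 0.0, 0.75, 0.25, -0.5, 0.75, 0.5],
]
X = [0.2, 0.4, 0.6, 0.8, 0.3, 0.5, 0.7, 0.9]  # constructed image, normalized to [0, 1]


def predict(weights, image):
    """K(image): keypoint coordinates predicted by the linear model."""
    return [sum(w * px for w, px in zip(row, image)) for row in weights]


def loss(pred, target):
    """Mean squared error between two keypoint vectors."""
    return sum((p - t) ** 2 for p, t in zip(pred, target)) / len(pred)


def grad_sign(weights, image, target):
    """Sign of dLoss/dimage: only the direction is kept, not the magnitude."""
    pred = predict(weights, image)
    n = len(pred)
    grad = [
        sum(2.0 * (pred[k] - target[k]) / n * weights[k][j] for k in range(n))
        for j in range(len(image))
    ]
    return [(g > 0) - (g < 0) for g in grad]


def clip(value, lo, hi):
    return max(lo, min(hi, value))


def perturb(weights, image, target, lam=0.01, steps=20, eps=0.03):
    """Accumulate z' over `steps` iterations; the weights are read, never written."""
    z_acc = [0.0] * len(image)
    for _ in range(steps):
        current = [clip(px + z, 0.0, 1.0) for px, z in zip(image, z_acc)]
        direction = grad_sign(weights, current, target)
        # Single-step noise z = -lam * sign(grad): the direction in which Loss decreases.
        # Assumption: "normalizing z'" is implemented as clipping to [-eps, eps].
        z_acc = [clip(z - lam * d, -eps, eps) for z, d in zip(z_acc, direction)]
    adversarial = [clip(px + z, 0.0, 1.0) for px, z in zip(image, z_acc)]
    return adversarial, z_acc


def robustness_probe(weights=W, image=X, offset=(0.2, -0.2)):
    """Report how far a bounded perturbation moves the predicted keypoint."""
    weights_before = [row[:] for row in weights]
    p0 = predict(weights, image)                  # step 1: prediction taken as correct
    p1 = [p + o for p, o in zip(p0, offset)]      # step 2: keypoint moved (fixed offset)
    adversarial, z_acc = perturb(weights, image, p1)  # steps 3 and 4
    p_adv = predict(weights, adversarial)
    return {
        "linf": max(abs(z) for z in z_acc),
        "loss_before": loss(p0, p1),
        "loss_after": loss(p_adv, p1),
        "keypoint_shift": max(abs(a - b) for a, b in zip(p_adv, p0)),
        "weights_unchanged": weights == weights_before,
    }


if __name__ == "__main__":
    for key, value in robustness_probe().items():
        print(f"{key}: {value}")
```

The `keypoint_shift` reported for a given `eps` is the figure to track when comparing a model before and after training on perturbed images.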
For the perturbation method of the gesture recognition neural network:
Step 1: A natural image x is input into the neural network, and the prediction result P0 is obtained in one-hot encoded form, wherein P0 is { P1, P2.
Step 2: Assuming the result is very accurate, the order of the values in P0 is shuffled to obtain P1; P0 is then used as the training target and P1 as the first training result.
Step 3: The error value Loss(P0, P1) between P0 and P1 is obtained, which gives the gradient direction in which Loss decreases; this gradient direction is multiplied by a coefficient λ and used as the single-step noise value z.
Step 4: The accumulated noise value z' is obtained through multiple training iterations, and the adversarial example a is obtained as x + z'.
To mislead the classification neural network into producing a desired result, T is used as the training target and P0 as the first training result in step 1.
In the embodiment of the invention, the error value Loss between the predicted result for the image and the real result is obtained, and perturbation noise is added to the image along the gradient direction of the change of that error value. This misleads not only image classification but also gesture recognition, so that the originally correct gesture is recognized as another, unrelated gesture. In addition, the perturbed images generated by the method can conveniently be used to train a recognition system, or the method of the invention can be used to increase resistance to image perturbation while the recognition system is trained, so that the resulting intelligent recognition system is more robust and can resist interference.
The present embodiment only explains the present invention and does not limit it. After reading this specification, those skilled in the art may modify the embodiment as needed without inventive contribution, and all such modifications are protected by patent law within the scope of the claims of the present invention.

Claims (5)

1. A method for generating a perturbed image for a pose estimation deep neural network, characterized in that the method specifically comprises the following steps:
S1, inputting the image x into a target neural network K to obtain a result P0;
S2, recombining the result P0 to generate a result P1, taking P0 as the label of the image x and P1 as the first training result of the image x;
S3, inputting the result P0 and the result P1 into the target neural network K, generating the error value Loss(P0, P1) of P0 and P1, acquiring the gradient direction of the error value Loss(P0, P1), and multiplying the gradient direction by a coefficient λ to obtain the result of a single iteration, namely a single-step noise value z;
S4, obtaining the accumulated noise value z' through multiple training iterations and, after normalizing z', superposing the image x and z' to obtain the adversarial example, namely the perturbed image a.
2. The method for generating a perturbed image for a pose estimation deep neural network according to claim 1, wherein: the neural network K in step S1 is a human body pose estimation neural network or a gesture recognition neural network, so a perturbation can be generated for a human body pose or for a hand gesture.
3. The method for generating a perturbed image for a pose estimation deep neural network according to claim 1, wherein: the method for recombining the result P0 to generate the result P1 in step S2 is: a keypoint in the result P0 is randomly moved to another position, and the outcome is taken as P1.
4. The method for generating a perturbed image for a pose estimation deep neural network according to claim 1, wherein: in step S3, the gradient direction of the error value Loss(P0, P1) is obtained by a fast gradient descent method; only the direction of the gradient change is obtained, not its value.
5. The method for generating a perturbed image for a pose estimation deep neural network according to claim 1, wherein: while the accumulated noise value z' is obtained through multiple training iterations in step S4, the weights of the neural network K are not actually changed, which ensures that only the picture itself is attacked and not the target neural network; and z' is normalized in step S4 to ensure that the finally generated noise is not visually perceptible.
CN202110704930.5A 2021-06-24 2021-06-24 Method for generating disturbance image facing to attitude estimation depth neural network Pending CN113487545A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110704930.5A CN113487545A (en) 2021-06-24 2021-06-24 Method for generating disturbance image facing to attitude estimation depth neural network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110704930.5A CN113487545A (en) 2021-06-24 2021-06-24 Method for generating disturbance image facing to attitude estimation depth neural network

Publications (1)

Publication Number Publication Date
CN113487545A true CN113487545A (en) 2021-10-08

Family

ID=77936141

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110704930.5A Pending CN113487545A (en) 2021-06-24 2021-06-24 Method for generating disturbance image facing to attitude estimation depth neural network

Country Status (1)

Country Link
CN (1) CN113487545A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108257116A (en) * 2017-12-30 2018-07-06 清华大学 A kind of method for generating confrontation image
CN109272031A (en) * 2018-09-05 2019-01-25 宽凳(北京)科技有限公司 A kind of training sample generation method and device, equipment, medium
CN110516695A (en) * 2019-07-11 2019-11-29 南京航空航天大学 Confrontation sample generating method and system towards Medical Images Classification
CN111340180A (en) * 2020-02-10 2020-06-26 中国人民解放军国防科技大学 Countermeasure sample generation method and device for designated label, electronic equipment and medium
CN111475797A (en) * 2020-03-26 2020-07-31 深圳先进技术研究院 Method, device and equipment for generating confrontation image and readable storage medium
CN112270700A (en) * 2020-10-30 2021-01-26 浙江大学 Attack judgment method capable of interpreting algorithm by fooling deep neural network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116486463A (en) * 2023-06-15 2023-07-25 北京瑞莱智慧科技有限公司 Image processing method, related device and storage medium
CN116486463B (en) * 2023-06-15 2023-10-03 北京瑞莱智慧科技有限公司 Image processing method, related device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211008