CN113688914B - Practical relative sequence attack resisting method - Google Patents


Publication number
CN113688914B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110998691.9A
Inventor
王乐
周默
周三平
陈仕韬
辛景民
郑南宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ningbo Shun'an Artificial Intelligence Research Institute
Xian Jiaotong University
Original Assignee
Ningbo Shun'an Artificial Intelligence Research Institute
Xian Jiaotong University
Application filed by Ningbo Shun'an Artificial Intelligence Research Institute and Xian Jiaotong University

Abstract

The invention discloses a practical relative order adversarial attack method in the field of deep learning and computer vision. A deep ranking model is taken as the target model and is used to compute the distance metric between a query sample and a selected candidate sample set. When the parameters of the deep ranking model are successfully obtained, a relative order adversarial attack is carried out under the white-box threat model to obtain an adversarial example; the adversarial example is input into the deep ranking model, which outputs a ranking result in which the relative order among the candidate sample set has been modified. When the parameters of the deep ranking model cannot be obtained, the relative order adversarial attack is carried out under the black-box threat model. The method addresses the following problems of the prior art: the possibility of adversarial attacks on relative order is ignored, existing methods are insensitive to the relative order of the selected samples, and existing methods are not applicable to the black-box threat model.

Description

Practical relative sequence attack resisting method
Technical Field
The invention belongs to the field of deep learning and computer vision, and relates to a practical relative order adversarial attack method.
Background
Adversarial attacks have a significant impact on security and fairness in a variety of deep learning applications, including deep ranking. The invention is an adversarial attack method targeting deep ranking models. Its main aim is to change the relative order among a group of selected candidate samples in an image retrieval result, according to a permutation vector specified by the attacker, by applying an imperceptible adversarial perturbation to the image query sample. Existing adversarial attacks on deep ranking models generally have the following problems: (1) Without exception, they attack the absolute positions of the candidate samples and completely ignore the possibility of adversarial attacks on the relative order among the candidate samples, so the resulting picture of the robustness of deep ranking models is one-sided. In practice, however, in applications such as image-search-based online shopping, a relative order attack may change the relative sales of products; (2) Adversarial attack methods that target absolute position cannot be applied directly to an attack goal defined on relative order, and are insensitive to the relative order among the selected samples; (3) Existing methods cannot carry out a relative order attack under the black-box threat model, because they do not explicitly consider the constraints that the black-box threat model imposes. Studying relative order adversarial attacks on deep ranking models can guide more robust design of future deep ranking models.
Disclosure of Invention
To overcome the disadvantages of the prior art, the present invention provides a practical relative order adversarial attack method that solves the problems mentioned above: ignoring the possibility of relative order adversarial attacks, insensitivity to the relative order of the selected samples, and inapplicability to the black-box threat model.
To achieve this purpose, the invention adopts the following technical scheme:
The invention discloses a practical relative order adversarial attack method, which comprises the following steps:
Step one: taking a deep ranking model $f(\cdot,\cdot)$ as the target model, and using it to compute the distance metric between a query sample $q$ and a selected candidate sample set $C = \{c_1, c_2, \ldots, c_k\}$; when the parameters of the deep ranking model $f(\cdot,\cdot)$ are successfully obtained, the relative order adversarial attack is carried out under the white-box threat model;
Step two: carrying out the relative order adversarial attack under the white-box threat model, comprising the following steps:
setting an ordering vector $p$ of length $k$, using it to mark the relative order of each sample in the candidate sample set $C$, and reordering accordingly; the reordered candidate sample set is $C_p = \{c_{p_1}, c_{p_2}, \ldots, c_{p_k}\}$, and the samples in $C_p$ are taken as the attack target samples;
computing, for the attack target samples, the triplet relative order loss between each pair of samples and the query sample; summing the triplet relative order losses over all pairs of samples to obtain the overall relative order loss function; adding a semantics-preserving loss function to the obtained relative order loss function, the sum of the two being an overall relative order loss function with the semantics-preserving property; iteratively updating the query sample $q$ using projected gradient descent to obtain the adversarial example
Figure BDA0003234783890000021
Step three: the obtained adversarial example
Figure BDA0003234783890000022
is input into the deep ranking model $f(\cdot,\cdot)$, which outputs a ranking result; in the obtained ranking result the relative order among the candidate sample set $C$ has been modified, which realizes the practical relative order adversarial attack method.
Preferably, in step one, $k$ candidate samples are selected from the candidate sample database $X$ of the deep ranking model to obtain the candidate sample set $C = \{c_1, c_2, \ldots, c_k\}$; each candidate sample is selected from the candidate sample database $X$.
Preferably, in step two, the triplet relative order loss for each pair of samples is computed as:
$[f(q, c_{p_i}) - f(q, c_{p_j})]_+$
where $[\cdot]_+$ denotes the ReLU activation function; of $c_{p_i}$ and $c_{p_j}$, $c_{p_i}$ is the candidate sample ranked ahead of $c_{p_j}$ in the desired ordering; $i$ ranges from 1 to $k$, and the corresponding $j$ ranges from $i$ to $k$;
the overall relative order loss function is obtained as:
Figure BDA0003234783890000031
where the parameter
Figure BDA0003234783890000032
is the adversarial example; $C$ is the selected candidate sample set; $p$ is the ordering vector defined above; $i$, $j$ and $k$ are temporary variables used to traverse the set; $c_{p_i}$ and $c_{p_j}$ are the $i$-th and $j$-th elements of the set $C_p = \{c_{p_1}, c_{p_2}, \ldots, c_{p_k}\}$ reordered according to the ordering vector $p$; the notation $[\cdot]_+$ denotes the ReLU activation function.
Further preferably, a semantics-preserving loss function is added to the obtained relative order loss function, so that each sample from the selected candidate sample set is closer to the given modified query sample than any sample $x$ from the candidate sample database $X$ is, the modified query sample being the adversarial example
Figure BDA0003234783890000033
The added semantics-preserving loss function is obtained as:
Figure BDA0003234783890000034
where the parameter
Figure BDA0003234783890000035
is the adversarial example; $C$ is the selected candidate sample set; $c$ and $x$ are temporary variables used to traverse the sets; the notation $[\cdot]_+$ denotes the ReLU activation function; the set $X$ is the set of all candidate samples, including the set $C$, i.e. the entire retrieval database of the deep ranking model.
Preferably, the overall relative order loss function with the semantics-preserving property is formulated as:
Figure BDA0003234783890000036
where $\xi$ is a manually set balancing hyper-parameter, which may be any real number greater than 0; the parameter
Figure BDA0003234783890000037
is the adversarial example; $C$ is the selected candidate sample set; $p$ is the ordering vector defined above; $L_{\mathrm{ReO}}(\cdot)$ and $L_{\mathrm{QA}}(\cdot)$ are the relative order loss function and the semantics-preserving loss function obtained in the steps above.
Preferably, updating the query sample $q$ using projected gradient descent to obtain the adversarial example
Figure BDA0003234783890000038
comprises the following steps:
updating the query sample $q$ using projected gradient descent according to the formula:
Figure BDA0003234783890000041
where $r$ is the perturbation in the adversarial example and the subscript $t$ denotes the iteration number; the function $\mathrm{Clip}(\cdot)$ truncates its argument to the feasible region $\Omega_q$; $\eta$ is a manually set learning rate, i.e. the update step size; $\mathrm{sign}(\cdot)$ is the standard sign function;
Figure BDA0003234783890000042
is the adversarial example; $C$ is the selected candidate sample set; $p$ is the ordering vector defined above.
The iteration number $t$ runs from 1 to a preset value $T$; $r_0$ is initialized to 0, and the query sample after the last iteration is the required adversarial example
Figure BDA0003234783890000043
Preferably, in step one, when the parameters of the deep ranking model $f(\cdot,\cdot)$ cannot be obtained, the relative order adversarial attack is carried out under the black-box threat model;
in step two, carrying out the relative order adversarial attack under the black-box threat model comprises the following steps:
setting an ordering vector $p$ of length $k$, using it to mark the relative order of each sample in the candidate sample set $C$, and reordering accordingly; the reordered candidate sample set is $C_p = \{c_{p_1}, c_{p_2}, \ldots, c_{p_k}\}$, and the samples in $C_p$ are taken as the attack target samples;
initializing a zero matrix $S$, traversing its lower triangular part, computing a score for each matrix element during the traversal, and placing the score at the corresponding position of the matrix; averaging the lower triangle of $S$ after the scores have been recorded to obtain the short-range ranking correlation coefficient $\tau_s$;
using a black-box optimization algorithm, maximizing the obtained short-range ranking correlation coefficient $\tau_s$ by modifying the query sample $q$ through the addition of an adversarial perturbation $r$, to obtain the adversarial example
Figure BDA0003234783890000044
Further preferably, the score of each matrix element is computed during the traversal as follows:
traversing the lower triangular part of the zero matrix $S$, i.e. the row index $i$ from 1 to $k$ and the column index $j$ from 1 to $i-1$;
if either candidate sample $c_i$ or candidate sample $c_j$ does not belong to the set formed by the top $N$ retrieval results of the deep ranking model, the score is $-1$;
if $c_i$ precedes $c_j$ in $C_p$ and $c_i$ precedes $c_j$ in the model's top-$N$ retrieval result list, or if $c_i$ follows $c_j$ in $C_p$ and $c_i$ follows $c_j$ in the model's top-$N$ retrieval result list, the score is $1$;
if $c_i$ precedes $c_j$ in $C_p$ and $c_i$ follows $c_j$ in the model's top-$N$ retrieval result list, or if $c_i$ follows $c_j$ in $C_p$ and $c_i$ precedes $c_j$ in the model's top-$N$ retrieval result list, the score is $-1$.
Further preferably, the black-box optimization algorithm comprises: random search, particle swarm optimization, natural evolution strategies, or simultaneous perturbation stochastic approximation.
Further preferably, maximizing the obtained short-range ranking correlation coefficient $\tau_s$ with a black-box optimization algorithm, by modifying the query sample $q$, to obtain the adversarial example
Figure BDA0003234783890000051
is formulated as:
Figure BDA0003234783890000052
where $r^*$ is the (approximate) optimal solution of the optimization problem, i.e. the solution of the $\arg\max(\cdot)$ part of the equation;
Figure BDA0003234783890000053
is the adversarial example; $C$ is the selected candidate sample set; $p$ is the ordering vector defined above.
Compared with the prior art, the invention has the following beneficial effects:
The invention discloses a practical relative order adversarial attack method in which an adversarial example is obtained either by optimizing the overall relative order loss function with the semantics-preserving property using projected gradient descent, or by maximizing the short-range ranking correlation using a black-box optimization algorithm. The relative order among the elements of the selected candidate sample set in the actual retrieval result of the deep ranking model can thereby be changed while having only a limited effect on unrelated samples. The method is thus the first relative order attack method proposed for deep ranking models. It remedies the technical defect that absolute-position adversarial attack methods for deep ranking models ignore the possibility of relative order attacks, it is more sensitive to relative order than those methods, and it adapts well to the constraints faced by practical black-box attacks.
Further, the invention provides an overall relative order loss function that is sensitive to relative order and can be used to carry out the relative order adversarial attack under the white-box threat model.
Furthermore, the invention provides a concrete method for computing the short-range ranking correlation metric, which can be used to carry out the relative order adversarial attack under the black-box threat model.
In summary, the invention realizes a relative order adversarial attack on deep ranking models for the first time, and is suitable for both the white-box and the black-box threat models. It has the following advantages:
1) The invention is the first to provide a relative order attack method for deep ranking models;
2) The method provided by the invention is sensitive to the relative order of the ranking results;
3) The method is suitable for both the white-box threat model and the black-box threat model.
Drawings
Fig. 1 is a general structural block diagram of the practical relative order adversarial attack method of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in other sequences than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The background and specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings and specific embodiments. The drawings and examples herein are illustrative of the invention and are not to be construed as limiting the invention.
The general structural block diagram of the practical relative order adversarial attack method is shown in Fig. 1. The method specifically comprises the following steps:
1. Given are a query sample $q$, a set of $k$ candidate samples $C = \{c_1, c_2, \ldots, c_k\}$ selected from the candidate sample database, and a deep ranking model $f(\cdot,\cdot)$. The deep ranking model $f(q, c_i)$ is a learnable distance metric function used to measure the query sample $q$ against the candidate sample $c_i$ ($i = 1, 2, 3, \ldots, k$), and the candidate sample set $C$ is a subset of the full candidate sample set $X$. Next, whether to use the attack method for the white-box threat model is determined by whether the gradient of the deep ranking model $f(\cdot,\cdot)$ can be obtained. When the parameters of the deep ranking model $f(\cdot,\cdot)$ can be obtained, the method for the white-box threat model is used; otherwise, the method for the black-box threat model is used.
2. Specific steps of the relative order adversarial attack under the white-box threat model
1. Selecting the attack target samples
1) According to an arbitrary attack goal, the user of the algorithm selects $k$ candidate samples from the candidate sample database $X$ of the deep ranking model, forming the candidate sample set $C = \{c_1, c_2, \ldots, c_k\}$; each candidate sample is selected from the candidate sample database $X$.
2) According to an arbitrary attack goal, the user of the algorithm sets an ordering vector $p$ of length $k$, which marks the attacker's desired relative order of the $k$ selected candidate samples. The reordered candidate sample set is $C_p = \{c_{p_1}, c_{p_2}, \ldots, c_{p_k}\}$.
2. Computing the relative order triplet loss function
1) For the samples in the reordered candidate sample set $C_p$, the triplet relative order loss $[f(q, c_{p_i}) - f(q, c_{p_j})]_+$ is computed between each pair of samples and the query sample $q$, where $[\cdot]_+$ denotes the ReLU activation function; of $c_{p_i}$ and $c_{p_j}$, $c_{p_i}$ is the candidate sample ranked ahead of $c_{p_j}$ in the desired ordering. Specifically, $i$ ranges from 1 to $k$, while the corresponding $j$ ranges from $i$ to $k$.
2) The triplet relative order losses computed pairwise between the samples are summed to obtain the overall relative order loss function. That is:
Figure BDA0003234783890000081
where the parameter
Figure BDA0003234783890000082
is the adversarial example; $C$ is the selected candidate sample set; $p$ is the ordering vector defined above; $i$, $j$ and $k$ are temporary variables used to traverse the set; $c_{p_i}$ and $c_{p_j}$ are the $i$-th and $j$-th elements of the set $C_p = \{c_{p_1}, c_{p_2}, \ldots, c_{p_k}\}$ reordered according to the ordering vector $p$; the notation $[\cdot]_+$ denotes the ReLU activation function.
3) A semantics-preserving loss function is added on the basis of the overall relative order loss function. Specifically, each sample $c \in C$ from the selected candidate sample set is brought closer than any sample $x$ from the candidate sample database $X$ of the deep ranking model to the given query sample
Figure BDA0003234783890000083
That is:
Figure BDA0003234783890000084
where the parameter
Figure BDA0003234783890000085
is the adversarial example; $C$ is the selected candidate sample set; $c$ and $x$ are temporary variables used to traverse the sets; the notation $[\cdot]_+$ denotes the ReLU activation function; the set $X$ is the set of all candidate samples, including the set $C$, i.e. the entire retrieval database of the deep ranking model.
4) The loss functions obtained in step 2) and step 3) are summed to obtain the overall relative order loss function with the semantics-preserving property. (Because the usage scenario always requires the semantics-preserving property, the relative order (triplet) loss function shown in Fig. 1 refers by default to the relative order loss function with the semantics-preserving property.) That is:
Figure BDA0003234783890000086
where the parameter $\xi$ is a manually set balancing hyper-parameter, which may be any real number greater than 0; the parameter
Figure BDA0003234783890000087
is the adversarial example; $C$ is the selected candidate sample set; $p$ is the ordering vector defined above; $L_{\mathrm{ReO}}(\cdot)$ and $L_{\mathrm{QA+}}(\cdot)$ are the relative order loss function and the semantics-preserving loss function obtained in the steps above. The setting on the Fashion-MNIST dataset is $\xi = 10^{1}$, whereas the setting on the Stanford Online Products dataset is $\xi = 10^{3}$.
3. The query sample $q$ is updated using projected gradient descent. That is:
Figure BDA0003234783890000091
where $r$ is the perturbation in the adversarial example and the subscript $t$ denotes the iteration number; the function $\mathrm{Clip}(\cdot)$ truncates its argument to the feasible region $\Omega_q$; $\eta$ is a manually set learning rate, i.e. the update step size; $\mathrm{sign}(\cdot)$ is the standard sign function;
Figure BDA0003234783890000092
is the adversarial example; $C$ is the selected candidate sample set; $p$ is the ordering vector defined above.
The iteration number $t$ runs from 1 to a preset value $T$. $r_0$ is initialized to 0, and the query sample after the last iteration is the required adversarial example
Figure BDA0003234783890000093
4. The obtained adversarial example
Figure BDA0003234783890000094
is input into the target deep ranking model as the query sample. The deep ranking model produces a ranking result in which the relative order among the selected samples (the candidate sample set $C$) has been modified, while the semantics of the query sample itself have not changed significantly.
3. Specific steps of the relative order adversarial attack under the black-box threat model
1. Selecting the attack target samples
1) According to an arbitrary attack goal, the user of the algorithm selects $k$ candidate samples from the candidate sample database of the deep ranking model, forming the candidate sample set $C = \{c_1, c_2, \ldots, c_k\}$.
2) According to an arbitrary attack goal, the user of the algorithm sets an ordering vector $p$ of length $k$, which marks the attacker's desired relative order of the $k$ selected candidate samples. The reordered candidate sample set is $C_p = \{c_{p_1}, c_{p_2}, \ldots, c_{p_k}\}$.
2. Computing the short-range ranking correlation
1) A zero matrix $S$ of size $k \times k$ is initialized.
2) The lower triangular part of the zero matrix $S$ is traversed, i.e. the row index $i$ from 1 to $k$ and the column index $j$ from 1 to $i-1$. During the traversal a score is computed for each matrix element and placed at the corresponding position of the matrix. The score is computed as follows:
a. If either candidate sample $c_i$ or candidate sample $c_j$ does not belong to the set formed by the top $N$ retrieval results of the deep ranking model, the score is $-1$.
b. If $c_i$ precedes $c_j$ in $C_p$ and $c_i$ precedes $c_j$ in the model's top-$N$ retrieval result list, or if $c_i$ follows $c_j$ in $C_p$ and $c_i$ follows $c_j$ in the model's top-$N$ retrieval result list, the score is $1$.
c. If $c_i$ precedes $c_j$ in $C_p$ and $c_i$ follows $c_j$ in the model's top-$N$ retrieval result list, or if $c_i$ follows $c_j$ in $C_p$ and $c_i$ precedes $c_j$ in the model's top-$N$ retrieval result list, the score is $-1$.
3) The lower triangular part of the matrix $S$ is averaged to obtain the short-range ranking correlation $\tau_s$.
3. Using any black-box optimization algorithm, such as random search, particle swarm optimization (PSO), natural evolution strategies (NES) or simultaneous perturbation stochastic approximation (SPSA), the short-range ranking correlation coefficient $\tau_s$ is maximized by modifying the query sample $q$, yielding the corresponding adversarial example
Figure BDA0003234783890000101
That is:
Figure BDA0003234783890000102
where $r^*$ is the (approximate) optimal solution of the optimization problem, i.e. the solution of the $\arg\max(\cdot)$ part of the equation;
Figure BDA0003234783890000103
is the adversarial example; $C$ is the selected candidate sample set; $p$ is the ordering vector defined above.
In practice, the default black-box optimization algorithm for the short-range ranking correlation coefficient is simultaneous perturbation stochastic approximation (SPSA).
4. The obtained adversarial example
Figure BDA0003234783890000104
is input into the target deep ranking model. In the resulting ranking result the relative order among the selected samples has been modified, while the semantics of the query sample itself have not changed significantly.
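The short-range ranking correlation from step 2 above (also described in the disclosure), written out as an added example that is not code from the patent: it scores how closely the top-N list returned by a ranking model agrees with a given ordering of a candidate set, which is the same measurement one takes when checking how stable a model's ordering of known items is. The function names and the constructed item IDs are assumptions.

```python
"""Short-range ranking correlation (tau_s) between an ordering C_p of a
candidate set and the top-N list actually returned by a ranking model.
Illustrative code: function names are hypothetical, sample data is constructed."""


def score_matrix(desired_order, retrieved, top_n):
    """Build the k x k matrix S; only the strict lower triangle is filled.

    desired_order: candidate IDs in the order C_p (length k, no repeats).
    retrieved:     IDs returned by the model, best match first.
    top_n:         only the first N results are visible to the caller.
    """
    k = len(desired_order)
    if k < 2:
        raise ValueError("need at least two candidates to compare order")
    if len(set(desired_order)) != k:
        raise ValueError("candidate IDs must be unique")
    if top_n < 1:
        raise ValueError("top_n must be positive")

    # Position of each visible item; first occurrence wins if IDs repeat.
    rank = {}
    for pos, item in enumerate(retrieved[:top_n]):
        rank.setdefault(item, pos)

    S = [[0] * k for _ in range(k)]
    for i in range(1, k):          # rows below the first (0-based)
        for j in range(i):         # columns strictly left of the diagonal
            ci, cj = desired_order[i], desired_order[j]
            if ci not in rank or cj not in rank:
                S[i][j] = -1       # rule a: a candidate fell outside the top N
            elif rank[cj] < rank[ci]:
                S[i][j] = 1        # rule b: j < i in C_p and the list agrees
            else:
                S[i][j] = -1       # rule c: the list orders the pair the other way
    return S


def short_range_rank_correlation(desired_order, retrieved, top_n):
    """Average of the strict lower triangle of S, a value in [-1, 1]."""
    k = len(desired_order)
    S = score_matrix(desired_order, retrieved, top_n)
    total = sum(S[i][j] for i in range(1, k) for j in range(i))
    return total / (k * (k - 1) // 2)


if __name__ == "__main__":
    # Constructed sample: three tracked items among unrelated results.
    c_p = ["item_a", "item_b", "item_c"]
    runs = {
        "same order":     ["x1", "item_a", "item_b", "x2", "item_c"],
        "one pair moved": ["item_a", "item_c", "item_b", "x1", "x2"],
        "reversed":       ["item_c", "item_b", "item_a", "x1", "x2"],
        "item_c dropped": ["item_a", "item_b", "x1", "x2", "x3"],
    }
    for label, result in runs.items():
        tau = short_range_rank_correlation(c_p, result, top_n=5)
        print(f"{label:15s} tau_s = {tau:+.3f}")
```

Because a candidate that leaves the top N scores -1 for every pair it belongs to, the value drops both when tracked items swap places and when they disappear from the visible results.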
Tables 1 and 2 give the experimental results of the white-box and black-box attack methods on the Fashion-MNIST dataset, respectively. Tables 3 and 4 give the experimental results of the white-box and black-box attack methods on the Stanford Online Products dataset, respectively.
Table 1. White-box attack experimental results on Fashion-MNIST
Figure BDA0003234783890000105
Table 2. Black-box attack experimental results on Fashion-MNIST
Figure BDA0003234783890000111
Table 3. White-box attack experimental results on Stanford Online Products
Figure BDA0003234783890000112
Table 4. Black-box attack experimental results on Stanford Online Products
Figure BDA0003234783890000113
In summary, the invention relates to a practical relative order adversarial attack method based on short-range ranking correlation, in the field of deep learning and computer vision. To address the fact that existing deep ranking attack methods ignore the possibility of attacks at the level of relative order, the invention proposes a relative order attack on deep ranking systems that, without causing serious ranking errors, adjusts the relative order among a selected candidate sample set in the final ranking result according to a permutation vector specified by the attacker: the attack objective is formulated as a triplet-style loss function that directly embodies the set of target inequalities. On this basis, to cope with the limitations of the black-box threat model, the invention also introduces the short-range ranking correlation metric as a surrogate optimization objective for the triplet-style loss function, thereby approximately achieving the effect of the white-box attack in the black-box setting.
The above only illustrates the technical idea of the present invention and does not limit its scope of protection; any modification made on the basis of the technical idea proposed by the present invention falls within the protection scope of the claims of the present invention.

Claims (10)

1. A practical relative order adversarial attack method, comprising:
step one, taking a deep ranking model $f(\cdot,\cdot)$ as the target model, and using the deep ranking model $f(\cdot,\cdot)$ to calculate the distance measure between a query sample $q$ and a selected candidate sample set $C = \{c_1, c_2, \ldots, c_k\}$; when the parameters of the deep ranking model $f(\cdot,\cdot)$ are successfully obtained, the relative order adversarial attack is carried out under a white-box threat model;
step two, carrying out the relative order adversarial attack under the white-box threat model, comprising the following steps:
setting a permutation vector $p$ of length $k$, using the permutation vector $p$ to specify the relative order of the samples in the candidate sample set $C$, and reordering accordingly; the reordered candidate sample set is $C_p = \{c_{p_1}, c_{p_2}, \ldots, c_{p_k}\}$, and the samples in the reordered candidate sample set $C_p$ are taken as the attack target samples;
for the attack target samples, calculating the triplet relative order loss between each pair of samples combined with the query sample; summing the triplet relative order losses over all pairs of samples to obtain the overall relative order loss function; on the basis of the obtained relative order loss function, adding a semantics-preserving loss function, and summing the overall relative order loss function and the added semantics-preserving loss function to obtain the overall relative order loss function with the semantics-preserving property; iteratively updating the query sample $q$ by projected gradient descent to obtain the adversarial example
Figure FDA0003234783880000011
step three, inputting the obtained adversarial example
Figure FDA0003234783880000012
into the deep ranking model $f(\cdot,\cdot)$ and outputting a ranking result; in the obtained ranking result, the relative order among the samples of the candidate sample set $C$ is modified, thereby realizing the practical relative order adversarial attack method.
2. The method of claim 1, wherein in step one, $k$ candidate samples are selected from a candidate sample database $X$ of the deep ranking model to obtain the candidate sample set $C = \{c_1, c_2, \ldots, c_k\}$; wherein each candidate sample is selected from the candidate sample database $X$.
3. The practical relative order adversarial attack method according to claim 1, wherein in step two, the formula for calculating the triplet relative order loss between each pair of samples is:
$[f(q, c_{p_i}) - f(q, c_{p_j})]_+$
wherein $[\cdot]_+$ denotes the ReLU activation function; of $c_{p_i}$ and $c_{p_j}$, $c_{p_i}$ is the candidate sample ranked ahead of $c_{p_j}$ in the expected ranking; $i$ ranges from 1 to $k$, and the corresponding $j$ traverses from $i$ to $k$;
the formula for obtaining the overall relative order loss function is:
Figure FDA0003234783880000021
in the formula, the parameter
Figure FDA0003234783880000022
is the adversarial example; $C$ is the selected candidate sample set; $p$ is the permutation vector defined above; $i$, $j$ and $k$ are all temporary variables used to traverse the set; $c_{p_i}$ and $c_{p_j}$ are respectively the $i$-th and $j$-th elements of the set $C_p = \{c_{p_1}, c_{p_2}, \ldots, c_{p_k}\}$ reordered according to the permutation vector $p$; the notation $[\cdot]_+$ denotes the ReLU activation function.
4. The practical relative order adversarial attack method according to claim 3,
wherein a semantics-preserving loss function is added on the basis of the obtained relative order loss function, so that each sample from the selected candidate sample set is closer than any sample $x$ from the candidate sample database $X$ to the modified query sample, namely the adversarial example
Figure FDA0003234783880000023
the formula for the added semantics-preserving loss function is:
Figure FDA0003234783880000024
in the formula, the parameter
Figure FDA0003234783880000025
is the adversarial example; $C$ is the selected candidate sample set; $c$ and $x$ are temporary variables used to traverse the sets; the notation $[\cdot]_+$ denotes the ReLU activation function; the set $X$ is the set of all candidate samples, including the set $C$, i.e., the entire retrieval database of the deep ranking model.
5. The practical relative order adversarial attack method according to claim 4, wherein the overall relative order loss function with the semantics-preserving property is formulated as:
Figure FDA0003234783880000026
in the formula, $\xi$ is a manually set balancing hyperparameter, which is any real number greater than 0; the parameter
Figure FDA0003234783880000027
is the adversarial example; $C$ is the selected candidate sample set; $p$ is the permutation vector defined above; $L_{ReO}(\cdot)$ and $L_{QA+}(\cdot)$ are respectively the relative order loss function and the semantics-preserving loss function obtained in the above steps.
6. The practical relative order adversarial attack method of claim 1, wherein updating the query sample $q$ by projected gradient descent to obtain the adversarial example
Figure FDA0003234783880000031
comprises the following steps:
updating the query sample $q$ by projected gradient descent according to the formula:
Figure FDA0003234783880000032
in the formula, $r$ is the perturbation in the adversarial example, and the subscript $t$ denotes the iteration number; the Clip($\cdot$) function truncates its argument to the feasible domain $\Omega_q$; $\eta$ is a manually set learning rate or update step size; sign($\cdot$) is the standard sign function;
Figure FDA0003234783880000033
is the adversarial example; $C$ is the selected candidate sample set; $p$ is the permutation vector defined above.
7. The practical relative order adversarial attack method according to claim 1, wherein in step one, when the parameters of the deep ranking model $f(\cdot,\cdot)$ are not available, the relative order adversarial attack is carried out under a black-box threat model;
in step two, carrying out the relative order adversarial attack under the black-box threat model comprises the following steps:
setting a permutation vector $p$ of length $k$, using the permutation vector $p$ to specify the relative order of the samples in the candidate sample set $C$, and reordering accordingly; the reordered candidate sample set is $C_p = \{c_{p_1}, c_{p_2}, \ldots, c_{p_k}\}$, and the samples in the reordered candidate sample set $C_p$ are taken as the attack target samples;
initializing a zero matrix $S$, traversing the lower triangular part of the matrix $S$, calculating the score of each matrix element during the traversal, and putting the obtained score into the corresponding position of the matrix; calculating the average of the lower triangle of the matrix $S$ after the scores have been filled in, to obtain the short-range ranking correlation coefficient $\tau_s$;
using a black-box optimization algorithm, with maximizing the obtained short-range ranking correlation coefficient $\tau_s$ as the objective, modifying the query sample $q$ by adding an adversarial perturbation $r$ to obtain the adversarial example
Figure FDA0003234783880000034
8. The practical relative order adversarial attack method of claim 7, wherein the score of each matrix element is calculated during the traversal as follows:
traversing the lower triangular part of the zero matrix $S$, i.e., the row number $i$ from 1 to $k$ and the column number $j$ from 1 to $i-1$;
if either of the candidate sample $c_i$ and the candidate sample $c_j$ does not belong to the set consisting of the top $N$ retrieval results of the deep ranking model, the score is recorded as -1;
if $c_i$ is positioned before $c_j$ in $C_p$ and $c_i$ is before $c_j$ in the list of the top $N$ retrieval results of the model, or if $c_i$ is positioned after $c_j$ in $C_p$ and $c_i$ is after $c_j$ in the list of the top $N$ retrieval results of the model, the score is recorded as 1;
if $c_i$ is positioned before $c_j$ in $C_p$ and $c_i$ is after $c_j$ in the list of the top $N$ retrieval results of the model, or if $c_i$ is positioned after $c_j$ in $C_p$ and $c_i$ is before $c_j$ in the list of the top $N$ retrieval results of the model, the score is recorded as -1.
9. The practical relative order adversarial attack method according to claim 7, wherein the black-box optimization algorithm comprises: a random search method, a particle swarm optimization algorithm, a natural evolution strategy, or a multivariate stochastic approximation algorithm based on simultaneous perturbation gradient approximation.
10. The practical relative order adversarial attack method as claimed in claim 7, wherein, using the black-box optimization algorithm with maximizing the obtained short-range ranking correlation coefficient $\tau_s$ as the objective, the query sample $q$ is modified to obtain the adversarial example
Figure FDA0003234783880000041
by the formula:
Figure FDA0003234783880000042
in the formula, $r^*$ is the (approximate) optimal solution of the optimization problem, i.e. the solution of the argmax($\cdot$) part;
Figure FDA0003234783880000043
is the adversarial example; $C$ is the selected candidate sample set; $p$ is the permutation vector defined above.
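The scoring rule of claims 7 and 8, written out as an added Python example that is not part of the patent text: it computes $\tau_s$ for a returned top-N list, which is also the quantity to log when measuring how far a ranking model's output agrees with a given permutation during robustness evaluation. The function names, the 0-based permutation convention and the sample lists are assumptions made for this example.

```python
def src_score_matrix(candidates, perm, top_n):
    """Fill the lower triangle of S with the +1 / -1 scores of claim 8.

    candidates: the selected set C = [c_1, ..., c_k] (hashable ids)
    perm:       permutation vector p, 0-based here (assumption): C_p[m] = candidates[perm[m]]
    top_n:      the model's top-N retrieval list, best match first
    """
    k = len(candidates)
    if k < 2 or len(set(candidates)) != k:
        raise ValueError("need at least two distinct candidates")
    if sorted(perm) != list(range(k)):
        raise ValueError("perm must be a permutation of 0..k-1")
    wanted = {candidates[idx]: pos for pos, idx in enumerate(perm)}  # position in C_p
    seen = {}
    for pos, item in enumerate(top_n):
        seen.setdefault(item, pos)  # first occurrence wins if the list repeats an id
    S = [[0] * k for _ in range(k)]
    for i in range(1, k):
        for j in range(i):
            ci, cj = candidates[i], candidates[j]
            if ci not in seen or cj not in seen:
                S[i][j] = -1  # one of the pair fell out of the top-N list
            elif (wanted[ci] < wanted[cj]) == (seen[ci] < seen[cj]):
                S[i][j] = 1   # pair ordered the same way in C_p and in the result list
            else:
                S[i][j] = -1  # pair ordered the opposite way
    return S


def short_range_rank_correlation(candidates, perm, top_n):
    """tau_s: mean of the lower-triangle scores, in [-1, 1]."""
    S = src_score_matrix(candidates, perm, top_n)
    k = len(S)
    return sum(S[i][j] for i in range(1, k) for j in range(i)) / (k * (k - 1) // 2)


if __name__ == "__main__":
    # Constructed sample data, not taken from the patent's experiments.
    C = ["a", "b", "c"]
    p = [2, 0, 1]  # C_p = [c, a, b]
    for result in (["x", "c", "a", "y", "b"], ["a", "b", "c"], ["c", "a", "x"]):
        print(result, round(short_range_rank_correlation(C, p, result), 3))
```

A value of 1 means every pair of the selected candidates appears in the top-N list in the order given by $p$; a candidate missing from the top-N list is penalised the same way as a reversed pair.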
CN202110998691.9A 2021-08-27 2021-08-27 Practical relative sequence attack resisting method Active CN113688914B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110998691.9A CN113688914B (en) 2021-08-27 2021-08-27 Practical relative sequence attack resisting method

Publications (2)

Publication Number Publication Date
CN113688914A CN113688914A (en) 2021-11-23
CN113688914B true CN113688914B (en) 2022-12-09

Family

ID=78583568

Country Status (1)

Country Link
CN (1) CN113688914B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant