CN113936140A - Evaluation method of sample attack resisting model based on incremental learning - Google Patents

Evaluation method of sample attack resisting model based on incremental learning

Info

Publication number
CN113936140A
CN113936140A
Authority
CN
China
Prior art keywords
incremental learning
model
attack
learning
sample
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111367546.7A
Other languages
Chinese (zh)
Inventor
温蜜
吕欢欢
王亮亮
张凯
魏敏捷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Electric Power University
Original Assignee
Shanghai Electric Power University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Electric Power University filed Critical Shanghai Electric Power University
Priority to CN202111367546.7A priority Critical patent/CN113936140A/en
Publication of CN113936140A publication Critical patent/CN113936140A/en
Pending legal-status Critical Current

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F30/00Computer-aided design [CAD]
    • G06F30/20Design optimisation, verification or simulation
    • G06F30/27Design optimisation, verification or simulation using machine learning, e.g. artificial intelligence, neural networks, support vector machines [SVM] or training a model

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Artificial Intelligence (AREA)
  • General Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Evolutionary Biology (AREA)
  • Medical Informatics (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Geometry (AREA)
  • Image Analysis (AREA)

Abstract

The invention provides a method for evaluating models against adversarial sample attacks based on incremental learning. A DeepLab v2 semantic segmentation model, combined with a knowledge-distillation-based incremental learning method, is used to extract features from sample data and obtain semantic segmentation maps. Different attack algorithms then attack the models trained with the different learning methods under different perturbation values to obtain attack success rates. Finally, by comparing the attack success rates of the models trained with the different learning methods, it is shown that the incremental learning method can learn new knowledge without storing old-task images, which reduces waste of time and storage and alleviates the catastrophic forgetting that arises when a deep learning model uses batch learning; at the same time, the influence of adversarial sample attacks on a deep learning model performing an incremental learning task in an unmanned-driving scene is obtained.

Description

Evaluation method of sample attack resisting model based on incremental learning
Technical Field
The invention relates to a method for evaluating models against adversarial sample attacks based on incremental learning.
Background
With the rise of artificial intelligence, unmanned vehicles can relieve road traffic congestion and reduce the risk of traffic accidents, and deep learning has become one of their key technologies. However, a large body of work has demonstrated that deep learning models are fragile and vulnerable to adversarial samples. By adding slight perturbations to an original picture, an attacker can cause the classification model to output a wrong result, thereby achieving the attack. For unmanned driving systems, safety is crucial; adversarial sample attacks therefore hinder the deployment of artificial intelligence in unmanned-driving scenes and pose a great safety hazard. In addition, deep learning models suffer from catastrophic forgetting. As unmanned vehicles travel on the road, they need to learn new classes and their different representations, and when a system requires the model to learn new knowledge without forgetting old knowledge, the model can exhibit severe performance degradation. Recently, it has been observed that incremental learning techniques can address these challenges. However, previous research on adversarial sample attacks in unmanned-driving scenes has focused primarily on batch learning, and it remains unclear how adversarial sample attacks affect a deep learning model performing an incremental learning task. This problem exposes potential safety hazards in unmanned driving systems and also opens opportunities for research.
Disclosure of Invention
In order to solve the above problems, the invention provides an evaluation method for a model against adversarial sample attacks based on incremental learning, which adopts the following technical scheme:
the invention provides a method for evaluating a model against adversarial sample attacks based on incremental learning, characterized by comprising the following steps: step S1, training data containing a plurality of categories is obtained based on a predetermined data set; step S2, a predetermined semantic segmentation model is used to perform non-incremental learning, L'D incremental learning, and EqL'D incremental learning on the training data respectively; step S3, feature extraction is performed on the learned training data based on the predetermined semantic segmentation model to obtain, respectively, a first semantic segmentation map for non-incremental learning, a second semantic segmentation map for L'D incremental learning, and a third semantic segmentation map for EqL'D incremental learning; step S4, several types of predetermined attack algorithms are used to attack the first, second, and third semantic segmentation maps under different perturbation values, and the corresponding attack success rates are obtained respectively; and step S5, the attack success rates are compared to evaluate the robustness of the incremental-learning-based model.
The evaluation method of the incremental-learning-based adversarial sample attack model can also have the technical characteristics that the predetermined semantic segmentation model is a DeepLab v2 model, which comprises atrous (dilated) convolution, atrous spatial pyramid pooling, and a conditional random field; the DeepLab v2 model obtains a coarse semantic segmentation result using a DCNN, restores the feature map to the original image resolution by bilinear interpolation, and refines the semantic segmentation result with a fully connected conditional random field.
The evaluation method of the adversarial sample attack model based on incremental learning provided by the invention can also have the technical characteristics that the predetermined attack algorithms comprise the FGSM attack algorithm, the DeepFool attack algorithm, and the MI-FGSM attack algorithm.
The evaluation method for the model against adversarial sample attacks based on incremental learning provided by the invention can also have the technical characteristics that the predetermined data set is the Pascal VOC2012 data set, and the sample data contains 21 categories.
The evaluation method of the model against adversarial sample attacks based on incremental learning provided by the invention can also have the technical characteristics that the two groups of experimental data are respectively: a first group in which the 21 classes of sample data are divided into the first 20 classes and the last 1 class, and a second group in which the 21 classes of sample data are divided into the first 16 classes and the last 5 classes.
The evaluation method of the model against adversarial sample attacks based on incremental learning provided by the invention can also have the technical characteristics that the learning process based on the first set of experimental data in step S2 is: non-incremental learning is performed on the first 20 categories in the first set of experimental data, and non-incremental learning, L'D incremental learning, and EqL'D incremental learning are performed respectively on the last 1 category in the first set of experimental data; the learning process based on the second set of experimental data in step S2 is: non-incremental learning is performed on the first 16 categories in the second set of experimental data, and non-incremental learning, L'D incremental learning, and EqL'D incremental learning are performed respectively on the last 5 categories in the second set of experimental data.
The assessment method of the incremental-learning-based adversarial sample attack model provided by the invention can also have the technical characteristics that L'D incremental learning performs knowledge distillation on the output layer of the predetermined semantic segmentation model to obtain a distillation loss L'D, and EqL'D incremental learning freezes the encoder while performing knowledge distillation on the output layer of the predetermined semantic segmentation model, obtaining the distillation loss EqL'D with the encoder frozen.
The method for evaluating the model against adversarial sample attacks based on incremental learning can also have the technical characteristics that the distillation loss L'D is:

L'D = -(1/|X_n|) Σ_{X_n} Σ_{c ∈ S_{k-1}} M_{k-1}(X_n)[c] · log(M_k(X_n)[c])

in the formula, X_n refers to the new training samples of each step, k is the index of the incremental step (k = 1, 2, …), so that the model learns a new set of classes each time, M_k(X_n)[c] is the evaluation score reflecting class c, and S_{k-1} is the union of all previously learned classes.
The evaluation method of the incremental-learning-based adversarial sample attack model provided by the invention can also have the technical characteristics that step S5 further comprises performing adversarial training on the incremental-learning-based model to improve its robustness, wherein the adversarial training comprises: generating adversarial samples against the attacked incremental-learning-based model using an adversarial sample algorithm, inputting the adversarial samples together with the sample data into the incremental-learning-based model for training, and learning in a supervised manner.
Action and Effect of the invention
According to the evaluation method of the incremental-learning-based adversarial sample attack model, a DeepLab v2 semantic segmentation model, combined with a knowledge-distillation-based incremental learning method, extracts features from sample data to obtain semantic segmentation maps; different attack algorithms then attack the models trained with the different learning methods under different perturbation values to obtain the attack success rates. Finally, by comparing the attack success rates of the models trained with the different learning methods, it is shown that the incremental learning method can learn new knowledge without storing old-task images, which reduces waste of time and storage and alleviates the catastrophic forgetting that arises when a deep learning model uses batch learning. Meanwhile, the influence of adversarial sample attacks on a deep learning model performing an incremental learning task in an unmanned-driving scene is obtained.
Drawings
FIG. 1 is a flow chart of a method for evaluating an incremental learning-based model for countering sample attacks in an embodiment of the present invention;
FIG. 2 is a schematic diagram of an ASPP module in the DeepLab v2 model in an embodiment of the present invention;
FIG. 3 is a block diagram of the kth incremental learning step in an embodiment of the invention;
FIG. 4 is a schematic diagram of an encoder freezing scheme in the kth increment step in an embodiment of the present invention;
FIG. 5 is a diagram illustrating semantic segmentation results of a first set of experimental data according to an embodiment of the present invention;
FIG. 6 is a graph illustrating semantic segmentation results of a second set of experimental data according to an embodiment of the present invention;
FIG. 7 is a graph illustrating attack success rates based on a first set of experimental data in an embodiment of the present invention;
FIG. 8 is a graph illustrating attack success rates obtained based on the second set of experimental data in an embodiment of the present invention.
Detailed Description
In order to make the technical means, the creation characteristics, the achievement purposes and the effects of the present invention easy to understand, the following describes a method for evaluating an incremental learning-based anti-sample attack model according to the present invention in detail with reference to the following embodiments and the accompanying drawings.
< example >
The evaluation method of the incremental-learning-based adversarial sample attack model takes unmanned driving as the experimental scene. The experimental environment was set as: an Intel(R) Core(TM) i7-7800X CPU, an NVIDIA GeForce RTX 2080Ti GPU, and 24GB RAM, operating in an Ubuntu environment based on the TensorFlow framework, with the primary environment configured as Python 3.6.
Fig. 1 is a flowchart of an evaluation method of an incremental learning-based countersample attack model in an embodiment of the present invention.
As shown in fig. 1, the evaluation method of the incremental learning-based model for resisting sample attack includes the following steps:
in step S1, sample data including several categories is acquired based on a predetermined data set.
In this embodiment, the predetermined data set is the Pascal VOC2012 data set, which includes 21 categories (background, aeroplane, bicycle, bird, boat, bottle, bus, car, cat, chair, cow, diningtable, dog, horse, motorbike, person, pottedplant, sheep, sofa, train, tvmonitor), with 10582 training images and 1449 validation images in total.
Furthermore, the data set contains 6 classes (bicycle, bus, car, motorbike, person, train) that are common in unmanned-driving scenes. It can therefore be used to evaluate the performance of adversarial sample attacks on incremental-learning-based models in unmanned-driving scenarios while remaining general.
Step S2, the sample data is divided into two groups as experimental data, and non-incremental learning, L'D incremental learning, and EqL'D incremental learning are performed on the two groups of experimental data respectively using a predetermined semantic segmentation model.
In this embodiment, the predetermined semantic segmentation model is the DeepLab v2 model, which comprises atrous (dilated) convolution, atrous spatial pyramid pooling (ASPP), and a conditional random field (CRF).
FIG. 2 is a schematic diagram of the ASPP module in the DeepLab v2 model in an embodiment of the present invention.
The ASPP module (shown in fig. 2) is inspired by the SPP module; it replaces the ordinary convolution layer in the SPP module with several parallel atrous convolutions with different dilation rates to extract image features, collecting global and local feature information at different scales and obtaining multiple receptive fields, so as to improve the final segmentation accuracy.
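The parallel atrous convolutions inside ASPP can be illustrated with a minimal 1-D sketch (plain Python, not the DeepLab v2 implementation): the same 3-tap kernel applied at different dilation rates covers receptive fields of different sizes over the same input.

```python
def dilated_conv1d(signal, kernel, rate):
    """1-D convolution 'with holes': kernel taps are spaced `rate` samples
    apart, so the receptive field grows with the dilation rate at no extra
    cost in parameters."""
    span = (len(kernel) - 1) * rate  # receptive field minus one
    return [
        sum(kernel[j] * signal[i + j * rate] for j in range(len(kernel)))
        for i in range(len(signal) - span)
    ]

signal = [1, 2, 3, 4, 5, 6, 7, 8]
kernel = [1, 1, 1]                           # same 3-tap kernel in every branch
branch1 = dilated_conv1d(signal, kernel, 1)  # receptive field 3
branch2 = dilated_conv1d(signal, kernel, 2)  # receptive field 5
branch3 = dilated_conv1d(signal, kernel, 3)  # receptive field 7
```

In the real ASPP module the branches operate on 2-D feature maps and their outputs are fused; the sketch only shows how the dilation rate changes the receptive field.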
Wherein, two groups of experimental data are respectively:
the 21 classes of sample data are divided into a first set of experimental data (the first 20 classes and the last 1 class) and a second set of experimental data (the first 16 classes and the last 5 classes).
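The two experimental splits can be expressed as a small helper (illustrative code, assuming the 21 Pascal VOC2012 labels are indexed 0 through 20):

```python
# Pascal VOC2012 segmentation labels are indexed 0..20 (0 = background).
VOC_NUM_CLASSES = 21

def split_classes(n_initial):
    """Split the 21 class indices into an initial (old-task) set and an
    incremental (new-task) set, as in the two experimental groups."""
    classes = list(range(VOC_NUM_CLASSES))
    return classes[:n_initial], classes[n_initial:]

old_1, new_1 = split_classes(20)  # first group: 20 old classes + 1 new class
old_2, new_2 = split_classes(16)  # second group: 16 old classes + 5 new classes
```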
The learning process based on the first set of experimental data in this step S2 is:
non-incremental learning is performed on the first 20 categories of the first set of experimental data, and non-incremental learning, L'D incremental learning, and EqL'D incremental learning are performed respectively on the last 1 category (i.e., tvmonitor) of the first set of experimental data.
The learning process based on the second set of experimental data in this step S2 is:
non-incremental learning is performed on the first 16 categories in the second set of experimental data, and non-incremental learning, L'D incremental learning, and EqL'D incremental learning are performed respectively on the last 5 categories (pottedplant, sheep, sofa, train, tvmonitor) in the second set of experimental data.
FIG. 3 is a block diagram of the kth incremental learning step in an embodiment of the present invention.
As shown in fig. 3, L'D incremental learning distills knowledge over the output layer of the DeepLab v2 model to obtain a distillation loss L'D. L'D is the logarithmic cross-entropy loss between the softmax output of the previous model M_{k-1} and the softmax output of the current model M_k (assuming the process is currently at the kth incremental learning step). The cross entropy is masked to the classes that have already been seen, because the learning process should be guided to preserve them.
wherein the distillation loss L'D is:

L'D = -(1/|X_n|) Σ_{X_n} Σ_{c ∈ S_{k-1}} M_{k-1}(X_n)[c] · log(M_k(X_n)[c])

in the formula, X_n refers to the new training samples of each step, k is the index of the incremental step (k = 1, 2, …), so that the model learns a new set of classes each time, M_k(X_n)[c] is the evaluation score reflecting class c, and S_{k-1} is the union of all previously learned classes.
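Under the assumption that per-pixel softmax outputs are available as probability lists, the masked distillation term can be sketched in plain Python (illustrative names, not the actual training code):

```python
import math

def distillation_loss(prev_probs, curr_probs, old_classes):
    """Masked cross-entropy between the softmax outputs of the previous model
    M_{k-1} (prev_probs) and the current model M_k (curr_probs), restricted to
    the previously learned classes S_{k-1} (old_classes)."""
    total = 0.0
    for p_prev, p_curr in zip(prev_probs, curr_probs):
        # only classes already seen contribute; new classes are masked out
        total -= sum(p_prev[c] * math.log(p_curr[c]) for c in old_classes)
    return total / len(prev_probs)

# two "pixels", three classes, classes 0 and 1 learned previously
prev = [[0.7, 0.2, 0.1], [0.6, 0.3, 0.1]]
curr = [[0.6, 0.3, 0.1], [0.6, 0.3, 0.1]]
loss = distillation_loss(prev, curr, old_classes=[0, 1])
```

As expected of a cross-entropy, the loss is smaller when the current model's outputs match the previous model's outputs on the old classes.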
Fig. 4 is a schematic diagram of the freezing scheme of the encoder in the k-th increment step in the embodiment of the present invention.
EqL'D incremental learning freezes the encoder while distilling knowledge on the output layer of the DeepLab v2 model, yielding the distillation loss EqL'D with the encoder frozen.
This incremental learning method modifies the first incremental learning method L'D: the encoder extracts intermediate feature representations, and the modification builds on this. The approach lets the network learn the new classes only through the decoder, so the feature extraction function is kept the same as in the previous training phase, as shown in fig. 4, where M_{k-1} is the whole model of the previous step.
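The encoder-freezing scheme can be sketched as a parameter update that simply skips encoder weights (a plain-Python toy with an illustrative parameter dict, not the actual TensorFlow training loop):

```python
def sgd_step(params, grads, lr, frozen_prefix="encoder."):
    """One gradient step that skips every parameter whose name starts with
    `frozen_prefix`: the encoder keeps its old feature-extraction weights and
    only the decoder adapts to the new classes."""
    return {
        name: val if name.startswith(frozen_prefix) else val - lr * grads[name]
        for name, val in params.items()
    }

params = {"encoder.w": 1.0, "decoder.w": 1.0}
grads = {"encoder.w": 0.5, "decoder.w": 0.5}
updated = sgd_step(params, grads, lr=0.1)  # encoder.w untouched, decoder.w updated
```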
Knowledge distillation migrates knowledge learned by one complex model (or several models) to another, simpler model. The two incremental learning methods described above correspond to the most challenging setting: images from old tasks are not stored (saving storage space), so they cannot be used to assist the incremental process and previous performance cannot rely on them. This is particularly suitable for systems such as unmanned cars, which involve both privacy concerns and storage constraints.
Step S3, feature extraction is performed on the two groups of learned experimental data based on the DeepLab v2 model to obtain, for each group, a first semantic segmentation map for non-incremental learning, a second semantic segmentation map for L'D incremental learning, and a third semantic segmentation map for EqL'D incremental learning.
In this embodiment, the DeepLab v2 model obtains a coarse semantic segmentation result using a DCNN, restores the feature map to the original image resolution by bilinear interpolation, and refines the semantic segmentation result with a fully connected conditional random field.
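The bilinear upsampling step that restores a score map to image resolution can be sketched as follows (a simplified plain-Python stand-in; the real model upsamples multi-channel score maps):

```python
def bilinear_upsample(grid, out_h, out_w):
    """Upsample a 2-D score map to (out_h, out_w) by bilinear interpolation,
    aligning the corners of the input and output grids."""
    in_h, in_w = len(grid), len(grid[0])
    out = []
    for i in range(out_h):
        y = i * (in_h - 1) / (out_h - 1) if out_h > 1 else 0.0
        y0 = min(int(y), in_h - 2)
        dy = y - y0
        row = []
        for j in range(out_w):
            x = j * (in_w - 1) / (out_w - 1) if out_w > 1 else 0.0
            x0 = min(int(x), in_w - 2)
            dx = x - x0
            top = grid[y0][x0] * (1 - dx) + grid[y0][x0 + 1] * dx
            bot = grid[y0 + 1][x0] * (1 - dx) + grid[y0 + 1][x0 + 1] * dx
            row.append(top * (1 - dy) + bot * dy)
        out.append(row)
    return out

up = bilinear_upsample([[0.0, 2.0], [4.0, 6.0]], 3, 3)  # 2x2 map -> 3x3 map
```

Corner values are preserved and interior values are linear blends of the four nearest input cells.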
Fig. 5 is a schematic diagram of semantic segmentation results of a first set of experimental data in the embodiment of the present invention, and fig. 6 is a schematic diagram of semantic segmentation results of a second set of experimental data in the embodiment of the present invention.
As shown in fig. 5, the semantic segmentation example maps are obtained by the DeepLab v2 model performing feature extraction on the last 1 category, i.e. tvmonitor (RGB column in the figure), under non-incremental learning (GT column), L'D incremental learning (L'D column), and EqL'D incremental learning (EqL'D column).
As shown in fig. 6, the corresponding semantic segmentation example maps are obtained by the DeepLab v2 model performing feature extraction on the last 5 categories (pottedplant, sheep, sofa, train, tvmonitor; RGB columns in the figure) under non-incremental learning (GT column), L'D incremental learning (L'D column), and EqL'D incremental learning (EqL'D column).
Step S4, attack the first semantic segmentation graph, the second semantic segmentation graph and the third semantic segmentation graph in the two groups of experimental data respectively under different disturbance values by adopting a plurality of types of predetermined attack algorithms, and respectively acquire two groups of corresponding attack success rates.
Research on adversarial sample attacks in recent years can be broadly divided into three types: white-box attacks, black-box attacks, and physical attacks.
A white-box attack presupposes full access to the model's architecture, including the parameter values of each layer and the composition of the model; the input of the model can be fully controlled, even at bit-level granularity. Its advantage is fast computation, but it requires the gradient information of the target network. The main white-box attack algorithms include: the fast gradient sign method (FGSM), the Jacobian-based saliency map attack (JSMA), the DeepFool algorithm, the momentum iterative fast gradient sign method (MI-FGSM), and the C&W algorithm, among others.
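As an illustration of the gradient-sign idea behind FGSM (a toy logistic classifier, not the DeepLab v2 segmentation setting; all names are illustrative):

```python
import math

def fgsm(x, y, w, b, eps):
    """One-step FGSM on a toy logistic classifier p = sigmoid(w.x + b):
    move every input dimension by eps in the sign of the loss gradient,
    i.e. x_adv = x + eps * sign(grad_x L(x, y))."""
    p = 1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))
    sign = lambda v: (v > 0) - (v < 0)
    # d(cross-entropy)/dx_i = (p - y) * w_i for a label y in {0, 1}
    return [xi + eps * sign((p - y) * wi) for xi, wi in zip(x, w)]

# each dimension moves by eps in the direction that increases the loss
x_adv = fgsm(x=[1.0, -1.0], y=1, w=[2.0, -1.0], b=0.0, eps=0.3)
```

MI-FGSM iterates this step with an accumulated momentum term, and DeepFool instead searches for the smallest perturbation crossing the decision boundary.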
In this embodiment, the FGSM, DeepFool, and MI-FGSM attack algorithms are used to attack the semantic segmentation maps obtained from each set of experimental data with the perturbation value ε set to 0.3, 0.2, and 0.1, and the corresponding attack success rates are obtained.
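The patent reports attack success rates without spelling out the exact success criterion; one common, minimal definition (an assumption, not necessarily the metric used here) counts how many predictions flip under attack:

```python
def attack_success_rate(clean_preds, adv_preds):
    """Percentage of samples whose predicted label changed after the attack."""
    flipped = sum(c != a for c, a in zip(clean_preds, adv_preds))
    return 100.0 * flipped / len(clean_preds)

rate = attack_success_rate([1, 2, 3, 4], [1, 0, 0, 4])  # two of four flipped
```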
In step S5, the attack success rates within each group are compared to evaluate the robustness of the incremental-learning-based models.
Fig. 7 shows the success rate of the attack based on the first set of experimental data in the embodiment of the present invention.
In this embodiment, in the learning based on the first set of experimental data, the non-incremental learning model is denoted M(0-20), the L'D incremental learning model is denoted M(0-19)+M(20)(L'D), and the EqL'D incremental learning model is denoted M(0-19)+M(20)(EqL'D).
As shown in fig. 7, the FGSM attack algorithm with perturbation value ε = 0.3 is first selected for detailed analysis:
when L'D incremental learning is used, the attack success rate reaches 94.55%;
when EqL'D incremental learning is used, the attack success rate reaches 92.10%;
when non-incremental learning is used, the attack success rate reaches only 86.12%.
Therefore, incremental learning can raise the attack success rate on the model by up to 8.43%; compared with the attack results on only the first 20 classes, the attack success rate indeed increases after incremental learning.
Next, the DeepFool attack algorithm with perturbation value ε = 0.2 is analyzed:
when L'D incremental learning is used, the attack success rate reaches 83.71%;
when EqL'D incremental learning is used, the attack success rate reaches 81.52%;
when non-incremental learning is used, the attack success rate reaches only 80.18%.
Therefore, when the perturbation value ε = 0.2, incremental learning can raise the attack success rate on the model by 3.53%.
Similarly, analysis of the MI-FGSM attack algorithm with perturbation value ε = 0.3 shows that L'D incremental learning raises the attack success rate by 2.59%.
In addition, EqL'D incremental learning also raises the attack success rate, but by less than L'D incremental learning, so EqL'D incremental learning is more robust than L'D incremental learning; that is, when the model learns incrementally, adversarial sample attacks achieve a higher success rate against it than against the non-incremental model.
Fig. 8 shows the attack success rates obtained based on the second set of experimental data in the embodiment of the present invention.
In this embodiment, in the learning based on the second set of experimental data, the non-incremental learning model is denoted M(0-15), the L'D incremental learning model is denoted M(0-15)+M(16-20)(L'D), and the EqL'D incremental learning model is denoted M(0-15)+M(16-20)(EqL'D).
As shown in fig. 8, the FGSM attack algorithm with perturbation value ε = 0.3 is first selected for detailed analysis:
when L'D incremental learning is used, the attack success rate reaches 92.14%;
when EqL'D incremental learning is used, the attack success rate reaches 93.75%;
when non-incremental learning is used, the attack success rate reaches only 86.12%.
Therefore, the incremental learning can improve the attack success rate of the model.
Next, the DeepFool attack algorithm with perturbation value ε = 0.3 is analyzed:
when L'D incremental learning is used, the attack success rate reaches 82.23%;
when EqL'D incremental learning is used, the attack success rate reaches 83.39%;
when non-incremental learning is used, the attack success rate reaches only 81.16%.
In this case, EqL'D incremental learning raises the attack success rate by 2.23%.
Similarly, for the MI-FGSM attack algorithm with perturbation value ε = 0.1, EqL'D incremental learning raises the attack success rate by 3.08%.
Therefore, adversarial sample attacks achieve a higher success rate against the incremental-learning-based models; in this second set of experiments, the attack success rate under EqL'D incremental learning is higher than under L'D incremental learning.
Thus, when the model learns samples with an incremental learning method, it can acquire new knowledge without storing old-task images, reducing waste of time and storage and mitigating the catastrophic forgetting of the deep learning framework, but its robustness decreases.
In this embodiment, in order to further improve the robustness of the model that uses incremental learning, adversarial training is also added. Specifically:
first, common adversarial sample algorithms such as the FGSM, DeepFool, and MI-FGSM attack algorithms are used to generate a large number of adversarial samples against the attacked model; the adversarial samples and the original data are then fed into the model for retraining with supervised learning, yielding a hardened model.
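The retraining procedure can be sketched as a generic loop (hypothetical function names; the attack and training step below are toy stand-ins, not the actual FGSM or segmentation trainer):

```python
def adversarial_training(model_step, attack, clean_batch, labels, epochs=1):
    """Hypothetical adversarial-training loop: at each epoch, generate
    adversarial samples against the current model, then retrain on
    clean + adversarial data with the original supervised labels."""
    for _ in range(epochs):
        adv_batch = [attack(x, y) for x, y in zip(clean_batch, labels)]
        model_step(clean_batch + adv_batch, labels + labels)  # retrain on both

# toy stand-ins: the "attack" shifts the input, the "model step" records data
seen = []
train = lambda batch, labels: seen.append((batch, labels))
shift = lambda x, y: x + 0.1
adversarial_training(train, shift, clean_batch=[0.0, 1.0], labels=[0, 1], epochs=1)
```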
Action and effect of the embodiments
According to the evaluation method for the incremental-learning-based adversarial sample attack model, a DeepLab v2 semantic segmentation model, combined with a knowledge-distillation-based incremental learning method, extracts features from sample data to obtain semantic segmentation maps; different attack algorithms then attack the models trained with the different learning methods under different perturbation values to obtain the attack success rates. Finally, by comparing the attack success rates of the models trained with the different learning methods, it is shown that the incremental learning method can learn new knowledge without storing old-task images, which reduces waste of time and storage and alleviates the catastrophic forgetting that arises when a deep learning model uses batch learning. Meanwhile, the influence of adversarial sample attacks on a deep learning model performing an incremental learning task in an unmanned-driving scene is obtained.
In the embodiments, the predetermined data set is the Pascal VOC2012 data set, which contains 6 classes (bicycle, bus, car, motorbike, person, train) that are common in unmanned-driving scenes. It can therefore be used to evaluate the performance of adversarial sample attacks on incremental-learning-based models in unmanned-driving scenarios while remaining general.
In the embodiments, adversarial training is used to harden the incremental-learning-based model, which effectively improves its robustness and reduces the influence of adversarial sample attacks on the model.
The above-described embodiments are merely illustrative of specific embodiments of the present invention, and the present invention is not limited to the description of the above-described embodiments.

Claims (9)

1. An evaluation method of a sample attack resisting model based on incremental learning is characterized by comprising the following steps:
step S1, obtaining sample data containing a plurality of categories based on a preset data set;
step S2, the sample data is divided into two groups as experimental data, and non-incremental learning, L'D incremental learning, and EqL'D incremental learning are performed on the two groups of experimental data respectively using a predetermined semantic segmentation model;
step S3, feature extraction is performed on the two groups of learned experimental data based on the predetermined semantic segmentation model to obtain, respectively, the first semantic segmentation map for non-incremental learning, the second semantic segmentation map for L'D incremental learning, and the third semantic segmentation map for EqL'D incremental learning corresponding to the two groups of experimental data;
step S4, adopting a plurality of types of predetermined attack algorithms to attack the first semantic segmentation graph, the second semantic segmentation graph and the third semantic segmentation graph in the two groups of experimental data respectively under different disturbance values, and respectively obtaining two groups of corresponding attack success rates;
and step S5, comparing the attack success rate in each group, and evaluating the robustness of the model based on incremental learning.
2. The evaluation method of the incremental learning-based adversarial sample attack model according to claim 1, wherein:
the predetermined semantic segmentation model is the DeepLab v2 model, which comprises atrous convolution, atrous spatial pyramid pooling, and a conditional random field,
the DeepLab v2 model obtains a coarse semantic segmentation result using a DCNN, restores the feature map to the original image resolution by bilinear interpolation, and refines the segmentation result with a fully connected conditional random field.
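The bilinear-interpolation upsampling step mentioned in claim 2 can be sketched in a few lines; this is an illustrative implementation of standard bilinear interpolation, not code from the patent, and in practice a framework routine (e.g. a library's `interpolate` function) would be used.

```python
def bilinear_upsample(fmap, out_h, out_w):
    """Restore a low-resolution 2D feature map (list of lists of floats)
    to a higher resolution via bilinear interpolation, as DeepLab v2
    does after the DCNN stage."""
    in_h, in_w = len(fmap), len(fmap[0])
    out = []
    for i in range(out_h):
        # Map output row i to a fractional source row y.
        y = i * (in_h - 1) / (out_h - 1) if out_h > 1 else 0.0
        y0, y1 = int(y), min(int(y) + 1, in_h - 1)
        wy = y - y0
        row = []
        for j in range(out_w):
            x = j * (in_w - 1) / (out_w - 1) if out_w > 1 else 0.0
            x0, x1 = int(x), min(int(x) + 1, in_w - 1)
            wx = x - x0
            # Interpolate horizontally on the two bracketing rows,
            # then vertically between the results.
            top = fmap[y0][x0] * (1 - wx) + fmap[y0][x1] * wx
            bot = fmap[y1][x0] * (1 - wx) + fmap[y1][x1] * wx
            row.append(top * (1 - wy) + bot * wy)
        out.append(row)
    return out

up = bilinear_upsample([[0.0, 2.0], [2.0, 4.0]], 3, 3)
```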
3. The evaluation method of the incremental learning-based adversarial sample attack model according to claim 1, wherein:
the predetermined attack algorithms include the FGSM attack algorithm, the DeepFool attack algorithm, and the MI-FGSM attack algorithm.
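Of the algorithms claim 3 names, FGSM is the simplest: perturb the input by ε in the direction of the sign of the loss gradient. The sketch below is illustrative only; it estimates the gradient by finite differences on a generic loss function so it stays self-contained, whereas a real attack would use the model's autograd gradients.

```python
def fgsm_perturb(x, loss_fn, eps, h=1e-5):
    """One-step FGSM on a flat input vector x (list of floats):
    x_adv = x + eps * sign(grad_x loss).  Gradient is approximated
    by central finite differences for self-containment."""
    grad = []
    for i in range(len(x)):
        xp, xm = list(x), list(x)
        xp[i] += h
        xm[i] -= h
        grad.append((loss_fn(xp) - loss_fn(xm)) / (2 * h))
    sign = [1 if g > 0 else (-1 if g < 0 else 0) for g in grad]
    return [xi + eps * s for xi, s in zip(x, sign)]

# Toy loss: sum of squares; FGSM should push each coordinate away from 0.
adv = fgsm_perturb([1.0, -2.0], lambda v: v[0] ** 2 + v[1] ** 2, 0.25)
```

MI-FGSM extends this by accumulating a momentum term over several such steps, and DeepFool instead searches for the smallest perturbation crossing a decision boundary; both operate on the same gradient-sign idea.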
4. The evaluation method of the incremental learning-based adversarial sample attack model according to claim 1, wherein:
the predetermined dataset is the Pascal VOC2012 dataset, and the sample data contains 21 classes.
5. The evaluation method of the incremental learning-based adversarial sample attack model according to claim 4, wherein:
the two groups of experimental data are respectively:
a first group of experimental data obtained by dividing the 21 classes of the sample data into the first 20 classes and the last 1 class,
and a second group of experimental data obtained by dividing the 21 classes of the sample data into the first 16 classes and the last 5 classes.
6. The evaluation method of the incremental learning-based adversarial sample attack model according to claim 5, wherein:
the learning based on the first group of experimental data in step S2 is as follows:
the non-incremental learning is performed on the first 20 classes of the first group of experimental data,
and the non-incremental learning, the L'D incremental learning, and the EqL'D incremental learning are each performed on the last 1 class of the first group of experimental data;
the learning based on the second group of experimental data in step S2 is as follows:
the non-incremental learning is performed on the first 16 classes of the second group of experimental data,
and the non-incremental learning, the L'D incremental learning, and the EqL'D incremental learning are each performed on the last 5 classes of the second group of experimental data.
7. The evaluation method of the incremental learning-based adversarial sample attack model according to claim 6, wherein:
the L'D incremental learning performs knowledge distillation on the output layer of the predetermined semantic segmentation model, obtaining the distillation loss L'D;
the EqL'D incremental learning freezes the encoder while performing knowledge distillation on the output layer of the predetermined semantic segmentation model, obtaining the distillation loss EqL'D with the encoder frozen.
8. The evaluation method of the incremental learning-based adversarial sample attack model according to claim 7, wherein:
the distillation loss L'D is given by the formula of image FDA0003361396990000041 (formula image, not reproduced in this text),
in which the symbol of image FDA0003361396990000042 denotes the new training samples of each step; k is the index of the incremental step, k = 1, 2, …, so that the model learns a new set of classes at each step; M_k(X_n[c]) is the evaluation score reflecting class c; and S_{k-1} is the union of all previously learned classes.
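The exact formula of claim 8 survives only as an image, but the surrounding definitions describe an output-layer distillation loss over the previously learned classes S_{k-1}. The sketch below is therefore only a plausible reading, not the patented formula: a cross-entropy between the old model's and the new model's class scores, restricted to old classes and averaged over the new samples.

```python
import math

def distillation_loss(old_scores, new_scores, old_class_ids):
    """Hedged sketch of an output-layer distillation loss in the spirit
    of L'D: cross-entropy of the new model's scores M_k against the old
    model's scores M_{k-1}, summed over previously learned classes
    S_{k-1} and averaged over the new training samples.
    old_scores / new_scores: per-sample probability vectors."""
    total = 0.0
    for old_p, new_p in zip(old_scores, new_scores):
        total -= sum(old_p[c] * math.log(new_p[c]) for c in old_class_ids)
    return total / len(old_scores)

# When the new model exactly matches the old one, the loss reduces to
# the old distribution's entropy (its minimum for fixed old_scores).
loss = distillation_loss([[0.5, 0.5]], [[0.5, 0.5]], [0, 1])
```

Minimizing such a term keeps the new model's outputs on old classes close to the old model's, which is how distillation counters catastrophic forgetting.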
9. The evaluation method of the incremental learning-based adversarial sample attack model according to claim 8, wherein:
step S5 further includes performing adversarial training on the incremental learning-based model to improve the robustness of the model,
the adversarial training being as follows:
an adversarial sample algorithm is used to generate adversarial samples against the attacked incremental learning-based model, and the adversarial samples together with the sample data are input into the incremental learning-based model for training, with learning carried out in a supervised manner.
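The adversarial training of claim 9 boils down to augmenting the supervised training set: each clean sample contributes an adversarial counterpart that keeps the clean label. A minimal sketch, with all names (`adversarial_training_set`, `make_adv`) illustrative:

```python
def adversarial_training_set(samples, labels, make_adv):
    """Build an adversarially augmented supervised training set:
    adversarial examples generated against the current model are added
    alongside the clean samples, each retaining its clean label."""
    adv_samples = [make_adv(x) for x in samples]
    return samples + adv_samples, labels + labels

# Toy usage: make_adv stands in for an attack such as FGSM against the
# current model; here it just nudges each scalar sample.
xs, ys = adversarial_training_set([1.0, 2.0], ["car", "bus"],
                                  lambda x: x + 0.1)
```

Training on `xs, ys` then proceeds as ordinary supervised learning, which is what allows the hardened model to resist the perturbations it was trained against.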
CN202111367546.7A 2021-11-18 2021-11-18 Evaluation method of sample attack resisting model based on incremental learning Pending CN113936140A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111367546.7A CN113936140A (en) 2021-11-18 2021-11-18 Evaluation method of sample attack resisting model based on incremental learning

Publications (1)

Publication Number Publication Date
CN113936140A true CN113936140A (en) 2022-01-14

Family

ID=79286934

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111367546.7A Pending CN113936140A (en) 2021-11-18 2021-11-18 Evaluation method of sample attack resisting model based on incremental learning

Country Status (1)

Country Link
CN (1) CN113936140A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114708436A (en) * 2022-06-02 2022-07-05 深圳比特微电子科技有限公司 Training method of semantic segmentation model, semantic segmentation method, semantic segmentation device and semantic segmentation medium
CN114724014A (en) * 2022-06-06 2022-07-08 杭州海康威视数字技术股份有限公司 Anti-sample attack detection method and device based on deep learning and electronic equipment
CN114724014B (en) * 2022-06-06 2023-06-30 杭州海康威视数字技术股份有限公司 Deep learning-based method and device for detecting attack of countered sample and electronic equipment

Similar Documents

Publication Publication Date Title
CN107229973B (en) Method and device for generating strategy network model for automatic vehicle driving
CN110321957B (en) Multi-label image retrieval method fusing triple loss and generating countermeasure network
CN110941794B (en) Challenge attack defense method based on general inverse disturbance defense matrix
CN112685597B (en) Weak supervision video clip retrieval method and system based on erasure mechanism
CN111600835A (en) Detection and defense method based on FGSM (FGSM) counterattack algorithm
US9798972B2 (en) Feature extraction using a neurosynaptic system for object classification
CN113936140A (en) Evaluation method of sample attack resisting model based on incremental learning
CN111598182A (en) Method, apparatus, device and medium for training neural network and image recognition
CN111476285B (en) Training method of image classification model, image classification method and storage medium
Kwon et al. Multi-targeted backdoor: Indentifying backdoor attack for multiple deep neural networks
CN111191709A (en) Continuous learning framework and continuous learning method of deep neural network
CN116110022B (en) Lightweight traffic sign detection method and system based on response knowledge distillation
CN115049534A (en) Knowledge distillation-based real-time semantic segmentation method for fisheye image
CN114022697A (en) Vehicle re-identification method and system based on multitask learning and knowledge distillation
Shan et al. Class-incremental semantic segmentation of aerial images via pixel-level feature generation and task-wise distillation
CN115546196A (en) Knowledge distillation-based lightweight remote sensing image change detection method
CN116403290A (en) Living body detection method based on self-supervision domain clustering and domain generalization
CN116543240B (en) Defending method for machine learning against attacks
CN112750128B (en) Image semantic segmentation method, device, terminal and readable storage medium
Hui et al. FoolChecker: A platform to evaluate the robustness of images against adversarial attacks
CN115630361A (en) Attention distillation-based federal learning backdoor defense method
CN115758337A (en) Back door real-time monitoring method based on timing diagram convolutional network, electronic equipment and medium
CN114137967B (en) Driving behavior decision method based on multi-network joint learning
CN114998809A (en) False news detection method and system based on ALBERT and multi-mode cycle fusion
CN114693973A (en) Black box confrontation sample generation method based on Transformer model

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination