CN114120028A - Countermeasure sample generation method based on double-layer generation countermeasure network - Google Patents
Publication number: CN114120028A (application CN202111249871.3A)
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
Abstract
The invention provides an adversarial example generation method based on a two-layer generative adversarial network (GAN), in the field of artificial intelligence security. The method uses a first-layer conditional GAN, a feature extractor, a second-layer GAN and a target network. The conditional GAN generates a new sample of a specified class, and its discriminator judges not only whether the generated sample is real but also which class it belongs to. The feature extractor extracts the hidden-layer features of the original sample, from which a perturbation carrying an adversarial prior is generated. The second-layer GAN generates the adversarial perturbation, and its discriminator judges the realism of the adversarial example and its similarity to the sample produced by the conditional GAN. The target network is used to verify the attack success rate of the adversarial examples. By using two neural networks to generate class-specific samples and adversarial perturbations respectively, the invention can carry out attacks and adversarial training with samples of a specified class, and effectively improves both the attack success rate and the efficiency of adversarial training.
Description
Technical Field
The invention relates to the field of artificial intelligence security, and in particular to an adversarial example generation method based on a two-layer generative adversarial network.
Background
With the rapid development of artificial intelligence, deep learning in particular has made major breakthroughs in image recognition, image classification, natural language processing and other fields. These technologies are now applied in many engineering domains, but while deep learning brings convenience, its models and algorithms carry serious potential security hazards. Researchers have shown experimentally that deep convolutional neural networks lack robustness: an attacker can design an attack method tailored to the characteristics of a given model and degrade its performance.
At present the main attack faced by deep neural networks is the adversarial example: a perturbed sample obtained by adding, to clean input data, a perturbation that is hard to detect by the naked eye, yet causes the model to output a wrong result with high confidence. Researchers have proposed various countermeasures for this vulnerability of deep models; among them, adversarial training deliberately adds adversarial examples during the model's training stage so that the model learns their characteristics, which improves its robustness and generalization. Adversarial training therefore requires a large number of adversarial examples, and because the training task and the attack task differ, generating adversarial examples of a specific kind for either adversarial training or an attack task has become an urgent problem.
Disclosure of Invention
To make up for the shortage of adversarial examples during adversarial training, and to solve the problem that a generative model cannot produce images of a specified class, the invention provides an adversarial example generation method based on a two-layer generative adversarial network.
To achieve this purpose, the invention adopts the following technical scheme:
An adversarial example generation method based on a two-layer GAN. The two-layer GAN comprises a first-layer conditional GAN, a second-layer GAN, a feature extractor F and a target network C. The first-layer conditional GAN comprises a generator G1 and a discriminator D1; the second-layer GAN comprises a generator G2 and a discriminator D2. The generators and discriminators are all multilayer perceptrons (MLPs).
the method comprises the following steps:
(1) Input the original sample x, random noise z and class label c into generator G1; G1 fits the random noise z, conditioned on the original sample and the class label, into a new image sample x_c.
(2) Input the sample x_c into discriminator D1, which judges its realism and its class.
(3) Extract the hidden-layer features F(x) of the original sample with the feature extractor F.
(4) Input the hidden-layer features F(x) into generator G2 to generate an adversarial perturbation G2(F(x)) carrying an adversarial prior.
(5) Fuse the sample x_c with the adversarial perturbation G2(F(x)) to obtain the adversarial example.
(6) Input the adversarial example into discriminator D2, which judges its realism and its similarity to x_c.
(7) Input the adversarial example into the target network C for classification, verify the attack success rate against C, and store the adversarial examples whose attack succeeded.
Further, the feature extractor F is a VGG model and the target network C is a ResNet model.
Further, the loss function of the first-layer conditional GAN is:
$L_1 = \mathbb{E}_x \log D_1(x|c) + \mathbb{E}_z \log\big(1 - D_1(G_1(z|c))\big)$
where x|c and z|c denote joint input, i.e. c is input together with x or with z, and c is the class information specified for generation; E denotes the expectation over the data distribution.
Further, the loss function of the second-layer GAN is:
where the similarity term ensures that the sample x_c and the adversarial example remain similar; $L_C = \mathbb{E}_x\, l_c\big(x_c + G_2(F(x)),\, t\big)$ is the attack target-class loss, where t is the designated attack class and l_c is the cross-entropy function, which ensures the attack success rate of the adversarial example; E denotes the expectation over the data distribution.
Compared with the prior art, the invention has the following beneficial effects:
1. The method guides the conditional GAN with the class label c to generate an image of a specific class, then adds a perturbation to it, so that an adversarial example of a chosen class attacks the target model.
2. When generating the perturbation, the method inputs the hidden-layer features of the sample, obtained through the feature extractor, which represent the sample better than the raw input. A perturbation generated from hidden-layer features carries a stronger adversarial prior and makes the classifier more sensitive to it, so the resulting adversarial example markedly improves the attack success rate.
Drawings
FIG. 1 is a flow chart of the adversarial example generation method according to an embodiment of the invention.
Detailed Description
The invention is further explained with reference to the drawings.
An adversarial example generation method based on a two-layer GAN uses two GANs to generate, respectively, samples of specific classes and adversarial perturbations. The conditional GAN is used to generate images of a specific type: a conventional GAN cannot control the data it generates, so when two or more classes are present its generator cannot be told to produce a particular kind of image, and its discriminator merely judges whether a generated image is real without classifying it. The method controls the class of the generated image through a conditional GAN: auxiliary information c, the class label to generate, is fed to the generator and guides its data generation. The loss function of the conditional GAN is:
$L_1 = \mathbb{E}_x \log D_1(x|c) + \mathbb{E}_z \log\big(1 - D_1(G_1(z|c))\big)$
where x is the input sample, c the class label and z the input random noise. When training discriminator D1, the generated data must not only look real but also match the class specified by c; when training generator G1, the class label likewise guides it to generate the designated image.
A deep neural network classifier comprises an input layer, hidden layers and an output layer. After a sample enters through the input layer, features are extracted by the hidden layers; the weights and biases connecting the neurons of different hidden layers to the input neurons differ, and these weights determine how sensitive a unit is to its input. For example, hidden-layer units develop a recognition bias through their weights, and the output layer, by adjusting the weights it applies to the hidden-layer units, can bias the output result. The output layer then produces the result according to the hidden-layer weights and biases. The classifier's decision thus depends on its analysis of the image features, and the final classification decision is made on the hidden-layer vector. Therefore, when the GAN generates the adversarial perturbation, the hidden-layer vector rather than the image is fed in, which makes it easier to produce an adversarial prior.
The original sample x is input into the feature extractor F to obtain the hidden-layer features F(x). F(x) is input into generator G2 to generate an adversarial perturbation G2(F(x)). The generated sample x_c is fused with the adversarial perturbation G2(F(x)) to obtain the adversarial example.
After the adversarial example is obtained, it is input into discriminator D2 and into the target network C. To improve the effectiveness of the adversarial example, the whole training process is constrained by a loss function. From the attacker's viewpoint the adversarial example must satisfy: (1) a high attack success rate when input to the target network; (2) the added perturbation cannot be recognized by the human eye; (3) the samples before and after adding the perturbation should be as similar as possible.
In view of these requirements, the method designs the following loss function:
where the loss function of the second-layer GAN trains generator G2 and discriminator D2 and guarantees that effective adversarial examples are generated; the similarity term ensures that the sample x_c and the adversarial example remain similar; and $L_C = \mathbb{E}_x\, l_c\big(x_c + G_2(F(x)),\, t\big)$ is the attack target-class loss that ensures the attack success rate, where l_c is the cross entropy and t is the designated attack class: when the classification result is t the loss decreases, otherwise it increases.
The method targets the situation where samples of a specific class are needed either to attack a target network or to supply adversarial training, and generates images of a specific class by adding a class constraint to the conditional GAN. In addition, when generating the adversarial perturbation, to increase the classification prior the hidden-layer features of the original sample are extracted by the feature extractor F and fed into the GAN that generates the perturbation; the adversarial example built from this perturbation misleads the target classifier better, serving either attack or adversarial training. Finally, loss functions are provided for the attack success rate, the similarity between the adversarial example and the original sample, and the performance of the two GANs, guaranteeing the effectiveness and realism of the adversarial examples.
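As an added illustration (not code from the patent), the following Python sketch implements the two loss terms that survive on the page, the conditional GAN loss L1 and the target-class loss L_C, together with step (7): fusing x_c with a perturbation, classifying the result with the target network, measuring the attack success rate and keeping for adversarial training only the examples that fool the network while staying within a similarity budget. The toy target network, the batch of x_c samples, the perturbations standing in for G2(F(x)) and the L-infinity budget are all constructed assumptions.

```python
import math
from typing import Callable, List, Sequence, Tuple

Vector = List[float]


def cgan_loss_l1(d_real: Sequence[float], d_fake: Sequence[float],
                 eps: float = 1e-12) -> float:
    """L1 = E_x log D1(x|c) + E_z log(1 - D1(G1(z|c))).

    d_real: D1 outputs (probabilities) on real samples x paired with label c.
    d_fake: D1 outputs on generated samples G1(z|c) for the same c.
    Both expectations are estimated by batch means; eps guards log(0).
    D1 is trained to maximise this value and G1 to minimise it.
    """
    real_term = sum(math.log(max(p, eps)) for p in d_real) / len(d_real)
    fake_term = sum(math.log(max(1.0 - p, eps)) for p in d_fake) / len(d_fake)
    return real_term + fake_term


def cross_entropy(logits: Sequence[float], t: int) -> float:
    """l_c: softmax cross entropy of the target network's logits against class t,
    computed as logsumexp(logits) - logits[t] for numerical stability."""
    m = max(logits)
    lse = m + math.log(sum(math.exp(v - m) for v in logits))
    return lse - logits[t]


def target_class_loss(logits_batch: Sequence[Sequence[float]], t: int) -> float:
    """L_C = E_x l_c(x_c + G2(F(x)), t): mean target-class cross entropy.
    It falls when C predicts t for the adversarial example and rises otherwise."""
    return sum(cross_entropy(lg, t) for lg in logits_batch) / len(logits_batch)


def fuse(x_c: Vector, delta: Vector, lo: float = 0.0, hi: float = 1.0) -> Vector:
    """Step (5): adversarial example = x_c + G2(F(x)).
    Clipping to [lo, hi] is an assumption that keeps the result a valid image."""
    return [min(hi, max(lo, a + d)) for a, d in zip(x_c, delta)]


def linf(a: Vector, b: Vector) -> float:
    """L-infinity distance, used here as the similarity measure (assumption)."""
    return max(abs(p - q) for p, q in zip(a, b))


def verify_attack(x_c_batch: Sequence[Vector], delta_batch: Sequence[Vector],
                  t: int, classify: Callable[[Vector], List[float]],
                  max_linf: float) -> Tuple[float, List[Vector]]:
    """Step (7): classify each adversarial example with target network C,
    report the attack success rate (fraction predicted as t), and keep for
    adversarial training only those that fool C and stay within the
    similarity budget max_linf (the patent requires similarity but gives
    no number, so the budget is an assumption)."""
    fooled = 0
    kept: List[Vector] = []
    for x_c, delta in zip(x_c_batch, delta_batch):
        x_adv = fuse(x_c, delta)
        logits = classify(x_adv)
        pred = max(range(len(logits)), key=lambda i: logits[i])
        if pred == t:
            fooled += 1
            if linf(x_adv, x_c) <= max_linf:
                kept.append(x_adv)
    return fooled / len(x_c_batch), kept


# Constructed stand-in for target network C: a fixed two-class linear
# classifier over two-dimensional "images" (not a real ResNet).
W = [[1.0, -0.5], [-0.5, 1.0]]


def toy_target_network(x: Vector) -> List[float]:
    return [sum(w * v for w, v in zip(row, x)) for row in W]


def demo() -> Tuple[float, List[Vector], float]:
    # Constructed G1 outputs x_c (all class 0 under the toy network) and
    # constructed perturbations standing in for G2(F(x)); t is the attack class.
    x_c_batch = [[0.9, 0.1], [0.8, 0.2], [0.7, 0.3]]
    delta_batch = [[-0.3, 0.6], [0.0, 0.1], [-0.7, 0.7]]
    t = 1
    rate, kept = verify_attack(x_c_batch, delta_batch, t, toy_target_network, 0.65)
    logits = [toy_target_network(fuse(a, d)) for a, d in zip(x_c_batch, delta_batch)]
    return rate, kept, target_class_loss(logits, t)


if __name__ == "__main__":
    rate, kept, loss = demo()
    print(f"attack success rate {rate:.2f}, kept {len(kept)} sample(s), L_C {loss:.3f}")
```

In the constructed batch two of three perturbed samples are classified as t, but one of them exceeds the budget, so only one is retained for adversarial training.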
The following is a more specific example:
An adversarial example generation method based on a two-layer GAN, as shown in FIG. 1, comprises the generator G1 and discriminator D1 of the first-layer conditional GAN, the feature extractor F, the generator G2 and discriminator D2 of the second-layer GAN, and the target network C. The method comprises the following steps:
(1) The conditional GAN generates a sample x_c of the specific class given by the class label c.
(2) The sample x_c is input into discriminator D1, which judges its realism and its class.
(3) The feature extractor F extracts the hidden-layer features F(x) of the original sample.
(4) The hidden-layer features F(x) are input into generator G2 to generate an adversarial perturbation G2(F(x)).
(6) The adversarial example is input into discriminator D2, which judges its realism and its similarity to x_c.
(7) The adversarial example is input into the target network C for classification; the attack success rate against C is verified, and the adversarial examples whose attack succeeded are stored.
In the method a conditional GAN generates the new sample. A conventional GAN can approximate real data fully by sampling the data distribution, but it is too unconstrained, so a condition variable is added to restrict it: the method introduces a class label to guide the GAN to generate images of a specific class. The inputs of generator G1 are the original sample x, the noise z and the class label c; G1 gradually fits the noise z into a new image sample according to the original sample and the class label. Discriminator D1 must not only judge the realism of the generated sample x_c, but also determine its class, i.e. whether x_c belongs to class c.
The feature extractor F extracts the hidden-layer features of the original sample. A convolutional neural network is chosen as F, so that each hidden layer holds a layer of image features; as the network deepens, the receptive field of the convolution kernels grows and they attend more to global abstract features, which help image classification, so the hidden-layer features can be used to strengthen the adversarial prior of the perturbation.
The second-layer GAN generates the adversarial perturbation. The hidden-layer features extracted by F are input into generator G2 to obtain an adversarial perturbation G2(F(x)) carrying an adversarial prior, which is then fused with the sample x_c generated by G1 to obtain the adversarial example. Discriminator D2 analyses the realism of the adversarial example and its similarity to x_c.
The target network is the network attacked by the adversarial examples: adversarial examples of a specific class are input into the target network so that it misclassifies them as class t.
In summary, the method adopts a first-layer conditional GAN, a feature extractor, a second-layer GAN and a target network. The conditional GAN generates a new sample, and its discriminator judges both the realism and the class of the generated sample; the feature extractor extracts the hidden-layer features of the original sample, and a perturbation with an adversarial prior is generated from them; the second-layer GAN generates the adversarial perturbation, and its discriminator judges the realism of the adversarial example and its similarity to the sample generated by the conditional GAN; the target network verifies the attack success rate of the adversarial examples. By generating class-specific samples and adversarial perturbations with two separate neural networks, the method can carry out attacks and adversarial training with samples of a specific class, effectively improves the attack success rate and the efficiency of adversarial training, and has broad application prospects.
Claims (4)
1. An adversarial example generation method based on a two-layer generative adversarial network, characterized in that the two-layer GAN comprises a first-layer conditional GAN, a second-layer GAN, a feature extractor F and a target network C; the first-layer conditional GAN comprises a generator G1 and a discriminator D1, and the second-layer GAN comprises a generator G2 and a discriminator D2, the generators and discriminators all being multilayer perceptrons (MLPs);
the method comprises the following steps:
(1) inputting the original sample x, random noise z and class label c into generator G1, where G1 fits the random noise z, conditioned on the original sample and the class label, into a new image sample x_c;
(2) inputting the sample x_c into discriminator D1, which judges its realism and its class;
(3) extracting the hidden-layer features F(x) of the original sample with the feature extractor F;
(4) inputting the hidden-layer features F(x) into generator G2 to generate an adversarial perturbation G2(F(x)) carrying an adversarial prior;
(6) inputting the adversarial example into discriminator D2, which judges its realism and its similarity to x_c;
(7) inputting the adversarial example into the target network C for classification, verifying the attack success rate against C, and storing the adversarial examples whose attack succeeded.
2. The adversarial example generation method of claim 1, wherein the feature extractor F is a VGG model and the target network C is a ResNet model.
3. The method of claim 2, wherein the loss function of the first-layer conditional GAN is:
$L_1 = \mathbb{E}_x \log D_1(x|c) + \mathbb{E}_z \log\big(1 - D_1(G_1(z|c))\big)$
where x|c and z|c denote joint input, i.e. c is input together with x or with z, and c is the class information specified for generation; E denotes the expectation over the data distribution.
4. The adversarial example generation method based on a two-layer generative adversarial network of claim 2, wherein the loss function of the second-layer GAN is:
where the similarity term ensures that the sample x_c and the adversarial example remain similar; $L_C = \mathbb{E}_x\, l_c\big(x_c + G_2(F(x)),\, t\big)$ is the attack target-class loss, where t is the designated attack class and l_c is the cross-entropy function, which ensures the attack success rate of the adversarial example; E denotes the expectation over the data distribution.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111249871.3A CN114120028A (en) | 2021-10-26 | 2021-10-26 | Countermeasure sample generation method based on double-layer generation countermeasure network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114120028A true CN114120028A (en) | 2022-03-01 |
Family
ID=80377090
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111249871.3A Pending CN114120028A (en) | 2021-10-26 | 2021-10-26 | Countermeasure sample generation method based on double-layer generation countermeasure network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114120028A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109840926A (en) * | 2018-12-29 | 2019-06-04 | 中国电子科技集团公司信息科学研究院 | A kind of image generating method, device and equipment |
CN109840926B (en) * | 2018-12-29 | 2023-06-20 | 中国电子科技集团公司信息科学研究院 | Image generation method, device and equipment |
CN116664713A (en) * | 2023-07-18 | 2023-08-29 | 脉得智能科技(无锡)有限公司 | Training method of ultrasound contrast image generation model and image generation method |
CN116664713B (en) * | 2023-07-18 | 2024-03-01 | 脉得智能科技(无锡)有限公司 | Training method of ultrasound contrast image generation model and image generation method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||