CN114220097B - Screening method, application method and system of image semantic information sensitive pixel domain based on attack resistance - Google Patents


Info

Publication number: CN114220097B
Application number: CN202111555905.1A
Authority: CN (China)
Prior art keywords: image, disturbance, semantic information, challenge, sensitive pixel
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114220097A
Inventors: 彭大天, 杨君刚, 张明江, 王程远, 江磊, 王天琦
Current assignee: National University of Defense Technology
Original assignee: National University of Defense Technology
Events: application filed by National University of Defense Technology; priority to CN202111555905.1A; publication of CN114220097A; application granted; publication of CN114220097B; legal status active.

Classifications

    • G06F18/2414 Pattern recognition; classification techniques relating to the classification model, based on distances to training or reference patterns; distances to prototypes / cluster centroids; smoothing the distance, e.g. radial basis function networks [RBFN]
    • G06F18/2415 Pattern recognition; classification techniques relating to the classification model, based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • G06N3/045 Computing arrangements based on biological models; neural networks; architecture, e.g. interconnection topology; combinations of networks
    • G06N3/08 Computing arrangements based on biological models; neural networks; learning methods


Abstract

The invention discloses a screening method, an application method and a system for the image semantic information sensitive pixel domain based on adversarial attacks. The screening method comprises the following steps: 1) acquire a target image to be analyzed and take it as the input image; 2) feed the input image to a plurality of adversarial attack algorithms, each acting on a plurality of types of neural networks in an untargeted attack mode, to generate a plurality of adversarial examples; 3) compute the difference between each adversarial example and the input image to obtain the adversarial perturbations; 4) record the tampered pixel positions in each adversarial perturbation to obtain a plurality of perturbation position sets; 5) select pixel positions from the perturbation position sets to obtain the image semantic information sensitive pixel domain. The method combines adversarial attack algorithms with neural network models and fuses the image pixel position sets located by the plurality of perturbations, thereby improving the screening efficiency and identification accuracy of the image semantic information sensitive pixel domain.

Description

Screening method, application method and system of image semantic information sensitive pixel domain based on attack resistance
Technical Field
The invention belongs to the field of image semantic information analysis, and in particular relates to a screening method, an application method and a system for the image semantic information sensitive pixel domain based on adversarial attacks.
Background
With the continuous accumulation of massive data, the rapid growth of computing power and continuous innovation in machine learning methods, artificial intelligence technologies including deep convolutional neural networks have been widely deployed in image recognition, object detection, face recognition and similar fields, and deeply influence people's way of life. However, the "black box" nature of deep learning models raises security and reliability issues: the models are vulnerable to spoofing by adversarial examples, and the poor interpretability of their decision process makes the usability of artificial intelligence systems and the integrity of their data a serious challenge. Research on screening methods for the image semantic information sensitive pixel domain helps to locate a specific target in the image and to visualize which part of the image's pixel domain most strongly activates the decision process of the deep convolutional neural network, which can explain a correct classification to a certain extent. The visualization of the sensitive pixel domain can be used to verify the credibility of the "black box" decision of the deep convolutional neural network, and is an important way of ensuring safe and credible decisions by artificial intelligence systems, especially where the classification is wrong.
To identify the semantic information that characterizes an image class, existing studies usually use class activation maps and their variants, which are obtained by weighting and fusing multi-channel feature maps, or use gradient back-propagation to construct class-discriminative saliency maps. However, both approaches fail once the classification generalization capability is insufficient because of over-fitting during model training, or the model misclassifies because of an adversarial attack; they are only applicable to the correctly classified scenario in which there is no malicious attack and the decision process of the deep convolutional neural network has high confidence. Where the deep convolutional neural network does generalize and has high classification precision, various methods of randomly perturbing image pixels, such as grey-box occlusion, matting and deformation, are used to identify which part of the pixel domain is more sensitive and critical to changes in the final classification score. Such work tries to screen the sensitive pixel domain of the image semantic information by a reverse-thinking approach, but generally suffers from defects such as low screening efficiency and inaccurate identification of the sensitive pixel domain, so further related techniques need to be proposed to overcome them.
Disclosure of Invention
The invention aims to at least partially solve the problems and defects of the prior art, and provides a screening method, an application method and a system for the image semantic information sensitive pixel domain based on adversarial attacks. The method is oriented to the attack perturbations constructed by a plurality of adversarial attack algorithms against a plurality of classes of deep neural networks, and fuses the image pixel position sets located by these perturbations, thereby improving the screening efficiency and identification precision of the image semantic information sensitive pixel domain. In addition, the adversarial examples are acquired by executing an untargeted attack mode, which promotes obtaining adversarial examples based on the optimal adversarial perturbation and finally improves the screening precision of the image semantic information sensitive pixel domain.
In a first aspect, the invention provides a screening method for the image semantic information sensitive pixel domain based on adversarial attacks, comprising the following steps:
Step 1: acquire a target image to be analyzed and take it as the input image;
Step 2: feed the input image to a plurality of adversarial attack algorithms, each acting on a plurality of types of neural networks in an untargeted attack mode, to generate a plurality of adversarial examples; wherein each pair of one adversarial attack algorithm and one neural network corresponds to at least one adversarial example;
Step 3: compute the difference between each adversarial example and the input image to obtain the adversarial perturbations;
Step 4: record the tampered pixel positions in each adversarial perturbation to obtain a plurality of perturbation position sets;
Step 5: select pixel positions from the perturbation position sets and screen out the image semantic information sensitive pixel domain, where the more frequently a pixel position occurs across all perturbation position sets, the higher the probability that it falls in the sensitive pixel domain; or, the larger the overlapping area between perturbation position sets, the higher the probability that the pixels in that area fall in the sensitive pixel domain.
Optionally, the screening of the image semantic information sensitive pixel domain in step 5 proceeds as follows:
count the total number of occurrences of each pixel position across all perturbation position sets;
if the total exceeds a preset threshold, the corresponding pixel is regarded as falling in the image semantic information sensitive pixel domain.
Optionally, the screening of the image semantic information sensitive pixel domain in step 5 proceeds as follows:
compute the intersection and union of every two perturbation position sets;
compute the IoU (intersection over union) of every two perturbation position sets, and for each pair judge whether its IoU is greater than a preset value; if so, the pixel positions in the intersection of the two sets are regarded as falling in the image semantic information sensitive pixel domain.
Optionally, in step 5 at least two different methods are used to obtain the image semantic information sensitive pixel domain, and their union is computed to obtain the complete sensitive pixel domain characterizing the image semantic information.
Optionally, each adversarial example in step 2 is generated as follows:
Step 2-1: feed the input image to a neural network to obtain the correct class value;
Step 2-2: add the adversarial perturbation to the input image to generate an adversarial example, then feed the adversarial example to the neural network to obtain the perturbed class value;
Step 2-3: construct an optimization loss function from the difference between the normal class value and the perturbed class value, and compute the adversarial perturbation gradient value from this loss function;
Step 2-4: generate the new current optimal adversarial perturbation $P_k$ from the perturbation gradient value and the adversarial attack algorithm of the given attack intent, where each adversarial attack algorithm is given its own gradient-based perturbation update method;
Step 2-5: update the adversarial perturbation, then iterate steps 2-2 to 2-5 until the untargeted attack intent is achieved, obtaining an adversarial example based on the optimal adversarial perturbation.
Optionally, the criterion for achieving the untargeted attack mode is:
the adversarial example generated by the attack causes the neural network to misjudge the true image category $Y_t$ as any other category $Y_t'$, satisfying $Y_t' \neq Y_t$.
In a second aspect, the present invention also provides an application method based on the above screening method, which is applied to misleading classification, implementing spoofing attack or verifying decision credibility of an image classification/recognition model based on a neural network;
the method is applied to misleading classification, and comprises the following steps:
acquiring an image semantic information sensitive pixel domain by using the screening method;
tampering with pixels in the image semantic information sensitive pixel domain, and classifying by using an image recognition model based on a neural network to realize classification misleading;
when applied to verifying the decision credibility of the image classification/identification model based on the neural network, the method comprises the following steps:
acquiring an image semantic information sensitive pixel domain by using the screening method, and acquiring a classification/identification result of an image classification/identification model based on a neural network;
and performing visualization operation on the image semantic information sensitive pixel domain, and verifying the decision credibility of the neural network based on a visualization result.
In a third aspect, the present invention also provides a system based on the above screening method, which includes:
the target image acquisition module is used for acquiring a target image to be analyzed and taking the target image as an input image;
the adversarial example generation module is used for feeding the input image to a plurality of adversarial attack algorithms, each acting on a plurality of types of neural networks in an untargeted attack mode, to generate a plurality of adversarial examples; wherein each pair of one adversarial attack algorithm and one neural network corresponds to at least one adversarial example;
the adversarial perturbation generation module is used for computing the difference between each adversarial example and the input image to obtain the adversarial perturbations;
the perturbation position set generation module is used for recording the tampered pixel positions in each adversarial perturbation to obtain a plurality of perturbation position sets;
the screening module is used for selecting pixel positions from the perturbation position sets and screening out the image semantic information sensitive pixel domain, where the more frequently a pixel position occurs across all perturbation position sets, the higher the probability that it falls in the sensitive pixel domain; or, the larger the overlapping area between perturbation position sets, the higher the probability that the pixels in that area fall in the sensitive pixel domain.
In a fourth aspect, the present invention also provides an electronic terminal, including:
one or more processors;
a memory storing one or more computer programs;
the processor invokes the computer program to implement:
a step of a screening method based on image semantic information sensitive pixel domains against attacks or a step of an application method based on the screening method.
In a fifth aspect, the present invention provides a computer readable storage medium storing a computer program, the computer program being invoked by a processor to implement:
a step of a screening method based on image semantic information sensitive pixel domains against attacks or a step of an application method based on the screening method.
Advantageous effects
1. The invention provides a screening method for the image semantic information sensitive pixel domain based on adversarial attacks, which uses a plurality of adversarial attack algorithms to add perturbations to the same image to generate adversarial examples that mislead high-precision neural networks into wrong classifications. The adversarial attack algorithms act on multiple classes of neural networks and, from different attack intents, tamper with the semantic information that represents the class of the input image, so the intersection of these attack intents represents the "maximum consensus" of the various attack intents and naturally contains the image semantic information sensitive pixel domain. For this reason, the invention fuses the image pixel position sets located by the plurality of perturbations to screen the sensitive pixel domain, achieving high-efficiency and high-precision screening.
2. The invention obtains the adversarial examples by executing an untargeted attack mode, and the current optimal perturbation of each adversarial example is obtained by iterative optimization, so that adversarial examples based on the optimal perturbation are obtained and the screening precision of the sensitive pixel domain of the image semantic information is finally improved.
3. The invention screens the image semantic information sensitive pixels with high precision and high efficiency, and lays a foundation for subsequently extending other applications based on these sensitive pixels.
Drawings
FIG. 1 is a general flow chart of the screening method for the image semantic information sensitive pixel domain based on adversarial attacks;
FIG. 2 is a schematic diagram of the adversarial attack process against a deep convolutional neural network in the present invention;
FIG. 3 is a schematic diagram of the image semantic information sensitive pixel domain generation process of the present invention.
Detailed Description
The invention provides a screening method of image semantic information sensitive pixel domains based on attack resistance, which aims to screen the image semantic information sensitive pixel domains. The invention will be further illustrated with reference to examples.
Example 1:
as shown in fig. 1 and fig. 2, the present embodiment provides a screening method of image semantic information sensitive pixel domains based on attack resistance, which includes the following steps:
step 1: a target image to be analyzed is acquired and taken as an input image.
Step 2: and inputting the input image into a plurality of countermeasure attack algorithms, and respectively acting on a plurality of types of neural networks to execute a no-specific target attack mode so as to generate a plurality of countermeasure samples.
Among them, the present embodiment selects a commonly used high-precision deep convolutional neural network to compose an attack target model, which includes but is not limited to: alexNet, VGG, resNet, squeezeNet, denseNet, acceptance v3, googleNet, sheffleNet v2, mobileNet V3, resNeXt, MNASNet, efficientNet, regNet, etc. Aiming at the high-precision deep convolutional neural network, training and verification are performed in advance based on the ImageNet2012 dataset, so that high-precision classification performance is obtained. It should be understood that the present invention is neither optimized nor technically constrained with respect to the network structure, and that it is also prior art to implement classification using neural networks, and therefore, the training and validation process of classification models constructed based on neural networks is not specifically stated nor technically constrained. In other possible embodiments, other types of neural networks capable of implementing the classification function are also within the scope of the present invention.
In the embodiment, d different object images are acquired by using an optical camera to form a test data set X; randomly selecting an image from a test dataset X as an input image X t The method comprises the steps of carrying out a first treatment on the surface of the Selecting M types of common high-precision deep convolutional neural networks to form an attack target model set M; x is to be t Respectively input into any kind of deep convolutional neural network M of a target model set M j Correctly classified as category Y t Wherein Y is t =M j (X t )。
Then, N common high-efficacy anti-attack algorithms are selected to form an image recognition escape strategy set N, and X is input t Any anti-attack algorithm N from escape strategy set N i . Each challenge algorithm N i Respectively acting on any target model M j Executing a target-free attack mode to form K X t —N i —M j "Combined, misclassified as category Y t ’=N i (X t, ,M j ) Wherein k=m×n; each group of' X t —N i —M j "generate an challenge sample L respectively k The final composition contains a set L of K challenge samples.
When the attack mode without the specific target is executed, the disturbance is updated iteratively, and the finally obtained disturbance meeting the requirement of the attack mode without the specific target is regarded as the obtained optimal disturbance, so that the invention can obtain a sample based on the optimal disturbance. And according to the logic, aiming at any image, combining a plurality of types of high-precision deep convolutional neural networks and a plurality of types of challenge attack resisting algorithms to finally generate a plurality of challenge samples.
Step 3: calculating the difference between each countermeasure sample and the input image to obtain countermeasure disturbance. In the present embodiment, each challenge sample L k Respectively subtracting the input images X t Obtain an anti-disturbance P k The method comprises the steps of carrying out a first treatment on the surface of the The final composition contains K sets P of challenge perturbations based on all challenge samples, where k=1, 2, … …, K.
Step 4: counting tampered pixel positions in each anti-disturbance to obtain a plurality of disturbance position sets. In this embodiment, K disturbance location sets Q can be obtained 1 ,Q 2 ,…,Q K
Step 5: selecting pixel point positions in the disturbance position sets, and screening an image semantic information sensitive pixel domain, wherein the higher the occurrence frequency/frequency of each pixel point position in all disturbance position sets, the higher the probability of falling into the image semantic information sensitive pixel domain; or when the overlapping area in the disturbance position set is larger, the probability that the pixel points in the area fall into the sensitive pixel domain of the image semantic information is larger.
Based on the logical relationship between the pixel point positions in the disturbance position set and the image semantic information sensitive pixel domain, the embodiment provides three screening means, but it should be understood that the image semantic information sensitive pixel domain determined by using other screening means belongs to the protection scope of the invention on the basis of not departing from the concept of the invention and the logical relationship.
First kind:
1) Traverse all perturbation position sets $Q_1, Q_2, \ldots, Q_K$ and compute the intersection and union of every two sets;
2) using the IoU (Intersection over Union) method, record the intersection of any two perturbation position sets whose IoU is greater than 0.5; the pixels in that intersection can be regarded as falling in the image semantic information sensitive pixel domain.
It should be understood that 0.5 is selected as the criterion in this embodiment; in other possible embodiments the value can be adjusted according to the accuracy requirement and experimental results, which the present invention does not specifically limit.
Second kind:
1) Traverse each perturbation position set $Q_k$ (any pixel is tampered at most once within a set) and record the frequency $F_{(a,b)}$ with which each pixel position occurs, where $(a,b)$ is the coordinate index of a pixel in image $X_t$;
2) using the MV (Majority Voting) method, record the pixels whose occurrence count exceeds 2/3 of the total number; these pixels can be regarded as falling in the image semantic information sensitive pixel domain.
It should be understood that 2/3 is selected as the criterion in this embodiment; in other possible embodiments the value can be adjusted according to the accuracy requirement and experimental results, which the present invention does not specifically limit.
Third kind:
As shown in fig. 3, the sensitive pixel domain determined by the first method is taken as the first-class image semantic information sensitive pixel domain $U_1$; that is, the following condition is satisfied: $(Q_1 \cap Q_3)/(Q_1 \cup Q_3) > 0.5$, marked as
The sensitive pixel domain determined by the second method is taken as the second-class image semantic information sensitive pixel domain $U_2$; that is, the following condition is satisfied: $F_{(2,3)}/K > 2/3$, denoted as $(2,3) \in U_2$.
Then the union of the first-class and second-class sensitive pixel domains serves as the complete sensitive pixel domain characterizing the image semantic information, i.e. $U = U_1 \cup U_2$.
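The three screening means above (IoU with threshold 0.5, majority voting with threshold 2/3, and their union), run over steps 3 to 5 on a constructed toy input; this is an added example, not code from the patent, and X_T, the three adversarial examples and the helper _tamper are constructed here so that it runs offline:

```python
import numpy as np

# Constructed example (not the patent's own code): a 3-channel 4x4 "image" X_t
# and K = 3 adversarial examples L_k that differ from X_t only inside small
# tampered regions. Arrays use the CHW layout (channels first).
X_T = np.zeros((3, 4, 4))


def _tamper(positions, amplitude):
    """Constructed helper: build an adversarial example L_k by adding
    `amplitude` to channel 0 of X_T at the given (row, col) positions."""
    L = X_T.copy()
    for (a, b) in positions:
        L[0, a, b] += amplitude
    return L


ADV_SAMPLES = [
    _tamper([(0, 0), (0, 1), (1, 0), (1, 1), (3, 3)], 0.10),   # L_1
    _tamper([(0, 0), (0, 1), (1, 0), (1, 1), (0, 3)], -0.07),  # L_2
    _tamper([(0, 0), (2, 2), (2, 3)], 0.20),                   # L_3
]


def perturbation_position_sets(x_t, adv_samples, tol=1e-8):
    """Steps 3 and 4: P_k = L_k - X_t, then Q_k = boolean (H, W) mask of the
    pixel positions where any channel of P_k changed (each pixel counted once)."""
    sets = []
    for L_k in adv_samples:
        P_k = L_k - x_t
        Q_k = np.abs(P_k).max(axis=0) > tol
        sets.append(Q_k)
    return sets


def iou_screen(sets, threshold=0.5):
    """First means: for every pair (Q_i, Q_j) with
    |Q_i ∩ Q_j| / |Q_i ∪ Q_j| > threshold, add the intersection to U_1."""
    U1 = np.zeros_like(sets[0], dtype=bool)
    for i in range(len(sets)):
        for j in range(i + 1, len(sets)):
            inter = sets[i] & sets[j]
            union = sets[i] | sets[j]
            if union.sum() == 0:
                continue  # two empty perturbation sets carry no evidence
            if inter.sum() / union.sum() > threshold:
                U1 |= inter
    return U1


def majority_vote_screen(sets, fraction=2 / 3):
    """Second means: F_(a,b) counts in how many of the K sets pixel (a, b)
    occurs; pixels with F_(a,b) / K strictly above `fraction` form U_2."""
    K = len(sets)
    F = np.sum(np.stack(sets).astype(int), axis=0)
    return F / K > fraction


def sensitive_pixel_domain(sets):
    """Third means: U = U_1 ∪ U_2."""
    return iou_screen(sets) | majority_vote_screen(sets)


def pixel_coordinates(mask):
    """Sorted (row, col) tuples of a boolean mask, for inspection."""
    return sorted(map(tuple, np.argwhere(mask).tolist()))


if __name__ == "__main__":
    Q = perturbation_position_sets(X_T, ADV_SAMPLES)
    print("U_1 (IoU > 0.5):", pixel_coordinates(iou_screen(Q)))
    print("U_2 (MV > 2/3): ", pixel_coordinates(majority_vote_screen(Q)))
    print("U = U_1 ∪ U_2:  ", pixel_coordinates(sensitive_pixel_domain(Q)))
```

With these inputs only the pair (Q_1, Q_2) passes the IoU test (4/6), and only pixel (0, 0), present in all three sets, passes the strict 2/3 vote; the 2x2 block shared by Q_1 and Q_2 sits at exactly 2/3 and is kept only through U_1.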
In other possible embodiments, the input image in step 1 is preferably normalized, specifically as follows:
S1: load the input image with OpenCV and convert it to the RGB format used by the PyTorch integrated model;
S2: resize the input image to the input size of the PyTorch integrated model, for example (224, 224);
S3: normalize the input image to [0, 1] using $X_t = \mathrm{clip}(X_t/255, 0, 1)$, then normalize with the mean and std of the ImageNet2012 dataset: $X_t = (X_t - \mathrm{mean})/\mathrm{std}$;
S4: convert the input image to the CWH layout used by the PyTorch integrated model, for example (3, 224, 224).
It should be noted that the steps S1 to S4 are preferable in other possible embodiments, but the present invention is not limited to whether the normalization process is performed.
In other possible embodiments, when the untargeted attack mode is executed in step 2, the current optimal adversarial perturbation is updated continuously, specifically as follows:
S2-1: feed the input image $X_t$ to the deep convolutional neural network $M_j$ to obtain the correct class value $Y_t$, denoted $Y_t = M_j(X_t)$;
S2-2: add an initial adversarial perturbation $P_k$ to $X_t$ to generate the adversarial example $L_k = X_t + P_k$, then feed it to $M_j$ to obtain the perturbed class value $Y_t'$, denoted $Y_t' = M_j(L_k)$;
S2-3: construct an optimization loss function $h(Y_t' - Y_t)$ from the difference $(Y_t' - Y_t)$, and compute its gradient value with respect to the adversarial perturbation
S2-4: based on the perturbation gradient value and the adversarial attack algorithm $N_i$ of a given attack intent, generate the new current optimal adversarial perturbation $P_k$; the algorithms include FGSM, PGD, JSMA, DeepFool, CW, etc.
For any type of adversarial attack algorithm, the perturbation gradient value is used to update the adversarial perturbation, and the updated perturbation is regarded as the current optimal adversarial perturbation. Which update method each adversarial attack algorithm uses can be chosen in several feasible ways, and the choice is finally determined by the precision requirement and the specific algorithm. For example, the following rules are set in this embodiment, but it should be understood that in other possible embodiments the perturbation update rules of the various adversarial attack algorithms may be chosen differently as long as the respective accuracy requirements are met; the present invention does not specifically limit this, and the following examples are illustrative only.
Gradient descent update method: where σ represents the optimal learning rate;
in this embodiment, the FGSM algorithm uses a one-step iterative method, and the corresponding update formula is:
in this embodiment, the PGD algorithm uses multiple iterations and the truncation function clip() to keep the perturbation within the ε-neighborhood; the corresponding update formula is: where σ represents the optimal learning rate;
in this embodiment, the JSMA algorithm uses the Jacobian-based saliency map attack: using the gradient matrix of the saliency map concept, it searches for the input pixel with the greatest influence on the prediction result, whose coordinates are marked (idx, idy), and tampers with it quantitatively to implement the adversarial update: $P_{k+1} = P_k^{(idx,idy)} + \sigma$;
in this embodiment, the DeepFool algorithm uses the deep spoofing method: misclassification is achieved when the adversarial perturbation is greater than the shortest distance from the input image to the classification hyperplane. First the shortest distance $r_k$ is computed using the gradient, then it is blended into the iterative formula $P_{k+1} = P_k + r_k$.
S2-5: update the iterated adversarial perturbation, then loop through steps S2-2 to S2-5 until the untargeted attack intent is achieved, obtaining an adversarial example based on the optimal adversarial perturbation. The untargeted attack mode means that the adversarial example generated by the attack causes the deep convolutional neural network to misjudge the true image category $Y_t$ as any other category $Y_t'$, i.e. $Y_t' \neq Y_t$.
From the above, it can be seen that by the technical means of steps S2-1 to S2-5 an adversarial example based on the optimal adversarial perturbation is obtained, which improves the screening accuracy of the image semantic information sensitive pixel domain.
Based on the screening method of the image semantic information sensitive pixel domain, the invention also provides an application method thereof, and according to the characteristics of the image semantic information sensitive pixel domain, the image classification of the neural network can be misled by utilizing the image semantic information sensitive pixel domain, and the decision credibility of the image classification/identification model based on the neural network can be verified.
Regarding classification misleading: first, the image semantic information sensitive pixel domain is obtained with the screening method; then the pixels in that sensitive pixel domain are tampered with on the image, and the image is classified with a neural-network-based image recognition model, producing the misleading classification. In practical applications, classification misleading can be used in military or other fields to implement tactical spoofing. The present invention does not limit how tactical spoofing is performed, or how the classification misleading presented here is exploited with existing or new techniques to achieve this extended application.
Decision-making trustworthiness with respect to verifying neural network-based image classification/recognition models: firstly, acquiring an image semantic information sensitive pixel domain by using the screening method, and obtaining a classification/identification result of an image classification/identification model based on a neural network; and then, carrying out visualization operation on the image semantic information sensitive pixel domain, and verifying the decision credibility of the neural network based on the visualization result. Similarly, the present invention is not limited to set criteria for verifying decision-making trustworthiness, and may employ conventional criteria in the art or other existing or modified criteria.
Example 2:
This embodiment is a system based on the adversarial-attack-based screening method for the image semantic information sensitive pixel domain, comprising:
a target image acquisition module, used to acquire a target image to be analyzed and take it as the input image;
an adversarial sample generation module, used to input the input image into a plurality of adversarial attack algorithms, each acting on a plurality of types of neural networks in a non-targeted attack mode, so as to generate a plurality of adversarial samples; wherein one type of attack algorithm and one type of neural network correspond to at least one adversarial sample;
an adversarial perturbation generation module, used to calculate the difference between each adversarial sample and the input image to obtain the adversarial perturbation;
a disturbance position set generation module, used to count the tampered pixel positions in each adversarial perturbation to obtain a plurality of disturbance position sets;
a screening module, used to select pixel positions from the disturbance position sets and screen out the image semantic information sensitive pixel domain, wherein the higher the occurrence count/frequency of a pixel position across all disturbance position sets, the higher the probability that it falls into the image semantic information sensitive pixel domain; or, the larger the overlapping area between disturbance position sets, the higher the probability that the pixels in that area fall into the image semantic information sensitive pixel domain.
The specific implementation process of each module may refer to the content of the foregoing method, which is not specifically described in detail in the present invention.
It should be understood that the above-described division of functional module elements is merely a division of a logic function, and there may be other division manners in which the functional module elements are actually implemented, for example, a plurality of elements or components may be combined or may be integrated into another system, or some features may be omitted or not performed. Meanwhile, the integrated units can be realized in a hardware form or a software functional unit form. For example, the target image acquisition module may be understood in terms of hardware as a camera, and may be understood in terms of software as a communication module connected to a hardware device for acquiring images captured by the camera or for acquiring images transmitted by external hardware.
Example 3:
the present embodiment provides an electronic terminal, which includes: one or more processors; a memory storing one or more computer programs; wherein the processor invokes the computer program to implement:
the steps of the adversarial-attack-based screening method for the image semantic information sensitive pixel domain, or the steps of the application method based on that screening method.
When the adversarial-attack-based screening method for the image semantic information sensitive pixel domain is implemented, it specifically comprises the following steps:
step 1: a target image to be analyzed is acquired and taken as an input image.
Step 2: input the input image into a plurality of adversarial attack algorithms, each acting on a plurality of types of neural networks in a non-targeted attack mode, so as to generate a plurality of adversarial samples.
Step 3: calculate the difference between each adversarial sample and the input image to obtain the adversarial perturbation.
Step 4: count the tampered pixel positions in each adversarial perturbation to obtain a plurality of disturbance position sets.
Step 5: select pixel positions from the disturbance position sets and screen out the image semantic information sensitive pixel domain.
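Steps 3 to 5 above, as an added worked example (not code from the patent): each constructed adversarial sample is differenced against the input image to give a disturbance position set, then both screening rules of claim 1 (occurrence count reaching a threshold, and the intersection of any two sets whose IoU exceeds a preset value) are applied and their union taken as in claim 2. The 6x6 image, the three perturbations standing in for three (attack algorithm, network) pairs, and the thresholds are constructed assumptions; the clipped pixel at (0, 0) shows that a delta cancelled by clipping never counts as tampered.

```python
# Added example: steps 3-5 of the screening method on constructed data.
from collections import Counter
from itertools import combinations

H, W = 6, 6  # constructed image size


def clean_image():
    """Constructed 6x6 grayscale input image with values in [0, 1].
    Pixel (0, 0) is saturated at 1.0 to show the clipping edge case."""
    img = [[0.5] * W for _ in range(H)]
    img[0][0] = 1.0
    return img


def apply_perturbation(img, changes):
    """Stand-in for one adversarial sample: add the constructed per-pixel
    deltas and clip to the valid range, as an attack pipeline would."""
    adv = [row[:] for row in img]
    for (r, c), delta in changes.items():
        adv[r][c] = min(1.0, max(0.0, adv[r][c] + delta))
    return adv


def perturbation_positions(adv, img, tol=1e-6):
    """Steps 3 and 4: difference between sample and input image, then the set
    of tampered positions. A delta removed by clipping leaves no difference
    and so is (correctly) not counted as a tampered pixel."""
    return {(r, c) for r in range(H) for c in range(W)
            if abs(adv[r][c] - img[r][c]) > tol}


def screen_by_frequency(position_sets, min_count):
    """Step 5, rule 1: keep positions whose total occurrence count across all
    disturbance position sets reaches the preset threshold."""
    counts = Counter(p for s in position_sets for p in s)
    return {p for p, n in counts.items() if n >= min_count}


def iou(a, b):
    """Intersection over union of two position sets (0.0 if both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def screen_by_iou(position_sets, min_iou):
    """Step 5, rule 2: for every pair of sets whose IoU exceeds the preset
    value, the positions in their intersection are sensitive."""
    sensitive = set()
    for a, b in combinations(position_sets, 2):
        if iou(a, b) > min_iou:
            sensitive |= a & b
    return sensitive


def sensitive_pixel_domain(position_sets, min_count=3, min_iou=0.5):
    """Claim 2: the union of the two rules gives the complete sensitive domain."""
    return (screen_by_frequency(position_sets, min_count)
            | screen_by_iou(position_sets, min_iou))


# Constructed deltas standing in for three (attack algorithm, network) pairs.
CONSTRUCTED_CHANGES = [
    {(2, 2): 0.3, (2, 3): 0.3, (3, 2): -0.3, (0, 5): 0.1, (0, 0): 0.2},
    {(2, 2): 0.2, (2, 3): -0.2, (3, 3): 0.2, (5, 0): 0.1},
    {(2, 2): -0.3, (3, 2): 0.3, (3, 3): 0.3, (2, 3): 0.3},
]


def run_example():
    """Return (position sets, rule-1 result, rule-2 result, their union)."""
    img = clean_image()
    sets = [perturbation_positions(apply_perturbation(img, ch), img)
            for ch in CONSTRUCTED_CHANGES]
    return (sets,
            screen_by_frequency(sets, 3),
            screen_by_iou(sets, 0.5),
            sensitive_pixel_domain(sets))


if __name__ == "__main__":
    sets, by_count, by_iou, domain = run_example()
    for i, s in enumerate(sets):
        print(f"position set {i}: {sorted(s)}")
    print("count >= 3 :", sorted(by_count))   # [(2, 2), (2, 3)]
    print("IoU > 0.5  :", sorted(by_iou))     # [(2, 2), (2, 3), (3, 2), (3, 3)]
    print("domain     :", sorted(domain))     # [(2, 2), (2, 3), (3, 2), (3, 3)]
```

Pixels (3, 2) and (3, 3) pass only the IoU rule here, which is why claim 2 takes the union of both rules rather than relying on the count threshold alone.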
The electronic terminal further includes: and the communication interface is used for communicating with external equipment and carrying out data interaction transmission.
The memory may comprise high-speed RAM, and may also include non-volatile memory, such as at least one disk memory.
If the memory, processor, and communication interface are implemented independently, they may be interconnected and communicate with each other via a bus. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. Buses may be classified as address buses, data buses, control buses, etc.
Alternatively, in a specific implementation, if the memory, the processor, and the communication interface are integrated on a chip, the memory, the processor, or the communication interface may perform communication with each other through the internal interface.
For a specific implementation of each step, please refer to the description of the foregoing method.
It should be appreciated that in embodiments of the present invention, the processor may be a central processing unit (Central Processing Unit, CPU), which may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSPs), application specific integrated circuits (Application Specific Integrated Circuit, ASICs), off-the-shelf programmable gate arrays (Field-Programmable Gate Array, FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The memory may include read only memory and random access memory and provide instructions and data to the processor. A portion of the memory may also include non-volatile random access memory. For example, the memory may also store information of the device type.
Example 4:
the present embodiment provides a computer-readable storage medium storing a computer program that is called by a processor to implement:
the steps of the adversarial-attack-based screening method for the image semantic information sensitive pixel domain, or the steps of the application method based on that screening method.
When the adversarial-attack-based screening method for the image semantic information sensitive pixel domain is implemented, it specifically comprises the following steps:
step 1: a target image to be analyzed is acquired and taken as an input image.
Step 2: input the input image into a plurality of adversarial attack algorithms, each acting on a plurality of types of neural networks in a non-targeted attack mode, so as to generate a plurality of adversarial samples.
Step 3: calculate the difference between each adversarial sample and the input image to obtain the adversarial perturbation.
Step 4: count the tampered pixel positions in each adversarial perturbation to obtain a plurality of disturbance position sets.
Step 5: select pixel positions from the disturbance position sets and screen out the image semantic information sensitive pixel domain.
For a specific implementation of each step, please refer to the description of the foregoing method.
The readable storage medium is a computer readable storage medium, which may be an internal storage unit of the controller according to any one of the foregoing embodiments, for example, a hard disk or a memory of the controller. The readable storage medium may also be an external storage device of the controller, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like, which are provided on the controller. Further, the readable storage medium may also include both an internal storage unit and an external storage device of the controller. The readable storage medium is used to store the computer program and other programs and data required by the controller. The readable storage medium may also be used to temporarily store data that has been output or is to be output.
Based on such understanding, the technical solution of the present invention is essentially or a part contributing to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned readable storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
It should be emphasized that the examples described herein are illustrative rather than limiting, and that this invention is not limited to the examples described in the specific embodiments, but is capable of other embodiments in accordance with the teachings of the present invention, as long as they do not depart from the spirit and scope of the invention, whether modified or substituted, and still fall within the scope of the invention.

Claims (7)

1. A screening method for an image semantic information sensitive pixel domain based on adversarial attack, characterized in that the method comprises the following steps:
step 1: acquiring a target image to be analyzed, and taking the target image as an input image;
step 2: inputting the input image into a plurality of adversarial attack algorithms, each acting on a plurality of types of neural networks in a non-targeted attack mode, so as to generate a plurality of adversarial samples; wherein one type of attack algorithm and one type of neural network correspond to at least one adversarial sample; the generation process of each adversarial sample in step 2 is as follows:
step 2-1: inputting the input image into a neural network to obtain a correct class value;
step 2-2: adding the adversarial perturbation to the input image to generate an adversarial sample, then feeding the adversarial sample into the neural network to obtain a perturbed class value;
step 2-3: constructing an optimization loss function from the difference between the correct class value and the perturbed class value, and calculating an adversarial perturbation gradient value based on that loss function;
step 2-4: generating a new current optimal adversarial perturbation from the adversarial perturbation gradient value using attack algorithms with different attack intentions, wherein an adaptive perturbation update method based on the adversarial perturbation gradient value is set for each type of attack algorithm;
step 2-5: updating the adversarial perturbation, then iterating steps 2-2 to 2-5 until the non-targeted attack intention is achieved, so as to obtain an adversarial sample based on the optimal adversarial perturbation;
step 3: calculating the difference between each adversarial sample and the input image to obtain the adversarial perturbation;
step 4: counting the tampered pixel positions in each adversarial perturbation to obtain a plurality of disturbance position sets;
step 5: selecting pixel positions from the disturbance position sets and screening out the image semantic information sensitive pixel domain, wherein the higher the occurrence count/frequency of a pixel position across all disturbance position sets, the higher the probability that it falls into the image semantic information sensitive pixel domain; or, the larger the overlapping area between disturbance position sets, the higher the probability that the pixels in that area fall into the image semantic information sensitive pixel domain;
the process of screening the sensitive pixel domain of the image semantic information in the step 5 is as follows:
counting the total occurrence times of each pixel point in all disturbance position sets;
if the total times exceeds a preset threshold value, the corresponding pixel point is regarded as falling into an image semantic information sensitive pixel domain;
or, the process of screening the sensitive pixel domain of the image semantic information in the step 5 is as follows:
calculating an intersection and a union of every two disturbance position sets;
calculating the intersection-over-union (IoU) of each pair of disturbance position sets, and judging for each pair whether its IoU is larger than a preset value; if so, the pixel positions in the intersection of the two disturbance position sets are regarded as falling into the image semantic information sensitive pixel domain.
2. The method according to claim 1, characterized in that: in step 5, at least two different methods are used to obtain the image semantic information sensitive pixel domain, and their union is calculated to obtain the complete sensitive pixel domain characterizing the image semantic information.
3. The method according to claim 1, characterized in that the criterion for the non-targeted attack mode is:
the adversarial sample generated under the action of the adversarial perturbation makes the neural network misjudge the true image class $Y_t$ as any other class $Y_t'$, satisfying $Y_t' \neq Y_t$.
4. A method of application based on the screening method of any one of claims 1-3, characterized in that: applied to misleading classification or applied to verifying decision credibility of a neural network-based image classification/recognition model;
the method is applied to misleading classification, and comprises the following steps:
acquiring an image semantic information sensitive pixel domain by using the screening method;
tampering with pixels in the image semantic information sensitive pixel domain, and classifying by using an image recognition model based on a neural network to realize classification misleading;
when applied to verifying the decision credibility of the image classification/identification model based on the neural network, the method comprises the following steps:
acquiring an image semantic information sensitive pixel domain by using the screening method, and acquiring a classification/identification result of an image classification/identification model based on a neural network;
and performing visualization operation on the image semantic information sensitive pixel domain, and verifying the decision credibility of the neural network based on a visualization result.
5. A system based on the screening method of any one of claims 1-3, characterized in that it comprises:
a target image acquisition module, used to acquire a target image to be analyzed and take it as the input image;
an adversarial sample generation module, used to input the input image into a plurality of adversarial attack algorithms, each acting on a plurality of types of neural networks in a non-targeted attack mode, so as to generate a plurality of adversarial samples; wherein one type of attack algorithm and one type of neural network correspond to at least one adversarial sample;
an adversarial perturbation generation module, used to calculate the difference between each adversarial sample and the input image to obtain the adversarial perturbation;
a disturbance position set generation module, used to count the tampered pixel positions in each adversarial perturbation to obtain a plurality of disturbance position sets;
a screening module, used to select pixel positions from the disturbance position sets and screen out the image semantic information sensitive pixel domain, wherein the higher the occurrence count/frequency of a pixel position across all disturbance position sets, the higher the probability that it falls into the image semantic information sensitive pixel domain; or, the larger the overlapping area between disturbance position sets, the higher the probability that the pixels in that area fall into the image semantic information sensitive pixel domain.
6. An electronic terminal, characterized in that: comprising the following steps:
one or more processors;
a memory storing one or more computer programs;
the processor invokes the computer program to implement:
a method for filtering image semantic information sensitive pixel domains according to any one of claims 1-3 or a method for applying according to claim 4.
7. A computer-readable storage medium, characterized by: a computer program is stored, which is called by a processor to implement:
a method for filtering image semantic information sensitive pixel domains according to any one of claims 1-3 or a method for applying according to claim 4.
CN202111555905.1A 2021-12-17 2021-12-17 Screening method, application method and system of image semantic information sensitive pixel domain based on attack resistance Active CN114220097B (en)

Publications (2)

Publication Number Publication Date
CN114220097A CN114220097A (en) 2022-03-22
CN114220097B true CN114220097B (en) 2024-04-12

Family

ID=80703899



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant