CN114298190A - Target positioning-based attack resisting method, device, equipment and storage medium - Google Patents


Info

Publication number: CN114298190A
Application number: CN202111565878.6A
Authority: CN (China)
Prior art keywords: target, image, target class, processed, iteration
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 张兴, 石强, 刘雨桐, 王国勋, 雷晓宇
Current assignee: Runlian Software System Shenzhen Co Ltd
Original assignee: Runlian Software System Shenzhen Co Ltd
Application filed by Runlian Software System Shenzhen Co Ltd; priority to CN202111565878.6A; publication of CN114298190A.

Landscapes

  • Image Analysis (AREA)

Abstract

The application relates to the technical field of artificial intelligence and discloses a method, a device, equipment and a storage medium for adversarial attack based on target positioning. The method comprises the following steps: acquiring an image to be processed; extracting hot spots of the image to be processed through an extraction model to obtain a target-class activation heat map corresponding to the image to be processed; confirming the target-class position based on the target-class activation heat map; calculating the corresponding noise disturbance according to the target-class position; adding the noise disturbance corresponding to the target-class position to that position and then carrying out multiple iterations to obtain the corresponding adversarial sample; and inputting the adversarial sample into the model to be attacked for detection. The method and device thereby improve the attack accuracy and attack effect against the model to be attacked.

Description

Target positioning-based attack resisting method, device, equipment and storage medium
Technical Field
The present application relates to the field of artificial intelligence, and in particular to a method, an apparatus, a device and a storage medium for adversarial attack based on target positioning.
Background
With the rapid development of deep learning technology, the artificial intelligence industry has made huge breakthroughs, and the security of artificial intelligence models is receiving increasing attention from AI practitioners. Work on the security of deep learning models at the present stage still has certain limitations. In the prior art, an attack image is obtained either by directly blurring or otherwise adding noise to the whole image, or by detecting the position of the target class with an anchor box and applying simple processing such as noise addition at that position; the detection model is then attacked with the attack image. The attack accuracy of these prior-art schemes is low, so how to improve the attack accuracy against a model to be attacked has become an urgent problem to be solved.
Disclosure of Invention
The application provides a method, a device, equipment and a storage medium for adversarial attack based on target positioning, which aim to solve the problem of low attack accuracy against a model to be attacked in the prior art.
In order to solve the above problem, the present application provides a method for adversarial attack based on target positioning, including:
acquiring an image to be processed;
extracting hot spots of the image to be processed through an extraction model to obtain a target-class activation heat map corresponding to the image to be processed;
confirming the target-class position based on the target-class activation heat map;
calculating the corresponding noise disturbance according to the target-class position;
adding the noise disturbance corresponding to the target-class position to that position and then carrying out multiple iterations to obtain the corresponding adversarial sample;
and inputting the adversarial sample into the model to be attacked for detection.
Further, extracting hot spots of the image to be processed through the extraction model to obtain the target-class activation heat map corresponding to the image to be processed includes:
performing convolution processing on the image to be processed through a convolution layer in the extraction model to obtain a feature map;
passing the feature map through a first activation layer in the extraction model to obtain the probability of the category to which the image to be processed belongs;
using the probability, taking partial derivatives with respect to the feature map to obtain the partial derivatives;
carrying out global averaging of the partial derivatives through a pooling layer in the extraction model to obtain weight values;
and performing a weighted sum of the feature maps based on the weight values, then passing the result through a second activation layer in the extraction model to obtain the target-class activation heat map.
Further, confirming the target-class position based on the target-class activation heat map includes:
superimposing the target-class activation heat map on the image to be processed to obtain an intermediate image;
and comparing the value of each pixel in the intermediate image with a preset threshold, and determining the position of a pixel as the target-class position when its value is greater than the preset threshold.
Further, calculating the corresponding noise disturbance according to the target-class position includes:
calculating the noise disturbance corresponding to the target-class position according to the following formula:
Figure BDA0003421972100000021
where η represents the noise disturbance, α represents the magnitude of each iteration's pixel update, the gradient term
Figure BDA0003421972100000022
represents the gradient of the loss function with respect to the input x, J() represents the loss function, and θ represents the parameters of the model.
Further, adding the noise disturbance corresponding to the target-class position to that position and then performing multiple iterations to obtain the corresponding adversarial sample includes:
adding the noise disturbance corresponding to the target-class position to that position to obtain an iteration term;
and carrying out multiple iterations on the iteration term using an iteration algorithm to obtain the adversarial sample.
Further, obtaining the adversarial sample by performing multiple iterations on the iteration term using an iteration algorithm includes:
the iteration algorithm iterates on the iteration term according to the following formula until the required number of iterations is reached, or the difference between the results of two adjacent iterations is smaller than a preset requirement, giving the corresponding adversarial sample:
Figure BDA0003421972100000023
where η represents the noise disturbance, α represents the magnitude of each iteration's pixel update, the gradient term
Figure BDA0003421972100000024
represents the gradient of the loss function with respect to the input x, J() represents the loss function, θ represents the parameters of the model, and when N is 1,
Figure BDA0003421972100000031
represents the iteration term, while
Figure BDA0003421972100000032
indicates that the final x_{N+1} is limited to the perturbation range x + S.
In order to solve the above problem, the present application further provides a device for adversarial attack based on target positioning, the device including:
an acquisition module, configured to acquire an image to be processed;
an extraction module, configured to extract hot spots of the image to be processed through an extraction model to obtain a target-class activation heat map corresponding to the image to be processed;
a confirmation module, configured to confirm the target-class position based on the target-class activation heat map;
a noise calculation module, configured to calculate the corresponding noise disturbance according to the target-class position;
an iteration module, configured to add the noise disturbance corresponding to the target-class position to that position and then perform multiple iterations to obtain the corresponding adversarial sample;
and an attack module, configured to input the adversarial sample into the model to be attacked for detection.
Further, the extraction module comprises:
a convolution sub-module, configured to perform convolution processing on the image to be processed through the convolution layer in the extraction model to obtain a feature map;
a first activation sub-module, configured to pass the feature map through a first activation layer in the extraction model to obtain the probability of the category to which the image to be processed belongs;
a calculation sub-module, configured to take partial derivatives with respect to the feature map using the probability to obtain the partial derivatives;
a pooling sub-module, configured to carry out global averaging of the partial derivatives through a pooling layer in the extraction model to obtain weight values;
and a second activation sub-module, configured to perform a weighted sum of the feature maps based on the weight values and then pass the result through a second activation layer in the extraction model to obtain the target-class activation heat map.
In order to solve the above problem, the present application also provides a computer device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor, wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the target positioning-based adversarial attack method described above.
In order to solve the above problem, the present application also provides a non-volatile computer-readable storage medium storing computer-readable instructions which, when executed by a processor, implement the target positioning-based adversarial attack method described above.
Compared with the prior art, the method, device, equipment and storage medium for adversarial attack based on target positioning provided by the embodiments of the application have at least the following beneficial effects:
an image to be processed is acquired; hot spots of the image are extracted through an extraction model to obtain the target-class activation heat map corresponding to the image, from which the target position is judged; the target-class position is confirmed based on the heat map; the corresponding noise disturbance is calculated according to the target position, so that noise is added to the target position only; the noise disturbance is added to the target-class position and multiple iterations are performed to obtain the corresponding adversarial sample, completing the noise addition to the image to be processed with only the target position affected; and the adversarial sample is input into the model to be attacked for detection, and whether the detection model can still detect the sample is judged. The attack accuracy against the model to be attacked is thereby improved and the attack effect enhanced.
Drawings
In order to illustrate the solution of the present application more clearly, the drawings required for describing the embodiments are briefly introduced below. The drawings described below show some embodiments of the present application; those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic flowchart of a method for adversarial attack based on target positioning according to an embodiment of the present application;
Fig. 2 is a flowchart of one embodiment of step S2 in Fig. 1;
Fig. 3 is a flowchart of one embodiment of step S3 in Fig. 1;
Fig. 4 is a schematic block diagram of a device for adversarial attack based on target positioning according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," and the like in the description and claims of this application or in the above-described drawings are used for distinguishing between different objects and not for describing a particular order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. One skilled in the art will explicitly or implicitly appreciate that the embodiments described herein can be combined with other embodiments.
The application provides an adversarial attack method based on target positioning. Referring to Fig. 1, Fig. 1 is a schematic flowchart of a method for adversarial attack based on target positioning according to an embodiment of the present application.
In this embodiment, the method for adversarial attack based on target positioning includes:
S1, acquiring an image to be processed;
Specifically, the image to be processed is acquired from a database, input directly by a user, or received from another system. The image to be processed is an image with preset labels; for example, if the target detection model detects that the image contains a cat and a dog, the labels of the image are "cat" and "dog".
S2, extracting hot spots of the image to be processed through an extraction model to obtain a target-class activation heat map corresponding to the image to be processed;
Specifically, the extraction model comprises a convolution layer, a first activation layer, a pooling layer and a second convolution layer, and the image to be processed passes through these layers in sequence, so that hot-spot extraction is achieved and the target-class activation heat map corresponding to the image to be processed is obtained.
Further, as shown in Fig. 2, extracting hot spots of the image to be processed through the extraction model to obtain the target-class activation heat map corresponding to the image to be processed includes:
performing convolution processing on the image to be processed through a convolution layer in the extraction model to obtain a feature map;
passing the feature map through a first activation layer in the extraction model to obtain the probability of the category to which the image to be processed belongs;
using the probability, taking partial derivatives with respect to the feature map to obtain the partial derivatives;
carrying out global averaging of the partial derivatives through a pooling layer in the extraction model to obtain weight values;
and performing a weighted sum of the feature maps based on the weight values, then passing the result through a second activation layer in the extraction model to obtain the target-class activation heat map.
Specifically, after the image to be processed enters the extraction model, feature extraction is first carried out through the convolution layer in the extraction model to obtain the corresponding feature map A_ij. The number of convolution layers can be set freely as required. The feature map A_ij is then processed by the first activation layer, which in this application is a softmax layer, to obtain the probability y_c of the category to which the image to be processed belongs. Using the probability y_c, partial derivatives are taken with respect to the feature map to obtain the partial derivative
Figure BDA0003421972100000066
where y represents the softmax output probability vector, c represents the specified target category, i and j represent the index along the image width and height dimensions, k represents the channel index of the feature map, and
Figure BDA0003421972100000062
represents the feature map of channel k.
The partial derivatives obtained are globally averaged by the pooling layer in the extraction model to obtain the weight values
Figure BDA0003421972100000063
The specific calculation formula is as follows:
Figure BDA0003421972100000064
Based on the weight values, a weighted sum of the feature maps is taken, and the result is processed by the second activation layer to obtain the target-class activation heat map L_c. The specific calculation formula is as follows:
Figure BDA0003421972100000065
The target-class activation heat map is obtained through the coordinated processing of the convolution layer, the first activation layer, the pooling layer and the second convolution layer in the extraction model, which facilitates the subsequent determination of the target position.
S3, confirming the target-class position based on the target-class activation heat map;
Specifically, the target-class activation heat map is superimposed on the image to be processed, and the target-class position is determined from the superimposed image.
Further, as shown in Fig. 3, confirming the target-class position based on the target-class activation heat map includes:
superimposing the target-class activation heat map on the image to be processed to obtain an intermediate image;
and comparing the value of each pixel in the intermediate image with a preset threshold, and determining the position of a pixel as the target-class position when its value is greater than the preset threshold.
Specifically, the target-class activation heat map is superimposed on the corresponding image to be processed to obtain an intermediate image, in which the darker and redder regions have larger values. The value of each pixel in the intermediate image is compared with a preset threshold; when the value of a pixel is greater than the preset threshold, the position of that pixel is determined as the target-class position. The preset threshold is set according to actual needs.
The image to be processed was detected by the target detection model to contain a dog and a cat. Through the target-class activation heat map the target-class position is confirmed; that is, the position of either the cat or the dog in the image to be processed can be selectively confirmed as the target-class position. In this application, the position of the cat in the image to be processed is confirmed as the target-class position.
The target position is confirmed by a threshold method, so that the target position can be accurately located and determined and the attack range is effectively delimited, which improves the attack accuracy.
S4, calculating the corresponding noise disturbance according to the target-class position;
Specifically, the target-class position is taken as the input x of a noise disturbance calculation algorithm to obtain the corresponding noise disturbance η.
Further, calculating the corresponding noise disturbance according to the target-class position includes:
calculating the noise disturbance corresponding to the target-class position according to the following formula:
Figure BDA0003421972100000071
where η represents the noise disturbance, α represents the magnitude of each iteration's pixel update, the gradient term
Figure BDA0003421972100000072
represents the gradient of the loss function with respect to the input x, J() represents the loss function, and θ represents the parameters of the model.
The calculation formula used by the noise disturbance calculation algorithm is as follows:
Figure BDA0003421972100000073
The noise disturbance is calculated with this formula, giving the noise disturbance corresponding to the target position, so that noise is added only at the target position.
By adding noise only at the target-class position, attacks on non-target classes are reduced and detection of non-target classes is less easily interfered with.
S5, adding the noise disturbance corresponding to the target position to that position and then performing multiple iterations to obtain the corresponding adversarial sample;
Specifically, after the noise disturbance corresponding to the target position is added to that position, an iterative algorithm performs multiple iterations to obtain the corresponding adversarial sample.
Further, adding the noise disturbance corresponding to the target-class position to that position and then performing multiple iterations to obtain the corresponding adversarial sample includes:
adding the noise disturbance corresponding to the target position to that position to obtain an iteration term;
and carrying out multiple iterations on the iteration term using an iteration algorithm to obtain the adversarial sample.
Specifically, the noise disturbance corresponding to the target position is added to that position to obtain the iteration term
Figure BDA0003421972100000081
Multiple iterations are performed on the iteration term using an iteration algorithm to obtain the adversarial sample; the number of iterations can be set as required, and the formula used by the iteration algorithm is
Figure BDA0003421972100000082
Obtaining the adversarial sample iteratively enhances its attack effect.
Still further, obtaining the adversarial sample by performing multiple iterations on the iteration term using an iteration algorithm includes:
the iteration algorithm iterates on the iteration term according to the following formula until the required number of iterations is reached, or the difference between the results of two adjacent iterations is smaller than a preset requirement, giving the corresponding adversarial sample:
Figure BDA0003421972100000083
where η represents the noise disturbance, α represents the magnitude of each iteration's pixel update, the gradient term
Figure BDA0003421972100000084
represents the gradient of the loss function with respect to the input x, J() represents the loss function, θ represents the parameters of the model, and when N is 1,
Figure BDA0003421972100000085
represents the iteration term, while
Figure BDA0003421972100000086
indicates that the final x_{N+1} is limited to the perturbation range x + S.
Specifically, in the first iteration the noise disturbance is added directly to the corresponding target-class position, that is,
Figure BDA0003421972100000087
In the second iteration, x_2 is taken as the input and the corresponding noise disturbance is calculated; x_2 and the corresponding noise disturbance are added to obtain x_3, and the iteration continues in sequence until the required number of iterations is reached or the difference between the results of two adjacent iterations is smaller than the preset requirement, at which point the iteration stops.
Obtaining the adversarial sample iteratively enhances its attack effect.
S6, inputting the adversarial sample into the model to be attacked for detection.
Specifically, after the adversarial sample is obtained, it is input into the model to be attacked for detection, and whether the model to be attacked can still detect the labels of the image to be processed corresponding to the adversarial sample, namely the cat and the dog, is judged. In this application, noise is added only at the position of the cat in the image to be processed to obtain the corresponding adversarial sample, and whether the original target detection model can still detect the cat and the dog is judged: if both the cat and the dog are detected, the attack has failed; if only the dog is detected and the cat is not, the attack has succeeded.
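The procedure of steps S2 to S6, as an added example that is not the patent's own code: it computes the class activation map and threshold mask from constructed feature maps, applies the mask-restricted iterative perturbation clipped to the x + S range against a toy logistic-regression "detector", and reports the checks a model owner wants when assessing robustness (how many pixels the mask covers, whether pixels outside it are untouched, whether the budget S is respected, and how the loss moved). The sign-gradient form of η, ReLU as the second activation layer, the 50/50 overlay and the toy model are assumptions of this example; the page shows its formulas only as images.

```python
"""Added example (not the patent's code): Grad-CAM style heat map, threshold
mask, and mask-restricted iterative perturbation clipped to x + S, run as a
robustness check against a toy logistic-regression detector."""
import numpy as np


def class_activation_map(feature_maps, partials):
    """Step S2: weights w_k are the global average (pooling layer) of the
    partial derivatives dy_c/dA^k; L_c is the weighted sum of the feature
    maps passed through the second activation layer. Arrays have shape (K, H, W).
    ReLU as that second activation is an assumption; the page does not name it."""
    weights = partials.mean(axis=(1, 2))
    weighted_sum = np.tensordot(weights, feature_maps, axes=(0, 0))
    return np.maximum(weighted_sum, 0.0)


def target_class_mask(cam, image, threshold):
    """Step S3: overlay the heat map on the image and keep every pixel whose
    value exceeds the preset threshold. The overlay is a 50/50 blend of the
    max-normalised heat map and the image (an assumption of this example)."""
    cam_norm = cam / cam.max() if cam.max() > 0 else cam
    intermediate = 0.5 * cam_norm + 0.5 * image
    return intermediate > threshold


def loss_and_grad(theta, x, y):
    """Toy model: one logistic unit over the flattened image with parameters
    theta = (w, b). J is the cross-entropy loss and dJ/dx = (p - y) * w."""
    w, b = theta
    z = float(np.sum(w * x) + b)
    p = 1.0 / (1.0 + np.exp(-z))
    loss = -(y * np.log(p) + (1.0 - y) * np.log(1.0 - p))
    return loss, (p - y) * w


def noise_disturbance(theta, x, y, alpha):
    """Step S4: eta = alpha * sign(dJ(theta, x, y)/dx). The sign form is an
    assumption (FGSM/BIM style); the page shows the formula only as an image."""
    _, grad = loss_and_grad(theta, x, y)
    return alpha * np.sign(grad)


def iterate(theta, x, y, mask, alpha, S, max_iter, tol):
    """Step S5: x_{N+1} = Clip_{x,S}(x_N + eta_N), with eta applied only at the
    target-class position (mask). Stop at max_iter or when two adjacent results
    differ by less than tol. Returns (adversarial sample, iterations run)."""
    x_n = x.copy()
    iterations = 0
    for _ in range(max_iter):
        eta = noise_disturbance(theta, x_n, y, alpha)
        x_next = np.clip(x_n + mask * eta, x - S, x + S)   # perturbation range x + S
        x_next = np.clip(x_next, 0.0, 1.0)                  # stay a valid image
        iterations += 1
        diff = float(np.abs(x_next - x_n).max())
        x_n = x_next
        if diff < tol:
            break
    return x_n, iterations


def run_example(alpha=0.02, S=0.1, threshold=0.6, max_iter=10, tol=1e-6):
    """Constructed 8x8 grey image with one bright 3x3 target blob; the toy
    model is built so that it scores the clean image as class 1 (label y)."""
    image = np.full((8, 8), 0.2)
    image[1:4, 1:4] = 0.9                       # constructed target region
    # Constructed feature maps and their partial derivatives for class c.
    feature_maps = np.stack([image, image ** 2, np.full_like(image, 0.1)])
    partials = np.stack([image, 0.5 * image, np.full_like(image, -0.05)])
    cam = class_activation_map(feature_maps, partials)
    mask = target_class_mask(cam, image, threshold)

    theta = (image - image.mean(), 0.0)         # toy detector parameters
    y = 1.0
    loss_before, _ = loss_and_grad(theta, image, y)
    x_adv, iterations = iterate(theta, image, y, mask, alpha, S, max_iter, tol)
    loss_after, _ = loss_and_grad(theta, x_adv, y)
    delta = x_adv - image
    return {
        "mask_pixels": int(mask.sum()),                          # 9
        "outside_unchanged": bool(np.all(delta[~mask] == 0.0)),  # True
        "max_abs_change": float(np.abs(delta).max()),            # 0.1 (= S)
        "iterations": iterations,                                # 6
        "loss_before": float(loss_before),
        "loss_after": float(loss_after),                         # larger
    }


if __name__ == "__main__":
    print(run_example())
```

With these inputs the perturbation walks the nine masked pixels down by α per step until the x - S bound is reached, after which the clip makes two adjacent results identical and the stop condition ends the loop.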
It is emphasized that, in order to further ensure the privacy and security of the data, all data of the original image and the preset threshold may also be stored in the nodes of a blockchain.
The blockchain referred to in this application is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. A blockchain is essentially a decentralized database: a series of data blocks linked by cryptographic methods, each containing information on a batch of network transactions and used to verify the validity (tamper resistance) of that information and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer and the like.
The embodiment also provides a device for countering attacks based on target positioning, which is a functional block diagram of the device for countering attacks based on target positioning according to the present application, as shown in fig. 4.
The device 100 for countering attacks based on target positioning can be installed in electronic equipment. According to the implemented functions, the target-location-based anti-attack apparatus 100 may include an obtaining module 101, an extracting module 102, a confirming module 103, a noise calculating module 104, an iterating module 105, and an attacking module 106. A module, which may also be referred to as a unit in this application, refers to a series of computer program segments that can be executed by a processor of an electronic device and that can perform a fixed function, and that are stored in a memory of the electronic device.
In the present embodiment, the functions regarding the respective modules/units are as follows:
an obtaining module 101, configured to obtain an image to be processed;
the extraction module 102 is configured to perform thermal point extraction on the image to be processed through an extraction model to obtain a target class activation thermodynamic diagram corresponding to the image to be processed;
further, the extraction module 102 includes a convolution sub-module, a first activation module, a calculation sub-module, a pooling sub-module, and a second activation module;
the convolution submodule is used for performing convolution processing on the image to be processed through the convolution layer in the extraction model to obtain a characteristic diagram;
the first activation module is used for obtaining the probability of the category to which the image to be processed belongs by the feature map through a first activation layer in the extraction model;
the calculation submodule is used for solving partial derivatives of the characteristic diagram by utilizing the probability to obtain partial derivatives;
the pooling submodule is used for carrying out global averaging on the partial derivative through a pooling layer in the extraction model to obtain a weight value;
and the second activation module is used for weighting and summing the feature maps based on the weight values, and then obtaining the target class activation thermodynamic diagram through a second activation layer in the extraction model.
And the target type activation thermodynamic diagram is obtained through the cooperation of the convolution sub-module, the first activation module, the calculation sub-module, the pooling sub-module and the second activation module, so that the target position can be conveniently determined subsequently.
The confirming module 103 is used for confirming the position of the target class based on the target class activation thermodynamic diagram;
Further, the confirmation module 103 includes a superposition sub-module and a threshold judgment sub-module;
the superposition sub-module is used for superposing the target class activation thermodynamic diagram on the image to be processed to obtain an intermediate image;
and the threshold judgment sub-module is used for comparing the value of each pixel in the intermediate image with a preset threshold, and determining the position of a pixel as the target position when its value is greater than the preset threshold.
The target position is confirmed by the threshold method through the cooperation of the superposition sub-module and the threshold judgment sub-module, so that the target position is located accurately and the attack range is determined effectively, which improves the attack accuracy.
A noise calculation module 104, configured to calculate corresponding noise disturbance according to the target class position;
further, the noise calculation module 104 includes a noise disturbance calculation sub-module;
the noise disturbance calculation submodule is configured to calculate the noise disturbance corresponding to the target class position according to the following formula:
Figure BDA0003421972100000101
where η represents the noise disturbance, α represents the magnitude of each iteration image pixel update,
Figure BDA0003421972100000102
represents the gradient of the loss function with respect to the input x, J() represents the loss function, and θ represents the parameters of the model.
The noise disturbance calculation sub-module evaluates this formula to obtain the noise disturbance corresponding to the target position, so that noise is added only at the target position; because only the target position is perturbed, the attack on non-target regions is reduced and the detection of non-targets is less likely to be interfered with.
The iteration module 105 is configured to perform multiple iterations after adding the noise disturbance corresponding to the target class position to the corresponding target class position, so as to obtain a corresponding countermeasure sample;
Further, the iteration module 105 includes an adding sub-module and a multiple-iteration sub-module;
the adding sub-module is used for adding the noise disturbance corresponding to the target position to the corresponding target position to obtain an iteration term;
and the multiple-iteration sub-module is used for performing multiple iterations on the iteration term using an iteration algorithm to obtain the countermeasure sample.
Through the cooperation of the adding sub-module and the multiple-iteration sub-module, the countermeasure sample is obtained iteratively, which enhances the attack effect of the countermeasure sample.
Still further, the multiple-iteration sub-module further comprises an iteration unit;
the iteration unit is used for performing multiple iterations on the iteration term with the iteration algorithm according to the following formula, until the required number of iterations is reached or the difference between the results of two adjacent iterations is smaller than a preset requirement, to obtain the corresponding countermeasure sample:
Figure BDA0003421972100000111
where η represents the noise disturbance, α represents the magnitude of each iteration image pixel update,
Figure BDA0003421972100000112
represents the gradient of the loss function with respect to the input x, J() represents the loss function, θ represents the parameters of the model, and when N is 1,
Figure BDA0003421972100000113
represents the iteration term, while
Figure BDA0003421972100000114
indicates that the final x_{N+1} is limited to the perturbation range x + S.
The countermeasure sample is obtained iteratively through the iteration unit, which enhances the attack effect of the countermeasure sample.
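As an added illustration of the pipeline formed by modules 102 to 105 (this is not the patent's code), the following toy run builds a target class activation map for a small constructed classifier, thresholds it into a target mask, and performs the masked iteration with clipping to x + S, which is how a defender would measure how strongly a model's decision depends on the localized region. The model, its weights, the 6x6 image, the use of the mean as the CAM/image superposition, and the standard sign-gradient step eta = alpha*sign(dJ/dx) are all assumptions, since the page does not reproduce the formulas.

```python
# Added example (not the patent's own code): toy model, Grad-CAM style target
# map, thresholded mask, and masked sign-gradient iteration clipped to [x-S, x+S].
import math

H = W = 6                                           # image size (constructed)
KERNELS = [[[0, 1, 0], [1, -4, 1], [0, 1, 0]],      # Laplacian-like edge map
           [[1, 1, 1], [1, 1, 1], [1, 1, 1]]]       # local brightness map
HEAD_W = [[1.0, -1.0], [-1.0, 1.0]]                 # logits = HEAD_W @ gap + HEAD_B
HEAD_B = [1.125, -1.125]                            # class 1 = "object present"
C, NCLS = len(KERNELS), len(HEAD_W)
OFFS = [(di, dj) for di in (-1, 0, 1) for dj in (-1, 0, 1)]
IMAGE = [[0.9 if 2 <= i <= 3 and 2 <= j <= 3 else 0.1  # constructed 6x6 image:
          for j in range(W)] for i in range(H)]         # bright 2x2 object on dark

def conv_same(img, k):
    """3x3 zero-padded cross-correlation; output stays HxW."""
    return [[sum(img[i + di][j + dj] * k[di + 1][dj + 1] for di, dj in OFFS
                 if 0 <= i + di < H and 0 <= j + dj < W)
             for j in range(W)] for i in range(H)]

def forward(img):
    """Conv -> ReLU -> global average pool -> linear -> softmax; returns
    (pre-activation maps, feature maps, class probabilities)."""
    pre = [conv_same(img, k) for k in KERNELS]
    feats = [[[max(v, 0.0) for v in row] for row in m] for m in pre]
    gap = [sum(map(sum, m)) / (H * W) for m in feats]
    logits = [sum(HEAD_W[c][k] * gap[k] for k in range(C)) + HEAD_B[c]
              for c in range(NCLS)]
    ex = [math.exp(z - max(logits)) for z in logits]
    return pre, feats, [e / sum(ex) for e in ex]

def target_class_cam(img, cls):
    """d p_cls / d(feature map), pooled to channel weights; weighted sum, ReLU."""
    pre, feats, probs = forward(img)
    dp_dlogit = [probs[cls] * ((j == cls) - probs[j]) for j in range(NCLS)]
    weights = []
    for k in range(C):
        dp_dgap = sum(dp_dlogit[j] * HEAD_W[j][k] for j in range(NCLS))
        active = sum(v > 0 for row in pre[k] for v in row)          # ReLU gate
        weights.append(dp_dgap / (H * W) * active / (H * W))
    cam = [[max(sum(weights[k] * feats[k][i][j] for k in range(C)), 0.0)
            for j in range(W)] for i in range(H)]
    peak = max(map(max, cam)) or 1.0
    return [[v / peak for v in row] for row in cam]          # normalised to [0,1]

def target_mask(img, cls, thresh):
    """Superpose CAM and image (assumed: their mean), keep pixels above thresh."""
    cam = target_class_cam(img, cls)
    return [[int(0.5 * (cam[i][j] + img[i][j]) > thresh) for j in range(W)]
            for i in range(H)]

def input_gradient(img, y):
    """dJ/dx for cross-entropy J = -log p_y, back-propagated to the pixels."""
    pre, _, probs = forward(img)
    dlogit = [probs[j] - (j == y) for j in range(NCLS)]
    gx = [[0.0] * W for _ in range(H)]
    for k in range(C):
        g = sum(dlogit[j] * HEAD_W[j][k] for j in range(NCLS)) / (H * W)
        for i in range(H):
            for j in range(W):
                if pre[k][i][j] > 0:                                # ReLU gate
                    for di, dj in OFFS:
                        if 0 <= i + di < H and 0 <= j + dj < W:
                            gx[i + di][j + dj] += g * KERNELS[k][di + 1][dj + 1]
    return gx

def masked_iteration(img, y, mask, alpha, S, max_iter, tol=1e-9):
    """x_{N+1} = Clip_{x,S}(x_N + alpha*sign(dJ/dx)*mask); stops at max_iter or
    when two adjacent iterates differ by less than tol."""
    x = [row[:] for row in img]
    for _ in range(max_iter):
        g = input_gradient(x, y)
        nxt = [[min(max(x[i][j] + alpha * ((g[i][j] > 0) - (g[i][j] < 0)) * mask[i][j],
                        img[i][j] - S, 0.0), img[i][j] + S, 1.0)
                for j in range(W)] for i in range(H)]
        change = sum(abs(nxt[i][j] - x[i][j]) for i in range(H) for j in range(W))
        x = nxt
        if change < tol:
            break
    return x

if __name__ == "__main__":
    m = target_mask(IMAGE, cls=1, thresh=0.5)
    adv = masked_iteration(IMAGE, y=1, mask=m, alpha=0.1, S=0.5, max_iter=10)
    print("p(object) before/after:", forward(IMAGE)[2][1], forward(adv)[2][1])
```

On the constructed image the mask covers exactly the 2x2 object, the iteration stops early once the clip bound is reached, and pixels outside the mask are untouched, which is the property a robustness evaluation should check.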
And the attack module 106 is used for inputting the confrontation sample into a model to be attacked for detection.
With this device, the target-positioning-based countermeasure attack device 100, through the cooperation of the obtaining module 101, the extracting module 102, the confirming module 103, the noise calculating module 104, the iteration module 105 and the attack module 106, obtains an image to be processed; extracts the thermal points of the image through an extraction model to obtain the target class activation thermodynamic diagram corresponding to the image, from which the target position is judged; confirms the target class position based on that diagram; calculates the corresponding noise disturbance according to the target class position, so that noise is added at the target class position; adds the noise disturbance to the corresponding target class position and performs multiple iterations to obtain the corresponding countermeasure sample, so that noise is added to the image at the target class position only; and inputs the countermeasure sample into the model to be attacked for detection, judging whether the detection model can still detect it. In this way the attack accuracy against the model to be attacked is improved and the attack effect is enhanced.
The embodiment of the application also provides computer equipment. Referring to fig. 5, fig. 5 is a block diagram of a basic structure of a computer device according to the present embodiment.
The computer device 4 comprises a memory 41, a processor 42 and a network interface 43, communicatively connected to each other via a system bus. It is noted that only a computer device 4 having components 41-43 is shown, but it is understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead. As will be understood by those skilled in the art, the computer device is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions; its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing devices. The computer equipment can carry out man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch panel or voice control equipment and the like.
The memory 41 includes at least one type of readable storage medium including a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, etc. In some embodiments, the memory 41 may be an internal storage unit of the computer device 4, such as a hard disk or a memory of the computer device 4. In other embodiments, the memory 41 may also be an external storage device of the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the computer device 4. Of course, the memory 41 may also include both internal and external storage devices of the computer device 4. In this embodiment, the memory 41 is generally used for storing an operating system and various types of application software installed on the computer device 4, such as computer readable instructions of a target-location-based anti-attack method. Further, the memory 41 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 42 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data Processing chip in some embodiments. The processor 42 is typically used to control the overall operation of the computer device 4. In this embodiment, the processor 42 is configured to execute the computer readable instructions stored in the memory 41 or process data, for example, execute the computer readable instructions of the target-location-based anti-attack method.
The network interface 43 may comprise a wireless network interface or a wired network interface, and the network interface 43 is generally used for establishing communication connection between the computer device 4 and other electronic devices.
In this embodiment, when the processor executes the computer readable instructions stored in the memory, the target-positioning-based method for resisting attack of the above embodiment is implemented: an image to be processed is obtained; the thermal points of the image are extracted through an extraction model to obtain the target class activation thermodynamic diagram corresponding to the image, from which the target position is judged; the target class position is confirmed based on that diagram; the corresponding noise disturbance is calculated according to the target class position, so that noise is added at the target class position; the noise disturbance is added to the corresponding target class position and multiple iterations are performed to obtain the corresponding countermeasure sample, completing the noise addition to the image with noise applied only at the target class position; and the countermeasure sample is input into the model to be attacked for detection, judging whether the detection model can still detect it. In this way the attack accuracy against the model to be attacked is improved and the attack effect is enhanced.
The embodiment of the present application further provides a computer-readable storage medium that stores computer-readable instructions executable by at least one processor, so that the at least one processor performs the steps of the target-positioning-based method for countering attacks described above: obtaining an image to be processed; extracting the thermal points of the image through an extraction model to obtain the target class activation thermodynamic diagram corresponding to the image, from which the target position is judged; confirming the target class position based on that diagram; calculating the corresponding noise disturbance according to the target class position, so that noise is added at the target class position; adding the noise disturbance to the corresponding target class position and performing multiple iterations to obtain the corresponding countermeasure sample, completing the noise addition to the image with noise applied only at the target position; and inputting the countermeasure sample into the model to be attacked for detection, judging whether the detection model can still detect it. In this way the attack accuracy against the model to be attacked is improved and the attack effect is enhanced.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
The device, the computer device, and the computer-readable storage medium for resisting attack based on target positioning according to the above embodiments of the present application have the same technical effects as the method for resisting attack based on target positioning according to the above embodiments, and are not expanded herein.
It is to be understood that the above-described embodiments are merely illustrative of some, but not restrictive, of the broad invention, and that the appended drawings illustrate preferred embodiments of the invention and do not limit the scope of the invention. This application is capable of embodiments in many different forms and is provided for the purpose of enabling a thorough understanding of the disclosure of the application. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to one skilled in the art that the present application may be practiced without modification or with equivalents of some of the features described in the foregoing embodiments. All equivalent structures made by using the contents of the specification and the drawings of the present application are directly or indirectly applied to other related technical fields and are within the protection scope of the present application.

Claims (10)

1. A method for countering attacks based on target positioning, the method comprising:
acquiring an image to be processed;
extracting heat points of the image to be processed through an extraction model to obtain a target class activation thermodynamic diagram corresponding to the image to be processed;
confirming the position of the target class based on the target class activation thermodynamic diagram;
calculating corresponding noise disturbance according to the target class position;
after the noise disturbance corresponding to the target class position is added to the corresponding target class position, carrying out multiple iterations to obtain a corresponding countermeasure sample;
and inputting the confrontation sample into a model to be attacked for detection.
2. The method for resisting attack based on target positioning according to claim 1, wherein the obtaining the target class activation thermodynamic diagram corresponding to the image to be processed by extracting the thermal point of the image to be processed through the extraction model comprises:
performing convolution processing on the image to be processed through a convolution layer in the extraction model to obtain a feature map;
the feature map passes through a first activation layer in the extraction model to obtain the probability of the category to which the image to be processed belongs;
calculating partial derivatives of the feature map by using the probability to obtain partial derivatives;
carrying out global averaging on the partial derivatives through a pooling layer in the extraction model to obtain weight values;
and weighting and summing the feature maps based on the weight values, and then obtaining the target class activation thermodynamic diagram through a second activation layer in the extraction model.
3. The target-location-based counter attack method of claim 1, wherein the confirming the target class position based on the target class activation thermodynamic diagram comprises:
superposing the target class activation thermodynamic diagram and the image to be processed to obtain an intermediate image;
and comparing the value of each pixel in the intermediate image with a preset threshold, and determining the position of a pixel as the target position when its value is greater than the preset threshold.
4. The target-localization-based attack-confrontation method according to claim 1, wherein the calculating of the corresponding noise disturbance according to the target-class location comprises:
calculating the noise disturbance corresponding to the target class position according to the following formula:
Figure FDA0003421972090000011
where η represents the noise disturbance, α represents the magnitude of each iteration image pixel update,
Figure FDA0003421972090000012
represents the gradient of the loss function with respect to the input x, J() represents the loss function, and θ represents the parameters of the model.
5. The method of claim 1, wherein the adding the noise disturbance corresponding to the target class position to the corresponding target class position and then performing multiple iterations to obtain the corresponding counterattack sample comprises:
adding the noise disturbance corresponding to the target class position to the corresponding target class position to obtain an iteration item;
and carrying out multiple iterations on the iteration item by utilizing an iteration algorithm to obtain the confrontation sample.
6. The method of claim 5, wherein the iterating the iteration term by using the iterative algorithm for multiple iterations to obtain the counterattack sample comprises:
the iteration algorithm carries out multiple iterations on the iteration item according to the following formula until the iteration number requirement is met, or the difference between the results obtained by two adjacent iterations is smaller than a preset requirement, and a corresponding confrontation sample is obtained:
Figure FDA0003421972090000021
where η represents the noise disturbance, α represents the magnitude of each iteration image pixel update,
Figure FDA0003421972090000022
represents the gradient of the loss function with respect to the input x, J() represents the loss function, θ represents the parameters of the model, and when N is 1,
Figure FDA0003421972090000023
represents the iteration term, while
Figure FDA0003421972090000024
indicates that the final x_{N+1} is limited to the perturbation range x + S.
7. An apparatus for countering attacks based on target location, the apparatus comprising:
the acquisition module is used for acquiring an image to be processed;
the extraction module is used for extracting heat points of the image to be processed through an extraction model to obtain a target class activation thermodynamic diagram corresponding to the image to be processed;
the confirming module is used for confirming the position of the target class based on the target class activation thermodynamic diagram;
the noise calculation module is used for calculating corresponding noise disturbance according to the target class position;
the iteration module is used for performing multiple iterations after the noise disturbance corresponding to the target position is added to the corresponding target position to obtain a corresponding countermeasure sample;
and the attack module is used for inputting the confrontation sample into a model to be attacked for detection.
8. The target-location-based counter attack apparatus of claim 7, wherein the extraction module comprises:
the convolution submodule is used for performing convolution processing on the image to be processed through the convolution layer in the extraction model to obtain a feature map;
the first activation submodule is used for passing the feature map through a first activation layer in the extraction model to obtain the probability of the category to which the image to be processed belongs;
the calculation submodule is used for calculating partial derivatives of the feature map by using the probability to obtain partial derivatives;
the pooling submodule is used for globally averaging the partial derivatives through a pooling layer in the extraction model to obtain weight values;
and the second activation submodule is used for computing the weighted sum of the feature maps based on the weight values and then obtaining the target class activation thermodynamic diagram through a second activation layer in the extraction model.
9. A computer device, characterized in that the computer device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores computer readable instructions which, when executed by the processor, implement the target location based counter attack method as claimed in any one of claims 1 to 6.
10. A computer-readable storage medium having computer-readable instructions stored thereon, which when executed by a processor implement the target-location-based counter attack method according to any one of claims 1 to 6.
CN202111565878.6A 2021-12-20 2021-12-20 Target positioning-based attack resisting method, device, equipment and storage medium Pending CN114298190A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111565878.6A CN114298190A (en) 2021-12-20 2021-12-20 Target positioning-based attack resisting method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111565878.6A CN114298190A (en) 2021-12-20 2021-12-20 Target positioning-based attack resisting method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114298190A true CN114298190A (en) 2022-04-08

Family

ID=80968563

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111565878.6A Pending CN114298190A (en) 2021-12-20 2021-12-20 Target positioning-based attack resisting method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114298190A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114969728A (en) * 2022-06-06 2022-08-30 北京邮电大学 Thermodynamic diagram-based neural network attack method
CN114969728B (en) * 2022-06-06 2024-06-07 北京邮电大学 Neural network attack method based on thermodynamic diagram
CN114998707A (en) * 2022-08-05 2022-09-02 深圳中集智能科技有限公司 Attack method and device for evaluating robustness of target detection model

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination