CN114612689A - Confrontation sample generation method, model training method, processing method and electronic equipment - Google Patents
Confrontation sample generation method, model training method, processing method and electronic equipment Download PDFInfo
- Publication number
- CN114612689A CN114612689A CN202210525752.4A CN202210525752A CN114612689A CN 114612689 A CN114612689 A CN 114612689A CN 202210525752 A CN202210525752 A CN 202210525752A CN 114612689 A CN114612689 A CN 114612689A
- Authority
- CN
- China
- Prior art keywords
- image
- iteration
- image corresponding
- function
- current
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 85
- 238000012549 training Methods 0.000 title claims abstract description 35
- 238000003672 processing method Methods 0.000 title claims abstract description 21
- 239000013598 vector Substances 0.000 claims abstract description 92
- 238000012545 processing Methods 0.000 claims abstract description 86
- 239000006185 dispersion Substances 0.000 claims abstract description 53
- 238000000605 extraction Methods 0.000 claims description 18
- 238000010606 normalization Methods 0.000 claims description 9
- 230000005540 biological transmission Effects 0.000 claims description 5
- 230000006870 function Effects 0.000 description 93
- 238000004590 computer program Methods 0.000 description 22
- 238000010586 diagram Methods 0.000 description 16
- 230000008569 process Effects 0.000 description 11
- 230000015654 memory Effects 0.000 description 10
- 238000004891 communication Methods 0.000 description 8
- 238000013145 classification model Methods 0.000 description 6
- 238000001514 detection method Methods 0.000 description 4
- 238000013473 artificial intelligence Methods 0.000 description 3
- 238000003709 image segmentation Methods 0.000 description 3
- 238000010801 machine learning Methods 0.000 description 3
- 238000005259 measurement Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 238000004364 calculation method Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000003042 antagnostic effect Effects 0.000 description 1
- QVGXLLKOCUKJST-UHFFFAOYSA-N atomic oxygen Chemical compound [O] QVGXLLKOCUKJST-UHFFFAOYSA-N 0.000 description 1
- 238000004422 calculation algorithm Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000013135 deep learning Methods 0.000 description 1
- 238000013136 deep learning model Methods 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 239000007789 gas Substances 0.000 description 1
- 238000012804 iterative process Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 239000001301 oxygen Substances 0.000 description 1
- 229910052760 oxygen Inorganic materials 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
- 238000000844 transformation Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Molecular Biology (AREA)
- Computing Systems (AREA)
- Biophysics (AREA)
- Biomedical Technology (AREA)
- Mathematical Physics (AREA)
- Computational Linguistics (AREA)
- Health & Medical Sciences (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Bioinformatics & Computational Biology (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Evolutionary Biology (AREA)
- Image Analysis (AREA)
Abstract
The invention provides a countermeasure sample generation method, an image processing model training method and an image processing method. The confrontation sample generation method comprises the following steps: performing multiple rounds of iterative processing on the image until a preset iterative condition is met; and determining the image meeting the preset iteration condition as a countermeasure sample. Performing multiple rounds of iterative processing on the image includes: processing image characteristic data corresponding to the current iteration to obtain an image characteristic vector; and obtaining a disturbance value according to the image characteristic vector corresponding to the initial image and the image characteristic vector corresponding to the current round of iteration based on an objective function, wherein the objective function is determined according to the dispersion function and the distance function, and obtaining an image corresponding to the next round of iteration according to the disturbance value corresponding to the current round of iteration and the image corresponding to the current round of iteration. The invention also provides the electronic equipment.
Description
Technical Field
The invention relates to the technical field of artificial intelligence and machine learning, in particular to a confrontation sample generation method, a model training method, a processing method and electronic equipment.
Background
Machine learning and artificial intelligence related technologies are attracting attention in recent years, and due to excellent performance, the machine learning and artificial intelligence related technologies are widely applied to the field of computer vision, and the application range can include various tasks such as image recognition, target detection, image segmentation and the like, and the application scenes include posture detection, automatic driving and the like.
The recognition accuracy of the current image classification model in the application scene is high, but researches find that the model can generate wrong classification only by adding some carefully designed tiny disturbances on a test sample, and the disturbances are not enough to interfere with the human visual system. Such perturbed images that can alter the depth classification model prediction results are referred to as countermeasure samples.
The conventional countermeasure sample generation method usually utilizes a depth classification model to calculate a corresponding loss function, and then leads to generate a disturbance which makes the loss function tend to be in a poor condition, so that the depth model is classified incorrectly. The process depends on the output of the final loss function of the depth classification model, so that the success rate of the generated attack against the sample is not high, and the generalization on different image classification models is lacked.
Disclosure of Invention
In view of the foregoing problems, the present invention provides a countermeasure sample generation method, a model training method, an image processing method, and an electronic apparatus.
One aspect of the present invention provides a method for generating a confrontation sample, including: performing multiple rounds of iterative processing on the image until a preset iterative condition is met; determining an image meeting a predetermined iteration condition as a countermeasure sample; wherein, carrying out multiple rounds of iterative processing on the image comprises the following steps: processing image characteristic data of the image corresponding to the current iteration to obtain an image characteristic vector of the image corresponding to the current iteration; obtaining a disturbance value of the image corresponding to the current round of iteration according to an image feature vector corresponding to the initial image and an image feature vector of the image corresponding to the current round of iteration based on an objective function, wherein the objective function is determined according to a dispersion function and a distance function, the dispersion function is a function for calculating dispersion based on the image feature vector of the image corresponding to each round of iteration, and the distance function is a function for calculating a distance between the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to each round of iteration; and obtaining an image corresponding to the next iteration according to the disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration.
Optionally, the objective function is determined from the dispersion function and the distance function, including: calculating a function of dispersion and a first hyper-parameter according to an image feature vector for calculating dispersion based on an image corresponding to each iteration, and obtaining a weighted feature dispersion function; obtaining a weighted distance function according to a function for calculating the distance between the image characteristic vector corresponding to the initial image and the image characteristic vector of the image corresponding to each iteration and a second hyperparameter; and determining a target function according to the weighted feature dispersion function and the weighted distance function.
Optionally, obtaining an image corresponding to a next iteration according to the disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration, including: determining an updating step length of an image corresponding to the current round of iteration; obtaining an updated disturbance value of the image corresponding to the current round based on the disturbance value of the image corresponding to the current round of iteration and the update step length of the image corresponding to the current round of iteration; and obtaining an image corresponding to the next iteration according to the updated disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration.
Optionally, processing image feature data of an image corresponding to the current round of iteration to obtain an image feature vector of the image corresponding to the current round of iteration includes: inputting image characteristic data of an image corresponding to the current iteration into a characteristic extraction model to obtain image extraction characteristics corresponding to the current iteration; and performing normalization processing on the image extraction features to obtain an image feature vector of the image corresponding to the current iteration.
Optionally, the preset iteration condition includes a preset number of iterations.
Optionally, the dispersion comprises an entropy or variance.
Optionally, the distance between the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to each iteration is an optimal transmission distance, a manhattan distance, or a euclidean distance.
According to another aspect of the present invention, there is provided an image processing model training method, including: and training the model to be trained by using the confrontation sample to obtain the trained image processing model, wherein the confrontation sample is generated by using the confrontation sample generation method.
According to another aspect of the present invention, there is provided an image processing method including: and processing the target original image by using an image processing model to obtain an output result aiming at the target original image, wherein the image processing model is obtained by training according to the image processing model training method.
Another aspect of the present invention provides an electronic device, including: one or more processors; a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the above-described method for generating a countermeasure sample, method for training an image processing model, and method for processing an image.
Another aspect of the present invention also provides a computer-readable storage medium, on which executable instructions are stored, and when executed by a processor, the instructions cause the processor to perform the above-mentioned confrontational sample generation method, image processing model training method and image processing method.
Another aspect of the present invention further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the above-mentioned confrontation sample generation method, the image processing model training method, and the image processing method.
Based on a target function determined by the dispersion function and the distance function, a disturbance value of an image corresponding to current round iteration is obtained according to an image characteristic vector corresponding to an initial image and an image characteristic vector corresponding to the current round of iteration, an image corresponding to next round of iteration is obtained according to the disturbance value of the image corresponding to the current round of iteration and the image corresponding to the current round of iteration, until a preset iteration condition is met, the image obtained under the condition that the preset iteration condition is met is determined as a countermeasure sample, semantic information which can comprehensively utilize distance measurement and dispersion of depth features is generated to generate the countermeasure sample, generalization of the countermeasure sample is improved, and practicability and expansibility of generation of the countermeasure sample are increased.
Drawings
The above and other objects, features and advantages of the present invention will become more apparent from the following description of embodiments of the present invention with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an application scenario diagram of a countermeasure sample generation method, an image processing model training method, an image processing method and an apparatus according to an embodiment of the present invention;
FIG. 2 schematically illustrates a flow diagram of a challenge sample generation method according to an embodiment of the invention;
FIG. 3 schematically shows a flow diagram of an image processing model training method according to an embodiment of the invention;
FIG. 4 schematically shows a flow chart of an image processing method according to an embodiment of the invention;
FIG. 5 schematically illustrates a block diagram of a challenge sample generation device according to an embodiment of the present invention;
FIG. 6 schematically shows a block diagram of an image processing model training apparatus according to an embodiment of the present invention;
fig. 7 schematically shows a block diagram of an image processing apparatus according to an embodiment of the present invention;
FIG. 8 schematically illustrates a block diagram of an electronic device suitable for implementing the countermeasure sample generation method, the image processing model training method, and the image processing method, in accordance with an embodiment of the present invention.
Detailed Description
Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. It is to be understood that this description is made only by way of example and not as a limitation on the scope of the invention. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the invention. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present invention.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
The embodiment of the invention provides a method for generating a confrontation sample, which comprises the following steps: and executing multiple rounds of iterative processing on the image until a preset iterative condition is met. And determining the image meeting the preset iteration condition as the confrontation sample. Performing multiple rounds of iterative processing on the image may include: and processing the image characteristic data of the image corresponding to the current iteration to obtain the image characteristic vector of the image corresponding to the current iteration. And obtaining a disturbance value of the image corresponding to the current round of iteration according to an image feature vector corresponding to the initial image and an image feature vector of the image corresponding to the current round of iteration based on an objective function, wherein the objective function is determined according to a dispersion function and a distance function, the dispersion function is a function for calculating dispersion based on the image feature vector of the image corresponding to each round of iteration, and the distance function is a function for calculating the distance between the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to each round of iteration. And obtaining an image corresponding to the next iteration according to the disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration.
Fig. 1 schematically shows an application scenario diagram of a countermeasure sample generation method, an image processing model training method, an image processing method and an apparatus according to an embodiment of the present invention.
As shown in fig. 1, an application scenario 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104 and a server 105. Network 104 is the medium used to provide communication links between terminal devices 101, 102, 103 and server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may use terminal devices 101, 102, 103 to interact with a server 105 over a network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the countermeasure sample generation method, the training method of the image processing model, and the image processing method provided by the embodiment of the present invention may be generally executed by the server 105. Accordingly, the countermeasure sample generation apparatus, the training apparatus of the image processing model, and the image processing apparatus provided by the embodiment of the present invention may be generally disposed in the server 105. The countermeasure sample generation method, the training method of the image processing model, and the image processing method provided by the embodiment of the present invention may also be executed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the countermeasure sample generation apparatus, the training apparatus of the image processing model, and the image processing apparatus provided in the embodiment of the present invention may also be disposed in a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 2 schematically illustrates a flow chart of a challenge sample generation method according to an embodiment of the present invention.
As shown in FIG. 2, the method 200 may include operations S210 to S220.
In operation S210, a plurality of rounds of iterative processes are performed on the image until a predetermined iterative condition is satisfied.
In operation S220, an image satisfying a predetermined iteration condition is determined as a countermeasure sample.
According to an embodiment of the invention, operation S210 may include operations S211-S213.
In operation S211, image feature data of an image corresponding to the current iteration is processed to obtain an image feature vector of the image corresponding to the current iteration.
In operation S212, a perturbation value of an image corresponding to a current round of iteration is obtained from an image feature vector corresponding to an initial image and an image feature vector of the image corresponding to the current round of iteration based on an objective function, wherein the objective function is determined according to a dispersion function for calculating dispersion based on the image feature vector of the image corresponding to each round of iteration and a distance function for calculating a distance between the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to each round of iteration.
In operation S213, an image corresponding to the next iteration is obtained according to the disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration.
According to an embodiment of the present invention, the predetermined iteration condition may be used as a condition whether the image satisfies the antagonistic sample generation. The preset iteration condition may include a preset iteration number, and the preset iteration number may be a number of times that the iteration number reaches the maximum iteration number, and may be set in a user-defined manner according to an actual requirement, which is not limited herein.
According to an embodiment of the invention, for each of a plurality of iterations, there is an image and an image feature vector corresponding to each iteration. Performing multiple rounds of iterative processing on the image until a predetermined iteration condition is satisfied may include: the ongoing round is referred to as the current round. And obtaining a disturbance value of the image corresponding to the current round of iteration by using the image characteristic vector of the image corresponding to the current round of iteration and the image characteristic vector corresponding to the initial image based on the target function. And adjusting the image corresponding to the current iteration according to the disturbance value of the image corresponding to the current iteration to obtain the image corresponding to the next iteration.
According to an embodiment of the present invention, the objective function is determined from a function for calculating the dispersion based on the image feature vectors of the images corresponding to each iteration and a function for calculating the distance between the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to each iteration.
And under the condition that the current iteration is the first iteration, performing feature processing on the initial image to obtain an image feature vector of the initial image corresponding to the first iteration, wherein the image feature vector can also be understood as the image feature vector corresponding to the initial image. Based on the objective function, obtaining a disturbance value of the image corresponding to the first iteration by using the image feature vector of the initial image corresponding to the first iteration and the image feature vector corresponding to the initial image, and adding the disturbance value to the initial image to obtain the image corresponding to the second iteration.
According to the embodiment of the present invention, when the current iteration is the second iteration, the image feature vector of the image corresponding to the second iteration is obtained, the disturbance value of the image corresponding to the second iteration is obtained by using the image feature vector of the image corresponding to the second iteration and the image feature vector corresponding to the initial image based on the objective function, and the disturbance value of the image corresponding to the second iteration is added to the image corresponding to the second iteration to obtain the image corresponding to the third iteration.
Based on the iteration processing process, executing multiple iterations on the image until a preset iteration condition is met, namely a preset iteration number is met, obtaining the image after the multiple iterations, and determining the image meeting the preset iteration number as a confrontation sample.
According to the embodiment of the invention, based on the objective function determined by the function for calculating the dispersion based on the image feature vector of the image corresponding to each iteration and the function for calculating the distance between the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to each iteration, the disturbance value of the image corresponding to the current iteration is obtained according to the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to the current iteration, the image corresponding to the next iteration is obtained according to the disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration until the preset iteration condition is met, the image obtained under the condition that the preset iteration condition is met is determined as the countermeasure sample, and the generation of the countermeasure sample by comprehensively utilizing the distance measurement and the dispersion of the depth feature is realized, the generalization of the confrontation sample is improved, and the practicability and the expansibility of the generation of the confrontation sample are increased.
According to an embodiment of the present invention, the objective function is determined according to the dispersion function and the distance function, and may include: calculating a function of dispersion and a first hyper-parameter according to an image feature vector for calculating dispersion based on an image corresponding to each iteration, and obtaining a weighted feature dispersion function; obtaining a weighted distance function according to a function for calculating the distance between the image characteristic vector corresponding to the initial image and the image characteristic vector of the image corresponding to each iteration and a second hyperparameter; and determining a target function according to the weighted feature dispersion function and the weighted distance function.
According to an embodiment of the invention, the dispersion function may be used to characterize the dispersion of the image feature vector based on the image corresponding to each iteration in each iteration; the distance function may be used to characterize the distance between the image feature vector based on the image corresponding to each iteration and the image feature vector corresponding to the initial image during each iteration.
According to an embodiment of the present invention, the first hyper-parameter and the second hyper-parameter may be used to characterize parameters for adjusting the dispersion function and the distance function, respectively, thereby achieving an adjustment of the objective function. The first hyper-parameter and the second hyper-parameter can be adjusted according to the actual requirement of iteration.
According to the embodiment of the invention, a function for calculating the dispersion based on the image feature vector of the image corresponding to each iteration is weighted by using the first hyper-parameter, so that a weighted feature dispersion function is obtained.
According to an embodiment of the present invention, the dispersion may include an entropy value or a variance. For example, the entropy for dispersion calculated based on the image feature vector of the image corresponding to each iterationThe value can be expressed as
The number of iterations is 
Wherein, in the process,
then the function used to compute the dispersion based on the image feature vectors of the images corresponding to each iteration can be expressed as an entropy value
Wherein, in the process,
for the image feature vectors of the image corresponding to each iteration,
as the image corresponding to each iteration of the round.
According to the embodiment of the invention, the distance between the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to each iteration is the optimal transmission distance, the Manhattan distance and the Euclidean distance.
According to an embodiment of the present invention, for example, the Wasserstein distance between the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to each iteration may be calculated using the optimal transmission distance algorithm, which may be expressed as
Wherein, in the process,xis the initial image.
According to an embodiment of the invention, the first hyper-parameter may be expressed as
The weighted feature dispersion function can be expressed as
(ii) a The second hyperparameter may be expressed as
The weighted distance function can be expressed as
。
According to embodiments of the invention, for example, the objective function
Can be represented by formula (1):
according to the embodiment of the invention, the target function is determined based on the feature dispersion and the feature distance measurement of the image, the semantic information of the image depth feature is fully utilized, and the practicability and the expansibility of the generated confrontation sample meeting the preset iteration condition are improved.
According to the embodiment of the invention, obtaining an image corresponding to the next iteration according to the disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration comprises: determining an updating step length of an image corresponding to the current round of iteration; obtaining an updated disturbance value of the image corresponding to the current round based on the disturbance value of the image corresponding to the current round of iteration and the update step length of the image corresponding to the current round of iteration; and obtaining an image corresponding to the next iteration according to the updated disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration.
According to the embodiment of the invention, the disturbance value of the image corresponding to the current round of iteration can be obtained by performing back propagation calculation on the target function. The update step size is understood to be the update of the value of a specific parameter in the opposite direction of the perturbation value during each iteration, and can be expressed as
。
According to an embodiment of the present invention, for example, the countermeasure sample corresponding to the t +1 th iteration, that is, the image corresponding to the t +1 th iteration may be represented as
May be based on the above-mentioned objective function
(when
Is composed of
Time) through gradient back propagation calculation, the updated disturbance value of the image corresponding to the t-th iteration can be expressed as 
Combining images corresponding to the t-th iteration
To obtain an image corresponding to the t +1 th iteration
Can be represented by formula (2):
according to the embodiment of the invention, in order to avoid excessive disturbance to the image corresponding to each iteration, the obtained image corresponding to each iteration is subjected to
With constraints on the disturbance, the upper limit of the disturbance can be set to
. For example, for the obtained image corresponding to the t +1 th iteration
The perturbation constraint can be expressed as equation (3):
wherein,xis the initial image.
According to the embodiment of the present invention, processing image feature data of an image corresponding to a current round of iteration to obtain an image feature vector of the image corresponding to the current round of iteration includes: inputting image characteristic data of an image corresponding to the current iteration into a characteristic extraction model to obtain image extraction characteristics corresponding to the current iteration; and performing normalization processing on the image extraction features to obtain an image feature vector of the image corresponding to the current iteration.
According to an embodiment of the present invention, for example, the current round is the t-th iteration, and the image corresponding to the current round iteration is
The image corresponding to the current round iteration is
Inputting the image into a feature extraction model to obtain image extraction features corresponding to the current iteration 
Extracting features from the image
Carrying out normalization processing to obtain the image characteristic vector of the image corresponding to the current iteration
Extracting features from the image
The normalization process can be performed bySoftmaxThe function is implemented as a function of, i.e.,
。
according to an embodiment of the present invention, for example, when the current round is the first round iteration, the image corresponding to the current round iteration is the initial imagexAn initial imagexInputting the image extraction features of the initial image into the feature extraction model
Extracting features from the image
Normalization processing is carried out to obtain the image characteristic vector of the initial image normalization processing
That is, the amount of the oxygen present in the gas,
。
according to an embodiment of the present invention, the normalization process may be a process of performing a series of standard processing transformations on the image extraction features, so that the image extraction features are transformed into a fixed standard form.
FIG. 3 schematically shows a flow chart of an image processing model training method according to an embodiment of the present invention.
As shown in fig. 3, the method 300 may include operation S310.
In operation S310, a model to be trained is trained by using a confrontation sample, which is generated by using the method for generating the confrontation sample, to obtain a trained image processing model.
According to the embodiment of the invention, the model to be trained can be a deep learning classification model to be trained, and can be a model of a data sequence classified by different images. And inputting the confrontation sample generated by the generation method of the confrontation sample into a model to be trained, training the deep learning model, and obtaining the image processing model.
Fig. 4 schematically shows a flow chart of an image processing method according to an embodiment of the invention.
As shown in fig. 4, the method 400 may include the operations of: and S410.
In operation S410, the target raw image is processed by using an image processing model, which is trained by using the image processing model training method, to obtain an output result for the target raw image.
According to the embodiment of the present invention, for example, the processing required to be performed on the image may include image classification, image detection, image segmentation, and the like, and the target original image is input into the image processing model trained by using the image processing model by using the above image processing method, and an output result for the target original image, such as an image classification result, an image detection result, an image segmentation result, or the like, is obtained.
According to the embodiment of the invention, the confrontation sample generated by the generation method of the confrontation sample trains the image processing model, and the image processing model is used for processing data, so that the generalization of the image processing model when the generated confrontation sample aims at different image processing tasks is improved, and the generated confrontation sample has better practicability and expansibility.
Fig. 5 schematically illustrates a block diagram of a challenge sample generation device according to an embodiment of the present invention.
As shown in fig. 5, the confrontation sample generating apparatus 500 may include: an iteration module 510 and a determination module 520.
And an iteration module 510, configured to perform multiple rounds of iterative processing on the image until a predetermined iteration condition is satisfied.
A determining module 520, configured to determine an image satisfying a predetermined iteration condition as a countermeasure sample.
According to an embodiment of the invention, the iteration module 510 may comprise: a processing sub-module 511, a first obtaining sub-module 512 and a second obtaining sub-module 513.
And the processing submodule 511 is configured to process the image feature data of the image corresponding to the current iteration, so as to obtain an image feature vector of the image corresponding to the current iteration.
The first obtaining sub-module 512 is configured to obtain a perturbation value of an image corresponding to a current round of iteration according to an image feature vector corresponding to an initial image and an image feature vector of the image corresponding to the current round of iteration based on an objective function, where the objective function is determined according to a dispersion function and a distance function, the dispersion function is a function for calculating dispersion based on the image feature vector of the image corresponding to each round of iteration, and the distance function is a function for calculating a distance between the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to each round of iteration.
And a second obtaining submodule 513, configured to obtain an image corresponding to a next iteration according to the disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration.
According to an embodiment of the invention, the objective function is determined from a dispersion function and a distance function, comprising: calculating a function of dispersion and a first hyper-parameter according to an image feature vector for calculating dispersion based on an image corresponding to each iteration, and obtaining a weighted feature dispersion function; obtaining a weighted distance function according to a function for calculating the distance between the image characteristic vector corresponding to the initial image and the image characteristic vector of the image corresponding to each iteration and a second hyperparameter; and determining a target function according to the weighted feature dispersion function and the weighted distance function.
According to an embodiment of the present invention, the second obtaining sub-module may include: the device comprises a determining unit, a first obtaining unit and a second obtaining unit.
And the determining unit is used for determining the updating step size of the image corresponding to the current round of iteration.
And the first obtaining unit is used for obtaining the updated disturbance value of the image corresponding to the current round based on the disturbance value of the image corresponding to the current round of iteration and the update step length of the image corresponding to the current round of iteration.
And the second obtaining unit is used for obtaining an image corresponding to the next iteration according to the updated disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration.
According to an embodiment of the present invention, the processing sub-module may include: an input unit and a third obtaining unit.
And the input unit is used for inputting the image characteristic data of the image corresponding to the current iteration into the characteristic extraction model to obtain the image extraction characteristic corresponding to the current iteration.
And the third obtaining unit is used for carrying out normalization processing on the image extraction features to obtain the image feature vector of the image corresponding to the current iteration.
According to an embodiment of the present invention, the preset iteration condition includes a preset number of iterations.
According to an embodiment of the invention, the dispersion comprises an entropy value or a variance.
According to the embodiment of the invention, the distance between the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to each iteration is the optimal transmission distance, the Manhattan distance and the Euclidean distance.
Fig. 6 schematically shows a block diagram of an image processing model training apparatus according to an embodiment of the present invention.
As shown in fig. 6, the apparatus 600 may include: and a training module 610.
The training module 610 is configured to train a model to be trained by using a confrontation sample to obtain a trained image processing model, where the confrontation sample is generated by using the confrontation sample generation method.
Fig. 7 schematically shows a block diagram of an image processing apparatus according to an embodiment of the present invention.
As shown in fig. 7, the apparatus 700 may include: a module 710 is obtained.
An obtaining module 710, configured to process the target original image by using an image processing model, and obtain an output result for the target original image, where the image processing model is obtained by using the image processing model training method.
The invention also provides an electronic device, a readable storage medium and a computer program product according to the embodiment of the invention.
According to an embodiment of the present invention, an electronic apparatus includes: one or more processors; a storage device for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the above-described countermeasure sample generation method, the image processing model training method, and the image processing method.
According to an embodiment of the present invention, a computer-readable storage medium has stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described countermeasure sample generation method, image processing model training method, and image processing method.
According to an embodiment of the present invention, a computer program product includes a computer program which, when executed by a processor, implements the above-described countermeasure sample generation method, image processing model training method, and image processing method.
Fig. 8 schematically illustrates a block diagram of an electronic device adapted to implement a confrontational sample generation method, an image processing model training method, and an image processing method in accordance with an embodiment of the present invention.
As shown in fig. 8, an electronic device 800 according to an embodiment of the present invention includes a processor 801 which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The processor 801 may include, for example, a general purpose microprocessor (e.g., CPU), an instruction set processor and/or related chip sets and/or a special purpose microprocessor (e.g., Application Specific Integrated Circuit (ASIC)), among others. The processor 801 may also include on-board memory for caching purposes. The processor 801 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present invention.
In the RAM 803, various programs and data necessary for the operation of the electronic apparatus 800 are stored. The processor 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. The processor 801 performs various operations of the method flow according to the embodiment of the present invention by executing programs in the ROM 802 and/or the RAM 803. Note that the programs may also be stored in one or more memories other than the ROM 802 and RAM 803. The processor 801 may also perform various operations of method flows according to embodiments of the present invention by executing programs stored in the one or more memories.
The present invention also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the present invention.
According to embodiments of the present invention, the computer readable storage medium may be a non-volatile computer readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present invention, a computer-readable storage medium may include the ROM 802 and/or the RAM 803 described above and/or one or more memories other than the ROM 802 and the RAM 803.
Embodiments of the invention also include a computer program product comprising a computer program comprising program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the item recommendation method provided by the embodiment of the invention.
The computer program performs the above-described functions defined in the system/apparatus of the embodiment of the present invention when executed by the processor 801. The above described systems, devices, modules, units, etc. may be implemented by computer program modules according to embodiments of the invention.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, distributed, downloaded and installed via communication section 809, and/or installed from removable media 811. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The computer program, when executed by the processor 801, performs the above-described functions defined in the system of the embodiment of the present invention. The above described systems, devices, apparatuses, modules, units, etc. may be implemented by computer program modules according to embodiments of the present invention.
According to embodiments of the present invention, program code for executing a computer program provided by embodiments of the present invention may be written in any combination of one or more programming languages, and in particular, the computer program may be implemented using a high level procedural and/or object oriented programming language, and/or an assembly/machine language. The programming language includes, but is not limited to, programming languages such as Java, C + +, python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be appreciated by a person skilled in the art that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present invention are possible, even if such combinations or combinations are not explicitly recited in the present invention. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present invention may be made without departing from the spirit or teaching of the invention. All such combinations and/or associations are within the scope of the present invention.
The embodiments of the present invention have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present invention. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the invention is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the invention, and these alternatives and modifications are intended to fall within the scope of the invention.
Claims (10)
1. A challenge sample generation method, comprising:
performing multiple rounds of iterative processing on the image until a preset iterative condition is met;
determining an image satisfying the predetermined iteration condition as the countermeasure sample;
wherein the performing multiple rounds of iterative processing on the image comprises:
processing image characteristic data of an image corresponding to the current round of iteration to obtain an image characteristic vector of the image corresponding to the current round of iteration;
obtaining a disturbance value of an image corresponding to the current round of iteration according to an image feature vector corresponding to an initial image and an image feature vector of the image corresponding to the current round of iteration based on an objective function, wherein the objective function is determined according to a dispersion function and a distance function, the dispersion function is a function for calculating dispersion based on the image feature vector of the image corresponding to each round of iteration, and the distance function is a function for calculating a distance between the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to each round of iteration;
And obtaining an image corresponding to the next iteration according to the disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration.
2. The method of claim 1, wherein the objective function is determined from a dispersion function and a distance function, comprising:
calculating a function of dispersion and a first hyper-parameter according to an image feature vector for calculating dispersion based on an image corresponding to each iteration, and obtaining a weighted feature dispersion function;
obtaining a weighted distance function according to a function for calculating the distance between the image characteristic vector corresponding to the initial image and the image characteristic vector of the image corresponding to each iteration and a second hyperparameter;
and determining the target function according to the weighted feature dispersion function and the weighted distance function.
3. The method of claim 1, wherein the obtaining an image corresponding to a next iteration according to the disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration comprises:
determining an update step size of an image corresponding to the current round of iteration;
obtaining an updated disturbance value of the image corresponding to the current round based on the disturbance value of the image corresponding to the current round of iteration and the update step length of the image corresponding to the current round of iteration;
And obtaining an image corresponding to the next iteration according to the updated disturbance value of the image corresponding to the current iteration and the image corresponding to the current iteration.
4. The method of claim 1, wherein the processing image feature data of the image corresponding to the current round of iteration to obtain an image feature vector of the image corresponding to the current round of iteration comprises:
inputting image characteristic data of an image corresponding to the current iteration into a characteristic extraction model to obtain image extraction characteristics corresponding to the current iteration;
and performing normalization processing on the image extraction features to obtain the image feature vector of the image corresponding to the current iteration.
5. The method of claim 1, wherein the preset iteration condition comprises a preset number of iterations.
6. The method of claim 1, wherein the dispersion comprises an entropy value or a variance.
7. The method of claim 1, wherein the distance between the image feature vector corresponding to the initial image and the image feature vector of the image corresponding to each iteration is an optimal transmission distance, a manhattan distance, a euclidean distance.
8. An image processing model training method, comprising:
training the model to be trained by using the confrontation sample to obtain a trained image processing model,
wherein the challenge sample is generated using the method of claim 1.
9. An image processing method, comprising:
processing the target original image by using an image processing model to obtain an output result aiming at the target original image,
wherein the image processing model is trained by the training method according to claim 8.
10. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any one of claims 1-7 or 8 or 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210525752.4A CN114612689B (en) | 2022-05-16 | 2022-05-16 | Countermeasure sample generation method, model training method, processing method and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210525752.4A CN114612689B (en) | 2022-05-16 | 2022-05-16 | Countermeasure sample generation method, model training method, processing method and electronic equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114612689A true CN114612689A (en) | 2022-06-10 |
| CN114612689B CN114612689B (en) | 2022-09-09 |
Family
ID=81870456
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210525752.4A Active CN114612689B (en) | 2022-05-16 | 2022-05-16 | Countermeasure sample generation method, model training method, processing method and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114612689B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109948663A (en) * | 2019-02-27 | 2019-06-28 | 天津大学 | A kind of confrontation attack method of the adaptive step based on model extraction |
| CN112907552A (en) * | 2021-03-09 | 2021-06-04 | 百度在线网络技术(北京)有限公司 | Robustness detection method, device and program product for image processing model |
| US20220058273A1 (en) * | 2020-07-17 | 2022-02-24 | Tata Consultancy Services Limited | Method and system for defending universal adversarial attacks on time-series data |
| CN114241569A (en) * | 2021-12-21 | 2022-03-25 | 中国电信股份有限公司 | Face recognition attack sample generation method, model training method and related equipment |
| CN114331829A (en) * | 2021-09-03 | 2022-04-12 | 腾讯科技(深圳)有限公司 | Countermeasure sample generation method, device, equipment and readable storage medium |
-
2022
- 2022-05-16 CN CN202210525752.4A patent/CN114612689B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109948663A (en) * | 2019-02-27 | 2019-06-28 | 天津大学 | A kind of confrontation attack method of the adaptive step based on model extraction |
| US20220058273A1 (en) * | 2020-07-17 | 2022-02-24 | Tata Consultancy Services Limited | Method and system for defending universal adversarial attacks on time-series data |
| CN112907552A (en) * | 2021-03-09 | 2021-06-04 | 百度在线网络技术(北京)有限公司 | Robustness detection method, device and program product for image processing model |
| CN114331829A (en) * | 2021-09-03 | 2022-04-12 | 腾讯科技(深圳)有限公司 | Countermeasure sample generation method, device, equipment and readable storage medium |
| CN114241569A (en) * | 2021-12-21 | 2022-03-25 | 中国电信股份有限公司 | Face recognition attack sample generation method, model training method and related equipment |
Non-Patent Citations (1)
| Title |
|---|
| 周文等: "面向低维工控网数据集的对抗样本攻击分析", 《计算机研究与发展》 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114612689B (en) | 2022-09-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11978245B2 (en) | Method and apparatus for generating image | |
| CN109816589B (en) | Method and apparatus for generating cartoon style conversion model | |
| US10650492B2 (en) | Method and apparatus for generating image | |
| CN110929780B (en) | Video classification model construction method, video classification device, video classification equipment and medium | |
| CN108197652B (en) | Method and apparatus for generating information | |
| CN108229419B (en) | Method and apparatus for clustering images | |
| CN113435583B (en) | Federal learning-based countermeasure generation network model training method and related equipment thereof | |
| CN109816039A (en) | A kind of cross-module state information retrieval method, device and storage medium | |
| CN113128419B (en) | Obstacle recognition method and device, electronic equipment and storage medium | |
| CN111708876B (en) | Method and device for generating information | |
| CN109800730B (en) | Method and device for generating head portrait generation model | |
| CN111368973B (en) | Method and apparatus for training a super network | |
| CN113361710B (en) | Student model training method, picture processing device and electronic equipment | |
| CN112149699B (en) | Method and device for generating model and method and device for identifying image | |
| CN114612688B (en) | Countermeasure sample generation method, model training method, processing method and electronic equipment | |
| CN111340221A (en) | Method and device for sampling neural network structure | |
| CN112650841A (en) | Information processing method and device and electronic equipment | |
| CN110659657A (en) | Method and device for training model | |
| CN111488517B (en) | Method and device for training click rate estimation model | |
| CN115841366B (en) | Method and device for training object recommendation model, electronic equipment and storage medium | |
| CN114841142A (en) | Text generation method and device, electronic equipment and storage medium | |
| CN112966701A (en) | Method and device for classifying objects | |
| CN110008926B (en) | Method and device for identifying age | |
| WO2019234156A1 (en) | Training spectral inference neural networks using bilevel optimization | |
| CN114494747A (en) | Model training method, image processing method, device, electronic device and medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |