CN115392434A - Depth model reinforcement method based on graph structure variation test - Google Patents

Abstract

The invention provides a depth model reinforcement method based on graph structure variation test, which comprises the steps of injecting different variation operators into a deep learning system to construct different variation test models, analyzing the detection degree of variation to evaluate the quality of the test models and preferentially sequencing the models, so that graph network indexes with guiding significance are found according to sequencing results after the models are mapped into a graph structure to generate a new robust graph structure and reconstruct the new robust graph structure back to the models, and the robustness of the models is improved.

Description

A Deep Model Hardening Method Based on Graph Structure Mutation Test

technical field

The invention relates to the fields of distributed machine learning and artificial intelligence security, in particular to a deep model reinforcement method based on graph structure variation testing.

Background technique

In the past few decades, deep learning has achieved great success in many fields, including autonomous driving, artificial intelligence, video surveillance, etc. However, with the recent series of catastrophic accidents related to deep learning, the robustness and safety of deep learning systems has become a big problem. In particular, the recent adversarial test generation technique proposed by Christian et al. to add a misleading perturbation imperceptible to humans on the original sample image has further exacerbated this problem. This newly generated test sample is called an adversarial sample, which poses a potential security threat to deep learning systems, such as face recognition systems, automatic verification systems, and automatic driving systems.

In the past few years, a large number of defense methods have been proposed to improve the robustness of models to adversarial examples to avoid potential dangers in real-world applications. These methods can be broadly categorized into adversarial training, input transformation, model architecture transformation, and adversarial example detection. However, most of these methods above focus on the pixel space of the input image, and few of them analyze the impact of adversarial perturbations by studying the interlayer structure of the model. This is because while it is generally accepted that the performance of a neural network depends on its network parameters and training samples, there is a lack of systematic understanding of the relationship between neural network accuracy and its underlying graph structure. In a recent study, You et al. proposed a new way to represent neural networks as graphs, called relational graphs. The diagram focuses primarily on the exchange of information, not just directed data flow. However, this method can only build the original robust model, and it is difficult to explain and defend from a fine-grained perspective once it is attacked by an adversarial example. At the same time, due to the unique characteristics of deep learning systems, new quality evaluation standards are needed to guide them. Recently, Ma et al. proposed a mutation testing framework for deep learning systems. By defining a set of source-level mutation operators and a set of model-level mutation operators, faults are injected into the deep learning system, and finally through the analysis The degree of detection of injected faults is used to evaluate the quality of test data. However, this kind of mutation test only detects faults in local areas, and cannot provide a guiding optimization method for the overall structure of the model.

And just recently, Laura et al. conducted an exploratory experiment on the underlying graph structure index of the simulated human brain network. They simulated the network structure of the human brain by using the network topology and modular organization calculation methods, and drew a brain structure map. Indexes including feature path length and clustering coefficient were counted to guide the research. However, these graph indicators lack complex research on multi-level and multi-perspective deep learning networks, and lack an interpretable theoretical basis for network robust performance changes.

In view of the above problems, the present invention proposes a method of injecting different mutation operators into the deep learning system to construct different mutation test models, and evaluates the quality of the models by analyzing the degree of detection of mutations to prioritize the models. After mapping the model into a graph structure, find the guiding graph network indicators according to the sorting results, so as to generate a new robust graph structure and refactor it back into the model to improve the robustness of the model.

Contents of the invention

In order to further explore the relationship between the multi-level, multi-view complex network structure and the robust performance of the model, and to provide a guiding fine-grained explanation for the graph structure representation of the network, the present invention proposes a graph-based The in-depth model reinforcement method of structural variation testing, injects different mutation operators into the deep learning system to construct different variation testing models, analyzes the degree of variation detection to evaluate the quality of the testing models and prioritizes the models. After the model is mapped into a graph structure, find the instructive graph structure index according to the sorting results to generate a new robust graph structure and reconstruct it back into the model, and finally improve the robustness of the model and strengthen the model.

In order to realize the above-mentioned purpose of the invention, the present invention provides the following technical solutions:

A deep model reinforcement method based on graph structure mutation testing, including:

1) Obtain training data and test data;

2) Construct the original target model, and train the original target model based on the acquired training data;

3) Construct the mutation test model of the original target model, the mutation test model includes the mutation test model generated by using the source-level mutation operator and/or the model-level mutation operator; wherein, for the generated by using the model-level mutation operator The trained mutation test model is directly saved, and the untrained mutation test model generated by the source-level mutation operator is trained and saved based on the obtained training data and using the same parameters as the original target model training;

4) Carry out mutation detection to the variation test model based on the test data, and calculate the variation score of each variation test model:

Among them, M' is the collection of each mutation test model, m' is the index of the mutation test model in each mutation test model, K is the number of types of labels of the test data, KilledClasses(T', m') represents the test data T The set of test data types in the 'killing mutation test model m'; for a test data point t in the test data T', if the following conditions are met, it is said that t kills the _xi type data in the mutation test model m';

I,t is correctly classified as x _i by the original target model m;

II, t is not correctly classified as _xi by the mutation test model m′; wherein, the test data is divided into K classes based on the number of types of labels, and _xi represents the test data set whose type of label is i;

5) Construct the graph structure of the original target model and each variation test model, wherein the nodes in the graph structure correspond to the neurons of each layer of neural network, and the edges in the graph structure correspond to two The connection between neuron nodes, the weight of the edge is the component of the eigenvector matrix of the corresponding node when propagating from the previous layer to the next layer;

6) Calculate the graph structure index corresponding to the graph structure of the original target model and each variation test model, readjust the growth direction of the graph structure of the original target model according to the variation trend of the graph structure index of each variation test model with the variation score, Finally, the adjusted graph structure is reconstructed back to the model to achieve model reinforcement.

The technical idea of the present invention is: the deep model reinforcement method based on the graph structure mutation test provided by the present invention constructs different mutation test models by injecting different mutation operators into the deep learning system, and analyzes the degree of detection of the mutation to evaluate the test The quality of the model and the optimal ranking of the models, so that after the model is mapped to the graph structure, the graph network indicators with guiding significance can be found according to the sorting results to generate a new robust graph structure and reconstruct it back to the model to improve the robustness of the model sex.

Further, the source-level mutation operator includes:

LR operator: Randomly delete a layer from the original target model structure that has not been trained;

LA operator: Randomly add a layer to the original target model structure that has never been trained;

And/or AFR operator: Randomly remove all activation functions of a layer from the original target model structure that was not trained.

Further, the model-level mutation operator includes:

GF operator: Based on the Gaussian distribution of weights in the trained original target model structure, change the value of the weight in the trained original target model structure;

WS operator: Randomly select neurons in the trained original target model structure, and replace the weights of their connections to the previous layer;

NEB operator: Randomly select the weights of all neurons in a layer from the trained original target model structure and set them to 0;

NAI operator: in the trained original target model structure, the weights of all neurons in a layer are randomly selected and set to negative values;

And/or NS operator: Randomly select the weights of 20% of the neurons in a layer from the trained original target model structure for random exchange.

Further, in the GF operator, the value of the weight value is changed in the trained original target model structure, and the value range of the changed value is [w-3σ, w+3σ]; where σ is used in training The standard deviation of the Gaussian distribution of weights in a good original target model structure.

Further, the acquired training data and test data are image data, and the original target model is an image classification network model, which is obtained through training as follows:

Taking each training sample in the training data as input and the predicted category of the training sample as output, the original target model constructed is trained by minimizing the loss between the output and the true label of the sample to obtain the trained original model.

Further, in said step 4), it also includes:

Calculate the average error rate of each mutation test model m'∈M' on the test data T' to measure the overall behavior difference effect of each mutation model AveErrorRate(T', M'):

Among them, ∑ _m'∈M' ErrorRate(T', m') represents the error rate of the test data T' in the mutation test model m'test;

Exclude one or several variant test models M' in which the overall behavioral difference effect AveErrorRate(T', M') is high.

Further, in the step 6), the graph structure index includes: characteristic path length, degree and/or clustering coefficient.

Further, in the step 6), it also includes: adopting one or more adversarial attack methods to conduct an adversarial attack on the reconstructed model, so as to evaluate the improvement of the robust performance of the reinforced model.

The method of the present invention can be applied to the construction and reinforcement of various neural network models, and is especially suitable for the construction and reinforcement of image classification network models based on K classification, specifically, a method for constructing image classification network models based on graph structure variation testing ,include:

1) Obtain training data and test data, both of which are images;

2) Construct the original target model and train the original target model based on the acquired training data: each training sample in the training data is used as input, and the predicted category of the training sample is used as the output, and is constructed by minimizing the loss pair between the output and the real label of the sample The original target model is trained to obtain the trained original model.

3) constructing a mutation test model of the original target model, the mutation test model comprising a mutation test model generated using a source-level mutation operator and/or a model-level mutation operator;

4) Carry out variation detection to variation testing model based on test data, calculate the variation score of every kind of variation testing model;

5) Construct the graph structure of original target model and every kind of variation test model;

6) Calculate the graph structure index corresponding to the graph structure of the original target model and each variation test model, readjust the growth direction of the graph structure of the original target model according to the variation trend of the graph structure index of each variation test model with the variation score, Finally, the adjusted graph structure is reconstructed back to the model to achieve model reinforcement.

The beneficial results of the present invention are mainly reflected in: 1) Compared with the traditional model testing method, the mutation operator proposed by the mutation test modifies and tests the model in a more fine-grained manner, which not only ensures that the accuracy of the model will not produce obvious The decrease of , and the diversity of the experiment is preserved. 2) In the mutation test, the model-level mutation operator only operates on a small number of neurons in the neural network, which greatly preserves the integrity of the neural network. 3) The robust optimization method of model structure guided by graph structure provides a new direction for future model robustness research.

Description of drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only These are some embodiments of the present invention. Those skilled in the art can also obtain other drawings based on these drawings without creative work.

Figure 1 is a flow chart of the method of the present invention.

Fig. 2 is a schematic diagram of the workflow of mutation testing in the present invention.

Detailed ways

In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention, and do not limit the protection scope of the present invention.

Referring to Figures 1 to 2, a deep model reinforcement method based on graph structure variation testing, this embodiment takes image classification model reinforcement as an example, including the following steps:

1) Build the target model dataset

In this embodiment, the CIFAR-10 data set is used to construct and verify the robustness of the brain-like map of the image classification model. The CIFAR-10 data set contains a total of 60,000 RGB color images, each image size is 32*32, divided into 10 categories, and each category has a total of 6,000 samples. Among them, there are 50,000 training samples and 10,000 testing samples. The present invention takes all 50,000 of the 50,000 training samples of the CIFAR-10 data set as the training set of the target model, and takes all 10,000 of the test samples as the test set of the target model.

2) Train the original model

Taking each training sample as input and the category of the training sample as output, the constructed original model is trained by minimizing the loss between the output and the true label of the sample to obtain the trained original model. In this example, three 5-layer MLPs with 512 hidden units are used as the original model structure of the image classification model in the CIFAR-10 data set, and the input of the MLP is the 3072-dimensional CIFAR-10 image (32*32*3) Flat vector, the output is a 10-dimensional image category prediction probability, each MLP layer has a ReLU activation function and a BatchNorm regularization layer. The training set uniform hyperparameters: the number of training epochs is 200, the batch size is 128, stochastic gradient descent (SGD) is used, the learning rate is set to the initial cos cosine learning rate of 0.1, and the loss function is based on the cross entropy function. The parameter is λ, expressed as the following formula, but not limited thereto:

表示模型参数，n是样本总数，λ表示正则化系数，||*||₂是二范数。where p(·) represents the real label of the sample, q(·) represents the predicted probability of the model, y _i represents the input sample,

Represents the model parameters, n is the total number of samples, λ represents the regularization coefficient, and ||*|| ₂ is the second norm.

3) Build a variation test model

3.1) Define the source-level mutation operator

Layer removal (LR): The LR operator randomly deletes a layer of the deep neural network under the condition that the input and output structures of the deleted layer are the same. Here, 5 operations are performed. Each time, a layer structure that is not repeated with the previous selection is randomly selected from the original model structure that has never been trained, and 5 mutation test models are constructed after deletion.

Layer Addition (LA): Compared with the LR operator, the LA operator adds a layer to the deep neural network structure. The focus of LA is to add layers. Here, 5 operations are also performed. Each time, a layer structure that is not repeated with the previous selection is randomly selected from the original model structure that has never been trained, and a new layer of network is added after the layer structure to build 5 Variation Test Models

Activation Function Removal (AFR): Due to the high representation of deep neural networks, activation functions play an important role in the nonlinearity of deep neural networks. The AFR operation randomly removes all activation features of a layer to simulate a situation where a developer forgets to add an activation layer. Here, 5 operations are also performed. Each time, a layer structure that is not repeated with the previous selection is randomly selected from the original model structure that has never been trained, and all activation functions of this layer are deleted to build 5 mutation test models.

3.2) Define the model-level mutation operator

Gaussian blur (GF): Weights are the basic elements of deep neural networks, which describe the importance of connections between neurons. Weights are also an important part of the decision logic of deep neural networks. A natural way to change the weight is to blur its value in order to change the connection importance it represents. The GF operator follows a Gaussian distribution N(w, σ ² ) to vary a given weight w, where σ is a user-configurable standard deviation parameter. Most of the GF operators blur the weight to the value range near it (generally the fuzzy value is located in the probability distribution of [w-3σ, w+3σ]). Here, 5 operations are performed, and each time a different size of σ is selected in the trained Perform fuzzy operations on the original model to build 5 mutation test models

Weight Transformation (WS): The output of a neuron is usually determined by the previous layer of neurons, and each layer of neurons is connected to a weight. The WS operator randomly selects neurons and replaces their connected weights to the previous layer. Randomly selected neurons can remain unchanged or become the weights of the replaced neurons in the previous layer. Here, 5 operations are performed, and each time a layer of the trained original model is randomly selected to replace 10% of the neurons to the previous layer to build 5 mutation test models

Neuron Effect Blocking (NEB): When a test data point is read into a deep neural network, it is processed and propagated through layers of connections and neurons with different weights until a final result is produced. Each neuron contributes to some extent to the final decision of the deep neural network according to the strength of its connections. The NEB operator prevents a neuron from influencing all connected neurons in the next layer by resetting its connection weights in the next layer to zero. Here, 5 operations are performed, and each time a layer of the trained original model is randomly selected to set all neurons to zero to build 5 mutation test models.

Neuronal Inverse Activation (NAI): The activation function plays a key role in shaping the nonlinear behavior of neuronal neural networks. Many widely used activation functions (such as ReLU, etc.) exhibit different behaviors according to their activation state. The NAI operator attempts to invert the activation state of a neuron, which can be achieved by changing the sign of the neuron's output value before applying the neuron's activation function. This helps generate more variant neuron activation patterns, each of which can exhibit new mathematical properties (such as linearity) of deep neural networks. Here, 5 operations are performed, and each time a layer of the trained original model is randomly selected, the weights of all neurons in the layer are negatively valued to realize the inverse activation of neurons, and 5 mutation test models are constructed.

Neuron Switch (NS): Neurons in one deep neural network layer often have different effects on connected neurons in the next layer. The NS operation exchanges the role and influence of several neurons on the next layer in one layer. Here, 5 operations are performed, and each time a layer of the trained original model is randomly selected to take the weight of 20% of the neurons for random exchange to build 5 mutation test models

3.3) Train and save the model

The trained mutation test model generated by the model-level mutation operator is directly saved, and the untrained mutation test model generated by the source-level mutation operator is trained and saved using the parameters in step 2).

4) Mutation detection

4.1) Define detection indicators

For a K classification problem, Z={x ₁ , . . . , x _K } are input data of all K classes, and _xi represents one class of data (i=1, 2...K). For a test data point t in the test set T', if the following conditions are met, it is said that t kills the data of type _xi in the mutation test model m' (where m'∈M', M' is each mutation test model The collection of, comprise 8 kinds of variation test models in the present embodiment, comprise 5 variation test models in every kind of variation test model):

I, t is correctly classified as x _i by the original model m;

II. t is incorrectly classified as x _i by the mutation test model m'.

Define the mutation score MutationScore(T', m') of the mutation test model m' as follows, where KilledClasses(T', m') is the set of classes of the test data in T' that kills the m' mutation test model:

In general, it is difficult to precisely predict the behavioral differences brought about by mutation operators. Therefore, as a preferred solution, in order to avoid introducing too many behavioral differences between the DL variant model and the original model, a quality control procedure for the DL variant model is proposed. The error rate on T' for each variation test model m' was measured. If the error rate of m' is too high for T', m' is not considered a good mutation test sample because it introduces large behavioral differences. These variant test models with high error rates were excluded from M′ for further analysis. Define the average error rate (AER) of each mutation test model m′∈M′ on T′ to measure the overall behavior difference effect introduced by all mutation operators:

Among them, ∑ _m'∈M' ErrorRate(T', m') represents the error rate of the test data T' in the mutation test model m'test;

4.2) Sorting Variation Test Model

Use the definition in 4.1) to carry out mutation detection on each saved mutation test model, first exclude several abnormal mutation test models with significantly higher average error rate (AER), and then use the variation scores of the remaining mutation test models Sorting from high to low, in general, the higher the score, the lower the robustness of the model.

5) Build the model graph structure

5.1) Define the neural network

为边集合，且每个节点v有一个节点的特征向量W_v。Define graph G=(V, E), where y={v ₁ ,...,v _n } is a node set,

is a collection of edges, and each node v has a node feature vector W _v .

5.2) Define the calculation graph of the model

为每前后两层之间有传播关系的两个神经元节点v_i，v_j之间的连线，边的权重设为由前一层向后一层传播时对应节点的特征向量矩阵的分量，以全连接网络为例，用公式描述为：Using the forward propagation algorithm, define the graph node set V={v ₁ ,...,v _n } as the neurons and edge sets of each layer

is the connection between two neuron nodes v _i and v _j that have a propagation relationship between the two layers before and after each layer, and the weight of the edge is set to the component of the feature vector matrix of the corresponding node when it propagates from the previous layer to the next layer , taking the fully connected network as an example, the formula is described as:

W _v =[w _i1 , w _i2 , . . . , w _ij , . . . ]

Among them, for each component w _ij , i represents the position of the subscript of the neuron in the previous layer network connected by the weight, and j represents the position of the subscript of the neuron in the subsequent layer connected by the weight. Generally, in a fully connected network, each neuron in the previous layer of the network has an edge with all neurons in the next layer, that is, from the 1st to the nth.

5.3) Use the calculation graph method defined in 5..2) to build a calculation graph structure for each model that has undergone a mutation test in 4.2).

6) Refactor the model under the guidance of graph structure indicators

6.1) Define a variety of graph structure indicators. In this embodiment, the following three graph structure indicators are used:

①Characteristic path length: The characteristic path length is an index to measure efficiency, which is defined as the average shortest path length of the network. The distance matrix used to calculate the shortest path must be a connection length matrix, usually obtained by mapping from weights to lengths. Here, the most commonly used weighted path length is used as the calculation standard, and the formula is as follows:

Wherein w _ij is the edge weight defined in step 3.2), l represents the lth layer, l=1, 2, ... L, L is the total number of layers of the neural network, here generally set l to be the neural network of subscript i in w _ij The layer the element is in.

② Degree: The degree of a point refers to the number of edges connected to the point in the graph. Let L _i represent the degree of the i-th node, which is defined as follows:

L _i = {v _i : e _ij ∈ E∧e _ji ∈ E}

Among them, v _i represents the i-th node, e _ij represents the edge between nodes i and j, and ∧ represents the logical intersection operation.

③Clustering coefficient: The clustering coefficient is a coefficient used to describe the degree of clustering between vertices in a graph. Specifically, it is the degree of interconnection between adjacent points of a point. Let CL _i represent the clustering coefficient of the i-th node, which is defined as follows:

where each e represents an edge between two nodes.

6.2) Refactoring model

Use the method in 6.1) to calculate each graph index corresponding to the graph structure of each original target model and each mutation test model, and observe the changes in the index according to the order of the mutation scores of each mutation test model, and find the ones with obvious variability trends The indicator guides the growth direction of the graph structure. Take the characteristic path length as an example. If it is observed that the characteristic path length increases with the variation score of each variation test model, it means that the larger the characteristic path length, the lower the robustness of the model. , therefore, adjust and fix the feature path length of the original target model to a small value, then back-calculate each weight value to obtain a new graph structure, and finally reconstruct the graph structure back to the model to obtain m _new .

7) Further, conduct adversarial attacks on the original model and the reconstructed model, and evaluate the robustness of the reconstructed model

Various adversarial attack methods are adopted, including FGSM attack, CW attack and PGD attack. For each attack, 1000 generated adversarial samples are randomly selected in each data set for attack. The three kinds of attacks set different parameters, among them, for FGSM attack, set parameter ε=2; for CW attack, use L ₂ norm attack, set initial value c=0.01, confidence degree k=0, iteration number epoch=200; For PGD attack, set parameter ε=2, step size α=ε/10, iteration number epoch=20.

Model robustness evaluation index; when subjected to adversarial attacks, the accuracy of the model is often used as an evaluation index of robust performance.

Accuracy rate: Accuracy rate indicates that for a given test data set, the ratio of the number of samples correctly classified by the classifier to the total number of samples

Among them, TP means that the positive class is judged as a positive class, FP means that a negative class is judged as a positive class, FN means that a positive class is judged as a negative class, and TN means that a negative class is judged as a negative class. The lower the accuracy rate, it indicates robust performance. The better, the more robust the model. The accuracy of the reconstructed model of the CIFAR-10 dataset is improved by an average of 30.7% under the three attacks compared with the original model.

The above-mentioned specific embodiments have described the technical solutions and beneficial effects of the present invention in detail. It should be understood that the above-mentioned are only the most preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, supplements and equivalent replacements made within the scope shall be included in the protection scope of the present invention.

Claims (8)

1. A deep model reinforcement method based on graph structure variation testing, characterized in that it comprises: 1) Obtain training data and test data; 2) Construct the original target model, and train the original target model based on the acquired training data; 3) Construct the mutation test model of the original target model, the mutation test model includes the mutation test model generated by using the source-level mutation operator and/or the model-level mutation operator; wherein, for the generated by using the model-level mutation operator The trained mutation test model is directly saved, and the untrained mutation test model generated by the source-level mutation operator is trained and saved based on the obtained training data and using the same parameters as the original target model training; 4) Carry out mutation detection to the variation test model based on the test data, and calculate the variation score of each variation test model:

Among them, M' is the set of each mutation test model, m' is the index of the mutation test model in each mutation test model, K is the number of types of labels of the test data, KilledClasses(T',m') represents the test data T The set of test data types in the 'killing mutation test model m'; for a test data point t in the test data T', if the following conditions are met, it is said that t kills the _xi type data in the mutation test model m'; Ⅰ. t is correctly classified as x _i by the original target model m; Ⅱ. t is not correctly classified as _xi by the mutation test model m′; wherein, the test data is divided into K categories based on the number of types of labels, and _xi represents the test data set whose type of label is i; 5) Construct the graph structure of the original target model and each variation test model, wherein the nodes in the graph structure correspond to the neurons of each layer of neural network, and the edges in the graph structure correspond to two The connection between neuron nodes, the weight of the edge is the component of the eigenvector matrix of the corresponding node when propagating from the previous layer to the next layer; 6) Calculate the graph structure index corresponding to the graph structure of the original target model and each variation test model, readjust the growth direction of the graph structure of the original target model according to the variation trend of the graph structure index of each variation test model with the variation score, Finally, the adjusted graph structure is reconstructed back to the model to achieve model reinforcement. 2. The method according to claim 1, wherein the source-level mutation operator comprises: LR operator: Randomly delete a layer from the original target model structure that has not been trained; LA operator: Randomly add a layer to the original target model structure that has never been trained; And/or AFR operator: Randomly remove all activation functions of a layer from the original target model structure that was not trained. 3. The method according to claim 1, wherein the model-level mutation operator comprises: GF operator: Based on the Gaussian distribution of weights in the trained original target model structure, change the value of the weight in the trained original target model structure; WS operator: Randomly select neurons in the trained original target model structure, and replace the weights of their connections to the previous layer; NEB operator: Randomly select the weights of all neurons in a layer from the trained original target model structure and set them to 0; NAI operator: in the trained original target model structure, the weights of all neurons in a layer are randomly selected and set to negative values; And/or NS operator: Randomly select the weights of 20% of the neurons in a layer from the trained original target model structure for random exchange. 4. The method according to claim 3, characterized in that, in the GF operator, the value of the weight is changed in the trained original target model structure, and the value range of the changed value is [w-3σ ,w+3σ]; where σ is the standard deviation of the Gaussian distribution of weights in the trained original target model structure. 5. The method according to claim 1, wherein the training data and test data obtained are image data, and the original target model is an image classification network model, which is obtained by training as follows: Taking each training sample in the training data as input and the predicted category of the training sample as output, the original target model constructed is trained by minimizing the loss between the output and the true label of the sample to obtain the trained original model. 6. method according to claim 1, is characterized in that, in described step 4), also comprises: Calculate the average error rate of each mutation test model m'∈M' on the test data T' to measure the overall behavior difference effect of each mutation model AveErrorRate(T',M'):

Among them, ∑ _m'∈M' ErrorRate(T', m') represents the error rate of the test data T' in the mutation test model m'test; Exclude one or several variant test models M' in which the overall behavior difference effect AveErrorRate(T', M') is high. 7. The method according to claim 1, characterized in that, in the step 6), the graph structure index includes: characteristic path length, degree and/or clustering coefficient. 8. The method according to claim 7, characterized in that, in the step 6), further comprising: using one or more adversarial attack methods to conduct an adversarial attack on the reconstructed model.

Images