CN115619616A - Method, device, equipment and medium for generating adversarial samples based on watermark perturbation - Google Patents

Info

Publication number: CN115619616A
Application number: CN202211401679.6A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending
Inventors: 梁锦超, 张泽, 薛鹤猛, 邱赛, 刘阳, 李善闯
Current Assignee: Qilu Aerospace Information Research Institute
Original Assignee: Qilu Aerospace Information Research Institute
Prior art keywords: sample, probability, adversarial, preset category, watermark

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06T IMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T1/00 General purpose image data processing
    • G06T1/0021 Image watermarking
    • G06T1/005 Robust watermarking, e.g. average attack or collusion attack resistant
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00 Arrangements for image or video recognition or understanding
    • G06V10/70 Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/764 Arrangements for image or video recognition or understanding using pattern recognition or machine learning using classification, e.g. of video objects
    • G06V10/765 Arrangements for image or video recognition or understanding using pattern recognition or machine learning using classification, e.g. of video objects using rules for classification or partitioning the feature space

Abstract

The present disclosure provides a method for generating adversarial samples based on watermark perturbation, applied to the technical field of image processing, comprising: obtaining perturbation parameters for embedding a watermark image into a host image; randomly initializing the perturbation parameters to generate a first adversarial sample; applying heuristic-algorithm minimization to the perturbation parameters obtained after the random initialization to generate a second adversarial sample; and determining the finally generated adversarial sample from the first adversarial sample and the second adversarial sample. The disclosure also provides an apparatus for generating adversarial samples based on watermark perturbation, an electronic device and a storage medium, which can complete an adversarial attack and copyright protection at the same time.

Description

Adversarial sample generation method, device, equipment and medium based on watermark perturbation
Technical Field
The present disclosure relates to the field of image processing technologies, and in particular, to a method and an apparatus for generating adversarial samples based on watermark perturbation, an electronic device, and a storage medium.
Background
In recent years, with the continuous development of artificial intelligence security, adversarial samples have attracted more and more attention in the field. Generally speaking, common adversarial attack methods generate adversarial samples by adding random noise matrices to the original image matrices. Adversarial samples generated this way have good visual quality, but the perturbation information is random noise and has no real-world meaning.
In recent years, methods for generating adversarial samples through visible watermark perturbation have been proposed; these methods mainly generate adversarial samples by adding a visible watermark matrix to the original image matrix. Therefore, there is a need for a new type of adversarial sample that has both a visual quality comparable to that of an adversarial sample generated by a common attack method and perturbation information as meaningful as that of an adversarial sample perturbed by a visible watermark.
Disclosure of Invention
The present disclosure mainly aims to provide a method and an apparatus for generating adversarial samples based on watermark perturbation, an electronic device, and a storage medium, in order to solve the technical problem in the prior art that the visual quality of adversarial samples is poor.
In order to achieve the above object, a first aspect of the embodiments of the present disclosure provides a method for generating adversarial samples based on watermark perturbation, including:
acquiring perturbation parameters for embedding the watermark image into the host image;
randomly initializing the perturbation parameters to generate a first adversarial sample;
applying heuristic-algorithm minimization to the perturbation parameters obtained after the random initialization, to generate a second adversarial sample;
determining a finally generated adversarial sample from the first adversarial sample and the second adversarial sample.
In an embodiment of the present disclosure, the determining a finally generated adversarial sample from the first adversarial sample and the second adversarial sample includes:
determining the probability that the first adversarial sample belongs to a preset category and the probability that the second adversarial sample belongs to the preset category;
determining the finally generated adversarial sample from the first adversarial sample and the second adversarial sample based on the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category.
In an embodiment of the present disclosure, the determining, based on the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category, the finally generated adversarial sample from the first adversarial sample and the second adversarial sample includes:
judging whether the probability that the second adversarial sample belongs to the preset category is smaller than the probability that the first adversarial sample belongs to the preset category;
and taking the second adversarial sample as the finally generated adversarial sample in the case that the probability that the second adversarial sample belongs to the preset category is smaller than the probability that the first adversarial sample belongs to the preset category.
In an embodiment of the present disclosure, the determining the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category includes:
constructing an objective function in a non-targeted attack or targeted attack manner;
and determining, according to the objective function, the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category.
In an embodiment of the present disclosure, the method further includes:
in the case that the probability that the second adversarial sample belongs to the preset category is not smaller than the probability that the first adversarial sample belongs to the preset category, taking the first adversarial sample as the finally generated adversarial sample.
In an embodiment of the present disclosure, the method further includes:
storing the perturbation parameters used by the finally generated adversarial sample.
In an embodiment of the present disclosure, the perturbation parameters include the number of channels for embedding the watermark image into the host image and the number of iterations of the adversarial attack method.
A second aspect of the embodiments of the present disclosure provides an apparatus for generating adversarial samples based on watermark perturbation, including:
an acquisition module, configured to acquire the perturbation parameters for embedding the watermark image into the host image;
an initialization module, configured to randomly initialize the perturbation parameters to generate a first adversarial sample;
a minimization module, configured to apply heuristic-algorithm minimization to the perturbation parameters obtained after the random initialization, to generate a second adversarial sample;
a determining module, configured to determine a finally generated adversarial sample from the first adversarial sample and the second adversarial sample.
In an embodiment of the present disclosure, the determining module includes:
a first determining sub-module, configured to determine the probability that the first adversarial sample belongs to a preset category and the probability that the second adversarial sample belongs to the preset category;
a second determining sub-module, configured to determine the finally generated adversarial sample from the first adversarial sample and the second adversarial sample based on the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category.
In an embodiment of the present disclosure, the second determining sub-module includes:
a judging unit, configured to judge whether the probability that the second adversarial sample belongs to the preset category is smaller than the probability that the first adversarial sample belongs to the preset category;
a first selecting unit, configured to, when the probability that the second adversarial sample belongs to the preset category is smaller than the probability that the first adversarial sample belongs to the preset category, take the second adversarial sample as the finally generated adversarial sample.
In an embodiment of the present disclosure, the first determining sub-module includes:
a constructing unit, configured to construct an objective function in a non-targeted attack or targeted attack manner;
a determining unit, configured to determine, according to the objective function, the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category.
In an embodiment of the present disclosure, the apparatus further includes:
a second selecting unit, configured to, when the probability that the second adversarial sample belongs to the preset category is not smaller than the probability that the first adversarial sample belongs to the preset category, take the first adversarial sample as the finally generated adversarial sample.
In an embodiment of the present disclosure, the apparatus further includes:
a storage module, configured to store the perturbation parameters used by the finally generated adversarial sample.
In an embodiment of the present disclosure, the perturbation parameters include the number of channels for embedding the watermark image into the host image and the number of iterations of the adversarial attack method.
A third aspect of the embodiments of the present disclosure provides an electronic device, including:
a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the computer program, implements the method for generating adversarial samples based on watermark perturbation provided by the first aspect of the embodiments of the present disclosure.
A fourth aspect of the embodiments of the present disclosure provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for generating adversarial samples based on watermark perturbation provided in the first aspect of the embodiments of the present disclosure.
As can be seen from the foregoing embodiments, in the method and apparatus for generating adversarial samples based on watermark perturbation, the electronic device, and the storage medium provided in the present disclosure, perturbation parameters for embedding a watermark image into a host image are obtained, the perturbation parameters are randomly initialized to generate a first adversarial sample, heuristic-algorithm minimization is applied to the perturbation parameters obtained after the random initialization to generate a second adversarial sample, and a finally generated adversarial sample is determined from the first adversarial sample and the second adversarial sample.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic flowchart of a method for generating adversarial samples based on watermark perturbation according to an embodiment of the present disclosure;
Fig. 2 is a schematic structural diagram of an apparatus for generating adversarial samples based on watermark perturbation according to an embodiment of the present disclosure;
Fig. 3 shows a hardware structure diagram of an electronic device.
Detailed Description
In order to make the objects, features and advantages of the present disclosure more apparent and understandable, the technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The method, apparatus, electronic device and storage medium for generating adversarial samples based on watermark perturbation provided by the present disclosure acquire the perturbation parameters for embedding the watermark image into the host image, randomly initialize the perturbation parameters to generate a first adversarial sample, apply heuristic-algorithm minimization to the perturbation parameters obtained after the random initialization to generate a second adversarial sample, and determine the finally generated adversarial sample from the first adversarial sample and the second adversarial sample. The watermark embedded in the generated adversarial sample is not easy to find, the visual perturbation is greatly reduced, and the sample is not easy to crack; the adversarial attack and the copyright protection are completed at the same time, so the method and apparatus have a large commercial application prospect.
In an exemplary application scenario, with the continuous development of internet technology, most users inevitably publish some multimedia content (videos and images) on public platforms. A user first applies the method for generating adversarial samples based on watermark perturbation provided by the present disclosure to the multimedia content and then publishes the adversarial samples. The adversarial samples have good visual quality and do not affect the user's purpose of sharing; at the same time, they can prevent the multimedia content from being maliciously used by some software. The perturbation information in an adversarial sample is the watermark and can represent ownership of the adversarial sample, and the user can extract the watermark from the adversarial sample according to the method to protect their own rights and interests.
Referring to Fig. 1, Fig. 1 is a schematic flowchart of a method for generating adversarial samples based on watermark perturbation according to an embodiment of the present disclosure, where the method mainly includes the following steps S101-S104:
S101, obtaining perturbation parameters for embedding the watermark image into the host image.
Specifically, selecting the host image determines the original image on which the adversarial attack is performed, and the present disclosure only attacks images that are correctly classified under a specific classification model (such as ResNet101, Inception_V3, VGG16, etc.). The watermark image can be selected according to the requirements of the user.
The perturbation parameters comprise the number C of channels of the watermark image embedded into the host image and the iteration number I of the adversarial attack method. If the image is in YUV or RGB mode, the value of C is 1-3, and if the image is in CMYK mode, the value of C is 1-4. The present disclosure takes an image in YUV or RGB mode as an example for explanation, that is, the value of C is 1-3.
The present disclosure may select a digital watermarking technique to be subsequently fused into a heuristic algorithm to generate adversarial samples. Digital watermarking techniques are mainly divided into visible watermarking and invisible watermarking, and the present disclosure adopts invisible watermarking. Common invisible watermarking techniques are difference expansion, histogram, and discrete wavelet transform. The method adopts a difference expansion or discrete wavelet transform watermarking technique, which improves the robustness of the adversarial sample and is suitable for copyright protection.
S102, randomly initializing the perturbation parameters to generate a first adversarial sample.
In the present disclosure, the two perturbation parameters, the number C of channels for embedding the watermark image into the host image and the iteration number I of the adversarial attack method, are randomly initialized, and the initial solution is denoted $S^{*} = S(C^{*}, I^{*})$, that is, the two perturbation parameters after initialization are $C^{*}$ and $I^{*}$, respectively. The adversarial sample generated at this point is denoted $g(*) = g(H, W, C^{*}, I^{*})$, where H represents the host image and W represents the watermark image. The probability that the adversarial sample belongs to the preset category is $f_t(g(H, W, C, I))$, where t is the preset category. The minimization by the heuristic algorithm is denoted as a function L(), and the solution $S^{*}$ has the corresponding function value $L(f_t(g(*))) = L(f_t(g(H, W, C^{*}, I^{*})))$.
S103, applying heuristic-algorithm minimization to the perturbation parameters obtained after the random initialization, to generate a second adversarial sample.
New perturbation parameters are generated by the minimization method of the heuristic algorithm. The algorithm is denoted as a function AL(), and a new solution $S^{**} = S(C^{**}, I^{**})$ is evolved based on the function AL(), that is, the current value of C is $C^{**}$ and the current value of I is $I^{**}$. The process conforms to formula 1.
$S^{**} = AL(S^{*})$ (formula 1)
S104, determining a finally generated adversarial sample from the first adversarial sample and the second adversarial sample.
In an embodiment of the present disclosure, S104 includes: determining the probability that the first adversarial sample belongs to a preset category and the probability that the second adversarial sample belongs to the preset category, and determining the finally generated adversarial sample from the first adversarial sample and the second adversarial sample based on the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category.
An Accept() function may be set to either accept or reject the solution $S^{**}$. The process follows the following equation. Here $g(S^{**})$ represents the second adversarial sample generated from solution $S^{**}$, and $f_t(g(S^{**}))$ represents the probability that the second adversarial sample $g(S^{**})$ belongs to the preset category t. Likewise, $g(S^{*})$ represents the first adversarial sample generated from solution $S^{*}$, and $f_t(g(S^{*}))$ represents the probability that the first adversarial sample $g(S^{*})$ belongs to the preset category t.
In an embodiment of the present disclosure, the determining the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category includes: constructing an objective function in a non-targeted attack or targeted attack manner, and determining, according to the objective function, the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category.
In the present disclosure, an objective function is constructed in order to complete the adversarial attack for a specific task. A non-targeted attack can be realized by minimizing the probability that the host image belongs to the correct class, and a targeted attack can be realized by maximizing the probability that the host image belongs to a certain incorrect class. Once an advanced deep learning classification model assigns an image to a class other than its correct class, the image is an adversarial sample, that is, the adversarial attack is completed.
If the objective function is constructed in the non-targeted attack manner, the objective function satisfies formula 2 below. $f_t(H)$ represents the probability that the host image belongs to the preset category, $g(H, W, C, I)$ represents the correspondingly generated adversarial sample, $f_t(g(H, W, C, I))$ represents the probability that the adversarial sample belongs to the preset category, and M represents the maximum value of I; the value of M is verified by a number of experiments and is a hyperparameter. The requirement thus reduces to minimizing $f_t(g(H, W, C, I))$, i.e., minimizing the probability that the adversarial sample belongs to the preset category. When the value of $f_t(g(H, W, C, I))$ is low enough, the deep learning model misclassifies the generated adversarial sample, that is, the adversarial attack is completed.
$\min f_t(g(H, W, C, I))$, subject to $I \le M$ (formula 2)
If the objective function is constructed in the targeted attack manner, the objective function satisfies formula 3. This objective function differs from the previous one mainly as follows: the previous objective function aims at minimizing the probability that the adversarial sample belongs to class t, i.e., minimizing the probability that the adversarial sample belongs to the correct class, whereas this objective function aims at maximizing the probability that the adversarial sample belongs to another preset category o. The category o can be specified, but it cannot be the correct classification of the image; maximizing the probability that the adversarial sample belongs to the other preset category o achieves the targeted attack.
$\max f_o(g(H, W, C, I))$, subject to $I \le M$ (formula 3)
In the present disclosure, an objective function constructed in the non-targeted attack manner is taken as an example to schematically illustrate the method for generating adversarial samples based on watermark perturbation provided by the present disclosure.
In an embodiment of the disclosure, the determining the finally generated adversarial sample from the first adversarial sample and the second adversarial sample based on the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category includes: judging whether the probability that the second adversarial sample belongs to the preset category is smaller than the probability that the first adversarial sample belongs to the preset category, and taking the second adversarial sample as the finally generated adversarial sample in the case that the probability that the second adversarial sample belongs to the preset category is smaller than the probability that the first adversarial sample belongs to the preset category.
Specifically, if $f_t(g(S^{**}))$ is less than $f_t(g(S^{*}))$, the perturbation parameters $C^{**}$ and $I^{**}$ are accepted, since they further lower the probability that the second adversarial sample belongs to the preset category t and are more likely to fool the trained deep learning model. Otherwise, the perturbation parameters $C^{**}$ and $I^{**}$ are rejected.
In an embodiment of the present disclosure, in the case that the probability that the second adversarial sample belongs to the preset category is not smaller than the probability that the first adversarial sample belongs to the preset category, the first adversarial sample is taken as the finally generated adversarial sample.
Specifically, if $f_t(g(S^{**}))$ is not less than $f_t(g(S^{*}))$, perturbation parameters C and I are accepted, since the probability that the second adversarial sample belongs to the preset category t is further reduced by the perturbation parameters C and I, and it is more likely to fool the trained deep learning model.
In an embodiment of the present disclosure, the method shown in Fig. 1 further includes: storing the perturbation parameters used by the finally generated adversarial sample, for subsequent extraction of the embedded invisible watermark for copyright protection. Specifically, the set of perturbation parameters of the adversarial sample can be recorded directly into a file, and obtaining the file requires authorization. Further, the file requiring authorization can be encrypted with a specific encryption algorithm, so that the security of the adversarial attack method is further enhanced.
In addition, the host image and the watermark image can first be encrypted, and the encrypted watermark image is then embedded into the encrypted host image. Triple encryption can be realized in this way, the encryption process can be implemented through asymmetric encryption, and the security of the adversarial attack method is further improved. The perturbation parameters in the adversarial sample are stored to protect the copyright of the adversarial sample. According to the authorization file, the watermark information in the new adversarial sample can be extracted for copyright protection of the adversarial sample.
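Steps S101-S104 and the parameter storage described above, as an added example that is not code from the patent. The classifier `f_t`, the additive embedding in `g`, the greedy neighbour search standing in for AL(), the bound M = 8 and all sample data are assumptions constructed for illustration; the patent itself names difference expansion or discrete wavelet transform for embedding and does not specify the heuristic.

```python
import json
import math
import random

M = 8      # bound on I in formula 2 (I <= M); the value 8 is assumed
MAX_C = 3  # RGB host image, so C ranges over 1..3

# Constructed sample data: a 4x4 RGB host image H (faint checkerboard)
# and a 16-bit watermark W, one bit per pixel.
TEMPLATE = [1 if p % 2 == 0 else -1 for p in range(16)]
HOST = [(120 + 6 * t, 128 + 6 * t, 136 + 6 * t) for t in TEMPLATE]
WATERMARK = [1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 0, 0]


def f_t(image):
    """Toy classifier (assumption): probability that image is in class t."""
    weights, bias = (0.5, -0.3, 0.4), -2.6
    score = bias
    for ch, w in enumerate(weights):
        texture = sum(t * px[ch] for t, px in zip(TEMPLATE, image)) / len(image)
        score += w * texture
    return 1.0 / (1.0 + math.exp(-score))


def g(host, watermark, C, I):
    """g(H, W, C, I): add +I (bit 1) or -I (bit 0) to the first C channels.
    Additive embedding is an assumption, not the patent's DE/DWT scheme."""
    sample = []
    for px, bit in zip(host, watermark):
        delta = I if bit else -I
        sample.append(tuple(min(255, max(0, v + delta)) if ch < C else v
                            for ch, v in enumerate(px)))
    return sample


def heuristic_al(host, watermark, start):
    """AL(): greedy neighbour search over (C, I); a stand-in heuristic."""
    current, current_p = start, f_t(g(host, watermark, *start))
    while True:
        C, I = current
        steps = ((C - 1, I), (C + 1, I), (C, I - 1), (C, I + 1))
        neighbours = [(c, i) for c, i in steps
                      if 1 <= c <= MAX_C and 1 <= i <= M]
        best = min(neighbours, key=lambda s: f_t(g(host, watermark, *s)))
        best_p = f_t(g(host, watermark, *best))
        if best_p >= current_p:  # no neighbour lowers f_t: stop
            return current
        current, current_p = best, best_p


def select_final(host, watermark, first):
    """S103 and S104: evolve S** = AL(S*), keep the sample with lower f_t."""
    second = heuristic_al(host, watermark, first)
    p_first = f_t(g(host, watermark, *first))
    p_second = f_t(g(host, watermark, *second))
    if p_second < p_first:
        chosen, params, prob = "second", second, p_second
    else:  # "not smaller": the first sample is the final one
        chosen, params, prob = "first", first, p_first
    return {"chosen": chosen, "C": params[0], "I": params[1],
            "prob": prob, "first_prob": p_first}


def generate(host, watermark, rng):
    """S102: random initialisation of (C*, I*), then S103 and S104."""
    first = (rng.randint(1, MAX_C), rng.randint(1, M))
    return select_final(host, watermark, first)


def extract(sample, host, params_json):
    """Recover W from the stored parameters plus the host image
    (non-blind extraction, an assumption): vote over the C channels."""
    C = json.loads(params_json)["C"]
    bits = []
    for adv, orig in zip(sample, host):
        votes = sum(1 if adv[ch] > orig[ch] else -1 for ch in range(C))
        bits.append(1 if votes > 0 else 0)
    return bits


if __name__ == "__main__":
    result = generate(HOST, WATERMARK, random.Random(0))
    stored = json.dumps({"C": result["C"], "I": result["I"]})  # parameter file
    sample = g(HOST, WATERMARK, result["C"], result["I"])
    print("f_t(host):", round(f_t(HOST), 3))
    print("final:", result)
    print("watermark recovered:", extract(sample, HOST, stored) == WATERMARK)
```

With this toy classifier the search started at C = 1 stops at a local optimum (C = 1, I = M) rather than the global one, which is the behaviour the first-versus-second comparison in S104 has to tolerate.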
Referring to Fig. 2, Fig. 2 is a schematic structural diagram of an apparatus for generating adversarial samples based on watermark perturbation according to an embodiment of the present disclosure. The apparatus may be embedded in an electronic device, and mainly includes:
an obtaining module 210, configured to obtain the perturbation parameters for embedding the watermark image into the host image;
an initialization module 220, configured to randomly initialize the perturbation parameters to generate a first adversarial sample;
a minimization module 230, configured to apply heuristic-algorithm minimization to the perturbation parameters obtained after the random initialization, to generate a second adversarial sample;
a determining module 240, configured to determine a finally generated adversarial sample from the first adversarial sample and the second adversarial sample.
In an embodiment of the present disclosure, the determining module 240 includes:
a first determining sub-module, configured to determine the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category;
a second determining sub-module, configured to determine the finally generated adversarial sample from the first adversarial sample and the second adversarial sample based on the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category.
In an embodiment of the present disclosure, the second determining sub-module includes:
a judging unit, configured to judge whether the probability that the second adversarial sample belongs to the preset category is smaller than the probability that the first adversarial sample belongs to the preset category;
a first selecting unit, configured to, when the probability that the second adversarial sample belongs to the preset category is smaller than the probability that the first adversarial sample belongs to the preset category, take the second adversarial sample as the finally generated adversarial sample.
In an embodiment of the disclosure, the first determining sub-module includes:
a constructing unit, configured to construct an objective function in a non-targeted attack or targeted attack manner;
a determining unit, configured to determine, according to the objective function, the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category.
In an embodiment of the present disclosure, the apparatus further includes:
a second selecting unit, configured to take the first adversarial sample as the finally generated adversarial sample in the case that the probability that the second adversarial sample belongs to the preset category is not less than the probability that the first adversarial sample belongs to the preset category.
In an embodiment of the present disclosure, the apparatus further includes:
a storage module, configured to store the perturbation parameters used by the finally generated adversarial sample.
In an embodiment of the present disclosure, the perturbation parameters include the number of channels for embedding the watermark image into the host image and the number of iterations of the adversarial attack method.
Referring to Fig. 3, Fig. 3 shows a hardware structure diagram of an electronic device.
The electronic device described in this embodiment includes:
a memory 31, a processor 32, and a computer program stored on the memory 31 and executable on the processor 32, the processor 32 implementing the adversarial sample generation method based on watermark perturbation described in the embodiment of fig. 1.
Further, the electronic device further includes:
at least one input device 33; at least one output device 34.
The memory 31, the processor 32, the input device 33 and the output device 34 are connected by a bus 35.
The input device 33 may be a camera, a touch panel, a physical button, or a mouse. The output device 34 may specifically be a display screen.
The memory 31 may be a random access memory (RAM) or a non-volatile memory, such as a disk memory. The memory 31 is used for storing a set of executable program code, and the processor 32 is coupled to the memory 31.
Further, an embodiment of the present disclosure also provides a computer-readable storage medium, where the computer-readable storage medium may be provided in the electronic device in the foregoing embodiments, and the computer-readable storage medium may be the electronic device in the foregoing embodiment shown in fig. 3. The computer-readable storage medium has a computer program stored thereon, and the program, when executed by a processor, implements the method for generating adversarial samples based on watermark perturbation described in the embodiment shown in fig. 1. Further, the computer-readable medium may be a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or various other media capable of storing program code.
It should be noted that the functional modules in the embodiments of the present disclosure may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated module may be implemented in hardware or as a software functional module.
The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the present disclosure, or the part of them that substantially contributes to the prior art, may be embodied in whole or in part in the form of a software product.
It is noted that, for simplicity of explanation, the foregoing method embodiments have been described as a series of acts or combinations of acts, but those skilled in the art will appreciate that the present disclosure is not limited by the order of acts, as some steps may, in accordance with the present disclosure, occur in other orders or concurrently. Further, those skilled in the art will appreciate that the embodiments described in the specification are preferred embodiments, and that the acts and modules involved are not necessarily required by the present disclosure.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to the related descriptions of other embodiments.
The above describes the method, apparatus, electronic device and readable storage medium for generating adversarial samples based on watermark perturbation provided by the present disclosure. For those skilled in the art, there may be variations in the specific implementation and application scope according to the ideas of the embodiments of the present disclosure. In summary, the content of this specification should not be construed as a limitation to the present disclosure.

Claims (10)

1. A method for generating adversarial samples based on watermark perturbation, characterized by comprising the following steps:
acquiring perturbation parameters for embedding the watermark image into the host image;
randomly initializing the perturbation parameters to generate a first adversarial sample;
performing heuristic-algorithm minimization on the perturbation parameters obtained after the random initialization, to generate a second adversarial sample;
determining a finally generated adversarial sample from the first adversarial sample and the second adversarial sample.
2. The method according to claim 1, wherein the determining the finally generated adversarial sample from the first adversarial sample and the second adversarial sample comprises:
determining a probability that the first adversarial sample belongs to a preset category and a probability that the second adversarial sample belongs to the preset category;
determining the finally generated adversarial sample from the first adversarial sample and the second adversarial sample based on the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category.
3. The method as claimed in claim 1, wherein the determining the finally generated adversarial sample from the first adversarial sample and the second adversarial sample based on the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category comprises:
judging whether the probability that the second adversarial sample belongs to the preset category is smaller than the probability that the first adversarial sample belongs to the preset category;
and taking the second adversarial sample as the finally generated adversarial sample when the probability that the second adversarial sample belongs to the preset category is smaller than the probability that the first adversarial sample belongs to the preset category.
4. The method of claim 2, wherein the determining the probability that the first adversarial sample belongs to a preset category and the probability that the second adversarial sample belongs to the preset category comprises:
constructing an objective function in a non-targeted attack or targeted attack mode;
and determining, according to the objective function, the probability that the first adversarial sample belongs to the preset category and the probability that the second adversarial sample belongs to the preset category.
5. The method for generating adversarial samples based on watermark perturbation of claim 3, wherein the method further comprises:
taking the first adversarial sample as the finally generated adversarial sample when the probability that the second adversarial sample belongs to the preset category is not smaller than the probability that the first adversarial sample belongs to the preset category.
6. The method for generating adversarial samples based on watermark perturbation according to any one of claims 1 to 5, wherein the method further comprises:
storing the perturbation parameters used by the finally generated adversarial sample.
7. The method as claimed in claim 6, wherein the perturbation parameters include the number of channels for embedding the watermark image into the host image, and the number of iterations of the adversarial attack method.
8. An adversarial sample generation apparatus based on watermark perturbation, comprising:
an acquisition module, configured to acquire perturbation parameters for embedding the watermark image into the host image;
an initialization module, configured to randomly initialize the perturbation parameters to generate a first adversarial sample;
a minimization module, configured to perform heuristic-algorithm minimization on the perturbation parameters obtained after the random initialization, to generate a second adversarial sample;
a determining module, configured to determine a finally generated adversarial sample from the first adversarial sample and the second adversarial sample.
9. An electronic device, comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method for generating adversarial samples based on watermark perturbation according to any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of the method for generating adversarial samples based on watermark perturbation according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211401679.6A CN115619616A (en) 2022-11-09 2022-11-09 Method, device, equipment and medium for generating confrontation sample based on watermark disturbance

Publications (1)

Publication Number Publication Date
CN115619616A true CN115619616A (en) 2023-01-17

Family

ID=84879341

Country Status (1)

Country Link
CN (1) CN115619616A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116975797A (en) * 2023-09-25 2023-10-31 中国科学技术大学 Text content protection method for OCR extraction attack
CN116975797B (en) * 2023-09-25 2024-02-23 中国科学技术大学 Text content protection method for OCR extraction attack
CN117408907A (en) * 2023-12-15 2024-01-16 齐鲁空天信息研究院 Method and device for improving image countermeasure capability and electronic equipment
CN117408907B (en) * 2023-12-15 2024-03-22 齐鲁空天信息研究院 Method and device for improving image countermeasure capability and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination