CN116415631A - Image processing method and device - Google Patents

Publication number
CN116415631A
Authority
CN
China
Prior art keywords
network layer
result
neural network
result output
output
Legal status
Pending
Application number
CN202310093433.5A
Other languages
Chinese (zh)
Inventor
邱寒
张园超
王龙
Current Assignee
Zhejiang eCommerce Bank Co Ltd
Original Assignee
Zhejiang eCommerce Bank Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Evolutionary Computation (AREA)
  • Computational Linguistics (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Biophysics (AREA)
  • Data Mining & Analysis (AREA)
  • Mathematical Physics (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Image Analysis (AREA)

Abstract

Embodiments of the present specification provide an image processing method and apparatus, wherein the image processing method is applied to an image processing model including a neural network layer and a result output network layer associated with the neural network layer, the method including: inputting an image to be processed into the image processing model, and processing the image to be processed by utilizing the neural network layer to obtain an intermediate output result output by the neural network layer; inputting the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer; and, when the prediction result meets a preset result condition, determining the prediction result as a target prediction result of the image to be processed. Prediction can thus be finished early and dynamically when the image processing model is used for image processing, which realizes defense against bit flip attacks and ensures the prediction accuracy of the model.

Description

Image processing method and device
Technical Field
The embodiments of this specification relate to the technical field of model training, and in particular to an image processing method.
Background
With the development of computer technology, neural network models are widely used in various fields, such as autonomous driving, malware detection, and medical diagnosis. However, a neural network model may be attacked maliciously at run time. One example is an attack on the model parameters (i.e. a bit flip attack): because the neural network model must be loaded into a computer's memory to run, flipping bits of the model parameters in memory tampers with those parameters, which can cause model prediction errors and thereby reduce model prediction accuracy. Therefore, an effective solution is needed to solve the above problems.
Disclosure of Invention
In view of this, the embodiments of this specification provide an image processing method. One or more embodiments of this specification also relate to an image processing apparatus, a neural network model training method, a neural network model training apparatus, a computing device, a computer-readable storage medium, and a computer program, to address the technical deficiencies of the prior art.
According to a first aspect of embodiments of the present specification, there is provided an image processing method applied to an image processing model including a neural network layer, and a result output network layer associated with the neural network layer, the method comprising:
inputting an image to be processed into the image processing model, and processing the image to be processed by utilizing the neural network layer to obtain an intermediate output result output by the neural network layer;
inputting the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer;
and, when the prediction result meets a preset result condition, determining the prediction result as a target prediction result of the image to be processed.
According to a second aspect of embodiments of the present specification, there is provided an image processing apparatus applied to an image processing model including a neural network layer, and a result output network layer associated with the neural network layer, the apparatus comprising:
the first input module is configured to input an image to be processed into the image processing model, process the image to be processed by utilizing the neural network layer, and obtain an intermediate output result output by the neural network layer;
the second input module is configured to input the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer;
and the determining module is configured to determine the prediction result as a target prediction result of the image to be processed when the prediction result meets a preset result condition.
According to a third aspect of embodiments of the present specification, there is provided a neural network model training method, including:
determining a neural network layer of an initial neural network model, and adding a result output network layer after the neural network layer to obtain a target neural network model;
inputting an image training sample into the neural network layer to obtain an intermediate output result output by the neural network layer;
inputting the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer;
and training the result output network layer by utilizing the image training label corresponding to the image training sample and the prediction result until a target neural network model meeting the training stop condition is obtained.
According to a fourth aspect of embodiments of the present specification, there is provided a neural network model training apparatus, comprising:
the adding module is configured to determine a neural network layer of the initial neural network model, and add a result output network layer after the neural network layer to obtain a target neural network model;
the first input module is configured to input an image training sample into the neural network layer to obtain an intermediate output result output by the neural network layer;
the second input module is configured to input the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer;
and the training module is configured to train the result output network layer by utilizing the image training label corresponding to the image training sample and the prediction result until a target neural network model meeting the training stop condition is obtained.
According to a fifth aspect of embodiments of the present specification, there is provided a computing device comprising:
a memory and a processor;
the memory is configured to store computer-executable instructions that, when executed by the processor, perform the steps of the method described above.
According to a sixth aspect of embodiments of the present description, there is provided a computer readable storage medium storing computer executable instructions which, when executed by a processor, implement the steps of the above-described method.
According to a seventh aspect of the embodiments of the present specification, there is provided a computer program, wherein the computer program, when executed in a computer, causes the computer to perform the steps of the above method.
An embodiment of this specification provides an image processing method applied to an image processing model, where the image processing model includes a neural network layer and a result output network layer associated with the neural network layer. An image to be processed is input into the image processing model and processed by the neural network layer to obtain an intermediate output result output by the neural network layer; the intermediate output result is input into the result output network layer to obtain a prediction result output by the result output network layer; and, when the prediction result meets a preset result condition, the prediction result is determined as a target prediction result of the image to be processed.
According to the method, a result output network layer associated with the neural network layer is provided in the image processing model, the intermediate output result output by the neural network layer is input into the result output network layer, and, when the prediction result output by the result output network layer meets the preset result condition, that prediction result is output as the output result of the image processing model. Prediction can therefore be finished early and dynamically when the image processing model is used for image processing, i.e. the model has the capability of finishing prediction in advance. Because the prediction result is output by a randomly selected result output network layer, the probability of being affected by a bit flip attack is reduced, and a neural network layer that has been attacked by bit flipping is ignored during model prediction. This reduces the impact of a bit flip attack on the parameters of a neural network layer in the image processing model, realizes defense against bit flip attacks, avoids model prediction errors caused by such attacks, and ensures the prediction accuracy of the model.
Drawings
FIG. 1 is a schematic diagram of a bit flip attack provided by one embodiment of the present description;
FIG. 2 is a schematic diagram of an application scenario of an image processing method according to an embodiment of the present disclosure;
FIG. 3 is a flow chart of an image processing method provided in one embodiment of the present disclosure;
FIG. 4 is a schematic diagram of an image processing model in an image processing method according to an embodiment of the present disclosure;
FIG. 5 is a schematic flow chart of training an image processing model in an image processing method according to an embodiment of the present disclosure;
FIG. 6 is a process flow diagram of an image processing method according to one embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram of an image processing apparatus according to an embodiment of the present specification;
FIG. 8 is a flowchart of a neural network model training method provided in one embodiment of the present disclosure;
FIG. 9 is a schematic structural diagram of a neural network model training device according to an embodiment of the present disclosure;
FIG. 10 is a block diagram of a computing device provided in one embodiment of the present description.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of this specification. However, this specification can be implemented in many forms other than those described herein, and those skilled in the art can make similar generalizations without departing from its spirit; therefore, this specification is not limited by the specific implementations disclosed below.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present specification refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that, although the terms first, second, etc. may be used in one or more embodiments of this specification to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first may also be referred to as a second, and similarly, a second may also be referred to as a first, without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at the time of …", "when …" or "in response to determining", depending on the context.
First, terms related to one or more embodiments of the present specification will be explained.
Bit flip attack: in a computer device, a neural network model needs to be loaded into memory for execution. Bit flipping generally refers to modifying a bit value in memory at the hardware level (for example, changing the bit value from 0 to 1 or from 1 to 0), so that data stored in memory by other programs can be manipulated without requiring administrator privileges.
Weight error injection attack: a deep neural network model consists mainly of parameters, the most important of which are the weights. A common neural network model has hundreds of millions of weights, yet modifying only a few of them (fewer than 10) can thoroughly destroy the model, for example by changing its accuracy from more than 90% to 10%, or, after a backdoor is implanted, the inference result can be manipulated through a trigger. Such a weight error injection attack can be implemented by an attacker modifying the corresponding bits of the key weights of the neural network model on a computer device, and the attack can be carried out by manipulating fewer than 10 bits.
In practice, bit flip attacks can be classified into directional attacks and non-directional attacks. The goal of a non-directional bit flip attack is to reduce the accuracy of the victim model to the point where the model is unusable. A directional bit flip attack misleads the victim model into predicting a particular sample, or a sample embedded with a particular trigger, as a particular class, while the model's accuracy on other samples is preserved. The directional attack is therefore harder to notice. There are three main kinds of existing bit flip attack methods:
TBT attacks are directed bit flip attacks that inject a backdoor into the victim model by flipping bits. The attacker's goal is for the victim model to keep its accuracy on benign input samples but to make errors on samples embedded with a specific trigger. The attacker activates the backdoor implanted in the model by embedding the special trigger into the input samples, and the model classifies all input samples carrying that trigger into a particular target class. TBT attacks only attack bits in the last layer of the victim model. First, the attacker selects several key neurons in the last layer that have the greatest impact on the target class. A special trigger is then generated such that, when the trigger is included in the input sample, the selected neurons are activated. Finally, the attacker uses an optimization algorithm to solve for and modify the key parameters corresponding to these neurons.
ProFlip attacks implant a backdoor in the neural network model by flipping bits in the network weights, misleading the model into predicting all input samples embedded with the trigger as a particular target class. This approach can flip bits in any neural network layer of the model. The attack selects the salient neurons that have the greatest impact on the model output and then generates the trigger using gradient descent. Finally, a search algorithm is used to select parameters in the model and determine the key bits in those parameters to flip.
TA-LBF attacks can cause particular samples to be misclassified into particular target categories by flipping key bits in the model parameters. This attack does not require a trigger and is therefore harder to notice than TBT attacks and ProFlip attacks. Since the parameters are stored in memory as binary bits, the attacker formulates the attack as a binary integer programming problem. This binary integer programming problem is then equivalently reformulated as a continuous optimization problem, which is solved using the alternating direction method of multipliers to determine the key bits to flip.
For a directed bit flip attack, fig. 1 shows a schematic diagram of a bit flip attack according to one embodiment of this specification. As shown in fig. 1, a neural network model includes a plurality of neural network layers. Data input into the neural network model passes through the first neural network layer, the second neural network layer, ..., the kth neural network layer, ..., up to the last neural network layer, after which the result is output. Each neural network layer includes a number of model parameters, such as parameters P11, P12, and P1n in the 1st neural network layer. Because the parameters in the last neural network layer are often directly related to the model's prediction result, some bit flip attacks only attack the last layer of the neural network model, i.e. they flip bits of the parameters in the last neural network layer; for example, for the parameter Pi in the last layer, the original bits 10001000 are flipped to 01001000. There are also bit flip attack methods that attack any layer of the neural network model: for example, an attacker may use a search algorithm to locate key bits in a neural network layer, where key bits can be understood as bits that directly affect the model's prediction result. For example, in an attack on the kth neural network layer, the original bits 11010010 of the parameter PKn in the kth neural network layer are flipped to 00010010.
For bit flip attacks, current defenses can be divided into two categories: integrity verification schemes and model enhancement schemes. Methods based on integrity verification detect whether a bit flip attack has occurred by verifying the integrity of the model parameters at model run time. Such a method can detect any tampered model, and thus can detect both directed and non-directed bit flip attacks. However, such methods generally scale poorly and incur additional performance overhead and resource costs, which makes them unsuitable for existing commercial devices and practical scenarios.
Methods based on model enhancement focus on improving the robustness of the target model and thereby significantly increasing the cost of a bit flip attack. An important indicator of the cost of a bit flip attack is the number of bits that must be flipped, and model enhancement methods typically increase that number significantly. However, such defense schemes can severely reduce the accuracy of the model and affect its use. Therefore, an effective solution is needed to solve the above problems.
It should be noted that, the user information (including, but not limited to, user equipment information, user personal information, etc.) and the data (including, but not limited to, data for analysis, stored data, presented data, etc.) according to the embodiments of the present disclosure are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region, and provide corresponding operation entries for the user to select authorization or rejection.
This specification provides an image processing method, and also relates to an image processing apparatus, a neural network model training method, a neural network model training apparatus, a computing device, and a computer-readable storage medium, which are described in detail one by one in the following embodiments.
Referring to fig. 2, fig. 2 shows a schematic application scenario of an image processing method according to an embodiment of the present disclosure.
Fig. 2 includes a client 202 and a server 204. The server 204 is deployed with the image processing model, and can execute the image processing method.
In particular implementations, a user may send an image to be processed to the server 204 via the client 202. After receiving the image to be processed, the server 204 inputs it into a neural network layer of the image processing model and inputs the intermediate output result of the neural network layer into a result output network layer. Once each result output network layer has output a prediction result, the server calculates the confidence of each prediction result and sends the prediction result that meets the preset result condition to the client 202 as the target prediction result. The target prediction result may be, for example, type information of the image to be processed. The prediction result of the image processing model is thus output early, the bit flip attack is avoided, and the model can run securely.
Referring to fig. 3, fig. 3 shows a flowchart of an image processing method according to an embodiment of the present specification, which is applied to an image processing model including a neural network layer and a result output network layer associated with the neural network layer, and specifically includes the following steps.
Step 302: inputting an image to be processed into the image processing model, and processing the image to be processed by utilizing the neural network layer to obtain an intermediate output result output by the neural network layer.
The image processing model can be understood as a neural network model for processing images, for example a model for predicting the type of an image or a model for segmenting an image. The result output network layer can be understood as a neural network layer for outputting the prediction result in advance. It may serve as an exit of the image processing model and includes a convolution layer and a fully connected layer, which are used to process the intermediate output result output by the neural network layer. The result output network layer associated with a neural network layer can be understood as the result output network layer that follows that neural network layer, i.e. the output of the neural network layer is the input of the result output network layer. The neural network layer can be understood as a hidden layer of the image processing model, i.e. a layer other than the input layer and the output layer.
Based on the above, the image to be processed can be input into the image processing model, the image to be processed is processed by utilizing the neural network layer in the image processing model, and the intermediate output result output by the neural network layer is obtained, and the intermediate output result is the input of the result output network layer after the neural network layer.
In practical application, the number of the neural network layers included in the image processing model is at least two;
correspondingly, the image to be processed is processed by the neural network layer, and an intermediate output result output by the neural network layer is obtained, which comprises the following steps:
inputting the image to be processed into an ith neural network layer to obtain a jth intermediate output result output by the ith neural network layer, where i ∈ [1, n], and i and j start from 1;
judging whether i is greater than or equal to n, and if not, incrementing i by 1;
inputting the jth intermediate output result into the ith neural network layer to obtain a (j+1)th intermediate output result output by the ith neural network layer;
judging whether i is greater than or equal to n, and if not, incrementing i by 1 and j by 1, and continuing to execute the step of inputting the jth intermediate output result into the ith neural network layer to obtain the (j+1)th intermediate output result output by the ith neural network layer.
Here i and j are positive integers: i is 1, 2, 3, ..., and j is 1, 2, 3, .... n can be understood as the number of neural network layers included in the image processing model, and n is a positive integer.
For example, suppose the image processing model includes 3 neural network layers, i.e. n is 3. The image to be processed is input into the 1st neural network layer to obtain the 1st intermediate output result output by the 1st neural network layer, where i is 1 and j is 1. At this time i is smaller than n, so i is incremented by 1, and the 1st intermediate output result is input into the 2nd neural network layer to obtain the 2nd intermediate output result output by the 2nd neural network layer; at this time i is 2 and j is 1. i is smaller than n, so i is incremented by 1 and j is incremented by 1, and the 2nd intermediate output result is input into the 3rd neural network layer to obtain the 3rd intermediate output result output by the 3rd neural network layer.
In summary, by obtaining the intermediate output result output by each neural network layer, input is provided for the result output network layer, so that the predicted result output by the model can be obtained later.
Step 304: inputting the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer.
Specifically, after obtaining the intermediate output result output by the neural network layer, the intermediate output result may be input to a result output network layer associated with the neural network layer, and a prediction result output by the result output network layer may be obtained.
In the implementation, since the image processing model comprises at least two neural network layers, the number of the result output network layers is at least two correspondingly;
correspondingly, the inputting the intermediate output result into the result output network layer to obtain the prediction result output by the result output network layer includes:
inputting the jth intermediate output result into an ith result output network layer to obtain a jth predicted result output by the ith result output network layer, wherein the ith result output network layer is associated with the ith neural network layer;
judging whether i is greater than or equal to n, and if not, incrementing i by 1 and j by 1, and continuing to execute the step of inputting the jth intermediate output result into the ith result output network layer to obtain the jth prediction result output by the ith result output network layer.
Specifically, a result output network layer associated with each neural network layer may be set after that neural network layer in the image processing model. The intermediate output result output by each neural network layer is input into the result output network layer associated with that layer, and the prediction result output by the result output network layer is obtained.
Continuing the above example, the 1st result output network layer may be set after the 1st neural network layer and the 2nd result output network layer may be set after the 2nd neural network layer. Since the output of the 3rd neural network layer can be output through the output layer of the image processing model, no result output network layer needs to be set after the 3rd neural network layer. That is, for the last neural network layer in the image processing model, there is no need to set an associated result output network layer.
Then, the 1 st intermediate output result of the 1 st neural network layer is input into the 1 st result output network layer, the 1 st prediction result output by the 1 st result output network layer is obtained, the 2 nd intermediate output result of the 2 nd neural network layer is input into the 2 nd result output network layer, and the 2 nd prediction result output by the 2 nd result output network layer is obtained.
In summary, by setting the result output network layer after each neural network layer, the target prediction result can be output in advance, thereby reducing the influence of bit flipping attack.
Step 306: when the prediction result meets a preset result condition, determining the prediction result as the target prediction result of the image to be processed.
Specifically, after the prediction result output by the result output network layer is obtained, it is first judged whether the prediction result meets the preset result condition; a prediction result that meets the preset result condition can be used as the target prediction result finally output by the image processing model.
The preset result condition may be understood as a condition that enables the prediction result to be output from the result output network layer, for example, the preset result condition may be that the confidence of the prediction result is greater than a preset confidence threshold.
The preset result condition may be set according to actual requirements, and the embodiment of the present specification is not limited herein.
In a specific implementation, the determining the prediction result as the target prediction result of the image to be processed under the condition that the prediction result meets the preset result condition includes:
determining the confidence level of a first predicted result, wherein the first predicted result is one of the predicted results output by the at least two result output network layers;
and, when the confidence of the first predicted result is greater than a preset confidence threshold, obtaining the target prediction result of the image to be processed that is output by the image processing model.
The confidence of the predicted result can be calculated by using a confidence algorithm.
Based on this, the confidence of each predicted result output by each result output network layer can be determined, and the predicted result with the confidence greater than the preset confidence threshold is taken as the target predicted result finally output by the image processing model.
Continuing the above example, the confidence of the 1st prediction result and the confidence of the 2nd prediction result may be calculated, and the 2nd prediction result, whose confidence is greater than the preset confidence threshold, is taken as the target prediction result.
In addition, when none of the prediction results output by the result output network layers has a confidence greater than the preset confidence threshold, the prediction result output by the last result output network layer may be taken as the target prediction result. This prevents a bit-flipping attack from being aimed only at the last neural network layer in the image processing model, and thus avoids the influence of the attack.
In summary, taking a prediction result whose confidence is greater than the preset confidence threshold as the final output result of the image processing model ensures the accuracy of the output result while defending against the attack.
In practical application, to keep model prediction efficient and to balance the accuracy and the security of model prediction, a preset number of candidate result output network layers can be determined among all the result output network layers. The specific implementation is as follows:
before determining the confidence level of the first predicted result, the method further comprises:
determining a preset number of first result output network layers from the at least two result output network layers, and determining a first prediction result output by the first result output network layers, wherein the first result output network layer is one of the at least two result output network layers.
The first result output network layer is a candidate result output network layer, and the target prediction result finally output by the image processing model is the prediction result output by one of the candidate result output network layers. The preset number may be understood as a hyperparameter of the image processing model, which may be predetermined during model training and dynamically adjusted as model training proceeds.
Specifically, a preset number of candidate result output network layers can be randomly selected from the at least two result output network layers, and the prediction result output by each candidate result output network layer is determined. This makes it convenient to subsequently determine the confidence of each prediction result and to select, from these prediction results, the one that satisfies the preset result condition as the target prediction result.
For example, for an image processing model including 10 result output network layers, 5 candidate result output network layers may be randomly selected from the 10 result output network layers, and then the prediction result output by each candidate result output network layer in the 5 candidate result output network layers is calculated, and then the confidence level of each prediction result is calculated, so as to determine the target prediction result.
In summary, selecting a preset number of candidate result output network layers balances model prediction accuracy against security: the result output network layer chosen to output the final target prediction result is as random as possible while prediction accuracy is maintained, which ensures security.
In practical application, in order to ensure accuracy and efficiency of model prediction, the image processing model comprises at least two neural network layers, and accordingly, the image processing model also comprises at least two result output network layers. Fig. 4 is a schematic diagram of an image processing model in an image processing method according to an embodiment of the present disclosure.
Referring to fig. 4, the image processing model includes a first neural network layer F1, a second neural network layer F2, ..., an Nth neural network layer FN, ..., and a last neural network layer Ff. The image X to be processed is taken as the input of the image processing model and passes through the first neural network layer up to the last neural network layer to obtain the final output result FfX of the image processing model. Specifically, the image X to be processed passes through the first neural network layer F1 to obtain the first intermediate output result F1X of the first neural network layer F1; the first intermediate output result F1X is input into the second neural network layer F2 to obtain the second intermediate output result F2X of the second neural network layer F2; and so on, until the Nth intermediate output result FNX output by the Nth neural network layer FN and the last intermediate output result FfX output by the last neural network layer Ff are obtained.
Meanwhile, in the image processing model, a result output network layer is arranged after each neural network layer, and each result output network layer comprises a convolution layer and a fully connected layer. Specifically, a first result output network layer C1 is arranged after the first neural network layer F1, ..., and an Nth result output network layer CN is arranged after the Nth neural network layer FN. It can be understood that after the last neural network layer in the image processing model finishes processing, its processing result is output directly through the output layer; that is, the output layer outputs the output result of the last neural network layer, so no result output network layer needs to be set after the last neural network layer.
The first intermediate output result F1X output by the first neural network layer F1 is input into the first result output network layer C1 to obtain the first prediction result C1X output by C1. The second intermediate output result F2X output by the second neural network layer F2 is input into the second result output network layer C2 to obtain the second prediction result C2X output by C2. Similarly, the Nth prediction result CNX output by the Nth result output network layer CN is obtained. Among the N result output network layers, a preset number (q) of candidate result output network layers can be randomly selected, and confidence calculation is performed on the prediction results output by the q candidate result output network layers. The prediction result whose confidence is greater than a preset confidence threshold is determined as the target prediction result finally output by the image processing model; that is, the result output network layer that outputs a prediction result with confidence greater than the preset confidence threshold serves as the exit for the image to be processed. Here q is a hyperparameter of the image processing model, which can be preset and dynamically adjusted in the model training stage. It can be appreciated that selecting a smaller value of the hyperparameter may make the selected exit more random, with larger entropy, but at the same time increases the probability that none of the q candidate result output network layers meets the exit condition that the confidence is greater than the preset confidence threshold, thereby reducing prediction accuracy.
In addition, when no prediction result output by a candidate result output network layer satisfies the exit condition that the confidence is greater than the preset confidence threshold, the last candidate result output network layer may be used as the exit, and the prediction result it outputs may be used as the target prediction result.
For example, among the N result output network layers, C1, C2 and C3 are determined as the candidate result output network layers, and the confidences of C1X, C2X and C3X are calculated respectively. C2X, whose confidence is greater than the preset confidence threshold, is taken as the target prediction result, so C2 is the exit. If none of C1X, C2X and C3X satisfies the exit condition that the confidence is greater than the preset confidence threshold, the last of the 3 candidate result output network layers (i.e., C3) is used as the exit, and C3X is the target prediction result of the image processing model.
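The exit selection described above (random choice of q candidate exits, confidence threshold, fall-back to the last candidate) is sketched below as an added example that is not code from the patent. The toy int8 weights, the maximum softmax probability as the confidence algorithm, and the names EarlyExitModel, select_candidates, predict, flip_bit and with_flipped_bit are assumptions; the last part shows that a flipped bit in F3 only matters when the exit lies behind F3.

```python
import copy
import math
import random


def softmax(logits):
    m = max(logits)
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]


def linear(weights, x):
    return [sum(w * v for w, v in zip(row, x)) for row in weights]


def flip_bit(w, bit):
    """Flip one bit of an int8 weight held in two's complement."""
    u = (w & 0xFF) ^ (1 << bit)
    return u - 256 if u >= 128 else u


class EarlyExitModel:
    """layers = F1..Ff; exits = C1..CN, one after every layer except the last."""

    def __init__(self, layers, exits):
        if len(exits) != len(layers) - 1:
            raise ValueError("every layer except the last needs one exit")
        self.layers = layers
        self.exits = exits

    def select_candidates(self, q, rng):
        """Randomly choose q candidate exits, returned in depth order."""
        return sorted(rng.sample(range(len(self.exits)), q))

    def predict(self, x, candidates, threshold):
        """Return (exit index, label, confidence, number of layers executed)."""
        if not candidates or not all(0 <= c < len(self.exits) for c in candidates):
            raise ValueError("candidates must name existing exits")
        last = max(candidates)
        h = x
        for i in range(last + 1):
            h = [max(0.0, z) for z in linear(self.layers[i], h)]  # Fi, then ReLU
            if i not in candidates:
                continue
            probs = softmax(linear(self.exits[i], h))
            conf = max(probs)  # assumed confidence algorithm: top softmax score
            if conf > threshold or i == last:  # fall back to the last candidate
                return i, probs.index(conf), conf, i + 1


def build_demo_model():
    """Constructed toy weights: int8 layers F1, F2, F3, Ff and float exits C1..C3."""
    layers = [[[1, 0], [0, 1]], [[2, 0], [0, 2]], [[1, 0], [0, 1]], [[1, 0], [0, 1]]]
    exits = [[[0.5, 0.0], [0.0, 0.5]], [[1.0, 0.0], [0.0, 1.0]], [[2.0, 0.0], [0.0, 2.0]]]
    return EarlyExitModel(layers, exits)


def with_flipped_bit(model, layer, row, col, bit):
    """Copy of the model with one weight bit flipped (simulated fault)."""
    damaged = copy.deepcopy(model)
    damaged.layers[layer][row][col] = flip_bit(damaged.layers[layer][row][col], bit)
    return damaged


if __name__ == "__main__":
    model = build_demo_model()
    x = [2.0, 0.0]  # constructed input
    # The exit should be unpredictable to an attacker, so draw from the OS CSPRNG.
    candidates = model.select_candidates(q=2, rng=random.SystemRandom())
    print("candidates", candidates, "->", model.predict(x, candidates, 0.9))
    damaged = with_flipped_bit(model, layer=2, row=1, col=0, bit=6)  # corrupt F3
    print("exit before F3:", damaged.predict(x, [0, 1], 0.9))  # label unchanged
    print("exit after F3: ", damaged.predict(x, [2], 0.9))     # label changes
```

With candidates C1, C2, C3 and a threshold of 0.9 the model exits at C2, matching the example in the text; F3 and Ff are never executed on that path.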
In practical application, the training step of the image processing model comprises the following steps:
Step one: determining a neural network layer of an initial image processing model, and adding a result output network layer after the neural network layer to obtain a target image processing model;
Step two: inputting an image training sample into the neural network layer to obtain an intermediate output result output by the neural network layer;
the number of the neural network layers is at least two;
correspondingly, the inputting the image training sample into the neural network layer to obtain an intermediate output result output by the neural network layer comprises the following steps:
inputting the image training sample into an ith neural network layer to obtain a jth intermediate output result output by the ith neural network layer, where i ∈ [1, n] and i and j start from 1;
judging whether i is greater than or equal to n, and if not, incrementing i by 1;
inputting the jth intermediate output result into the ith neural network layer to obtain a (j+1)th intermediate output result output by the ith neural network layer;
judging whether i is greater than or equal to n, and if not, incrementing i by 1 and j by 1, and continuing to perform the step of inputting the jth intermediate output result into the ith neural network layer to obtain the (j+1)th intermediate output result output by the ith neural network layer.
Step three: inputting the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer;
the number of the result output network layers is at least two;
The step of inputting the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer comprises the following steps:
inputting the jth intermediate output result into an ith result output network layer to obtain a jth predicted result output by the ith result output network layer, wherein the ith result output network layer is associated with the ith neural network layer;
judging whether i is greater than or equal to n, and if not, incrementing i by 1 and j by 1, and continuing to perform the step of inputting the jth intermediate output result into the ith result output network layer to obtain the jth prediction result output by the ith result output network layer.
Step four: training the result output network layer using the image training label corresponding to the image training sample and the prediction result, until a target image processing model satisfying the training stop condition is obtained.
The training of the result output network layer by using the image training label corresponding to the image training sample and the prediction result until a target image processing model meeting the training stop condition is obtained comprises the following steps:
and training the jth result output network layer by utilizing the image training label corresponding to the image training sample and the jth predicted result until a target image processing model meeting the training stop condition is obtained.
The target image processing model is understood to be a trained image processing model.
Specifically, when the image processing model is trained, each result output network layer in the image processing model can be trained, and the specific implementation manner is similar to that of the image processing method, and the detailed description is not repeated here.
Further, an attacker may perform a bit-flipping attack on all the neural network layers in the image processing model. Even though this greatly increases the number of bits that must be flipped, and therefore the cost of the attack, such an attack remains possible. The result output network layer can therefore be robustly trained: the effect of bit flipping on the image processing model is simulated, flipped training samples are constructed, and the result output network layer is trained on them. The specific implementation is as follows:
the determining of a neural network layer of an initial image processing model and adding of a result output network layer after the neural network layer to obtain a target image processing model further comprises:
constructing a flipped sample providing model according to the initial image processing model, wherein the flipped sample providing model comprises a neural network layer;
inputting an image training sample into the neural network layer to obtain a flipped training sample output by the neural network layer;
and training the result output network layer of the initial image processing model using the flipped training sample and the image training label corresponding to the image training sample, to obtain a target image processing model comprising the neural network layer of the initial image processing model and the trained result output network layer.
The flipped sample providing model may be understood as a model after bit flipping, which may be used to provide flipped training samples for robust training of the result output network layer. The target image processing model can be understood as the initial image processing model after training.
Based on this, a bit-flipped flipped sample providing model can be constructed from the initial image processing model. An image training sample is input into a neural network layer of the flipped sample providing model to obtain the flipped training sample output by that layer, and the result output network layer of the initial image processing model is trained with the flipped training sample and the image training label corresponding to the image training sample, so as to obtain a target image processing model that satisfies the training stop condition.
In summary, training the result output network layer with flipped training samples that simulate the output of an attacked neural network layer lets the result output network layer adapt to the impact of a bit-flipping attack: it learns from this kind of data to correct predictions in the adversarial scenario.
In implementation, to ensure that the neural network layer of the initial image processing model is not affected, the attacked model can be simulated by copying the initial image processing model. The specific implementation is as follows:
the constructing of a flipped sample providing model according to the initial image processing model comprises:
copying the initial image processing model, determining target bits corresponding to model parameters in the copied initial image processing model, and flipping the target bits to obtain the flipped sample providing model.
Here, a target bit may be understood as a bit that may be flipped in a bit-flipping attack. The copied initial image processing model can be understood as the copy model obtained by copying the initial image processing model. For example, the initial image processing model A is copied to obtain the copied initial image processing model A1, and the subsequent target bit flipping is performed in the copied initial image processing model A1. The initial image processing model here may be understood as an initial image processing model to which the result output network layer has not yet been added, i.e. it does not include the result output network layer.
Based on this, the initial image processing model can be copied to obtain a copy model identical to the initial image processing model. The target bits corresponding to the model parameters in the copy model are then determined and flipped to obtain the flipped sample providing model.
In summary, copying the initial image processing model allows the attacked model to be simulated without affecting the neural network of the initial image processing model, which improves the realism of the simulated attacked model and, in turn, of the subsequent flipped training samples.
In implementation, current bit-flipping attacks generally treat the gradient of a bit as the key criterion for selecting which bit to attack: the gradient value of a bit reflects the importance of that bit in the model's decision and therefore its effect on model prediction. To determine the target bits that may be flipped, the gradient value of each bit can be calculated with a preset algorithm, and the target bits determined according to the gradient values. The specific implementation is as follows:
the determining of target bits corresponding to model parameters in the copied initial image processing model and flipping of the target bits to obtain a flipped sample providing model comprises:
Determining at least two bits corresponding to model parameters in an initial image processing model obtained by copying;
calculating a gradient value of a first bit according to a preset algorithm, wherein the first bit is one of the at least two bits;
when the gradient value of the first bit is greater than a preset gradient value threshold, determining the first bit as a target bit, and flipping the target bit to obtain a flipped initial image processing model;
and determining at least two bits corresponding to model parameters in the flipped initial image processing model, and continuing to perform the step of calculating the gradient value of the first bit according to the preset algorithm until a preset stop condition is reached, to obtain the flipped sample providing model.
The preset algorithm may be understood as an algorithm for calculating a bit gradient value, for example, may be a vulnerability protection algorithm, and a specific formula thereof is as follows.
Figure BDA0004073849610000121
Where L_inf is the inference loss, the symbol shown in Figure BDA0004073849610000122 is the cross-entropy loss, l is the true label, and F_final(x) is the output result of the last neural network layer in the image processing model. The preset stop condition may be understood as reaching a preset number of iterations.
Based on this, at least two bits corresponding to model parameters in the copied initial image processing model can be determined, the gradient value of each bit is calculated according to the preset algorithm, each bit whose gradient value is greater than the preset gradient value threshold is determined as a target bit, and the target bits are flipped to obtain the flipped initial image processing model. Then at least two bits corresponding to model parameters in the flipped initial image processing model are determined, the gradient value of each bit is again calculated with the preset algorithm, the bits whose gradient value is greater than the preset gradient value threshold are determined as target bits and flipped, and so on until the preset number of iterations is reached, yielding the final flipped sample providing model.
In practical application, in each iteration the gradient of each bit with respect to the inference loss can be calculated, and the bits are then ranked by vulnerability according to the absolute value of the gradient. The K highest-ranked bits are taken as the target bits (i.e. the bits most vulnerable to attack) and are flipped. The iterative process is repeated several times to finally obtain the bit-flipped flipped sample providing model.
In summary, by determining target bits that may be attacked, and recalculating the gradient of each bit in each iteration, the dynamic change of the model with flipped bits can be accommodated, and the recalculated gradient values can reflect the importance of the bits in the dynamically changing model.
In addition, the image training samples and the flipped training samples can be used together to train the result output network layer. Fig. 5 is a schematic flow chart of training an image processing model in an image processing method according to an embodiment of the present disclosure; the specific steps are as follows.
Step 502: Copy the initial image processing model to obtain a copy model.
Step 504: Add a result output network layer after each neural network layer in the initial image processing model to obtain a target image processing model.
Specifically, the result output network layer C1 is added after the neural network layer F1, ..., and the result output network layer CN is added after the neural network layer FN.
Step 506: Determine the target bits in the copy model that may be attacked, and flip the target bits to obtain a flipped sample providing model.
Step 508: Obtain image training samples and image training labels from a training dataset.
Step 510: Input the image training sample into the target image processing model to obtain the intermediate output results output by the neural network layers in the target image processing model.
Specifically, the intermediate output result F1X output by the neural network layer F1, ..., and the intermediate output result FNX output by the neural network layer FN are obtained.
Here, the intermediate output results serve as the original training samples for the result output network layers.
Step 512: Input the image training sample into the flipped sample providing model to obtain the intermediate output results output by the neural network layers in the flipped sample providing model.
Specifically, the intermediate output result F'1X output by the flipped neural network layer F'1, ..., and the intermediate output result F'NX output by the flipped neural network layer F'N are obtained.
Here, the intermediate output results serve as the flipped training samples for the result output network layers.
Step 514: Train the result output network layers using the original training samples, the flipped training samples and the image training labels until a target image processing model satisfying the training conditions is obtained.
Specifically, the result output network layer C1 is trained using the intermediate output result F1X output by the neural network layer F1, the intermediate output result F'1X output by the flipped neural network layer F'1, and the image training label. The training process for the other result output network layers is similar to that for the result output network layer C1 and is not repeated here.
Alternatively, the result output network layer can first be trained with the original training samples and the image training labels, and then with the flipped training samples and the image training labels. It will be appreciated that the order in which the original training samples and the flipped training samples are used may be determined according to actual requirements, and embodiments of the present disclosure are not limited in this respect.
In conclusion, training the result output network layer with both the original training samples and the flipped training samples improves its robustness, so that it can adapt to the influence of a bit-flipping attack and thereby defend against it.
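The training flow of steps 502 to 514, together with the gradient-ranked selection of target bits described before it, is sketched below as an added example that is not code from the patent: a copy of a toy int8 layer F1 becomes the flipped sample providing model, and exit head C1 is trained on the original and the flipped intermediate outputs. The weights, samples, quantisation scale, function names, the rule that a bit is flipped at most once, and the use of plain full-batch gradient descent are assumptions.

```python
import copy
import math

SCALE = 1.0 / 64                              # constructed int8 quantisation step
W1 = [[64, 0], [0, 64]]                       # constructed int8 layer F1
WF = [[1.0, 0.0], [0.0, 1.0]]                 # constructed final layer Ff
SAMPLES = [([1.0, 0.5], 0), ([0.5, 1.0], 1)]  # constructed (input, label) pairs


def softmax(v):
    m = max(v)
    e = [math.exp(a - m) for a in v]
    s = sum(e)
    return [a / s for a in e]


def matvec(w, x):
    return [sum(a * b for a, b in zip(row, x)) for row in w]


def features(w1, x):
    """Intermediate output F1X: dequantised int8 layer followed by ReLU."""
    return [max(0.0, SCALE * z) for z in matvec(w1, x)]


def weight_gradients(w1, wf, samples):
    """Gradient of L_inf (cross-entropy of the final output) per int8 weight."""
    grad = [[0.0] * len(w1[0]) for _ in w1]
    for x, label in samples:
        h = features(w1, x)
        p = softmax(matvec(wf, h))
        d_logits = [p[c] - (c == label) for c in range(len(p))]
        for r in range(len(w1)):
            if h[r] > 0.0:                    # ReLU passes gradient only when active
                d_h = sum(wf[c][r] * d_logits[c] for c in range(len(wf)))
                for c in range(len(x)):
                    grad[r][c] += d_h * SCALE * x[c]
    return grad


def build_flipped_provider(w1, wf, samples, top_k, iterations):
    """Copy F1, then each round flip the top_k bits with the largest |gradient|."""
    flipped = copy.deepcopy(w1)               # the original layer is never touched
    done = []                                 # assumption: a bit is flipped only once
    for _ in range(iterations):
        grad = weight_gradients(flipped, wf, samples)   # recomputed every round
        bits = [(r, c, k) for r in range(len(w1)) for c in range(len(w1[0]))
                for k in range(8) if (r, c, k) not in done]
        # d(weight)/d(bit k) is 2**k, or -128 for the sign bit; only |.| is ranked
        bits.sort(key=lambda b: -abs(grad[b[0]][b[1]]) * (1 << b[2]))
        for r, c, k in bits[:top_k]:
            u = (flipped[r][c] & 0xFF) ^ (1 << k)
            flipped[r][c] = u - 256 if u >= 128 else u
            done.append((r, c, k))
    return flipped, done


def make_training_set(w1, flipped, samples):
    """Original samples (F1X) plus flipped samples (F'1X), with the same labels."""
    return ([(features(w1, x), y) for x, y in samples]
            + [(features(flipped, x), y) for x, y in samples])


def mean_loss(head, data):
    return -sum(math.log(softmax(matvec(head, f))[y]) for f, y in data) / len(data)


def train_exit(data, classes, epochs=200):
    """Full-batch gradient descent on exit head C1 only; F1 stays frozen."""
    dim = len(data[0][0])
    head = [[0.0] * dim for _ in range(classes)]
    lr = 1.0 / (max(sum(a * a for a in f) for f, _ in data) or 1.0)
    for _ in range(epochs):
        grad = [[0.0] * dim for _ in range(classes)]
        for f, y in data:
            p = softmax(matvec(head, f))
            for c in range(classes):
                for j in range(dim):
                    grad[c][j] += (p[c] - (c == y)) * f[j] / len(data)
        head = [[w - lr * g for w, g in zip(hr, gr)] for hr, gr in zip(head, grad)]
    return head


if __name__ == "__main__":
    flipped, done = build_flipped_provider(W1, WF, SAMPLES, top_k=1, iterations=2)
    data = make_training_set(W1, flipped, SAMPLES)
    head = train_exit(data, classes=2)
    print("flipped bits (row, col, bit):", done)
    print("mean loss of trained exit:", round(mean_loss(head, data), 4))
```

Because the gradient is scaled by the bit weight, the first bits selected are sign bits, which is why the flipped intermediate outputs differ sharply from the original ones.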
The image processing method provided in the present specification will be further described with reference to fig. 6 by taking an application of the image processing method to a neural network model including three neural network layers as an example. Fig. 6 shows a flowchart of a processing procedure of an image processing method according to an embodiment of the present disclosure, which specifically includes the following steps.
Step 602: Input the image to be processed into the first neural network layer in the image processing model to obtain the first intermediate output result output by the first neural network layer.
Step 604: Input the first intermediate output result into the first result output network layer to obtain the first prediction result output by the first result output network layer.
Specifically, the first result output network layer also belongs to the image processing model and is arranged after the first neural network layer.
Step 606: Input the first intermediate output result into the second neural network layer to obtain the second intermediate output result output by the second neural network layer.
Step 608: Input the second intermediate output result into the second result output network layer to obtain the second prediction result output by the second result output network layer.
Step 610: Calculate the confidence of the first prediction result and the confidence of the second prediction result, and determine the prediction result whose confidence is greater than the preset confidence threshold as the target prediction result of the image processing model.
In this method, a result output network layer associated with a neural network layer is arranged in the image processing model, the intermediate output result output by the neural network layer is input into the result output network layer, and, when the prediction result output by the result output network layer satisfies the preset result condition, that prediction result is output as the output result of the image processing model. Prediction can therefore end early and dynamically when the image processing model processes an image, giving the model the ability to finish prediction in advance. Because the result output network layer that outputs the prediction result is selected at random, the probability of being affected by a bit-flipping attack is reduced: a neural network layer attacked by bit flipping is ignored during model prediction, which reduces the influence of a bit-flipping attack on the parameters of one neural network layer in the image processing model. This defends against bit-flipping attacks, avoids the model prediction errors they cause, and ensures the prediction accuracy of the model.
Corresponding to the above method embodiments, the present disclosure further provides an image processing apparatus embodiment, and fig. 7 shows a schematic structural diagram of an image processing apparatus according to one embodiment of the present disclosure. As shown in fig. 7, the apparatus is applied to an image processing model including a neural network layer, and a result output network layer associated with the neural network layer, and the apparatus includes:
the first input module 702 is configured to input an image to be processed into the image processing model, process the image to be processed by using the neural network layer, and obtain an intermediate output result output by the neural network layer;
a second input module 704 configured to input the intermediate output result into the result output network layer, and obtain a prediction result output by the result output network layer;
a determining module 706, configured to determine the prediction result as a target prediction result of the image to be processed, in a case where it is determined that the prediction result satisfies a preset result condition.
In an alternative embodiment, there are at least two neural network layers; the first input module 702 is further configured to:
inputting the image to be processed into an ith neural network layer to obtain a jth intermediate output result output by the ith neural network layer, where i ∈ [1, n] and i and j start from 1;
judging whether i is greater than or equal to n, and if not, incrementing i by 1;
inputting the jth intermediate output result into the ith neural network layer to obtain a (j+1)th intermediate output result output by the ith neural network layer;
judging whether i is greater than or equal to n, and if not, incrementing i by 1 and j by 1, and continuing to perform the step of inputting the jth intermediate output result into the ith neural network layer to obtain the (j+1)th intermediate output result output by the ith neural network layer.
In an alternative embodiment, there are at least two result output network layers; the second input module 704 is further configured to:
inputting the jth intermediate output result into an ith result output network layer to obtain a jth predicted result output by the ith result output network layer, wherein the ith result output network layer is associated with the ith neural network layer;
judging whether i is greater than or equal to n, and if not, incrementing i by 1 and j by 1, and continuing to perform the step of inputting the jth intermediate output result into the ith result output network layer to obtain the jth prediction result output by the ith result output network layer.
In an alternative embodiment, the determining module 706 is further configured to:
determining the confidence level of a first predicted result, wherein the first predicted result is one of the predicted results output by the at least two result output network layers;
and, when the confidence of the first predicted result is greater than a preset confidence threshold, obtaining the target prediction result of the image to be processed that is output by the image processing model.
In an alternative embodiment, the determining module 706 is further configured to:
determining a preset number of first result output network layers from the at least two result output network layers, and determining a first prediction result output by the first result output network layers, wherein the first result output network layer is one of the at least two result output network layers.
In an alternative embodiment, the apparatus further comprises a training module configured to:
determining a neural network layer of an initial image processing model, and adding a result output network layer after the neural network layer to obtain a target image processing model;
inputting an image training sample into the neural network layer to obtain an intermediate output result output by the neural network layer;
inputting the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer;
and training the result output network layer by utilizing the image training label corresponding to the image training sample and the prediction result until a target image processing model meeting the training stop condition is obtained.
In an alternative embodiment, there are at least two neural network layers; the training module is further configured to:
inputting the image training sample into an ith neural network layer to obtain a jth intermediate output result output by the ith neural network layer, wherein i ∈ [1, n], and i and j start from 1;
determining whether i is greater than or equal to n; if not, incrementing i by 1;
inputting the jth intermediate output result into the ith neural network layer to obtain a (j+1)th intermediate output result output by the ith neural network layer;
determining whether i is greater than or equal to n; if not, incrementing i by 1 and j by 1, and continuing to execute the step of inputting the jth intermediate output result into the ith neural network layer to obtain the (j+1)th intermediate output result output by the ith neural network layer.
In an alternative embodiment, there are at least two result output network layers; the training module is further configured to:
inputting the jth intermediate output result into an ith result output network layer to obtain a jth prediction result output by the ith result output network layer, wherein the ith result output network layer is associated with the ith neural network layer;
determining whether i is greater than or equal to n; if not, incrementing i by 1 and j by 1, and continuing to execute the step of inputting the jth intermediate output result into the ith result output network layer to obtain the jth prediction result output by the ith result output network layer.
In an alternative embodiment, the training module is further configured to:
and training the jth result output network layer by utilizing the image training label corresponding to the image training sample and the jth predicted result until a target image processing model meeting the training stop condition is obtained.
In an alternative embodiment, the training module is further configured to:
constructing a flipped-sample providing model according to the initial image processing model, wherein the flipped-sample providing model comprises a neural network layer;
inputting an image training sample into the neural network layer to obtain a flipped training sample output by the neural network layer;
and training the result output network layer of the initial image processing model by utilizing the flipped training sample and the image training label corresponding to the image training sample, to obtain a target image processing model comprising the neural network layer of the initial image processing model and the trained result output network layer.
In an alternative embodiment, the training module is further configured to:
copying the initial image processing model, determining target bits corresponding to model parameters in the copied initial image processing model, and flipping the target bits to obtain a flipped-sample providing model.
In an alternative embodiment, the training module is further configured to:
determining at least two bits corresponding to model parameters in the copied initial image processing model;
calculating a gradient value of a first bit according to a preset algorithm, wherein the first bit is one of the at least two bits;
in the case that the gradient value of the first bit is greater than a preset gradient value threshold, determining the first bit as a target bit, and flipping the target bit to obtain a flipped initial image processing model;
and determining at least two bits corresponding to model parameters in the flipped initial image processing model, and continuing to execute the step of calculating the gradient value of the first bit according to a preset algorithm until a preset stopping condition is reached, to obtain a flipped-sample providing model.
In summary, the device provides, in the image processing model, a result output network layer associated with the neural network layer, and inputs the intermediate output result output by the neural network layer into the result output network layer. When the prediction result output by the result output network layer meets the preset result condition, that prediction result is output as the output result of the image processing model, so that prediction can be ended early and dynamically when the image processing model is used for image processing; the model thus has the capability of finishing prediction in advance. Because the prediction result is output by a randomly selected result output network layer, the probability of being affected by a bit-flip attack is reduced: a neural network layer hit by a bit-flip attack is ignored during model prediction, which reduces the influence of a bit-flip attack on the parameters of any one neural network layer in the image processing model. Defense against bit-flip attacks is thereby realized, model prediction errors caused by bit-flip attacks are avoided, and the prediction accuracy of the model is ensured.
The above is a schematic scheme of an image processing apparatus of the present embodiment. It should be noted that the technical solution of the image processing apparatus and the technical solution of the image processing method belong to the same concept; for details of the technical solution of the image processing apparatus that are not described in detail, reference may be made to the description of the technical solution of the image processing method.
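The inference path summarized above (a randomly chosen subset of result output network layers, each gated by a confidence threshold), as an added Python example that is not code from the patent. The int8 weight encoding, the 0.9 threshold, the fall-through to the last result output layer when no chosen exit is confident, and all names and sample values are assumptions constructed for illustration.

```python
import copy
import math
import random

SCALE = 1 / 16  # assumed int8 quantisation step for neural network layer weights


def flip_bit_int8(q, bit):
    """Return the two's-complement int8 value q with one bit inverted."""
    u = (q & 0xFF) ^ (1 << bit)
    return u - 256 if u >= 128 else u


def layer_forward(q_weights, x):
    """Neural network layer: dequantise the int8 weights, multiply, apply ReLU."""
    return [max(0.0, sum(q * SCALE * v for q, v in zip(row, x))) for row in q_weights]


def head_forward(weights, h):
    """Result output network layer: linear map followed by softmax."""
    z = [sum(w * v for w, v in zip(row, h)) for row in weights]
    m = max(z)
    e = [math.exp(a - m) for a in z]
    s = sum(e)
    return [a / s for a in e]


class EarlyExitModel:
    """n neural network layers, the ith one paired with the ith result output layer."""

    def __init__(self, layers, heads):
        assert len(layers) == len(heads)
        self.layers, self.heads = layers, heads

    def predict(self, x, threshold, num_exits, rng):
        """Return (label, exit_index, confidence) using randomly chosen exits."""
        n = len(self.layers)
        # Pick a preset number of result output layers at random for this query.
        chosen = set(rng.sample(range(n), num_exits))
        h = x
        for i in range(n):
            h = layer_forward(self.layers[i], h)  # intermediate output result
            if i in chosen:
                probs = head_forward(self.heads[i], h)
                conf = max(probs)
                if conf > threshold:
                    # Preset result condition met: stop, later layers never run.
                    return probs.index(conf), i, conf
        # Assumption: if no chosen exit was confident, report the last head's view.
        probs = head_forward(self.heads[-1], h)
        conf = max(probs)
        return probs.index(conf), n - 1, conf

    def predict_final_only(self, x):
        """Baseline without early exit: run every layer, read only the last head."""
        h = x
        for q in self.layers:
            h = layer_forward(q, h)
        probs = head_forward(self.heads[-1], h)
        return probs.index(max(probs)), max(probs)


def build_demo():
    """Constructed 3-layer model: identity layers (16 * SCALE == 1.0), equal heads."""
    identity = [[16, 0], [0, 16]]
    head = [[4.0, 0.0], [0.0, 4.0]]
    return EarlyExitModel([copy.deepcopy(identity) for _ in range(3)],
                          [copy.deepcopy(head) for _ in range(3)])


def with_flip(model, layer, row, col, bit):
    """Copy of model with a single weight bit inverted, as a fault to defend against."""
    damaged = copy.deepcopy(model)
    damaged.layers[layer][row][col] = flip_bit_int8(damaged.layers[layer][row][col], bit)
    return damaged


SAMPLE = [2.0, 0.5]  # constructed input whose correct label is 0

if __name__ == "__main__":
    clean = build_demo()
    late = with_flip(clean, layer=2, row=0, col=0, bit=7)   # 16 becomes -112
    print("final-only, clean  :", clean.predict_final_only(SAMPLE))
    print("final-only, flipped:", late.predict_final_only(SAMPLE))
    print("early exit, flipped:", late.predict(SAMPLE, 0.9, 2, random.Random(1)))
```

In this constructed model a flip in the third layer never reaches the output, because two of the three exits are always chosen and one of them precedes the damaged layer. A flip in the first layer is seen by every exit and here shows up only as a sub-threshold confidence at the final layer.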
Corresponding to the above method embodiments, the present disclosure further provides a neural network model training method embodiment. Fig. 8 shows a flowchart of a neural network model training method according to one embodiment of the present disclosure; the specific steps are as follows.
Step 802: determining a neural network layer of an initial neural network model, and adding a result output network layer after the neural network layer to obtain a target neural network model;
Step 804: inputting an image training sample into the neural network layer to obtain an intermediate output result output by the neural network layer;
Step 806: inputting the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer;
Step 808: training the result output network layer by utilizing the image training label corresponding to the image training sample and the prediction result until a target neural network model meeting the training stop condition is obtained.
The neural network model may be the image processing model, and the training sample is an image training sample. The neural network model may also be a text processing model, where the training sample is a text training sample. The embodiments of the present specification are not limited herein.
In summary, the method provides, in the image processing model, a result output network layer associated with the neural network layer, and inputs the intermediate output result output by the neural network layer into the result output network layer. When the prediction result output by the result output network layer meets the preset result condition, that prediction result is output as the output result of the image processing model, so that prediction can be ended early and dynamically when the image processing model is used for image processing; the model thus has the capability of finishing prediction in advance. Because the prediction result is output by a randomly selected result output network layer, the probability of being affected by a bit-flip attack is reduced: a neural network layer hit by a bit-flip attack is ignored during model prediction, which reduces the influence of a bit-flip attack on the parameters of any one neural network layer in the image processing model. Defense against bit-flip attacks is thereby realized, model prediction errors caused by bit-flip attacks are avoided, and the prediction accuracy of the model is ensured.
The above is a schematic scheme of a neural network model training method of this embodiment. It should be noted that the technical solution of the neural network model training method and the technical solution of the image processing method belong to the same concept; for details of the technical solution of the neural network model training method that are not described in detail, reference may be made to the description of the technical solution of the image processing method.
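Steps 802 to 808, together with the flipped-sample variant described earlier, as an added Python example (not the patent's code): the neural network layer stays frozen and only the result output network layer is trained, on intermediate outputs from both the original layer and a bit-flipped copy. The int8 encoding, the fixed choice of flipped bit (the patent selects target bits by a gradient threshold), the fixed step count and all sample data are assumptions constructed for illustration.

```python
import copy
import math

SCALE = 1 / 16  # assumed int8 quantisation step
INITIAL_LAYER = [[16, -16], [-16, 16]]  # constructed frozen neural network layer
X = [[2.0, 0.5], [1.5, 0.2], [1.8, 0.4], [0.5, 2.0], [0.2, 1.5], [0.4, 1.8]]
Y = [0, 0, 0, 1, 1, 1]  # constructed image training labels


def flip_bit_int8(q, bit):
    """Return the two's-complement int8 value q with one bit inverted."""
    u = (q & 0xFF) ^ (1 << bit)
    return u - 256 if u >= 128 else u


def backbone(q_weights, x):
    """Frozen neural network layer: dequantise, multiply, ReLU (step 804)."""
    return [max(0.0, sum(q * SCALE * v for q, v in zip(row, x))) for row in q_weights]


def head_probs(head, f):
    """Result output network layer: linear map plus softmax (step 806)."""
    z = [sum(w * v for w, v in zip(row, f)) for row in head]
    m = max(z)
    e = [math.exp(a - m) for a in z]
    s = sum(e)
    return [a / s for a in e]


def mean_loss(head, feats, labels):
    """Mean cross-entropy between predictions and training labels."""
    return -sum(math.log(head_probs(head, f)[y]) for f, y in zip(feats, labels)) / len(feats)


def accuracy(head, feats, labels):
    hits = 0
    for f, y in zip(feats, labels):
        p = head_probs(head, f)
        hits += p.index(max(p)) == y
    return hits / len(feats)


def train_head(feats, labels, num_classes, lr=0.5, steps=200):
    """Step 808: full-batch gradient descent on the head only."""
    dim = len(feats[0])
    head = [[0.0] * dim for _ in range(num_classes)]
    for _ in range(steps):  # assumption: fixed step count as the stop condition
        grad = [[0.0] * dim for _ in range(num_classes)]
        for f, y in zip(feats, labels):
            p = head_probs(head, f)
            for k in range(num_classes):
                err = p[k] - (1.0 if k == y else 0.0)
                for d in range(dim):
                    grad[k][d] += err * f[d] / len(feats)
        for k in range(num_classes):
            for d in range(dim):
                head[k][d] -= lr * grad[k][d]
    return head


def run_training():
    frozen = copy.deepcopy(INITIAL_LAYER)
    # Flipped-sample providing model: a copy of the layer with one bit inverted.
    flipped = copy.deepcopy(INITIAL_LAYER)
    flipped[0][0] = flip_bit_int8(flipped[0][0], 5)  # 16 becomes 48 (weight 1.0 -> 3.0)
    clean_feats = [backbone(frozen, x) for x in X]
    flipped_feats = [backbone(flipped, x) for x in X]  # flipped training samples
    feats, labels = clean_feats + flipped_feats, Y + Y
    untrained = [[0.0, 0.0], [0.0, 0.0]]
    head = train_head(feats, labels, num_classes=2)
    return {
        "loss_before": mean_loss(untrained, feats, labels),
        "loss_after": mean_loss(head, feats, labels),
        "acc_clean": accuracy(head, clean_feats, Y),
        "acc_flipped": accuracy(head, flipped_feats, Y),
        "backbone_unchanged": frozen == INITIAL_LAYER,
    }


if __name__ == "__main__":
    for name, value in run_training().items():
        print(name, value)
```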
Corresponding to the above method embodiments, the present disclosure further provides an embodiment of a neural network model training device. Fig. 9 shows a schematic structural diagram of a neural network model training device provided in one embodiment of the present disclosure, where the device includes:
an adding module 902 configured to determine a neural network layer of an initial neural network model, and add a result output network layer after the neural network layer, to obtain a target neural network model;
a first input module 904 configured to input an image training sample into the neural network layer, and obtain an intermediate output result output by the neural network layer;
a second input module 906 configured to input the intermediate output result into the result output network layer, and obtain a prediction result output by the result output network layer;
a training module 908 configured to train the result output network layer by utilizing the image training label corresponding to the image training sample and the prediction result until a target neural network model meeting the training stop condition is obtained.
In summary, the device provides, in the image processing model, a result output network layer associated with the neural network layer, and inputs the intermediate output result output by the neural network layer into the result output network layer. When the prediction result output by the result output network layer meets the preset result condition, that prediction result is output as the output result of the image processing model, so that prediction can be ended early and dynamically when the image processing model is used for image processing; the model thus has the capability of finishing prediction in advance. Because the prediction result is output by a randomly selected result output network layer, the probability of being affected by a bit-flip attack is reduced: a neural network layer hit by a bit-flip attack is ignored during model prediction, which reduces the influence of a bit-flip attack on the parameters of any one neural network layer in the image processing model. Defense against bit-flip attacks is thereby realized, model prediction errors caused by bit-flip attacks are avoided, and the prediction accuracy of the model is ensured.
The above is a schematic scheme of a neural network model training device of the present embodiment. It should be noted that the technical solution of the neural network model training device and the technical solution of the neural network model training method belong to the same concept; for details of the technical solution of the neural network model training device that are not described in detail, reference may be made to the description of the technical solution of the neural network model training method.
Fig. 10 illustrates a block diagram of a computing device 1000 provided in accordance with one embodiment of the present description. The components of the computing device 1000 include, but are not limited to, a memory 1010 and a processor 1020. Processor 1020 is coupled to memory 1010 via bus 1030 and database 1050 is used to store data.
Computing device 1000 also includes an access device 1040, which enables computing device 1000 to communicate via one or more networks 1060. Examples of such networks include a public switched telephone network (PSTN), a local area network (LAN), a wide area network (WAN), a personal area network (PAN), or a combination of communication networks such as the Internet. The access device 1040 may include one or more of any type of wired or wireless network interface, for example a network interface card (NIC), an IEEE 802.11 wireless local area network (WLAN) interface, a Worldwide Interoperability for Microwave Access (Wi-MAX) interface, an Ethernet interface, a universal serial bus (USB) interface, a cellular network interface, a Bluetooth interface, a near-field communication (NFC) interface, and so forth.
In one embodiment of the present application, the above-described components of computing device 1000, as well as other components not shown in FIG. 10, may also be connected to each other, such as by a bus. It should be understood that the block diagram of the computing device illustrated in FIG. 10 is for exemplary purposes only and is not intended to limit the scope of the present application. Those skilled in the art may add or replace other components as desired.
Computing device 1000 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), a mobile phone (e.g., smart phone), a wearable computing device (e.g., smart watch, smart glasses, etc.), or another type of mobile device, or a stationary computing device such as a desktop computer or personal computer (PC). Computing device 1000 may also be a mobile or stationary server.
The processor 1020 is configured to execute computer-executable instructions that, when executed by the processor, perform the steps of the methods described above.
The foregoing is a schematic illustration of a computing device of this embodiment. It should be noted that the technical solution of the computing device and the technical solution of the method belong to the same concept; for details of the technical solution of the computing device that are not described in detail, reference may be made to the description of the technical solution of the method.
An embodiment of the present disclosure also provides a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, perform the steps of the above-described method.
The above is an exemplary scheme of a computer-readable storage medium of the present embodiment. It should be noted that the technical solution of the storage medium and the technical solution of the method belong to the same concept; for details of the technical solution of the storage medium that are not described in detail, reference may be made to the description of the technical solution of the method.
An embodiment of the present specification also provides a computer program, wherein the computer program, when executed in a computer, causes the computer to perform the steps of the above method.
The above is an exemplary scheme of a computer program of the present embodiment. It should be noted that the technical solution of the computer program and the technical solution of the method belong to the same concept; for details of the technical solution of the computer program that are not described in detail, reference may be made to the description of the technical solution of the method.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The computer instructions include computer program code, which may be in source code form, object code form, an executable file, some intermediate form, or the like. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content contained in the computer-readable medium may be added to or reduced as appropriate according to the requirements of legislation and patent practice in the relevant jurisdiction; for example, in certain jurisdictions, in accordance with legislation and patent practice, the computer-readable medium does not include electrical carrier signals and telecommunications signals.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions, but it should be understood by those skilled in the art that the embodiments are not limited by the order of actions described, as some steps may be performed in other order or simultaneously according to the embodiments of the present disclosure. Further, those skilled in the art will appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily all required for the embodiments described in the specification.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are merely used to help clarify the present specification. Alternative embodiments are not intended to be exhaustive or to limit the invention to the precise form disclosed. Obviously, many modifications and variations are possible in light of the teaching of the embodiments. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the invention. This specification is to be limited only by the claims and the full scope and equivalents thereof.

Claims (14)

1. An image processing method applied to an image processing model, the image processing model comprising a neural network layer and a result output network layer associated with the neural network layer, the method comprising:
inputting an image to be processed into the image processing model, and processing the image to be processed by utilizing the neural network layer to obtain an intermediate output result output by the neural network layer;
inputting the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer;
and, in the case that the prediction result meets a preset result condition, determining the prediction result as a target prediction result of the image to be processed.
2. The method of claim 1, wherein there are at least two neural network layers;
correspondingly, the processing the image to be processed by utilizing the neural network layer to obtain an intermediate output result output by the neural network layer comprises:
inputting the image to be processed into an ith neural network layer to obtain a jth intermediate output result output by the ith neural network layer, wherein i ∈ [1, n], and i and j start from 1;
determining whether i is greater than or equal to n; if not, incrementing i by 1;
inputting the jth intermediate output result into the ith neural network layer to obtain a (j+1)th intermediate output result output by the ith neural network layer;
determining whether i is greater than or equal to n; if not, incrementing i by 1 and j by 1, and continuing to execute the step of inputting the jth intermediate output result into the ith neural network layer to obtain the (j+1)th intermediate output result output by the ith neural network layer.
3. The method of claim 2, wherein there are at least two result output network layers;
correspondingly, the inputting the intermediate output result into the result output network layer to obtain the prediction result output by the result output network layer comprises:
inputting the jth intermediate output result into an ith result output network layer to obtain a jth prediction result output by the ith result output network layer, wherein the ith result output network layer is associated with the ith neural network layer;
determining whether i is greater than or equal to n; if not, incrementing i by 1 and j by 1, and continuing to execute the step of inputting the jth intermediate output result into the ith result output network layer to obtain the jth prediction result output by the ith result output network layer.
4. The method of claim 3, wherein the determining the prediction result as a target prediction result of the image to be processed in the case that the prediction result meets a preset result condition comprises:
determining the confidence of a first prediction result, wherein the first prediction result is one of the prediction results output by the at least two result output network layers;
and, in the case that the confidence of the first prediction result is greater than a preset confidence threshold, obtaining the target prediction result of the image to be processed that is output by the image processing model.
5. The method of claim 4, further comprising, prior to determining the confidence of the first prediction result:
determining a preset number of first result output network layers from the at least two result output network layers, and determining a first prediction result output by the first result output network layers, wherein the first result output network layer is one of the at least two result output network layers.
6. The method of any of claims 1-5, wherein the training of the image processing model comprises:
determining a neural network layer of an initial image processing model, and adding a result output network layer after the neural network layer to obtain a target image processing model;
inputting an image training sample into the neural network layer to obtain an intermediate output result output by the neural network layer;
inputting the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer;
and training the result output network layer by utilizing the image training label corresponding to the image training sample and the prediction result until a target image processing model meeting the training stop condition is obtained.
7. The method of claim 6, wherein there are at least two neural network layers;
correspondingly, the inputting the image training sample into the neural network layer to obtain an intermediate output result output by the neural network layer comprises:
inputting the image training sample into an ith neural network layer to obtain a jth intermediate output result output by the ith neural network layer, wherein i ∈ [1, n], and i and j start from 1;
determining whether i is greater than or equal to n; if not, incrementing i by 1;
inputting the jth intermediate output result into the ith neural network layer to obtain a (j+1)th intermediate output result output by the ith neural network layer;
determining whether i is greater than or equal to n; if not, incrementing i by 1 and j by 1, and continuing to execute the step of inputting the jth intermediate output result into the ith neural network layer to obtain the (j+1)th intermediate output result output by the ith neural network layer.
8. The method of claim 7, wherein there are at least two result output network layers;
the inputting the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer comprises:
inputting the jth intermediate output result into an ith result output network layer to obtain a jth prediction result output by the ith result output network layer, wherein the ith result output network layer is associated with the ith neural network layer;
determining whether i is greater than or equal to n; if not, incrementing i by 1 and j by 1, and continuing to execute the step of inputting the jth intermediate output result into the ith result output network layer to obtain the jth prediction result output by the ith result output network layer.
9. The method of claim 8, wherein training the result output network layer by using the image training label corresponding to the image training sample and the prediction result until a target image processing model satisfying a training stop condition is obtained, comprises:
and training the jth result output network layer by utilizing the image training label corresponding to the image training sample and the jth predicted result until a target image processing model meeting the training stop condition is obtained.
10. The method of claim 6, wherein, after the determining a neural network layer of an initial image processing model and adding a result output network layer after the neural network layer to obtain a target image processing model, the method further comprises:
constructing a flipped-sample providing model according to the initial image processing model, wherein the flipped-sample providing model comprises a neural network layer;
inputting an image training sample into the neural network layer to obtain a flipped training sample output by the neural network layer;
and training the result output network layer of the initial image processing model by utilizing the flipped training sample and the image training label corresponding to the image training sample, to obtain a target image processing model comprising the neural network layer of the initial image processing model and the trained result output network layer.
11. The method of claim 10, wherein the constructing a flipped-sample providing model according to the initial image processing model comprises:
copying the initial image processing model, determining target bits corresponding to model parameters in the copied initial image processing model, and flipping the target bits to obtain a flipped-sample providing model.
12. The method according to claim 11, wherein the determining the target bits corresponding to the model parameters in the copied initial image processing model and flipping the target bits to obtain the flipped-sample providing model comprises:
determining at least two bits corresponding to model parameters in the copied initial image processing model;
calculating a gradient value of a first bit according to a preset algorithm, wherein the first bit is one of the at least two bits;
in the case that the gradient value of the first bit is greater than a preset gradient value threshold, determining the first bit as a target bit, and flipping the target bit to obtain a flipped initial image processing model;
and determining at least two bits corresponding to model parameters in the flipped initial image processing model, and continuing to execute the step of calculating the gradient value of the first bit according to a preset algorithm until a preset stopping condition is reached, to obtain a flipped-sample providing model.
13. A neural network model training method, comprising:
determining a neural network layer of an initial neural network model, and adding a result output network layer after the neural network layer to obtain a target neural network model;
inputting an image training sample into the neural network layer to obtain an intermediate output result output by the neural network layer;
inputting the intermediate output result into the result output network layer to obtain a prediction result output by the result output network layer;
and training the result output network layer by utilizing the image training label corresponding to the image training sample and the prediction result until a target neural network model meeting the training stop condition is obtained.
14. A computing device, comprising:
a memory and a processor;
the memory is configured to store computer executable instructions, the processor being configured to execute the computer executable instructions, which when executed by the processor, implement the steps of the method of any one of claims 1 to 12 or 13.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310093433.5A CN116415631A (en) 2023-01-30 2023-01-30 Image processing method and device

Publications (1)

Publication Number Publication Date
CN116415631A (en) 2023-07-11

Family

ID=87050515

Country Status (1)

Country Link
CN (1) CN116415631A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination