CN116452923B - Cooperative defense strategy and system for attack resistance - Google Patents

Publication number
CN116452923B
Authority
CN
China
Prior art keywords
image
network
classification
neural network
detection result
Prior art date
Legal status
Active
Application number
CN202310716466.0A
Other languages
Chinese (zh)
Other versions
CN116452923A (en)
Inventor
朱仕翰
Current Assignee
Anhui University
Original Assignee
Anhui University
Priority date
Filing date
Publication date
Application filed by Anhui University
Priority to CN202310716466.0A
Publication of CN116452923A
Application granted
Publication of CN116452923B
Legal status: Active

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00Arrangements for image or video recognition or understanding
    • G06V10/70Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/77Processing image or video features in feature spaces; using data integration or data reduction, e.g. principal component analysis [PCA] or independent component analysis [ICA] or self-organising maps [SOM]; Blind source separation
    • G06V10/774Generating sets of training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06TIMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T3/00Geometric image transformations in the plane of the image
    • G06T3/40Scaling of whole images or parts thereof, e.g. expanding or contracting
    • G06T3/4053Scaling of whole images or parts thereof, e.g. expanding or contracting based on super-resolution, i.e. the output image resolution being higher than the sensor resolution
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06TIMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T5/00Image enhancement or restoration
    • G06T5/70Denoising; Smoothing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06TIMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T5/00Image enhancement or restoration
    • G06T5/77Retouching; Inpainting; Scratch removal
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00Arrangements for image or video recognition or understanding
    • G06V10/70Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/764Arrangements for image or video recognition or understanding using pattern recognition or machine learning using classification, e.g. of video objects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00Arrangements for image or video recognition or understanding
    • G06V10/70Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/82Arrangements for image or video recognition or understanding using pattern recognition or machine learning using neural networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06TIMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T2207/00Indexing scheme for image analysis or image enhancement
    • G06T2207/20Special algorithmic details
    • G06T2207/20081Training; Learning
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06TIMAGE DATA PROCESSING OR GENERATION, IN GENERAL
    • G06T2207/00Indexing scheme for image analysis or image enhancement
    • G06T2207/20Special algorithmic details
    • G06T2207/20084Artificial neural networks [ANN]
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02TCLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00Road transport of goods or passengers
    • Y02T10/10Internal combustion engine [ICE] based vehicles
    • Y02T10/40Engine management systems

Abstract

The invention provides a cooperative defense strategy and system against adversarial attacks. The method comprises the following steps: training an adversarial sample detector; acquiring an image to be processed; detecting whether the image to be processed is an adversarial sample with the trained adversarial sample detector to obtain a detection result; if the detection result is "no", delivering the image to be processed directly to the target deep neural network for image classification; if the detection result is "yes", denoising the region of interest of the image to be processed to obtain a denoised image, then performing super-resolution reconstruction on the denoised image to obtain a restored image, and finally delivering the restored image to the target deep neural network for image classification. The method is suitable for deployment in real application scenarios, has low time cost, and can effectively defend against various types of adversarial samples.

Description

Cooperative defense strategy and system for attack resistance
Technical Field
The invention relates to the technical field of artificial intelligence security, in particular to a cooperative defense strategy and system against adversarial attacks.
Background
The use of artificial intelligence technology in various fields has evolved rapidly in recent years and has penetrated everyone's life. Deep neural networks, an important branch of artificial intelligence, have also achieved great success in many areas and are widely used in important systems such as computer vision, speech recognition, natural language processing, bioinformatics, autonomous driving, face recognition, traffic monitoring, medical image processing, and expert systems.
Deep learning performs impressively in many fields; however, researchers have found that deep neural networks are extremely vulnerable to adversarial samples. An adversarial sample is a deliberate, minor modification of the raw data that causes a model based on a deep neural network to output a wrong result, potentially with catastrophic consequences. These perturbations are typically imperceptible to the human eye, yet classification models output the wrong result with a high degree of confidence.
Research on defending against adversarial samples mainly comprises two approaches: robust defense and detection defense. The purpose of robust defense is to make the model classify adversarial samples correctly; however, most robust defense methods have high time cost and poor classification performance, have difficulty defending against multiple attack algorithms at the same time, and reduce the classification accuracy of the inference model on clean samples. Detection defense aims to distinguish real samples from adversarial samples; although its time cost is low, in many application scenarios it is not enough merely to detect an adversarial sample, and the true class of the adversarial sample must also be known. For example, in intelligent driving, if the safety system only detects that a roadside speed-limit sign is an adversarial sample, blindly stopping the vehicle is dangerous, whereas if the true class of the adversarial sample can be recognized, many accidents can be avoided.
Given the insufficient defense capability and excessively high time cost of existing adversarial sample defense methods, a defense method that is applicable to practical application scenarios, has lower time cost, and can effectively defend against various types of adversarial samples is urgently needed.
Disclosure of Invention
(I) Solving the technical problems
In order to solve the technical problems described in the background, the invention provides a cooperative defense strategy and system against adversarial attacks. The method combines the advantages of detection defense and robust defense, has low time cost, enables the model to classify adversarial samples accurately, hardly affects the classification accuracy of clean samples, and is suitable for deployment in real application scenarios.
(II) technical scheme
The invention provides a cooperative defense strategy and system against adversarial attacks.
Specifically, the invention is realized by the following technical scheme.
According to a first aspect of an embodiment of the present invention, there is provided a cooperative defense strategy against adversarial attacks, comprising:
training an adversarial sample detector; in the training process of the adversarial sample detector, joint training is carried out with a binary discrimination network, the original data and the noise data; the basic part of the detector is a binary discrimination network, on which the network model is trained with the original data and the noise data together; the noise data comprises data with random noise added and adversarial samples generated by different attack algorithms;
acquiring an image to be processed;
detecting whether the image to be processed is an adversarial sample with the trained adversarial sample detector to obtain a detection result;
according to the detection result, if the detection result is "no", delivering the image to be processed directly to the target deep neural network for image classification;
according to the detection result, if the detection result is "yes", acquiring the neural network's region of interest from the image to be processed, where the region of interest is obtained from the visualization result of a robust class activation mapping technique;
denoising the region of interest to obtain a denoised image;
performing super-resolution reconstruction on the denoised image to obtain a restored image;
and sending the restored image into the target deep neural network for image classification.
According to a second aspect of an embodiment of the present invention, there is provided a cooperative defense system against adversarial attacks, including front-end acquisition equipment and back-end processing equipment, wherein:
the front-end acquisition equipment is used for acquiring images;
the back-end processing equipment comprises detection defense equipment, robust defense equipment and a target deep neural network;
the detection defense equipment is used for acquiring the image acquired by the front-end acquisition equipment;
the detection defense equipment is also used for detecting whether the acquired image is an adversarial sample with the trained adversarial sample detector to obtain a detection result; in the training process of the adversarial sample detector, joint training is carried out with a binary discrimination network, the original data and the noise data, wherein the basic part of the detector is a binary discrimination network, on which the network model is trained with the original data and the noise data together; the noise data comprises data with random noise added and adversarial samples generated by different attack algorithms;
the robust defense equipment is used for acquiring the detection result of the detection defense equipment on the acquired image;
the robust defense equipment is also used for processing the acquired image according to the detection result; if the detection result is "no", the acquired image is delivered directly to the target deep neural network for image classification; if the detection result is "yes", the neural network's region of interest is acquired from the acquired image, where the region of interest is obtained from the visualization result of a robust class activation mapping technique; the region of interest is denoised to obtain a denoised image; super-resolution reconstruction is performed on the denoised image to obtain a restored image; and the restored image is sent into the target deep neural network for image classification to obtain a classification result;
the target deep neural network is used for obtaining the classification result of an acquired image whose detection result is "no";
the target deep neural network is further used for obtaining the classification result of the restored image;
the target deep neural network is also used as the target network under attack during the training of the adversarial sample detector.
Compared with the prior art, the technical scheme provided by the invention has the following beneficial technical effects:
1. Selection of a region of interest is added. Whereas denoising in the prior art is applied to the whole image, the invention tries to find the area to which the adversarial perturbation was likely added, thereby reducing the loss of image precision and texture detail caused by denoising;
2. A cooperative defense strategy combining detection defense and robust defense is proposed. Because detection defense is added before image classification, only adversarial samples need to undergo robust defense, so the precision loss that robust defense causes on clean images is avoided; robust defense requires a large amount of time, and the short-time detection defense greatly shortens the overall time cost of adversarial sample defense. The strategy does not require retraining the target network and is suitable for deployment in practical applications.
Drawings
FIG. 1 is a schematic flow diagram of a cooperative defense strategy against adversarial attacks;
FIG. 2 is a schematic diagram of a cooperative defense system against adversarial attacks;
FIG. 3 is a schematic diagram of the adversarial sample detector training process;
FIG. 4 is a schematic diagram of the adversarial sample detection process;
FIG. 5 is a visual illustration of region-of-interest selection in the robust defense;
FIG. 6 is a visual schematic diagram of implementation example 1 passing through the cooperative defense against adversarial attacks;
FIG. 7 is a visual schematic diagram of implementation example 2 passing through the cooperative defense against adversarial attacks.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the invention. Rather, they are merely examples of systems and policies that are consistent with aspects of the invention as detailed in the accompanying claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to better understand the technical solution provided by the embodiments of the present invention and make the above objects, features and advantages of the embodiments of the present invention more obvious, the technical solution in the embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, a flow chart of a cooperative defense strategy against adversarial attacks according to an embodiment of the present invention is shown; the cooperative defense strategy may include the following steps:
S1: Pretraining a robust adversarial sample detector.
By way of example, if the detector is trained with the adversarial sample set alone, it overfits: its performance on real data is far below that on the training set. In order to enhance the generalization capability of the detector, the embodiment of the invention combines adversarial training with a binary discrimination network: the adversarial sample set is added to the joint training of an unsupervised detector that generalizes better, the advantages of the discrimination network improve the generalization of adversarial training, adversarial training improves the optimization efficiency of the discrimination network, and the two reinforce each other so as to improve the robustness of the detector.
In this embodiment, the binary discrimination network model mainly comprises two components; the basic component is a binary discrimination network D, i.e. the adversarial sample detector. On the discrimination network D, the network model is trained with the original data and the noise data together, and the network is continuously optimized through the set discrimination objective function, thereby improving the detection capability of the discrimination network. Here, the noise data includes data with random noise added and adversarial samples generated by different attack algorithms. The present embodiment selects the noise coefficient in [0.01, 0.30]; since the noise coefficient is continuous, 7 values at intervals of 0.05 are selected as the noise coefficients for training the discrimination model, and the corresponding noise is added to the original images. The adversarial sample set is produced by attack algorithms that pose a threat to neural network classifiers, e.g. the Fast Gradient Sign Method (FGSM), the iterative attack BIM and the optimization-based attack C&W, which are responsible for generating the adversarial samples.
The objective function is key to successfully training a neural network model. The objective function of the binary discrimination network is defined over D, x and z, where D denotes the discrimination neural network, x and z are clean original data and noise data respectively, the output of D on x represents the probability that x comes from the original dataset, and the output of D on z represents the probability that z comes from the noise data. Through training, the discrimination network D outputs a higher value for a normal input sample and a lower value for noise data.
This embodiment sets different labels for the original and the noise input data. The network output for the original data is assigned the true label and the network output for the noise data is assigned the error label, and each is minimized through a cross-entropy function: for the original data, the weighted cross-entropy between the network output and the correct label P is minimized so that the output for the original data increases; for the noise data, the weighted cross-entropy between the network output and the error label Q is minimized so that the output for the noise data is reduced as far as possible. The two weights are randomly initialized.
For example, when training the discrimination network, the original data or the noise data is first fed into the discrimination network D, which produces an output. For the original data the correct label P is set, and the discrimination network is trained by minimizing the corresponding loss so that it produces higher values for original data; for the noise data the wrong label Q is set, and the corresponding loss is minimized so that the network outputs a smaller value. During training, original samples and noise samples are fed alternately, different labels are set for the outputs of the different data samples, and the corresponding loss functions are used to continuously optimize the network. The trained discrimination network outputs a value for a given input, and comparing it with a set threshold detects whether the input sample is adversarial.
In this embodiment, the detection rate of adversarial samples and the false detection rate of normal samples are considered together, and the false detection rate of the discrimination model is not set too high. Thus, for the trained binary discrimination network, the original training set x is fed into the discrimination network, all the output values are obtained and arranged from small to large, and the value at the position corresponding to 5% of the data is selected as the detection threshold.
Table 1: Discrimination network structure
For the discrimination network structure, refer to Table 1. For 3-channel color images, the discrimination network model consists of 4 convolution layers (Conv2D) and 2 fully connected layers (Linear); LeakyReLU activation functions are used between the convolution layers and the fully connected layers and between one fully connected layer and the next, and a Sigmoid activation function is used between the convolution layers. For single-channel grayscale images, the discrimination network model consists of 4 fully connected layers (Linear); each fully connected layer is followed by a LeakyReLU activation function, and Dropout layers are added between all the fully connected layers to prevent overfitting, with the Dropout coefficient set to 0.3 in this embodiment.
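The following is an added example, not code from the patent, showing how the S1 decisions above fit together once the discrimination network D exists: building the random-noise half of the noise set from a grid of noise coefficients, calibrating the detection threshold as the value at the 5% position of D's sorted outputs on the clean training set, and routing an image to the target network or to the robust-defense branch. The page gives the range [0.01, 0.30] and the count of 7 but not the exact grid, so `NOISE_COEFFS` being evenly spaced is an assumption; the discriminator scores fed to `select_threshold` are constructed stand-ins for D's outputs, and `route` is a hypothetical helper name.

```python
import numpy as np

# The patent picks 7 noise coefficients in [0.01, 0.30] at fixed intervals; the exact
# grid is not reproduced on the page, so evenly spaced values are an assumption here.
NOISE_COEFFS = np.linspace(0.01, 0.30, 7)


def make_noise_data(originals, seed=0):
    """Random-noise half of the noise set: one Gaussian-noised copy of every original
    per noise coefficient (the adversarial half would come from attack algorithms)."""
    rng = np.random.default_rng(seed)
    originals = np.asarray(originals, dtype=float)
    noisy = [np.clip(originals + rng.normal(0.0, sigma, originals.shape), 0.0, 1.0)
             for sigma in NOISE_COEFFS]
    return np.concatenate(noisy, axis=0)


def select_threshold(clean_scores, fraction=0.05):
    """Detection threshold as described in S1: sort D's outputs on the clean training
    set from small to large and take the value at the 5% position, so that only
    about 5% of clean samples are flagged."""
    ordered = np.sort(np.asarray(clean_scores, dtype=float))
    idx = min(int(np.floor(fraction * len(ordered))), len(ordered) - 1)
    return float(ordered[idx])


def detect(score, threshold):
    """D outputs a high value for clean data and a low value for noise data, so a
    score below the threshold means 'yes' (adversarial) and otherwise 'no'."""
    return "yes" if score < threshold else "no"


def false_detection_rate(clean_scores, threshold):
    """Fraction of clean samples the chosen threshold wrongly flags as adversarial."""
    scores = np.asarray(clean_scores, dtype=float)
    return float(np.mean(scores < threshold))


def route(score, threshold):
    """Steps S3-S5: clean images go straight to the target classifier; flagged images
    enter the robust-defense branch (region of interest, denoising, super-resolution)."""
    return "target_network" if detect(score, threshold) == "no" else "robust_defense"


if __name__ == "__main__":
    # Constructed discriminator outputs standing in for D's scores on a clean training set.
    clean_scores = [i / 100 for i in range(100)]
    t = select_threshold(clean_scores)
    print("threshold:", t, "false detection rate:", false_detection_rate(clean_scores, t))
    print("noise set size:", len(make_noise_data(np.full((3, 4), 0.5))))
```

Because the threshold is taken from clean data only, the false detection rate on that data is fixed at roughly 5% regardless of how strong the attacks are; the detection rate on adversarial samples is then whatever D's separation allows, which is why the page balances the two rather than pushing the threshold up.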
S2: and acquiring an image to be processed.
By way of example, the image to be processed may include, but is not limited to, an image acquired in real time by a front-end acquisition device or a back-end stored image.
S3: and detecting the countermeasure sample according to the trained countermeasure sample detector, so as to obtain a detection result.
For example, the image a to be processed is sent into the countersample detector, and the detection result is 'no', which indicates that the detector detects the image as a clean sample; the image b to be processed is sent to the challenge sample detector, and the detection result is yes, which indicates that the detector detects the image as a challenge sample.
S4: and according to the detection result, if the detection result is NO, directly delivering the image to be processed to a target deep neural network for image classification.
S5: according to the detection result, if the detection result is yes, acquiring a neural network attention area of the image to be processed; in the process of acquiring the region of interest, the mapping technology is activated according to the visual result of the robust class.
Illustratively, the embodiment of the invention adopts a robust class activation mapping technique to find the region of interest. Class activation mapping (CAM) is a tool that helps visualize CNNs: using CAM, it can be observed clearly which area of the picture the target network attends to. For example, when the network identifies a firearm, CAM shows which part of the picture the network focuses on and from which part the classification result is derived. Typically, CAM obtains the mapping for the class to which the model assigns the highest probability. However, when there is an adversarial perturbation in the input, the class with the highest probability may be wrong. An adversarial sample that successfully changes the most likely class tends to leave the other classes among the top k unchanged, and these are synonyms or close relatives of the primary class. For example, an adversarial attack may cause an "African elephant" image to be misclassified as "hippopotamus", while the class names with the second and third highest probabilities, "Indian elephant" and "Asian elephant", are unchanged. Therefore, in order to obtain a mapping that is robust to fluctuations of the most likely class, embodiments of the present invention take an exponentially weighted average of the mappings of the top k classes.
For example, for a given input picture, consider the activation of the kth unit of the last convolution layer at each spatial coordinate. For the kth unit, the global pooled result is the sum of its activations over all spatial coordinates. For each category c, the input to the Softmax layer is the sum over k of the pooled results weighted by the weight of the kth unit for category c, which indicates the importance of that unit's pooled result to category c. Substituting the pooled result into the Softmax input expresses it as a sum over spatial coordinates of the per-location weighted activations. The class activation map for class c is then defined so that each spatial element is the sum over k of the kth unit's activation at that location weighted by the unit's weight for class c. In order to obtain a mapping that is robust to fluctuations of the most likely class, the mappings of the top k classes are exponentially weighted and averaged.
The value of k depends on the total number of classes; for example, the ImageNet dataset contains 1000 classes, and k=5 is selected in the embodiment of the invention. Non-maximum suppression is used to avoid nearly overlapping observations, the local maxima obtained are binarized, and finally the size of the region of interest is controlled by thresholding.
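As an added example that is not part of the patent, the block below implements the region-of-interest selection just described in NumPy: the CAM derivation (pooled activations, class scores, per-class map), the exponentially weighted average over the top-k classes, and non-maximum suppression plus thresholding of the resulting map. The page states that the top-k maps are exponentially weighted but does not give the weights, so the geometric weights `decay ** rank` are an assumption; growing the region a fixed `radius` around each surviving maximum is also an assumption about how the region's size is controlled. The feature maps and class weights in `demo` are constructed so that the result can be checked by hand.

```python
import numpy as np


def class_scores(features, weights):
    """Softmax inputs S_c = sum_k w_k^c F_k, where F_k is the global pooled (summed)
    activation of unit k of the last convolution layer.
    features: (K, H, W) activations, weights: (C, K) final-layer weights."""
    pooled = features.sum(axis=(1, 2))          # F_k
    return weights @ pooled                     # S_c for every class c


def class_activation_map(features, weights, c):
    """CAM for class c: M_c(x, y) = sum_k w_k^c f_k(x, y)."""
    return np.tensordot(weights[c], features, axes=(0, 0))


def robust_cam(features, weights, k=5, decay=0.5):
    """Exponentially weighted average of the CAMs of the top-k classes, so that a
    wrong top-1 class caused by an adversarial perturbation does not dominate.
    Geometric weights decay**rank are an assumption (not given on the page)."""
    scores = class_scores(features, weights)
    top = np.argsort(-scores, kind="stable")[:k]
    coeffs = decay ** np.arange(len(top))
    coeffs = coeffs / coeffs.sum()
    cam = np.zeros(features.shape[1:])
    for a, c in zip(coeffs, top):
        cam += a * class_activation_map(features, weights, c)
    return cam, top.tolist()


def region_of_interest(cam, window=3, keep=0.5, radius=1):
    """Non-maximum suppression (keep only local maxima of the map), binarization by a
    threshold at 'keep' of the map's range, then growth by 'radius' pixels around each
    surviving maximum to control the region's size (growth rule is an assumption)."""
    h, w = cam.shape
    pad = window // 2
    padded = np.pad(cam, pad, mode="constant", constant_values=-np.inf)
    local_max = np.zeros((h, w), dtype=bool)
    for i in range(h):
        for j in range(w):
            local_max[i, j] = cam[i, j] >= padded[i:i + window, j:j + window].max()
    thresh = cam.min() + keep * (cam.max() - cam.min())
    seeds = local_max & (cam >= thresh)
    roi = np.zeros((h, w), dtype=bool)
    for i, j in zip(*np.nonzero(seeds)):
        roi[max(0, i - radius):i + radius + 1, max(0, j - radius):j + radius + 1] = True
    return roi


def demo():
    """Constructed feature maps: unit 0 fires at (1,1), unit 1 at (4,4), unit 2 weakly
    everywhere; class c reads unit c, so class 0 is top-1 and class 1 the runner-up."""
    features = np.zeros((4, 6, 6))
    features[0, 1, 1] = 5.0
    features[1, 4, 4] = 3.0
    features[2, :, :] = 0.05
    weights = np.eye(3, 4)                      # class c weights only unit c
    cam, top = robust_cam(features, weights, k=2)
    roi = region_of_interest(cam)
    return {"top": top, "peak": round(float(cam[1, 1]), 4),
            "roi_pixels": int(roi.sum()), "roi_covers_peak": bool(roi[1, 1]),
            "roi_covers_runner_up": bool(roi[4, 4])}


if __name__ == "__main__":
    print(demo())
```

In the constructed case the top-2 classes are 0 and 1, the averaged map peaks at (1,1) with value 2/3 * 5, and with `keep=0.5` the runner-up's maximum at (4,4) falls below the threshold, so the region of interest is the 3x3 block around (1,1). Raising `k` or lowering `decay` spreads weight over more classes, which is what makes the map robust when the top-1 class has been flipped by a perturbation.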
S6: and denoising according to the region of interest to obtain a denoised image.
By way of example, since all counterattack attacks add noise to an image in the form of deliberate disturbances, effective image denoising techniques can mitigate the effects of these disturbances to a large extent. However, image denoising in the spatial or frequency domain can result in loss of texture detail, which is detrimental to achieving performance objectives on the denoised image that are similar to those of a clean image, and thus embodiments of the present invention narrow the range of denoising, denoising only the region of interest.
Illustratively, the embodiment of the invention adopts wavelet denoising to denoise the region of interest, and the adopted Bayesian contraction algorithm is an adaptive method of wavelet soft threshold, and uses different thresholds for each wavelet subband by considering Gaussian noise. For exampleFor a certain clean image, the corresponding challenge sample is +.>There is->,/>Is an added disturbance. Is provided with->Is a wavelet transformation against the sample image due to +.>And->Independent of each other, is provided with->、/>、/>The corresponding variance is->、/>And->There is->Wavelet subband variance estimation for a challenge sample imageWherein->For subband wavelet, M is the total number of wavelet coefficients in the subband, and the calculation formula of the soft threshold is:
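The block below is an added example, not the patent's code, of the S6 step: a one-level orthonormal Haar transform written out in NumPy (so the example runs without a wavelet library), the standard BayesShrink rule per subband (noisy-coefficient variance as the mean of squared coefficients, signal variance as the difference from the noise variance, soft threshold equal to noise variance over signal standard deviation), and restriction of the result to the region of interest. The page does not say how the perturbation variance is estimated, so the median-absolute-deviation estimate on the HH subband is an assumption; the two-tone 16x16 image, the Gaussian perturbation and the left-half region in `demo` are constructed test data.

```python
import numpy as np


def haar2d(img):
    """One-level orthonormal 2-D Haar transform -> (LL, LH, HL, HH); dims must be even."""
    a, b = img[0::2, 0::2], img[0::2, 1::2]
    c, d = img[1::2, 0::2], img[1::2, 1::2]
    return ((a + b + c + d) / 2, (a - b + c - d) / 2,
            (a + b - c - d) / 2, (a - b - c + d) / 2)


def ihaar2d(ll, lh, hl, hh):
    """Inverse of haar2d."""
    out = np.empty((ll.shape[0] * 2, ll.shape[1] * 2))
    out[0::2, 0::2] = (ll + lh + hl + hh) / 2
    out[0::2, 1::2] = (ll - lh + hl - hh) / 2
    out[1::2, 0::2] = (ll + lh - hl - hh) / 2
    out[1::2, 1::2] = (ll - lh - hl + hh) / 2
    return out


def estimate_noise_sigma(hh):
    """Robust estimate of the perturbation's std from the HH subband (median absolute
    deviation / 0.6745, the usual BayesShrink choice; not stated on the page)."""
    return float(np.median(np.abs(hh)) / 0.6745)


def bayes_shrink(sub, sigma_n):
    """BayesShrink soft threshold for one subband: sigma_y^2 = (1/M) sum Y^2,
    sigma_x = sqrt(max(sigma_y^2 - sigma_n^2, 0)), T = sigma_n^2 / sigma_x."""
    sigma_y2 = float(np.mean(sub ** 2))
    sigma_x = np.sqrt(max(sigma_y2 - sigma_n ** 2, 0.0))
    if sigma_x == 0.0:
        return np.zeros_like(sub)              # the subband carries noise only
    t = sigma_n ** 2 / sigma_x
    return np.sign(sub) * np.maximum(np.abs(sub) - t, 0.0)


def denoise_roi(img, roi):
    """Denoise in the wavelet domain, then keep the result only inside the region of
    interest so that texture detail elsewhere is left untouched."""
    ll, lh, hl, hh = haar2d(img)
    sigma_n = estimate_noise_sigma(hh)
    den = ihaar2d(ll, bayes_shrink(lh, sigma_n), bayes_shrink(hl, sigma_n),
                  bayes_shrink(hh, sigma_n))
    out = img.copy()
    out[roi] = den[roi]
    return out


def demo(seed=0):
    """Constructed 16x16 two-tone image plus Gaussian perturbation (sigma 0.1); the
    region of interest is the left half. Returns (mean abs error inside the region
    before, after, and whether pixels outside the region are unchanged)."""
    rng = np.random.default_rng(seed)
    clean = np.full((16, 16), 0.2)
    clean[:, 8:] = 0.8
    adv = clean + rng.normal(0.0, 0.1, clean.shape)
    roi = np.zeros(clean.shape, dtype=bool)
    roi[:, :8] = True
    restored = denoise_roi(adv, roi)
    before = float(np.abs(adv - clean)[roi].mean())
    after = float(np.abs(restored - clean)[roi].mean())
    untouched = bool(np.array_equal(restored[~roi], adv[~roi]))
    return before, after, untouched


if __name__ == "__main__":
    print(demo())
```

The threshold grows as the estimated signal variance in a subband shrinks, so subbands that hold mostly perturbation are almost entirely zeroed while subbands with real structure keep their large coefficients; applying the result only inside the region of interest is what limits the texture loss the page warns about.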
s7: and carrying out super-resolution reconstruction according to the denoising image to obtain a restored image.
By way of example, considering that the anti-noise is typically added to the attacked image in the form of a high frequency signal, one feature of the super-resolution algorithm is to add a high frequency signal to the whole image, thereby counteracting the effect of the anti-noise, and the super-resolution algorithm improves the resolution of the image so that the restored image maintains details close to the original image.
Exemplary, embodiments of the present invention use EDSR as the super-resolution network.
S8: and sending the restored image into a target deep neural network for image classification.
Referring to fig. 2, a schematic structural diagram of a cooperative defense system against adversarial attacks according to an embodiment of the present invention is shown; it may be divided as follows:
The system comprises front-end acquisition equipment and back-end processing equipment, wherein the back-end processing equipment consists of detection defense equipment, robust defense equipment and a target deep neural network.
The front-end acquisition equipment is used for image acquisition.
The detection defense equipment is used for acquiring the image acquired by the front-end acquisition equipment.
The detection defense equipment is also used for detecting whether the acquired image is an adversarial sample with the trained adversarial sample detector to obtain a detection result; in the training process of the adversarial sample detector, joint training is carried out with a binary discrimination network, the original data and the noise data; the basic part of the detector is a binary discrimination network, on which the network model is trained with the original data and the noise data together; the noise data comprises data with random noise added and adversarial samples generated by different attack algorithms.
The robust defense equipment is used for acquiring the detection result of the detection defense equipment on the acquired image.
The robust defense equipment is also used for processing the acquired image according to the detection result; if the detection result is "no", the image to be processed is delivered directly to the target deep neural network for image classification; if the detection result is "yes", the neural network's region of interest is acquired from the acquired image, where the region of interest is obtained from the visualization result of a robust class activation mapping technique; the region of interest is denoised to obtain a denoised image; super-resolution reconstruction is performed on the denoised image to obtain a restored image; and the restored image is sent into the target deep neural network for image classification to obtain a classification result.
The target deep neural network is used for obtaining the classification result of an acquired image whose detection result is "no".
The target deep neural network is further used for obtaining the classification result of the restored image.
The target deep neural network is also used as the target network under attack during the training of the adversarial sample detector.
Please refer to fig. 6, a schematic visualization of implementation example 1 passing through the cooperative defense against adversarial attacks. Implementation example 1 is a natural image. First, implementation example 1 is sent into the trained adversarial sample detector, and the detector returns the result "no", which indicates that implementation example 1 is detected as a clean image; it is then sent directly to the target neural network classifier, which obtains the corresponding correct label "cinquefoil in mecca".
Please refer to fig. 7, a schematic visualization of implementation example 2 passing through the cooperative defense against adversarial attacks. Implementation example 2 is an adversarial sample with artificially added noise. First, implementation example 2 is sent into the trained adversarial sample detector, and the detector returns the result "yes", which indicates that implementation example 2 is detected as an adversarial sample; then the region of interest of implementation example 2 is computed, the region of interest is denoised to obtain a denoised image, the denoised image is super-resolution reconstructed to obtain a restored image, and finally the restored image is sent into the target neural network classifier, which obtains the corresponding correct label "Megaku cinquefoil".
the performance of the examples of the present invention was next verified experimentally.
1. Robustness to various attack techniques
The embodiment of the invention tests the effect of the robustness defense against adversarial samples on the large ImageNet data set and compares it with other defense methods; the classification result is taken as the class with the maximum probability. The pictures selected for the experiment had a classification accuracy of 100% when not attacked, since pictures that are misclassified from the outset cannot be used to measure the effect of a defense method.
Table 2: ImageNet data set, defense effect against various attack methods (Inception v3 model)
Table 3: ImageNet data set, comparison with other defense methods (Inception v3 model)
2. Capability of detecting adversarial samples
The embodiment of the invention tests the detection capability for adversarial samples. VGG11 and Inception V3 are adopted as the target network F in the experiment, and the detection effect against several attack algorithms (FGSM, PGD, C&W, BIM) on these target networks is compared and analyzed.
Table 4: MNIST data set, single-attack detection effect
Table 5: MNIST data set, mixed-attack detection effect
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (4)

1. A cooperative defense strategy for attack resistance, characterized in that the method comprises the following steps:
S1: pretraining an adversarial sample detector with good robustness; in the training process of the adversarial sample detector, joint training is carried out with a binary discrimination network, the original data and the noise data: the basic part of the detector is a binary discrimination network, and the original data and the noise data are used together to train the network model on that discrimination network; the noise data comprise data with added random noise and adversarial samples generated by different adversarial attack algorithms;
S2: acquiring an image to be processed;
S3: according to the adversarial sample detector with good robustness, performing adversarial sample detection on the image to be processed to obtain a detection result;
S4: if the detection result is "no", delivering the image to be processed directly to a target deep neural network for image classification;
S5: if the detection result is "yes", acquiring a neural network attention region from the image to be processed; the acquisition of the region of interest uses the class activation mapping technique. Class activation mapping is a tool that can visualize the region of interest of a neural network on the classified picture; usually it obtains the mapping for the class to which the model assigns the highest probability. However, when the input carries an adversarial perturbation, the highest-probability class may be incorrect, and considering that an adversarial sample that successfully changes the most likely class often leaves the other classes among the top k unchanged, the region of interest is calculated as follows:
for a certain input picture, let [formula] represent the activation value of the kth unit of the last convolution layer at spatial coordinates [formula]; for the kth unit, the result of global pooling [formula] is [formula]; for each category c, the input of the Softmax layer [formula] is [formula], where [formula] is the weight of the kth unit for category c and indicates the importance of [formula] to category c; substituting [formula] into [formula] gives [formula] = [formula]; define [formula] as the class activation mapping for class c, each element of which is [formula] = [formula]; in order to obtain a mapping that is robust to fluctuations of the most likely class, the mappings of the top k classes are exponentially weighted averaged to obtain [formula] = [formula]; the value of k depends on the total number of categories; non-maximum suppression is used to avoid almost overlapping observations, the obtained local maxima are binarized, and finally the region of interest is obtained by thresholding;
S6: denoising the region of interest to obtain a denoised image;
S7: performing super-resolution reconstruction on the denoised image to obtain a restored image;
S8: sending the restored image to the target deep neural network for image classification.
2. The cooperative defense strategy for attack resistance according to claim 1, wherein in step S1, during the training of the detector, the network model is trained using the original data and the noise data together, and the network is continuously optimized through the set discrimination objective function, so as to improve the detection capability of the discrimination network.
3. The cooperative defense strategy for attack resistance according to claim 1, wherein the denoising technique in step S6 is wavelet denoising with a soft threshold, applied to the region of interest.
4. A cooperative defense system for attack resistance, characterized by comprising a front-end acquisition device and a back-end processing device;
the front-end acquisition device is used to acquire images;
the back-end processing device comprises a detection defense device, a robustness defense device and a target deep neural network;
the detection defense device is used to acquire the image acquired by the front-end acquisition device;
the detection defense device is further used to perform adversarial sample detection on the acquired image according to the trained adversarial sample detector, obtaining a detection result; in the training process of the adversarial sample detector, joint training is carried out with a binary discrimination network, the original data and the noise data: the basic part of the detector is a binary discrimination network, and the original data and the noise data are used together to train the network model on that discrimination network; the noise data comprise data with added random noise and adversarial samples generated by different adversarial attack algorithms;
the robustness device is used to acquire the detection result of the detection device for the acquired image;
the robustness device is further configured to process the acquired image according to the detection result; if the detection result is "no", the acquired image is transmitted directly to the target deep neural network for image classification; if the detection result is "yes", a neural network attention region is acquired from the acquired image; the acquisition of the region of interest uses the class activation mapping technique, a tool that can visualize the region of interest of the neural network on the classified picture, and the region of interest is calculated as follows:
for a certain input picture, let [formula] represent the activation value of the kth unit of the last convolution layer at spatial coordinates [formula]; for the kth unit, the result of global pooling [formula] is [formula]; for each category c, the input of the Softmax layer [formula] is [formula], where [formula] is the weight of the kth unit for category c and indicates the importance of [formula] to category c; substituting [formula] into [formula] gives [formula] = [formula]; define [formula] as the class activation mapping for class c, each element of which is [formula] = [formula]; in order to obtain a mapping that is robust to fluctuations of the most probable class, the mappings of the top k classes are exponentially weighted averaged to obtain [formula] = [formula]; the value of k depends on the total number of categories; non-maximum suppression is used to avoid almost overlapping observations, the obtained local maxima are binarized, and finally the region of interest is obtained by thresholding;
denoising the region of interest to obtain a denoised image; performing super-resolution reconstruction on the denoised image to obtain a restored image; sending the restored image to the target deep neural network for image classification to obtain a classification result;
the target deep neural network is used to acquire the classification result of an acquired image whose detection result is "no";
the target deep neural network is further used to acquire the classification result of the restored image;
the target deep neural network is also used as the target network that is attacked during the training of the adversarial sample detector.
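The region-of-interest calculation of step S5 (claim 1) and of the robustness device (claim 4), worked through as an added example in pure Python; this is not the patent's own code. The feature map and weights are constructed toy values, and two details the page leaves open are assumptions: the top-k mappings are weighted by the softmax of their class scores, and the final binarization keeps cells at or above a fraction of the map's peak.

```python
import math

def global_pool(fmap):
    """F_k: sum of unit k's activations f_k(x, y) over all spatial positions."""
    return [sum(sum(row) for row in unit) for unit in fmap]

def class_scores(fmap, weights):
    """S_c = sum_k w_k^c * F_k: the input of the Softmax layer for each class c."""
    pooled = global_pool(fmap)
    return [sum(w * f for w, f in zip(wc, pooled)) for wc in weights]

def cam(fmap, wc):
    """M_c(x, y) = sum_k w_k^c * f_k(x, y): class activation map of one class."""
    h, w = len(fmap[0]), len(fmap[0][0])
    return [[sum(wc[k] * fmap[k][y][x] for k in range(len(fmap)))
             for x in range(w)] for y in range(h)]

def robust_cam(fmap, weights, top_k=2):
    """Exponentially weighted average of the CAMs of the top-k classes.
    Assumption: each class is weighted by the softmax of S_c over the top-k only."""
    scores = class_scores(fmap, weights)
    top = sorted(range(len(scores)), key=lambda c: -scores[c])[:top_k]
    best = max(scores[c] for c in top)            # shift keeps exp() in range
    ew = {c: math.exp(scores[c] - best) for c in top}
    z = sum(ew.values())
    maps = {c: cam(fmap, weights[c]) for c in top}
    h, w = len(fmap[0]), len(fmap[0][0])
    return [[sum(ew[c] / z * maps[c][y][x] for c in top)
             for x in range(w)] for y in range(h)]

def local_maxima(rmap):
    """Non-maximum suppression: keep positive cells that no 8-neighbour exceeds."""
    h, w = len(rmap), len(rmap[0])
    peaks = []
    for y in range(h):
        for x in range(w):
            v = rmap[y][x]
            neigh = [rmap[j][i] for j in range(max(0, y - 1), min(h, y + 2))
                     for i in range(max(0, x - 1), min(w, x + 2)) if (j, i) != (y, x)]
            if v > 0 and all(v >= n for n in neigh):
                peaks.append((y, x))
    return peaks

def region_of_interest(rmap, frac=0.5):
    """Binarise: cells at or above frac * global peak form the region (assumed rule)."""
    peak = max(max(row) for row in rmap)
    return [[1 if v >= frac * peak else 0 for v in row] for row in rmap]

# Constructed toy input: 2 units of a 4x4 last-conv feature map and the
# fully-connected weights w_k^c of 3 classes (not values from any real network).
FMAP = [[[4, 3, 0, 0], [3, 1, 0, 0], [0, 0, 0, 0], [0, 0, 0, 0]],
        [[0, 0, 0, 0], [0, 0, 0, 0], [0, 0, 1, 2], [0, 0, 2, 5]]]
WEIGHTS = [[1.0, 0.0], [0.0, 1.0], [0.5, 0.5]]

if __name__ == "__main__":
    rmap = robust_cam(FMAP, WEIGHTS)
    print("scores:", class_scores(FMAP, WEIGHTS), "peaks:", local_maxima(rmap))
    for row in region_of_interest(rmap):
        print(row)
```

With these toy values class 0 scores highest and class 2 second, so the robust map blends their two CAMs; the suppression step leaves one peak per blob and the threshold keeps only the top-left blob, which is the region the denoising of step S6 would then operate on.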
CN202310716466.0A 2023-06-16 2023-06-16 Cooperative defense strategy and system for attack resistance Active CN116452923B (en)
Publications (2)

Publication Number Publication Date
CN116452923A CN116452923A (en) 2023-07-18
CN116452923B true CN116452923B (en) 2023-09-01

Family

ID=87128881

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant