CN116665214A - Method for defending large-character-set CAPTCHAs against cracking attacks, based on adversarial examples - Google Patents


Info

Publication number: CN116665214A
Authority: CN (China)
Prior art keywords: verification code (CAPTCHA), character, model, sample, gradient
Legal status: Pending
Application number: CN202310377899.8A
Other languages: Chinese (zh)
Inventors: 王海舟, 杨涵, 傅宇成, 孙国恒, 黄骏天
Current assignee: Sichuan University
Original assignee: Sichuan University


Classifications

    • G06V30/10 Character recognition (under G06V30/00 Character recognition; recognising digital ink; document-oriented image-based pattern recognition)
    • G06F21/36 User authentication by graphic or iconic representation (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30 Authentication; G06F21/31 User authentication)
    • G06N3/0464 Convolutional networks [CNN, ConvNet] (under G06N3/00 Computing arrangements based on biological models; G06N3/02 Neural networks; G06N3/04 Architecture, e.g. interconnection topology)
    • G06N3/08 Learning methods (under G06N3/02 Neural networks)
    • G06V10/82 Image or video recognition or understanding using pattern recognition or machine learning, using neural networks (under G06V10/00; G06V10/70)
    • G06V30/19147 Obtaining sets of training patterns; bootstrap methods, e.g. bagging or boosting (under G06V30/19 Recognition using electronic means; G06V30/191 Design or setup of recognition systems or techniques; extraction of features in feature space; clustering techniques; blind source separation)
    • G06V30/19173 Classification techniques (under G06V30/19; G06V30/191)


Abstract

The invention discloses a method for defending large-character-set CAPTCHAs against cracking attacks, based on adversarial examples. First, existing large-character-set CAPTCHA images are collected from Chinese CAPTCHA service websites and labelled manually, and closely matching new CAPTCHAs are generated by imitating the crawled ones, giving an expanded CAPTCHA data set. Next, a character detection model and a character recognition model are built, and adversarial noise is generated on the characters of the CAPTCHA and on its background, based on the recognition model and the detection model respectively. Finally, adversarial characters targeting the CAPTCHA character recognition model are generated with a method that combines input transformation, a gradient-based attack and an attention mechanism. Against the threat posed by the character detection model, an ensemble adversarial-example method is used: the loss functions of several differently constructed character detection models are combined, which turns the black-box setting of those detectors into a white-box setting, and adversarial noise is generated on the CAPTCHA background to defend against the detection models.

Description

Method for defending large-character-set CAPTCHAs against cracking attacks, based on adversarial examples
Technical Field
The invention relates to the technical field of network security, in particular to a method for defending large-character-set CAPTCHAs against cracking attacks that is based on adversarial examples.
Background
A CAPTCHA is a widely used fully automated test for distinguishing whether a user is a computer program or a human. A well-designed CAPTCHA should be easy for humans to pass while excluding automated solvers written by an attacker. CAPTCHAs are deployed on most large websites and applications today and prevent, to a certain extent, malicious behaviour such as bulk registration, spam and social bots.
Although many kinds of CAPTCHA have been designed, text-based CAPTCHAs remain the most widely used because they are cheap to generate and well accepted by users, which makes them the most convenient type for both users and websites. A text-based CAPTCHA is typically a number of deliberately hard-to-read characters over a cluttered background, and the user is asked to type the characters it shows.
Unfortunately, text-based CAPTCHAs have been broken by a large body of research. One reason is that conventional text CAPTCHAs contain only English letters and digits. With such a small classification space, a text CAPTCHA is easily broken by the deep learning models that have become popular in recent years.
To address this, CAPTCHAs with larger character sets have been designed, including CAPTCHAs built from Chinese, Japanese or Korean characters. Taking Chinese as an example, a large-character-set CAPTCHA can draw on about 3755 commonly used Chinese characters; the larger character set increases the number of target classes the attacker's model must learn and so improves the security of the CAPTCHA. Such CAPTCHAs make the attacker's model harder to build and train and reduce the success rate of cracking to a certain extent.
As research has progressed, however, large-character-set CAPTCHAs also face serious security threats: in recent years the Chinese-character CAPTCHAs of several large websites have been analysed and cracked with high accuracy. Most existing defences for large-character-set CAPTCHAs focus on increasing the complexity of the CAPTCHA, which reduces its usability, and as deep learning techniques keep evolving such CAPTCHAs may still be broken by more effective methods.
Disclosure of Invention
In view of these problems, the invention aims to provide a method for defending large-character-set CAPTCHAs against cracking attacks that is based on adversarial examples and differs from existing approaches that increase the complexity of the CAPTCHA. The technical solution is as follows:
A method for defending large-character-set CAPTCHAs against cracking attacks, based on adversarial examples, comprising the following steps:
Step 1: Collect existing large-character-set CAPTCHA data from Chinese CAPTCHA service websites and label it manually; at the same time generate new CAPTCHAs by imitating the collected ones, thereby building an expanded CAPTCHA data set.
Step 2: Build a character detection model and a character recognition model. The detection model comprises white-box models used to generate noise against character detection and black-box models used to test the transferability of the adversarial examples; the recognition model likewise comprises a white-box model used to generate adversarial characters against character recognition and black-box models used to test transferability. Noise is generated on the characters of the CAPTCHA based on the recognition model and on its background based on the detection model.
Step 3: Generation of the adversarial CAPTCHA
Step 3.1: Adversarial characters targeting the CAPTCHA character recognition model are generated with an adversarial-example method that combines a gradient-based attack, input transformation and an attention mechanism.
Step 3.2: Against the threat posed by the CAPTCHA character detection model, an ensemble adversarial-example method is used: the loss functions of several differently constructed character detection models are combined, turning their black-box setting into a white-box one, and adversarial noise is generated on the CAPTCHA background to defend against the detection models.
Further, in step 1 the manual labels attached to the CAPTCHA data comprise the position and the character class of each character in the CAPTCHA. The size of the character set appearing in the collected CAPTCHA images is counted first. Each labelled CAPTCHA set is then split in half: one half is used to train the CAPTCHA-cracking models, the other to test the attack models and to produce the adversarial CAPTCHAs.
Further, in step 2, building the character detection model and the character recognition model comprises:
1) The character detection model uses Faster-RCNN, YOLO-v5 and SSD as object detection architectures. For Faster-RCNN, models with three backbone networks are trained: ResNet-50, ResNet-101 and VGG; for SSD, models with two backbones are trained: MobileNetV2 and VGG; YOLO-v5 is trained with CSPDarknet-53 as backbone.
The label of the character detection model is simply whether a character is present: characters are treated uniformly as foreground during training and testing, and the specific character class is not recognised.
Faster-RCNN with ResNet-101 as backbone, SSD with MobileNetV2 as backbone and YOLO-v5 are used as white-box models; Faster-RCNN with ResNet-50 and with VGG as backbone, and SSD with VGG as backbone, are used as black-box models.
2) The character recognition model uses the network models Inception-ResNet-v2, Inception-v3, ResNet-50 and VGG-16 for multi-class recognition of single characters; Inception-ResNet-v2 is used as the white-box model and Inception-v3, ResNet-50 and VGG-16 as black-box models.
Further, generating the adversarial characters against the CAPTCHA character recognition model in step 3 specifically comprises:
Step 3.1.1: Determine the loss function of the adversarial-example generation model f.
The adversarial image $x_{adv}$ that is sought satisfies the following conditions:
$f(x_{adv}; \theta) \neq y$ (1)
$\|x - x_{adv}\|_\infty < \varepsilon$ (2)
where θ are the parameters of the adversarial-example generation model f, x is an arbitrary input character image, y is the true class label of the image x (for example, the label of an image of the character for "person" is the code y of that character under the white-box model), and ε is the maximum noise amplitude at each pixel.
The adversarial example is found by maximising the loss of the input character image x with respect to its true class under the adversarial-example generation model f, using categorical cross-entropy J as the loss function of f:
Step 3.1.2: Gradient-based attack
The derivative of the loss function with respect to the input is computed, and the gradient iteration step combines gradient variance tuning with Nesterov iteration. Before each iteration, the adversarial character of the current epoch is updated once by a Nesterov look-ahead step to obtain the look-ahead point:
where the quantities are the adversarial character in the current epoch, the momentum decay factor μ, the noise amplitude α added in each iteration step, the updated (look-ahead) adversarial character, and the gradient $g_t$ of the t-th iteration.
In each epoch, after the gradient has been updated, the gradient variance $v_t$ is updated according to the following formula:
where $v_{t+1}$ is the updated gradient variance, and
where N is the number of neighbouring points of the current x whose gradients are sampled when the variance is computed. A neighbour of x is defined as $x_i = x + r_i$ with $r_i \sim U[-(\beta \varepsilon)^d, (\beta \varepsilon)^d]$, where $U[-(\beta \varepsilon)^d, (\beta \varepsilon)^d]$ denotes a random vector whose components are uniformly distributed over that range, β is a hyper-parameter of the variance computation, $r_i$ is the i-th random vector and r denotes a sample from that distribution. The formula combines the derivative of the loss function at x before random sampling with the derivatives of the loss function at the neighbouring points of x.
During the gradient update, the gradient variance $v_t$ obtained in the previous step is added to the derivative of the loss function, and the gradient $g_t$ of the t-th iteration is updated with momentum:
where $g_{t+1}$ is the gradient after the momentum update and $\|\cdot\|_1$ denotes the L1 norm.
Step 3.1.3: Input transformation attack
Diverse inputs are used: before a character image is fed to the adversarial-example generation model it is resized and padded with probability p:
$D(x; p)$ (8)
Translation invariance is used: translating the image is an augmentation of the data, and it is realised as a convolution between a kernel matrix and the gradient:
$T(g) = W * g$ (9)
where W is a predefined convolution kernel matrix, T(g) is the gradient after the convolution and g is the original gradient.
Scale invariance is used: a single input image is expanded into a series of new images, and a weighted average of the gradients of these new images is taken when the gradient is computed:
where $m_0$ is the number of expanded images.
Step 3.1.4: Adjusting the noise amplitude on the CAPTCHA characters with an attention mechanism
To obtain the contribution of each position in a feature layer of the white-box model to the result, the attention of the adversarial-example generation model is approximated by the spatially pooled gradient of the true label y of the input image x with respect to the feature maps:
where the quantities are the c-th feature map of the k-th layer, a normalisation factor Z, and the resulting attention weight of the c-th feature map of the k-th convolutional layer with respect to the true label y; f(x) denotes the white-box model, and m and n are the horizontal and vertical coordinates of a pixel.
The feature maps are scaled by their attention weights to obtain the features the model focuses on most; the features of all channels are then summed and passed through a ReLU activation, which removes the negative values:
where the result is the attention activation map with negative values removed.
The absolute value of the weighted sum of the feature maps is taken and re-normalised to [0, 1], and the result is resized to the size of the input image. Because of the translation invariance of a convolutional neural network, the mapped heat map represents the attention weight of the model at each position of the original image:
where the result is the attention activation map after taking the absolute value.
From this map an ε-based mask is constructed which, when the noise of the adversarial example is updated, determines the noise amplitude that may be applied at each position in each iteration of the iterative generation process:
where α is the noise update amplitude of each epoch, α = ε/T, ε is the maximum noise amplitude allowed at each point, T is the number of iterations, and γ is a hyper-parameter that amplifies the stride; the image is clipped at the end of each iteration to ensure $\|x - x_{adv}\|_\infty < \varepsilon$.
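Steps 3.1.2 to 3.1.4 above describe the generation loop in prose, and most of the formulas themselves are missing from this page. The following is an added, runnable toy-scale illustration of that loop written for this page; it is not the patent's code and does not reproduce the missing equations. It uses the page's symbols (ε, T, α = ε/T, μ, β, N, γ, $m_0$, p, W) but assumes their values. The white-box recognition model is a hand-built softmax template matcher over 8×8 glyphs instead of a CNN, so the attention heat map of step 3.1.4 is replaced by input-gradient saliency (the page's feature-map weighting needs convolutional feature maps), and the diverse-inputs transform D(x; p) is a random translate-and-pad rather than resize-and-pad. The glyphs, the model weights and every parameter value are constructed for the example.

```python
import math
import random

SIDE, DIM = 8, 64
# Constructed toy character set: three 8x8 glyphs stand in for the 3755-class Chinese set.
GLYPHS = {
    "T": ["########", "...##...", "...##...", "...##...", "...##...", "...##...", "...##...", "........"],
    "L": ["##......", "##......", "##......", "##......", "##......", "##......", "########", "........"],
    "H": ["##....##", "##....##", "##....##", "########", "########", "##....##", "##....##", "........"],
}
CLASSES = list(GLYPHS)
KERNEL = [[1, 2, 1], [2, 4, 2], [1, 2, 1]]  # predefined kernel W of T(g) = W * g; weights sum to 16

def glyph_to_vector(rows):
    return [1.0 if ch == "#" else 0.0 for row in rows for ch in row]

def build_white_box():
    # Softmax template matcher standing in for the white-box CNN: +0.1 on a class's ink pixels, -0.1 elsewhere.
    return [[0.1 if v else -0.1 for v in glyph_to_vector(GLYPHS[c])] for c in CLASSES]

def predict(W, x):
    return max(range(len(W)), key=lambda k: sum(w * xi for w, xi in zip(W[k], x)))

def loss_and_grad(W, x, y):
    # Cross-entropy J(x, y) and its input gradient sum_k (p_k - 1[k == y]) W_k.
    z = [sum(w * xi for w, xi in zip(row, x)) for row in W]
    e = [math.exp(v - max(z)) for v in z]
    p = [v / sum(e) for v in e]
    grad = [0.0] * DIM
    for k, row in enumerate(W):
        coef = p[k] - (1.0 if k == y else 0.0)
        for i in range(DIM):
            grad[i] += coef * row[i]
    return -math.log(max(p[y], 1e-12)), grad

def shift(img, dx, dy):
    # Translate by (dx, dy) with zero fill; called with (-dx, -dy) it maps a gradient back to the original grid.
    out = [0.0] * DIM
    for r in range(SIDE):
        for c in range(SIDE):
            if 0 <= r + dy < SIDE and 0 <= c + dx < SIDE:
                out[(r + dy) * SIDE + c + dx] = img[r * SIDE + c]
    return out

def convolve(g):
    # Translation-invariance step T(g) = W * g with zero padding at the border.
    def at(r, c):
        return g[r * SIDE + c] if 0 <= r < SIDE and 0 <= c < SIDE else 0.0
    return [sum(KERNEL[kr][kc] * at(r + kr - 1, c + kc - 1) for kr in range(3) for kc in range(3)) / 16.0
            for r in range(SIDE) for c in range(SIDE)]

def transformed_grad(W, x, y, rng, p=0.5, m0=3):
    # Composite transform: average the gradient over m0 scaled copies x / 2^i (scale invariance), each
    # translated-and-padded with probability p (simplified diverse inputs), then smooth it (translation invariance).
    acc = [0.0] * DIM
    for i in range(m0):
        scale = 2.0 ** i
        xs = [v / scale for v in x]
        dx = dy = 0
        if rng.random() < p:
            dx, dy = rng.choice([-1, 0, 1]), rng.choice([-1, 0, 1])
            xs = shift(xs, dx, dy)
        _, g = loss_and_grad(W, xs, y)
        g = shift(g, -dx, -dy)                                   # undo the translation on the gradient
        acc = [a + gi / (scale * m0) for a, gi in zip(acc, g)]  # chain rule for x / 2^i, then average
    return convolve(acc)

def attention_mask(W, x, y):
    # Stand-in for the attention heat map of step 3.1.4: |dJ/dx| on the clean image, scaled to [0, 1].
    _, g = loss_and_grad(W, x, y)
    hi = max(abs(v) for v in g) or 1.0
    return [abs(v) / hi for v in g]

def generate_adversarial_character(W, x, y, eps=0.5, T=10, mu=1.0, beta=1.5, N=8, gamma=0.5, seed=0):
    # eps, T, mu, beta, N and gamma are the page's symbols; their values here are assumptions for the toy model.
    rng = random.Random(seed)
    alpha = eps / T
    mask = attention_mask(W, x, y)
    x_adv, g, v = list(x), [0.0] * DIM, [0.0] * DIM
    for _ in range(T):
        x_nes = [xa + alpha * mu * gi for xa, gi in zip(x_adv, g)]      # Nesterov look-ahead point
        grad = transformed_grad(W, x_nes, y, rng)
        comb = [a + b for a, b in zip(grad, v)]                          # gradient + v_t
        l1 = sum(abs(c) for c in comb) or 1.0
        g = [mu * gi + c / l1 for gi, c in zip(g, comb)]                 # momentum update, L1-normalised
        nb = [0.0] * DIM
        for _ in range(N):                                               # neighbours x_nes + r_i, r_i ~ U[-beta*eps, beta*eps]^d
            xi = [a + rng.uniform(-beta * eps, beta * eps) for a in x_nes]
            nb = [a + b / N for a, b in zip(nb, transformed_grad(W, xi, y, rng))]
        v = [a - b for a, b in zip(nb, grad)]                            # v_{t+1} = mean neighbour gradient - gradient
        x_adv = [xa + alpha * (1 + gamma * mi) * ((gi > 0) - (gi < 0))   # attention-scaled sign step
                 for xa, mi, gi in zip(x_adv, mask, g)]
        x_adv = [min(max(xa, xo - eps, 0.0), xo + eps, 1.0) for xa, xo in zip(x_adv, x)]  # clip to the eps ball
    return x_adv

def demo(char="T"):
    W, y, x = build_white_box(), CLASSES.index(char), glyph_to_vector(GLYPHS[char])
    x_adv = generate_adversarial_character(W, x, y)
    return {"clean": CLASSES[predict(W, x)], "adversarial": CLASSES[predict(W, x_adv)],
            "linf": max(abs(a - b) for a, b in zip(x_adv, x))}
```

`demo()` returns the clean and adversarial predictions and the L∞ distance between the two images. The budget ε = 0.5 is far larger than what would be used on real CAPTCHA pixels, because the toy template matcher has a wide decision margin; the structure of the loop (look-ahead, L1-normalised momentum, variance term, transformed gradient, per-pixel step scaled by the attention mask, final clip) is the point, not the value.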
Further, step 3.2 specifically comprises:
The three models taking part in the ensemble attack, Faster-RCNN, YOLO-v5 and SSD, provide the loss functions from which the adversarial example against the detection models is generated.
The loss function $L_{frcnn}$ used for training Faster-RCNN is
$L_{frcnn} = L_{rpnCls} + L_{rpnLoc} + L_{roiCls} + L_{roiLoc}$ (15)
where $L_{rpnCls}$ is the classification loss of the RPN module of Faster-RCNN, $L_{rpnLoc}$ is the bounding-box regression loss of the RPN module, which trains the localisation ability of the model, $L_{roiCls}$ is the classification loss of the ROI module and $L_{roiLoc}$ is the bounding-box regression loss of the ROI module.
The loss function $L_{yolov5}$ used for training YOLO-v5 is
$L_{yolov5} = L_{loc} + L_{cls} + L_{conf}$ (16)
where $L_{loc}$ is the localisation loss of YOLO-v5, $L_{cls}$ is the classification loss for the object contained, and $L_{conf}$ is the multi-class confidence loss.
The loss function $L_{ssd}$ used for training SSD is
$L_{ssd} = L'_{loc} + L'_{cls}$ (17)
where $L'_{loc}$ is the localisation loss of SSD and $L'_{cls}$ is its classification loss.
In the ensemble attack the three losses are combined in a weighted average with different weights to give the ensemble loss:
$J_{ens}(x, y; \theta) = w_1 L_{frcnn}(x, y; \theta_1) + w_2 L_{yolov5}(x, y; \theta_2) + w_3 L_{ssd}(x, y; \theta_3)$ (18)
where $\theta_1$, $\theta_2$, $\theta_3$ are the model parameters of Faster-RCNN, YOLO-v5 and SSD respectively, and $w_1$, $w_2$, $w_3$ are the weights of the three loss functions.
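Equations (15) to (18) only define the ensemble loss; the page's detailed description adds that the characters are pasted back onto a noise-free background and that the background noise is generated outside the characters from their position labels. The following is an added example written for this page, not the patent's code, showing those two ideas at toy scale: three hand-built per-pixel "detectors" over small windows stand in for Faster-RCNN, YOLO-v5 and SSD, their losses are combined with assumed weights $w_1$, $w_2$, $w_3$ as in eq. (18), the combined loss is maximised with momentum iterative FGSM (the variance-reduction part of SVRE-MI-FGSM is not reproduced, since the page does not detail it), the sign step is applied only to background pixels, and a held-out 5×5 detector plays the black-box model so that transfer can be measured as false positives on the background. The box positions, detector parameters, ε and T are all constructed assumptions.

```python
import math

SIDE = 8
# Constructed sample: two solid 3x3 "characters" on an 8x8 background; position labels are
# (row0, col0, row1, col1), inclusive, as a character detector's training labels would be.
BOXES = [(1, 1, 3, 3), (5, 5, 7, 7)]
CELLS = [(r, c) for r in range(SIDE) for c in range(SIDE)]

def zeros():
    return [[0.0] * SIDE for _ in range(SIDE)]

def foreground_label():
    lab = zeros()
    for r0, c0, r1, c1 in BOXES:
        for r in range(r0, r1 + 1):
            for c in range(c0, c1 + 1):
                lab[r][c] = 1.0
    return lab

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

class WindowDetector:
    # Toy "detector": per-pixel foreground score sigmoid(scale * sum_k kernel_k * x[pixel + k] - thresh).
    def __init__(self, name, kernel, scale, thresh):
        self.name, self.kernel, self.scale, self.thresh = name, kernel, scale, thresh

    def logits(self, x):
        z = [[-self.thresh] * SIDE for _ in range(SIDE)]
        for r, c in CELLS:
            for (dr, dc), w in self.kernel.items():
                if 0 <= r + dr < SIDE and 0 <= c + dc < SIDE:
                    z[r][c] += self.scale * w * x[r + dr][c + dc]
        return z

    def loss_and_grad(self, x, lab):
        # Mean binary cross-entropy against the foreground map, and its gradient w.r.t. the image.
        z, n, loss, grad = self.logits(x), float(SIDE * SIDE), 0.0, zeros()
        for r, c in CELLS:
            p, y = sigmoid(z[r][c]), lab[r][c]
            loss -= (y * math.log(max(p, 1e-12)) + (1 - y) * math.log(max(1 - p, 1e-12))) / n
            for (dr, dc), w in self.kernel.items():              # transposed window; dLoss/dz = (p - y) / n
                if 0 <= r + dr < SIDE and 0 <= c + dc < SIDE:
                    grad[r + dr][c + dc] += (p - y) / n * self.scale * w
        return loss, grad

    def false_positives(self, x, lab):
        # Background pixels the detector scores as foreground (logit > 0, i.e. score > 0.5).
        z = self.logits(x)
        return sum(1 for r, c in CELLS if lab[r][c] == 0.0 and z[r][c] > 0.0)

def uniform_kernel(radius):
    offs = [(dr, dc) for dr in range(-radius, radius + 1) for dc in range(-radius, radius + 1)]
    return {o: 1.0 / len(offs) for o in offs}

# Three differently built white-box detectors (in place of Faster-RCNN, YOLO-v5, SSD) and a held-out black-box one.
WHITE_BOX = [WindowDetector("mean3x3", uniform_kernel(1), 8.0, 3.0),
             WindowDetector("center", {(0, 0): 1.0}, 6.0, 2.5),
             WindowDetector("cross", {(0, 0): .2, (1, 0): .2, (-1, 0): .2, (0, 1): .2, (0, -1): .2}, 8.0, 3.0)]
BLACK_BOX = WindowDetector("mean5x5", uniform_kernel(2), 8.0, 3.0)
WEIGHTS = [0.4, 0.3, 0.3]  # w_1, w_2, w_3 of eq. (18); assumed values

def ensemble_loss_and_grad(models, weights, x, lab):
    # J_ens = sum_k w_k L_k(x, y; theta_k), eq. (18), with the matching weighted gradient.
    total, grad = 0.0, zeros()
    for m, w in zip(models, weights):
        l, g = m.loss_and_grad(x, lab)
        total += w * l
        for r, c in CELLS:
            grad[r][c] += w * g[r][c]
    return total, grad

def background_attack(models, weights, x, lab, eps=0.5, T=10, mu=1.0):
    # Momentum iterative FGSM on the ensemble loss; the sign step is applied only where the label is background.
    alpha, x_adv, g = eps / T, [row[:] for row in x], zeros()
    for _ in range(T):
        _, grad = ensemble_loss_and_grad(models, weights, x_adv, lab)
        l1 = sum(abs(v) for row in grad for v in row) or 1.0
        for r, c in CELLS:
            g[r][c] = mu * g[r][c] + grad[r][c] / l1
            if lab[r][c] == 0.0:
                step = alpha * ((g[r][c] > 0) - (g[r][c] < 0))
                x_adv[r][c] = min(max(x_adv[r][c] + step, x[r][c] - eps, 0.0), x[r][c] + eps, 1.0)
    return x_adv

def demo():
    lab = foreground_label()
    x = [row[:] for row in lab]                          # clean CAPTCHA: ink = 1.0 inside the boxes
    x_adv = background_attack(WHITE_BOX, WEIGHTS, x, lab)
    detectors = WHITE_BOX + [BLACK_BOX]
    return {"loss_before": ensemble_loss_and_grad(WHITE_BOX, WEIGHTS, x, lab)[0],
            "loss_after": ensemble_loss_and_grad(WHITE_BOX, WEIGHTS, x_adv, lab)[0],
            "fp_before": {m.name: m.false_positives(x, lab) for m in detectors},
            "fp_after": {m.name: m.false_positives(x_adv, lab) for m in detectors},
            "noise_on_characters": max(abs(x_adv[r][c] - x[r][c]) for r, c in CELLS if lab[r][c] == 1.0),
            "linf": max(abs(x_adv[r][c] - x[r][c]) for r, c in CELLS)}
```

`demo()` reports the ensemble loss before and after the attack, the false-positive count of each detector (background pixels scored as character), the largest change on any character pixel and the overall L∞ distance. The check a practitioner wants here is the black-box row of `fp_after`: the ensemble gradient was never computed on `mean5x5`, so any false positives it produces on the perturbed background are transfer, which is what the white-box ensemble is meant to buy. Note that an intensity-based toy detector transfers easily; real detectors differ more, which is why the page combines three architectures rather than one.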
The beneficial effects of the invention are as follows:
1) Against the present situation in which large-character-set CAPTCHAs are cracked with deep learning models, character detection and recognition models are built, noise is generated on the characters and on the background of the CAPTCHA based on these two models, and an adversarial CAPTCHA is generated for defence.
2) The invention provides M-VNI-CT-FGSM, an adversarial CAPTCHA generation method combining input transformation, a gradient-based attack and an attention mechanism, which improves the generalisation of the adversarial examples and is used to generate adversarial characters against the CAPTCHA character recognition model.
3) The invention uses SVRE-MI-FGSM, an ensemble adversarial-example method that combines the loss functions of several differently constructed character detection models, turning their black-box setting into a white-box one, and generates adversarial noise on the CAPTCHA background to defend against the threat of the character detection models.
4) The invention achieves notable results in generating adversarial CAPTCHAs that defend against cracking attacks, improves the security of large-character-set CAPTCHAs on existing real websites while preserving their usability, and offers a method and a line of thinking for defending large-character-set CAPTCHAs in future.
Drawings
FIG. 1 is the basic framework diagram of the method for defending large-character-set CAPTCHAs based on adversarial examples.
FIG. 2 is a flowchart of the M-VNI-CT-FGSM algorithm.
FIG. 3 compares the defensive effect of the adversarial CAPTCHA under three black-box attacks.
FIG. 4 shows the ASR of four CAPTCHAs under NC, AC and AA respectively.
Detailed Description
The invention is described in further detail below with reference to the drawings and to specific embodiments.
The method for defending large-character-set CAPTCHAs based on adversarial examples consists of three main parts: data acquisition and generation, construction of the character recognition and detection models, and generation of the adversarial CAPTCHA, as shown in FIG. 1.
(1) Data acquisition and generation: real CAPTCHA images from ten services on the Chinese Internet are collected with a web crawler and processed into a real CAPTCHA data set. Because Chinese CAPTCHAs have a large classification space, the collected data alone cannot meet the training requirements of a character recognition model, so a large number of imitation CAPTCHA images is generated for each CAPTCHA scheme to expand the training and validation sets; the real and imitation CAPTCHAs together form the complete data set.
(2) Construction of the character detection and recognition models: the collected Chinese CAPTCHAs fall into 8 click-type and 2 input-type schemes. For a click-type CAPTCHA an attacker usually locates the characters first and then recognises them; for an input-type CAPTCHA the attacker can either recognise the character sequence directly with an end-to-end model or locate the characters and then recognise them. The invention therefore considers the most general case: a character detection model and a character recognition model are built separately, and noise is generated on the characters based on the recognition model and on the background based on the detection model.
(3) Generation of the adversarial CAPTCHA: the invention uses M-VNI-CT-FGSM, an adversarial-example method combining input transformation, a gradient-based attack and an attention mechanism, to improve the generalisation of the adversarial examples and to generate adversarial characters against the CAPTCHA character recognition model. Against the threat posed by the character detection model it uses SVRE-MI-FGSM, an ensemble adversarial-example method that combines the loss functions of several differently constructed detectors, turning their black-box setting into a white-box one, and generates adversarial noise on the CAPTCHA background.
The method comprises the following specific steps:
step 1: and (5) data acquisition and generation.
Because of the lack of a public Chinese verification code data set on the current network, the embodiment selects to collect real verification code pictures from the Chinese Internet and make manual labeling, and the collected verification codes cover the current mainstream Chinese verification codes. Further, because the Chinese verification code has a larger classification space, the collected verification code data set cannot meet the training requirement of the character recognition model, and a new verification code data set is generated by imitating the collected multiple verification code pictures.
1.1. Data acquisition
(1) Data collection method
This embodiment designs an efficient, multi-threaded crawler to collect various data, which includes the following 4 parts:
proxy pool, requester, processor, database.
1) Agent pool: since large websites set limits on the frequency of access to individual IPs. To achieve highly parallel data crawling, concurrency and crawler efficiency may be improved using proxy pools.
2) The requester: the tasks of the requester are divided into requests for Token and requests for data. The former is to acquire a certain number of credentials required to request a large amount of data, and the latter is to acquire data using Token as required.
3) A processor: the processor is used for preprocessing and automatically removing the duplicate of the crawled original verification code picture, and storing the processed data into the database.
4) Database: and storing various original pictures of the verification codes in the database according to the source websites of the verification codes.
(2) Data collection policy
In the embodiment, ten websites providing Chinese verification code service are selected from the group consisting of several beauty, a shield, YY, a street, a polar inspection, a dog search, a people net, a hundred-degree net disk, 58 same city and top image, and verification code pictures of each website are obtained through a crawler. Wherein people network and dog searching use input type Chinese verification codes, and the other is click type Chinese verification codes. All the verification code samples are collected from 2022, 6 months to 2022, 7 months. And then, cleaning the data, and removing repeated and damaged verification code pictures. By manually marking the verification codes, the marked information comprises the positions and the character types of the characters in the verification codes, and then the sizes of character sets appearing in the collected verification code pictures are counted. All labeling work is completed by four people, and verification code pictures which are too complex to be recognized by labeling personnel are discarded. Each of the verification codes noted is split in half into two parts, one part being used to train the verification code cracking model and the other part being used to test the attack model and to produce the challenge sample verification code.
1.2. Generation of extended data sets
For each verification code, the present invention generates a large number of simulated verification code pictures to augment the training set and verification set. In order to ensure the uniformity of training data of the character recognition model, the invention sets the verification code generation script and ensures that the occurrence times of each character in the imitation data set of each verification code are the same. For more complex verification code numerics and easily, the present invention adaptively generates a larger imitation data set, i.e., 400 occurrences of each character. Considering that the character set of the dog search verification code has only 20 characters, the collected verification code is enough to train a cracking model of the dog search verification code, and the invention does not generate a simulated training set. All other verification codes appear 200 times per character. The final raw dataset is in the form of: each verification code picture is provided with a corresponding label, and the position where the characters appear in the picture and the character type information are recorded.
Finally, the final dataset size established by the present invention is shown in Table 1.
Table 1 scale of authentic and simulated verification codes
Step 2: and (5) constructing a character detection and recognition model.
The Chinese verification codes collected by the invention are divided into 8 click categories and 2 input categories. For clicking the class verification code, an attacker usually locates the characters and then identifies them, while for inputting the class verification code, the attacker can directly identify the character sequence by using an end-to-end model, or can locate and then identify them. Thus, the present invention contemplates the most general case: character detection and recognition models are constructed separately. Noise is generated on the character and the background of the verification code based on the two types of models respectively.
2.1. Character detection model construction
For the character detection model, the invention selects various commonly used target detection architectures, namely Faster-RCNN, YOLO-v5 and SSD. For Faster-RCNN, the invention trains the models of three backbone networks of ResNet-50, resNet-101 and VGG. For SSD, the invention trains the model of two backbone networks, mobileNet V2, VGG. The present invention was trained for YOLO-v5 using the most common CSPDarknet-53 as the backbone network. The labels of the character detection model are set to be whether characters are present or not, i.e., the model unifies characters as foreground at the time of training and testing without recognition of specific character categories. For ease of expression, the present definition next represents the object detection model by means of a 'model architecture (backbone network)', such as Faster-RCNN (ResNet-101).
In the character detection model, the present invention uses fast-RCNN (ResNet-101), SSD (MobileNet V2), YOLO-v5 as a white box model to generate noise for the character detection model, fast-RCNN (ResNet-50), fast-RCNN (VGG), SSD (VGG), and YOLO-v5 as black box models to test migration effects against samples.
2.2. Character recognition model construction
For the character recognition model, related work differs in the recognition models used for Chinese characters, but because of the complexity of Chinese captchas these models all need a network deep enough to extract features. To give the generation model of the invention more generalization ability, common network models with strong feature extraction ability are selected to perform multi-class recognition of single characters: Inception-Resnet-v2, Inception-v3, ResNet-50 and VGG-16.
Among the character recognition models, the invention uses Inception-Resnet-v2 as the white-box model to generate adversarial sample characters that defend against the character recognition model, and Inception-v3, ResNet-50 and VGG-16 as black-box models to test the transfer effect of the adversarial samples.
Step 3: generation of the adversarial sample verification code.
In the adversarial sample verification code generation module, the invention uses an adversarial sample generation method that combines input transformation, a gradient-based attack and an attention mechanism, named M-VNI-CT-FGSM, to improve the generalization of the adversarial sample; it is used to generate adversarial sample characters against the verification code character recognition model. Based on an ensemble adversarial sample generation method, SVRE-MI-FGSM, the invention integrates the loss functions of several character detection models of different architectures, turning the black-box setting of those detection models into a white-box setting, and generates adversarial noise on the background of the verification code. This method achieves transferability across object detection model architectures while keeping the transferability of the adversarial samples across different feature extraction networks.
For any Chinese verification code picture fed into the adversarial sample generation framework, the framework first extracts the characters according to the labels. The invention generates adversarial noise on each character from its class label and the white-box model, then pastes the characters back onto the noise-free original background, and generates adversarial noise on the background outside the characters according to the detection model and the position labels of the characters.
The order in which the adversarial noise is generated is the reverse of the attack flow, because if noise were first added for the detection model, adding noise for the recognition model afterwards would change the perturbation of the whole picture and weaken the defensive effect of the adversarial sample in the detection stage.
3.1. The explicit optimization objective of the invention is as follows:
Let f be the adversarial sample generation model with parameters $\theta$; for any input picture $x$, let $y$ be its true label and $\varepsilon$ the maximum noise amplitude at each pixel. The invention needs to find an adversarial sample picture $x_{adv}$ satisfying the following conditions:
$f(x_{adv};\theta) \neq y$ (1)
$\|x - x_{adv}\|_\infty < \varepsilon$ (2)
Furthermore, the invention searches for the adversarial sample by maximizing the loss of the input character picture with respect to its true class under the model. Let J be the loss function of the generation model f:
The above optimization objective generates an adversarial sample under the white-box model f. The three inputs, the input picture x, the label y and the generation model f, differ between adversarial sample generation for recognition and for detection; both are described in detail in the following sections.
3.2. Adversarial sample verification code generation for the character recognition model
In the recognition stage, the adversarial sample generation algorithm takes a single verification code character as the input picture x, the multi-class label of that character as the label y, and selects Inception-Resnet-v2 as the generation model f, because it has the highest accuracy among the character recognition models trained by the invention, and its finer model structure fits the real classification boundary better, so a higher-quality adversarial sample can be generated. The output of this stage is the single character picture after the perturbation has been added.
Because the verification code character recognition model actually used by an attacker cannot be obtained, the invention generates the adversarial sample under a white-box model and relies on the transferability of adversarial samples to defend against the black-box model. To deceive the attacker's black-box recognition model while adding as little noise as possible, the transferability of the adversarial sample must be improved as far as possible, and three strategies are introduced to build the adversarial sample character generation algorithm: a gradient-based attack, an input transformation attack and an attention mechanism.
(1) Gradient-based attack
One major strategy for improving adversarial sample transferability is to improve the gradient-based optimization process so that, once the gradient has been computed, the input x is updated in a more generalizable direction. The invention combines gradient variance reduction with the Nesterov iterative fast gradient method in the gradient iteration step. Let the adversarial sample character in the current iteration be given, let u be the momentum decay factor, and let a be the noise amplitude added in each iteration. Before each iteration, the current adversarial character is first advanced one momentum step (the Nesterov look-ahead) to obtain the point at which the gradient is computed:
During the gradient update, the gradient variance $v_t$ obtained in the previous step is added to the gradient, and $g_t$ is updated with momentum:
After the gradient has been updated in each iteration, the invention updates the gradient variance $v_t$ according to the following formula:
where
N in equation (7) is the number of neighbouring points sampled around the current x when computing the gradient variance. The neighbours of x are defined as $x_i = x + r_i$, $r_i \sim U[-(\beta\cdot\varepsilon)^d, (\beta\cdot\varepsilon)^d]$, where $U[-(\beta\cdot\varepsilon)^d, (\beta\cdot\varepsilon)^d]$ denotes a random vector whose components are uniformly distributed over that range, $\beta$ is the hyper-parameter of the gradient variance computation that controls the sampling range, $r_i$ is the i-th random vector, and r denotes a random vector sampled from $U[-(\beta\cdot\varepsilon)^d, (\beta\cdot\varepsilon)^d]$.
(2) Input transformation attack
Another strategy for improving adversarial sample transferability is input transformation. The idea is similar to data augmentation: many different forms of the input are synthesized so that the gradient update direction generalizes better and the algorithm does not overfit the current model. During adversarial sample character generation, the invention considers three input transformation strategies:
Diverse inputs method: before a character picture is fed into the model, resizing and padding are applied with a certain probability p to improve the generalization ability of the adversarial sample. This is written as
$D(x;p)$ (8)
Translation-invariance method: this method exploits the translation invariance of convolutional neural networks and achieves data augmentation by translating pictures, which improves the transferability of the adversarial sample. The invention writes this process as:
$T(g) = W * g$ (9)
Scale-invariance method: this method exploits the scale invariance of convolutional neural networks, expands a single input picture into a series of new pictures, and takes a weighted average of the gradients of the new pictures when computing the gradient.
where $m_0$ is the number of augmented pictures; here the invention sets $m_0 = 4$ to balance performance and speed.
(3) Attention mechanism
Although feature extraction differs from model to model, models usually capture a large number of the same common features. In particular, for an object with a simple structure such as a character, the content that different models focus on overlaps substantially. The invention therefore further adjusts the noise amplitude on the captcha character using an attention mechanism. To obtain the contribution of each location of a feature layer of the white-box model to the result, the attention of the model is approximated by the spatially pooled gradients of the final result y with respect to the feature maps:
where the feature map is the c-th feature map of the k-th layer and Z is a normalization factor. This gives the attention weight of the c-th feature map of the k-th convolution layer with respect to the true label y.
The different feature maps are scaled by their attention weights to obtain the features the model focuses on most, the features of all channels are summed, and a ReLU activation removes negative values:
In the original attention method, this new loss is added to the loss function as a regularization term, and the optimization objective is to maximize it. Unlike that method, when the invention computes the weighted map it does not cut off negative values with ReLU; instead it takes the absolute value of the weighted sum of the feature maps, renormalizes the result to [0, 1], and then reshapes it to the size of the input picture. Because of the translation invariance of convolutional neural networks, the mapped heat map represents the attention weights of the model at the corresponding positions of the original picture:
Based on this heat map the invention then constructs an $\varepsilon$-based mask that determines, during the iterative adversarial sample generation, the noise amplitude by which each pixel may be updated in one iteration:
where $\alpha = \varepsilon / T$, $\varepsilon$ is the maximum noise amplitude allowed at each point, T is the number of iterations and $\gamma$ is a hyper-parameter that amplifies the stride, so that locations weighted by the model's attention are updated with larger steps each time. Note that although each pixel can be updated by a larger amplitude, the invention clips the picture at the end of the iterations to ensure $\|x - x_{adv}\|_\infty < \varepsilon$.
There are two reasons for these modifications. First, if the value at some position of the feature map is positive, that position contributes positively to the ground-truth class y, i.e. it raises the probability of class y in the predicted output; if the value is negative, the pixel has a negative effect on class y, i.e. it lowers that probability; and the larger the absolute value, the larger the impact on the result. The invention considers that, when generating an adversarial sample, setting the negative points directly to 0 weakens the effect of the attention mechanism. It therefore takes the absolute value of the feature map: the larger the absolute value, the larger the update amplitude at that point, while the update direction is determined by sign(g) when the FGSM-based algorithm runs. In this way the information in the attention weights, whether a point contributes positively or negatively to y, is fully used. Second, the heat map is mapped back to the original picture instead of being optimized through a regularization term, because the direction information exploited by the gradient sign method cannot be used effectively in a regularization term, and because the loss function must be evaluated many times while computing equation (7); computing an attention-based regularization term at each of these evaluations would slow the algorithm down. The invention therefore chooses to take the absolute value of the feature map, reshape it back to the input size, and construct the mask from it.
(4) Generation process of the recognition model adversarial sample
In summary, the invention provides a generation flow for the recognition model adversarial sample. It is a gradient-sign-based iterative method that combines the three strategies above: the update amplitude of each point is determined by the attention mask (M), so that the regions models generally attend to are disrupted; in each iteration the input is comprehensively transformed (CT) as data augmentation to improve the generalization ability of the algorithm; and gradient variance reduction (V) and the Nesterov accelerated gradient method (NI) are combined during the gradient update to keep the algorithm from falling into a local optimum. When computing the gradient, the invention simply uses the class cross-entropy J as the loss function. The algorithm is named M-VNI-CT-FGSM, and its flow is shown in the algorithm of FIG. 2.
In the actual generation process, all single characters in the verification code are cut out according to the pre-annotated character position labels, fed into the model together with their category labels, given adversarial noise, and then pasted back at their original positions.
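The recognition-stage loop described in (1) to (4) above, as an added worked example that is not the patent's own code: the "character" is a constructed 4-pixel vector in [0, 1] and the white-box model f is a constructed two-class softmax classifier, so the Nesterov look-ahead, the N-neighbour gradient variance, the scale-invariance input transform, the attention-scaled step and the final $\varepsilon$ clipping can all run in pure Python. The attention heat map of such a linear model is approximated here by $|W_y[d]\cdot x[d]|$ per pixel, and the mask is taken as $\alpha + \gamma H$; both are assumptions, as is the neighbour count N = 5 and $\beta$ = 1.5.

```python
"""Toy M-VNI-CT-FGSM-style generation of one adversarial character (added example)."""
import math
import random

# Constructed white-box recognition model f: logits = W x + b over classes 0 and 1.
W = [[4.0, -3.0, 2.0, 1.0], [-4.0, 3.0, -2.0, -1.0]]
B = [0.0, 0.0]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def logits(x):
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(W, B)]


def predict(x):
    p = softmax(logits(x))
    return max(range(len(p)), key=p.__getitem__)


def loss(x, y):
    """Class cross-entropy J(x, y), the recognition-stage loss named in (4)."""
    return -math.log(softmax(logits(x))[y])


def grad_x(x, y):
    """dJ/dx = sum_k (p_k - [k == y]) * W_k, exact for the softmax-linear model."""
    p = softmax(logits(x))
    return [sum((p[k] - (1.0 if k == y else 0.0)) * W[k][d] for k in range(len(W)))
            for d in range(len(x))]


def grad_scale_invariant(x, y, m0=4):
    """Scale-invariance transform: average the gradient over x / 2^i, i < m0 (m0 = 4 as on the page)."""
    g = [0.0] * len(x)
    for i in range(m0):
        gi = grad_x([v / 2 ** i for v in x], y)
        g = [a + b / m0 for a, b in zip(g, gi)]
    return g


def grad_variance(x, y, eps, rng, n=5, beta=1.5):
    """v = mean gradient over N neighbours x + r_i, r_i ~ U[-beta*eps, beta*eps]^d, minus gradient at x."""
    base = grad_scale_invariant(x, y)
    acc = [0.0] * len(x)
    for _ in range(n):
        xi = [v + rng.uniform(-beta * eps, beta * eps) for v in x]
        acc = [a + b / n for a, b in zip(acc, grad_scale_invariant(xi, y))]
    return [a - b for a, b in zip(acc, base)]


def attention_mask(x, y, eps, T, gamma):
    """Per-pixel step alpha + gamma * H, alpha = eps / T, H = |attention| rescaled to [0, 1].
    |W_y[d] * x[d]| stands in for the feature-map attention of this linear model (assumption)."""
    alpha = eps / T
    h = [abs(W[y][d] * x[d]) for d in range(len(x))]
    hmax = max(h) or 1.0
    return [alpha + gamma * v / hmax for v in h]


def sign(v):
    return (v > 0) - (v < 0)


def generate(x, y, eps=0.1, T=10, mu=1.0, gamma=0.03, seed=0):
    """Attention-masked, variance-reduced Nesterov sign iteration against the white-box model."""
    rng = random.Random(seed)
    x_adv, g, v = list(x), [0.0] * len(x), [0.0] * len(x)
    mask = attention_mask(x, y, eps, T, gamma)
    a = eps / T
    for _ in range(T):
        x_nes = [xa + mu * a * gi for xa, gi in zip(x_adv, g)]            # Nesterov look-ahead
        grad = grad_scale_invariant(x_nes, y)                             # transformed gradient
        gv = [gi + vi for gi, vi in zip(grad, v)]                         # add last variance term
        l1 = sum(abs(t) for t in gv) or 1.0
        g = [mu * gi + t / l1 for gi, t in zip(g, gv)]                    # momentum accumulation
        v = grad_variance(x_nes, y, eps, rng)                             # variance for next round
        x_adv = [xa + m * sign(gi) for xa, m, gi in zip(x_adv, mask, g)]  # attention-scaled step
        x_adv = [min(max(xa, xo - eps, 0.0), xo + eps, 1.0) for xa, xo in zip(x_adv, x)]
    return x_adv


if __name__ == "__main__":
    clean = [0.4, 0.62, 0.4, 0.4]  # constructed character with true class 0
    adv = generate(clean, 0)
    print(predict(clean), predict(adv), [round(p, 3) for p in adv])
```

With $\varepsilon$ = 0.1 and T = 10 the constructed character is pushed across the decision boundary while every pixel stays within $\varepsilon$ of the clean value; the clip at the end of each iteration is what keeps the attention-amplified steps inside the budget.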
3.3. Adversarial sample verification code generation for the character detection model
In the adversarial sample generation algorithm of the detection stage, the whole verification code picture is the input x, and the corresponding label y is defined as the boxes giving the character positions together with the class label of each box; note that in the detection stage there are only two classes, foreground (character) and background (not a character). The invention selects three object detection models, Faster-RCNN (ResNet-101), YOLO-v5 and SSD (MobileNet V2), as the generation models, and generates the adversarial sample against the detection model with an ensemble attack method.
For the adversarial sample of the character detection model, the invention uses an adversarial sample generation method that integrates the loss functions of several models, based on a state-of-the-art ensemble adversarial sample generation algorithm. That algorithm performs an ensemble attack with stochastic gradient variance reduction over several recognition models: it attacks the ensemble while taking the gradient variance into account and finds a local minimum shared by the models, so that the result transfers more easily to other black-box models. Unlike that algorithm, the invention uses several character detection models of different architectures as the ensemble for generating the adversarial sample, because detection models of different architectures follow very different paths when searching for the local maximum, so an adversarial sample generated by a model of one architecture alone does not transfer well to models of other architectures. The method therefore combines several models and, on that basis, takes gradient variance reduction into account, so as to find a path with smaller gradient variance under detection models of several architectures.
The invention redefines the loss function, considering the three models participating in the ensemble attack, Faster-RCNN, YOLO-v5 and SSD, and uses the loss functions of these models directly as the loss function for adversarial sample generation.
$L_{frcnn} = L_{rpnCls} + L_{rpnLoc} + L_{roiCls} + L_{roiLoc}$ (15)
where $L_{rpnCls}$ is the classification loss of the RPN module of Faster-RCNN, $L_{rpnLoc}$ is the bounding box regression loss of the RPN module, which trains the localization ability of the model, $L_{roiCls}$ is the classification loss of the ROI module, and $L_{roiLoc}$ is the bounding box regression loss of the ROI module.
$L_{yolov5} = L_{loc} + L_{cls} + L_{conf}$ (16)
where $L_{loc}$ is the position loss of YOLO-v5, $L_{cls}$ is the classification loss, which includes whether an object is present, and $L_{conf}$ is the multi-class confidence loss.
$L_{ssd} = L'_{loc} + L'_{cls}$ (17)
where $L'_{loc}$ is the position loss of SSD and $L'_{cls}$ is its classification loss.
In the ensemble attack, the invention takes a weighted average of the three losses with weights w to obtain the ensemble loss:
$J_{ens}(x,y;\theta) = w_1 L_{frcnn}(x,y;\theta_1) + w_2 L_{yolov5}(x,y;\theta_2) + w_3 L_{ssd}(x,y;\theta_3)$ (18)
where $\theta_1, \theta_2, \theta_3$ are the model parameters of Faster-RCNN, YOLO-v5 and SSD respectively, and $w_1, w_2, w_3$ are the weights of the three loss functions.
The invention uses SVRE-MI-FGSM as the adversarial sample generation algorithm with the loss function replaced by $J_{ens}(x,y;\theta)$; in each round of the inner loop, the algorithm randomly selects one of $L_{frcnn}$, $L_{yolov5}$ and $L_{ssd}$ to perform gradient variance reduction and update the gradient.
In the actual generation process, the invention feeds the picture whose characters already carry adversarial noise into the algorithm, and in each iteration step applies a mask of the same size as the input picture whose value is 0 at positions containing a character and the maximum noise amplitude $\varepsilon$ at positions that do not, so that the noise on the characters is not updated and the two kinds of noise do not interfere with each other. After the attack against the detection model, the resulting adversarial sample verification code can deceive a variety of character recognition models and character detection models.
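The detection-stage procedure above (weighted ensemble loss, background-only mask, and an inner loop that draws one detector loss per step for variance reduction), as an added worked example that is not the patent's code. The three detectors are constructed stand-ins with a simple quadratic loss each, not Faster-RCNN, YOLO-v5 or SSD, and the loop is a simplified SVRE-MI-FGSM-style structure (outer momentum over an inner variance-reduced loop); the weights $w_1 = w_2 = w_3 = 1$ and $\varepsilon$ = 0.1 follow Section 4.1, while the iteration counts, momentum and the form of the variance-reduced estimate are assumptions.

```python
"""Background-only ensemble adversarial noise for the detection stage (added example)."""
import random

H, W = 6, 8   # constructed captcha size (rows x columns)
EPS = 0.1     # maximum per-pixel noise, as in Section 4.1


def zeros():
    return [[0.0] * W for _ in range(H)]


def make_detector(weight, target):
    """Constructed toy detector: L_k(x) = weight * sum_p (x[p] - target)^2, with its gradient."""
    def loss(x):
        return weight * sum((x[i][j] - target) ** 2 for i in range(H) for j in range(W))

    def grad(x):
        return [[2.0 * weight * (x[i][j] - target) for j in range(W)] for i in range(H)]
    return loss, grad


# Stand-ins for L_frcnn, L_yolov5 and L_ssd; w1 = w2 = w3 = 1 as in Section 4.1.
DETECTORS = [make_detector(1.0, 0.0), make_detector(0.5, 0.1), make_detector(2.0, -0.2)]
WEIGHTS = [1.0, 1.0, 1.0]


def combine(grads, coeffs):
    """Weighted sum of 2-D gradient maps."""
    out = zeros()
    for g, c in zip(grads, coeffs):
        for i in range(H):
            for j in range(W):
                out[i][j] += c * g[i][j]
    return out


def ensemble_loss(x):
    """J_ens = w1 L1 + w2 L2 + w3 L3 (equation (18))."""
    return sum(w * d[0](x) for w, d in zip(WEIGHTS, DETECTORS))


def ensemble_grad(x):
    return combine([d[1](x) for d in DETECTORS], WEIGHTS)


def background_mask(boxes):
    """1 on background, 0 inside any character box (x1, y1, x2, y2; end exclusive)."""
    m = [[1.0] * W for _ in range(H)]
    for x1, y1, x2, y2 in boxes:
        for i in range(y1, y2):
            for j in range(x1, x2):
                m[i][j] = 0.0
    return m


def l1_normalise(g):
    n = sum(abs(v) for row in g for v in row) or 1.0
    return [[v / n for v in row] for row in g]


def sign(v):
    return (v > 0) - (v < 0)


def masked_sign_step(x, g, mask, step):
    """x + step * mask * sign(g): character pixels (mask 0) are never touched."""
    return [[x[i][j] + step * mask[i][j] * sign(g[i][j]) for j in range(W)] for i in range(H)]


def clip(x, x0, eps):
    return [[min(max(x[i][j], x0[i][j] - eps, 0.0), x0[i][j] + eps, 1.0) for j in range(W)]
            for i in range(H)]


def svre_background_attack(x0, boxes, eps=EPS, T=5, M=3, mu=1.0, seed=0):
    """Outer momentum loop over an inner loop that picks one detector per step and corrects its
    gradient with the full ensemble gradient taken at the outer point (simplified SVRE structure)."""
    rng = random.Random(seed)
    mask = background_mask(boxes)
    alpha = eps / T
    x, g_outer = [row[:] for row in x0], zeros()
    for _ in range(T):
        g_full = ensemble_grad(x)
        x_in, g_in = [row[:] for row in x], zeros()
        for _ in range(M):
            k = rng.randrange(len(DETECTORS))      # one randomly chosen loss per inner round
            _, grad_k = DETECTORS[k]
            # variance-reduced estimate: w_k * (grad_k(x_in) - grad_k(x)) + grad_ens(x)
            g_vr = combine([grad_k(x_in), grad_k(x), g_full], [WEIGHTS[k], -WEIGHTS[k], 1.0])
            g_in = combine([g_in, l1_normalise(g_vr)], [mu, 1.0])
            x_in = masked_sign_step(x_in, g_in, mask, alpha)
        g_outer = combine([g_outer, l1_normalise(g_in)], [mu, 1.0])
        x = clip(masked_sign_step(x, g_outer, mask, alpha), x0, eps)
    return x


def demo():
    x0 = [[0.5] * W for _ in range(H)]     # constructed grey captcha
    boxes = [(1, 1, 3, 5), (5, 1, 7, 5)]   # two constructed character boxes
    return x0, boxes, svre_background_attack(x0, boxes)


if __name__ == "__main__":
    x0, boxes, xa = demo()
    print(round(ensemble_loss(x0), 3), round(ensemble_loss(xa), 3))
```

The mask is what implements the page's "noise at the characters is not updated" rule: every inner and outer step multiplies the sign update by it, so the character pixels that already carry recognition-stage noise are left exactly as they were, and only the background moves within the $\varepsilon$ ball.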
Experiment:
4.1. Experimental setup
Three experiments are designed to evaluate the defensive effect of the adversarial sample verification code. All model training and adversarial sample generation in the experiments were performed on a server with four Intel(R) Xeon(R) Platinum 8255C CPUs, 43 GB of memory and an NVIDIA GeForce RTX 3090 with 24 GB of memory.
Three evaluation metrics measure a model's attack capability against the verification code:
Detection Success Rate (DSR) = number of verification codes in which all characters in the label are located / total number of verification codes;
Recognition Success Rate (RSR) = number of verification codes in which all characters are correctly recognized / total number of verification codes;
Attack Success Rate (ASR) = number of successfully attacked captchas / total number of captchas.
Note that the definition of a successful attack differs between click-type and input-type Chinese verification codes because of their different characteristics. For click-type captchas, the attack counts as successful if the attack model correctly outputs all the characters contained in the captcha label. For input-type captchas, any additional answer is wrong because the user must enter all the characters in the captcha, so the attack counts as successful only if the output characters of the attack model are identical to the characters in the captcha label. Detection counts as successful if, for each box b (the rectangle covering a character) in the captcha label, there is a box b' in the predicted result whose intersection over union satisfies $IOU_{b,b'} < 0.5$.
Top-1 accuracy is also used to evaluate how much the adversarial perturbation affects character recognition. To further study the defensive effect of the adversarial perturbation on the detection model, the mean error check number (MMN) is defined: the average number of predicted boxes per captcha that do not contain a character of the label. A higher MMN means the adversarial example is better at misleading the detection model.
The maximum perturbation $\varepsilon$ is set to 0.1, which means that each pixel of the captcha changes by less than 10%. In M-VNI-CT-FGSM, the maximum disturbance $\gamma$ added by the attention mask in equation (5) is set to 0.03; in SVRE-MI-FGSM the loss function introduced in equation (6) is used, and for the three white-box models $f_1, f_2, f_3$ the weights are set to $w_1 = w_2 = w_3 = 1$.
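The four metrics of this section (DSR, RSR, ASR with the click-type and input-type success rules, and MMN), computed over a handful of constructed captcha samples, as an added example that is not the patent's evaluation code. Boxes are (x1, y1, x2, y2) rectangles, predictions carry a box and a character, and a label box is treated as located when a predicted box overlaps it with IoU of at least 0.5; that conventional threshold direction is an assumption, since the inequality printed on the page reads the other way.

```python
"""DSR / RSR / ASR and MMN over constructed captcha samples (added example)."""


def area(r):
    return (r[2] - r[0]) * (r[3] - r[1])


def iou(a, b):
    """Intersection over union of two boxes (x1, y1, x2, y2)."""
    ix1, iy1 = max(a[0], b[0]), max(a[1], b[1])
    ix2, iy2 = min(a[2], b[2]), min(a[3], b[3])
    inter = max(0, ix2 - ix1) * max(0, iy2 - iy1)
    union = area(a) + area(b) - inter
    return inter / union if union else 0.0


def located(label_box, pred_boxes, thr=0.5):
    """A label box counts as located if some predicted box overlaps it with IoU >= thr (assumption)."""
    return any(iou(label_box, p) >= thr for p in pred_boxes)


def detected(sample, thr=0.5):
    """DSR numerator: every labelled character box is located."""
    return all(located(b, [p["box"] for p in sample["pred"]], thr) for b in sample["label_boxes"])


def recognised(sample, thr=0.5):
    """RSR numerator: every labelled character is located and its class predicted correctly."""
    for box, ch in zip(sample["label_boxes"], sample["label_chars"]):
        if not any(iou(box, p["box"]) >= thr and p["char"] == ch for p in sample["pred"]):
            return False
    return True


def attacked(sample):
    """ASR numerator. Click type: all label characters appear in the output.
    Input type: the output character sequence must equal the label exactly."""
    out = [p["char"] for p in sample["pred"]]
    if sample["kind"] == "click":
        return all(ch in out for ch in sample["label_chars"])
    return out == list(sample["label_chars"])


def mmn_count(sample, thr=0.5):
    """Number of predicted boxes that do not cover any labelled character."""
    return sum(1 for p in sample["pred"]
               if not any(iou(p["box"], b) >= thr for b in sample["label_boxes"]))


def evaluate(samples, thr=0.5):
    n = len(samples)
    return {
        "DSR": sum(detected(s, thr) for s in samples) / n,
        "RSR": sum(recognised(s, thr) for s in samples) / n,
        "ASR": sum(attacked(s) for s in samples) / n,
        "MMN": sum(mmn_count(s, thr) for s in samples) / n,
    }


# Constructed samples: pixel boxes and placeholder characters, not data from the page.
SAMPLES = [
    {   # click type, clean: every character found and read correctly
        "kind": "click", "label_boxes": [(0, 0, 10, 10), (20, 0, 30, 10)], "label_chars": "AB",
        "pred": [{"box": (1, 1, 10, 10), "char": "A"}, {"box": (20, 0, 29, 10), "char": "B"}],
    },
    {   # click type, adversarial: second character missed, a background box predicted instead
        "kind": "click", "label_boxes": [(0, 0, 10, 10), (20, 0, 30, 10)], "label_chars": "AB",
        "pred": [{"box": (0, 0, 10, 10), "char": "A"}, {"box": (40, 40, 50, 50), "char": "C"}],
    },
    {   # input type: both located, one character misread, so the attack fails
        "kind": "input", "label_boxes": [(0, 0, 10, 10), (12, 0, 22, 10)], "label_chars": "CD",
        "pred": [{"box": (0, 0, 10, 10), "char": "C"}, {"box": (12, 0, 22, 10), "char": "E"}],
    },
    {   # input type: exact sequence, successful attack
        "kind": "input", "label_boxes": [(0, 0, 10, 10), (12, 0, 22, 10)], "label_chars": "CD",
        "pred": [{"box": (0, 0, 10, 10), "char": "C"}, {"box": (12, 0, 22, 10), "char": "D"}],
    },
]

if __name__ == "__main__":
    print(evaluate(SAMPLES))
```

On the constructed samples this gives DSR 0.75, RSR 0.5, ASR 0.5 and MMN 0.25; the third sample is the input-type case the text singles out, where every character is located but a single misread character makes the whole attack fail.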
4.2. Defensive capability experiment on the adversarial sample large character set verification codes
This experiment demonstrates the effectiveness of the adversarial sample verification code against black-box attacks. For each of the eight captchas, 1000 clean captchas from the test set were used to generate adversarial sample captchas. The clean verification codes and the adversarial sample verification codes were then fed into three kinds of black-box attack:
(1) SR: SSD (VGG) is used to detect characters and ResNet-50 is used as the character recognition model;
(2) FA: Faster-RCNN (ResNet-50) is used to detect characters and an attention-based model to recognize them. For input-type verification codes such as the verification code people net and the verification code for dog searching, the characters are recognized directly with an end-to-end attention-based model. In this case the recognition and detection processes cannot be separated, so only their ASR metric is measured;
(3) EM: an end-to-end model with the Mask-RCNN architecture. In this case recognition and detection cannot be separated either, and only the ASR metric is measured.
The experimental results are shown in Table 2. First, the DSR, RSR and ASR of the clean captchas are all relatively high, with ASR values ranging from 6.5% to 100.0%, which shows that the usual attack models are sufficient to break large character set captchas. Second, the adversarial sample verification code greatly reduces all three metrics: averaging the ASR over the clean verification codes and over the adversarial verification codes shows that, after the adversarial perturbation is added, the average ASR drops from 53.33% to 3.49%. In particular, end-to-end models and attention-based models, which differ greatly from the white-box models, are also successfully defended against. In addition, the RSR of the 8 verification codes drops to nearly 0.0%, and the DSR also falls in most schemes. However, the DSR decrease for the extreme test and dog search captchas is not obvious, for the following reasons: for the extreme test captchas, the difference between the characters and the background is very obvious, so it is hard to make the detection model "believe" that a character in the perturbed captcha is background; for dog search, the character positions of this input-type verification code are quite fixed and the model easily learns this feature, so the attack model is harder to mislead. Third, as seen in FIG. 3, the perturbations in the adversarial verification codes are not conspicuous, meaning that the usability of these verification codes is maintained.
Table 2 Evaluation of the transferability of four verification codes against character recognition model attacks
In general, the method of generating adversarial verification codes can reduce the success rate of black-box model attacks while maintaining the usability of the verification code.
4.3. Transferability comparison experiment on adversarial sample verification codes
Four representative verification codes are selected for the experiment: extreme test (multiple fonts), easily shield (distorted characters, complex background), YY (open characters, multiple fonts) and street (inclined characters, finer fonts). The selected white-box models are used to generate the adversarial characters and adversarial verification codes, which are then attacked with several black-box models to test their transferability.
(1) Transferability of character recognition attacks
For each verification code, 1,000 characters are randomly selected from the test set to produce adversarial characters. These characters are then attacked with the white-box model and five black-box models: Inception-Resnet-v2, Inception-v3, ResNet-50, VGG-16, an ensemble model that averages the prediction probabilities of Inception-v3, ResNet-50 and VGG-16, and an attention-based model, denoted R1, R2, R3, R4, R5 and R6 respectively. Five baseline methods are used to compare transferability: VNI-CT-FGSM, NI-FGSM, FGSM and DeepFool. VNI-CT-FGSM is an ablation of the method of the invention that removes the attention mechanism, VNI-FGSM is an ablation that removes the input transformation, FGSM is the most basic fast gradient sign attack, and DeepFool is another classical adversarial sample generation method. Clean characters, and characters with random Gaussian noise of the same perturbation amplitude $\varepsilon$, are also used for comparison.
The final results are shown in Table 2. First, all character recognition models achieve high accuracy on both clean characters and randomly noised characters; among them, Inception-Resnet-v2 has the highest character recognition accuracy and VGG-16 the lowest. Second, the adversarial characters generated by the method of the invention with the white-box model Inception-Resnet-v2 markedly reduce the accuracy of several white-box and black-box models. Third, the gradient-based attack, the input transformation and the attention mechanism each improve the transferability of the adversarial characters, and after combining these methods the method of the invention achieves the best defensive effect.
(2) Transferability of character detection attacks
For each verification code, 1,000 verification codes from the test set are used to generate adversarial verification codes, first adding the perturbation on the characters and then the perturbation on the background. These adversarial verification codes are attacked with three white-box models, Faster-RCNN (ResNet-101), SSD (MobileNet V2) and YOLO-v5, denoted D1, D2 and D3, and three black-box models, Faster-RCNN (ResNet-50), Faster-RCNN (VGG) and SSD (VGG), denoted D4, D5 and D6. For comparison, the clean captchas are used with three kinds of perturbation added: random Gaussian noise, the perturbation produced by ENS-MI-FGSM (random variance reduction) and the noise produced by SVRE-MI-FGSM; both ENS-MI-FGSM and SVRE-MI-FGSM use the loss function of (6). The perturbed test sets are then fed into the white-box and black-box detection models, and the DSR and MMN of these detection models are evaluated.
As shown in Table 3, first, all character detection models achieve a higher DSR and a lower MMN on noise-free and random-noise captcha images, meaning that the character detection models are less prone to error on captchas without an adversarial perturbation. Second, detection models with several architectures and feature extraction modules have a lower DSR and a higher MMN when attacking the adversarial verification codes. The lower DSR means that the defensive measure of the invention greatly reduces the character detection ability of the black-box and white-box models, so that only a small number of adversarial verification codes have all their character positions found; the higher MMN means that the adversarial samples make the detection models output more predicted positions, that is, part of the background is mistaken for characters. These results show that an ensemble method considering different object detection structures can generate adversarial verification codes with transferable defensive capability against detection attack models. Finally, compared with random noise and ENS-MI-FGSM, using SVRE-MI-FGSM further improves the defensive power against character detection models.
Table 3 Transferability evaluation of four verification codes against character detection model attacks
4.3. Robustness experiment on the adversarial sample verification code
In a real-world scenario, when an attacker discovers that adversarial sample verification codes are present, they can use more advanced methods to deal with the adversarial samples and break the adversarial sample verification code. In this experiment, one of the most effective countermeasures is selected: adversarial training, i.e. training the model with adversarial samples. It is assumed that an attacker can collect a limited number of adversarial verification codes to fine-tune an attack model trained on the normal verification code dataset. Taking the easily shield, street, YY and extreme test verification codes as examples, 1,000 adversarially perturbed verification codes are generated from the training set. The characters in all perturbed captchas are then extracted to fine-tune the character recognition model ResNet-50 trained on normal characters, and the perturbed captchas are used to fine-tune the character detection model SSD (VGG) trained on normal captchas.
The ASR metric is measured for comparison in three cases:
1) NC: SSD (VGG) and ResNet-50 trained normally attack clean verification codes.
2) AC: SSD (VGG) and ResNet-50 fine-tuned by adversarial training attack clean captchas.
3) AA: SSD (VGG) and ResNet-50 fine-tuned by adversarial training attack the adversarial verification codes.
As shown in FIG. 4, after the models are fine-tuned with the adversarial verification codes, the ASR of the attack model increases. Taking the extreme test captcha as an example, the ASR rises from 1.2% (see Table 2) to 37.8%. However, the ASR of 37.8% for AA is still far lower than the ASR of 93.9% for NC and 93.5% for AC, meaning that the defensive effect of the adversarial verification codes generated by the invention is still much better than that of verification codes without an adversarial perturbation. Thus, even if an attacker obtains adversarial verification codes to fine-tune their model, the adversarial verification codes generated by the invention still maintain a strong defensive power against the fine-tuned model.
In summary, the large character set verification code attack defense method based on adversarial samples provided by the invention applies adversarial-sample-based defense to the Chinese verification codes of 10 popular websites, and attacks the adversarial-sample-based large character set verification codes with a variety of black-box models, including conventional verification code cracking methods. The experimental results show that the generated adversarial samples markedly reduce the character detection and recognition success rates of the various black-box attack models, and that the adversarial sample verification code transfers well. At the same time, the adversarial sample verification code can, to a certain extent, also withstand scenarios in which the attacker uses a filter or adversarial training, showing that it has good robustness. The invention obtains excellent results on the problem of generating adversarial sample verification codes to resist verification code attacks.

Claims (5)

1. A large-character-set verification code attack defense method based on adversarial samples, characterized by comprising the following steps:
step 1: collecting existing large-character-set verification code data from Chinese verification code service websites, labelling it manually, and at the same time generating new verification codes that imitate the collected ones, thereby constructing an expanded verification code data set;
step 2: constructing a character detection model and a character recognition model, wherein the character detection model comprises a white-box model used to generate noise against the character detection model and a black-box model used to test the transferability of the adversarial samples; the character recognition model comprises a white-box model used to generate adversarial sample characters against the character recognition model and a black-box model used to test the transferability of the adversarial samples; and generating noise on the characters and on the background of the verification code based on the character detection model and the character recognition model;
step 3: generation of the adversarial sample verification code:
step 3.1: in generating the adversarial sample verification code, an adversarial sample generation method combining a gradient attack, input transformations and an attention mechanism is used to generate adversarial sample characters against the verification code character recognition model;
step 3.2: to counter the threat from the verification code character detection model, an ensemble adversarial sample generation method is used: the loss functions of several character detection models of different architectures are integrated, the black-box setting of those differently built detection models is converted into a white-box setting, and adversarial noise is generated on the background of the verification code to defend against the character detection models.
2. The large-character-set verification code attack defense method based on adversarial samples according to claim 1, wherein in step 1 the labelling information produced by manually labelling the verification code data comprises the position and the character category of each character in the verification code; the sizes of the character sets appearing in the collected verification code pictures are counted first; and the labelled verification codes are split in half into two parts, one of which is used to train the verification code cracking model and the other to test the attack models and to produce adversarial sample verification codes.
3. The large-character-set verification code attack defense method based on adversarial samples according to claim 1, wherein in step 2 constructing the character detection model and the character recognition model further comprises:
1) the character detection model uses Faster-RCNN, YOLO-v5 and SSD as object detection architectures; for Faster-RCNN, models with three backbone networks, ResNet-50, ResNet-101 and VGG, are trained; for SSD, models with two backbone networks, MobileNetV2 and VGG, are trained; for YOLO-v5, training uses CSPDarknet-53 as the backbone network;
the label of the character detection model is set to whether a character is present or not, i.e. all characters are treated uniformly as foreground when the character detection model is trained and tested, and specific character classes are not recognised;
Faster-RCNN with ResNet-101 as backbone network, SSD with MobileNetV2 as backbone network, and YOLO-v5 are used as white-box models; Faster-RCNN with ResNet-50 and with VGG as backbone network, and SSD with VGG as backbone network, are used as black-box models;
2) the character recognition model uses the Inception-ResNet-v2, Inception-v3, ResNet-50 and VGG-16 network models to perform multi-class recognition of single characters; Inception-ResNet-v2 is used as the white-box model, and Inception-v3, ResNet-50 and VGG-16 are used as the black-box models.
4. The large-character-set verification code attack defense method based on adversarial samples according to claim 1, wherein generating the adversarial sample characters against the verification code character recognition model in step 3 specifically comprises:
step 3.1.1: determining the loss function of the adversarial sample generation model f;
the adversarial sample picture $x_{adv}$ being sought satisfies the following conditions:
$f(x_{adv}; \theta) \neq y$ (1)
$\|x - x_{adv}\| < \varepsilon$ (2)
where θ are the parameters of the adversarial sample generation model f, x is an arbitrary input character picture, y is the true class label of the picture x, and ε is the maximum noise amplitude at each pixel;
the adversarial sample is found by maximising the loss of the input character picture x with respect to its true class under the adversarial sample generation model f, and the categorical cross-entropy J is used as the loss function of the adversarial sample generation model f;
step 3.1.2: gradient-based attack;
the derivative of the loss function with respect to the input is computed, and gradient variance reduction and Nesterov iteration are combined in the gradient iteration step; before each iteration, the adversarial sample character $x^{adv}_t$ of the current epoch is updated once to obtain the look-ahead adversarial sample character,
where $x^{adv}_t$ is the adversarial sample character in the current epoch, μ is the momentum decay factor, α is the noise amplitude added in each iteration step, and $g_t$ is the gradient of the t-th iteration;
in each epoch, after the gradient has been updated, the gradient variance $v_t$ is updated to give $v_{t+1}$, the updated gradient variance;
here N denotes the number of neighbouring points of the current x whose gradients are sampled when computing the gradient variance; a neighbouring point of x is defined as $x_i = x + r_i$, $r \sim U[-(\beta\cdot\varepsilon)^d, (\beta\cdot\varepsilon)^d]$, where $U[-(\beta\cdot\varepsilon)^d, (\beta\cdot\varepsilon)^d]$ denotes a random vector each of whose components is uniformly distributed in that range, β is a hyper-parameter of the gradient variance computation, $r_i$ is the i-th random vector, and r is a random vector sampled from $U[-(\beta\cdot\varepsilon)^d, (\beta\cdot\varepsilon)^d]$; the derivative of the loss function with respect to x before random sampling and the derivative of the loss function with respect to the neighbouring points $x_i$ are both used;
during the gradient update, the gradient variance $v_t$ obtained in the previous step is added to the derivative of the loss function, and the gradient $g_t$ of the t-th iteration is updated with momentum to give $g_{t+1}$, the gradient after the momentum update, where $\|\cdot\|_1$ denotes the L1 norm;
step 3.1.3: input transformation attack;
a diverse-input method is used: before the character picture is fed to the adversarial sample generation model, it is resized and padded with probability p:
$D(x; p)$ (8)
a translation-invariance method is used: the picture is translated to augment the data, and a convolution is performed between a kernel matrix and the original gradient:
$T(g) = W * g$ (9)
where W is a predefined convolution kernel matrix, T(g) is the gradient after the convolution, and g is the original gradient;
a scale-invariance method is used: a single input picture is augmented into a series of new pictures, and when the gradient is computed a weighted average of the gradients of these new pictures is taken, where $m_0$ is the number of augmented pictures;
step 3.1.4: adjusting the noise amplitude on the verification code characters with an attention mechanism;
to obtain the contribution of each location of the white-box model's feature layer to the result, the attention of the adversarial sample generation model is approximated as the spatially pooled gradient of the true label y of the input picture x with respect to the feature maps, where the c-th feature map of the k-th layer and a normalisation factor Z give the attention weight of the c-th feature map of the k-th convolution layer with respect to the true label y; f(x) denotes the white-box model; m and n denote the horizontal and vertical coordinates of a pixel;
the different feature maps are scaled by their attention weights to obtain the features the model focuses on most; the features of all channels are then summed and passed through a ReLU activation, removing negative values, to obtain the attention activation map with negative values removed;
the absolute value of the weighted sum of the feature maps is taken and the result normalised again to [0, 1]; the resulting map is then resized to the same size as the input picture, and this heat map of the convolutional neural network is used to represent the model's attention weights at the different positions of the original picture, giving the attention activation map after taking the absolute value;
based on this attention activation map, an ε-based mask is constructed that determines, when the noise of the adversarial sample is updated, the noise amplitude that may be updated in each iteration of the iterative adversarial sample generation process;
where α is the noise update amplitude of each epoch, α = ε/T, ε is the maximum noise amplitude allowed at each point, T is the number of iterations, and γ is a hyper-parameter used to amplify the stride; the picture is clipped at the end of each iteration to ensure $\|x - x_{adv}\| < \varepsilon$.
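As an added illustration of the three input transformations of step 3.1.3 (example code, not code from the patent or its authors), the block below implements them with NumPy on a toy 3-class linear softmax classifier that stands in for the white-box character recognition model. The random model weights, the constructed 8x8 grayscale pictures, the Gaussian kernel W, the realisation of D(x; p) as a pixel selection matrix S (so that a gradient taken on the transformed picture maps back to the original pixels through S^T), and the plain 1/m0 averaging of the scaled copies x/2^i are all assumptions of the example; the patent only states that a weighted average is taken.

```python
"""Step 3.1.3 input transformations on a toy classifier (added example)."""
import numpy as np

H = W = 8            # picture size (assumption)
N_CLASSES = 3        # toy character classes (assumption)
_rng = np.random.default_rng(0)
# Toy white-box model: one random linear template per class (constructed, not trained).
W_MODEL = _rng.normal(size=(N_CLASSES, H * W))
B_MODEL = np.zeros(N_CLASSES)


def loss_and_grad(x, y):
    """Categorical cross-entropy J(x, y) of the toy model and its derivative w.r.t. x."""
    logits = W_MODEL @ x.ravel() + B_MODEL
    p = np.exp(logits - logits.max())
    p /= p.sum()
    loss = -np.log(p[y])
    dlogits = p.copy()
    dlogits[y] -= 1.0                       # d(cross-entropy)/d(logits)
    return loss, (W_MODEL.T @ dlogits).reshape(H, W)


def diversity_matrix(p, rng, low=5):
    """D(x; p): with probability p, shrink the picture to a random size in [low, H)
    by nearest-neighbour sampling and zero-pad it back to HxW at a random offset.
    Returned as an (H*W x H*W) selection matrix S with x_div = S @ x.ravel()."""
    S = np.zeros((H * W, H * W))
    if rng.random() >= p:                   # no transformation this time
        np.fill_diagonal(S, 1.0)
        return S
    size = int(rng.integers(low, H))
    off_r = int(rng.integers(0, H - size + 1))
    off_c = int(rng.integers(0, W - size + 1))
    for i in range(size):
        for j in range(size):
            src = (i * H // size) * W + (j * W // size)   # source pixel (nearest neighbour)
            dst = (off_r + i) * W + (off_c + j)           # destination inside the padded frame
            S[dst, src] = 1.0
    return S


def gaussian_kernel(k=3, sigma=1.0):
    """Predefined kernel W of eq. (9) (assumption: a normalised Gaussian)."""
    ax = np.arange(k) - (k - 1) / 2
    kern = np.exp(-np.add.outer(ax ** 2, ax ** 2) / (2 * sigma ** 2))
    return kern / kern.sum()


def translation_invariant_grad(g, kern):
    """T(g) = W * g, eq. (9): smooth the gradient with the kernel (zero padding).
    Implemented as cross-correlation, identical to convolution for a symmetric kernel."""
    k = kern.shape[0]
    pad = k // 2
    gp = np.pad(g, pad)
    out = np.zeros_like(g)
    for i in range(H):
        for j in range(W):
            out[i, j] = np.sum(gp[i:i + k, j:j + k] * kern)
    return out


def scale_invariant_grad(x, y, m0):
    """Average the gradients of m0 scaled copies x / 2^i, i = 0..m0-1 (assumption: equal weights)."""
    return sum(loss_and_grad(x / 2 ** i, y)[1] for i in range(m0)) / m0


def combined_grad(x, y, p, m0, kern, rng):
    """All three transformations together: diverse input through S, scale
    invariance by averaging over x / 2^i, translation invariance by smoothing.
    The result is a gradient w.r.t. the ORIGINAL pixels (mapped back via S^T)."""
    S = diversity_matrix(p, rng)
    g = np.zeros((H, W))
    for i in range(m0):
        x_i = (S @ (x / 2 ** i).ravel()).reshape(H, W)
        g += (S.T @ loss_and_grad(x_i, y)[1].ravel()).reshape(H, W)
    return translation_invariant_grad(g / m0, kern)


if __name__ == "__main__":
    picture = np.random.default_rng(5).uniform(size=(H, W))   # constructed character picture
    g_plain = loss_and_grad(picture, 1)[1]
    g_trans = combined_grad(picture, 1, p=0.7, m0=3, kern=gaussian_kernel(), rng=np.random.default_rng(2))
    print("plain gradient L1:", np.abs(g_plain).sum(), "transformed gradient L1:", np.abs(g_trans).sum())
```

The selection-matrix form is what makes the example exact rather than approximate: because resize-and-pad is linear in the pixels, the chain rule through it is just a multiplication by S^T, so the transformed gradient can be compared pixel for pixel with the plain one. With p = 0, m0 = 1 and a delta kernel, `combined_grad` reduces to `loss_and_grad`, which is a convenient check that the three transformations are wired correctly.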
5. The large-character-set verification code attack defense method based on adversarial samples according to claim 4, wherein step 3.2 specifically comprises:
the three models Faster-RCNN, YOLO-v5 and SSD participating in the ensemble attack provide the loss functions used to generate adversarial samples against the detection models;
the loss function $L_{frcnn}$ for training Faster-RCNN is:
$L_{frcnn} = L_{rpnCls} + L_{rpnLoc} + L_{roiCls} + L_{roiLoc}$ (15)
where $L_{rpnCls}$ is the classification loss of the RPN module of Faster-RCNN, $L_{rpnLoc}$ is the bounding-box regression loss of the RPN module of Faster-RCNN, used to train the localisation ability of the model, $L_{roiCls}$ is the classification loss of the ROI module, and $L_{roiLoc}$ is the bounding-box regression loss of the ROI module;
the loss function $L_{yolov5}$ for training YOLO-v5 is:
$L_{yolov5} = L_{loc} + L_{cls} + L_{conf}$ (16)
where $L_{loc}$ is the localisation loss of YOLO-v5, $L_{cls}$ is the classification loss of whether an object is contained, and $L_{conf}$ is the multi-class confidence loss;
the loss function $L_{ssd}$ for training SSD is:
$L_{ssd} = L'_{loc} + L'_{cls}$ (17)
where $L'_{loc}$ is the localisation loss of SSD and $L'_{cls}$ is its classification loss;
in the ensemble attack, the three losses are averaged with different weights to obtain the ensemble loss:
$J_{ens}(x, y; \theta) = w_1 L_{frcnn}(x, y; \theta_1) + w_2 L_{yolov5}(x, y; \theta_2) + w_3 L_{ssd}(x, y; \theta_3)$ (18)
where $\theta_1, \theta_2, \theta_3$ are the model parameters of Faster-RCNN, YOLO-v5 and SSD respectively, and $w_1, w_2, w_3$ are the weights of the three loss functions respectively.
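The following block is an added example (not the patent's own code) that ties together the variance-tuned Nesterov iteration of step 3.1.2, the attention-scaled, ε-bounded update of step 3.1.4 and the weighted ensemble loss of eq. (18) in NumPy. Three toy "detectors", each producing a foreground confidence σ(w_k·x + b_k), stand in for Faster-RCNN, YOLO-v5 and SSD, and their single confidence loss −log σ(·) replaces the cls/loc terms of eqs. (15)-(17). The update formulas are written in the standard variance-tuned Nesterov form (look-ahead point, L1-normalised momentum, neighbourhood gradient variance) that the claim's symbol definitions describe; the ε-based mask is realised as a per-pixel step γ·α·Â clipped to ε, with |∇J| at the look-ahead point used in place of the Grad-CAM-style attention map Â; and the norm in eq. (2) is taken to be the L∞ norm. All of these choices, the weights, the picture size and the hyper-parameter values are assumptions of the example.

```python
"""Steps 3.1.2, 3.1.4 and 3.2 on a toy ensemble of three 'detectors' (added example)."""
import numpy as np

H = W = 8                       # picture size (assumption)
D = H * W
_rng = np.random.default_rng(0)
# Constructed stand-ins for Faster-RCNN, YOLO-v5 and SSD: (w_k, b_k) of a sigmoid objectness score.
DETECTORS = [(_rng.normal(size=D), 0.5) for _ in range(3)]
ENSEMBLE_W = np.array([0.4, 0.3, 0.3])   # w1, w2, w3 of eq. (18) (assumed values)


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def ensemble_loss_and_grad(x):
    """J_ens(x) = sum_k w_k L_k(x) with L_k = -log sigma(w_k . x + b_k) (eq. (18) form),
    and its derivative with respect to the picture x."""
    loss, grad = 0.0, np.zeros(D)
    for wk, (w, b) in zip(ENSEMBLE_W, DETECTORS):
        s = sigmoid(w @ x.ravel() + b)
        loss += wk * -np.log(s)
        grad += wk * (s - 1.0) * w          # d/dx[-log sigma(z)] = (sigma(z) - 1) dz/dx
    return loss, grad.reshape(H, W)


def attention_mask(heat):
    """Step 3.1.4 normalisation: |heat| rescaled to [0, 1] and shaped like the input."""
    a = np.abs(heat)
    return (a / a.max()).reshape(H, W) if a.max() > 0 else np.zeros((H, W))


def gradient_variance(x_nes, g_hat, n_samples, beta, eps, rng):
    """v = mean_i grad J(x_i) - grad J(x_nes), with x_i = x_nes + r_i and
    r_i ~ U[-beta*eps, beta*eps]^d (N = n_samples neighbouring points)."""
    acc = np.zeros((H, W))
    for _ in range(n_samples):
        r = rng.uniform(-beta * eps, beta * eps, size=(H, W))
        acc += ensemble_loss_and_grad(x_nes + r)[1]
    return acc / n_samples - g_hat


def generate_adversarial(x, eps=0.06, T=10, mu=1.0, beta=1.5, n_samples=5, gamma=1.5, rng=None):
    """Iterative generation: Nesterov look-ahead, variance-tuned L1-normalised momentum,
    attention-scaled per-pixel step of at most eps, and projection back onto the eps-ball."""
    if rng is None:
        rng = np.random.default_rng(1)
    alpha = eps / T                         # alpha = eps / T as in step 3.1.4
    x_adv = x.copy()
    g = np.zeros((H, W))                    # momentum gradient g_t
    v = np.zeros((H, W))                    # gradient variance v_t
    for _ in range(T):
        x_nes = x_adv + alpha * mu * g      # look-ahead point of the Nesterov step
        g_hat = ensemble_loss_and_grad(x_nes)[1]
        combined = g_hat + v                # derivative plus previous variance
        g = mu * g + combined / (np.abs(combined).sum() + 1e-12)   # momentum, L1-normalised
        v = gradient_variance(x_nes, g_hat, n_samples, beta, eps, rng)
        # eps-based mask M (assumption): stride gamma*alpha scaled by the attention map, capped at eps
        step = np.clip(gamma * alpha * attention_mask(g_hat), 0.0, eps)
        x_adv = x_adv + step * np.sign(g)
        x_adv = np.clip(x_adv, x - eps, x + eps)   # keep ||x - x_adv||_inf <= eps (norm assumed L_inf)
        x_adv = np.clip(x_adv, 0.0, 1.0)           # stay a valid picture
    return x_adv


def demo():
    """Run the generator on a constructed picture; returns (x, x_adv, J_ens(x), J_ens(x_adv))."""
    x = _rng.uniform(0.2, 0.8, size=(H, W))       # constructed 'background' picture
    x_adv = generate_adversarial(x)
    return x, x_adv, ensemble_loss_and_grad(x)[0], ensemble_loss_and_grad(x_adv)[0]


if __name__ == "__main__":
    _, _, before, after = demo()
    print(f"ensemble loss before: {before:.4f}  after: {after:.4f}")
```

Two properties are worth checking on any implementation of this loop: the final perturbation never exceeds ε in any pixel (the projection at the end of each iteration enforces condition (2)), and the ensemble loss at the output is higher than at the input, which is the objective of step 3.1.1 carried over to the detection losses. The toy losses here are convex in x, so a rise in the loss is guaranteed for the first step and expected for the whole run; with real detectors one would verify the same two properties empirically rather than rely on convexity.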
CN202310377899.8A 2023-04-11 2023-04-11 Large character set verification code attack defense method based on countermeasure sample Pending CN116665214A (en)


Publications (1)

Publication Number Publication Date
CN116665214A true CN116665214A (en) 2023-08-29

Family

ID=87719606


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117132989A (en) * 2023-10-23 2023-11-28 山东大学 Character verification code identification method, system and equipment based on convolutional neural network
CN117132989B (en) * 2023-10-23 2024-01-26 山东大学 Character verification code identification method, system and equipment based on convolutional neural network
CN117669651A (en) * 2024-01-31 2024-03-08 山东省计算中心(国家超级计算济南中心) ARMA model-based method and ARMA model-based system for defending against sample black box attack
CN117669651B (en) * 2024-01-31 2024-05-14 山东省计算中心(国家超级计算济南中心) ARMA model-based method and ARMA model-based system for defending against sample black box attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination