CN116776966A - Training method, training device, computer equipment and storage medium of image classification network - Google Patents

Publication number
CN116776966A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310753848.0A
Other languages
Chinese (zh)
Inventor
孙震
郑晓雪
范琪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/092 Reinforcement learning
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/0464 Convolutional networks [CNN, ConvNet]
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00 Arrangements for image or video recognition or understanding
    • G06V10/70 Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/77 Processing image or video features in feature spaces; using data integration or data reduction, e.g. principal component analysis [PCA] or independent component analysis [ICA] or self-organising maps [SOM]; Blind source separation
    • G06V10/774 Generating sets of training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06V10/776 Validation; Performance evaluation
    • G06V10/82 Arrangements for image or video recognition or understanding using pattern recognition or machine learning using neural networks

Abstract

The application relates to a training method, a training device, computer equipment and a storage medium of an image classification network, and to the technical field of image processing and artificial intelligence. The method comprises the following steps: obtaining adversarial samples corresponding to a plurality of attack algorithms, and calculating an image classification result of the image classification network corresponding to each attack algorithm; based on the classification success rate in the image classification result, screening an initial target attack algorithm among the attack algorithms, and adjusting attack parameters of the initial target attack algorithm; based on the adjusted initial target attack algorithm, attacking the image classification network to obtain a new image classification result of the image classification network, and evaluating an evaluation value of the image classification network through a network evaluation function; training the initial target attack algorithm through the evaluation value to obtain a target attack algorithm, and training the image classification network through the target attack algorithm to obtain a target image classification network. By adopting the method, the defense effect of the trained deep learning neural network can be improved.

Description

Training method, training device, computer equipment and storage medium of image classification network
Technical Field
The present application relates to the field of image processing and artificial intelligence, and in particular, to a training method, apparatus, computer device, storage medium and computer program product for an image classification network.
Background
With the development of deep learning neural networks for image classification, such networks have proved extremely vulnerable to adversarial samples. An adversarial sample is usually a picture to which a tiny, carefully designed modification has been added, so that the deep neural network outputs an erroneous image classification result. How to improve the defense effect of the deep learning neural network against adversarial samples is therefore the current research focus.
At present, the traditional method is to attack the deep learning neural network with a large number of adversarial samples, so as to improve the defense effect of the deep learning neural network against adversarial samples. However, the traditional method trains the deep learning neural network on different adversarial samples and cannot train directly against the defense weak points of different deep learning neural networks, so the defense effect of the trained deep learning neural network is poor.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a training method, apparatus, computer device, computer-readable storage medium, and computer program product for an image classification network.
In a first aspect, the present application provides a training method for an image classification network. The method comprises the following steps:
obtaining adversarial samples corresponding to a plurality of attack algorithms and, for each attack algorithm, inputting the adversarial samples of that attack algorithm into an image classification network to obtain an image classification result of the image classification network;
based on the classification success rate in the image classification result, screening an initial target attack algorithm in each attack algorithm, and adjusting attack parameters of the initial target attack algorithm;
based on the adjusted initial target attack algorithm, attacking the image classification network to obtain a new image classification result of the image classification network, and evaluating an evaluation value of the image classification network through a network evaluation function;
and in the case that the evaluation value is lower than a preset evaluation threshold, returning to the step of adjusting the attack parameters of the initial target attack algorithm; when the evaluation value is higher than the preset evaluation threshold, taking the adjusted initial target attack algorithm corresponding to the image classification network whose evaluation value is higher than the evaluation threshold as a target attack algorithm, and training the image classification network through the target attack algorithm to obtain a target image classification network.
Optionally, the obtaining of the adversarial samples corresponding to the attack algorithms includes:
for each attack algorithm, performing simulated attack processing on the image classification network based on the attack algorithm to obtain an interfered image classification network, and generating an adversarial sample corresponding to the attack algorithm based on the interfered image classification network.
Optionally, the screening the initial target attack algorithm in each attack algorithm based on the classification success rate in the image classification result includes:
based on the image classification result of the image classification network, analyzing the correct classification number of the image classification result to obtain the classification success rate of the image classification network;
and in the attack algorithms, screening the attack algorithm corresponding to the image classification network with the lowest classification success rate as an initial target attack algorithm.
Optionally, the adjusting the attack parameters of the initial target attack algorithm includes:
identifying the current gradient step length of the image classification network attacked by the initial target attack algorithm, and identifying the association relation between the current gradient step length and attack parameters of the initial target attack algorithm;
calculating change information of the attack parameters when adding a unit gradient step under the current gradient step, updating the attack parameters based on the change information to obtain first attack parameters, and taking an initial target attack algorithm containing the first attack parameters as an adjusted initial target attack algorithm.
Optionally, the attacking the image classification network based on the adjusted initial target attack algorithm to obtain a new image classification result of the image classification network includes:
based on the adjusted initial target attack algorithm, obtaining, through the image classification network, a new adversarial sample corresponding to the adjusted initial target attack algorithm, and inputting the new adversarial sample into the image classification network to obtain a new image classification result of the image classification network.
Optionally, before the step of returning to execute the step of adjusting the attack parameters of the initial target attack algorithm, the method further includes:
calculating difference information of the classification success rate and the new classification success rate based on the classification success rate of the image classification network corresponding to the initial target attack algorithm and the new classification success rate of the image classification network corresponding to the adjusted initial target attack algorithm, and adjusting change information of the initial target attack algorithm based on the difference information to obtain new change information;
and adjusting the first attack parameter of the adjusted initial target attack algorithm based on the new change information to obtain the second attack parameter of the adjusted initial target attack algorithm, and adjusting the first attack parameter of the adjusted initial target attack algorithm to the second attack parameter.
In a second aspect, the application further provides a training device of the image classification network. The device comprises:
the acquisition module is used for acquiring the adversarial samples corresponding to the attack algorithms and, for each attack algorithm, inputting the adversarial samples of that attack algorithm into the image classification network to obtain an image classification result of the image classification network;
the screening module is used for screening an initial target attack algorithm in each attack algorithm based on the classification success rate in the image classification result and adjusting attack parameters of the initial target attack algorithm;
the evaluation module is used for attacking the image classification network based on the adjusted initial target attack algorithm to obtain a new image classification result of the image classification network, and evaluating the evaluation value of the image classification network through a network evaluation function;
and the training module is used for returning to the step of adjusting the attack parameters of the initial target attack algorithm in the case that the evaluation value is lower than the preset evaluation threshold; when the evaluation value is higher than the preset evaluation threshold, taking the adjusted initial target attack algorithm corresponding to the image classification network whose evaluation value is higher than the evaluation threshold as the target attack algorithm, and training the image classification network through the target attack algorithm to obtain the target image classification network.
Optionally, the acquiring module is specifically configured to:
for each attack algorithm, performing simulated attack processing on the image classification network based on the attack algorithm to obtain an interfered image classification network, and generating an adversarial sample corresponding to the attack algorithm based on the interfered image classification network.
Optionally, the screening module is specifically configured to:
based on the image classification result of the image classification network, analyzing the correct classification number of the image classification result to obtain the classification success rate of the image classification network;
and in the attack algorithms, screening the attack algorithm corresponding to the image classification network with the lowest classification success rate as an initial target attack algorithm.
Optionally, the screening module is specifically configured to:
identifying the current gradient step length of the image classification network attacked by the initial target attack algorithm, and identifying the association relation between the current gradient step length and attack parameters of the initial target attack algorithm;
calculating change information of the attack parameters when adding a unit gradient step under the current gradient step, updating the attack parameters based on the change information to obtain first attack parameters, and taking an initial target attack algorithm containing the first attack parameters as an adjusted initial target attack algorithm.
Optionally, the evaluation module is specifically configured to:
based on the adjusted initial target attack algorithm, obtaining, through the image classification network, a new adversarial sample corresponding to the adjusted initial target attack algorithm, and inputting the new adversarial sample into the image classification network to obtain a new image classification result of the image classification network.
Optionally, the apparatus further includes:
the computing module is used for computing difference information of the classification success rate and the new classification success rate based on the classification success rate of the image classification network corresponding to the initial target attack algorithm and the new classification success rate of the image classification network corresponding to the adjusted initial target attack algorithm, and adjusting change information of the initial target attack algorithm based on the difference information to obtain new change information;
the adjusting module is used for adjusting the first attack parameter of the adjusted initial target attack algorithm based on the new change information to obtain the second attack parameter of the adjusted initial target attack algorithm, and adjusting the first attack parameter of the adjusted initial target attack algorithm to the second attack parameter.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the steps of the method of any of the first aspects when the processor executes the computer program.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method of any of the first aspects.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any of the first aspects.
According to the training method, the training device, the computer equipment and the storage medium of the image classification network, the adversarial samples corresponding to a plurality of attack algorithms are obtained and, for each attack algorithm, the adversarial samples of that attack algorithm are input into the image classification network to obtain the image classification result of the image classification network; based on the classification success rate in the image classification result, an initial target attack algorithm is screened among the attack algorithms, and attack parameters of the initial target attack algorithm are adjusted; based on the adjusted initial target attack algorithm, the image classification network is attacked to obtain a new image classification result of the image classification network, and an evaluation value of the image classification network is evaluated through a network evaluation function; in the case that the evaluation value is lower than a preset evaluation threshold, the method returns to the step of adjusting the attack parameters of the initial target attack algorithm; when the evaluation value is higher than the preset evaluation threshold, the adjusted initial target attack algorithm corresponding to the image classification network whose evaluation value is higher than the evaluation threshold is taken as a target attack algorithm, and the image classification network is trained through the target attack algorithm to obtain a target image classification network.
The image classification network is attacked through each attack algorithm respectively to obtain the classification success rate of the image classification network, an initial target attack algorithm is screened, and the attack parameters of the initial target attack algorithm are adjusted so that the attack effect of the initial target attack algorithm on the image classification network is optimal, thereby obtaining a target attack algorithm. In this way, an optimized target attack algorithm that is most suitable for training against the defense weak points of the image classification network is found, and the defense effect of the trained deep learning neural network is improved.
Drawings
FIG. 1 is a flow diagram of a training method of an image classification network in one embodiment;
FIG. 2 is a flow diagram of an example training of an image classification network in one embodiment;
FIG. 3 is a block diagram of a training apparatus of an image classification network in one embodiment;
FIG. 4 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The training method of the image classification network provided by the embodiment of the application can be applied to a terminal, a server and a system comprising the terminal and the server, and is realized through interaction of the terminal and the server. The terminal may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and the like. The server may be implemented as a stand-alone server or as a server cluster composed of a plurality of servers. The terminal respectively attacks the image classification network through each attack algorithm to obtain the classification success rate of the image classification network, screens an initial target attack algorithm, adjusts attack parameters of the initial target attack algorithm, enables the attack effect of the initial target attack algorithm on the image classification network to be optimal, and obtains the target attack algorithm, so that the optimized target attack algorithm which is most suitable for training the defense vulnerability is searched for aiming at the defense vulnerability of the image classification network, and the defense effect of the trained deep learning neural network is improved.
In one embodiment, as shown in fig. 1, a training method of an image classification network is provided, and the method is applied to a terminal for illustration, and includes the following steps:
Step S101, obtaining adversarial samples corresponding to a plurality of attack algorithms and, for each attack algorithm, inputting the adversarial samples of that attack algorithm into an image classification network to obtain an image classification result of the image classification network.
In this embodiment, the terminal generates, through each attack algorithm, an adversarial sample corresponding to that attack algorithm in the image classification network. The terminal then responds to the network training operation of the user to acquire the classification network to be trained as the image classification network. An attack algorithm is an algorithm that perturbs the image classification network so that its classification information deviates, for example, the fast gradient sign method (Fast Gradient Sign Method, FGSM). The image classification network is a reinforcement-learning-type neural network for image recognition and classification labeling, for example, an Inception V3 neural network, an Inception V4 neural network, an Inception Resnet V neural network, a Resnet V2 101, etc. The terminal inputs the adversarial sample of each attack algorithm into an image classification network that is executing the image classification task, and obtains an image classification result of the image classification network. The image classification result contains classification information of each image corresponding to the image classification task. The specific adversarial sample acquisition process will be described in detail later. The adversarial sample is interference information for the image classification network generated by an attack algorithm based on the image classification network; the interference information can be, but is not limited to, various types of image noise information, interference information for modifying the image size, interference information for modifying the image pixels, and the like.
The image classification network is used for identifying the image type of each image and classifying the image type, for example, the terminal inputs animal images into the image classification network, the image classification network can divide the animal images into the animal types corresponding to the animal images, and the image classification result is the animal type.
Step S102, based on the classification success rate in the image classification result, in each attack algorithm, an initial target attack algorithm is screened, and attack parameters of the initial target attack algorithm are adjusted.
In this embodiment, the terminal respectively identifies whether the classification information of each image is correct or not through a preset classification identification policy, and uses the ratio of the number of correctly classified images to the number of all images as the classification success rate of the image classification result. And then the terminal screens the attack algorithm corresponding to the image classification network with the lowest classification success rate in each attack algorithm to be used as an initial target attack algorithm. And the terminal adjusts the attack parameters of the initial target attack algorithm based on the image classification network. And adjusting the attack parameters of the initial target attack algorithm to improve the attack effect of the initial attack algorithm on the image classification network. The specific adjustment process will be described in detail later. The identification process of the classification and identification strategy will be described in detail later.
Step S103, based on the adjusted initial target attack algorithm, attacking the image classification network to obtain a new image classification result of the image classification network, and evaluating the evaluation value of the image classification network through a network evaluation function.
In this embodiment, the terminal re-acquires an attack sample of the initial target attack algorithm based on the adjusted initial target attack algorithm, and executes step S101 to obtain a new image classification result of the image classification network. Then, the terminal evaluates the evaluation value of the new image classification result of the image classification network through the network evaluation function. Wherein the network evaluation function may be, but is not limited to, a Tenengrad evaluation function, a Laplacian gradient function, an energy gradient function (Energy of Gradient, EOG), a Roberts function, and the like.
Step S104, in the case that the evaluation value is lower than the preset evaluation threshold, returning to the step of adjusting the attack parameters of the initial target attack algorithm; when the evaluation value is higher than the preset evaluation threshold, taking the adjusted initial target attack algorithm corresponding to the image classification network whose evaluation value is higher than the evaluation threshold as the target attack algorithm, and training the image classification network through the target attack algorithm to obtain the target image classification network.
In this embodiment, the terminal presets the evaluation threshold, and returns to execute step S102 when the evaluation value is lower than the preset evaluation threshold, until the evaluation value is higher than the preset evaluation threshold, and the terminal stops the iterative process. Then, the terminal takes the adjusted initial target attack algorithm corresponding to the image classification network with the evaluation value higher than the evaluation threshold value as the target attack algorithm. And finally, training the defensive capability of the image classification network by the terminal through the target attack algorithm to obtain the target image classification network.
Based on the scheme, the image classification network is attacked through each attack algorithm to obtain the classification success rate of the image classification network, the initial target attack algorithm is screened, and the attack parameters of the initial target attack algorithm are adjusted, so that the attack effect of the initial target attack algorithm on the image classification network is optimal, the target attack algorithm is obtained, and therefore, the optimized target attack algorithm which is most suitable for training the defense weakness is searched for aiming at the defense weakness of the image classification network, and the defense effect of the trained deep learning neural network is improved.
Optionally, obtaining the adversarial samples corresponding to the plurality of attack algorithms includes:
for each attack algorithm, performing simulated attack processing on the image classification network based on the attack algorithm to obtain an interfered image classification network, and generating an adversarial sample corresponding to the attack algorithm based on the interfered image classification network.
In this embodiment, for each attack algorithm, the terminal performs simulated attack processing on the image classification network based on the attack algorithm to obtain an interfered image classification network. The terminal then generates an adversarial sample corresponding to the attack algorithm based on the interfered image classification network.
For example, the terminal perturbs the Inception V3 neural network through the fast gradient sign method (Fast Gradient Sign Method, FGSM), so that the Inception V3 neural network generates an adversarial sample.
Specifically, the basic idea of the FGSM adversarial sample generation strategy is to keep the change in the adversarial perturbation consistent with the direction of change of the loss gradient of the image classification network. θ is the image classification network parameter, x is the input of the image classification network, y is the correct class corresponding to the input x, and the loss function of the image classification network isThe gradient of the loss function with respect to x is +.>The principle of FGSM is:
Here α is a hyper-parameter representing the step size of the next gradient of the image classification network, and sign(·) is the sign function, so the adversarial perturbation obtained in this way is an adversarial perturbation under the constraint of the L∞ norm.
Based on this scheme, the terminal generates the adversarial sample in the image neural network through the attack algorithm, so that the interference effect of the adversarial sample on the image neural network is more obvious, and the accuracy of the subsequent screening of the initial target attack algorithm is improved.
Optionally, based on the classification success rate in the image classification result, in each attack algorithm, the initial target attack algorithm is screened, including: based on the image classification result of the image classification network, analyzing the correct classification number of the image classification result to obtain the classification success rate of the image classification network; and in the attack algorithms, screening an attack algorithm corresponding to the image classification network with the lowest classification success rate as an initial target attack algorithm.
In this embodiment, the terminal presets the correct classification information of each image, then identifies the classification information of each image in the image classification result of the image classification network, and determines whether the correct classification information and the classification information of the same image are the same. The terminal then takes the ratio of the number of images whose correct classification information and classification information are the same to the number of all images as the classification success rate of the image classification network. Finally, the terminal screens, from all attack algorithms, the attack algorithm corresponding to the image classification network with the lowest classification success rate as the initial target attack algorithm.
Based on the scheme, screening the attack algorithms by classification success rate improves the accuracy of the screening.
Optionally, adjusting attack parameters of the initial target attack algorithm includes: identifying the current gradient step length of an image classification network attacked by the initial target attack algorithm, and identifying the association relation between the current gradient step length and attack parameters of the initial target attack algorithm; calculating change information of the attack parameter when adding a unit gradient step under the current gradient step, updating the attack parameter based on the change information to obtain a first attack parameter, and taking an initial target attack algorithm containing the first attack parameter as an adjusted initial target attack algorithm.
In this embodiment, the terminal obtains the current gradient step of the image classification network by querying the parameter information of the image classification network that has been attacked by the initial target attack algorithm. And then the terminal determines the association relation between the current gradient step length of the image classification network and the attack parameters of the initial target attack algorithm based on the loss function of the image classification network.
Specifically, under the condition that the gradient change mode of the loss function of the image classification network is linear, the terminal directly establishes an association relation between the current gradient step length of the image classification network and the attack parameter of the initial target attack algorithm based on the loss function, and under the condition that the gradient change mode of the loss function of the image classification network is nonlinear, the terminal determines the association relation between the current gradient step length of the image classification network and the attack parameter of the initial target attack algorithm by establishing the association function of the loss function of the image classification network and the initial target attack algorithm.
For example, in the case that the gradient change mode of the loss function of the image classification network is nonlinear, the terminal establishes a correlation function between the loss function of the image classification network and the attack algorithm based on the loss function of the Inception V3 neural network and the FGSM attack algorithm, and a specific function formula is as follows:
Wherein, for the adversarial sample data obtained by the i-th adjusted attack algorithm, α is a parameter expressed as the average rate of change of the gradient of each step as the iteration is performed. The principle of Clip(·) is to set a variable greater than the maximum to the maximum and a variable less than the minimum to the minimum, so that an $x^{A}$ outside the domain is limited to a specified range, so that the attack effect of the initial target attack algorithm is improved, and the classification success rate of the image classification network is reduced.
The terminal calculates the change information of the attack parameters when adding the unit gradient step under the current gradient step through the association relation between the current gradient step of the image classification network and the attack parameters of the initial target attack algorithm. And then the terminal determines a first attack parameter of the initial target attack algorithm based on the attack parameter of the initial target attack algorithm and the change information of the attack parameter. And finally, the terminal takes the initial target attack algorithm containing the first attack parameter as an adjusted initial target attack algorithm. The adjustment method may be, but is not limited to, iterative optimization of the initial target attack algorithm.
Based on the scheme, the terminal determines the change information of the attack parameters of the initial target attack algorithm through the association relation between the current gradient step length of the image classification network and the attack parameters of the initial target attack algorithm, so that the attack parameters of the initial target attack algorithm are adjusted, the attack effect of the initial target attack algorithm is improved, and the classification success rate of the image classification network is reduced.
Optionally, based on the adjusted initial target attack algorithm, attacking the image classification network to obtain a new image classification result of the image classification network, including:
based on the adjusted initial target attack algorithm, a new adversarial sample corresponding to the adjusted initial target attack algorithm is obtained through the image classification network, and the new adversarial sample is input into the image classification network to obtain a new image classification result of the image classification network.
In this embodiment, the terminal re-acquires a new adversarial sample corresponding to the adjusted initial target attack algorithm based on the image classification network in the manner of step S102. Then, the terminal inputs the new adversarial sample into the image classification network to obtain a new image classification result of the image classification network.
Based on the scheme, a new image classification result is obtained by re-acquiring a new adversarial sample, which ensures that the obtained image classification result reflects, as data, the attack effect of the adjusted initial target attack algorithm on the image classification network.
Optionally, before returning to the step of adjusting the attack parameters of the initial target attack algorithm, the method further includes: calculating difference information of the classification success rate and the new classification success rate based on the classification success rate of the image classification network corresponding to the initial target attack algorithm and the new classification success rate of the image classification network corresponding to the adjusted initial target attack algorithm, and adjusting change information of the initial target attack algorithm based on the difference information to obtain new change information; and adjusting the first attack parameter of the adjusted initial target attack algorithm based on the new change information to obtain the second attack parameter of the adjusted initial target attack algorithm, and adjusting the first attack parameter of the adjusted initial target attack algorithm to the second attack parameter.
In this embodiment, the terminal calculates difference information between the classification success rate and the new classification success rate based on the classification success rate of the image classification network corresponding to the initial target attack algorithm and the new classification success rate of the image classification network corresponding to the adjusted initial target attack algorithm. The difference information comprises a positive difference value and a negative difference value, and under the condition that the difference information is the positive difference value, the terminal determines that the change information of the initial target attack algorithm is error-free, and directly takes the first attack parameter of the initial target attack algorithm as the second attack parameter of the initial target attack algorithm. And under the condition that the difference information is a negative difference value, the terminal determines that the change information of the initial target attack algorithm is wrong. And then the terminal returns to execute the step of adjusting the attack parameters of the initial target attack algorithm based on the difference information, and adjusts the change information of the initial target attack algorithm to obtain new change information. And then the terminal adjusts the first attack parameters of the adjusted initial target attack algorithm based on the new change information to obtain the second attack parameters of the adjusted initial target attack algorithm. And finally, the terminal adjusts the first attack parameter of the adjusted initial target attack algorithm into a second attack parameter.
Based on the scheme, the change information of the initial target attack algorithm is adjusted through the difference information of the classification success rate and the new classification success rate, so that the attack efficiency of the initial target attack algorithm is ensured to be gradually improved along with the increase of the iteration times, and the optimization efficiency of the initial target attack algorithm is further improved.
In one embodiment, as shown in FIG. 2, a training example of an image classification network is provided, the example comprising the steps of:
Step S201, for each attack algorithm, performing simulated attack processing on the image classification network based on the attack algorithm to obtain an interfered image classification network, and generating an adversarial sample corresponding to the attack algorithm based on the interfered image classification network.
Step S202, for each attack algorithm, inputting the adversarial sample of the attack algorithm into the image classification network to obtain the image classification result of the image classification network.
Step S203, based on the image classification result of the image classification network, analyzing the correct classification number of the image classification result to obtain the classification success rate of the image classification network.
Step S204, selecting an attack algorithm corresponding to the image classification network with the lowest classification success rate from the attack algorithms as an initial target attack algorithm.
Step S205, the current gradient step of the image classification network attacked by the initial target attack algorithm is identified, and the association relation between the current gradient step and the attack parameter of the initial target attack algorithm is identified.
Step S206, calculating change information of the attack parameter when adding a unit gradient step under the current gradient step, updating the attack parameter based on the change information to obtain a first attack parameter, and taking an initial target attack algorithm containing the first attack parameter as an adjusted initial target attack algorithm.
Step S207, based on the adjusted initial target attack algorithm, a new adversarial sample corresponding to the adjusted initial target attack algorithm is obtained through the image classification network, and the new adversarial sample is input into the image classification network to obtain a new image classification result of the image classification network.
Step S208, calculating difference information of the classification success rate and the new classification success rate based on the classification success rate of the image classification network corresponding to the initial target attack algorithm and the new classification success rate of the image classification network corresponding to the adjusted initial target attack algorithm, and adjusting change information of the initial target attack algorithm based on the difference information to obtain new change information.
Step S209, the first attack parameter of the adjusted initial target attack algorithm is adjusted based on the new change information, the second attack parameter of the adjusted initial target attack algorithm is obtained, and the first attack parameter of the adjusted initial target attack algorithm is adjusted to the second attack parameter.
Step S210, when the evaluation value is lower than the preset evaluation threshold, returning to the step of adjusting the attack parameters of the initial target attack algorithm; when the evaluation value is higher than the preset evaluation threshold, taking the adjusted initial target attack algorithm corresponding to the image classification network with the evaluation value higher than the evaluation threshold as the target attack algorithm, and training the image classification network through the target attack algorithm to obtain the target image classification network.
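Steps S201 to S209 can be traced on a small model as a robustness evaluation before adversarial training. The following is an added example, not code from the patent: it assumes a fixed linear logistic classifier in place of Inception V3, constructed sample data, the standard published FGSM update x + α·sign(∇x J) and its iterative form with Clip, and a hypothetical tuning rule that halves the change when the classification success rate does not drop.

```python
import math

# Constructed stand-in for the image classification network: a fixed linear
# logistic model over two "pixel" features in [0, 1]. Weights are assumptions.
W, B = (1.0, -1.0), 0.0
# Constructed labelled samples (x, y); all six are classified correctly when clean.
DATA = [((0.9, 0.1), 1), ((0.7, 0.4), 1), ((0.6, 0.45), 1),
        ((0.2, 0.8), 0), ((0.4, 0.65), 0), ((0.5, 0.55), 0)]


def predict(x):
    return 1 if sum(w * v for w, v in zip(W, x)) + B > 0 else 0


def grad_sign(x, y):
    """Sign of the cross-entropy loss gradient w.r.t. x, where dJ/dx = (p - y) * w."""
    p = 1.0 / (1.0 + math.exp(-(sum(w * v for w, v in zip(W, x)) + B)))
    return tuple((g > 0) - (g < 0) for g in ((p - y) * w for w in W))


def clip(x_adv, x, eps):
    """Clip: keep each coordinate inside [x - eps, x + eps] and the valid range [0, 1]."""
    return tuple(min(max(a, max(v - eps, 0.0)), min(v + eps, 1.0))
                 for a, v in zip(x_adv, x))


def fgsm(x, y, alpha, eps):
    """Single step of size alpha along the gradient sign."""
    s = grad_sign(x, y)
    return clip(tuple(v + alpha * d for v, d in zip(x, s)), x, eps)


def iterative_fgsm(x, y, alpha, eps, steps=3):
    """Repeated FGSM steps, clipped back into the eps-ball after every step."""
    x_adv = x
    for _ in range(steps):
        s = grad_sign(x_adv, y)
        x_adv = clip(tuple(v + alpha * d for v, d in zip(x_adv, s)), x, eps)
    return x_adv


ATTACKS = {"fgsm": fgsm, "iterative_fgsm": iterative_fgsm}


def success_rate(attack, alpha, eps):
    """S202-S203: share of adversarial samples the model still classifies correctly."""
    correct = sum(predict(attack(x, y, alpha, eps)) == y for x, y in DATA)
    return correct / len(DATA)


def screen(alpha, eps):
    """S204: the attack that leaves the lowest classification success rate."""
    rates = {name: success_rate(fn, alpha, eps) for name, fn in ATTACKS.items()}
    return min(rates, key=rates.get), rates


def tune(name, alpha, eps, delta, rounds=4):
    """S205-S209 (assumed rule): add delta to alpha; keep the change only when the
    difference old_rate - new_rate is positive, otherwise halve delta and retry."""
    attack = ATTACKS[name]
    rate = success_rate(attack, alpha, eps)
    for _ in range(rounds):
        new_rate = success_rate(attack, alpha + delta, eps)
        if rate - new_rate > 0:
            alpha, rate = alpha + delta, new_rate
        else:
            delta /= 2
    return alpha, rate


def max_linf(attack, alpha, eps):
    """Largest per-coordinate perturbation, to confirm the L-infinity constraint."""
    return max(abs(a - v) for x, y in DATA
               for a, v in zip(attack(x, y, alpha, eps), x))


if __name__ == "__main__":
    chosen, rates = screen(alpha=0.02, eps=0.1)
    print("success rates:", rates, "-> initial target attack:", chosen)
    print("tuned (alpha, success rate):", tune(chosen, 0.02, 0.1, delta=0.02))
```

The tuned attack is what step S210 would then feed into adversarial training; a fixed number of rounds stands in here for the evaluation threshold, which this section does not define.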
It should be understood that, although the steps in the flowcharts related to the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to this order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed sequentially but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a training device of the image classification network for realizing the training method of the image classification network. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiments of the training device for one or more image classification networks provided below may be referred to the limitation of the training method for an image classification network hereinabove, and will not be repeated here.
In one embodiment, as shown in fig. 3, there is provided a training apparatus of an image classification network, comprising: an acquisition module 310, a screening module 320, an evaluation module 330, and a training module 340, wherein:
an acquisition module 310, configured to obtain adversarial samples corresponding to a plurality of attack algorithms, and, for each attack algorithm, input the adversarial samples of the attack algorithm to an image classification network, so as to obtain an image classification result of the image classification network;
the screening module 320 is configured to screen an initial target attack algorithm from the attack algorithms based on the classification success rate in the image classification result, and adjust attack parameters of the initial target attack algorithm;
The evaluation module 330 is configured to attack the image classification network based on the adjusted initial target attack algorithm, obtain a new image classification result of the image classification network, and evaluate an evaluation value of the image classification network through a network evaluation function;
and the training module 340 is configured to return to executing the step of adjusting the attack parameter of the initial target attack algorithm when the evaluation value is lower than a preset evaluation threshold value, and when the evaluation value is higher than the preset evaluation threshold value, take the adjusted initial target attack algorithm corresponding to the image classification network with the evaluation value higher than the evaluation threshold value as a target attack algorithm, and train the image classification network through the target attack algorithm to obtain a target image classification network.
Optionally, the acquiring module 310 is specifically configured to:
and for each attack algorithm, performing simulation attack processing on the image classification network based on the attack algorithm to obtain an interfered image classification network, and generating an countermeasure sample corresponding to the attack algorithm based on the interfered image classification network.
Optionally, the screening module 320 is specifically configured to:
based on the image classification result of the image classification network, analyzing the correct classification number of the image classification result to obtain the classification success rate of the image classification network;
And in the attack algorithms, screening the attack algorithm corresponding to the image classification network with the lowest classification success rate as an initial target attack algorithm.
Optionally, the screening module 320 is specifically configured to:
identifying the current gradient step length of the image classification network attacked by the initial target attack algorithm, and identifying the association relation between the current gradient step length and attack parameters of the initial target attack algorithm;
calculating change information of the attack parameters when adding a unit gradient step under the current gradient step, updating the attack parameters based on the change information to obtain first attack parameters, and taking an initial target attack algorithm containing the first attack parameters as an adjusted initial target attack algorithm.
Optionally, the evaluation module 330 is specifically configured to:
based on the adjusted initial target attack algorithm, a new adversarial sample corresponding to the adjusted initial target attack algorithm is obtained through the image classification network, and the new adversarial sample is input into the image classification network to obtain a new image classification result of the image classification network.
Optionally, the apparatus further includes:
The computing module is used for computing difference information of the classification success rate and the new classification success rate based on the classification success rate of the image classification network corresponding to the initial target attack algorithm and the new classification success rate of the image classification network corresponding to the adjusted initial target attack algorithm, and adjusting change information of the initial target attack algorithm based on the difference information to obtain new change information;
the adjusting module is used for adjusting the first attack parameter of the adjusted initial target attack algorithm based on the new change information to obtain the second attack parameter of the adjusted initial target attack algorithm, and adjusting the first attack parameter of the adjusted initial target attack algorithm to the second attack parameter.
The respective modules in the training device of the image classification network may be implemented in whole or in part by software, hardware, and a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure of which may be as shown in fig. 4. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a training method for an image classification network. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by persons skilled in the art that the architecture shown in fig. 4 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting as to the computer device to which the present inventive arrangements are applicable, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of:
obtaining adversarial samples corresponding to a plurality of attack algorithms, and, for each attack algorithm, inputting the adversarial samples of the attack algorithm into an image classification network to obtain an image classification result of the image classification network;
based on the classification success rate in the image classification result, screening an initial target attack algorithm in each attack algorithm, and adjusting attack parameters of the initial target attack algorithm;
based on the adjusted initial target attack algorithm, attacking the image classification network to obtain a new image classification result of the image classification network, and evaluating an evaluation value of the image classification network through a network evaluation function;
and when the evaluation value is lower than a preset evaluation threshold, returning to the step of adjusting the attack parameters of the initial target attack algorithm; when the evaluation value is higher than the preset evaluation threshold, taking the adjusted initial target attack algorithm corresponding to the image classification network with the evaluation value higher than the evaluation threshold as a target attack algorithm, and training the image classification network through the target attack algorithm to obtain a target image classification network.
Optionally, the obtaining the adversarial samples corresponding to the attack algorithms includes:
for each attack algorithm, performing simulated attack processing on the image classification network based on the attack algorithm to obtain an interfered image classification network, and generating an adversarial sample corresponding to the attack algorithm based on the interfered image classification network.
Optionally, the screening the initial target attack algorithm in each attack algorithm based on the classification success rate in the image classification result includes:
based on the image classification result of the image classification network, analyzing the correct classification number of the image classification result to obtain the classification success rate of the image classification network;
And in the attack algorithms, screening the attack algorithm corresponding to the image classification network with the lowest classification success rate as an initial target attack algorithm.
Optionally, the adjusting the attack parameters of the initial target attack algorithm includes:
identifying the current gradient step length of the image classification network attacked by the initial target attack algorithm, and identifying the association relation between the current gradient step length and attack parameters of the initial target attack algorithm;
calculating change information of the attack parameters when adding a unit gradient step under the current gradient step, updating the attack parameters based on the change information to obtain first attack parameters, and taking an initial target attack algorithm containing the first attack parameters as an adjusted initial target attack algorithm.
Optionally, the attacking the image classification network based on the adjusted initial target attack algorithm to obtain a new image classification result of the image classification network includes:
based on the adjusted initial target attack algorithm, a new adversarial sample corresponding to the adjusted initial target attack algorithm is obtained through the image classification network, and the new adversarial sample is input into the image classification network to obtain a new image classification result of the image classification network.
Optionally, before the step of returning to execute the step of adjusting the attack parameters of the initial target attack algorithm, the method further includes:
calculating difference information of the classification success rate and the new classification success rate based on the classification success rate of the image classification network corresponding to the initial target attack algorithm and the new classification success rate of the image classification network corresponding to the adjusted initial target attack algorithm, and adjusting change information of the initial target attack algorithm based on the difference information to obtain new change information;
and adjusting the first attack parameter of the adjusted initial target attack algorithm based on the new change information to obtain the second attack parameter of the adjusted initial target attack algorithm, and adjusting the first attack parameter of the adjusted initial target attack algorithm to the second attack parameter.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
obtaining adversarial samples corresponding to a plurality of attack algorithms, and, for each attack algorithm, inputting the adversarial samples of the attack algorithm into an image classification network to obtain an image classification result of the image classification network;
Based on the classification success rate in the image classification result, screening an initial target attack algorithm in each attack algorithm, and adjusting attack parameters of the initial target attack algorithm;
based on the adjusted initial target attack algorithm, attacking the image classification network to obtain a new image classification result of the image classification network, and evaluating an evaluation value of the image classification network through a network evaluation function;
and when the evaluation value is lower than a preset evaluation threshold, returning to the step of adjusting the attack parameters of the initial target attack algorithm; when the evaluation value is higher than the preset evaluation threshold, taking the adjusted initial target attack algorithm corresponding to the image classification network with the evaluation value higher than the evaluation threshold as a target attack algorithm, and training the image classification network through the target attack algorithm to obtain a target image classification network.
Optionally, the obtaining the adversarial samples corresponding to the attack algorithms includes:
for each attack algorithm, performing simulated attack processing on the image classification network based on the attack algorithm to obtain an interfered image classification network, and generating an adversarial sample corresponding to the attack algorithm based on the interfered image classification network.
Optionally, the screening the initial target attack algorithm in each attack algorithm based on the classification success rate in the image classification result includes:
based on the image classification result of the image classification network, analyzing the correct classification number of the image classification result to obtain the classification success rate of the image classification network;
and in the attack algorithms, screening the attack algorithm corresponding to the image classification network with the lowest classification success rate as an initial target attack algorithm.
Optionally, the adjusting the attack parameters of the initial target attack algorithm includes:
identifying the current gradient step length of the image classification network attacked by the initial target attack algorithm, and identifying the association relation between the current gradient step length and attack parameters of the initial target attack algorithm;
calculating change information of the attack parameters when adding a unit gradient step under the current gradient step, updating the attack parameters based on the change information to obtain first attack parameters, and taking an initial target attack algorithm containing the first attack parameters as an adjusted initial target attack algorithm.
Optionally, the attacking the image classification network based on the adjusted initial target attack algorithm to obtain a new image classification result of the image classification network includes:
based on the adjusted initial target attack algorithm, a new adversarial sample corresponding to the adjusted initial target attack algorithm is obtained through the image classification network, and the new adversarial sample is input into the image classification network to obtain a new image classification result of the image classification network.
Optionally, before the step of returning to execute the step of adjusting the attack parameters of the initial target attack algorithm, the method further includes:
calculating difference information of the classification success rate and the new classification success rate based on the classification success rate of the image classification network corresponding to the initial target attack algorithm and the new classification success rate of the image classification network corresponding to the adjusted initial target attack algorithm, and adjusting change information of the initial target attack algorithm based on the difference information to obtain new change information;
and adjusting the first attack parameter of the adjusted initial target attack algorithm based on the new change information to obtain the second attack parameter of the adjusted initial target attack algorithm, and adjusting the first attack parameter of the adjusted initial target attack algorithm to the second attack parameter.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:
obtaining adversarial samples corresponding to a plurality of attack algorithms, and, for each attack algorithm, inputting the adversarial samples of the attack algorithm into an image classification network to obtain an image classification result of the image classification network;
based on the classification success rate in the image classification result, screening an initial target attack algorithm in each attack algorithm, and adjusting attack parameters of the initial target attack algorithm;
based on the adjusted initial target attack algorithm, attacking the image classification network to obtain a new image classification result of the image classification network, and evaluating an evaluation value of the image classification network through a network evaluation function;
and under the condition that the evaluation value is lower than a preset evaluation threshold value, returning to the step of executing the attack parameter adjusting the initial target attack algorithm, taking the adjusted initial target attack algorithm corresponding to the image classification network with the evaluation value higher than the evaluation threshold value as a target attack algorithm when the evaluation value is higher than the preset evaluation threshold value, and training the image classification network through the target attack algorithm to obtain a target image classification network.
Optionally, the obtaining the challenge samples corresponding to the attack algorithms includes:
And for each attack algorithm, performing simulation attack processing on the image classification network based on the attack algorithm to obtain an interfered image classification network, and generating an countermeasure sample corresponding to the attack algorithm based on the interfered image classification network.
Optionally, the screening the initial target attack algorithm in each attack algorithm based on the classification success rate in the image classification result includes:
based on the image classification result of the image classification network, analyzing the correct classification number of the image classification result to obtain the classification success rate of the image classification network;
and in the attack algorithms, screening the attack algorithm corresponding to the image classification network with the lowest classification success rate as an initial target attack algorithm.
Optionally, the adjusting the attack parameters of the initial target attack algorithm includes:
identifying the current gradient step length of the image classification network attacked by the initial target attack algorithm, and identifying the association relation between the current gradient step length and attack parameters of the initial target attack algorithm;
calculating change information of the attack parameters when adding a unit gradient step under the current gradient step, updating the attack parameters based on the change information to obtain first attack parameters, and taking an initial target attack algorithm containing the first attack parameters as an adjusted initial target attack algorithm.
Optionally, the attacking the image classification network based on the adjusted initial target attack algorithm to obtain a new image classification result of the image classification network includes:
based on the adjusted initial target attack algorithm, obtaining, through the image classification network, a new adversarial sample corresponding to the adjusted initial target attack algorithm, and inputting the new adversarial sample into the image classification network to obtain a new image classification result of the image classification network.
Optionally, before returning to the step of adjusting the attack parameters of the initial target attack algorithm, the method further includes:
calculating difference information of the classification success rate and the new classification success rate based on the classification success rate of the image classification network corresponding to the initial target attack algorithm and the new classification success rate of the image classification network corresponding to the adjusted initial target attack algorithm, and adjusting change information of the initial target attack algorithm based on the difference information to obtain new change information;
and adjusting the first attack parameter of the adjusted initial target attack algorithm based on the new change information to obtain the second attack parameter of the adjusted initial target attack algorithm, and adjusting the first attack parameter of the adjusted initial target attack algorithm to the second attack parameter.
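The procedure described above (screen the attack with the lowest classification success rate, tune its parameter until the evaluation value passes the threshold, then train on its samples), as an added Python example that is not code from the patent. Assumptions, none of which this part of the text fixes: a logistic-regression stand-in for the image classification network on constructed 4-pixel data, a gradient-sign attack and a random-noise attack sharing one parameter `eps`, an evaluation value of 1 minus the classification success rate, and a doubling rule for the change information `delta`.

```python
import math
import random

def predict(w, b, x):
    """Probability of class 1 from a linear stand-in for the network."""
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))

def train(data, epochs=200, lr=0.1):
    """Logistic regression fitted by batch gradient descent."""
    dim = len(data[0][0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        errs = [predict(w, b, x) - y for x, y in data]
        for i in range(dim):
            w[i] -= lr * sum(e * x[i] for e, (x, _) in zip(errs, data)) / len(data)
        b -= lr * sum(errs) / len(data)
    return w, b

def fgsm(w, b, x, y, eps, rng):
    """Gradient-sign attack: shift each pixel eps along sign(dLoss/dx)."""
    err = predict(w, b, x) - y
    return [xi + eps * ((err * wi > 0) - (err * wi < 0)) for xi, wi in zip(x, w)]

def noise(w, b, x, y, eps, rng):
    """Model-agnostic baseline: random +/-eps on every pixel."""
    return [xi + eps * rng.choice((-1, 1)) for xi in x]

ATTACKS = {"fgsm": fgsm, "noise": noise}

def success_rate(w, b, data, attack, eps, rng):
    """Share of adversarial samples still classified correctly."""
    ok = sum((predict(w, b, attack(w, b, x, y, eps, rng)) > 0.5) == (y == 1)
             for x, y in data)
    return ok / len(data)

def select_and_tune(threshold=0.3, eps=0.5, delta=0.05, seed=0):
    rng = random.Random(seed)
    # Constructed data: 4-pixel "images" with class means at -1 and +1.
    data = [([s + rng.gauss(0, 0.3) for _ in range(4)], int(s > 0))
            for s in (-1.0, 1.0) for _ in range(100)]
    w, b = train(data)
    # Screen: keep the attack with the lowest classification success rate.
    rates = {n: success_rate(w, b, data, a, eps, rng) for n, a in ATTACKS.items()}
    name = min(rates, key=rates.get)
    attack, rate = ATTACKS[name], rates[name]
    # Tune: raise eps until the evaluation value (assumed: 1 - rate) passes.
    while 1.0 - rate < threshold and eps < 10.0:
        eps += delta
        new_rate = success_rate(w, b, data, attack, eps, rng)
        if rate - new_rate < 0.01:  # weak effect: enlarge the change (assumed rule)
            delta *= 2
        rate = new_rate
    # Train: refit on clean plus adversarial samples from the target attack.
    adv = [(attack(w, b, x, y, eps, rng), y) for x, y in data]
    w2, b2 = train(data + adv)
    return {"attack": name, "eps": eps, "evaluation": 1.0 - rate,
            "robust_after": success_rate(w2, b2, data, attack, eps, rng)}
```

For a linear classifier the gradient-sign perturbation is the worst case within the `eps` bound, so the screening step never scores it above the random-noise baseline.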
The user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium; when executed, the program may carry out the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM can take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of these technical features are described; however, as long as a combination of technical features involves no contradiction, it should be considered within the scope of this description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail, but they are not thereby to be construed as limiting the scope of the application. It should be noted that those skilled in the art can make several variations and modifications without departing from the spirit of the application, all of which fall within the scope of protection of the application. Accordingly, the scope of protection of the application shall be determined by the appended claims.

Claims (10)

1. A method of training an image classification network, the method comprising:
obtaining adversarial samples corresponding to a plurality of attack algorithms and, for each attack algorithm, inputting the adversarial samples of that attack algorithm into an image classification network to obtain an image classification result of the image classification network;
based on the classification success rate in the image classification result, screening an initial target attack algorithm from among the attack algorithms, and adjusting attack parameters of the initial target attack algorithm;
based on the adjusted initial target attack algorithm, attacking the image classification network to obtain a new image classification result of the image classification network, and computing an evaluation value of the image classification network through a network evaluation function;
and, when the evaluation value is lower than a preset evaluation threshold, returning to the step of adjusting the attack parameters of the initial target attack algorithm; when the evaluation value is higher than the preset evaluation threshold, taking the adjusted initial target attack algorithm for which the evaluation value of the image classification network is higher than the evaluation threshold as a target attack algorithm, and training the image classification network through the target attack algorithm to obtain a target image classification network.
2. The method of claim 1, wherein the obtaining of the adversarial samples corresponding to the plurality of attack algorithms comprises:
for each attack algorithm, performing simulated attack processing on the image classification network based on the attack algorithm to obtain an interfered image classification network, and generating an adversarial sample corresponding to the attack algorithm based on the interfered image classification network.
3. The method of claim 1, wherein the screening of the initial target attack algorithm based on the classification success rate in the image classification result comprises:
based on the image classification result of the image classification network, analyzing the number of correct classifications in the image classification result to obtain the classification success rate of the image classification network;
and, among the attack algorithms, screening the attack algorithm corresponding to the image classification network with the lowest classification success rate as the initial target attack algorithm.
4. The method of claim 1, wherein said adjusting attack parameters of said initial target attack algorithm comprises:
identifying the current gradient step length of the image classification network attacked by the initial target attack algorithm, and identifying the association relation between the current gradient step length and attack parameters of the initial target attack algorithm;
calculating change information of the attack parameters when adding a unit gradient step under the current gradient step, updating the attack parameters based on the change information to obtain first attack parameters, and taking an initial target attack algorithm containing the first attack parameters as an adjusted initial target attack algorithm.
5. The method of claim 1, wherein the attacking of the image classification network based on the adjusted initial target attack algorithm to obtain a new image classification result of the image classification network comprises:
based on the adjusted initial target attack algorithm, obtaining, through the image classification network, a new adversarial sample corresponding to the adjusted initial target attack algorithm, and inputting the new adversarial sample into the image classification network to obtain a new image classification result of the image classification network.
6. The method of claim 4, further comprising, before returning to the step of adjusting the attack parameters of the initial target attack algorithm:
calculating difference information of the classification success rate and the new classification success rate based on the classification success rate of the image classification network corresponding to the initial target attack algorithm and the new classification success rate of the image classification network corresponding to the adjusted initial target attack algorithm, and adjusting change information of the initial target attack algorithm based on the difference information to obtain new change information;
and adjusting the first attack parameter of the adjusted initial target attack algorithm based on the new change information to obtain the second attack parameter of the adjusted initial target attack algorithm, and adjusting the first attack parameter of the adjusted initial target attack algorithm to the second attack parameter.
7. A training apparatus for an image classification network, the apparatus comprising:
an acquisition module, configured to obtain adversarial samples corresponding to a plurality of attack algorithms and, for each attack algorithm, input the adversarial samples of that attack algorithm into the image classification network to obtain an image classification result of the image classification network;
a screening module, configured to screen an initial target attack algorithm from among the attack algorithms based on the classification success rate in the image classification result, and to adjust attack parameters of the initial target attack algorithm;
an evaluation module, configured to attack the image classification network based on the adjusted initial target attack algorithm to obtain a new image classification result of the image classification network, and to compute an evaluation value of the image classification network through a network evaluation function;
and a training module, configured to return to the step of adjusting the attack parameters of the initial target attack algorithm when the evaluation value is lower than a preset evaluation threshold and, when the evaluation value is higher than the preset evaluation threshold, to take the adjusted initial target attack algorithm for which the evaluation value of the image classification network is higher than the evaluation threshold as the target attack algorithm, and to train the image classification network through the target attack algorithm to obtain the target image classification network.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
CN202310753848.0A 2023-06-26 2023-06-26 Training method, training device, computer equipment and storage medium of image classification network Pending CN116776966A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310753848.0A CN116776966A (en) 2023-06-26 2023-06-26 Training method, training device, computer equipment and storage medium of image classification network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310753848.0A CN116776966A (en) 2023-06-26 2023-06-26 Training method, training device, computer equipment and storage medium of image classification network

Publications (1)

Publication Number Publication Date
CN116776966A true CN116776966A (en) 2023-09-19

Family

ID=88011157

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310753848.0A Pending CN116776966A (en) 2023-06-26 2023-06-26 Training method, training device, computer equipment and storage medium of image classification network

Country Status (1)

Country Link
CN (1) CN116776966A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination