DE102018122019A1 - Computer-implemented method for evaluating object image data of an object - Google Patents

Abstract

Computer-implemented method for evaluating object image data of an object in a multi-stage method comprising several evaluation levels,
an image value of the object image data being compared with a value range in an evaluation level,
which range of values is defined by area boundaries, at least one distance between the image value and / or an image value overlaid with a weighting function and an area boundary of the area boundaries being determined in at least one evaluation level.

Description

The invention described below relates to a computer-implemented method for evaluating object image data of an object in a multi-stage method comprising a plurality of evaluation levels,
an image value of the object image data being compared with a value range in an evaluation level,
which range of values is defined by range limits.

A multi-stage process for evaluating objects is used, for example, in the form of neural networks. Image values - or generally object values - are compared with one value range or with several value ranges in individual evaluation levels.

According to current teaching, an object is assessed using image data including image values. For this purpose, the object to be evaluated is recorded by means of an image sensor that outputs image data, such as a camera.

The image value is a vectorial quantity, which vectorial quantity indicates at least one property of a pixel, specifying the position of the pixel. The property of a pixel can be, for example, a gray value or a color code.

The image data comprise image values by means of which image values characteristic properties of the object such as the color of the object, the size of the object, edges of the object can be evaluated. On the basis of these determined properties, an evaluation of the recorded object can be carried out by means of neural networks, a first image value being evaluated in one evaluation level and a second image value being evaluated in a second evaluation level.

Equivalent to the image data of the object, an evaluation of an object is possible on the basis of object data including object values stored in a database. Following this, the method according to the invention described below can also be carried out on the basis of data records.

However, the evaluation of image data of an object for the classification of the object is problematic. The image data of an object can be overlaid with interference data so that a person still perceives the object as such an object, while a computer-implemented method perceives the object as another object.

Like data-driven learning from examples in general, deep learning [GOODFELLOW, I, BENGIO, Y, COURVILLE A ,, DEEP LEARNING. THE MIT PRESS, 2016] especially a poorly posed multivariate functional approximation problem. According to current teaching, the stability of deep learning cannot be guaranteed.

Since the discovery by Szegedy et al. [C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, R. Fergus, "Intriguing properties of neural networks", arXiv 1312.6199, 2014] has the problem of the Deception of Deep Neuronal Network (DNN ) Systems attracted increased attention due to manipulated data ("adversarial examples"). Numerous examples of such data manipulations leading to deception are known in the literature [A. Kurakin, I. Goodfellow, S. Bengio, "Adversarial examples in the physical world", In International Conference on Learning Representations Workshop, 2017, Galloway, A., Taylor, GW, and M. Moussa, "Attacking binarized neural networks", International Conference on Learning Representations, 2018, Galloway, A., Taylor, GW, and M. Moussa, "Attacking binarized neural networks", International Conference on Learning Representations, 2018, X. Yuan, P. He, Q. Zhu, RR Bhat, X. Li, "Adversarial examples: Attacks and defenses for deep learning", arXiv 1712.07107, 2017, C. Xie, J. Wang, Z. Zhang, Z. Ren, A. Yuille, "Mitigating adversarial effects through randomization" , In International Conference on Learning Representations, 2018, J. Uesato, B. O'Donoghue, A. van den Oord, P. Kohli, "Adversarial risk and the dangers of evaluating against weak attacks", In International Conference on Machine Learning, 2018.]. For an overview of defense strategies and detection of such delusions, see [N. Akhtar and A. Mian, "Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey," in IEEE Access, vol. 6, pp. 14410-14430, 2018] and [Yuan, X .; He, P .; Zhu, Q .; Bhat, R. R., X. Li, "Adversarial Examples: Attacks and Defenses for Deep Learning", arXiv 1712.07107, 2017].

In the English specialist literature, this data leading to deception is referred to as "adversarial examples". In the context of the disclosure of the method according to the invention, these data are briefly referred to as “A data”.

• Die erste Art basiert auf korrekt klassifizierten Bildern bzw. Daten, die unter unmerklichen Störungen dazu führen, dass das Deep Neuronal Network-System das modifizierte Bild mit „hoher Glaubwürdigkeit“ [C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, R. Fergus, „Intriguing properties of neural networks“, arXiv 1312.6199, 2014] falsch klassifiziert.

The person skilled in the art knows essentially two manipulation phenomena:

• The first type is based on correctly classified images or data which, with imperceptible interference, lead the Deep Neuronal Network system to use the modified image with "high credibility" [C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, R. Fergus, "Intriguing properties of neural networks", arXiv 1312.6199, 2014] incorrectly classified.

The second type is based on the input of noise, e.g. by interference signals that are manipulated in such a way that the Deep Neuronal Network system delivers an output of “high credibility”.

The term “high credibility” refers to a number between 0 and 1 with reference to the current teaching, by means of which number the Deep Neuronal Network system evaluates the classification. This number is commonly interpreted as a probability.

According to the current teaching, the following countermeasures against the manipulation phenomena are known in principle.

The "adversarial" training method is based on the rapid generation of A data [P. Frossard, S.-M. Moosavi-Dezfooli, A. Fawzi, "Deepfool: a simple and accurate method to fool deep neural networks", In CVPR, pages 2574-2582, 2016], to use this during the training as data augmentation to gain more robustness.

However, it turns out that this method does not solve the problem, since A data can again be constructed for the resulting classifier [R. Huang, B. Xu, D. Schuurmans, and C. Szepesvari, "Learning with a strong adversary", In ICLR, 2016, N. Papernot, P. McDaniel, X.Wu, S. Jha, A. Swami, "Distillation as a defense to adversarial perturbations against deep neural networks ”, In Security and Privacy (SP), 2016 IEEE Symposium on, pages 582-597. IEEE, 2016, A. Kurakin, I. Goodfellow, S. Bengio, "Adversarial examples in the physical world", In International Conference on Learning Representations Workshop, 2017, S.M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard, "Universal adversarial perturbations", In CVPR, 2017, J. Kos, I. Fischer, and D. Song, "Adversarial examples for generative models", In ICLR Workshop, 2017]. Even worse, such procedures can lead to a false sense of security.

There are various methods to check whether the output is not changed within a standard environment (eg with regard to Euclidean distance) of an image. These methods are based either on exact formal verification methods such as SMT [G. Katz, C. Barrett, D. L. Dill, K. Julian, and M. J. Kochenderfer, "Reluplex: An efficient SMT solver for verifying deep neural networks", In International Conference on Computer Aided Verification, pages 97-117. Springer, 2017, R. Ehlers, "Formal Verification of Piece-Wise Linear Feed-Forward Neural Networks", In Automated Technology for Verification and Analysis, International Symposium on, 2017] or on so-called "Bound Propagation" methods [Dvijotham, KD , Uesato, J., R. Arandjelovi, "Training Verified Learners with Learned Verifiers", arXiv 1805.10265v2, 2018, Mirman M, T. Gehr, M. Vechev, "Differentiable Abstract Interpretation for Provably Robust Neural Networks", ICML 2018 ( https://github.com/ethsri/diffai), T. Gehr, M. Mirman, D. Drachsler-Cohen, P. Tsankov, S. Chaudhuri, and M. Vechev, "AI2: Safety and robustness certification of neural networks with abstract interpretation ". In Security and Privacy (SP), 2018 IEEE Symposium on, 2018, K. Dvijotham, R. Stanforth, S. Gowal, T. Mann, and P. Kohli, "Towards scalable verification of neural networks: A dual approach", In Conference on Uncertainty in Artificial Intelligence, 2018, JZ Kolter and E. Wong, "Provable defenses against adversarial examples via the convex outer adversarial polytope", arXiv 1711.00851, 2017] or on the calculation of a lower limit ("lower distance bound") [ M. Hein and M. Andriushchenko, "Formal Guarantees on the Robustness of a Classifier against Adversarial Manipulation", 31st Conference on Neural Information Processing Systems, NIPS 2017].

The SMT-based method [G. Katz, C. Barrett, D. L. Dill, K. Julian, and M. J. Kochenderfer, "Reluplex: An efficient SMT solver for verifying deep neural networks", In International Conference on Computer Aided Verification, pages 97-117. Springer, 2017, R. Ehlers, "Formal Verification of Piece-Wise Linear Feed-Forward Neural Networks", In Automated Technology for Verification and Analysis, International Symposium on, 2017] become unusably complex for larger deep neuronal network systems. It is similar with the method of [M. Hein and M. Andriushchenko, "Formal Guarantees on the Robustness of a Classifier against Adversarial Manipulation", 31st Conference on Neural Information Processing Systems, NIPS 2017], which calculates a lower distance barrier for continuously differentiable deep neuronal network models. The lower distance barrier indicates that this barrier must be exceeded due to interference in order to be able to generate A data based on a correctly classified image. If this limit is not exceeded, it can be guaranteed that any manipulation will not lead to a change in classification by the Deep Neuronal Network system. The restriction to continuously differentiable deep neuronal network models includes also represents the continuously differentiable activation function. However, since the most common choice for the activation function is a so-called "rectified linear unit" function, this method cannot be applied to this class of deep neuronal network systems.

The basic idea of bound propagation is as follows: Consider an n-dimensional cuboid (standard sphere in the maxmium standard) that is located in the center of a certain data point (image). You now want to verify that there are no A data in this box. However, the direct check is practically impracticable, since it leads to a (NP hard) NP difficult complex optimization problem. An approximation is therefore chosen in the respective layers. In the method of [Dvijotham, KD, Uesato, J., R. Arandjelovi, "Training Verified Learners with Learned Verifiers", arXiv 1805.10265v2, 2018], this approximation again consists of cuboids that enclose actually propagated data values. Other authors use other classes of convex bodies, such as zonotopes [T. Gehr, M. Mirman, D. Drachsler-Cohen, P. Tsankov, S. Chaudhuri, and M. Vechev, "AI2: Safety and robustness certification of neural networks with abstract interpretation". In Security and Privacy (SP), 2018 IEEE Symposium on, 2018].

A verification that there is no A data within the enclosing areas then verifies that there is no A data in particular in the exit cuboid. However, this method has its limits with more complex data, since these circumscribing convex verification areas can take on exponentially increasing dimensions depending on the number of layers. Thus, in the case of more complex data, there is a high probability that such verification areas overlap with data points of other classes, so that the verification process subsequently fails (since data from another class is now in the verification area). This analysis is supported by experiments, see evaluation tables by [Dvijotham, K. D., Uesato, J., R. Arandjelovi, "Training Verified Learners with Learned Verifiers", arXiv 1805.10265v2, 2018].

The invention discussed below has the task of detecting when instability is present and when not when using deep learning methods according to the prior art.

The object of the invention is to improve a multi-stage method for evaluating an object on the basis of its image values or also object values according to the prior art in such a way that the method according to the invention is integral to external influences. The further object of the invention can be derived from this that the method according to the invention is designed such that external influences on the method according to the invention can be identified.

Almost invisible or difficult to detect manipulations ("adversarial examples") are particularly tricky for applications, which lead to violations of the integrity of these applications.

Integral evaluation of image content by means of computer-implemented methods using neural networks is of enormous importance, for example, when evaluating image data in autonomous driving controls.

According to the invention this is achieved in that
at least one distance between the image value and / or the image value superimposed with a weighting function and an area boundary of the area limits is determined in at least one evaluation level.

In the following disclosure of the invention, no distinction is made between an image value and an image value distorted by a weighting function, unless this is explicitly or implicitly stated. Following the current teaching, for example, an image value with a weighting function is superimposed when evaluating using neural networks, with a certain degree of “distortion” of the image values.

The invention disclosed here is characterized in that, in addition to determining an intersection of an image value and a value range, the distance between the image value and at least one limit value of the value range is determined. This can be done at selected rating levels or at all rating levels.

The distance can be an absolute value. The distance can also be a vector. In any case, the distance is a mathematical quantity, which can be calculated using the usual mathematical teaching (difference, calculation of the length of a vector et cetera).

The distance can also be a size, which size is given taking into account a function extending between the image value and the relative area boundary. According to the current teaching, the determination of the distance as an absolute value or as a vector is dependent on the existing input values, namely the image value and the area boundary.

The method according to the invention can be characterized in that
the determined distance is compared with a threshold value.

The distance given as an absolute size can be compared to a threshold given as an absolute size. As it were, the distance can be in the form of a vectorial Size can be compared with a threshold in the form of a vectorial size. Furthermore, a length of the vector can be determined as an absolute size from a vectorial size, which length can be compared with an absolute size determined from the vectorial size.

The method according to the invention is characterized in that the determined distance is introduced as a criterion for the reliability of the evaluation of the image data. For this purpose, the determined distance can be overlaid with a weighting function.

These distances provide information about the integrity of the evaluation of the image value in the evaluation level, so that if a maximum distance is adhered to, it can be assumed with a high degree of probability that the image values will be overlaid by further image values or falsified by noise or intentional manipulations with a predefined maximum deviation limit Do not prevent the integrity of the method according to the invention for evaluating image values.

The distances can already be determined and taken into account when designing the system, so that if the defined threshold value is complied with, the integrity can be regarded as guaranteed.

The method according to the invention is characterized in that, in addition to the range of values, an integrity range is also defined, which range of integrity is part of the range of values. The distance specification can also only contain the specification that the image value is contained in the integration area, the smallest distance being for an evaluation of an intersection between the image value and the integration area.

By comparing the image value with the threshold value, it is determined whether the image value lies within this integrity range. The comparison of the threshold value is therefore equivalent to the determination of an intersection area between the image value and an integrity area. Such an integration range is defined by a minimum distance from the limit value that makes up the value of the threshold value.

The determination of the distance allows the determination of the measure by which measure the image value lies in the integrity area or by which measure the image value lies outside the integrity area. In addition to the specification of the absolute, vectorial or the distance following a function, the distance can also include a direction by means of which direction the position of the image value is specified in relation to the relative limit value. The method is preferably carried out in such a way that the distance of the individual object values increases each area boundary defining the area is compared. The smallest distance is determined using the threshold value, and depending on whether the minimum distance falls below or exceeds the threshold value, the evaluation carried out in this evaluation stage can be classified as safe or as unsafe.

The smallest distance is an absolute value if there are absolute values. For vector sizes, the smallest distance can be calculated from the distance between the scalars or from the distance between the vectors. The smallest distance can therefore be an absolute value or a vector size if there are vector sizes.

Within the scope of the method according to the invention, the smallest distance, which smallest distance falls below the threshold value, can be regarded as an indication of an uncertain assessment of the event. Within the scope of this invention, the smallest distance, which smallest distance exceeds the threshold value, can be regarded as an indication of a reliable evaluation.

The necessity of defense strategies for the detection of interference signals can be derived from the distance and in particular from the comparison of the distance to a setpoint value, whereby superimpositions or falsifications of the object image data due to noise remain within an acceptable range defined by the setpoint value. The defense strategies that may be introduced are not part of the method according to the invention.

The range limits can be defined by a user.

As an alternative or in addition to this, the range limits can also be defined by self-learning methods.

During a process of teaching the computer-implemented evaluation method, the image values are classified directly or indirectly by a person. An indirect evaluation can be carried out in such a way that the person classifies image values, as a result of which further image values associated with the image values are selected. Such processes are known in the prior art.

The area boundaries can be defined by mathematical methods around the directly and / or indirectly selected image values.

The above explanation relates to the evaluation of image data comprising image values in an evaluation level. According to the prior art, an evaluation, for example by means of neural networks, comprises several evaluation levels. The method according to the invention described above can also be carried out on selected evaluation levels or on all evaluation levels.

When using the method according to the invention, at least one distance per evaluation level can be determined on several evaluation levels, the determined distances being compared with target values. The statement as to whether an assessment is uncertain can then be made by considering the number of distances and comparing them with the target values.

The method according to the invention can be characterized in that
in n evaluation levels (n = 1, 2, 3, ...) at least a distance of the image value and / or of the image value superimposed by a weighting function to an area limit of the area limits is determined, wherein
coding encompassing the distance information about the determined distances of the individual evaluation levels is created.

When the method according to the invention is applied to several evaluation levels, a coding comprising the distance information of the individual evaluation levels can be created from the individual distance information.

The distance specification in an evaluation level can also only contain the specification that the image value is contained in the value range and / or in the integration range. Accordingly, coding can contain the information as to whether an image value or an image value distorted by a weighting function falls in a value range and / or in an integration range. It should be noted that similar object image data have a similar coding.

Similar image values, which are evaluated via similar evaluation levels, have a similar coding. A similar coding of similar image values can therefore be included as a measure of consistency when carrying out the method according to the invention or in a method independent of the above method steps.

A coding can be present, for example, in matrix form, with line-by-line information about the falling of an image value into a value range and column-by-line information per evaluation level.

The method according to the invention is additionally explained by the following description of the figures and by the following figures. The person skilled in the art is able to combine the features of the above general description part and the following description of the figures. However, the scope of protection is determined exclusively by the claims.

1

Pandabär

2

erstes Bild

3

zweites Bild

4

Ergebnisbild

5

erster Bildwert

6

zweiter Bildwert

7

Wertebereich

8

Bereichsgrenzen

9

Bereichsgrenzen

10

Bereichsgrenzen

11

erster Abstand

12

zweiter Abstand

13

erste Teilfläche

In the figures, the following elements are identified by the preceding reference symbols.

1

Panda bear

2nd

first picture

3rd

second picture

4th

Result picture

5

first image value

6

second image value

7

Range of values

8th

Range limits

9

Range limits

10th

Range limits

11

first distance

12th

second distance

13

first partial area

• In 1 the problem underlying the method according to the invention is shown.
• 2nd illustrates the effect of the method according to the invention on the principle of set theory.

• Attacks and Defenses for Deep Learning, (arXiv 1712.07107,
• https://arxiv.org/abs/1712.07107) entnommen. 1 zeigt links das Bild eines Pandabären 1 (erstes Bild 2). Nach dem Stand der Technik erkennt ein Computer implementiertes Verfahren zur Bewertung von Bilddaten anhand von Bildwerten mit einer in 1 angegebenen Wahrscheinlichkeit in der Höhe von 57,7% („confidence“), dass in dem linken Bild ein Pandabär 1 („panda“) dargestellt ist.

1 illustrates the problem underlying the invention discussed here. That in the 1 Image included was taken from Xiaoyong Yuan et al: Adversial Examples:

• Attacks and Defenses for Deep Learning, (arXiv 1712.07107,
• https://arxiv.org/abs/1712.07107). 1 shows on the left the picture of a panda bear 1 (first picture 2nd ). According to the prior art, a computer recognizes implemented method for evaluating image data on the basis of image values with an in 1 specified probability in the amount of 57.7% ("confidence") that in the left picture a panda bear 1 ("Panda") is shown.

1 illustrates that the first picture 2nd with an interference signal (second picture 3rd ) is superimposed. The overlay also has a weighting factor of 0.007.

1 also includes the result picture 4th the overlay of the first image 2nd and the second picture 3rd . It is in the result image for the human eye 4th still a panda bear 1 evident. The one in the result picture 4th panda bear perceptible to the human eye 1 corresponds to that in the first picture 2nd panda bears perceptible to the human eye 1 .

However, it is implemented in the result image for the computer 4th included a gibbon. That with the to evaluate the content of the result picture 4th The method used evaluates the image data of the result image with a specified probability of 99.3% (“confidence”) as a Gibbon.

It is explicitly noted that the specified probability of evaluating the first image 2nd is lower than the specified probability of evaluating the result image 4th . Due to the interference signal (second picture 3rd ) the evaluation of the image data and the specified probability of the evaluation can be influenced.

2nd illustrates the effect of the method according to the invention on the principle of set theory. An image value comprising image values becomes a first image value 5 and a second image value 6 read out. Both image values 5 , 6 are within a range of values 7 . The range of values 7 is by range boundaries 8th , 9 , 10th limited.

A comparison of the first image value 5 with the range of values 7 according to the prior art, the result is that the first image value 5 in the value range 7 is. It can be the first image value 7 and the range boundaries, as it were 8th , 9 , 10th exist as absolute sizes or as vectorial sizes.

A comparison of the second image value provides at the same time 6 with the value range 7 according to the prior art, the knowledge that the second image value is in the value range 7 is.

The first image value 5 and the second image value 6 can - with reference to the 1 - be a color value of the panda.

In addition to the above comparison of the first image value 5 with the range of values 7 and the second image value 6 with the range of values 7 in the method according to the invention, the distance between the image values 5 , 6 to the area boundaries 8th , 9 , 10th determined. In 3rd the distance is an example 11 than the smallest distance between the second image value 6 and the range limits 8th , 9 , 10th registered. For reasons of clarity, the other distances are the first image value 5 and the second image value to the area boundaries 8th , 9 , 10th not specified. However, the expert clearly and clearly recognizes that the first image value 5 from the area boundaries 8th , 9 , 10th is further away than the second image value 6 .

It becomes the distance 11 compared to a threshold. It is about introducing a threshold and comparing the determined distance 11 a minimum distance between the image value, here the second image value 6 and the range limits, here the range limit 10th Are defined. Is the distance 11 less than the threshold, the result is considered uncertain because the second image value 6 too close to the area boundary 10th is.

2nd also illustrates the basis of the method according to the invention for calculating a distance of an image value or a weighted distance of an image value from a limit function.

zu spezifzieren, um zu einem gegebenen Bild (Datenpunkt) x die entsprechende Kategorie (label) $y=\left({\theta }_{}\left(x\right)\right)$

vorherzusagen; diese Spezifikation erfolgt gemäß dem Stand der Technik durch die Minimierung eines Risikomodells $$

(loss function) für Fehlklassifikationen. Lernen bedeutet dabei, passende Parameter 0 zu finden, die diese Optimierungsaufgabe hinreichend gut lösen.Given the training data ( x _i , y _i ) _{i = 1, ..., N} as pairs of input data with an assignment to a category (label); the learning problem is a parameterized input-output function, ${\stackrel{}{˜}}_{\theta }=\circ {\theta }_{}:{ℝ}^n\to {\left[0.1\right]}^M,$

to specify in order to give the corresponding category (label) for a given image (data point) $y=\left({\theta }_{}\left(x\right)\right)$

predict; this specification takes place according to the state of the art by minimizing a risk model $$

(loss function) for misclassifications. Learning means finding suitable parameters 0 that solve this optimization task sufficiently well.

According to the state of the art, we assume that the input data can be represented vectorially in an n-dimensional number space, ie x _i ∈ ℝ ⁿ ; for example an image with a fixed format; Furthermore, it is assumed that the categories y _i ∈ {1, ..., M} can be represented as a discrete set of numbers.

Deep models (DNN) specify the parameterized input-output function as a multi-layer structure (layers) of calculations [GBC16].

aus der iterativen Anwendung von Kompositionsoperationen von affinen Voraktivierungsfunktionen (pre-activation oder net-input function) f_k(z_k-1) := W_kz_k-1 + b_k und einer anschließenden komponentenweisen Anwendung einer nichtlinearen Aktivierungsfunktion g : ℝ → ℝ.The function results for the architecture of a multilayer perceptron MLP ${\theta }_{}:{ℝ}^n\to {ℝ}^{n_L}$

from the iterative application of composition operations of affine pre-activation functions (pre-activation or net-input function) f _k (z _k-1 ): = W _k z _k-1 + b _k and a subsequent component-wise application of a non-linear activation function g: ℝ → ℝ.

• • z₀ = g ∈ ℝⁿ (Input Bild)
• • z_k = g ◦ f_k(z_k-1) ∈ ℝ^{n k} als Output in der k-ten Schicht,

wobei W_k ∈ ℝ^{n k×n k-1} die Gewichtsmatrix und b_k ∈ ℝ^{n k} den Bias Vektor in der k-ten Schicht bezeichnet. Das Gewicht zusammen mit den Bias Vektoren werden durch en Parametervektor θ zusammengefasst.The iteration follows

• • z ₀ = g ∈ ℝ ⁿ (input image)
• • z _k = g ◦ f _k (z _k-1 ) ∈ ℝ ^{n k} as output in the kth layer,

where W _k ∈ ℝ ^{n k × n k-1} the weight matrix and b _k ∈ ℝ ^{n k} denotes the bias vector in the kth layer. The weight together with the bias vectors are summarized by the parameter vector θ.

wie die Trainingsdaten die Abweichung zwischen den wahren Kategorien und den vorhergesagten Kategorien bestrafen.The top layer specifies the risk function (loss function) $:{ℝ}^{n_L}\to {\left[0.1\right]}^M$

how the training data punish the discrepancy between the true categories and the predicted categories.

Different risk functions are used for different tasks [ZGF + 16, GBC16, VBG + 17]. For example, the Softmax function is used to predict a single category from M mutually exclusive categories, so Softmax returns a single value. The sigmoid cross entropy function is used to determine the probabilities of belonging to M categories, so the cross entropy function provides a probability distribution.

Like almost all other neural networks, they are learned with a version of the back propagation algorithm [GBC16].

The selection of the activation function is an important design question that has a significant impact on the overall performance. The most important activation function is the rectified linear unit (ReLU): $$G\left(a\right):=\text{Max}\left\{\mathrm{0,}a\right\}.$$

One of our initial ideas is the consideration of equivalence classes, which are induced in the n-dimensional vector space X of the input data (images) by identifying points with the same activation profile when propagating over the network.

• • 0, wenn die Aktivierungsfunktion 0 liefert;
• • 1, wenn die Aktivierungsfunktion einen positiven Wert liefert.

For example, for ReLU we can define the following activation states:

• • 0 if the activation function returns 0;
• • 1 if the activation function delivers a positive value.

wobei s_{k,k i} den Aktivierungszustand des k_i-en Neurons in der k-ten Schicht und L die Gesamtanzahl der Schichten bezeichnet
Auf diese Weise erhalten wir folgende Äquivalenzrelation $$x_1\sim x_2:\iff d_F\left(c\left(x_1\right),c\left(x_2\right)\right)=\mathrm{0,}$$

wobei d_F eine beliebige Distanzfunktion im Raum der Sequenzen der Aktivierungszustände bezeichnet, beispielsweise die Hammingdistanz.
x₁ ~ x₂ ist eine Äquivalenzrelation, da aus d_F(c(x₁),c(x₂)) = 0 und d_F(c(x₂),c(x₃)) = 0 mittels der Dreiecksungleichung der Distanzfunktion d_F folgt: d_F(c(x₁),c(x₃)) = 0. Somit folgt aus x₁ ~ x₂ und x₂ ~ x₃ die Beziehung x₁~x₃. Wir bezeichnen mit [x̃] die Äquivalenzklasse mit Repräsentanten x̃ ∈ ℝⁿ.We now number the neurons (lines in the respective weight matrices) in layers. In this way we get a sequence of activation states $$c\left(x\right)={\left(s_k{,}_{k_i}\right)}_{k=\mathrm{1,...,}L,k_i=\mathrm{1,...,}{k}_n}$$

where s _{k, k i} denotes the activation state of the k _i neuron in the k th layer and L denotes the total number of layers
In this way we get the following equivalence relation $$x_1\sim x_{\mathrm{2nd}}:\iff d_F\left(c\left(x_1\right),c\left(x_{\mathrm{2nd}}\right)\right)=\mathrm{0,}$$

where d _F denotes any distance function in the space of the sequences of the activation states, for example the Hamming distance.
x ₁ ~ x ₂ is an equivalence relation, since from d _F (c (x ₁ ), c (x ₂ )) = 0 and d _F (c (x ₂ ), c (x ₃ )) = 0 by means of the triangle inequality of Distance function d _F follows: d _F (c (x ₁ ), c (x ₃ )) = 0. Hence x ₁ ~ x ₂ and x ₂ ~ x _{3 result in} the relationship x ₁ ~ x ₃ . We denote by [x̃] the equivalence class with representatives x̃ ∈ ℝ ⁿ .

• Zunächst definieren wir den binären Aktivierungsstatus (z₀ = x̃ ∈ ℝⁿ, z_k = g ◦ f_k(z_k-1) ∈ ℝ^{n k} )

$${\beta }_{k_i}^{\left(k\right)}:=\{\begin{array}{c}1\dots {\text{unit k}}_i{\text{ on for z}}_{k-1}\\ 0\dots {\text{unit k}}_i{\text{ off for z}}_{k-1}\end{array}$$

und den polaren Aktivierungsstatus ${\pi }_{k_i}^{\left(k\right)}:=2{\beta }_{k_i}^{\left(k\right)}-1\in \left\{-\mathrm{1,1}\right\}.$

The idea and invention is now to determine these equivalence classes in the following way:

• First we define the binary activation status (z ₀ = x̃ ∈ ℝ ⁿ , z _k = g ◦ f _k (z _k-1 ) ∈ ℝ ^{n k} )

$${\beta }_{k_i}^{\left(k\right)}:=\{\begin{array}{c}1...{\text{unit k}}_i{\text{on for z}}_{k-1}\\ 0...{\text{unit k}}_i{\text{off for z}}_{k-1}\end{array}$$

and the polar activation status ${\pi }_{k_i}^{\left(k\right)}:=\mathrm{2nd}{\beta }_{k_i}^{\left(k\right)}-1\in \left\{-1.1\right\}.$

und $$Q_{\beta }^{\left(k\right)}:=\text{Diag}\left[{\beta }_1^{\left(k\right)},\dots ,{\beta }_{k_n}^{\left(k\right)}\right].$$

We use this to define the following diagonal matrices $$Q_{\pi }^{\left(k\right)}:=\text{Diag}\left[{\pi }_1^{\left(k\right)},...,{\pi }_{k_n}^{\left(k\right)}\right]$$

and $$Q_{\beta }^{\left(k\right)}:=\text{Diag}\left[{\beta }_1^{\left(k\right)},...,{\beta }_{k_n}^{\left(k\right)}\right].$$

wobei $$W_{\tilde{x}}^{\left(k\right)}:=Q_{\pi }^{\left(k\right)}{W}_k{\displaystyle \prod _{j=1}^{k-1}{Q}_{\beta }^{\left(j\right)}{W}_j},$$

$$b_{\tilde{x}}^{\left(k\right)}:=Q_{\pi }^{\left(k\right)}{W}_k{\displaystyle \sum _{i=1}^{k-1}\left({\displaystyle \prod _{j=i+1}^{k-1}{Q}_{\beta }^{\left(j\right)}{W}_j}\right)Q_{\beta }^{\left(i\right)}{b}_i+Q_{\pi }^{\left(k\right)}{b}_k}.$$

It can now be shown that [x̃] is determined by the following system of linear inequalities $$x\in \left[\tilde{x}\right]\iff W_{\tilde{x}}^{\left(k\right)}x+b_{\tilde{x}}^{\left(k\right)}\ge \mathrm{0,}k=\mathrm{1,}...,L$$

in which $$W_{\tilde{x}}^{\left(k\right)}:=Q_{\pi }^{\left(k\right)}{W}_k{\displaystyle \prod _{j=1}^{k-1}{Q}_{\beta }^{\left(j\right)}{W}_j},$$

$$b_{\tilde{x}}^{\left(k\right)}:=Q_{\pi }^{\left(k\right)}{W}_k{\displaystyle \sum _{i=1}^{k-1}\left({\displaystyle \prod _{j=i+1}^{k-1}{Q}_{\beta }^{\left(j\right)}{W}_j}\right)Q_{\beta }^{\left(i\right)}{b}_i+Q_{\pi }^{\left(k\right)}{b}_k}.$$

Equation 2 above demonstrates the geometric characterization of the cells across all layers, i.e. k = 1, ..., L.

If you only carry out these steps up to an intermediate layer k * ∈ {1, ..., L}, you get a coarser breakdown into cells. In this way, a coarse-to-fine analysis can be carried out.

These inequalities now make it possible to determine the minimum distance d _{0 of} an input image x̃ to the nearest cell [x̃ '] with a different classification, F _θ (x̃) ≠ F _θ (x̃'). d ₀ provides information about the integrity of the input image.

The approach according to the invention is not based on the bound propagation of approximating circumscribing bodies, but on the calculation of a lower distance barrier d ₀ .

These inequalities can now be used to calculate certain distances that provide information about the integrity of an input image. For this purpose, the determined distances are compared with the respective limit values in the distance mentioned in the claim.

• Sollten beim Trainieren äquivalente Punkte jedoch tatsächlich zu unterschiedlichen Kategorien gehören, so gibt dieser Anteil δ∈[0,1] der inkonsistenten Klassifikationen eine Maßzahl k = 1 - δ für die Konsistenz und somit Zuverlässigkeit des Klassifikators an; eine solche Maßzahl für die Konsistenz bzw. Inkonsistenz kann auch mittels Maßen der Informationstheorie modelliert werden, etwa als bedingte Entropie von F_θ(x) bei gegebenem code code(x) bzw. dessen zu erwartender Wert auf Basis einer Sampling Verteilung für die Auswahl der Test-Inputbilder x. Das Inkonsistenzmaß liefert jedenfalls den Wert 0, wenn alle Punkte in einer Zelle zur gleichen Klasse gehören.

Inconsistency measure:

• If, however, equivalent points actually belong to different categories during training, this proportion δ∈ [0.1] of the inconsistent classifications indicates a measure k = 1 - δ for the consistency and thus reliability of the classifier; Such a measure of consistency or inconsistency can also be modeled using measures of information theory, e.g. as a conditional entropy of F _θ (x) for a given code code (x) or its expected value based on a sampling distribution for the selection of the Test input images x. In any case, the inconsistency measure returns the value 0 if all points in a cell belong to the same class.

Lower distance barrier for ReLU networks as a measure of the robustness against adversary attacks:

wobei B_ρ(x̃) = {x | d(x,x̃) ≤ ρ} die Norm-Kugel um x̃ mit Radius ρ > 0 und Distanzfunktion d darstellt. Wir verwenden hier die Euklidische Distanz: $d\left(x,\tilde{x}\right)=\sqrt{{\displaystyle {\sum }_{i=1}^n{\left(x_i-{\tilde{x}}_i\right)}^2}}.$

We determine a lower distance barrier as follows. The idea is to determine a limit ρ: = d _x̃ for an input image x̃ ∈ ℝ ^{n in} such a way that it can be guaranteed that for all images x ∈ ℝ ⁿ with less deviation from x̃ ∈ ℝ ⁿ than ρ: = d _x̃ the DNN system delivers the same decision, that is $$\forall x\in B_{\rho }\left(\tilde{x}\right)\Rightarrow F_{\theta }\left(\tilde{x}\right)=F_{\theta }\left(x\right)$$

where B _ρ (x̃) = {x | d (x, x̃) ≤ ρ} represents the norm sphere around x̃ with radius ρ> 0 and distance function d. We use the Euclidean distance here: $d\left(x,\tilde{x}\right)=\sqrt{{\displaystyle {\sum }_{i=1}^n{\left(x_i-{\tilde{x}}_i\right)}^{\mathrm{2nd}}}}.$

• (1) Festlegen einer Sicherheitsschwelle ε₀;
• (2) Berechnen der binären und polaren Aktivierungszustände für x̃;
• (3) Berechnen der Matrizen $W_{\tilde{x}}^{\left(k\right)}$
  
  und Bias Vektoren $b_{\tilde{x}}^{\left(k\right)}$
  
  gemäß Gleichung (2) und den binären und polaren Aktivierungszuständen;
• (4) Berechnen die minimale Distanz d₀(x̃) =: d(x̃,∂[x̃]) von x̃ zum Rand ∂[x̃] seiner Äquivalenzklasse [x̃]bzgl. der Euklidischen Distanz; Diese Berechnung erfolgt nach Stand der Technik durch Berechnung der Punkt-zu-Hyperebene Abstände zwischen x̃ und jenen Hyperebenen, die sich durch die jeweiligen Reihen in der Gewichtsmatrix in Gleichung (3) als Normalvektoren gegeben sind;
• (5) Als Ergebnis erhält man eine Liste von Distanzen mit den jeweiligen Hyperebeneben, die durch die Normalvektoren samt Versatz (korrespondierende Komponente des Biasvektors) gegeben sind;
• (6) Berechnen der minimalen Distanz aus dieser Liste: d0(x̃);
• (7) Wenn d₀(x̃) ≥ ε₀, dann stoppt das Verfahren und es wurde eine untere Distanzschranke, nämlich d₀(x̃) gefunden;
• (8) wenn d₀(x̃) ≥ ε₀ nicht erfüllt ist, so wird die Analyse wie folgt verfeinert:
  • • Bestimme den Basispunkt P der nächstgelegenen Hyperebene (mit normierten Normalvektor w) zu x̃; (P ist die Projektion von x̃ auf jene Seitenfläche von [x̃], die x̃ am nächsten gelegen ist);
  • • Eruiere F_θ(p+εw) für ε < ε₀.
  • • Wenn F_θ(p + εw) ≠ F_θ(x̃), dann stoppt das Verfahren und es kann keine minimale unter Distanzschranke gefunden werden; damit ist bewiesen, dass aus x̃ mittels Überlagerung eines Störungsbildes Δ ein Bild x̃' = x̃ + Δ ∈ B_{ε 0} (x̃) generiert werden kann, dass zu einer anderen Klassifikation führt, also F_θ(x̃) ≠ F_θ(x̃'). x̃ ist somit ein Kandidat für eine adversielle Attacke;
  • • Wenn F_θ(p + εw) = F_θ(x̃), dann kann das Verfahren wie folgt verfeinert werden:
    • ◯ streichen jenes Neurons mit der Gewichtsreihe w aus der Liste (bzw auf Null setzen) und das Verfahren (2)-(7) erneut anwenden;

The procedure for determining the lower distance barrier ρ: = d _x̃ for the input image x̃ is now

• (1) Setting a security threshold ε ₀ ;
• (2) computing the binary and polar activation states for x̃;
• (3) Calculate the matrices $W_{\tilde{x}}^{\left(k\right)}$
  
  and bias vectors $b_{\tilde{x}}^{\left(k\right)}$
  
  according to equation (2) and the binary and polar activation states;
• (4) Calculate the minimum distance d ₀ (x̃) =: d (x̃, ∂ [x̃]) from x̃ to the edge ∂ [x̃] of its equivalence class [x̃] with respect to the Euclidean distance; According to the prior art, this calculation is carried out by calculating the point-to-hyperplane distances between x̃ and those hyperplanes which are given by the respective rows in the weight matrix in equation (3) as normal vectors;
• (5) The result is a list of distances with the respective hyperplane levels, which are given by the normal vectors including the offset (corresponding component of the bias vector);
• (6) Calculate the minimum distance from this list: d0 (x̃);
• (7) If d ₀ (x̃) ≥ ε ₀ , the process stops and a lower distance barrier, namely d ₀ (x̃), has been found;
• (8) if d ₀ (x̃) ≥ ε _{0 is} not satisfied, the analysis is refined as follows:
  • • Determine the base point P of the closest hyperplane (with normalized normal vector w) to x̃; (P is the projection of x̃ on that side surface of [x̃] which is closest to x̃);
  • • Find F _θ (p + εw) for ε <ε ₀ .
  • • If F _θ (p + εw) ≠ F _θ (x̃), then the process stops and no minimum distance barrier can be found; This proves that x̃ by superimposing an interference pattern Δ becomes an image x̃ '= x̃ + Δ ∈ B _{ε 0} (x̃) can be generated that leads to a different classification, i.e. F _θ (x̃) ≠ F _θ (x̃ '). x̃ is therefore a candidate for an adversary attack;
  • • If F _θ (p + εw) = F _θ (x̃), the procedure can be refined as follows:
    • ◯ delete that neuron with the weight series w from the list (or set to zero) and use the procedure (2) - (7) again;

If a lower bound can be found in this way, then x̃ with regard to the specification ε _{0 is} not at risk (with probability κ). If no lower bound can be found in this way, an adversive attack, namely F _θ (p + εw), can definitely be constructed.

In contrast to M. Hein and M. Andriushchenko, "Formal Guarantees on the Robustness of a Classifier against Adversarial Manipulation", 31st Conference on Neural Information Processing Systems, NIPS 2017, our procedure does not require any differentiability and can be used on deep networks apply any number of layers.

2nd further illustrates the equivalence of determining a first distance 11 between a first image value 5 and a range limit 10th and determining the position of the first image value 5 within the value range 7 and determining whether the first image value 5 in a first partial area 13 is.

The determination of the position of the first pixel 5 within the range of values also implies the calculation of the first distance 11 to an area boundary 10th or is this first distance 11 slightly from the position of the first pixel 5 and the range limit 10th determinable.

By determining whether a first pixel 5 within a sub-area 13 is positioned, it can also be determined whether the first pixel 5 a defined distance from the area boundary 10th having. This includes that the first section 13 is at a minimum distance from the area boundary.

Claims (4)

Computer-implemented method for evaluating object image data of an object in a multi-stage method comprising a plurality of evaluation levels, an image value of the object image data being compared with a value range in a evaluation level, which value range is defined by range boundaries, characterized in that at least one distance of at least one evaluation level Image value and / or an image value superimposed with a weighting function for an area limit of the area limits is determined. Procedure according to Claim 1 , characterized in that the distance is compared with a limit value. Procedure according to one of the Claims 1 to 2nd , characterized in that the area limits are defined by a user. Procedure according to one of the Claims 1 to 3rd , characterized in that at least a distance of the image value and / or of the image value superimposed by a weighting function to an area boundary of the area limits is determined in several assessment levels, a coding comprising the distance information about the determined distances of the individual assessment levels being created.

Images