KR102441490B1 - Method and system for generating adversarial pattern on image - Google Patents

Abstract

The present disclosure is a method for generating an adversarial attack pattern performed by at least one processor. The method for generating the adversarial attack pattern includes the steps of: preparing an attack pattern; outputting an attack pattern rendering image based on an attack target image and the attack pattern by means of a neural rendering model; and causing the malfunction of the attack target model by inputting the attack pattern rendering image to the attack target model.

Description

Method and system for generating hostile attack patterns

The present disclosure relates to a method and system for generating a hostile attack pattern, and more particularly, to a method and system for generating a three-dimensional hostile attack pattern based on neural rendering.

An adversarial attack refers to an attack that deceives a machine learning model by providing deceptive input. Adversarial attacks refer to attacks that manipulate input data to cause machine learning models to malfunction. For example, in a hostile attack, if an image of a hostile attack is created by adding intentional noise to a picture of a panda, and this is input to a machine learning model, say the process

Looking at the hostile attack execution method, hostile attacks that manipulate input data may be largely divided into perturbation, patch, and pattern methods. The perturbation method may be performed by adding a minute noise to the input image to attack. The patch method may be performed by attaching a specific patch to an object existing in the input image to attack. The pattern method may be performed by rendering a specific pattern repetitively on the surface of a 3D object and attacking it.

The disturbance and patch method is a method applied to a two-dimensional image, and when applied to a three-dimensional object, it can be applied only to a part of the object, such as a plane. On the other hand, the pattern method can attack regardless of the position and viewing angle of the object.

The hostile attack type may include a white-box attack and a black-box attack. The white box attack must be differentiable from the input stage to the output stage of the attack model in a situation where all information (eg, model structure, parameters, etc.) of the attack target model is known. On the other hand, the black box attack is possible in a situation where the information of the attack target model is unknown. In general, white box attack performance can be better than black box attack. However, the pattern method among hostile attacks may be limited to a black box attack due to the characteristics of rendering. Since the general rendering technique is non-differentiable, only a black box attack can be performed.

The present disclosure provides a method for generating a hostile attack pattern, a computer program stored in a recording medium, and an apparatus (system) for solving the above problems.

The present disclosure may be implemented in various ways including a method, an apparatus (system), or a computer program stored in a readable storage medium.

According to an embodiment of the present disclosure, the method for generating a hostile attack pattern, executed by at least one processor, includes preparing an attack pattern, rendering the attack pattern based on the attack target image and the attack pattern by a neural rendering model outputting an image, and inputting an attack pattern rendering image to the attack target model to cause a malfunction of the attack target model.

According to an embodiment of the present disclosure, outputting the attack pattern rendering image based on the attack target image and the attack pattern by the neural rendering model includes, by the neural rendering model, the attack including the attack pattern in the attack target image. It may include mapping to a texture of the target object.

According to an embodiment of the present disclosure, the step of outputting the attack pattern rendering image based on the attack target image and the attack pattern by the neural rendering model includes an auto-encoder-based transformation feature extractor, It may include extracting a transformation feature from the target image, and generating an attack pattern rendering image from the transformation feature by an attack pattern converter capable of complex operation between images.

According to an embodiment of the present disclosure, the step of generating the attack pattern rendering image from the transformation feature by the attack pattern converter capable of complex operation between images includes subtracting the transformation feature from the attack pattern and then using a rectified linear function (ReLU) applying a first image to generate a first image, adding a transform feature to the first image to generate a second image, multiplying the second image by a transform feature to produce a third image, and adding the transform feature to the third image It may include generating an attack pattern rendering image by applying a rectifying linear function after multiplication.

According to an embodiment of the present disclosure, the method includes the steps of learning the neural rendering model so that the attack target image and the attack pattern are input, and the neural rendering model maps the attack pattern to the texture of the attack target object included in the attack target image. may include more.

According to an embodiment of the present disclosure, the artificial neural network learning method for generating a hostile attack pattern rendering image, which is executed by at least one processor, is a neural rendering image by inputting an attack target image and an attack pattern as an input by a neural rendering model. inferring, generating, by the graphics engine, an attack target image and an attack pattern as input, a graphics engine rendering image, and a neural rendering model such that a loss function for a difference between the neural rendering image and the graphics engine rendering image is minimized. It includes the step of learning.

According to an embodiment of the present disclosure, the step of inferring the neural rendering image by inputting the attack target image and the attack pattern as an input by the neural rendering model is an auto-encoder-based transformation feature extractor, the attack target It may include extracting a transformation feature from the image, and generating a neural rendering image from the transformation feature by an attack pattern converter capable of complex operation between images.

According to an embodiment of the present disclosure, the step of generating a neural rendering image from a transform feature by an attack pattern converter capable of complex operation between images includes subtracting a transform feature from an attack pattern and then applying a rectified linear function (ReLU) to generate a first image, generating a second image by adding a transform feature to the first image, multiplying the second image by a transform feature to generate a third image, and multiplying the third image by a transform feature The method may include generating a neural rendering image by applying a post-rectified linear function.

According to an embodiment of the present disclosure, generating, by the graphic engine, the graphic engine rendering image by inputting the attack target image and the attack pattern as an input, includes, by the graphic engine, the texture of the attack target object included in the attack target image. It may include generating a graphics engine rendered image by applying an attack pattern.

According to an embodiment of the present disclosure, the step of learning the neural rendering model so that the loss function for the difference between the neural rendering image and the graphics engine rendering image is minimized comprises: binary cross entropy ( It may include learning the neural rendering model so that the loss function defined based on BCE: Binary Cross-Entropy is minimized.

A hostile attack pattern generating system according to an embodiment of the present disclosure includes a communication module, a memory, and at least one processor connected to the memory and configured to execute at least one computer-readable program included in the memory, at least One program prepares an attack pattern, outputs the attack pattern rendering image based on the attack target image and the attack pattern by the neural rendering model, and inputs the attack pattern rendering image to the attack target model, thereby causing malfunction of the attack target model contains one or more instructions to trigger

According to an embodiment of the present disclosure, outputting the attack pattern rendering image based on the attack target image and the attack pattern by the neural rendering model includes, by the neural rendering model, the attack target included in the attack target image. This may include mapping to an object's texture.

According to an embodiment of the present disclosure, the neural rendering model generates an auto-encoder-based transformation feature extractor for extracting transformation features from an attack target image, and an attack pattern rendering image from transformation features It may include an attack pattern converter that executes complex operations between images to do so.

According to an embodiment of the present disclosure, the attack pattern converter generates a first image by applying a rectified linear function (ReLU) after subtracting a transform feature from the attack pattern, and adds a transform feature to the first image to obtain a second image and generating a third image by multiplying the second image by the transform feature, multiplying the third image by the transform feature, and then applying a rectified linear function to generate an attack pattern rendering image.

According to an embodiment of the present disclosure, at least one program learns the neural rendering model so that the attack target image and the attack pattern are input, and the neural rendering model maps the attack pattern to the texture of the attack target object included in the attack target image. It may further include one or more instructions for doing.

According to an embodiment of the present disclosure, learning the neural rendering model to map the attack pattern to the texture of the attack target object included in the attack target image by inputting the attack target image and the attack pattern as an input is the neural rendering model. inferring a neural rendered image by inputting an attack target image and an attack pattern by the graphics engine, generating a graphics engine rendering image by inputting the attack target image and an attack pattern by a neural rendering image and a graphics engine It may include training the neural rendering model so that the loss function for the difference between the rendered images is minimized.

According to an embodiment of the present disclosure, the training of the neural rendering model so that the loss function for the difference between the neural rendering image and the graphics engine rendering image is minimized is the binary cross entropy (BCE) between the neural rendering image and the graphics engine rendering image : It may include learning the neural rendering model so that the loss function defined based on Binary Cross-Entropy is minimized.

In order to execute the method for generating a hostile attack pattern according to an embodiment of the present disclosure in a computer, the computer program stored in the computer-readable recording medium includes the steps of preparing an attack pattern, the attack target image and the attack pattern by the neural rendering model. outputting an attack pattern rendering image based on the one or more instructions for executing the step of causing a malfunction of the attack target model by inputting the attack pattern rendering image to the attack target model.

According to an embodiment of the present disclosure, the step of outputting the attack pattern rendering image based on the attack target image and the attack pattern by the neural rendering model includes an auto-encoder-based transformation feature extractor, It may include extracting a transformation feature from the target image, and generating an attack pattern rendering image from the transformation feature by an attack pattern converter capable of complex operation between images.

According to an embodiment of the present disclosure, the step of generating the attack pattern rendering image from the transformation feature by the attack pattern converter capable of complex operation between images includes subtracting the transformation feature from the attack pattern and then using a rectified linear function (ReLU) applying a first image to generate a first image, adding a transform feature to the first image to generate a second image, multiplying the second image by a transform feature to produce a third image, and adding the transform feature to the third image It may include generating an attack pattern rendering image by applying a rectifying linear function after multiplication.

According to some embodiments of the present disclosure, an attack pattern may be applied to a surface of a 3D object included in an attack target image.

According to some embodiments of the present disclosure, it is possible to make attacks possible regardless of the position and viewing angle of the object, compared to the conventional hostile attack techniques such as disturbance and patching.

According to some embodiments of the present disclosure, a white box attack may be made possible by applying a neural rendering technique.

According to some embodiments of the present disclosure, attack performance may be improved compared to a conventional black box-based pattern attack method.

According to some embodiments of the present disclosure, by performing the process of generating an attack pattern with improved attack performance, it can be efficiently utilized to implement a technology to cope with artificial intelligence security vulnerabilities in the future.

The effect of the present disclosure is not limited to the above-mentioned effects, and other effects not mentioned are clear from the description of the claims to those of ordinary skill in the art (referred to as "person of ordinary skill") will be able to understand

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiments of the present disclosure will be described with reference to the accompanying drawings described below, wherein like reference numerals denote like elements, but are not limited thereto.
1 is a diagram illustrating a procedure for generating and utilizing a hostile attack pattern according to an embodiment of the present disclosure.
2 is a block diagram illustrating an internal configuration of a system for generating a hostile attack pattern according to an embodiment of the present disclosure.
3 is a diagram illustrating a configuration of a processor of a hostile attack pattern generation system according to an embodiment of the present disclosure.
4 is a diagram illustrating a configuration of an artificial neural network executed by a processor of a hostile attack pattern generation system according to an embodiment of the present disclosure.
5 is a diagram illustrating an internal structure of a neural rendering model according to an embodiment of the present disclosure.
6 is a diagram illustrating a learning method of an artificial neural network executed by a processor of a hostile attack pattern generation system according to an embodiment of the present disclosure.
7 is a flowchart illustrating a method for generating a hostile attack pattern according to an embodiment of the present disclosure.
8 is a flowchart illustrating an artificial neural network learning method for generating an adversarial pattern rendering image according to an embodiment of the present disclosure.

Hereinafter, specific contents for carrying out the present disclosure will be described in detail with reference to the accompanying drawings. However, in the following description, if there is a risk of unnecessarily obscuring the gist of the present disclosure, detailed descriptions of well-known functions or configurations will be omitted.

In the accompanying drawings, identical or corresponding components are assigned the same reference numerals. In addition, in the description of the embodiments below, overlapping description of the same or corresponding components may be omitted. However, even if description regarding components is omitted, it is not intended that such components are not included in any embodiment.

Advantages and features of the disclosed embodiments, and methods of achieving them, will become apparent with reference to the embodiments described below in conjunction with the accompanying drawings. However, the present disclosure is not limited to the embodiments disclosed below, but may be implemented in various different forms, and only the present embodiments allow the present disclosure to be complete, and the present disclosure provides those skilled in the art with the scope of the invention. It is provided for complete information only.

Terms used in this specification will be briefly described, and the disclosed embodiments will be described in detail. The terms used in the present specification have been selected as currently widely used general terms as possible while considering the functions in the present disclosure, but these may vary depending on the intention or precedent of a person skilled in the art, the emergence of new technology, and the like. In addition, in a specific case, there is a term arbitrarily selected by the applicant, and in this case, the meaning will be described in detail in the description of the corresponding invention. Therefore, the terms used in the present disclosure should be defined based on the meaning of the term and the contents of the present disclosure, rather than the simple name of the term.

Expressions in the singular herein include plural expressions unless the context clearly dictates the singular. Also, the plural expression includes the singular expression unless the context clearly dictates the plural. In the entire specification, when a part includes a certain component, this means that other components may be further included, rather than excluding other components, unless otherwise stated.

In addition, the term 'module' or 'unit' used in the specification means a software or hardware component, and 'module' or 'unit' performs certain roles. However, 'module' or 'unit' is not meant to be limited to software or hardware. A 'module' or 'unit' may be configured to reside on an addressable storage medium or may be configured to reproduce one or more processors. Thus, as an example, a 'module' or 'unit' refers to components such as software components, object-oriented software components, class components, and task components, and processes, functions, and properties. , procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, database, data structures, tables, arrays or at least one of variables. Components and 'modules' or 'units' are the functions provided within are combined into a smaller number of components and 'modules' or 'units' or additional components and 'modules' or 'units' can be further separated.

According to an embodiment of the present disclosure, a 'module' or a 'unit' may be implemented with a processor and a memory. 'Processor' should be construed broadly to include general purpose processors, central processing units (CPUs), microprocessors, digital signal processors (DSPs), controllers, microcontrollers, state machines, and the like. In some contexts, a 'processor' may refer to an application specific semiconductor (ASIC), a programmable logic device (PLD), a field programmable gate array (FPGA), or the like. 'Processor' refers to a combination of processing devices, such as, for example, a combination of a DSP and a microprocessor, a combination of a plurality of microprocessors, a combination of one or more microprocessors in combination with a DSP core, or any other such configurations. You may. Also, 'memory' should be construed broadly to include any electronic component capable of storing electronic information. 'Memory' means random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), programmable read-only memory (PROM), erase-programmable read-only memory (EPROM); may refer to various types of processor-readable media, such as electrically erasable PROM (EEPROM), flash memory, magnetic or optical data storage, registers, and the like. A memory is said to be in electronic communication with the processor if the processor is capable of reading information from and/or writing information to the memory. A memory integrated in the processor is in electronic communication with the processor.

In the present disclosure, a 'system' may include at least one of a server device and a cloud device, but is not limited thereto. For example, a system may consist of one or more server devices. As another example, a system may consist of one or more cloud devices. As another example, the system may be operated with a server device and a cloud device configured together.

In this disclosure, a 'display' may refer to any display device associated with a computing device, for example, any display device that is controlled by or capable of displaying any information/data provided from the computing device. can refer to

In the present disclosure, 'each of a plurality of A' or 'each of a plurality of A' may refer to each of all components included in the plurality of As or may refer to each of some components included in the plurality of As. .

1 is a diagram illustrating a procedure for generating and utilizing a hostile attack pattern according to an embodiment of the present disclosure. In an embodiment, the hostile attack pattern generating system 120 may receive an attack target image 110 and an attack pattern 112 . For example, the attack target image 110 may include a 3D object to be recognized by the object detection model. When the object detection model is included in the autonomous vehicle, a vehicle, a pedestrian, etc. that the object detection model generally recognizes may be included.

The hostile attack pattern generating system 120 may output the attack pattern rendering image 130 based on the attack target image 110 and the attack pattern 112 by the neural rendering model. Here, the output attack pattern rendering image 130 may be converted into an input image input to the object detection model 150 , and the attack pattern rendering image 140 may be input to the object detection model 150 . For example, when the target to be detected by the object detection module 150 included in the autonomous vehicle is a vehicle, the attack target image 110 including the vehicle is rendered as an attack pattern through the hostile attack pattern generating system 120 . It may be output as the image 130 and converted into an input image input to the object detection model 150 . Neural Rendering is the explicit or implicit of scene properties such as illumination, camera parameters, pose, geometry, appearance, semantic structure, etc. An approach to creating a deep image or video that enables control. Neural rendering is a rendering technique using machine learning technology, and is differentiable compared to conventional rendering technology.

The attack pattern rendering image 140 may cause a malfunction of the object detection model 150 by being input to the object detection model 150 which is an attack target model. Here, the object detection model 150 may be an attack target model. The attack target model can be a classification model that classifies the type of image or an object detection model that detects an object in the image. For example, the image classification model may be a Convolution Neural Network (CNN), and the object detection model may be a Regions with Convolutional Neuron Networks features (R-CNN) model, a You Only Look Once (YOLO) model, or the like. For example, the object detection model 150 may be included in an autonomous vehicle and driven.

In addition, the object detection model 150, which is an attack target model, may receive an attack pattern rendering image 140 including a vehicle, detect the object, and output a result of misrecognition of the object 160 . For example, the object detection model 150, which is an attack target model, detects a car with a 90% probability from the attack target image 110 including a car before applying the attack pattern 112, whereas an attack with a car A vehicle on the attack pattern rendering image 140 may be misrecognized by detecting it as a vehicle with a 20% probability from the pattern rendering image 140 . As such, the object detection model 150 that detects a car well with a high probability in a general image including a car may not properly detect a car in the attack pattern rendering image 140 including the same car.

2 is a block diagram illustrating an internal configuration of the hostile attack pattern generating system 120 according to an embodiment of the present disclosure. The hostile attack pattern generation system 120 may store, provide, and execute a computer executable program (eg, a downloadable application) and data for inducing a malfunction of the object detection model through generation of a hostile attack pattern rendering image. It may include one or more computing devices and/or databases, or one or more distributed computing devices and/or distributed databases based on cloud computing services.

As shown, the hostile attack pattern generating system 120 may include a memory 210 , a processor 220 , a communication module 230 , and an input/output interface 240 . The memory 210 may include any non-transitory computer-readable recording medium. According to one embodiment, the memory 210 is a non-volatile mass storage device such as random access memory (RAM), read only memory (ROM), disk drive, solid state drive (SSD), flash memory, etc. mass storage device). As another example, a non-volatile mass storage device such as a ROM, SSD, flash memory, disk drive, etc. may be included in the hostile attack pattern generating system 120 as a separate persistent storage device distinct from the memory. Also, the memory 210 may store an operating system and at least one program code.

These software components may be loaded from a computer-readable recording medium separate from the memory 210 . Such a separate computer-readable recording medium may include a recording medium directly connectable to the hostile attack pattern generating system 120, for example, a floppy drive, a disk, a tape, a DVD/CD-ROM drive, a memory It may include a computer-readable recording medium such as a card. As another example, the software components may be loaded into the memory 210 through a communication module rather than a computer-readable recording medium. For example, the at least one program may be loaded into the memory 210 based on a computer program installed by files provided through a network by developers or a file distribution system for distributing installation files of applications.

The processor 220 may be configured to process instructions of a computer program by performing basic arithmetic, logic, and input/output operations. The instructions may be provided to the processor 220 by the memory 210 or the communication module 230 . For example, the processor 220 may be configured to execute a received instruction according to program code stored in a recording device such as the memory 210 .

The communication module 230 may provide a configuration or function for the hostile attack pattern generating system 120 to communicate with another computing device or another system (eg, a separate cloud system). For example, through the communication module 230 , the hostile attack pattern generating system 120 is an attack target image that is the original data required for learning the artificial neural network model from another computing device or another system (eg, a separate cloud system, etc.) and receiving a plurality of learning data (eg, car image, pedestrian image, etc.) sensed at a predetermined movement interval of the autonomous vehicle through at least one sensor installed in the autonomous vehicle or receiving the attack pattern, or learning data Learning data may be received from the database DB. As another example, through the communication module 230 , the hostile attack pattern generating system 120 may transmit the generated attack pattern rendering image to another device and/or system.

The input/output interface 240 of the hostile attack pattern generation system 120 is connected to the hostile attack pattern generation system 120 or a device (not shown) for input or output that the hostile attack pattern generation system 120 may include. It may be a means for an interface. Although the input/output interface 240 is illustrated as an element configured separately from the processor 220 in FIG. 2 , the present invention is not limited thereto, and the input/output interface 240 may be configured to be included in the processor 220 . In an embodiment, the input/output interface 240 may output the generated attack pattern rendering image. The user checks the attack pattern rendering image output through the input/output interface 240, and inputs information on whether to reflect the attack pattern rendering image in the main detection area in the image that is the object detection target again through the input/output interface 240 can do. The hostile attack pattern generating system 120 may include more components than those of FIG. 2 . However, there is no need to clearly show most of the prior art components.

The processor 220 of the hostile attack pattern generation system 120 may be configured to manage, process, and/or store information and/or data received from a plurality of computing devices and/or a plurality of external systems. In an embodiment, the processor 220 may prepare an attack pattern and output an attack pattern rendering image based on the attack target image and the attack pattern by the neural rendering model. Also, the processor 220 may cause a malfunction of the attack target model by inputting the attack pattern rendering image into the attack target model.

Additionally, the processor 220 may infer a neural rendering image by inputting an attack target image and an attack pattern by the neural rendering model. In addition, the processor 220 may generate a graphic engine rendering image by inputting an attack target image and an attack pattern by the graphic engine. Subsequently, the processor 220 may learn the neural rendering model so that the loss function for the difference between the neural rendering image and the graphics engine rendering image is minimized.

3 is a diagram illustrating the configuration of the processor 220 of the hostile attack pattern generation system according to an embodiment of the present disclosure. In an embodiment, the processor 220 may include a data input unit 310 , an artificial neural network model learning unit 320 , and a graphic engine 330 .

The processor 220 is connected to the learning data DB 350 . The training data DB 350 may store training data for learning the artificial neural network model. The training data may include at least one attack target image and an attack pattern related to a process of generating an attack pattern rendering image performed by the processor 220 .

In an embodiment, the data input unit 310 may receive an attack target image and an attack pattern as training data from the training data DB 350 .

The artificial neural network model learning unit 320 may include a neural rendering model. The artificial neural network model learning unit 320 may infer a neural rendering image by inputting an attack target image and an attack pattern received through the data input unit 310 .

In addition, the graphic engine 330 may generate a graphic engine rendering image by inputting an attack target image and an attack pattern as inputs.

Thereafter, the artificial neural network model learning unit 320 may learn the neural rendering model so that the loss function for the difference between the neural rendering image and the graphic engine rendering image is minimized.

4 is a diagram illustrating a configuration of an artificial neural network executed by a processor of a hostile attack pattern generation system according to an embodiment of the present disclosure. In one embodiment, the artificial neural network may be performed by a processor (eg, at least one processor of the hostile attack pattern generation system). The artificial neural network may be implemented as a neural rendering model. The neural rendering model 420 may be configured to receive an attack target object image 410 and an attack pattern 412 and output an attack pattern rendering image 430 . As shown, in the artificial neural network, the processor receives an attack target image 410 and an attack pattern 412, and the input attack target image 410 and the attack pattern 412 are applied to the neural rendering model 420. It can be executed by inputting (①).

The artificial neural network may output an attack pattern rendering image 430 in which an attack pattern is rendered on an object through the neural rendering model 420 (②).

In addition, the artificial neural network may input the attack pattern rendering image 430 in which the attack pattern 412 is rendered to the attack target model 440 (③).

Thereafter, the artificial neural network may generate an attack pattern that causes a malfunction of the attack target model 440 through backpropagation and gradient descent algorithms (④).

As such, the hostile attack pattern generating system according to an embodiment of the present disclosure may apply the attack pattern to the surface of the 3D object included in the attack target image. The system for generating a hostile attack pattern according to an embodiment can attack regardless of the position and viewing angle of the object, compared to the conventional hostile attack technique such as disturbance and patching.

In addition, the hostile attack pattern generation system according to an embodiment can perform a white box attack by applying a neural rendering technique. The system for generating a hostile attack pattern according to an embodiment may improve attack performance compared to a conventional black box-based pattern attack method.

Furthermore, the system for generating a hostile attack pattern according to an embodiment can be efficiently utilized in implementing a technology for responding to vulnerabilities in artificial intelligence security in the future through generation of an attack pattern with improved attack performance.

5 is a diagram illustrating an internal structure of a neural rendering model according to an embodiment of the present disclosure. In one embodiment, the neural rendering model may be performed by a processor (eg, at least one processor of a hostile attack pattern generation system). The neural rendering model 420 may be configured as an autoencoder-based model having two inputs and one output. The neural rendering model includes a transformation feature extractor 520 that extracts characteristics applied to the received attack target image, and an attack that is a result of rendering a texture (pattern) input using the extracted characteristics to the attack target image. It may be composed of an attack pattern converter 540 deriving a pattern rendering image 550 . Here, the attack pattern transformer 540 may be referred to as an expected texture transformer. The transform feature extractor 520 may be configured in the form of a convolutional autoencoder. The attack pattern converter 540 may be configured to infer a rendering result by complexly applying an operation between images.

As shown, the neural rendering model 420 may be executed when the transform feature extractor 520 receives the attack target image 510 . Inside the transformation feature extractor 520, after subtracting the transformation features (TF) 530 extracted by the transformation feature extractor 520 from the attack pattern (Expected Texture) 512, a rectified linear unit (ReLU, Rectified) Linear Unit) is applied (542), TF is added to the result (544), the result is multiplied by TF (546), and ReLU is applied by adding TF to the result (548). The result may be an attack pattern rendering image 550 in which the attack pattern 512 is finally rendered.

In one embodiment, the neural rendering model 420 generates a first image by applying a rectified linear function (ReLU) after subtracting the transform feature 530 from the attack pattern 512, and adds the transform feature to the first image. In addition, a second image is generated, a third image is generated by multiplying the second image by a transform feature, and a rectified linear function is applied after multiplying the third image by a transform feature to generate an attack pattern rendering image 550. .

6 is a diagram illustrating a learning method of an artificial neural network executed by a processor of a hostile attack pattern generation system according to an embodiment of the present disclosure. In an embodiment, the learning method of the artificial neural network may be performed by a processor (eg, at least one processor of the hostile attack pattern generating system). Here, the neural rendering model structure may be composed of an autoencoder-based model that receives two inputs and outputs one output. The auto encoder may be a deep learning model that compresses information of an input image and restores an existing image through the compressed information.

As shown, the processor may infer the neural rendering image 630 by inputting the attack target image 610 and the attack pattern 612 to the neural rendering model 420 (①).

In addition, the processor may derive the graphic engine rendering image 640 in which the attack pattern 612 is rendered on the actual target object through the graphic engine 620 supporting rendering (②). For example, the graphic engine 620 may refer to a graphic engine such as Unreal Engine or Unity. The process of deriving the rendered image of the attack pattern 612 may be to apply a texture part of the material of the attack target object as a corresponding attack pattern in the graphic engine 620 . This process may correspond to a texture mapping process during the rendering process.

The processor defines a loss function for the difference between the neural rendering image 630 and the graphic engine rendering image 640 derived in steps ① and ②, respectively, and trains the neural rendering model to minimize the loss function (650). Can (③).

In one embodiment, the equation representing the loss function may be expressed as [Equation 1] below.

Here, descriptions of variables included in [Equation 1] are as follows.

: 뉴럴 렌더링 모델

: Neural Rendering Model

: 그래픽 엔진

: graphics engine

: 공격 대상 물체 이미지

: Attack target image

: 공격 패턴

: attack pattern

: 뉴럴 렌더링 이미지

: Neural Rendered Image

: 그래픽 엔진 렌더링 이미지

: Graphics engine rendering image

That is, the loss function is binary cross-entropy representing the difference between the neural rendering image and the graphic engine rendering image, and the neural rendering model can be trained to minimize this.

7 is a flowchart illustrating a method 700 for generating a hostile attack pattern according to an embodiment of the present disclosure. In an embodiment, the method 700 for generating a hostile attack pattern may be performed by a processor (eg, at least one processor of a hostile attack pattern generating system). As shown, the hostile attack pattern generation method 700 may be initiated by the processor preparing the attack pattern (S710).

The processor may output an attack pattern rendering image based on the attack target image and the attack pattern by the neural rendering model (S720). The processor may map the attack pattern to the texture of the attack target object included in the attack target image by the neural rendering model. In addition, the processor extracts a transformation feature from an attack target image by an auto-encoder-based transformation feature extractor, and attacks an attack pattern from a transformation feature by an attack pattern converter capable of complex operations between images A render image can be created. Here, the processor generates a first image by applying a rectification linear function (ReLU) after subtracting the transformation feature from the attack pattern, generates a second image by adding the transformation feature to the first image, and adds the transformation feature to the second image to generate a third image, multiply the third image by a transform feature, and then apply a rectifying linear function to generate an attack pattern rendering image.

The processor may cause a malfunction of the attack target model by inputting the attack pattern rendering image into the attack target model (S730). Here, the processor may separately define a loss function to cause a malfunction of the attack target model, and learn an attack pattern through a backpropagation algorithm to minimize the loss function.

Additionally, the processor may learn the neural rendering model so that the attack target image and the attack pattern are input, and the neural rendering model maps the attack pattern to the texture of the attack target object included in the attack target image.

8 is a flowchart illustrating an artificial neural network learning method 800 for generating an adversarial pattern rendering image according to an embodiment of the present disclosure. In one embodiment, the artificial neural network learning method 800 may be performed by a processor (eg, at least one processor of the hostile attack pattern generation system). As shown, the artificial neural network learning method 800 may be initiated by the processor inferring the neural rendering image by inputting the attack target image and the attack pattern as inputs by the neural rendering model ( S810 ). Here, the processor extracts a transformation feature from an attack target image by an auto-encoder-based transformation feature extractor, and performs a neural rendering from the transformation feature by an attack pattern converter capable of complex operations between images You can create an image. In addition, the processor generates a first image by applying a rectified linear function (ReLU) after subtracting the transformation feature from the attack pattern, generates a second image by adding the transformation feature to the first image, and adds the transformation feature to the second image to generate a third image, multiply the third image by a transform feature, and then apply a rectified linear function to generate a neural rendered image.

The processor may generate a graphic engine rendering image by inputting an attack target image and an attack pattern by the graphic engine (S820). Here, the processor may generate the graphic engine rendering image by applying the attack pattern to the texture of the attack target object included in the attack target image by the graphic engine.

The processor may learn the neural rendering model so that the loss function for the difference between the neural rendering image and the graphics engine rendering image is minimized ( S830 ). Here, the processor may learn the neural rendering model such that a loss function defined based on binary cross-entropy (BCE) between the neural rendering image and the graphic engine rendering image is minimized.

The above-described method may be provided as a computer program stored in a computer-readable recording medium for execution by a computer. The medium may continuously store a computer executable program, or may be a temporary storage for execution or download. In addition, the medium may be various recording means or storage means in the form of a single or several hardware combined, it is not limited to a medium directly connected to any computer system, and may exist distributed on a network. Examples of the medium include a hard disk, a magnetic medium such as a floppy disk and a magnetic tape, an optical recording medium such as CD-ROM and DVD, a magneto-optical medium such as a floppy disk, and those configured to store program instructions, including ROM, RAM, flash memory, and the like. In addition, examples of other media may include recording media or storage media managed by an app store that distributes applications, sites that supply or distribute various other software, or servers.

The method, operation, or techniques of this disclosure may be implemented by various means. For example, these techniques may be implemented in hardware, firmware, software, or a combination thereof. Those of ordinary skill in the art will appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementations should not be interpreted as causing a departure from the scope of the present disclosure.

In a hardware implementation, the processing units used to perform the techniques include one or more ASICs, DSPs, digital signal processing devices (DSPDs), programmable logic devices (PLDs). ), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, electronic devices, other electronic units designed to perform the functions described in this disclosure. , a computer, or a combination thereof.

Accordingly, the various illustrative logic blocks, modules, and circuits described in connection with this disclosure are suitable for use in general purpose processors, DSPs, ASICs, FPGAs or other programmable logic devices, discrete gate or transistor logic, discrete hardware components, or the present disclosure. It may be implemented or performed in any combination of those designed to perform the functions described in A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, eg, a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other configuration.

In firmware and/or software implementations, the techniques include random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), PROM ( on computer-readable media such as programmable read-only memory), erasable programmable read-only memory (EPROM), electrically erasable PROM (EEPROM), flash memory, compact disc (CD), magnetic or optical data storage devices, etc. It may be implemented as stored instructions. The instructions may be executable by one or more processors, and may cause the processor(s) to perform certain aspects of the functionality described in this disclosure.

Although the embodiments described above have been described utilizing aspects of the presently disclosed subject matter in one or more standalone computer systems, the present disclosure is not limited thereto and may be implemented in connection with any computing environment, such as a network or distributed computing environment. . Still further, aspects of the subject matter in this disclosure may be implemented in a plurality of processing chips or devices, and storage may be similarly affected across the plurality of devices. Such devices may include PCs, network servers, and portable devices.

Although the present disclosure has been described in connection with some embodiments herein, various modifications and changes can be made without departing from the scope of the present disclosure that can be understood by those skilled in the art to which the present disclosure pertains. Further, such modifications and variations are intended to fall within the scope of the claims appended hereto.

120: hostile pattern generation system
150: object detection model
210: memory
220: processor
230: communication module
240: input/output interface
310: data input unit
320: artificial neural network model learning unit
330: graphics engine
340: training data DB
420: Neural Rendering Model
520; transform feature extractor
540: Attack Pattern Converter
620: graphics engine

Claims (20)

In the method for generating a hostile attack pattern, performed by at least one processor,
preparing an attack pattern;
learning the neural rendering model to map the attack pattern to the texture of the attack target object included in the attack target image by inputting the attack target image and the attack pattern as inputs;
extracting transformation features from the attack target image by an auto-encoder-based transformation feature extractor included in the neural rendering model;
By generating an attack pattern rendering image from the transformation feature by an attack pattern converter that can perform complex operations between images included in the neural rendering model, the attack pattern is mapped to the texture of the attack target object included in the attack target image outputting the attack pattern rendering image; and
Inducing a malfunction of the attack target model by inputting the attack pattern rendering image into the attack target model
A method comprising
delete delete According to claim 1,
By generating an attack pattern rendering image from the transformation feature by an attack pattern converter that can perform complex operations between images included in the neural rendering model, the attack pattern is mapped to the texture of the attack target object included in the attack target image The step of outputting the attack pattern rendering image is,
generating a first image by subtracting the transformation feature from the attack pattern and applying a rectified linear function (ReLU);
generating a second image by adding the transform feature to the first image;
generating a third image by multiplying the second image by the transform feature; and
and generating the attack pattern rendering image by multiplying the third image by the transform feature and then applying the rectified linear function.
delete In the artificial neural network learning method for generating a hostile attack pattern rendering image, performed by at least one processor,
extracting a transformation feature from the attack target image by inputting an attack target image and an attack pattern using the neural rendering model, and generating a neural rendering image from the transformed feature;
generating, by a graphic engine, the attack target image and the attack pattern as inputs, and applying the attack pattern to a texture of an attack target object included in the attack target image to generate a graphic engine rendering image; and
learning the neural rendering model so that a loss function for a difference between the neural rendering image and the graphics engine rendering image is minimized;
A method comprising
7. The method of claim 6,
The step of generating a neural rendering image from the transformation feature by extracting a transformation feature from the attack target image by inputting an attack target image and an attack pattern by a neural rendering model,
extracting the transform feature from the attack target image by an auto-encoder-based transform feature extractor; and
and generating the neural rendered image from the transform feature by an attack pattern converter capable of performing complex operations between images.
8. The method of claim 7,
The step of generating the neural rendering image from the transformation feature by an attack pattern converter capable of complex operation between images includes:
generating a first image by subtracting the transformation feature from the attack pattern and applying a rectified linear function (ReLU);
generating a second image by adding the transform feature to the first image;
generating a third image by multiplying the second image by the transform feature; and
and generating the neural rendered image by multiplying the third image by the transform feature and then applying the rectified linear function.
delete 7. The method of claim 6,
Learning the neural rendering model so that a loss function for a difference between the neural rendering image and the graphics engine rendering image is minimized,
and learning the neural rendering model such that a loss function defined based on binary cross-entropy (BCE) between the neural rendering image and the graphics engine rendering image is minimized.
As a hostile attack pattern generation system,
communication module;
Memory; and
at least one processor coupled to the memory and configured to execute at least one computer readable program contained in the memory
including,
the at least one program,
prepare an attack pattern,
Learning the neural rendering model by inputting the attack target image and the attack pattern as an input so that the neural rendering model maps the attack pattern to the texture of the attack target object included in the attack target image,
Extracting a transformation feature from the attack target image by an auto-encoder-based transformation feature extractor included in the neural rendering model,
By generating an attack pattern rendering image from the transformation feature by an attack pattern converter that can perform complex operations between images included in the neural rendering model, the attack pattern is mapped to the texture of the attack target object included in the attack target image Outputs one of the attack pattern rendering images,
and one or more instructions for causing a malfunction of the attack target model by inputting the attack pattern rendering image into the attack target model.
delete delete 12. The method of claim 11,
The attack pattern converter,
After subtracting the transformation feature from the attack pattern, a rectification linear function (ReLU) is applied to generate a first image,
generating a second image by adding the transformation feature to the first image;
multiplying the second image by the transform feature to generate a third image,
and multiply the third image by the transform feature and then apply the rectified linear function to generate the attack pattern rendering image.
delete 12. The method of claim 11,
Learning the neural rendering model to map the attack pattern to the texture of the attack target object included in the attack target image by inputting the attack target image and the attack pattern as inputs,
inferring a neural rendering image based on the neural rendering model by inputting the attack target image and the attack pattern as inputs;
generating, by a graphic engine, a graphic engine rendering image by inputting the attack target image and the attack pattern; and
and learning the neural rendering model such that a loss function for a difference between the neural rendered image and the graphics engine rendered image is minimized.
17. The method of claim 16,
Learning the neural rendering model so that the loss function for the difference between the neural rendering image and the graphics engine rendering image is minimized,
and learning the neural rendering model such that a loss function defined based on binary cross-entropy (BCE) between the neural rendered image and the graphics engine rendered image is minimized.
A computer program stored in a computer-readable recording medium for executing a method for generating a hostile attack pattern on a computer, comprising:
preparing an attack pattern;
learning the neural rendering model by inputting the attack target image and the attack pattern as inputs so that the neural rendering model maps the attack pattern to the texture of the attack target object included in the attack target image;
extracting transformation features from the attack target image by an auto-encoder-based transformation feature extractor included in the neural rendering model;
By generating an attack pattern rendering image from the transformation feature by an attack pattern converter that can perform complex operations between images included in the neural rendering model, the attack pattern is mapped to the texture of the attack target object included in the attack target image outputting the attack pattern rendering image; and
A computer program stored in a computer-readable recording medium comprising one or more instructions for executing the step of causing a malfunction of the attack target model by inputting the attack pattern rendering image into the attack target model.
delete 19. The method of claim 18,
By generating an attack pattern rendering image from the transformation feature by an attack pattern converter that can perform complex operations between images included in the neural rendering model, the attack pattern is mapped to the texture of the attack target object included in the attack target image The step of outputting the attack pattern rendering image is,
generating a first image by subtracting the transformation feature from the attack pattern and applying a rectified linear function (ReLU);
generating a second image by adding the transform feature to the first image;
generating a third image by multiplying the second image by the transform feature; and
and generating the attack pattern rendering image by multiplying the third image by the transformation feature and then applying the rectified linear function.

Images