KR102592120B1 - Method of unsupervised detection of adversarial example and apparatus using the method - Google Patents

Abstract

An unsupervised anomaly detection method for adversarial examples and a device using the same are provided. The method includes generating an AI (eXplanable Artificial Intelligence; , generating a target XAI signature of the target image from the artificial intelligence model, and a reference error obtained by passing the normal XAI signature set through the compression-decompression model and the It includes determining whether the target image is an adversarial example based on a comparison result of target errors obtained by passing through .

Description

Unsupervised anomaly detection method of adversarial example and device using the same {METHOD OF UNSUPERVISED DETECTION OF ADVERSARIAL EXAMPLE AND APPARATUS USING THE METHOD}

The present invention relates to an unsupervised anomaly detection method of adversarial examples and a device using the same. More specifically, the present invention relates to anomalies in image data using unsupervised learning for adversarial examples that may generate incorrect output when input to a neural network. It relates to a detection method and a device that uses it.

Recently, artificial intelligence technology has been used in various fields such as image classification and natural language processing and has proven its performance, but various security attack methods using vulnerabilities in machine learning algorithms that create artificial intelligence models are also being studied.

Figure 1a shows an example of an evasion attack that produces incorrect results by manipulating input data using an adversarial example generation technique. Adversarial examples, which are so elaborately created that they are difficult to distinguish from normal data, can cause security problems by causing malfunctions in artificial intelligence models.

Figure 1b shows a solution to the problem through learning about these adversarial examples. In other words, by creating hostile examples in advance and learning them using a deep learning model, the artificial intelligence model can distinguish between normal data and hostile examples.

However, this method is difficult to respond to because it requires a re-training process every time a new adversarial example appears, and generating and learning adversarial examples can result in significant time and cost. In addition, even when learning adversarial examples in this way, there is a problem in that there are limits to the ability of the artificial intelligence model to distinguish between elaborately created adversarial examples.

The technical problem to be solved by the present invention is to provide a detection method that can effectively distinguish adversarial examples using unsupervised learning and a device using the same.

The technical problems of the present invention are not limited to the technical problems mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the description below.

The unsupervised anomaly detection method of adversarial examples according to some embodiments of the present invention to solve the above-mentioned technical problems generates an AI (eXplanable Artificial Intelligence (XAI)) signature set that can normally explain normal image datasets from an artificial intelligence model. A step of generating a compression-decompression model by learning the normal XAI signature set with an autoencoder, generating a target It includes determining whether the target image is an adversarial example based on a comparison result of a reference error obtained by passing the XAI signature of the target image through the model and a target error obtained by passing the XAI signature of the target image through the compression-decompression model.

In some embodiments of the present invention, generating the normal It may include obtaining a feature value using at least one of (Integrated Gradient).

In some embodiments of the present invention, generating the normal It may include obtaining pixel contribution of a normal image to the artificial intelligence model.

In some embodiments of the present invention, the step of determining whether the target image is an adversarial example may include determining the target image as an adversarial example when the difference between the target error and the reference error is greater than a predetermined value. there is.

In some embodiments of the present invention, the target image uses at least one of FGSM (Fast Gradient Sign Method), CW ((Carlini & Wagner's), and PGD (Projected Gradient Descent) on images included in the normal image dataset. It may include an image created by synthesizing the generated noise.

An unsupervised anomaly detection device for adversarial examples according to some embodiments of the present invention for solving the above-described technical problem includes a processor and a memory storing instructions executable by the processor, wherein the instructions are executed by the processor. Executed, generating a normal XAI signature set of a normal image dataset from an artificial intelligence model, learning the normal In the step of generating an XAI signature and the result of comparing the reference error obtained by passing the normal Based on this, a step is performed to determine whether the target image is an adversarial example.

Specific details of other embodiments are included in the detailed description and drawings.

The unsupervised anomaly detection method and detection device for adversarial examples according to an embodiment of the present invention can detect anomalies in adversarial examples through unsupervised learning using an autoencoder, thereby generating adversarial examples. And the time and cost required for learning can be greatly reduced.

In addition, various algorithms (e.g. saliency map, LIME, SHAP, IG, etc.) used in the normal Adaptability can be improved.

The effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the description of the claims.

Figure 1a shows an example of an evasion attack that produces incorrect results by manipulating input data using an adversarial example generation technique.
Figure 1b shows a problem solving method through learning on adversarial examples.
Figure 2 is a diagram illustrating an unsupervised anomaly detection device for adversarial examples according to some embodiments of the present invention.
Figure 3 is a flowchart illustrating an unsupervised anomaly detection method for adversarial examples according to some embodiments of the present invention.
FIG. 4 is a diagram illustrating a series of anomaly detection processes performed by an unsupervised anomaly detection device for adversarial examples according to some embodiments of the present invention.
Figure 5 is a diagram illustrating the effectiveness of an unsupervised anomaly detection method for adversarial examples according to an embodiment of the present invention.

The advantages and features of the present invention and methods for achieving them will become clear by referring to the embodiments described in detail below along with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below and will be implemented in various different forms. The present embodiments only serve to ensure that the disclosure of the present invention is complete and that common knowledge in the technical field to which the present invention pertains is not limited. It is provided to fully inform those who have the scope of the invention, and the present invention is only defined by the scope of the claims. Like reference numerals refer to like elements throughout the specification.

One component is said to be “connected to” or “coupled to” another component when it is directly connected or coupled to another component or with an intervening other component. Includes all cases. On the other hand, when one component is referred to as “directly connected to” or “directly coupled to” another component, it indicates that there is no intervening other component. “And/or” includes each and every combination of one or more of the mentioned items.

The terminology used herein is for describing embodiments and is not intended to limit the invention. As used herein, singular forms also include plural forms, unless specifically stated otherwise in the context. As used herein, “comprises” and/or “comprising” refers to the presence of one or more other components, steps, operations and/or elements. or does not rule out addition.

Although first, second, etc. are used to describe various components, it goes without saying that these components are not limited by these terms. These terms are merely used to distinguish one component from another. Therefore, of course, the first component mentioned below may also be the second component within the technical spirit of the present invention.

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used with meanings that can be commonly understood by those skilled in the art to which the present invention pertains. Additionally, terms defined in commonly used dictionaries are not interpreted ideally or excessively unless clearly specifically defined.

Figure 2 is a diagram illustrating an unsupervised anomaly detection device for adversarial examples according to some embodiments of the present invention.

Referring to FIG. 2, the unsupervised anomaly detection device 100 of an adversarial example according to some embodiments of the present invention may include a processor 110, a memory 120, an interface 130, and a storage 140. .

The unsupervised anomaly detection device 100 for adversarial examples may include a computing device capable of performing unsupervised learning using a given dataset and target data and performing an operation to determine an adversarial example. Such computing devices may include, but are not limited to, personal computers (PCs), notebook PCs, server computers, etc., mobile phones, smart phones, tablet PCs, etc. It may also include .

The processor 110 may control the operation of the unsupervised anomaly detection device 100 of the adversarial example. Specifically, the processor 110 preprocesses input data acquired through the interface 130 or input data stored in the storage 140, learns an artificial neural network using the preprocessed data, and determines adversarial examples through the learned artificial neural network. For this purpose, data mining, data analysis, intelligent decision-making, and machine learning algorithms can be performed, while information to be used for the operation method according to an embodiment of the present invention can be received, classified, stored, and output.

The memory 120 may be communicatively connected to the processor 110 . Memory 120 may temporarily store data processed by processor 110.

In addition, the memory 120 stores an artificial intelligence model and a compression-decompression model used to perform an unsupervised anomaly detection method of an adversarial example, which will be described later, while storing instructions executable by the processor 110. there is.

The interface 130 receives normal image datasets and target images required for machine learning to perform the adversarial example unsupervised anomaly detection method according to an embodiment of the present invention, while receiving the adversarial image data set performed by the processor 110. The judgment result can be output externally.

The storage 140 may store programs and data necessary for the operation of the unsupervised anomaly detection device 100 for adversarial examples. The storage 140 may store, for example, a normal image dataset for generating a normal XAI signature set and a hostile image dataset generated from the normal image dataset.

FIG. 3 is a flowchart illustrating an unsupervised anomaly detection method of adversarial examples according to some embodiments of the present invention, and FIG. 4 is a diagram illustrating a series of adversarial example anomaly detection processes performed by the method of FIG. 3. .

Referring to FIG. 3, the unsupervised anomaly detection method of an adversarial example according to an embodiment of the present invention includes generating a normal XAI signature set of a normal image dataset from an artificial intelligence model (S110), and generating the normal A step of generating a compression-decompression model by learning (S120), a step of generating the target XAI signature of the target image from the artificial intelligence model (S130), the reference error obtained from the normal A step of determining whether the target image is a hostile example based on the comparison result (S140), determining whether the reference error is greater than the target error (S150), and determining that the target image is a hostile example if the reference error is smaller than the target error. (S160) and, if the reference error is greater than the target error, determining that the target image is an adversarial example (S165).

Each step of the above-described method may be performed by the unsupervised anomaly detection device 100, particularly the processor 110, of the adversarial example described with reference to FIG. 2. Hereinafter, a more detailed description will be given with reference to FIGS. 3 and 4.

First, a step (S110) of generating a normal XAI signature set of a normal image dataset from an artificial intelligence model may be performed.

The normal image dataset 210 may refer to a set of normal image data to which an adversarial example generation technique, which will be described later, has not been applied. The unsupervised anomaly detection device 100 of the adversarial example receives a normal image dataset 210 through the interface 130, or uses the normal image dataset 210 stored in the storage 140 to set a normal (220) can be generated.

XAI signatures, or explainable signatures of artificial intelligence, present the reasons why artificial intelligence classified or judged input data using an artificial intelligence model so that people can understand them, allowing them to look into the thought process of artificial intelligence. It's technology.

In image data, the It means visualizing the characteristics of image data. Of course, the present invention is not limited to this, and the XAI signature may include those generated by artificial intelligence that can explain other methods in addition to the four methods described above.

Hereinafter, the unsupervised anomaly detection device 100 of the adversarial example will be described based on generating an XAI signature using a saliency map of image data.

The unsupervised anomaly detection device 100 of the adversarial example may generate a normal XAI signature set 220 using an artificial intelligence model pre-stored in the memory 120 and a normal image dataset 210. Here, the artificial intelligence model pre-stored in the memory 120 may mean an artificial intelligence model of a target on which an evasion attack is performed by an adversarial example.

When generating a normal XAI signature of normal image data using a saliency map, pixel contributions to the artificial intelligence model of the normal image can be generated. This can be created by gathering and mapping parts of the image data where the pixel value changes rapidly. A normal XAI signature set 220 corresponding to the normal image dataset 210 can be generated by generating a normal there is. Here, the explanation is based on the creation of a saliency mapset corresponding to a normal image dataset.

Subsequently, a step (S120) of generating a compression-decompression model by learning the normal XAI signature set with an autoencoder may be performed.

The autoencoder 230 is a deep neural network specialized in restoring and reducing noise of high-dimensional data such as images and voices, and consists of an encoder and a decoder that are symmetrical to each other. The encoder compresses high-dimensional data into low-dimensional data to minimize unnecessary information, and the decoder restores low-dimensional data back to high-dimensional data.

By inputting and learning the normal The unsupervised anomaly detection device 100 for adversarial examples can calculate the error required for judging adversarial examples using the compression-decompression model learned by the autoencoder 230.

Subsequently, a step (S130) of generating a target XAI signature of the target image from the artificial intelligence model may be performed. It is assumed that the target image 240 is an adversarial example created by adding noise from a normal image for an evasion attack against an artificial intelligence model. For example, the addition of the noise may use at least one of FGSM (Fast Gradient Sign Method), CW (Carlini & Wagner's), and PGD (Projected Gradient Descent) algorithms, but the present invention is not limited thereto. Hereinafter , the target image 240 is explained assuming that noise is added to a normal image using FGSM so that the artificial intelligence model is created to classify it into different result values.

The unsupervised anomaly detection device 100 of the adversarial example may store the target image 240 in advance in the storage 140 or receive the target image 240 through the interface 130. Alternatively, the unsupervised anomaly detection device 100 of the adversarial example may generate a target image set consisting of a plurality of target images 240 by adding noise to the pre-stored normal image dataset 210.

For example, the target It can be created by visualizing the characteristics of target image data. At this time, the generation of the normal XAI signature set 220 of the above-described normal image dataset 210 and the target XAI signature 250 of the target image 240 need to be performed using the same algorithm. Therefore, when a saliency map is applied to the normal image dataset 210 to generate a normal There is a need to create an XAI signature (250).

Subsequently, a step (S140) of determining whether the target image is an adversarial example may be performed based on a comparison result between the reference error obtained from the normal XAI signature set and the target error obtained from the target XAI signature.

The unsupervised anomaly detection device 100 for adversarial examples according to an embodiment of the present invention can calculate the error required for determining adversarial examples using the compression-decompression model generated by the autoencoder 230.

Specifically, the unsupervised anomaly detection device 100 of the adversarial example may input the normal In the process of compressing the normal A reference error may be generated using the reconstruction error between the normal XAI signature set 220, which is a set of a plurality of image data, and the corresponding restored XAI signature set. For example, the reference error may include the average value of the reconstruction error between the normal XAI signature set 220 and the corresponding restored XAI signature set.

Additionally, the unsupervised anomaly detection apparatus 100 of the adversarial example may input the target A target error, which means a reconstruction error between the target XAI signature 250 and the corresponding restored target XAI signature, may be generated.

To determine whether the target image is a hostile example, determine whether the large difference between the reference error and the target error is greater than a predetermined standard (S150), and if the difference is greater than the predetermined standard, determine that the target image is a hostile example ( S160), if the difference is smaller than a predetermined standard, it can be performed by determining that the target image is an adversarial example (S165).

If the difference between the reference error and the target error is greater than a predetermined standard, the restoration loss of the restored target This case is larger than the indicated reconstruction error (e.g., the average for the normal XAI signature set), meaning that the target image corresponds to an adversarial example.

On the other hand, if the difference between the reference error and the target error is smaller than the predetermined standard, the restoration loss of the restored target This refers to the case where the restoration error shown during restoration (e.g., the average for the normal XAI signature set) is smaller, and the target image is general image data rather than an adversarial example.

Figure 5 is a diagram illustrating the effectiveness of an unsupervised anomaly detection method for adversarial examples according to an embodiment of the present invention.

Referring to FIG. 5, the minimum, maximum, and average values of the reference error of the normal XAI signature set and the target error of the target The average of the standard error of the normal It can also be seen that it is increasing.

As such, the unsupervised anomaly detection method and detection device for adversarial examples according to an embodiment of the present invention can detect anomalies in adversarial examples through unsupervised learning using an autoencoder, which is necessary for generating and learning adversarial examples. Time and cost can be greatly reduced.

In addition, various algorithms (e.g. saliency map, LIME, SHAP, IG, etc.) used in the normal Adaptability can be improved.

The present invention can also be implemented as computer-readable code on a computer-readable recording medium. Computer-readable recording media include all types of recording devices that store data that can be read by a computer device. Examples of computer-readable recording media include hard disks, ROMs, RAM, CD-ROMs, hard disks, magnetic tapes, floppy disks, and optical data storage devices, as well as carrier waves (e.g., transmission via the Internet). It also includes implementation in the form of.

Although embodiments of the present invention have been described above with reference to the attached drawings, those skilled in the art will understand that the present invention can be implemented in other specific forms without changing the technical idea or essential features. You will be able to understand it. Therefore, the embodiments described above should be understood in all respects as illustrative and not restrictive.

100: Unsupervised anomaly detection device for adversarial examples
110: processor
120: memory
130: interface
140: storage
210: Normal image dataset
220: Normal XAI signature set
230: Autoencoder
240: Target image
250: Target XAI signature

Claims (10)

Generating a normally explainable AI (eXplanable Artificial Intelligence; XAI) signature set of a normal image dataset from an artificial intelligence model;
generating a compression-decompression model by learning the normal XAI signature set with an autoencoder;
Generating a target XAI signature of a target image from the artificial intelligence model; and
Based on the comparison result of the reference error obtained by passing the normal XAI signature set through the compression-decompression model and the target error obtained by passing the Includes a step of determining whether it is an example,
The step of determining whether the target image is an adversarial example is,
An unsupervised anomaly detection method of an adversarial example, comprising determining the target image as an adversarial example when the difference between the target error and the reference error is greater than a predetermined value. According to claim 1,
The step of generating the normal XAI signature set is,
Including obtaining feature values from the normal image dataset using at least one of a saliency map, LIME (Local Interpretable Model-Agnostic Explanation), SHAP (SHapley Additive exPlanations), and IG (Integrated Gradient),
An unsupervised anomaly detection method for adversarial examples. According to clause 2,
Generating the normal XAI signature set includes generating a saliency mapset from the normal image dataset,
Generating the saliency mapset includes obtaining pixel contributions to the artificial intelligence model of a normal image included in the normal image dataset,
An unsupervised anomaly detection method for adversarial examples. delete According to clause 1,
The target image is generated by synthesizing noise generated using at least one of FGSM (Fast Gradient Sign Method), CW ((Carlini &Wagner's), and PGD (Projected Gradient Descent) with the image included in the normal image dataset. containing images,
An unsupervised anomaly detection method for adversarial examples. processor; and
a memory storing instructions executable by the processor, the instructions being executed by the processor,
Generating a normal XAI signature set of a normal image dataset from an artificial intelligence model;
generating a compression-decompression model by learning the normal XAI signature set with an autoencoder;
Generating a target XAI signature of a target image from the artificial intelligence model; and
Based on the comparison result of the reference error obtained by passing the normal XAI signature set through the compression-decompression model and the target error obtained by passing the Take steps to determine whether an example is present,
The step of determining whether the target image is an adversarial example is,
Including determining the target image as an adversarial example when the difference between the target error and the reference error is greater than a predetermined value,
An unsupervised anomaly detector on adversarial examples. According to clause 6,
The step of generating the normal XAI signature set is,
Including obtaining feature values from the normal image dataset using at least one of a saliency map, LIME, SHAP, and IG,
An unsupervised anomaly detector on adversarial examples. According to clause 7,
Generating the normal XAI signature set includes generating a saliency mapset from the normal image dataset,
Generating the saliency mapset includes obtaining pixel contributions to the artificial intelligence model of a normal image included in the normal image dataset,
An unsupervised anomaly detector on adversarial examples. delete According to clause 6,
The target image is generated by synthesizing noise generated using at least one of FGSM (Fast Gradient Sign Method), CW ((Carlini &Wagner's), and PGD (Projected Gradient Descent) with the image included in the normal image dataset. containing images,
An unsupervised anomaly detector on adversarial examples.