KR102596738B1 - An Autonomous Decision-Making Framework for Gait Recognition Systems Against Adversarial Attack Using Reinforcement Learning - Google Patents

Abstract

An adversarial attack method using reinforcement learning for a gait recognition system according to a preferred embodiment of the present invention, a device and a computer program for performing the same, strengthen a gait recognition system based on deep learning. By performing an adversarial attack using reinforcement learning, the safety of the gait recognition system can be more accurately verified by analyzing vulnerabilities of the gait recognition system.

Description

An Autonomous Decision-Making Framework for Gait Recognition Systems Against Adversarial Attack Using Reinforcement Learning}

The present invention relates to an autonomous decision-making framework for a gait recognition system against adversarial attacks using reinforcement learning, and more specifically, to verify the safety of a deep learning-based gait recognition system. , relates to a method, device, and computer program for performing attacks on gait recognition systems.

Over the past few decades, technological advances in artificial intelligence (AI), machine learning (ML), and deep learning (DL) have expanded the use of autonomous systems in almost all areas. Additionally, the security factors for these deep neural networks (DNNs) must be well investigated, and it is becoming increasingly important to determine the stability of these deep neural networks (DNNs) under adversarial attacks.

Since the initial observation that neural networks were vulnerable to adversarial attacks, examining advances in artificial intelligence (AI) from the attack perspective has become an increasingly focused focus, with researchers attempting to design new variants of attack and defense methods to exploit the weaknesses and robustness of various systems. I'm trying. More precisely, in these studies, the resilience of models to potentially manipulated data samples has become an important design goal. Trained models are very good and confident at classifying given unknown samples, and recent studies have shown that attackers can frequently change input samples such that these trained models produce incorrect results. This argument is valid even when alterations or perturbations in the image are unnoticed by humans and the model predicts the wrong class. Security considerations aside, this process shows that the deep learning (DL) algorithms for which they are designed do not concisely capture the underlying assumptions. Attacks are classified into black box attacks, white box attacks, targeted attacks, and non-targeted attacks.

In white box attacks, potentially harmful samples are computed by accessing model parameters and structure or architecture. The relative is calculated using information extracted by calculating the model slope for a given sample. Examples of white box attacks include fast gradient sign method (FGSM), momentum iterative FGSM, and iterative FGSM. Likewise, several new variants of the FGSM method were also designed, including the one-step target class method, the basic iterative method and the iterative-least likely class method. ), etc. Additionally, not only the gradient information but also the Jacobian matrix of the base model is calculated to generate adversarial samples. Additionally, a set of consecutive repetitions is calculated by calculating the minimum size of perturbation for a given input sample. This process continues until no decision boundary is found that is closer to the normal sample, and then the enemy beyond the boundary is found.

Conversely, black box attacks are more powerful and difficult to perform. Typically, in black box scenarios, adversarial samples are computed without collecting information about the parameters, gradients, and structure of the underlying model. For example, hinge-like loss function and symmetric difference are used to compute adversarial samples. Additionally, an optimization problem based on a differential evolution algorithm is used to determine the optimal perturbation size equal to 1. Therefore, the attack is called a 1-pixel attack. Similarly, naturally occurring adversarial networks are also used to generate adversarial samples where the distance between representations of internal layers is reduced.

As a result, these attacks can be modeled in various settings, such as targeted and untargeted attacks. Typically, in a targeted attack, the attacker creates input samples for the adversarial sample such that the model outputs the desired class. In contrast, in an untargeted attack, the model predicts an incorrect random class from the set of trained classes. According to existing research, black box attacks performed in a targeted or non-targeted manner seem more natural and practical. Attackers typically lack insight into the underlying model architecture and parameters of artificial intelligence (AI)-based systems designed for security and surveillance. As a result, white box attacks are less practical and successful on these systems. Several researchers have proposed many studies to exploit vulnerabilities in various artificial intelligence (AI), deep learning (DL), and computer vision-related use cases and problems. These investigations provide robustness of deep learning (DL) models in environments where they are subject to adversarial attacks prior to deployment in real-world applications, especially safety-critical systems.

The purpose of the present invention is to provide a gait recognition system that performs an adversarial attack using reinforcement learning on a deep learning-based gait recognition system. The goal is to provide an adversarial attack method using reinforcement learning, a device and a computer program to perform it.

Other unspecified objects of the present invention can be additionally considered within the scope that can be easily inferred from the following detailed description and its effects.

An adversarial attack method using reinforcement learning for a gait recognition system according to a preferred embodiment of the present invention to achieve the above technical problem acquires a gait recognition system based on deep learning, which is the subject of analysis. steps; and performing an adversarial attack, which is a black box attack, on the gait recognition system using reinforcement learning (RL).

Here, the gait recognition system is based on a deep convolutional neural network (DCNN) that recognizes an individual by gait style using a gait representation based on a gait energy image (GEI). It may be an intelligent model.

Here, in the hostile attack performance step, the Gait Energy Image (GEI) with which the agent interacts is the environment, and the pixel location in the Gait Energy Image (GEI) is the state. , All possible movements of the agent in its current state are actions, and the action quality value determined based on the prediction result provided from the intelligent model is the reward, using the reinforcement learning (RL), to recognize the gait. This can be achieved by performing the above adversarial attack against the system.

Here, the action is: the agent moves to the pixel above based on the pixel location according to the current state, the agent moves to the pixel below based on the pixel location according to the current state, and the agent moves to the pixel below based on the pixel location according to the current state. This may include moving to the pixel on the left based on the pixel position according to the agent's current state, and moving to the pixel on the right based on the pixel position according to the agent's current state.

Here, the action may be that the agent moves to another pixel in steps of a preset size based on the pixel position according to the current state.

Here, the step of performing the adversarial attack may consist of performing the adversarial attack on the gait recognition system based on Q-learning.

Here, the adversarial attack performance step generates an adversarial patch of a preset size based on the action performed by the agent, and converts an adversarial patch to which the adversarial patch is added into the intelligent model. and performing the hostile attack on the gait recognition system through a process of determining the reward for the action based on the prediction result for the hostile gait energy image (GEI) provided from the intelligent model. It can be done.

Here, the hostile attack performance step generates the hostile patch having a size of n × n in which pixel values are randomly generated centering on the pixel location of the state of the agent according to the action performed by the agent, The adversarial patch may be added to the GEI based on the pixel location of the adversarial patch to obtain the adversarial GEI in which pixels are perturbed.

Here, in the adversarial attack performance step, if the prediction result for the adversarial gait energy image (GEI) provided from the intelligent model corresponds to a result that lowers the confidence of the intelligent model, the action quality value is positive. It is determined as the reward for the action, and if the prediction result for the hostile gait energy image (GEI) provided from the intelligent model does not correspond to a result that lowers the reliability of the intelligent model, a negative action quality value is applied to the action. This can be done by deciding on the compensation for the above.

A computer program according to a preferred embodiment of the present invention for achieving the above technical problem is stored in a computer-readable storage medium and executes one of the adversarial attack methods using reinforcement learning on the gait recognition system described above on the computer.

An adversarial attack device using reinforcement learning for a gait recognition system according to a preferred embodiment of the present invention to achieve the above technical problem is to strengthen a gait recognition system based on deep learning. A memory that stores one or more programs to perform an adversarial attack using reinforcement learning (RL); and one or more processors that perform an operation to perform the adversarial attack on the gait recognition system using the reinforcement learning according to the one or more programs stored in the memory, wherein the processor is configured to perform the gait recognition system. Obtain a recognition system, and perform the adversarial attack, a black box attack, on the gait recognition system using reinforcement learning (RL).

Here, the gait recognition system is based on a deep convolutional neural network (DCNN) that recognizes an individual by gait style using a gait representation based on a gait energy image (GEI). It may be an intelligent model.

Here, the processor is configured so that the Gait Energy Image (GEI) with which the agent interacts is the environment, the pixel location in the Gait Energy Image (GEI) is the state, and the agent All possible movements in the current state are actions, and the action quality value determined based on the prediction result provided from the intelligent model is a reward, using reinforcement learning (RL) for the gait recognition system. The above hostile attack can be performed.

Here, the processor may perform the hostile attack on the gait recognition system based on Q-learning.

Here, the processor generates an adversarial patch of a preset size based on the action performed by the agent, and provides an adversarial gait energy image (GEI) to which the adversarial patch is added to the intelligent model; , the hostile attack can be performed on the gait recognition system through a process of determining the reward for the action based on the prediction result for the hostile gait energy image (GEI) provided from the intelligent model.

Here, the processor generates the adversarial patch having a size of n×n in which pixel values are randomly generated centering on the pixel location of the state of the agent according to the action performed by the agent, and the adversarial patch By adding the adversarial patch to the GEI based on the pixel location of , the adversarial GEI in which pixels are perturbed can be obtained.

Here, if the prediction result for the hostile gait energy image (GEI) provided from the intelligent model corresponds to a result that lowers the confidence of the intelligent model, the processor sets a positive action quality value for the action. If the compensation is determined as the reward, and the prediction result for the hostile gait energy image (GEI) provided from the intelligent model does not correspond to a result that lowers the reliability of the intelligent model, the action quality value is negative as the reward for the action. can be decided.

According to an adversarial attack method using reinforcement learning for a gait recognition system according to a preferred embodiment of the present invention, a device and a computer program for performing the same, for a gait recognition system based on deep learning, By performing an adversarial attack using reinforcement learning, the safety of the gait recognition system can be more accurately verified by analyzing the vulnerabilities of the gait recognition system.

The effects of the present invention are not limited to the effects mentioned above, and other effects not mentioned will be clearly understood by those skilled in the art from the description below.

1 is a block diagram illustrating an adversarial attack device using reinforcement learning for a gait recognition system according to a preferred embodiment of the present invention.
Figure 2 is a flowchart illustrating an adversarial attack method using reinforcement learning for a gait recognition system according to a preferred embodiment of the present invention.
FIG. 3 is a diagram for explaining the steps of performing a hostile attack shown in FIG. 2.
Figure 4 is a diagram illustrating an example of mapping reinforcement learning to a presented problem according to a preferred embodiment of the present invention.
Figure 5 is a diagram illustrating an adversarial attack process using reinforcement learning according to a preferred embodiment of the present invention.
Figure 6 is a diagram illustrating a hostile attack on a human gait analysis-based monitoring system according to a preferred embodiment of the present invention.
Figure 7 is a diagram illustrating the interaction between an agent and the environment according to a preferred embodiment of the present invention.
Figure 8 is a diagram illustrating an algorithm for an adversarial attack using Q-learning according to a preferred embodiment of the present invention.
Figure 9 is a table showing the results of a gait recognition model according to a preferred embodiment of the present invention.
Figure 10 is a table showing the results of a gait recognition model under a hostile attack according to a preferred embodiment of the present invention.
Figure 11 is a diagram showing a density plot of reliability values for each walking energy image of a probe set including all three walking conditions according to a preferred embodiment of the present invention.
Figure 12 is a table showing the results of a gait recognition model with different step sizes under a hostile attack according to a preferred embodiment of the present invention.
Figure 13 is a diagram showing an example of a clean walking energy image and a hostile walking energy image according to a preferred embodiment of the present invention.
Figure 14 is a diagram showing the attack success rate for all walking conditions according to a preferred embodiment of the present invention.
Figure 15 is a table showing the results of a number of training episodes for one individual according to a preferred embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the attached drawings. The advantages and features of the present invention and methods for achieving them will become clear by referring to the embodiments described in detail below along with the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below and may be implemented in various different forms. The present embodiments are merely provided to ensure that the disclosure of the present invention is complete and to provide a general understanding of the technical field to which the present invention pertains. It is provided to fully inform those with knowledge of the scope of the invention, and the present invention is only defined by the scope of the claims. Like reference numerals refer to like elements throughout the specification.

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used with meanings that can be commonly understood by those skilled in the art to which the present invention pertains. Additionally, terms defined in commonly used dictionaries are not interpreted ideally or excessively unless clearly specifically defined.

In this specification, terms such as “first” and “second” are used to distinguish one component from another component, and the scope of rights should not be limited by these terms. For example, a first component may be named a second component, and similarly, the second component may also be named a first component.

In this specification, identification codes (e.g., a, b, c, etc.) for each step are used for convenience of explanation. The identification codes do not describe the order of each step, and each step is clearly ordered in a specific order in context. Unless specified, it may occur differently from the specified order. That is, each step may occur in the same order as specified, may be performed substantially simultaneously, or may be performed in the opposite order.

In this specification, expressions such as “have,” “may have,” “includes,” or “may include” indicate the presence of the corresponding feature (e.g., a numerical value, function, operation, or component such as a part). indicates, does not rule out the presence of additional features.

Hereinafter, with reference to the attached drawings, a preferred embodiment of an adversarial attack method using reinforcement learning for a gait recognition system according to the present invention, a device for performing the same, and a computer program will be described in detail.

First, with reference to FIG. 1, an adversarial attack device using reinforcement learning for a gait recognition system according to a preferred embodiment of the present invention will be described.

1 is a block diagram illustrating an adversarial attack device using reinforcement learning for a gait recognition system according to a preferred embodiment of the present invention.

Referring to FIG. 1, an adversarial attack device 100 using reinforcement learning for a gait recognition system according to a preferred embodiment of the present invention (hereinafter referred to as 'adversarial attack device') is a deep learning (DL)-based device. An adversarial attack can be performed on a gait recognition system using reinforcement learning (RL).

Accordingly, the present invention can more accurately verify the safety of the gait recognition system by analyzing the vulnerabilities of the gait recognition system.

To this end, the hostile attack device 100 may include one or more processors 110, a computer-readable storage medium 130, and a communication bus 150.

The processor 110 may control the operation of the hostile attack device 100. For example, the processor 110 may execute one or more programs 131 stored in the computer-readable storage medium 130. One or more programs 131 may include one or more computer-executable instructions, which, when executed by the processor 110, allow the hostile attack device 100 to verify the safety of the gait recognition system. , It may be configured to perform an operation to perform an adversarial attack on a gait recognition system using reinforcement learning (RL).

The computer-readable storage medium 130 is configured to store computer-executable instructions, program code, program data, and/or other suitable form of information for performing an adversarial attack on a gait recognition system using reinforcement learning (RL). do. The program 131 stored in the computer-readable storage medium 130 includes a set of instructions executable by the processor 110. In one embodiment, computer-readable storage medium 130 includes memory (volatile memory, such as random access memory, non-volatile memory, or an appropriate combination thereof), one or more magnetic disk storage devices, optical disk storage devices, flash It may be memory devices, other types of storage media that can be accessed by the hostile attack device 100 and store desired information, or a suitable combination thereof.

Communication bus 150 interconnects various other components of adversary attack device 100, including processor 110 and computer-readable storage medium 130.

Hostile attack device 100 may also include one or more input/output interfaces 170 and one or more communication interfaces 190 that provide an interface for one or more input/output devices. The input/output interface 170 and communication interface 190 are connected to the communication bus 150. An input/output device (not shown) may be connected to other components of the hostile attack device 100 through the input/output interface 170.

Next, an adversarial attack method using reinforcement learning for a gait recognition system according to a preferred embodiment of the present invention will be described with reference to FIGS. 2 and 3.

Figure 2 is a flowchart for explaining an adversarial attack method using reinforcement learning for a gait recognition system according to a preferred embodiment of the present invention, and Figure 3 is a diagram for explaining the steps of performing an adversarial attack shown in Figure 2.

Referring to FIG. 2, the processor 110 of the hostile attack device 100 may acquire a deep learning (DL)-based gait recognition system that is an analysis target (S110).

Here, the gait recognition system is an intelligent model based on a deep convolutional neural network (DCNN) that recognizes individuals by walking style using a gait representation based on a gait energy image (GEI). It may be (intelligent model). In other words, the gait recognition system can obtain a gait expression based on images captured through a camera and identify the corresponding person based on the obtained gait expression. Of course, the gait recognition system may be a surveillance system based on human gait analysis that goes beyond the operation of recognizing individuals using gait expressions and performs operations that can monitor intruders.

Then, the processor 110 may perform an adversarial attack, called a black box attack, on the gait recognition system using reinforcement learning (RL) (S120).

Here, a black box attack refers to an attack on a gait recognition system without knowing the parameters, gradient, and structure of the underlying model of the gait recognition system that is the target of the attack. says

That is, the processor 110 determines that the GEI with which the agent interacts is the environment, the pixel location in the GEI is the state, and the agent interacts with the GEI. An adversarial attack is carried out against the gait recognition system using reinforcement learning (RL), where all possible movements in the current state are actions and the action quality value determined based on the prediction results provided from the intelligent model is the reward. It can be done.

Here, the action is: the agent moves to the pixel above based on the pixel location according to the current state, the agent moves to the pixel below based on the pixel location according to the current state, and the agent moves to the pixel below based on the pixel location according to the current state. This can include moving to the pixel on the left, and moving to the pixel on the right based on the pixel location according to the agent's current state. At this time, the action allows the agent to move to another pixel in steps of a preset size based on the pixel location according to the current state. For example, if the step size is '1', the action can move the agent to another pixel by 1 step (i.e., 1 pixel) based on the pixel location according to the current state. If the step size is '3', the action can move the agent to another pixel by 3 steps (i.e., 3 pixels) based on the pixel location according to the current state. If the step size is '5', the action allows the agent to move to another pixel by 5 steps (i.e., 5 pixels) based on the pixel location according to the current state.

At this time, the processor 110 may perform a hostile attack on the gait recognition system based on Q-learning. Q-learning is explained in detail below.

In more detail, the processor 110 may generate an adversarial patch of a preset size based on the action performed by the agent. In other words, the processor 110 creates an adversarial patch with n × n size (e.g., 3 × 3, etc.) in which pixel values are randomly generated centering on the pixel position, which is the state of the agent according to the action performed by the agent. You can.

Additionally, the processor 110 may provide an adversarial gait energy image (GEI) to which adversarial patches are added to the intelligent model. That is, the processor 110 may obtain a GEI in which pixels are perturbed by adding the hostile patch to the GEI based on the pixel location of the hostile patch.

Additionally, the processor 110 may determine compensation for the action based on the prediction result of the hostile gait energy image (GEI) provided from the intelligent model. That is, the processor 110 sets a positive action quality value (e.g., +10, etc.) if the prediction result for the hostile gait energy image (GEI) provided from the intelligent model corresponds to a result that lowers the confidence of the intelligent model. It is determined as a reward for the action, and if the prediction result for the hostile Gait Energy Image (GEI) provided by the intelligent model does not correspond to a result that lowers the reliability of the intelligent model, a negative action quality value (e.g., -10, etc.) is applied to the action. It can be decided as compensation for.

Through this adversarial patch generation process, adversarial gait energy image (GEI) provision process, and compensation determination process, the processor 110 can perform an adversarial attack on the gait recognition system.

Then, with reference to FIGS. 4 to 15 , the adversarial attack process using reinforcement learning for a gait recognition system according to a preferred embodiment of the present invention will be described in more detail.

Figure 4 is a diagram illustrating an example of mapping reinforcement learning to a presented problem according to a preferred embodiment of the present invention.

In the present invention, vulnerabilities in the 'gait recognition system' were exploited during black box attacks. Gait refers to an individual way of walking and is considered a unique characteristic of humans. Like a person's fingerprint, signature, face, or voice, gait is another biometric feature that uniquely distinguishes one subject from another. The main advantage of human gait over these biometrics is that gait acquisition does not require subject intervention and can be acquired from long-distance and low-resolution cameras. Therefore, human gait is a viable and evolving technology for security/surveillance systems where human authentication is performed through unique gait properties.

Recently, walking-related video surveillance systems have widely adopted deep learning (DL)-based strategies and achieved excellent performance. These studies observed that intelligent autonomous models based on convolutional neural network (CNN) architecture have effective decision-making capabilities and the highest recognition rates. Therefore, it is essential to determine the functionality of the gait recognition framework design through a deep learning (DL) approach, especially when the attacker does not have access to the system. This decision appropriately highlights key flaws, especially the adversarial robustness of the system against these attacks. The weaknesses of these intelligent walking-based autonomous systems are hidden. In these strategies, one of the most common gait representations for performing gait recognition in security/surveillance systems is the Gait Energy Image (GEI). However, the sensitivity of these algorithms under adversarial attacks needs to be described. In the literature, this sensitivity is studied with silhouette-based representation. However, studies have shown that Gait Energy Image (GEI)-based gait representations are less noisy than silhouette-based representations. As a result, an important research question is how to exploit model vulnerabilities using the most effective gait representation. Second, when a gait recognition system is under close surveillance, attackers often do not have access to the model. As an extension of this work, we propose another variant of the black box using reinforcement learning (RL), another branch of machine learning (ML) in which the agent attempts to perform the best action in the environment to increase the overall reward. In the reinforcement learning (RL)-based black box attack proposed in the present invention, the attacker does not know about the environment, such as information about model gradients, parameters, and structure. Additionally, for every clean image, a reinforcement learning (RL) agent attempts to engage with the environment to calculate and determine the optimal location of the image. Here, pixel disturbance causes the base model to misclassify the clean image. Interacting with the environment is the only way to gather information about the environment. A sample mapping of an adversarial attack using reinforcement learning (RL) is depicted in the figure shown in Figure 4. The black box attack proposed through this invention shows important results in violating the security of the basic system. We formulate the problem in Q-learning, one of the basic algorithms of reinforcement learning (RL), in which the agent attempts to determine the optimal location of randomly generated perturbations to prevent the model from predicting the correct class.

The contributions of the present invention are as follows.

- We propose an efficient black box adversarial attack using reinforcement learning (RL) to verify and investigate the decision-making ability of an autonomous video surveillance system designed using human gait.

- The proposed adversarial attack does not include basic deep learning (DL) model structure and parameters while creating the adversary.

- Adversarial images were generated using more concise gait representations, especially gait energy images (GEI), and the added adversarial noise is less evident in the images.

Reinforcement learning-based adversarial attack proposed in the present invention

Figure 5 is a diagram illustrating an adversarial attack process using reinforcement learning according to a preferred embodiment of the present invention.

This section describes an adversarial attack against the reinforcement learning (RL)-based gait recognition system proposed through the present invention. The core motivation and concept of this algorithm is to perform adversarial attacks on autonomous walking-based video surveillance systems when the attacker does not have access to the model structure. The algorithm uses reinforcement learning (RL) to create adversarial samples by joining the base model. However, before launching an adversarial attack, an accurate gait recognition system must first be secured using deep learning (DL). To this end, we launch a deep learning (DL)-based gait recognition system and perform an adversarial attack on it. The following sections describe the step-by-step procedure. A pictorial representation of the proposed work is depicted in the figure shown in Figure 5.

1. Video-based gait data

There are several ways to collect gait data to perform person identification. The present invention performs gait recognition using video-based gait data. Therefore, in the first step, we collected gait data of various individuals obtained from the Chinese Academy of Sciences (CASIA) database. This database consists of three main parts: CASIA A, B and C. The present invention used the CASIA-B gait database, the largest multi-view gait database, for experimental purposes. This part includes video sequences of various individuals from different camera angles. More precisely, each person has 10 video sequences of three types. Normal walking, carrying a bag while walking, and wearing various coats. The database contains data from 124 subjects, each subject having 10 walking sequences for 11 camera views.

2. Gait data representation

Before training an intelligent deep learning (DL) model, gait data collected from surveillance video captured by a camera is preprocessed into a specific gait expression. Many representations have been proposed by researchers in the existing literature on gait. However, in some studies, silhouette frames of video sequences of different subjects are used directly for human identification.

Each video sequence consists of many frames, and the processing of each frame increases the computational complexity of the algorithm. Therefore, to overcome this problem, the present invention uses gait energy image (GEI), one of the most widely used gait expressions, which can be calculated using [Equation 1].

In [Equation 1], the symbols x and y represent the positions of pixel values, and t represents the frame number, from t=1 to T. The resulting image is called a Gait Energy Image (GEI), expressed as GEI(x,y). Here, x and y represent the pixel positions of the image. Gait Energy Image (GEI) is the average of all video sequence frames for a specific subject. After compiling the gait energy image (GEI) for all subjects, the size of the gait energy image (GEI) is adjusted to a predefined size of 240 × 240 × 1.

3. Intelligent model based on deep convolutional neural network (DCNN)

After going through the preprocessing stage of the gait recognition system, we design a deep convolutional neural network (DCNN) that recognizes individuals by gait style using gait expression based on gait energy image (GEI) to provide an end-to-end autonomous solution. . In the present invention, Bukhari et al. proposed [M. Bukhari, K. B. Bajwa, S. Gillani, M. Maqsood, M. Y. Durrani, I. Mehmood, et al., “An efficient gait recognition method for known and unknown covariate conditions,” IEEE Access, vol. 9, pp. 6465-6477, 2020.] continues to use the same DCNN architecture. This structure has four convolutional layers with a filter size of 3×3, and there is a leaky rectified linear unit activation function after every convolutional layer. Next, to reduce the size of the output feature map generated in the previous layer, a max-pooling layer with a window size of 2×2 was inserted after all convolutional layers. The total number of filters in all convolutional layers is 16, 32, 64, and 124. Then, a flattened layer was added to convert the output of the last max pooling layer to one dimension and pass the output to the dense layer. Finally, two dense layers were added to perform a classification process based on the features extracted from the convolutional layer and the max pooling layer. The number of hidden units in the last dense layer is equal to the number of objects available in the gait database. Additionally, other model hyperparameters include weight initialization and optimization methods, which are Xavier and Adam, respectively. The learning rate was set to 0.001, the batch size was set to 4, and the total number of epochs was set to 30. The loss function is 'categorical cross entropy' since it is a multi-class classification problem.

4. Adversarial attack using reinforcement learning

Figure 6 is a diagram illustrating a hostile attack on a human gait analysis-based monitoring system according to a preferred embodiment of the present invention.

Reinforcement learning (RL) is a field of machine learning (ML) in which problems and solutions are studied by intelligent agents that learn how to behave in specific scenarios to increase rewards while interacting with the environment. Reinforcement learning (RL) problems can be very useful for problems where there is no instructor to guide the agent or learner on what action to take. Therefore, the agent must find direction through trial and error methods.

also. Reinforcement learning (RL) is an approach to identify and implement goal-directed learning and optimal decision making. It is distinct from other computational techniques that emphasize that the agent learns through direct interaction with the environment. Some types of reinforcement learning (RL) algorithms are model-based, and some are model-free. One of the simplest types of reinforcement learning (RL) algorithms is Q-learning, an off-policy algorithm of reinforcement learning (RL) that is learned to determine the optimal action based on the current state. Only policies that increase the value of rewards are learned. A pictorial representation of an adversarial attack is shown in the figure shown in Figure 6.

More specifically, the problem of adversarial attacks can be solved by formulating various reinforcement learning (RL) components or steps (e.g., environment, state-space, action, goal, state transition, etc.). It is expressed in the reinforcement learning (RL) paradigm. The environment of the algorithm proposed through the present invention is the Gait Energy Image (GEI) with which the agent interacts. A state is the pixel location at which the agent acts. Rewards are assigned after the action. The amount of reward awarded to an agent is determined by the agent's performance in reducing the model's confidence in the actual label of the image. As can be seen in the figure shown in Figure 6, a reinforcement learning (RL) agent perturbs a clean Gait Energy Image (GEI) with adversarial patches of random pixels. The resulting adversarial gait energy image (GEI) is passed as a query to a basic surveillance system based on reinforcement learning (DL). The model predicts an incorrect target ID as a result of the query. The step-by-step formula is as follows:

4-1. hostile patch

The proposed adversarial attack on the gait-based automatic surveillance system is performed without access to network structural parameters. The main goal of this attack is to verify the trustworthiness of a deep convolutional neural network (DCNN) model under subject authentication. Consider a basic target model f whose input is a 240×240×1 GEI and whose output is the correct class label t of the GEI. The present invention lets v=(x,y) be an adversarial patch of size n×n with random pixel values between 0 and 255. When this patch is added to the original Gait Energy Image (GEI) at the optimal location determined by a reinforcement learning (RL) agent, the model output will not resemble the correct label, as shown in Equation 2.

In [Equation 2] above, n×n is the size of the hostile patch (e.g., 3×3, etc.). Since the Gait Energy Image (GEI) is also a grayscale image, the pixel value of the patch is randomly generated within the grayscale value range. In the proposed adversarial attack, the main goal of the agent is to find added noise (i.e., adversarial patches) that cause the underlying deep learning (DL) model to misclassify the Gait Energy Image (GEI). The added patch disturbs a few pixels of the overall Gait Energy Image (GEI). Therefore, changes in the image are less noticeable to the naked eye. As a result, noise ends up hidden in the image.

4-2. Q-Learning

In the present invention, we propose a black box adversarial attack using Q-learning. In the current context, the agent or learner is the decision maker, and everything outside the agent or learner is the environment. At any time t step, the agent observes knowledge/information about the environment, called the state, and attempts an action based on this current state. As a result of this action, the agent receives a reward from the environment and performs a transition to another state.

More technically, problems in reinforcement learning (RL) are often expressed as a Markov decision process as a tuple (S,A,R,ρ,γ), where S is the list of all possible states. , A is a set of actions that the agent can perform, and R is the reward. ρ represents the transition probability, and γ represents the discount factor. The main goal of the agent is [Equation 3] ~ As shown in [Equation 5], the optimal policy (policy) (π│a)) that increases the total expected and discounted cumulative reward by performing action a∈A in state s∈S is determined. .

In [Equation 4], the immediate reward obtained at step t is expressed as R(τ). One of the key components of reinforcement learning (RL) is a policy, denoted as π, that generates the probability of an action being performed. These reinforcement learning (RL) algorithms are classified into on-policy and off-policy approaches according to this policy. In Q-Learning, a reinforcement learning (RL) algorithm without an off-policy model, the agent uses the best state-action-value function. Interact with the environment to achieve. This method maintains a Q-table (also called state-action table) that holds the Q-value for each state-action pair. This Q-table is initially initialized with a value of 0, and later this table is updated using a temporal difference method such as [Equation 6].

In [Equation 6], α represents the learning rate and is equal to the discount factor γ[0,1]. State-Action Pair The actual Q-value for While the state-action pair is denoted by The target Q-value for is (i.e., immediate reward with the Q-value of the next state discounted). For every state-action pair, this table is updated adaptively through successive iterations. The ε-greedy method is often used for rapid convergence of Q-tables. Typically in this approach the Q-value is initialized to 0, which indicates that all possible actions for a state are equally likely to be selected. As a result, an exploration-exploitation trade-off is used to converge the Q-table through iterations. The exploration process selects a random action and randomly updates the Q-value of the state-action pair. Exploitation selects the greedy action from the Q table that has the highest reward for a given state. The step-by-step formulation of this algorithm, especially for this problem, is described below.

4-2-1. environmental modeling

To successfully carry out an adversarial attack, the agent attempts to interact with the environment. Therefore, in this problem the environment with which the agent interacts is a two-dimensional (2D) gait energy image (GEI) of a specific object. In general, an image can be considered a 2D grid with the same size as the image dimension. Initially, the agent does not have enough information about the environment (image), and obtains information from the environment by interacting with the environment, such as manipulating the pixel values of the image to perform adversarial attacks.

4-2-2. state space

Figure 7 is a diagram illustrating the interaction between an agent and the environment according to a preferred embodiment of the present invention.

The state space contains the set of possible states (positions) in which the agent can explore and exploit the environment. In the context of the proposed problem, a state is a pixel position in the Gait Energy Image (GEI) of a particular subject. The total number of states is equal to the number of pixel positions in the Gait Energy Image (GEI). The agent can move to arbitrary pixel locations, manipulate them, and create adversarial samples. The state transitions of the agent are shown in the figure shown in Figure 7.

4-2-3. action

Actions include all possible moves that an agent takes in a particular state. For this problem, the agent can perform four possible actions at any pixel location in the Gait Energy Image (GEI): These operations include “up,” “down,” “left,” and “right.”

4-2-4. Agent Goals and Rewards

Figure 8 is a diagram illustrating an algorithm for an adversarial attack using Q-learning according to a preferred embodiment of the present invention.

A reward is a number assigned to an agent when the agent takes an action in the environment. This reward represents the quality of the action taken by the agent. For this problem, we set two compensation values: +10 and -10. When an agent adds an adversarial patch at a specific location, the quality of this action can be calculated by predicting the label of the Gait Energy Image (GEI) after adding patch-based adversarial perturbation. If the added perturbation lowers the probability or confidence of the model for a real Gait Energy Image (GEI) class, the agent is assigned a reward value of +10. Otherwise, the reward is -10. A reward with a value of -10 is also called a penalty for reinforcement learning (RL) agents. More technically, dimensions We consider a basic object model f that takes the gait energy image (GEI) of a specific object with , and classifies the gait energy image (GEI) into the correct label t with confidence probability ρ. However, if the agent moves to a certain state (pixel position) in the Gait Energy Image (GEI) and takes an action to perturb this position with an adversarial patch, this action will use the adversarial patch to create a Gait Energy Image (GEI) with the perturbed position. GEI) can be verified by calculating the probability ρ of a given model. The agent receives a reward according to this probability. Mathematically, this procedure is defined as follows [Equation 7].

In [Equation 7], at each time step t, when the agent takes an action that disturbs the Gait Energy Image (GEI) location, the action quality is the model's reliability for the actual class. It is determined by calculating and comparing it with the reliability ρ after the disturbance is added. If a perturbation (i.e. an adversarial patch) added to the result of an agent's action lowers the model's confidence in the true class, the action performed by the model is good and receives +10 points. However, if the action taken by the reinforcement learning (RL) agent does not lead to a decrease in the probability of the base model for the true class, then the action is not good and the model is penalized (i.e., a negative reward value of -10, as shown in Figure 7). granted. In this way, the agent learns the environment, and when the agent reaches the desired state given in Equation 2, the episode for the agent ends and the algorithm stops. More specifically, the agent's goal is reached when it reaches a position that causes the model/system to misclassify the image when perturbed by an adversarial patch. Achieving the goal state is interactive because agents take actions and are rewarded based on how successfully they reduce the model's confidence in the actual image labels. The step-by-step operating sequence of the adversarial attack algorithm using Q-learning is described in Algorithm 1 shown in Figure 8.

More precisely, as can be seen from Algorithm 1, the input of Algorithm 1 is The basic model to deceive is the Gait Energy Image (GEI) The output of Algorithm 1 is the goal state reached by the agent or the location where the adversarial patch was added. Algorithm 1 is run on all Gait Energy Images (GEI) for a fixed number of episodes and repetitions. More precisely, as given in line 3, we first initialize the hyperparameters including the number of episodes and the number of iterations (steps) per episode with the state and action sizes. Then, a series of episodes are executed for each gait energy image (GEI) (i.e., the gait energy image (GEI) of a different subject calculated using Equation 1). For every given state, the agent takes an action (line 8) that results in a state transition and a reward (lines 9, 10, and 11). The state is just the pixel position of the Gait Energy Image (GEI) where the agent is in row 8, and then a patch of size n × n is added to the pixel position as shown in [Equation 2]. The agent adds a patch, performs transitions between left, right, up, and down states, and then receives a reward calculated by [Equation 7]. Later, the value of the Q-table is updated by calculating the time difference in [Equation 6] where γ is the discount factor and α is the learning rate. This table is adaptively updated by subsequent iterations for each state-action pair. This entire Algorithm 1 is repeated for a set number of episodes.

Experimental results of the present invention

This section describes the results of the adversarial attack proposed through the present invention. However, before examining the results of an adversarial attack, we evaluate the performance of a deep learning (DL)-based gait recognition system while the system is not under attack. As a result, the first subsection describes the results of the gait recognition system in detail, and the second section presents the results of the adversarial attack. More precisely, the decision-making capabilities of the autonomous gait recognition system are discussed in detail. Additionally, evaluation metrics are defined below.

1. Accuracy

Accuracy is a widely used metric to evaluate the performance of classification models. In particular, accuracy measures how many object IDs were correctly predicted among all objects in the training data. Mathematically, it is defined as [Equation 8].

2. Success rate

Success rate indicates how successful a reinforcement learning (RL) agent is in fooling or reducing the accuracy of the underlying model or system. This is the opposite of the actual accuracy of model f. Mathematically, the success rate is calculated as [Equation 9].

3. Results of deep convolutional neural network (DCNN)

Figure 9 is a table showing the results of a gait recognition model according to a preferred embodiment of the present invention.

To evaluate the performance of a deep convolutional neural network (DCNN)-based gait recognition system, data from various subjects in the form of gait representations called gait energy images (GEI) are provided as input to the training model. As shown in the data section, the CASIA-B gait database contains data from 124 subjects, each subject with 10 gait sequences and 3 different gait conditions. These walking conditions include normal walking (nm), walking while carrying a bag (bg), and walking while wearing various coats (cl). In the present invention, each walking condition is dealt with individually. Out of 10 individual walking videos, 6 are general walking videos. The typical walking video of each individual is divided into a gallery set and a probe set. nm-01 to nm-04 are kept in the gallery set, and the remaining nm-05 to nm-06 are kept in the probe set. maintain. In this experimental setup, the model achieves 97.98% accuracy.

Similarly, in the second experiment, videos of regular walking were combined with videos of people carrying different types of bags. In this setting, the target images (nm-01~nm-03) and one bag image sequence (bg-01) are maintained in the gallery set, and the remaining images (nm-04, bg-02) are used in the probe set. The result of the deep convolutional neural network (DCNN) model in this experiment is 97.50% (second row of the table shown in Figure 9). In the third walking condition, subjects walked wearing various types of coats. In this scenario, the normal walking video and coat-based video of each subject (nm-01 to nm-03 with cl-01) are kept in the gallery set, and the nm-04 and cl-02 videos are kept with the probe set. Details of the experimental setup and accuracy results are presented in the table shown in Figure 9. The analysis and results of this experiment show that the model makes intelligent decisions with remarkable accuracy in identifying individuals based on their gait.

4. Results of adversarial attack through Q-learning

Figure 10 is a table showing the results of a gait recognition model under a hostile attack according to a preferred embodiment of the present invention.

The results indicate that the deep learning (DL) assisted walking-based video surveillance system performs quite well in terms of accuracy. However, what happens if an attacker gains access to the surveillance system through an adversarial attack and disrupts the desired performance of the model? The decision-making ability of this model under adversarial attack is described below.

To answer this, we design an adversarial attack in which the attacker does not have access to the underlying model parameters. This attack can be performed through reinforcement learning (RL)-based intelligent agents that aim to perturb the subject's gait energy image (GEI) to cause the model to misclassify the image. Initially, the agent has no information about the Gait Energy Image (GEI) that serves as the environment. An action is taken, and the quality of the action is determined by sending a query Gait Energy Image (GEI) to the model. The agent receives a numerical reward value based on model predictions. This setup shows that an attacker can pass a query image to the target model. Model predictions help create powerful adversarial attacks. In the experimental setup, we first trained the model on subjects' typical gait sequences. Predictions from these trained models are used to perform adversarial attacks. The present invention divided the data into a gallery set and a probe set of general walking videos. Later, the model was trained on the gallery set. Then, for each GEI in the probe set, determine the optimal location of the generated adversarial patch using random values of grayscale pixels, interacting with the GEI and the model's predictions. It uses reinforcement learning (RL) based agents. The optimal location is where the model misclassifies the image due to the added patch. This patch is computed randomly at each iteration for every episode of the agent. The algorithm is run for 10 episodes, each repeated 20 times. In each iteration, the agent takes action using the ε policy. Initially, a random number between 0 and 1 is generated.

If this random number is less than ε, the agent chooses the best action according to the Q-table. Otherwise, a random action is performed from among the four possible actions. The "Up" action moves the agent one pixel up in the Gait Energy Image (GEI). Similarly, the "down" action moves the agent one pixel down in the Gait Energy Image (GEI). Additionally, the "Left" and "Right" actions move the agent one pixel left and right in the Gait Energy Image (GEI). The central pixel of the patch represents the agent's location, and the neighboring pixels are agent boundaries and represent disturbances. The probe data set was divided into three different sets. The first set contained data for the first 25 subjects, and similarly, the second set increased the number of subjects to 50, but the final experiment used data for all 124 subjects. To evaluate the consequences of an adversarial attack, we evaluated the agent on data for the first 25 targets in the probe set.

The results of the adversarial attack under typical walking conditions are presented in row 1 of the table shown in Figure 10 for a probe set consisting of 25 subjects. The gait recognition algorithm, which shows 97.98% accuracy in a typical walking environment, becomes inefficient when attacked by an enemy, and its decision-making ability drops to 32%. Similarly, the performance of adversarial attacks was also evaluated in two different walking conditions (i.e., normal walking while wearing a bag and a coat). The probe set includes both normal and bag-based walking conditions for the normal and bag settings. In this experimental setup, the results of the adversarial attack are depicted in the second row of the table shown in Figure 10 for a probe set with 25 subjects. Then, in the third scenario, the model is trained on normal and court videos of different subjects and the probe set also consists of separate normal and court videos. Under this experimental scenario, the results of the adversarial attack are provided in the third row of the table shown in Figure 10 for a probe set with 25 subjects. Similarly, in the following experiments, we accumulated data for the first 50 objects of the probe set for all three walking conditions. In this setting, model accuracy dropped significantly. In particular, when walking normally, the accuracy drop is lowered from 97.98% to 62%, and the attack success rate reaches up to 35.98%. The success rate is the percentage of images that the model misclassified. Similarly, using the probe set for bags, the model accuracy drops to 61%, while the results for the probe set for coats drop to 30%. In the final experiment, data from all 124 subjects available in the database were used. In this case, the final accuracy values of the model across all walking conditions (i.e. normal, with bag, with coat) are 46.37%, 30.89%, and 58.13%, respectively. The above experiment shows that accuracy drops more significantly when subjects wear different coat types. Additionally, these experiments show that a reinforcement learning (RL) agent moves in one step (i.e., transitions from one state to another, and the agent takes a step (“up”, “down”, “left”, or “right”)). It is executed when moving).

5. Confidence in adversaries

Figure 11 is a diagram showing a density plot of reliability values for each walking energy image of a probe set including all three walking conditions according to a preferred embodiment of the present invention.

The model probability while predicting an adversarial image is also considered a performance measure against adversarial attacks. We calculated model confidence for adversarial gait energy imagery (GEI) using probe sets of all sizes. Additionally, the confidence value of the intelligent model must be determined for each adversarial GEI for which the model displays an incorrect class label, the density plot of which is depicted in the figure shown in Figure 11.

The first graph in the figure shown in Figure 11 displays confidence values for each gait energy image (GEI) across all walking conditions using a probe set of 50 subjects. Additionally, the density is higher or peaks for Gait Energy Imagery (GEI) and the confidence level is around 60%. Similarly, the second graph shows confidence values for the probe set containing the first 50 subjects. Additionally, the Generic Gait Energy Image (GEI) has a confidence value of approximately 60% for this model. Similarly, the third graph shows confidence values for all gait energy images (GEIs) using a probe set containing all 124 subjects. In all walking conditions, the proposed adversarial attack works very efficiently with good confidence scores to reduce the performance of walking-based video surveillance systems.

6. Jump of reinforcement learning (RL) agent

Figure 12 is a table showing the results of a gait recognition model with different step sizes under a hostile attack according to a preferred embodiment of the present invention.

Reinforcement learning (RL)-based intelligent agents that attempt to determine the optimal location in a gait energy image (GEI) are tuned using different settings. From the results presented in the table shown in Figure 10, the adversarial attack performed with a reinforcement learning (RL) agent shows very encouraging results. However, in the above experiment, the agent takes actions to move in an environment modeled in a Gait Energy Image (GEI). More precisely, when an agent takes an action, the result of this action can move the agent from one pixel location to another in steps of just one pixel. Additionally, we verified the performance of adversarial attacks when the reinforcement learning (RL) agent takes larger steps when taking actions. Results for all three walking conditions for this experimental setup were evaluated. In the first scenario, normal walking conditions were used to maintain the gallery set and probe set. A deep convolutional neural network (DCNN) model was trained on a gallery set containing typical walking videos of individuals.

Later, during testing, probe sets containing gait energy images (GEIs) of different subjects were perturbed with random pixels at specific locations specified by a reinforcement learning (RL) agent. Row 1 of the table shown in Figure 12 lists the results of an adversarial attack using a regular walking probe set containing the first 25 subjects. In this case, while the agent is interacting with the environment, the agent takes actions that result in state transitions. In this scenario, a reinforcement learning (RL) agent can perform transitions in three moving steps: For any position (x,y), if the action is "up", the reinforcement learning (RL) agent moves up 3 steps to (x-3,y). In this case, the accuracy reduction for typical walking is 56%, as listed in row 1 of the table shown in Figure 12 for a probe set containing 25 subjects. Additionally, the same experiment was conducted where subjects created enemies by a reinforcement learning (RL) agent walking while carrying bags of different shapes and types. In this case, the accuracy drop is 64% and the attack success rate is 31.5%. Likewise, in the case of the court, the attack success rate is 73.5%. In the next step, data from the first 50 subjects was used to generate the corresponding enemies.

Results for all walking conditions regarding attack success rate and model accuracy after adversarial attack are provided in the table shown in Figure 12 for a probe set of 50 subjects. The attack success rates of the normal walking set and the bag and coat wearing set were 59.98%, 43.5%, and 51%, respectively, proving the effectiveness of the proposed attack. However, the experiment was repeated for all subjects. In addition, we further increased the agent's step size (i.e., 5) and evaluated all three waling conditions. If we set the agent step size to 5, the new position (state) of the agent with the "up" action at (x,y) is (x-5,y). For the probe set consisting of only the first 25 subjects, the attack success rates in the normal, coat, and bag conditions were 45.98%, 63.5%, and 51.5%. Similarly, for the probe set containing only data for the first 50 subjects, the attack success rates are 36.98%, 44.5%, and 51.5% for the normal, coat, and bag conditions, respectively. Additionally, the third experiment was conducted on all 124 subjects in the database. Additionally, when the step of the jump is set to 5, the drop in accuracy values for normal walking, court condition, and bag condition is 65.32%, 19.91%, and 47.96%, respectively.

7. Adversary visualizations

Figure 13 is a diagram showing an example of a clean walking energy image and a hostile walking energy image according to a preferred embodiment of the present invention, and Figure 14 is a drawing showing the attack success rate for all walking conditions according to a preferred embodiment of the present invention. 15 is a table showing the results of numerous training episodes for one individual according to a preferred embodiment of the present invention.

The proposed attack generates an adversary in the form of a GEI by disturbing the actual GEI with randomly generated adversarial patches. The size of the Gait Energy Image (GEI) is 240×240×1 and is a 2D array (240×240). When a clean GEI is perturbed with a 3×3 adversarial patch of locations provided by a reinforcement learning (RL) agent, the resulting GEI is called an adversarial or adversarial GEI. Sample examples of adversarial Gait Energy Images (GEI) and clean Gait Energy Images (GEI) are shown in the figure shown in Figure 13. The left image is the subject's clean Gait Energy Image (GEI), and the right image is the hostile Gait Energy Image (GEI). The perturbation of the hostile image is emphasized by the red square. Clean Gait Energy Image (GEI) and Adversarial Gait Energy Image (GEI) look very similar (i.e. no added perturbations are noticeable). In an image of 240×240=57,600 pixels, if the size of the adversarial patch is 3×3, only 9 pixels are perturbed. Therefore, it is difficult to observe with the naked eye only a perturbation of 9 pixels.

Therefore, the added noise is hidden in the Gait Energy Image (GEI). This argument demonstrates another feasible value of the proposed adversarial attack, demonstrating effective results while remaining unobtrusive. Additionally, the average success rate of all experiments for all walking conditions is graphically displayed in the figure shown in Figure 14. The agent's performance was accessed by running numerous episodes.

For each episode, the agent performed 100 iterations. In the experiment, the agent also learned with 10 episodes, and for each episode, the agent performed 20 iterations. Additionally, in this experiment, gait energy images (GEI) of individual #01 were taken from all three walking conditions of the corresponding probe set. For each gait energy image (GEI), the agent was trained using 1000 episodes, and for each episode, the agent performed 100 iterations. The results of this experimental setup are listed in the table shown in Fig. 15, which shows that when the reinforcement learning (RL) agent enters test mode after 1000 training episodes, the most feasible actions are determined based on the Q-table built during the training time. It shows that it performs.

8. Conclusion

The proposed adversarial attack shows encouraging results in exploiting vulnerabilities in a deep convolutional neural network (DCNN)-based autonomous gait recognition system. The present invention has proven that a deep convolutional neural network (DCNN)-based autonomous monitoring system through human gait analysis has accurate results. However, adding minimal disturbance to the input Gait Energy Image (GEI) produces very poor results. Additionally, if the surveillance system is maintained with strict security protocols, it is not easy to spoof it. An attacker cannot access the underlying model or gradient information, parameters, and structure. In this scenario, a black box adversarial attack was proposed to exploit the vulnerabilities and robustness of deep convolutional neural network (DCNN)-based surveillance systems. In the present invention, an attacker can access the system to provide a query image and obtain the required results. No other information about model structure and parameters is required. The system's result information resulting from query image delivery informs the agent of the next action to be taken. The attack is performed using a reinforcement learning (RL)-based intelligent agent that engages with the environment and learns how to determine the optimal location from the Gait Energy Image (GEI). The main goal of this agent is to interact with the environment by performing different actions and moving to find locations where added adversarial patches transform clean images into adversaries.

In summary, gait identification based on deep learning (DL) technology has recently emerged as a biometric technology for surveillance. The present invention uses a patch-based black box adversarial attack using reinforcement learning (RL) to exploit the vulnerability and decision-making ability of deep learning models in a gait-based autonomous surveillance system when the attacker cannot access the gradient, structure, etc. of the base model. I used it. These automated surveillance systems are secured to block attackers' access. Therefore, the attack can be performed in a reinforcement learning (RL) framework where the agent's goal is to determine the optimal image location, causing the model to perform poorly when perturbed by random pixels. Additionally, the adversarial attack proposed through the present invention shows encouraging results (maximum success rate = 77.59%). Researchers should explore system restoration scenarios (e.g., when an attacker does not have system access, etc.) before using these models in surveillance applications.

Operations according to the present embodiments may be implemented in the form of program instructions that can be performed through various computer means and recorded on a computer-readable storage medium. A computer-readable storage medium refers to any medium that participates in providing instructions to a processor for execution. A computer-readable storage medium may include program instructions, data files, data structures, or combinations thereof. For example, there may be magnetic media, optical recording media, memory, etc. A computer program may be distributed over networked computer systems so that computer-readable code can be stored and executed in a distributed manner. Functional programs, codes, and code segments for implementing this embodiment can be easily deduced by programmers in the technical field to which this embodiment belongs.

These embodiments are intended to explain the technical idea of the present embodiment, and the scope of the technical idea of the present embodiment is not limited by these examples. The scope of protection of this embodiment should be interpreted in accordance with the claims below, and all technical ideas within the equivalent scope should be interpreted as being included in the scope of rights of this embodiment.

100: Hostile attack device,
110: processor,
130: computer-readable storage medium,
131: program,
150: communication bus,
170: input/output interface,
190: communication interface

Claims (17)

Obtaining a deep learning-based gait recognition system that is the subject of analysis; and
The gait energy image (GEI) with which the agent interacts is the environment, the pixel location in the gait energy image (GEI) is the state, and the agent is currently All possible movements in the state are actions, and the action quality value determined based on the prediction result provided from the gait recognition system is a reward. A black box attack is performed using reinforcement learning (RL). performing an adversarial attack on the gait recognition system;
Includes,
The action is: the agent moves to the upper pixel based on the pixel position according to the current state, the agent moves to the lower pixel based on the pixel position according to the current state, and the agent moves to the pixel according to the current state. moving to the pixel to the left based on the position, and moving to the pixel to the right based on the pixel position according to the agent's current state,
The adversarial attack performance step consists of performing the adversarial attack on the gait recognition system based on Q-learning,
In the Q-learning, the Gait Energy Image (GEI) and Q-learning algorithm parameters are input, the target state reached by the agent is the output, and hyperparameters including the number of episodes and the number of repetitions per episode are used as state and action parameters. After initializing to size, for each GEI, based on the number of repetitions per episode and the number of episodes, the agent bases the pixel position in the GEI according to the current state. In the process of performing the action, an adversarial patch of a preset size is generated based on the action performed by the agent, and an adversarial gait energy image (GEI) to which the adversarial patch is added is sent to the gait recognition system. a process of performing a state transition, a process of determining the reward for the action based on a prediction result for the hostile gait energy image (GEI) provided from the gait recognition system, and each state-action pair (state- An algorithm that repeatedly performs the process of updating a Q-table that holds Q-values for action pairs,
An adversarial attack method using reinforcement learning for a gait recognition system. In paragraph 1:
The gait recognition system is,
An intelligent model based on a deep convolutional neural network (DCNN) that recognizes individuals by walking style using the gait representation based on the gait energy image (GEI),
An adversarial attack method using reinforcement learning for a gait recognition system. delete delete In paragraph 2,
The action is,
The agent moves to another pixel in steps of a preset size based on the pixel position according to the current state,
An adversarial attack method using reinforcement learning for a gait recognition system. delete delete In paragraph 5,
The hostile attack execution step is,
Generating the hostile patch with n×n size in which pixel values are randomly generated centering on the pixel location, which is the state of the agent according to the action performed by the agent, and walking based on the pixel location of the hostile patch. Consisting of adding the adversarial patch to the energy image (GEI) to obtain the adversarial gait energy image (GEI) in which pixels are perturbed.
An adversarial attack method using reinforcement learning for a gait recognition system. In paragraph 8:
The hostile attack execution step is,
If the prediction result for the hostile gait energy image (GEI) provided from the intelligent model corresponds to a result that lowers the confidence of the intelligent model, determining the positive action quality value as the compensation for the action, If the prediction result for the hostile gait energy image (GEI) provided from the intelligent model does not correspond to a result that lowers the reliability of the intelligent model, determining the negative action quality value as the compensation for the action,
An adversarial attack method using reinforcement learning for a gait recognition system. Stored in a computer-readable storage medium to execute an adversarial attack method using reinforcement learning on a gait recognition system according to any one of paragraphs 1, 2, 5, 8, and 9 on a computer. computer program. A memory that stores one or more programs for performing an adversarial attack using reinforcement learning (RL) for a deep learning-based gait recognition system; and
One or more processors that perform an operation to perform the adversarial attack on the gait recognition system using the reinforcement learning according to the one or more programs stored in the memory;
Includes,
The processor,
Acquire the gait recognition system that is the subject of analysis,
The gait energy image (GEI) with which the agent interacts is the environment, the pixel location in the gait energy image (GEI) is the state, and the agent is currently All possible movements in the state are actions, and the action quality value determined based on the prediction result provided from the gait recognition system is the reward. A black box attack using the reinforcement learning (RL). Performing the adversarial attack on the gait recognition system,
The action is: the agent moves to the upper pixel based on the pixel position according to the current state, the agent moves to the lower pixel based on the pixel position according to the current state, and the agent moves to the pixel according to the current state. moving to the pixel to the left based on the position, and moving to the pixel to the right based on the pixel position according to the agent's current state,
The processor performs the adversarial attack on the gait recognition system based on Q-learning,
In the Q-learning, the Gait Energy Image (GEI) and Q-learning algorithm parameters are input, the target state reached by the agent is the output, and hyperparameters including the number of episodes and the number of repetitions per episode are used as state and action parameters. After initializing to size, for each GEI, based on the number of repetitions per episode and the number of episodes, the agent bases the pixel position in the GEI according to the current state. In the process of performing the action, an adversarial patch of a preset size is generated based on the action performed by the agent, and an adversarial gait energy image (GEI) to which the adversarial patch is added is sent to the gait recognition system. a process of performing a state transition, a process of determining the reward for the action based on a prediction result for the hostile gait energy image (GEI) provided from the gait recognition system, and each state-action pair (state- An algorithm that repeatedly performs the process of updating a Q-table that holds Q-values for action pairs,
An adversarial attack device using reinforcement learning for a gait recognition system. In paragraph 11:
The gait recognition system is,
An intelligent model based on a deep convolutional neural network (DCNN) that recognizes individuals by walking style using the gait representation based on the gait energy image (GEI),
An adversarial attack device using reinforcement learning for a gait recognition system. delete delete delete In paragraph 12:
The processor,
Generating the hostile patch with n×n size in which pixel values are randomly generated centering on the pixel location, which is the state of the agent according to the action performed by the agent, and walking based on the pixel location of the hostile patch. Obtaining the adversarial gait energy image (GEI) in which pixels are perturbed by adding the adversarial patch to the energy image (GEI),
An adversarial attack device using reinforcement learning for a gait recognition system. In paragraph 16:
The processor,
If the prediction result for the hostile gait energy image (GEI) provided from the intelligent model corresponds to a result that lowers the confidence of the intelligent model, determining the positive action quality value as the compensation for the action, If the prediction result for the hostile gait energy image (GEI) provided from the intelligent model does not correspond to a result that lowers the reliability of the intelligent model, determining the negative action quality value as the reward for the action,
An adversarial attack device using reinforcement learning for a gait recognition system.

Images