TWI750651B - Method, device and electronic equipment for protecting privacy information based on adversarial samples - Google Patents

Publication number
TWI750651B
Authority
TW
Taiwan
Prior art keywords
adversarial
image
original image
sample image
adversarial sample
Application number
TW109115225A
Other languages
Chinese (zh)
Other versions
TW202121214A (en)
Inventor
宗志遠
Original Assignee
大陸商支付寶(杭州)信息技術有限公司
Application filed by 大陸商支付寶(杭州)信息技術有限公司
Publication of TW202121214A
Application granted
Publication of TWI750651B

Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 - Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 - Protecting data
    • G06F21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 - Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 - Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263 - Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies

Abstract

The embodiments of this specification disclose a method, device and electronic device for protecting privacy information based on adversarial samples. After acquiring an original image containing private information represented by characters, the method may process the original image to generate an adversarial sample image that counters a character recognition algorithm, and then propagate the adversarial sample image in place of the original image.

Description

Privacy information protection method, device and electronic device based on adversarial samples

This application relates to the field of computer technology, and in particular to a method, device and electronic device for protecting privacy information based on adversarial samples.

With the advancement of science and technology, people can obtain a variety of services through terminal devices such as mobile phones without leaving home. For example, a user can purchase wealth-management products by uploading an image of a credit qualification certificate in a financial app, or send an image of an identity document to others through a social app, and so on. However, whether it is an image of a credit qualification certificate or an image of an identity document, it may contain the user's private information. Casually propagating images that contain the user's private information carries the risk that the private information is recognized by a machine and thereby leaked.

The embodiments of this specification provide a method, device and electronic device for protecting privacy information based on adversarial samples, so as to reduce the risk of privacy leakage during image propagation.

To solve the above technical problem, the embodiments of this specification are implemented as follows:

In a first aspect, a privacy information protection method based on adversarial samples is proposed, including: acquiring an original image to be propagated, the original image containing private information represented by characters; processing the original image to generate an adversarial sample image that counters a character recognition algorithm; and using the adversarial sample image in place of the original image for propagation.

In a second aspect, a privacy information protection method based on adversarial samples is proposed, including: before a target page is displayed, monitoring the screen state of a user terminal, where the target page contains private information represented by characters; when the screen of the user terminal is in a designated state, acquiring an original image of the target page, where the designated state includes at least one of a screen capture state and a screen recording state; processing the original image to generate an adversarial sample image that counters a character recognition algorithm; and completing the display of the target page by displaying the adversarial sample image.

In a third aspect, a privacy information protection device based on adversarial samples is proposed, including: a first image acquisition module, configured to acquire an original image to be propagated, the original image containing private information represented by characters; a first image generation module, configured to process the original image to generate an adversarial sample image that counters a character recognition algorithm; and an image propagation module, configured to use the adversarial sample image in place of the original image for propagation.

In a fourth aspect, a privacy information protection device based on adversarial samples is proposed, including: a screen state monitoring module, configured to monitor the screen state of a user terminal before a target page is displayed, where the target page contains private information represented by characters; a second image acquisition module, configured to acquire an original image of the target page when the screen of the user terminal is in a designated state, where the designated state includes at least one of a screen capture state and a screen recording state; a second image generation module, configured to process the original image to generate an adversarial sample image that counters a character recognition algorithm; and an image display module, configured to complete the display of the target page by displaying the adversarial sample image.

In a fifth aspect, an electronic device is proposed, including: a processor; and a memory arranged to store computer-executable instructions which, when executed, cause the processor to perform the following operations: acquiring an original image to be propagated, the original image containing private information represented by characters; processing the original image to generate an adversarial sample image that counters a character recognition algorithm; and using the adversarial sample image in place of the original image for propagation.

In a sixth aspect, a computer-readable storage medium is proposed. The computer-readable storage medium stores one or more programs which, when executed by an electronic device that includes multiple applications, cause the electronic device to perform the following operations: acquiring an original image to be propagated, the original image containing private information represented by characters; processing the original image to generate an adversarial sample image that counters a character recognition algorithm; and using the adversarial sample image in place of the original image for propagation.

In a seventh aspect, an electronic device is proposed, including: a processor; and a memory arranged to store computer-executable instructions which, when executed, cause the processor to perform the following operations: before a target page is displayed, monitoring the screen state of a user terminal, where the target page contains private information represented by characters; when the screen of the user terminal is in a designated state, acquiring an original image of the target page, where the designated state includes at least one of a screen capture state and a screen recording state; processing the original image to generate an adversarial sample image that counters a character recognition algorithm; and completing the display of the target page by displaying the adversarial sample image.

In an eighth aspect, a computer-readable storage medium is proposed. The computer-readable storage medium stores one or more programs which, when executed by an electronic device that includes multiple applications, cause the electronic device to perform the following operations: before a target page is displayed, monitoring the screen state of a user terminal, where the target page contains private information represented by characters; when the screen of the user terminal is in a designated state, acquiring an original image of the target page, where the designated state includes at least one of a screen capture state and a screen recording state; processing the original image to generate an adversarial sample image that counters a character recognition algorithm; and completing the display of the target page by displaying the adversarial sample image.

It can be seen from the technical solutions provided by the above embodiments of this specification that they have at least the following technical effect: because the original image is processed to generate an adversarial sample image that counters a character recognition algorithm, and the adversarial sample image is then propagated in place of the original image, the possibility that the private information represented by characters in the original image is recognized by a machine is reduced, which in turn reduces the risk that the private information is leaked.

本說明書中的各個實施例均採用遞進的方式描述,各個實施例之間相同相似的部分互相參見即可,每個實施例重點說明的都是與其他實施例的不同之處。尤其,對於裝置實施例而言,由於其基本相似於方法實施例,所以描述的比較簡單,相關之處參見方法實施例的部分說明即可。 總之,以上所述僅為本說明書的較佳實施例而已,並非用於限定本說明書的保護範圍。凡在本說明書一個或多個實施例的精神和原則之內,所作的任何修改、等同替換、改進等,均應包含在本說明書一個或多個實施例的保護範圍之內。 上述實施例闡明的系統、裝置、模組或單元,具體可以由電腦晶片或實體實現,或者由具有某種功能的產品來實現。一種典型的實現設備為電腦。具體的,電腦例如可以為個人電腦、膝上型電腦、行動電話、相機電話、智慧型電話、個人數位助理、媒體播放機、導航設備、電子郵件設備、遊戲控制台、平板電腦、可穿戴設備或者這些設備中的任何設備的組合。 電腦可讀媒體包括永久性和非永久性、可移動和非可移動媒體可以由任何方法或技術來實現資訊儲存。資訊可以是電腦可讀指令、資料結構、程式的模組或其他資料。電腦的儲存媒體的例子包括,但不限於相變記憶體(PRAM)、靜態隨機存取記憶體(SRAM)、動態隨機存取記憶體(DRAM)、其他類型的隨機存取記憶體(RAM)、唯讀記憶體(ROM)、電可擦除可程式設計唯讀記憶體(EEPROM)、快閃記憶體或其他記憶體技術、唯讀光碟唯讀記憶體(CD-ROM)、數位多功能光碟(DVD)或其他光學儲存、磁盒式磁帶,磁帶磁磁片儲存或其他磁性存放裝置或任何其他非傳輸媒體,可用於儲存可以被計算設備訪問的資訊。按照本文中的界定,電腦可讀媒體不包括暫存電腦可讀媒體(transitory media),如調製的資料信號和載波。 還需要說明的是,術語“包括”、“包含”或者其任何其他變體意在涵蓋非排他性的包含,從而使得包括一系列要素的過程、方法、商品或者設備不僅包括那些要素,而且還包括沒有明確列出的其他要素,或者是還包括為這種過程、方法、商品或者設備所固有的要素。在沒有更多限制時,由語句“包括一個……”限定的要素,並不排除在包括所述要素的過程、方法、商品或者設備中還存在另外的相同要素。 本說明書中的各個實施例均採用遞進的方式描述,各個實施例之間相同相似的部分互相參見即可,每個實施例重點說明的都是與其他實施例的不同之處。尤其,對於系統實施例而言,由於其基本相似於方法實施例,所以描述的比較簡單,相關之處參見方法實施例的部分說明即可。For the purposes of this application, The technical solutions and advantages are clearer, The technical solutions of the present application will be clarified below with reference to the specific embodiments of the present application and the corresponding drawings. fully described. Obviously, The described embodiments are only a part of the embodiments of the present application, not all examples. Based on the examples in this application, All other embodiments obtained by those of ordinary skill in the art without creative efforts, All belong to the scope of protection of this application. In order to reduce the risk of privacy leakage in the process of image dissemination, The embodiments of this specification provide a method and device for protecting privacy information based on adversarial samples. 
The adversarial sample-based privacy information protection method and device provided in the embodiments of this specification can be executed by electronic equipment, For example, terminal equipment or server equipment. In other words, The method can be executed by software or hardware installed in the terminal device or the server device. The server includes but is not limited to: single server, server cluster, Cloud server or cloud server cluster, etc. The terminal equipment includes but is not limited to: smartphone, personal computer (personal computer, PC), laptop, tablet, e-readers, Internet TV, Any of smart terminal devices such as wearable devices. A possible application scenario of the technical solutions provided by the embodiments of the present specification will be described below with reference to FIG. 1 . As shown in Figure 1, A system architecture provided by the embodiments of this specification includes: User terminal 11 and cloud server 13 . in, The user terminal 11 can be connected to the cloud server 13 through the network 12, for data communication or interaction. The original image to be distributed may be stored in the cloud server 13 . In this application scenario, The user terminal 11 can be used as the execution body of the method and device for protecting privacy information based on adversarial samples provided in the embodiments of this specification. More specifically, An application program (Application, APP), The APP can be used as the executive body of the method and device for protecting privacy information based on adversarial samples provided in the embodiments of this specification, And the user terminal 11 can obtain the original image to be broadcast from the cloud server 13 . In the application scenario shown in Figure 1, The user terminal 11 is a smartphone. The following describes a privacy protection method based on adversarial samples provided by the embodiments of this specification. FIG. 
2 is a schematic flowchart of a method for protecting privacy information based on adversarial samples provided by an embodiment of this specification, The method can be used in the user terminal as shown in Figure 1, as shown in picture 2, The method can include: Step 202, Get the original image to be propagated, The original image contains private information represented by characters. The original image to be disseminated can be any image disseminated intentionally or unintentionally by the user, and contains private information expressed in characters. in, Private information expressed in characters can be text or digits. For example, The image to be disseminated may be the user's credential image, It contains private information such as the ID number represented in digits. in addition, The image to be propagated can be an image stored locally in the user terminal, It can also be an image captured by the user terminal in real time, or an image downloaded from a cloud server, Or through screen recording or screen capture of images obtained from the user terminal, etc. Step 204, processing the original image, Generate adversarial example images for adversarial character recognition algorithms. in, The character recognition algorithm may include at least one of the related art and future character recognition algorithms. As an example, The character recognition algorithm can be Optical Character Recognition (Optical Character Recognition, OCR). OCR refers to the electronic equipment through the detection of dark, Bright mode determines the shape of the characters in it, The process of translating shapes into characters using character recognition methods. specific, OCR can include support vector machines (Support Vector Machine, SVM), Convolutional neural network (convolutional neural network, CNN) and Faster region convolutional neural network (Faster region convolutional neural network, Faster R-CNN) and other algorithms. 
In concrete implementation, Step 204 may include: Determine a character recognition algorithm to be challenged; For the one character recognition algorithm, generating an adversarial sample image of the original image based on a preset adversarial sample generation algorithm, Get an adversarial example image. or, Step 204 may include: Identify multiple character recognition algorithms to be challenged; For the plurality of character recognition algorithms, generating an adversarial sample image of the original image based on a preset adversarial sample generation algorithm, respectively, Get multiple adversarial images. According to whether the detailed information of the character recognition algorithm (such as model combination and model parameters, etc.) can be obtained, The preset adversarial example generation algorithms can be divided into two types: white box and black box. in, The white-box adversarial example generation algorithm can obtain the detailed information of the character recognition algorithm, For example, the Fast Gradient Sign Method (Fast Gradient Sign Method, FGSM), C&W (Carlini & Wagner) Adversarial sample generation algorithm, etc. The black-box adversarial sample generation algorithm cannot obtain the detailed information of the character recognition algorithm. For example boundary attack, One pixel, Generative Adversarial Networks (GAN, Generative Adversarial Networks) and other adversarial example generation algorithms. After determining the preset adversarial sample generation algorithm, The preset adversarial sample generation algorithm can be used, for the at least one character recognition algorithm, Generate adversarial sample images of the original image, respectively, Get multiple adversarial images. Step 206, The adversarial image is used for propagation in place of the original image. 
When one adversarial sample image is generated for the original image in step 204, step 206 may directly propagate that adversarial sample image in place of the original image.

When multiple adversarial sample images are generated for the original image in step 204, step 206 may include: selecting a target adversarial sample image from the multiple adversarial sample images; and propagating the target adversarial sample image in place of the original image.

As an example, selecting a target adversarial sample image from the multiple adversarial sample images can include: randomly selecting a target adversarial sample image from the multiple adversarial sample images.

As another example, selecting a target adversarial sample image from the multiple adversarial sample images can include: separately evaluating the adversarial effect of the multiple adversarial sample images on the multiple character recognition algorithms; and determining, as the target adversarial sample image, the adversarial sample image whose adversarial effect on the multiple character recognition algorithms satisfies a second preset condition.

Specifically, the multiple character recognition algorithms can first be used to perform character recognition on each of the multiple adversarial sample images, to obtain the recognition results of each adversarial sample image; then the adversarial effect of each adversarial sample image is scored according to its recognition results; finally, the adversarial sample image with the highest score (the second preset condition) among the multiple adversarial sample images is used as the target adversarial sample image. Of course, the second preset condition may also be another condition.
For example, if step 204 processes the original image and generates N adversarial sample images countering N character recognition algorithms, these N character recognition algorithms can each be used to recognize the N adversarial sample images, so that every adversarial sample image obtains N recognition results; then, for each adversarial sample image, N scores are obtained according to the N recognition results; finally, the N scores of each adversarial sample image are summed, or summed with weights (different character recognition algorithms correspond to different weights), and the adversarial sample image with the highest summation result is determined as the target adversarial sample image.

There are many ways to score an adversarial sample image based on the recognition results. One optional way is, if the original image contains multiple characters, to use as the score for the adversarial sample image the percentage of the total number of characters in the original image that can be correctly identified by the character recognition algorithm.

It can be understood that an adversarial sample adds to the original sample subtle changes that are difficult for humans to perceive through the senses, yet that can make a machine learning model accept the sample and make a wrong classification decision. Therefore, in the embodiments of this specification, generating an adversarial sample image for countering a character recognition algorithm and propagating the adversarial sample image in place of the original image can prevent the private information represented by characters in the image from being recognized by the character recognition algorithm, thereby reducing the risk that the private information contained in the original image is leaked.

FIG.
3 shows another schematic flowchart of a method for protecting privacy information based on adversarial samples provided by another embodiment of this specification. As shown in FIG. 3, before step 206, the method may also include:

Step 208: evaluate the quality of the adversarial sample image and determine whether the quality of the adversarial sample image satisfies a first preset condition; if it does, then perform step 206; otherwise, return to step 204.

That is, when the quality of the adversarial sample image satisfies the first preset condition, step 206 is then performed; when the quality of the adversarial sample image does not satisfy the first preset condition, the method returns to step 204.

As an example, evaluating the quality of the adversarial sample image in step 208 can include: determining the pixel differences between the adversarial sample image and the original image; and, when the sum of squares of the pixel differences between the adversarial sample image and the original image is less than or equal to a preset threshold, determining that the quality of the adversarial sample image satisfies the first preset condition. The pixel difference may be the difference of a characteristic value of the pixel, such as its grayscale.

When determining the pixel differences between the adversarial sample image and the original image, the difference can be taken over all the pixels in the two images. Alternatively, to improve computational efficiency, the difference can be taken over only some of the pixels according to a certain rule, for example taking the difference for one or more pixels every few pixels. The embodiments of this specification do not limit this.
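The quality check of step 208, including the sub-sampled comparison, as an added example that is not part of the patent text. The function names, the bounded retry count, the scaling of the threshold to the share of pixels sampled, and the checkerboard stand-in used in place of a real step 204 generator are all assumptions of this example.

```python
"""Added illustration of the step 208 quality check (not code from the patent)."""


def squared_pixel_difference(original, candidate, stride=1):
    """Return (sum of squared grayscale differences, number of pixels compared).

    stride=1 compares every pixel; stride=k compares every k-th pixel in both
    directions, the cheaper sub-sampled variant.
    """
    if stride < 1:
        raise ValueError("stride must be >= 1")
    if len(original) != len(candidate) or any(
        len(a) != len(b) for a, b in zip(original, candidate)
    ):
        raise ValueError("images must have identical dimensions")
    total = 0
    sampled = 0
    for y in range(0, len(original), stride):
        for x in range(0, len(original[y]), stride):
            diff = candidate[y][x] - original[y][x]
            total += diff * diff
            sampled += 1
    return total, sampled


def passes_quality_gate(original, candidate, threshold, stride=1):
    """First preset condition: sum of squared differences <= threshold.

    Assumption of this example: `threshold` is specified for the full image
    and is scaled to the share of pixels sampled, so that sub-sampling does
    not silently loosen the gate.
    """
    total, sampled = squared_pixel_difference(original, candidate, stride)
    pixel_count = sum(len(row) for row in original)
    return total <= threshold * sampled / pixel_count


def first_acceptable(original, generate, threshold, max_attempts, stride=1):
    """Loop step 204 -> step 208 until a candidate passes or attempts run out.

    Returns (attempt_number, candidate), or None so the caller can refuse to
    propagate instead of falling back to an unchecked image.
    """
    for attempt in range(1, max_attempts + 1):
        candidate = generate(original, attempt)
        if passes_quality_gate(original, candidate, threshold, stride):
            return attempt, candidate
    return None


def checkerboard_candidate(original, attempt, start_delta=8):
    """Constructed stand-in for step 204, NOT an adversarial sample generator:
    a +/- checkerboard whose amplitude shrinks on every retry."""
    delta = start_delta // attempt
    return [
        [min(255, max(0, p + (delta if (x + y) % 2 == 0 else -delta)))
         for x, p in enumerate(row)]
        for y, row in enumerate(original)
    ]


# Constructed 8x8 grayscale image (flat mid-grey) and a copy with one pixel changed.
ORIGINAL = [[128] * 8 for _ in range(8)]
ONE_PIXEL = [row[:] for row in ORIGINAL]
ONE_PIXEL[1][1] += 40

if __name__ == "__main__":
    print("full comparison:", squared_pixel_difference(ORIGINAL, ONE_PIXEL))
    print("stride 2       :", squared_pixel_difference(ORIGINAL, ONE_PIXEL, stride=2))
    print("accepted on attempt:",
          first_acceptable(ORIGINAL, checkerboard_candidate, 600, 5)[0])
```

The single changed pixel fails the full comparison but passes with a stride of 2, because the sub-sampled check never looks at it; a visible local artifact can therefore slip through the cheaper variant.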
In addition, besides the sum of squares of the pixel differences being less than or equal to the preset threshold, the first preset condition may also be another condition, such as the sum of the pixel differences being less than or equal to a preset threshold. The embodiments of this specification do not limit this either.

In the method for protecting privacy information based on adversarial samples provided by the embodiment shown in FIG. 3, the adversarial sample image is propagated in place of the original image only once its quality satisfies the first preset condition. Therefore, in addition to preventing the private information represented by characters in the image from being recognized by the character recognition algorithm, and thereby reducing the risk that the private information contained in the original image is leaked, the method can also well guarantee that the adversarial sample image is visually unchanged to the user relative to the original image, thereby ensuring that normal use of the image is not affected.

Nowadays, people can obtain a variety of services through terminal devices such as mobile phones without leaving home. For example, users can purchase wealth management products through wealth management applications installed on their mobile phones. However, some services require users to have certain credit qualifications and require the user to upload proof of those credit qualifications. In some cases, the proof of credit qualification can be the credit points or credit limit accumulated after the user obtains services through other APPs and pays the corresponding rights and interests. In this case, some APPs guide users to open other APPs, enter the corresponding page of the other APP to take a screen capture or screen recording, and then upload the screen capture or screen recording result to the servers of those APPs, so that the server can identify the user's credit score or credit limit.
However, the credit points or credit limit accumulated by the user in other APPs belong to the user's privacy, and the screen capture or screen recording result may also include other private information of the user. Arbitrarily taking screenshots or screen recordings in this way to obtain the user's private information in other APPs carries a risk that the user's private information is leaked.

The following describes a method for protecting privacy information based on adversarial samples provided by the embodiments of this specification, in combination with this more specific application scenario (the scenario of protecting the privacy information in a page of the user's APP, such as a third-party payment APP).

As shown in FIG. 4, an embodiment of this specification provides a method for protecting privacy information based on adversarial samples, which can be applied to the client of the APP to be protected (such as a third-party payment APP). The method can include:

Step 402: before the target page is displayed, monitor the screen state of the user terminal, where the target page contains private information represented by characters.

The target page may be a page, containing private information, of an APP installed on the user terminal.

Taking smartphones as an example, the operating system itself opens some interfaces (such as APIs) for controlling the screen state. Therefore, the state of the screen can be monitored by monitoring the invocation of these interfaces. Specifically, whether the screen is in the screen recording state can be determined by monitoring whether the interface that enables the screen recording function is called.
Also, whether the screen is in a screen capture state can be determined by prediction based on preset rules. For example, whether the screen will be in a screen capture state can be predicted according to some characteristic information of the user who logs in to the APP's client; for example, if the user was once identified as an online loan user, it is considered that a screenshot will be taken when the target page is displayed, and therefore adversarial samples need to be added.

It can be understood that when the user terminal enables the screen recording function or prepares for screen capture, there is considered to be a possibility that private information in the target page will be stolen through screen recording or screen capture. It is then necessary to generate an adversarial sample image of the original image of the target page and display it in place of the original image, so as to avoid leaking the private information.

Step 404: when the screen of the user terminal is in a specified state, obtain the original image of the target page, where the specified state includes, but is not limited to, at least one of a screen capture state and a screen recording state.

Optionally, when the screen of the user terminal is not in the specified state, the original image of the target page returned by the APP's server is received and displayed.

Specifically, the monitoring results can be reported to the APP's server (such as a cloud server). When the screen of the user terminal is not in the specified state, the original image of the target page returned by the APP's server is received and displayed; when the screen of the user terminal is in the specified state, the following steps 406 to 408 continue to be executed.

Step 406: process the original image to generate an adversarial sample image for countering a character recognition algorithm.

The character recognition algorithm may include at least one of the character recognition algorithms in the related art and those that appear in the future.
As an example, the character recognition algorithm can be OCR. Specifically, OCR can include, but is not limited to, algorithms such as SVM, CNN and Faster R-CNN.

In a concrete implementation, step 406 may include: determining one character recognition algorithm to be countered; and, for that one character recognition algorithm, generating an adversarial sample image of the original image based on a preset adversarial sample generation algorithm, to obtain one adversarial sample image.

Alternatively, step 406 may include: determining multiple character recognition algorithms to be countered; and, for the multiple character recognition algorithms, respectively generating adversarial sample images of the original image based on a preset adversarial sample generation algorithm, to obtain multiple adversarial sample images.

According to whether the detailed information of the character recognition algorithm (such as model combination and model parameters) can be obtained, the preset adversarial sample generation algorithms can be divided into two types: white box and black box. A white-box adversarial sample generation algorithm can obtain the detailed information of the character recognition algorithm; examples are FGSM and C&W. A black-box adversarial sample generation algorithm cannot obtain the detailed information of the character recognition algorithm; examples are the boundary attack and one pixel.

After the preset adversarial sample generation algorithm is determined, it can be used, for the at least one character recognition algorithm, to respectively generate adversarial sample images of the original image, to obtain multiple adversarial sample images.

Step 408: complete the display of the target page by displaying the adversarial sample image.

When one adversarial sample image is generated for the original image in step 406, step 408 may directly use that adversarial sample image in place of the original image for propagation.
When multiple adversarial sample images are generated for the original image in step 406, step 408 may include: selecting a target adversarial sample image from the multiple adversarial sample images; and using the target adversarial sample image in place of the original image for propagation.

As an example, selecting a target adversarial sample image from the multiple adversarial sample images can include: randomly selecting a target adversarial sample image from the multiple adversarial sample images.

As another example, selecting a target adversarial sample image from the multiple adversarial sample images can include: separately evaluating the adversarial effect of the multiple adversarial sample images on the multiple character recognition algorithms; and determining, as the target adversarial sample image, the adversarial sample image whose adversarial effect on the multiple character recognition algorithms satisfies a second preset condition.

Specifically, the multiple character recognition algorithms can first be used to perform character recognition on each of the multiple adversarial sample images, to obtain the recognition results of each adversarial sample image; then the adversarial effect of each adversarial sample image is scored according to its recognition results; finally, the adversarial sample image with the highest score (the second preset condition) among the multiple adversarial sample images is used as the target adversarial sample image. Of course, the second preset condition may also be another condition.

It can be understood that an adversarial sample adds to the original sample subtle changes that are difficult for humans to perceive through the senses, yet that can make a machine learning model accept the sample and make a wrong classification decision.
Therefore, in the embodiments of this specification, generating an adversarial sample image for countering a character recognition algorithm and displaying the adversarial sample image in place of the original image of the target page can prevent the private information represented by characters in the target page from being recognized by the character recognition algorithm, thereby reducing the risk that the private information in the target page is leaked.

FIG. 5 shows, for this application scenario of protecting the privacy information in a page of the user's APP, a schematic flowchart of a method for protecting privacy information based on adversarial samples provided by another embodiment of this specification. As shown in FIG. 5, before step 408, the method may also include:

Step 410: evaluate the quality of the adversarial sample image and determine whether the quality of the adversarial sample image satisfies a first preset condition; if it does, then perform step 408; otherwise, return to step 406.

That is, when the quality of the adversarial sample image satisfies the first preset condition, step 408 is then performed; when the quality of the adversarial sample image does not satisfy the first preset condition, the method returns to step 406.

As an example, evaluating the quality of the adversarial sample image in step 410 can include: determining the pixel differences between the adversarial sample image and the original image; and, when the sum of squares of the pixel differences between the adversarial sample image and the original image is less than or equal to a preset threshold, determining that the quality of the adversarial sample image satisfies the first preset condition. The pixel difference may be the difference of a characteristic value of the pixel, such as its grayscale.
When determining the pixel differences between the adversarial sample image and the original image, the difference can be taken over all the pixels in the two images. Alternatively, to improve computational efficiency, the difference can be taken over only some of the pixels according to a certain rule, for example taking the difference for one or more pixels every few pixels. The embodiments of this specification do not limit this.

In addition, besides the sum of squares of the pixel differences being less than or equal to the preset threshold, the first preset condition may also be another condition, such as the sum of the pixel differences being less than or equal to a preset threshold. The embodiments of this specification do not limit this either.

In the method for protecting privacy information based on adversarial samples provided by the embodiment shown in FIG. 5, the display of the target page is completed by displaying the adversarial sample image only once the quality of the adversarial sample image satisfies the first preset condition. Therefore, in addition to preventing the private information represented by characters in the target page from being recognized by the character recognition algorithm, and thereby reducing the risk that the private information contained in the target page is leaked, the method can also well guarantee that the adversarial sample image is visually unchanged to the user relative to the original image of the target page. This ensures that the finally displayed target page does not affect the user's normal use.

The above is the description of the method embodiments provided in this specification. The electronic device provided in this specification is described below.

FIG. 6 is a schematic structural diagram of an electronic device provided by an embodiment of this specification.
Referring to FIG. 6, at the hardware level, the electronic device includes a processor and optionally also includes an internal bus, a network interface, and a memory. The memory may include internal memory, for example high-speed random access memory (RAM), and may also include non-volatile memory, for example at least one disk memory. Of course, the electronic device may also include hardware required for other services.

The processor, the network interface and the memory can be connected to each other through the internal bus. The internal bus may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, it is represented by only one double-headed arrow in FIG. 6, but this does not mean that there is only one bus or only one type of bus.

The memory is used to store programs. Specifically, a program may include program code, and the program code includes computer operation instructions. The memory can include internal memory and non-volatile memory, and provides instructions and data to the processor.

The processor reads the corresponding computer program from the non-volatile memory into the internal memory and runs it, forming, at the logical level, a privacy information protection device based on adversarial samples. The processor executes the program stored in the memory, and is specifically used to perform the following operations: obtain the original image to be propagated, where the original image contains private information represented by characters; process the original image to generate an adversarial sample image for countering a character recognition algorithm; and propagate the adversarial sample image in place of the original image.
Alternatively, the processor executes the program stored in the memory, and is specifically used to perform the following operations: before the target page is displayed, monitor the screen state of the user terminal, where the target page contains private information represented by characters; when the screen of the user terminal is in a specified state, obtain the original image of the target page, where the specified state includes at least one of a screen capture state and a screen recording state; process the original image to generate an adversarial sample image for countering a character recognition algorithm; and complete the display of the target page by displaying the adversarial sample image.

The method for protecting privacy information based on adversarial samples disclosed in the embodiment shown in any of FIG. 2 to FIG. 5 of this specification can be applied to the processor, or implemented by the processor. The processor may be an integrated circuit chip with signal processing capability. During implementation, the steps of the above methods can be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The above processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and so on; it can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The methods, steps and logical block diagrams disclosed in one or more embodiments of this specification can be implemented or executed. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The steps of the method disclosed in conjunction with one or more embodiments of this specification may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor. The software modules can be located in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers, and other storage media mature in the field. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.

The electronic device may also execute the method for protecting privacy information based on adversarial samples provided in any of the embodiments in FIG. 2 to FIG. 5, which this specification does not repeat here.

Of course, in addition to a software implementation, the electronic device of this specification does not exclude other implementations, for example logic devices or a combination of software and hardware. That is to say, the execution subject of the following processing flow is not limited to each logical unit; it can also be a hardware or logic device.

The embodiments of this specification also propose a computer-readable storage medium. The computer-readable storage medium stores one or more programs, and the one or more programs include instructions. When the instructions are executed by a portable electronic device that includes multiple applications, the portable electronic device can be made to execute the method of the embodiment shown in FIG.
1, and specifically to perform the following operations: obtain the original image to be propagated, where the original image contains private information represented by characters; process the original image to generate an adversarial sample image for countering a character recognition algorithm; and propagate the adversarial sample image in place of the original image.

The embodiments of this specification also propose a computer-readable storage medium. The computer-readable storage medium stores one or more programs, and the one or more programs include instructions. When the instructions are executed by a portable electronic device that includes multiple applications, the portable electronic device can be made to execute the method of the embodiment shown in FIG. 7, and specifically to perform the following operations: before the target page is displayed, monitor the screen state of the user terminal, where the target page contains private information represented by characters; when the screen of the user terminal is in a specified state, obtain the original image of the target page, where the specified state includes at least one of a screen capture state and a screen recording state; process the original image to generate an adversarial sample image for countering a character recognition algorithm; and complete the display of the target page by displaying the adversarial sample image.

The following describes the privacy information protection device based on adversarial samples provided in this specification.

As shown in FIG. 7, an embodiment of this specification provides a privacy information protection device based on adversarial samples. In a software implementation, the adversarial sample-based privacy information protection device 700 may include: a first image acquisition module 701, a first image generation module 702 and an image propagation module 703.
The first image acquisition module 701 is used to obtain the original image to be propagated, where the original image contains private information represented by characters.

The first image generation module 702 is used to process the original image to generate an adversarial sample image for countering a character recognition algorithm.

In a concrete implementation, the first image generation module 702 can be used to determine one character recognition algorithm to be countered and, for that one character recognition algorithm, generate an adversarial sample image of the original image based on a preset adversarial sample generation algorithm, to obtain one adversarial sample image.

Alternatively, the first image generation module 702 can be used to determine multiple character recognition algorithms to be countered and, for the multiple character recognition algorithms, respectively generate adversarial sample images of the original image based on a preset adversarial sample generation algorithm, to obtain multiple adversarial sample images.

The image propagation module 703 is used to propagate the adversarial sample image in place of the original image.

When the first image generation module 702 generates one adversarial sample image for the original image, the image propagation module 703 can directly propagate that adversarial sample image in place of the original image.

When the first image generation module 702 generates multiple adversarial sample images for the original image, the image propagation module 703 can be used to: select a target adversarial sample image from the multiple adversarial sample images; and propagate the target adversarial sample image in place of the original image.

As an example, the image propagation module 703 can be specifically used to: randomly select a target adversarial sample image from the multiple adversarial sample images.
As another example, the image propagation module 703 can be specifically used to: separately evaluate the adversarial effect of the multiple adversarial sample images on the multiple character recognition algorithms; and determine, as the target adversarial sample image, the adversarial sample image whose adversarial effect on the multiple character recognition algorithms satisfies a second preset condition.

Specifically, the multiple character recognition algorithms can first be used to perform character recognition on each of the multiple adversarial sample images, to obtain the recognition results of each adversarial sample image; then the adversarial effect of each adversarial sample image is scored according to its recognition results; finally, the adversarial sample image with the highest score (the second preset condition) among the multiple adversarial sample images is used as the target adversarial sample image. Of course, the second preset condition may also be another condition.

It can be understood that an adversarial sample adds to the original sample subtle changes that are difficult for humans to perceive through the senses, yet that can make a machine learning model accept the sample and make a wrong classification decision. Therefore, in the embodiments of this specification, generating an adversarial sample image for countering a character recognition algorithm and propagating the adversarial sample image in place of the original image can prevent the private information represented by characters in the image from being recognized by the character recognition algorithm, thereby reducing the risk that the private information contained in the original image is leaked.

FIG.
8 shows another schematic structural diagram of a device for protecting privacy information based on adversarial samples provided by another embodiment of this specification. As shown in FIG. 8, the device 700 may include: a first image acquisition module 701, a first image generation module 702, a first judgment module 704 and an image propagation module 703.

The first image acquisition module 701 is used to obtain the original image to be propagated, where the original image contains private information represented by characters.

The first image generation module 702 is used to process the original image to generate an adversarial sample image for countering a character recognition algorithm.

The first judgment module 704 is used to evaluate the quality of the adversarial sample image and determine whether the quality of the adversarial sample image satisfies a first preset condition; if it does, the image propagation module 703 is triggered; otherwise, the first image generation module 702 is triggered again.

That is, when the quality of the adversarial sample image satisfies the first preset condition, the adversarial sample image is propagated in place of the original image; when the quality of the adversarial sample image does not satisfy the first preset condition, the original image is processed again to generate an adversarial sample image for countering a character recognition algorithm.

The image propagation module 703 is used to propagate the adversarial sample image in place of the original image.

As an example, the first judgment module 704 can be used to: determine the pixel differences between the adversarial sample image and the original image; and, when the sum of squares of the pixel differences between the adversarial sample image and the original image is less than or equal to a preset threshold, determine that the quality of the adversarial sample image satisfies the first preset condition.
The pixel difference may be the difference of a characteristic value of the pixel, such as its grayscale.

In the privacy information protection device based on adversarial samples provided by the embodiment shown in FIG. 8, the adversarial sample image is propagated in place of the original image only once its quality satisfies the first preset condition. Therefore, in addition to preventing the private information represented by characters in the image from being recognized by the character recognition algorithm, and thereby reducing the risk that the private information contained in the original image is leaked, the device can also well guarantee that the adversarial sample image is visually unchanged to the user relative to the original image, thereby ensuring that normal use of the image is not affected.

It should be noted that the privacy information protection device 700 based on adversarial samples can implement the method of the method embodiment of FIG. 2. For details, refer to the method for protecting privacy information based on adversarial samples in the embodiment shown in FIG. 2, which is not repeated here.

The following describes a device for protecting privacy information based on adversarial samples provided by the embodiments of this specification, in combination with the application scenario of protecting the privacy information in a page of the user's APP.

As shown in FIG. 9, an embodiment of this specification provides a privacy information protection device 900 based on adversarial samples. In a software implementation, the device 900 may include: a screen state monitoring module 901, a second image acquisition module 902, a second image generation module 903 and an image display module 904.

The screen state monitoring module 901 is used to monitor the screen state of the user terminal before the target page is displayed, where the target page contains private information represented by characters.
The second image acquisition module 902 is used to obtain the original image of the target page when the screen of the user terminal is in a designated state, where the designated state includes at least one of a screen capture state and a screen recording state. The second image generation module 903 is used to process the original image and generate an adversarial sample image that counters character recognition algorithms. In a concrete implementation, the second image generation module 903 can be used to determine one character recognition algorithm to be countered and, for that one character recognition algorithm, generate an adversarial sample image of the original image based on a preset adversarial sample generation algorithm, obtaining one adversarial sample image. Alternatively, the second image generation module 903 can be used to determine multiple character recognition algorithms to be countered and, for each of those character recognition algorithms, generate an adversarial sample image of the original image based on a preset adversarial sample generation algorithm, obtaining multiple adversarial sample images. The image display module 904 is used to display the target page by displaying the adversarial sample image. When the second image generation module 903 generates one adversarial sample image for the original image, the image display module 904 can directly display that adversarial sample image in place of the original image of the target page. When the second image generation module 903 generates multiple adversarial sample images for the original image, the image display module 904 can select a target adversarial sample image from the multiple adversarial sample images and display the target adversarial sample image in place of the original image of the target page.
As an example, the image display module 904 can be used to randomly select a target adversarial sample image from the multiple adversarial sample images. As another example, the image display module 904 can be used to: evaluate the adversarial effect of each of the multiple adversarial sample images on the multiple character recognition algorithms; and determine, as the target adversarial sample image, the adversarial sample image whose adversarial effect on the multiple character recognition algorithms satisfies a second preset condition. Specifically, the multiple character recognition algorithms can first be used to perform character recognition on each of the multiple adversarial sample images, obtaining a recognition result for each adversarial sample image; then the adversarial effect of each adversarial sample image is scored according to its recognition results; finally, the adversarial sample image with the highest score (the second preset condition) among the multiple adversarial sample images is taken as the target adversarial sample image. Of course, the second preset condition may also be another condition.

It can be understood that an adversarial sample adds to the original sample subtle changes that are difficult for humans to perceive through the senses but that cause a machine learning model to accept the sample and make a wrong classification decision. Therefore, in the embodiments of this specification, generating an adversarial sample image that counters character recognition algorithms and displaying it in place of the original image of the target page can prevent the private information represented by characters in the target page from being recognized by a character recognition algorithm, thereby reducing the risk that the private information in the target page is leaked.
FIG. 10 shows, for this application scenario of protecting private information in a page of a user's APP, a schematic structural diagram of an apparatus for protecting privacy information based on adversarial samples provided by another embodiment of this specification. As shown in FIG. 10, the apparatus 900 may include a screen status monitoring module 901, a second image acquisition module 902, a second image generation module 903, a second judgment module 905 and an image display module 904. The screen status monitoring module 901 is used to monitor the screen status of the user terminal before the target page is displayed, where the target page contains private information represented by characters. The second image acquisition module 902 is used to obtain the original image of the target page when the screen of the user terminal is in a designated state, where the designated state includes at least one of a screen capture state and a screen recording state. The second image generation module 903 is used to process the original image and generate an adversarial sample image that counters character recognition algorithms. The second judgment module 905 is used to evaluate the quality of the adversarial sample image and determine whether that quality satisfies a first preset condition; if it does, the image display module 904 is triggered, and otherwise control returns to the second image generation module 903. That is, when the quality of the adversarial sample image satisfies the first preset condition, the adversarial sample image is displayed in place of the original image of the target page; when the quality does not satisfy the first preset condition, the original image of the target page is processed again to generate an adversarial sample image that counters character recognition algorithms.
As an example, the second judgment module 905 can be specifically used to: determine the pixel differences between the adversarial sample image and the original image; and, when the sum of squares of the pixel differences between the adversarial sample image and the original image is less than or equal to a preset threshold, determine that the quality of the adversarial sample image satisfies the first preset condition. Here, the pixel difference may be the difference between characteristic values of the pixels, such as their grayscale. When determining the pixel differences between the adversarial sample image and the original image, the difference can be taken over all the pixels in the two images. Alternatively, to improve computational efficiency, the difference can be taken over only some of the pixels according to a certain rule, for example over one or more pixels out of every few pixels. The embodiments of the present specification do not limit this. In addition, besides the sum of squares of the pixel differences being less than or equal to the preset threshold, the first preset condition may also be another condition, such as the sum of the pixel differences being less than or equal to a preset threshold. The embodiments of the present specification do not limit this either. The image display module 904 is used to display the target page by displaying the adversarial sample image.

In the apparatus for protecting privacy information based on adversarial samples provided by the embodiment shown in FIG. 10, the display of the target page is completed by displaying the adversarial sample image only when the quality of the adversarial sample image satisfies the first preset condition. Therefore, in addition to preventing the private information represented by characters in the target page from being recognized by a character recognition algorithm, and thereby reducing the risk that the private information contained in the target page is leaked, the apparatus also ensures that the adversarial sample image shows no visible change to the user relative to the original image of the target page, so that the finally displayed target page does not affect the user's normal use. It should be noted that the apparatus 900 for protecting privacy information based on adversarial samples can implement the method of the method embodiment of FIG. 4; for details, refer to the method for protecting privacy information based on adversarial samples in the embodiment shown in FIG. 4, which is not repeated here.

The foregoing describes specific embodiments of the present specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that in the embodiments and still achieve desirable results. In addition, the processes depicted in the figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain embodiments, multitasking and parallel processing are also possible or may be advantageous. Each embodiment in this specification is described in a progressive manner; for the same or similar parts, the embodiments can be referred to each other, and each embodiment focuses on its differences from the other embodiments.
In particular, the device embodiments are described relatively briefly because they are substantially similar to the method embodiments; for related parts, refer to the corresponding descriptions of the method embodiments. In short, the above descriptions are only the preferred embodiments of this specification and are not intended to limit the protection scope of this specification. Any modification, equivalent replacement or improvement made within the spirit and principles of one or more embodiments of this specification shall be included within the protection scope of one or more embodiments of this specification. The system, device, module or unit illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product having a certain function. A typical implementation device is a computer. Specifically, the computer can be, for example, a personal computer, a laptop, a mobile phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet, a wearable device or any combination of these devices. Computer-readable media include permanent and non-permanent, removable and non-removable media, and can store information by any method or technology. The information can be computer-readable instructions, data structures, program modules or other data.
Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media, such as modulated data signals and carrier waves. It should also be noted that the terms "includes", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or also includes elements inherent to such a process, method, commodity or device. Without further limitation, an element qualified by the phrase "includes a ..." does not exclude the presence of additional identical elements in the process, method, commodity or device that includes the element. Each embodiment in this specification is described in a progressive manner; for the same or similar parts, the embodiments can be referred to each other, and each embodiment highlights its differences from the other embodiments. In particular, the system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for related parts, refer to the corresponding descriptions of the method embodiments.
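The quality check performed by judgment modules 704 and 905 and the score-based selection performed by display module 904, as an added Python example that is not part of the patent text. The recognizers and the generator are constructed toy stand-ins, and the attempt cap, the `stride` parameter and the scoring rule (fraction of recognizers that fail to return the private string) are assumptions of this example.

```python
from typing import Callable, List, Optional, Sequence

Image = List[List[int]]                # grayscale rows, values 0..255
Recognizer = Callable[[Image], str]    # stand-in for one character recognition algorithm
Generator = Callable[[Image, int], Image]


def sum_squared_diff(original: Image, candidate: Image, stride: int = 1) -> int:
    """Sum of squared grayscale differences over every `stride`-th row and column."""
    if stride < 1:
        raise ValueError("stride must be >= 1")
    if len(original) != len(candidate) or any(
        len(a) != len(b) for a, b in zip(original, candidate)
    ):
        raise ValueError("images must have identical dimensions")
    total = 0
    for row_o, row_c in zip(original[::stride], candidate[::stride]):
        for p_o, p_c in zip(row_o[::stride], row_c[::stride]):
            total += (p_o - p_c) ** 2
    return total


def generate_until_acceptable(original: Image, generate: Generator, threshold: int,
                              stride: int = 1, max_attempts: int = 5) -> Optional[Image]:
    """Regenerate until the first preset condition (SSD <= threshold) holds.

    The attempt cap is an assumption of this example. On None the caller
    should withhold the image rather than fall back to the original.
    """
    for attempt in range(max_attempts):
        candidate = generate(original, attempt)
        if sum_squared_diff(original, candidate, stride) <= threshold:
            return candidate
    return None


def adversarial_score(candidate: Image, recognizers: Sequence[Recognizer],
                      secret: str) -> float:
    """Assumed scoring rule: share of recognizers that do not recover the secret."""
    if not recognizers:
        raise ValueError("at least one recognizer is required")
    misses = sum(1 for recognize in recognizers if secret not in recognize(candidate))
    return misses / len(recognizers)


def select_target(candidates: Sequence[Image], recognizers: Sequence[Recognizer],
                  secret: str) -> Image:
    """Second preset condition as described: the highest-scoring candidate wins."""
    return max(candidates, key=lambda c: adversarial_score(c, recognizers, secret))


# ---- Constructed sample data (not from the patent) ----
SECRET = "6222 0000"  # placeholder for the private characters on the page
ORIGINAL: Image = [
    [100, 100, 100, 100],
    [100, 200, 200, 100],
    [100, 200, 200, 100],
    [100, 100, 100, 100],
]


def toy_generator(original: Image, attempt: int) -> Image:
    """Darken the 2x2 centre by a step that shrinks per retry (6, 4, 2, then 1)."""
    delta = max(6 - 2 * attempt, 1)
    out = [row[:] for row in original]
    for r in (1, 2):
        for c in (1, 2):
            out[r][c] -= delta
    return out


def threshold_ocr(img: Image) -> str:
    """Toy recognizer: reads the text only if the centre is at full brightness."""
    return SECRET if img[1][1] >= 200 else ""


def contrast_ocr(img: Image) -> str:
    """Toy recognizer: reads the text only if centre/corner contrast is >= 100."""
    return SECRET if img[1][1] - img[0][0] >= 100 else ""


RECOGNIZERS = [threshold_ocr, contrast_ocr]
CANDIDATE_A = toy_generator(ORIGINAL, 2)      # centre darkened by 2
CANDIDATE_B = [row[:] for row in ORIGINAL]
CANDIDATE_B[0][0] += 1                        # one corner brightened by 1

if __name__ == "__main__":
    accepted = generate_until_acceptable(ORIGINAL, toy_generator, threshold=50)
    print("accepted SSD:", sum_squared_diff(ORIGINAL, accepted))
    target = select_target([CANDIDATE_B, CANDIDATE_A], RECOGNIZERS, SECRET)
    print("target score:", adversarial_score(target, RECOGNIZERS, SECRET))
```

With `stride=2` the same threshold accepts the first and most visible candidate, because only one of the four changed pixels is sampled; a threshold tuned for full comparison has to be rescaled when pixels are subsampled.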

11: User terminal
12: Network
13: Cloud server
700: Apparatus for protecting privacy information based on adversarial samples
701: First image acquisition module
702: First image generation module
703: Image propagation module
704: First judgment module
900: Apparatus for protecting privacy information based on adversarial samples
901: Screen status monitoring module
902: Second image acquisition module
903: Second image generation module
904: Image display module
905: Second judgment module

The drawings described herein are used to provide further understanding of the application and constitute a part of the application. The schematic embodiments of the application and their descriptions are used to explain the application and do not constitute an improper limitation of the application. In the drawings:
[FIG. 1] is a schematic diagram of a system architecture provided by an embodiment of this specification.
[FIG. 2] is the first schematic flowchart of a method for protecting privacy information based on adversarial samples provided by an embodiment of this specification.
[FIG. 3] is the second schematic flowchart of a method for protecting privacy information based on adversarial samples provided by an embodiment of this specification.
[FIG. 4] is the third schematic flowchart of a method for protecting privacy information based on adversarial samples provided by an embodiment of this specification.
[FIG. 5] is the fourth schematic flowchart of a method for protecting privacy information based on adversarial samples provided by an embodiment of this specification.
[FIG. 6] is a schematic structural diagram of an electronic device provided by an embodiment of this specification.
[FIG. 7] is the first schematic structural diagram of an apparatus for protecting privacy information based on adversarial samples provided by an embodiment of this specification.
[FIG. 8] is the second schematic structural diagram of an apparatus for protecting privacy information based on adversarial samples provided by an embodiment of this specification.
[FIG. 9] is the third schematic structural diagram of an apparatus for protecting privacy information based on adversarial samples provided by an embodiment of this specification.
[FIG. 10] is the fourth schematic structural diagram of an apparatus for protecting privacy information based on adversarial samples provided by an embodiment of this specification.

Claims (20)

1. A method for protecting privacy information based on adversarial samples, comprising: acquiring, by a first image acquisition module, an original image to be propagated, the original image containing private information represented by characters; processing, by a first image generation module, the original image to generate an adversarial sample image that counters character recognition algorithms, wherein the private information cannot be obtained from the adversarial sample image by machine recognition of an application program; and propagating, by an image propagation module, the adversarial sample image in place of the original image.

2. The method according to claim 1, wherein before the propagating the adversarial sample image in place of the original image, the method further comprises: evaluating the quality of the adversarial sample image; and, when the quality of the adversarial sample image satisfies a first preset condition, performing the step of propagating the adversarial sample image in place of the original image.

3. The method according to claim 2, further comprising: when the quality of the adversarial sample image does not satisfy the first preset condition, re-executing the step of processing the original image to generate an adversarial sample image that counters character recognition algorithms.

4. The method according to claim 2 or 3, wherein the evaluating the quality of the adversarial sample image comprises: determining pixel differences between the adversarial sample image and the original image; and, when the sum of squares of the pixel differences between the adversarial sample image and the original image is less than or equal to a preset threshold, determining that the quality of the adversarial sample image satisfies the first preset condition.

5. The method according to claim 1, wherein the processing the original image to generate an adversarial sample image that counters character recognition algorithms comprises: determining multiple character recognition algorithms to be countered; and, for each of the multiple character recognition algorithms, generating an adversarial sample image of the original image based on a preset adversarial sample generation algorithm, to obtain multiple adversarial sample images.

6. The method according to claim 5, wherein the propagating the adversarial sample image in place of the original image comprises: selecting a target adversarial sample image from the multiple adversarial sample images; and propagating the target adversarial sample image in place of the original image.

7. The method according to claim 5, wherein the selecting a target adversarial sample image from the multiple adversarial sample images comprises: evaluating the adversarial effect of each of the multiple adversarial sample images on the multiple character recognition algorithms; and determining, as the target adversarial sample image, the adversarial sample image among the multiple adversarial sample images whose adversarial effect on the multiple character recognition algorithms satisfies a second preset condition.

8. A method for protecting privacy information based on adversarial samples, comprising: monitoring, by a screen status monitoring module, the screen status of a user terminal before a target page is displayed, wherein the target page contains private information represented by characters; acquiring, by a second image acquisition module, an original image of the target page when the screen of the user terminal is in a designated state, wherein the designated state includes at least one of a screen capture state and a screen recording state; processing, by a second image generation module, the original image to generate an adversarial sample image that counters character recognition algorithms, wherein the private information cannot be obtained from the adversarial sample image by machine recognition of an application program; and completing, by an image display module, the display of the target page by displaying the adversarial sample image.

9. The method according to claim 8, wherein before the completing the display of the target page by displaying the adversarial sample image, the method further comprises: evaluating the quality of the adversarial sample image; and, when the quality of the adversarial sample image satisfies a first preset condition, performing the step of completing the display of the target page by displaying the adversarial sample image.

10. The method according to claim 9, further comprising: when the quality of the adversarial sample image does not satisfy the first preset condition, re-executing the step of processing the original image to generate an adversarial sample image that counters character recognition algorithms.

11. The method according to claim 9 or 10, wherein the evaluating the quality of the adversarial sample image comprises: determining pixel differences between the adversarial sample image and the original image; and, when the sum of squares of the pixel differences between the adversarial sample image and the original image is less than or equal to a preset threshold, determining that the quality of the adversarial sample image satisfies the first preset condition.

12. The method according to claim 8, wherein the processing the original image to generate an adversarial sample image that counters character recognition algorithms comprises: determining multiple character recognition algorithms to be countered; and, for each of the multiple character recognition algorithms, generating an adversarial sample image of the original image based on a preset adversarial sample generation algorithm, to obtain multiple adversarial sample images.

13. The method according to claim 12, wherein the completing the display of the target page by displaying the adversarial sample image comprises: selecting a target adversarial sample image from the multiple adversarial sample images; and completing the display of the target page by displaying the target adversarial sample image.

14. The method according to claim 13, wherein the selecting a target adversarial sample image from the multiple adversarial sample images comprises: evaluating the adversarial effect of each of the multiple adversarial sample images on the multiple character recognition algorithms; and determining, as the target adversarial sample image, the adversarial sample image among the multiple adversarial sample images whose adversarial effect on the multiple character recognition algorithms satisfies a second preset condition.

15. An apparatus for protecting privacy information based on adversarial samples, comprising: a first image acquisition module for acquiring an original image to be propagated, the original image containing private information represented by characters; a first image generation module for processing the original image to generate an adversarial sample image that counters character recognition algorithms, wherein the private information cannot be obtained from the adversarial sample image by machine recognition of an application program; and an image propagation module for propagating the adversarial sample image in place of the original image.

16. An apparatus for protecting privacy information based on adversarial samples, comprising: a screen status monitoring module for monitoring the screen status of a user terminal before a target page is displayed, wherein the target page contains private information represented by characters; a second image acquisition module for acquiring an original image of the target page when the screen of the user terminal is in a designated state, wherein the designated state includes at least one of a screen capture state and a screen recording state; a second image generation module for processing the original image to generate an adversarial sample image that counters character recognition algorithms, wherein the private information cannot be obtained from the adversarial sample image by machine recognition of an application program; and an image display module for completing the display of the target page by displaying the adversarial sample image.

17. An electronic device, comprising: a processor; and a memory arranged to store computer-executable instructions that, when executed, cause the processor to perform the following operations: acquiring an original image to be propagated, the original image containing private information represented by characters; processing the original image to generate an adversarial sample image that counters character recognition algorithms, wherein the private information cannot be obtained from the adversarial sample image by machine recognition of an application program; and propagating the adversarial sample image in place of the original image.

18. A computer-readable storage medium storing one or more programs that, when executed by an electronic device including a plurality of application programs, cause the electronic device to perform the following operations: acquiring an original image to be propagated, the original image containing private information represented by characters; processing the original image to generate an adversarial sample image that counters character recognition algorithms, wherein the private information cannot be obtained from the adversarial sample image by machine recognition of an application program; and propagating the adversarial sample image in place of the original image.

19. An electronic device, comprising: a processor; and a memory arranged to store computer-executable instructions that, when executed, cause the processor to perform the following operations: monitoring the screen status of a user terminal before a target page is displayed, wherein the target page contains private information represented by characters; acquiring an original image of the target page when the screen of the user terminal is in a designated state, wherein the designated state includes at least one of a screen capture state and a screen recording state; processing the original image to generate an adversarial sample image that counters character recognition algorithms, wherein the private information cannot be obtained from the adversarial sample image by machine recognition of an application program; and completing the display of the target page by displaying the adversarial sample image.

20. A computer-readable storage medium storing one or more programs that, when executed by an electronic device including a plurality of application programs, cause the electronic device to perform the following operations: monitoring the screen status of a user terminal before a target page is displayed, wherein the target page contains private information represented by characters; acquiring an original image of the target page when the screen of the user terminal is in a designated state, wherein the designated state includes at least one of a screen capture state and a screen recording state; processing the original image to generate an adversarial sample image that counters character recognition algorithms, wherein the private information cannot be obtained from the adversarial sample image by machine recognition of an application program; and completing the display of the target page by displaying the adversarial sample image.
TW109115225A 2019-11-22 2020-05-07 Method, device and electronic equipment for protecting privacy information based on adversarial samples TWI750651B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911158828.9 2019-11-22
CN201911158828.9A CN110990795A (en) 2019-11-22 2019-11-22 Privacy information protection method and device based on countermeasure sample and electronic equipment

Publications (2)

Publication Number Publication Date
TW202121214A TW202121214A (en) 2021-06-01
TWI750651B true TWI750651B (en) 2021-12-21

Family

ID=70086049

Family Applications (1)

Application Number Title Priority Date Filing Date
TW109115225A TWI750651B (en) 2019-11-22 2020-05-07 Method, device and electronic equipment for protecting privacy information based on adversarial samples

Country Status (3)

Country Link
CN (1) CN110990795A (en)
TW (1) TWI750651B (en)
WO (1) WO2021098270A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110990795A (en) * 2019-11-22 2020-04-10 支付宝(杭州)信息技术有限公司 Privacy information protection method and device based on countermeasure sample and electronic equipment
CN111666588B (en) * 2020-05-14 2023-06-23 武汉大学 Emotion differential privacy protection method based on generation countermeasure network
CN111753275B (en) * 2020-06-04 2024-03-26 支付宝(杭州)信息技术有限公司 Image-based user privacy protection method, device, equipment and storage medium
CN114662129B (en) * 2022-03-25 2023-11-14 中国电信股份有限公司 Data slicing security assessment method and device, storage medium and electronic equipment
CN114842485B (en) * 2022-04-26 2023-06-27 北京百度网讯科技有限公司 Subtitle removing method and device and electronic equipment
CN115049760B (en) * 2022-08-16 2022-12-02 杭州海康威视数字技术股份有限公司 Moore effect enhancement-based video privacy protection method, device and equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103714510A (en) * 2012-09-28 2014-04-09 中兴保全股份有限公司 Method for embedding and extracting digital watermark
US9847974B2 (en) * 2016-04-28 2017-12-19 Xerox Corporation Image document processing in a client-server system including privacy-preserving text recognition
CN109902617A (en) * 2019-02-25 2019-06-18 百度在线网络技术(北京)有限公司 A kind of image identification method, device, computer equipment and medium

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104408686A (en) * 2014-10-31 2015-03-11 宇龙计算机通信科技(深圳)有限公司 Method, system and terminal for screen capturing
CN105260674A (en) * 2015-09-30 2016-01-20 深圳天珑无线科技有限公司 Screen capture processing method and apparatus and intelligent terminal
CN106778330A (en) * 2016-11-30 2017-05-31 维沃移动通信有限公司 The method and mobile terminal of a kind of protection short message privacy content
CN107992727B (en) * 2017-12-11 2021-08-03 北京安华金和科技有限公司 Watermark processing and data tracing method based on original data deformation
CN108549940B (en) * 2018-03-05 2021-10-29 浙江大学 Intelligent defense algorithm recommendation method and system based on multiple counterexample attacks
CN108446700B (en) * 2018-03-07 2021-10-29 浙江工业大学 License plate attack generation method based on anti-attack
CN109993212B (en) * 2019-03-06 2023-06-20 西安电子科技大学 Position privacy protection method in social network picture sharing and social network platform
US11657162B2 (en) * 2019-03-22 2023-05-23 Intel Corporation Adversarial training of neural networks using information about activation path differentials
CN110008680B (en) * 2019-04-03 2020-11-13 华南师范大学 Verification code generation system and method based on countermeasure sample
CN110990795A (en) * 2019-11-22 2020-04-10 支付宝(杭州)信息技术有限公司 Privacy information protection method and device based on countermeasure sample and electronic equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
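徐百蜀; 陳志丞, "Feature-point-based watermarking of aerial survey images", Journal of Photogrammetry and Remote Sensing (航測及遙測學刊), Vol. 17, No. 4, pp. 251-266, December 2013 (ROC year 102) *
徐百蜀; 陳志丞, "Feature-point-based watermarking of aerial survey images", Journal of Photogrammetry and Remote Sensing (航測及遙測學刊), Vol. 17, No. 4, pp. 251-266, December 2013 (ROC year 102).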

Also Published As

Publication number Publication date
CN110990795A (en) 2020-04-10
WO2021098270A1 (en) 2021-05-27
TW202121214A (en) 2021-06-01

Similar Documents

Publication Publication Date Title
TWI750651B (en) Method, device and electronic equipment for protecting privacy information based on adversarial samples
TWI716008B (en) Face recognition method and device
Thomson et al. Visual mis/disinformation in journalism and public communications: Current verification practices, challenges, and future opportunities
CN111008709A (en) Federal learning and data risk assessment method, device and system
CN109347787B (en) Identity information identification method and device
JP6694829B2 (en) Rule-based video importance analysis
JP2022539910A (en) Electronic device screen area defect inspection method and apparatus
TW202121215A (en) Private data protection-based method and device for abnormal collection behavior recognition
TW201935334A (en) Method and apparatus for determining decision strategy corresponding to service and electronic device
CN111475851A (en) Privacy data processing method and device based on machine learning and electronic equipment
CN107968953A (en) Anti- cheating user method and device
CN111768258A (en) Method, device, electronic equipment and medium for identifying abnormal order
CN109635953A (en) A kind of feature deriving method, device and electronic equipment
CN110874650A (en) Alliance learning method, device and system fusing public domain data and private data
CN111046957B (en) Model embezzlement detection method, model training method and device
US20130182943A1 (en) Systems and methods for depth map generation
Farmer Web reputation systems and the real world
Whittaker et al. Brace yourself! Why managers should adopt a synthetic media incident response playbook in an age of falsity and synthetic media
TW201020968A (en) System, method, and computer program product for preventing display of unwanted content stored in a frame buffer
CN111753729A (en) False face detection method and device, electronic equipment and storage medium
CN111461730B (en) Wind control method, device and system and electronic equipment
CN111275071A (en) Prediction model training method, prediction device and electronic equipment
CN110008714A (en) The method, apparatus and electronic equipment of data encryption based on confrontation neural network
CN112818235B (en) Method and device for identifying illegal user based on association characteristics and computer equipment
CN110443746B (en) Picture processing method and device based on generation countermeasure network and electronic equipment