WO2021051561A1 - Adversarial defense method and apparatus for image classification network, electronic device, and computer-readable storage medium


Info

Publication number
WO2021051561A1
Authority
WO
WIPO (PCT)
Prior art keywords
deep neural
neural network
original image
sample
network
Prior art date
Application number
PCT/CN2019/117649
Other languages
French (fr)
Chinese (zh)
Inventor
王健宗
孔令炜
黄章成
Original Assignee
平安科技(深圳)有限公司
Priority date
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司
Publication of WO2021051561A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks

Abstract

Disclosed are an adversarial defense method and apparatus for an image classification network, an electronic device, and a computer-readable storage medium, belonging to the technical field of image classification. The method comprises: inputting an original image sample and an adversarial attack sample into a deep neural network to extract the input features of target layers of the deep neural network that lie above a predetermined layer depth; generating a loss function of the deep neural network from the input features to serve as an adversarial defense denoiser; denoising the adversarial attack sample with the adversarial defense denoiser to obtain a denoised adversarial attack sample; regularizing the loss function of the deep neural network to obtain a regularized deep neural network; and inputting the original image sample and the denoised adversarial attack sample into the regularized deep neural network to obtain a classification result of the original image. The solution of the present application can effectively improve the defense capability of an image classification deep neural network.

Description

Adversarial defense method, apparatus, electronic device, and computer-readable storage medium for an image classification network
This application claims priority to Chinese patent application No. 201910879339.6, filed on September 18, 2019 and entitled "Adversarial defense method for image classification network and related apparatus", the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the technical field of image classification, and in particular to an adversarial defense method and apparatus for an image classification network, an electronic device, and a computer-readable storage medium.
Background
With the deepening application of deep neural networks in fields such as images, speech, and video, the information-security requirements on them keep rising. The inventors of this application have recognized that although deep neural networks can achieve very high accuracy in image classification, adding even a slight noise perturbation to a sample often causes the network to misclassify it. Because deep neural networks are vulnerable to adversarial examples, their defense capability needs to be improved to reduce the possibility of adversarial examples deceiving the network.
Summary of the invention
To solve the above technical problems, an object of this application is to provide an adversarial defense method and apparatus for an image classification network, an electronic device, and a computer-readable storage medium.
The technical solutions adopted by this application are as follows:
In one aspect, an adversarial defense method for an image classification network comprises: inputting an original image sample and an adversarial attack sample into a deep neural network to extract input features of target layers of the deep neural network above a predetermined layer depth; generating a loss function of the deep neural network from the input features to serve as an adversarial defense denoiser; denoising the adversarial attack sample with the adversarial defense denoiser to obtain a denoised adversarial attack sample; regularizing the loss function of the deep neural network to obtain a regularized deep neural network; and inputting the original image sample and the denoised adversarial attack sample into the regularized deep neural network to obtain a classification result of the original image.
In another aspect, an adversarial defense apparatus for an image classification network comprises: an extraction module, configured to input an original image sample and an adversarial attack sample into a deep neural network to extract input features of target layers of the deep neural network above a predetermined layer depth; a generation module, configured to generate a loss function of the deep neural network from the input features to serve as an adversarial defense denoiser; a denoising module, configured to denoise the adversarial attack sample with the adversarial defense denoiser to obtain a denoised adversarial attack sample; a regularization module, configured to regularize the loss function of the deep neural network to obtain a regularized deep neural network; and a classification module, configured to input the original image sample and the denoised adversarial attack sample into the regularized deep neural network to obtain a classification result of the original image.
In another aspect, an electronic device comprises: a processing unit; and a storage unit for storing an adversarial defense program of an image classification network for the processing unit; wherein the processing unit is configured to execute the adversarial defense program of the image classification network so as to perform the adversarial defense method for an image classification network described above.
In another aspect, a computer-readable storage medium stores an adversarial defense program of an image classification network, and when the adversarial defense program of the image classification network is executed by a processing unit, the adversarial defense method for an image classification network described above is implemented.
In the above technical solutions, by combining high-order features with gradient regularization, the image obtained by denoising the attack sample with the high-order feature loss is input into the gradient-regularized original neural network, which can better improve the defense capability of the deep neural network.
It should be understood that the above general description and the following detailed description are merely exemplary and explanatory, and do not limit this application.
Brief description of the drawings
The accompanying drawings, which are incorporated into and constitute a part of this specification, illustrate embodiments consistent with this application and, together with the specification, serve to explain the principles of this application.
Fig. 1 schematically shows a flowchart of an adversarial defense method for an image classification network.
Fig. 2 schematically shows an example application scenario of an adversarial defense method for an image classification network.
Fig. 3 schematically shows a flowchart of a sample input method.
Fig. 4 schematically shows a block diagram of an adversarial defense apparatus for an image classification network.
Fig. 5 shows a block diagram of an electronic device for implementing the above adversarial defense method for an image classification network, according to an exemplary embodiment.
Fig. 6 shows a schematic diagram of a computer-readable storage medium for implementing the above adversarial defense method for an image classification network, according to an exemplary embodiment.
The above drawings show specific embodiments of this application, which are described in more detail below. These drawings and textual descriptions are not intended to limit the scope of the inventive concept in any way, but rather to explain the concept of this application to those skilled in the art by reference to specific embodiments.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application; on the contrary, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the example embodiments can be implemented in many forms and should not be construed as limited to the examples set forth here; on the contrary, these embodiments are provided so that this application will be more comprehensive and complete and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable way in one or more embodiments.
This example embodiment first provides an adversarial defense method for an image classification network. The method may run on a server, a server cluster, or a cloud server; of course, those skilled in the art may also run the method of this application on other platforms as required, and this is not specially limited in this exemplary embodiment. As shown in Fig. 1, the adversarial defense method for an image classification network may include the following steps:
Step S110: input an original image sample and an adversarial attack sample into a deep neural network to extract input features of target layers of the deep neural network above a predetermined layer depth;
Step S120: generate a loss function of the deep neural network from the input features to serve as an adversarial defense denoiser;
Step S130: denoise the adversarial attack sample with the adversarial defense denoiser to obtain a denoised adversarial attack sample;
Step S140: regularize the loss function of the deep neural network to obtain a regularized deep neural network;
Step S150: input the original image sample and the denoised adversarial attack sample into the regularized deep neural network to obtain a classification result of the original image.
In the above adversarial defense method for an image classification network, first, the original image sample and the adversarial attack sample are input into the deep neural network to extract the input features of the target layers of the deep neural network above a predetermined layer depth; in this way, reference features of sufficiently high order, in which the differences between the two samples are obvious, can be extracted. Then, the loss function of the deep neural network is generated from the input features to serve as the adversarial defense denoiser; generating the loss function from input features with obvious differences effectively guarantees the effect of the neural network model and its optimization objective. Next, the adversarial defense denoiser is used to denoise the adversarial attack sample to obtain the denoised adversarial attack sample; denoising the adversarial attack sample with a denoiser generated from the features of both the adversarial attack sample and the original image sample realizes a defense for the deep neural network in which attack and defense are linked to each other. Then, the loss function of the deep neural network is regularized to obtain the regularized deep neural network; optimizing the parameters through loss-function regularization further guarantees the effect of the deep learning model. Finally, the original image sample and the denoised adversarial attack sample are input into the regularized deep neural network to obtain the classification result of the original image. By combining high-order features with gradient regularization, the image obtained by denoising the attack sample with the high-order feature loss is input into the gradient-regularized original neural network, which can better improve the defense capability of the deep neural network.
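To make the flow of steps S110 to S150 concrete, the following is a minimal, self-contained sketch. It assumes PyTorch and a torchvision ResNet purely for illustration; the helper names, the choice of target layers, and the λ value are assumptions of this sketch, not details fixed by the text.

```python
# Illustrative sketch of steps S110-S150 (assumes PyTorch/torchvision; all
# helper names, layer choices, and constants are placeholders, not the patent's API).
import torch
import torch.nn.functional as F
from torchvision.models import resnet18

def extract_features(model, x, layer_names):
    """S110: record the inputs of the named target layers during a forward pass."""
    feats, hooks = {}, []
    for name, module in model.named_modules():
        if name in layer_names:
            hooks.append(module.register_forward_hook(
                lambda m, inp, out, n=name: feats.__setitem__(n, inp[0])))
    model(x)
    for h in hooks:
        h.remove()
    return [feats[n] for n in layer_names]

def neighborhood_average(x, k=3):
    """S130: replace each pixel by the mean of its k x k neighborhood."""
    return F.avg_pool2d(x, k, stride=1, padding=k // 2)

model = resnet18(num_classes=10).eval()
layers = ["layer3", "layer4"]                         # target layers above the predetermined depth
x = torch.rand(4, 3, 224, 224)                        # original image samples
x_adv = (x + 0.03 * torch.randn_like(x)).clamp(0, 1)  # stand-in adversarial samples

# S120: high-order feature loss L = ||f_l(x') - f_l(x)|| serves as the denoiser criterion.
f_clean = extract_features(model, x, layers)
f_adv = extract_features(model, x_adv, layers)
feature_loss = sum(torch.norm(fa - fc) for fa, fc in zip(f_adv, f_clean))

# S140: regularized objective L(w, b) = R(w, b) + lambda * ||w||^2.
reg_term = 1e-4 * sum(w.pow(2).sum() for w in model.parameters())

# S150: classify the original and the denoised adversarial samples.
x_denoised = neighborhood_average(x_adv)
logits = model(torch.cat([x, x_denoised], dim=0))
```

Each of the pieces shown here is developed in more detail in the corresponding step below.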
Below, the steps of the adversarial defense method for an image classification network in this example embodiment are explained and described in detail with reference to the accompanying drawings.
In step S110, the original image sample and the adversarial attack sample are input into the deep neural network to extract the input features of the target layers of the deep neural network above a predetermined layer depth.
In the implementation of this example, referring to Fig. 2, server 201 crawls the original image sample and the adversarial attack sample from server 202, inputs them into the deep neural network deployed on server 201, and extracts the input features of the target layers of the deep neural network above the predetermined layer depth. In subsequent steps, server 201 can then generate the loss function of the deep neural network from the input features to serve as the adversarial defense denoiser. It can be understood that, in subsequent steps and where conditions permit, the original image sample and the adversarial attack sample may also be obtained directly from the server's own storage space. Server 201 and server 202 may be any devices with processing capability, such as computers, cloud servers, or micro processing units, which are not specially limited here.
The input features of the target layers of the deep neural network above the predetermined layer are the features fed into those layers, counted from low to high, that lie above the predetermined layer when the deep neural network classifies the image sample, for example the high-order features of the high-order convolutional layers of a convolutional neural network. The predetermined layer can be set as required, for example layer 3 or layer 4.
An adversarial attack sample differs very little from the original image at the image level, but the difference is obvious in high-order features, such as those of a convolutional neural network. By extracting the high-order neural network features of the original image sample and the adversarial attack sample and comparing the difference between the two, the defense can be made more robust against different adversarial attacks.
In an embodiment, obtaining the adversarial attack sample includes:
when an original image sample is received, applying noise to the original image sample to obtain an adversarial attack sample corresponding to the original image sample.
Adversarial attack methods are mainly white-box and black-box attacks based on FGSM and I-FGSM. FGSM attacks mainly by adding incremental noise in the gradient direction or by single-pixel modification, thereby inducing the network to misclassify the generated adversarial image. Compared with a white-box attack, a black-box attack does not need to know the specific information of the attacked model; it is applicable across different network models and has better attack transferability.
Applying noise to the original image sample therefore means adding noise by means of an adversarial attack method, obtaining the adversarial attack sample that corresponds to the original image sample, which guarantees the correspondence between the original image and the adversarial attack sample.
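For illustration, a minimal sketch of FGSM and its iterative variant I-FGSM is given below. It assumes PyTorch; model is any differentiable classifier, and the ε and step values are common but hypothetical choices, not values taken from the text.

```python
# Illustrative FGSM / I-FGSM sketch: perturb the input along the sign of the
# loss gradient so that a visually similar sample induces misclassification.
import torch
import torch.nn.functional as F

def fgsm(model, x, y, eps=8 / 255):
    x = x.clone().detach().requires_grad_(True)
    F.cross_entropy(model(x), y).backward()
    return (x + eps * x.grad.sign()).clamp(0, 1).detach()

def i_fgsm(model, x, y, eps=8 / 255, alpha=2 / 255, steps=10):
    x_adv = x.clone().detach()
    for _ in range(steps):
        x_adv.requires_grad_(True)
        F.cross_entropy(model(x_adv), y).backward()
        step = alpha * x_adv.grad.sign()
        # Take a small gradient step, then project back into the eps-ball around x.
        x_adv = (x + (x_adv + step - x).clamp(-eps, eps)).clamp(0, 1).detach()
    return x_adv
```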
In an embodiment, obtaining the adversarial attack samples includes:
when an original image sample is received, adding noise to the original image sample by noise-adding means corresponding to multiple deep neural networks to obtain multiple adversarial attack samples;
the inputting of the original image sample and the adversarial attack samples into the deep neural network to extract the input features of the target layers of the deep neural network above the predetermined layer depth includes:
inputting the original image sample and each adversarial attack sample into the deep neural network separately, and extracting the sub-input features of the target layers of the deep neural network above the predetermined layer depth for each;
obtaining the set of all sub-input features as the input features.
The noise-adding means of multiple deep neural networks are multiple adversarial attack methods. Adding noise to the original image sample with multiple adversarial attack methods in turn yields multiple adversarial attack samples, so the attack means of multiple networks (networks such as ResNet, Inception, and NASNet) can be combined to obtain multiple adversarial images of the original image. Then the original image sample and each adversarial attack sample are input into the deep neural network, the sub-input features of the target layers above the predetermined layer depth are extracted for each, and the set of sub-input features is taken as the input features. Extracting a set of high-order features to determine the loss-function setting of the deep neural network in subsequent steps ensures that the defense model generalizes better. At the same time, the neural networks to which denoising with the adversarial defense denoiser derived from high-order feature differences applies are not limited to the current network, and the scheme offers broad resistance against attacks of the same kind.
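A sketch of the multi-network idea follows: one adversarial sample is generated per source network, and the whole set is kept for sub-input feature extraction. It assumes PyTorch/torchvision and repeats the FGSM sketch inline so the block stands alone; Inception or NASNet source models would plug in the same way.

```python
# Illustrative: generate one adversarial sample per source network, then keep
# the whole set of samples for sub-input feature extraction.
import torch
import torch.nn.functional as F
from torchvision.models import resnet18, resnet50

def fgsm(model, x, y, eps=8 / 255):
    x = x.clone().detach().requires_grad_(True)
    F.cross_entropy(model(x), y).backward()
    return (x + eps * x.grad.sign()).clamp(0, 1).detach()

source_models = [resnet18().eval(), resnet50().eval()]  # Inception/NASNet would plug in here
x = torch.rand(2, 3, 224, 224)                          # original image samples
y = torch.randint(0, 1000, (2,))                        # stand-in labels
adv_set = [fgsm(m, x, y) for m in source_models]        # one adversarial sample per attack
```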
In an embodiment, obtaining the adversarial attack sample includes:
when an original image sample is received, adding noise to the original image sample by combining the noise-adding means of multiple deep neural networks to obtain an adversarial attack sample;
the inputting of the original image sample and the adversarial attack sample into the deep neural network to extract the input features of the target layers of the deep neural network above the predetermined layer depth includes:
inputting the original image sample and the adversarial attack sample into the deep neural network, and extracting the input features of the target layers of the deep neural network above the predetermined layer depth.
In this way, after the attack means of multiple networks (networks such as ResNet, Inception, and NASNet) are combined to obtain the adversarial image of the original image, the sum of the high-order features of the target layers above the predetermined layer depth can be extracted to determine the loss-function setting of the deep neural network in subsequent steps. This further ensures that the defense model generalizes better. At the same time, the neural networks to which denoising with the adversarial defense denoiser derived from high-order feature differences applies are not limited to the current network, and the scheme offers broader resistance against attacks of the same kind.
In an embodiment, referring to Fig. 3, inputting the original image sample and the adversarial attack sample into the deep neural network includes:
Step S310: adjusting the network parameters of the original image sample and the adversarial attack sample to be consistent;
Step S320: inputting the original image sample and the adversarial attack sample, with their network parameters adjusted to be consistent, into the deep neural network.
The network parameters are parameters such as the number of samples, sample height, sample width, and sample depth (corresponding to the number of image channels). Adjusting the network parameters of the original image sample and the adversarial attack sample to be consistent guarantees the comparability of the two kinds of samples input into the deep neural network.
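As an illustration of what consistent network parameters can look like in practice, the sketch below (assuming PyTorch; the target size is an arbitrary example) brings both batches to the same batch size, spatial size, and channel count before they enter the network:

```python
# Illustrative: align batch size, height, width, and channel count of the two
# sample batches so they are directly comparable inside the network.
import torch.nn.functional as F

def align(x, x_adv, size=(224, 224)):
    n = min(x.shape[0], x_adv.shape[0])                  # same number of samples
    x, x_adv = x[:n], x_adv[:n]
    x = F.interpolate(x, size=size, mode="bilinear", align_corners=False)
    x_adv = F.interpolate(x_adv, size=size, mode="bilinear", align_corners=False)
    assert x.shape == x_adv.shape                        # same length, width, and depth
    return x, x_adv
```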
In an embodiment, inputting the original image sample and the adversarial attack sample into the deep neural network to extract the input features of the target layers of the deep neural network above the predetermined layer includes:
inputting the original image sample into the deep neural network, and extracting the first network features of the original image sample at the target layers of the deep neural network;
inputting the adversarial attack sample into the deep neural network, and extracting the second network features of the adversarial attack sample at the target layers of the deep neural network;
generating the input features from the first network features and the second network features.
In step S120, the loss function of the deep neural network is generated from the input features to serve as the adversarial defense denoiser.
In the implementation of this example, the effect of the neural network model and its optimization objective are defined by the loss function. From the input features of the target layers of the deep neural network above the predetermined layer obtained in the above step, and exploiting the property that the high-order input features (the input features of the target layers above the predetermined layer) differ markedly, the loss function of the deep learning network is generated, which can make the effect of the neural network model corresponding to the loss function and its optimization objective more pronounced. The generated loss function of the deep learning network may be, for example, a mean absolute error loss function or a cross-entropy loss function generated from the adversarial features of the adversarial attack sample at the predetermined layer of the deep neural network and the original features of the original image sample at the predetermined layer, both extracted from the input features.
In an embodiment, generating the loss function of the deep neural network from the input features to serve as the adversarial defense denoiser includes:
generating the loss function of the deep neural network according to the formula L = ||f_l(x') - f_l(x)|| to serve as the adversarial defense denoiser, where f_l(x') is the network feature, extracted from the input features, of the adversarial attack sample at the predetermined layer l of the deep neural network; f_l(x) is the network feature, extracted from the input features, of the original image sample at the predetermined layer l of the deep neural network; and L = ||f_l(x') - f_l(x)|| represents the loss value of the network features of the original image sample relative to the network features of the adversarial attack sample.
This forces the deep neural network, when classifying, not to deviate from the difference between the network features f_l(x) of the original image sample and the adversarial features f_l(x') of the adversarial attack sample, which imposes an effective constraint on the deep learning network and effectively guarantees the effect of the neural network model and its optimization objective.
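One natural way to realize "the loss function serves as the denoiser" is to use L = ||f_l(x') - f_l(x)|| as the training objective of a learned denoising network, in the spirit of feature-guided denoisers. The sketch below (assuming PyTorch/torchvision) does exactly that; the tiny convolutional denoiser, the choice of layer l as a ResNet stage, and the toy training loop are assumptions of this sketch, not structures specified by the text.

```python
# Illustrative: train a small denoiser D so that the high-order features of the
# denoised attack sample match those of the original sample, minimizing
# L = ||f_l(D(x')) - f_l(x)||.
import torch
import torch.nn as nn
from torchvision.models import resnet18

# Frozen feature extractor f_l: a ResNet truncated after layer3 (assumed choice of l).
f_l = nn.Sequential(*list(resnet18().children())[:7]).eval()
for p in f_l.parameters():
    p.requires_grad_(False)

denoiser = nn.Sequential(                                # assumed tiny denoiser architecture
    nn.Conv2d(3, 16, 3, padding=1), nn.ReLU(),
    nn.Conv2d(16, 3, 3, padding=1),
)
opt = torch.optim.Adam(denoiser.parameters(), lr=1e-3)

x = torch.rand(4, 3, 224, 224)                           # original image samples
x_adv = (x + 0.03 * torch.randn_like(x)).clamp(0, 1)     # stand-in adversarial samples

for _ in range(100):                                     # toy training loop
    opt.zero_grad()
    loss = torch.norm(f_l(denoiser(x_adv)) - f_l(x))     # L = ||f_l(x') - f_l(x)||
    loss.backward()
    opt.step()
```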
In step S130, the adversarial defense denoiser is used to denoise the adversarial attack sample to obtain the denoised adversarial attack sample.
In the implementation of this example, denoising the adversarial attack sample with the above adversarial defense denoiser is done, for example, by the neighborhood averaging method, which assigns the average value of a pixel and all pixels in its neighborhood to the corresponding pixel of the output image, making the samples input into the deep learning network smoother and defending against attacks on the image samples. It can be understood that denoising may also be performed by the median filtering method. Because the above adversarial defense denoiser is obtained from the difference between the adversarial features of the adversarial attack sample at the predetermined layer of the deep neural network and the original features of the original image sample at the predetermined layer, both extracted from the input features, i.e. from the high-order feature difference, denoising the adversarial attack sample with the adversarial defense denoiser links the adversarial attack and the defense means together and increases the correlation between the two, so the defense can adapt well to new attack methods.
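For concreteness, minimal sketches of the two classical filters mentioned here are given below (assuming PyTorch; the 3x3 kernel size is an illustrative choice):

```python
# Illustrative: neighborhood averaging and median filtering as simple denoising
# operators applied to the adversarial sample.
import torch
import torch.nn.functional as F

def neighborhood_average(x, k=3):
    # Each output pixel is the mean of its k x k neighborhood.
    return F.avg_pool2d(x, k, stride=1, padding=k // 2)

def median_filter(x, k=3):
    # Unfold k x k patches and take the per-patch median.
    n, c, h, w = x.shape
    patches = F.unfold(F.pad(x, [k // 2] * 4, mode="reflect"), k)
    patches = patches.view(n, c, k * k, h * w)
    return patches.median(dim=2).values.view(n, c, h, w)
```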
In step S140, the loss function of the deep neural network is regularized to obtain the regularized deep neural network.
In the implementation of this example, regularization means constraining the parameters of the loss function. Since the effect of the neural network model and its optimization objective are defined by the loss function, regularization keeps the weights as small as possible while the loss function is fitted, finally constructing a network model in which all parameters are relatively small. A model with small parameter values is relatively simple, can adapt to different data sets, and avoids over-fitting to a certain extent. Regularizing via the loss function corresponding to the extracted high-order input features forms a gradient regularization process, which effectively guarantees the classification accuracy of the deep learning network. The regularization method may be, for example, L1 regularization or L2 regularization.
In an embodiment, regularizing the loss function of the deep neural network to obtain the regularized deep neural network includes:
regularizing the loss function of the deep neural network according to the formula L(ω, b) = R(ω, b) + λ||ω||² to obtain the regularized deep neural network, where L(ω, b) is the regularized loss function, R(ω, b) is the loss function before regularization, λ||ω||² is the regularization term, and λ is the regularization coefficient.
The regularization coefficient is a value less than 1, and the regularization term λ||ω||² thus constrains the parameters ω of the loss function.
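A minimal sketch of the L2-regularized objective L(ω, b) = R(ω, b) + λ||ω||² follows (assuming PyTorch; the λ value is illustrative, and biases b are excluded from the penalty since the formula penalizes ω only):

```python
# Illustrative: add the penalty lambda * ||w||^2 to the task loss R(w, b).
def regularized_loss(task_loss, model, lam=1e-4):        # lam < 1, illustrative value
    l2 = sum(w.pow(2).sum()
             for name, w in model.named_parameters()
             if "bias" not in name)                      # penalize weights w, not biases b
    return task_loss + lam * l2

# A similar effect is commonly obtained through the optimizer's weight_decay
# argument, e.g. torch.optim.SGD(model.parameters(), lr=0.1, weight_decay=1e-4).
```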
In step S150, the original image sample and the denoised adversarial attack sample are input into the regularized deep neural network to obtain the classification result of the original image.
In the embodiments of this application, by combining high-order input-feature extraction with gradient regularization, the adversarial attack sample obtained by denoising the attack sample through the high-order feature loss and the original image sample are input into the gradient-regularized original neural network to complete the classification of the original image, which can better improve the defense capability of the deep neural network.
In related methods, adversarial attacks are mainly white-box and black-box attacks based on FGSM and I-FGSM. FGSM mainly adds incremental noise in the gradient direction, thereby inducing the network to misclassify the generated adversarial image. Compared with a white-box attack, a black-box attack does not need to know the specific information of the attacked model; it is applicable across different network models and has better attack transferability. However, current adversarial attacks and defense means are often independent of each other and lack correlation, so the defense means cannot adapt well to new attack methods and classification errors result.
The embodiments of this application are based on the observation that an adversarial attack sample differs very little from the original image at the image level, while the difference in the high-order features of a convolutional neural network is obvious. By comparing the difference between the high-order neural network features of the adversarial attack sample and the original image, this method is more robust against different adversarial attacks;
the neural networks to which denoising via high-order feature differences applies are not limited to the current network, which gives the scheme broader applicability against attacks of the same kind;
by combining high-order features with gradient regularization, the image obtained by denoising the attack sample with the high-order feature loss is input into the gradient-regularized original neural network, which better improves the defense capability.
This application also provides an adversarial defense apparatus for an image classification network. Referring to Fig. 4, the adversarial defense apparatus of the image classification network may include an extraction module 410, a generation module 420, a denoising module 430, a regularization module 440, and a classification module 450. Specifically:
the extraction module 410 is configured to input the original image sample and the adversarial attack sample into the deep neural network to extract the input features of the target layers of the deep neural network above the predetermined layer depth;
the generation module 420 is configured to generate the loss function of the deep neural network from the input features to serve as the adversarial defense denoiser;
the denoising module 430 is configured to denoise the adversarial attack sample with the adversarial defense denoiser to obtain the denoised adversarial attack sample;
the regularization module 440 is configured to regularize the loss function of the deep neural network to obtain the regularized deep neural network;
the classification module 450 inputs the original image sample and the denoised adversarial attack sample into the regularized deep neural network to obtain the classification result of the original image.
The specific details of each module in the above adversarial defense apparatus for an image classification network have already been described in detail in the corresponding adversarial defense method for an image classification network, so they are not repeated here.
It should be noted that although several modules or units of the device for performing actions are mentioned in the above detailed description, this division is not mandatory. In fact, according to the embodiments of this application, the features and functions of two or more of the modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one of the modules or units described above may be further divided so as to be embodied by multiple modules or units.
In addition, although the steps of the method of this application are described in a specific order in the drawings, this does not require or imply that the steps must be performed in that specific order, or that all the steps shown must be performed to achieve the desired result. Additionally or alternatively, some steps may be omitted, multiple steps may be combined into one step, and/or one step may be decomposed into multiple steps, and so on.
Through the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here may be implemented in software, or in software combined with the necessary hardware. Therefore, the technical solution according to the embodiments of this application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) or on a network, and which includes several instructions to cause a computing device (which may be a personal computer, a server, a mobile terminal, a network device, etc.) to execute the method according to the embodiments of this application.
In an exemplary embodiment of this application, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will understand that various aspects of this application may be implemented as a system, a method, or a program product. Therefore, various aspects of this application may be embodied in the following forms: an entirely hardware implementation, an entirely software implementation (including firmware, microcode, etc.), or an implementation combining hardware and software, which may be collectively referred to here as a "circuit", "module", or "system".
The electronic device 500 according to this embodiment of the application is described below with reference to Fig. 5. The electronic device 500 shown in Fig. 5 is merely an example and should not impose any limitation on the functions or scope of use of the embodiments of this application.
As shown in Fig. 5, the electronic device 500 takes the form of a general-purpose computing device. The components of the electronic device 500 may include, but are not limited to: the above-mentioned at least one processing unit 510, the above-mentioned at least one storage unit 520, and a bus 530 connecting different system components (including the storage unit 520 and the processing unit 510).
The storage unit stores program code that can be executed by the processing unit 510, so that the processing unit 510 performs the steps according to the various exemplary embodiments of this application described in the "Exemplary method" section of this specification. For example, the processing unit 510 may perform step S110 as shown in Fig. 1: input the original image sample and the adversarial attack sample into the deep neural network to extract the input features of the target layers of the deep neural network above the predetermined layer depth; step S120: generate the loss function of the deep neural network from the input features to serve as the adversarial defense denoiser; step S130: denoise the adversarial attack sample with the adversarial defense denoiser to obtain the denoised adversarial attack sample; step S140: regularize the loss function of the deep neural network to obtain the regularized deep neural network; step S150: input the original image sample and the denoised adversarial attack sample into the regularized deep neural network to obtain the classification result of the original image.
The storage unit 520 may include a readable medium in the form of a volatile storage unit, such as a random access memory (RAM) 5201 and/or a cache storage unit 5202, and may further include a read-only memory (ROM) 5203.
The storage unit 520 may also include a program/utility 5204 having a set of (at least one) program modules 5205. Such program modules 5205 include, but are not limited to: an operating system, one or more application programs, other program modules, and program data; each or some combination of these examples may include an implementation of a network environment.
The bus 530 may represent one or more of several types of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus structures.
The electronic device 500 may also communicate with one or more external devices 700 (such as a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a client to interact with the electronic device 500, and/or with any device (such as a router, a modem, etc.) that enables the electronic device 500 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 550. The electronic device 500 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN), and/or a public network such as the Internet) through a network adapter 560. As shown in the figure, the network adapter 560 communicates with the other modules of the electronic device 500 through the bus 530. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with the electronic device 500, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
Through the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here may be implemented in software, or in software combined with the necessary hardware. Therefore, the technical solution according to the embodiments of this application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) or on a network, and which includes several instructions to cause a computing device (which may be a personal computer, a server, a terminal apparatus, a network device, etc.) to execute the method according to the embodiments of this application.
In an exemplary embodiment of this application, referring to Fig. 6, a computer-readable storage medium is also provided, on which a program product capable of implementing the above method of this specification is stored; the computer-readable storage medium may be a computer non-volatile readable storage medium. In some possible implementations, various aspects of this application may also be implemented in the form of a program product, which includes program code; when the program product runs on a terminal device, the program code causes the terminal device to perform the steps according to the various exemplary embodiments of this application described in the "Exemplary method" section of this specification.
Referring to Fig. 6, a program product 600 for implementing the above method according to an embodiment of this application is described. It may take the form of a portable compact disc read-only memory (CD-ROM), include program code, and run on a terminal device such as a personal computer. However, the program product of this application is not limited to this; in this document, a readable storage medium may be any tangible medium that contains or stores a program, and the program may be used by or in combination with an instruction execution system, apparatus, or device.
The program product may use any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, in which readable program code is carried. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. The readable signal medium may also be any readable medium other than a readable storage medium, and the readable medium can send, propagate, or transmit a program for use by or in combination with an instruction execution system, apparatus, or device.
The program code contained on the readable medium may be transmitted over any appropriate medium, including but not limited to wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
Program code for performing the operations of this application may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the client computing device, partly on the client device, as a stand-alone software package, partly on the client computing device and partly on a remote computing device, or entirely on the remote computing device or server. Where a remote computing device is involved, the remote computing device may be connected to the client computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
In addition, the above drawings are merely schematic illustrations of the processing included in the method according to the exemplary embodiments of this application and are not intended to be limiting. It is easy to understand that the processing shown in the above drawings does not indicate or limit the temporal order of these processes. It is also easy to understand that these processes may be performed, for example, synchronously or asynchronously in multiple modules.
After considering the specification and practicing the invention disclosed here, those skilled in the art will readily conceive of other embodiments of this application. This application is intended to cover any variations, uses, or adaptive changes of this application that follow the general principles of this application and include common knowledge or customary technical means in this technical field that are not disclosed in this application. The specification and the embodiments are to be regarded as exemplary only, and the true scope and spirit of this application are indicated by the claims.

Claims (22)

  1. An adversarial defense method for an image classification network, comprising:
    inputting an original image sample and an adversarial attack sample into a deep neural network to extract input features of target layers of the deep neural network above a predetermined layer depth;
    generating a loss function of the deep neural network from the input features to serve as an adversarial defense denoiser;
    denoising the adversarial attack sample with the adversarial defense denoiser to obtain a denoised adversarial attack sample;
    regularizing the loss function of the deep neural network to obtain a regularized deep neural network;
    inputting the original image sample and the denoised adversarial attack sample into the regularized deep neural network to obtain a classification result of the original image.
  2. The method according to claim 1, wherein the adversarial attack sample comprises:
    when an original image sample is received, applying noise to the original image sample to obtain an adversarial attack sample corresponding to the original image sample.
  3. The method according to claim 1, wherein the adversarial attack samples comprise:
    when an original image sample is received, adding noise to the original image sample by noise-adding means corresponding to multiple deep neural networks to obtain multiple adversarial attack samples;
    the inputting of the original image sample and the adversarial attack samples into the deep neural network to extract the input features of the target layers of the deep neural network above the predetermined layer depth comprises:
    inputting the original image sample and each of the adversarial attack samples into the deep neural network separately, and extracting sub-input features of the target layers of the deep neural network above the predetermined layer depth for each;
    obtaining the set of all sub-input features as the input features.
  4. The method according to claim 1, wherein the inputting of the original image sample and the adversarial attack sample into the deep neural network comprises:
    adjusting network parameters of the original image sample and the adversarial attack sample to be consistent; and
    inputting the original image sample and the adversarial attack sample with the consistent network parameters into the deep neural network.
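One plausible reading of claim 4's "adjusting the network parameters ... to be consistent" is giving both samples identical input preprocessing before they enter the network. The helper below is a hypothetical sketch of that reading; the size and normalization constants are placeholders:

```python
import torch
import torch.nn.functional as F

def make_consistent(x, x_adv, size=(32, 32), mean=0.5, std=0.5):
    """One possible reading of claim 4: align shape, dtype and normalization
    so both samples match the parameters the network expects."""
    def prep(t):
        t = t.float()
        t = F.interpolate(t, size=size, mode="bilinear", align_corners=False)
        return (t - mean) / std
    return prep(x), prep(x_adv)

x, x_adv = make_consistent(torch.rand(1, 3, 64, 64),
                           torch.rand(1, 3, 64, 64))
# Both tensors now share shape, dtype and value range and can be fed in together.
```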
  5. The method according to claim 1, wherein the generating of the loss function of the deep neural network according to the input features to serve as the adversarial defense denoiser comprises:
    generating the loss function of the deep neural network as the adversarial defense denoiser according to the formula L = ||f_l(x') − f_l(x)||, wherein f_l(x') is the network feature, extracted from the input features, of the adversarial attack sample at a predetermined layer of the deep neural network, f_l(x) is the network feature, extracted from the input features, of the original image sample at the predetermined layer of the deep neural network, and L = ||f_l(x') − f_l(x)|| represents the loss value of the original image sample's network feature relative to the adversarial attack sample's network feature.
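A worked numeric instance of the claim-5 formula, assuming the otherwise unspecified norm ||·|| is the L2 norm:

```python
import torch

f_l_x     = torch.tensor([1.0, 2.0, 3.0])   # f_l(x): clean feature at layer l
f_l_x_adv = torch.tensor([1.5, 1.0, 3.5])   # f_l(x'): adversarial feature at layer l

L = torch.norm(f_l_x_adv - f_l_x)           # L = ||f_l(x') - f_l(x)||
print(L)                                    # tensor(1.2247) = sqrt(0.25 + 1 + 0.25)
```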
  6. The method according to claim 1, wherein the regularizing of the loss function of the deep neural network to obtain the regularized deep neural network comprises:
    regularizing the loss function of the deep neural network according to the formula L(ω, b) = R(ω, b) + λ||ω||² to obtain the regularized deep neural network, wherein L(ω, b) is the loss function after regularization, R(ω, b) is the loss function before regularization, λ||ω||² is the regularization term, and λ is the regularization coefficient.
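A minimal sketch of the claim-6 regularization applied to a cross-entropy loss, assuming PyTorch; R(ω, b), λ, and the exclusion of the bias b from ||ω||² follow the formula as written:

```python
import torch
import torch.nn as nn
import torch.nn.functional as F

lin = nn.Linear(4, 2)                 # weights w and bias b
x = torch.rand(8, 4)
y = torch.randint(0, 2, (8,))

R = F.cross_entropy(lin(x), y)        # R(w, b): loss before regularization
lam = 1e-3                            # regularization coefficient lambda
l2 = lin.weight.pow(2).sum()          # ||w||^2 (bias b excluded, as in the formula)
L = R + lam * l2                      # L(w, b) = R(w, b) + lambda * ||w||^2
L.backward()
```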
  7. The method according to claim 1, wherein the inputting of the original image sample and the adversarial attack sample into the deep neural network to extract the input features of the target layers of the deep neural network above a predetermined number of layers comprises:
    inputting the original image sample into the deep neural network, and extracting a first network feature of the original image sample at the target layer of the deep neural network;
    inputting the adversarial attack sample into the deep neural network, and extracting a second network feature of the adversarial attack sample at the target layer of the deep neural network; and
    generating the input features according to the first network feature and the second network feature.
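One way to realize the two feature extractions of claim 7 is a forward hook on the target layer; the hook mechanism is an assumption of this sketch, not something the claim prescribes:

```python
import torch
import torch.nn as nn

net = nn.Sequential(nn.Linear(8, 16), nn.ReLU(), nn.Linear(16, 4))
target_layer = net[2]                               # the "target layer"

captured = []
hook = target_layer.register_forward_hook(
    lambda m, inp, out: captured.append(inp[0]))    # the layer's input feature

x, x_adv = torch.rand(2, 8), torch.rand(2, 8)       # original / adversarial samples
net(x)
first_feature = captured.pop()                      # first network feature, from x
net(x_adv)
second_feature = captured.pop()                     # second network feature, from x'
hook.remove()

input_features = (first_feature, second_feature)    # generated from both features
```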
  8. An adversarial defense apparatus for an image classification network, comprising:
    an extraction module, configured to input an original image sample and an adversarial attack sample into a deep neural network to extract input features of target layers of the deep neural network above a predetermined number of layers;
    a generating module, configured to generate a loss function of the deep neural network according to the input features to serve as an adversarial defense denoiser;
    a denoising module, configured to denoise the adversarial attack sample by using the adversarial defense denoiser to obtain a denoised adversarial attack sample;
    a regularization module, configured to regularize the loss function of the deep neural network to obtain a regularized deep neural network; and
    a classification module, configured to input the original image sample and the denoised adversarial attack sample into the regularized deep neural network to obtain a classification result of the original image.
  9. The apparatus according to claim 8, wherein the adversarial attack sample is obtained by:
    when the original image sample is received, applying noise to the original image sample to obtain the adversarial attack sample corresponding to the original image sample.
  10. The apparatus according to claim 8, wherein the adversarial attack sample is obtained by:
    when the original image sample is received, adding noise to the original image sample by using noise-adding means corresponding to a plurality of deep neural networks to obtain a plurality of adversarial attack samples;
    wherein the inputting of the original image sample and the adversarial attack samples into the deep neural network to extract the input features of the target layers of the deep neural network above a predetermined number of layers comprises:
    inputting the original image sample and each of the adversarial attack samples into the deep neural network respectively, and extracting sub-input features of the target layers of the deep neural network above a predetermined number of layers for each sample; and
    obtaining a set of all the sub-input features as the input features.
  11. The apparatus according to claim 8, wherein the extraction module is configured to:
    adjust network parameters of the original image sample and the adversarial attack sample to be consistent; and
    input the original image sample and the adversarial attack sample with the consistent network parameters into the deep neural network.
  12. The apparatus according to claim 8, wherein the generating module is configured to:
    generate the loss function of the deep neural network as the adversarial defense denoiser according to the formula L = ||f_l(x') − f_l(x)||, wherein f_l(x') is the network feature, extracted from the input features, of the adversarial attack sample at a predetermined layer of the deep neural network, f_l(x) is the network feature, extracted from the input features, of the original image sample at the predetermined layer of the deep neural network, and L = ||f_l(x') − f_l(x)|| represents the loss value of the original image sample's network feature relative to the adversarial attack sample's network feature.
  13. The apparatus according to claim 8, wherein the classification module is configured to:
    regularize the loss function of the deep neural network according to the formula L(ω, b) = R(ω, b) + λ||ω||² to obtain the regularized deep neural network, wherein L(ω, b) is the loss function after regularization, R(ω, b) is the loss function before regularization, λ||ω||² is the regularization term, and λ is the regularization coefficient.
  14. The apparatus according to claim 8, wherein the extraction module is configured to:
    input the original image sample into the deep neural network, and extract a first network feature of the original image sample at the target layer of the deep neural network;
    input the adversarial attack sample into the deep neural network, and extract a second network feature of the adversarial attack sample at the target layer of the deep neural network; and
    generate the input features according to the first network feature and the second network feature.
  15. An electronic device, comprising: a processing unit; and a storage unit storing an adversarial defense program of an image classification network for the processing unit; wherein the processing unit is configured to perform the following processing by executing the adversarial defense program of the image classification network:
    inputting an original image sample and an adversarial attack sample into a deep neural network to extract input features of target layers of the deep neural network above a predetermined number of layers;
    generating a loss function of the deep neural network according to the input features to serve as an adversarial defense denoiser;
    denoising the adversarial attack sample by using the adversarial defense denoiser to obtain a denoised adversarial attack sample;
    regularizing the loss function of the deep neural network to obtain a regularized deep neural network; and
    inputting the original image sample and the denoised adversarial attack sample into the regularized deep neural network to obtain a classification result of the original image.
  16. The electronic device according to claim 15, wherein the adversarial attack sample is obtained by:
    when the original image sample is received, applying noise to the original image sample to obtain the adversarial attack sample corresponding to the original image sample.
  17. The electronic device according to claim 15, wherein the adversarial attack sample is obtained by:
    when the original image sample is received, adding noise to the original image sample by using noise-adding means corresponding to a plurality of deep neural networks to obtain a plurality of adversarial attack samples;
    wherein the inputting of the original image sample and the adversarial attack samples into the deep neural network to extract the input features of the target layers of the deep neural network above a predetermined number of layers comprises:
    inputting the original image sample and each of the adversarial attack samples into the deep neural network respectively, and extracting sub-input features of the target layers of the deep neural network above a predetermined number of layers for each sample; and
    obtaining a set of all the sub-input features as the input features.
  18. The electronic device according to claim 15, wherein the inputting of the original image sample and the adversarial attack sample into the deep neural network comprises:
    adjusting network parameters of the original image sample and the adversarial attack sample to be consistent; and
    inputting the original image sample and the adversarial attack sample with the consistent network parameters into the deep neural network.
  19. The electronic device according to claim 15, wherein the generating of the loss function of the deep neural network according to the input features to serve as the adversarial defense denoiser comprises:
    generating the loss function of the deep neural network as the adversarial defense denoiser according to the formula L = ||f_l(x') − f_l(x)||, wherein f_l(x') is the network feature, extracted from the input features, of the adversarial attack sample at a predetermined layer of the deep neural network, f_l(x) is the network feature, extracted from the input features, of the original image sample at the predetermined layer of the deep neural network, and L = ||f_l(x') − f_l(x)|| represents the loss value of the original image sample's network feature relative to the adversarial attack sample's network feature.
  20. The electronic device according to claim 15, wherein the regularizing of the loss function of the deep neural network to obtain the regularized deep neural network comprises:
    regularizing the loss function of the deep neural network according to the formula L(ω, b) = R(ω, b) + λ||ω||² to obtain the regularized deep neural network, wherein L(ω, b) is the loss function after regularization, R(ω, b) is the loss function before regularization, λ||ω||² is the regularization term, and λ is the regularization coefficient.
  21. The electronic device according to claim 15, wherein the inputting of the original image sample and the adversarial attack sample into the deep neural network to extract the input features of the target layers of the deep neural network above a predetermined number of layers comprises:
    inputting the original image sample into the deep neural network, and extracting a first network feature of the original image sample at the target layer of the deep neural network;
    inputting the adversarial attack sample into the deep neural network, and extracting a second network feature of the adversarial attack sample at the target layer of the deep neural network; and
    generating the input features according to the first network feature and the second network feature.
  22. A computer-readable storage medium having stored thereon an adversarial defense program of an image classification network, wherein the adversarial defense program of the image classification network, when executed by a processing unit, performs the method according to any one of claims 1 to 7.
PCT/CN2019/117649 2019-09-18 2019-11-12 Adversarial defense method and apparatus for image classification network, electronic device, and computer-readable storage medium WO2021051561A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910879339.6 2019-09-18
CN201910879339.6A CN110717522A (en) 2019-09-18 2019-09-18 Countermeasure defense method of image classification network and related device

Publications (1)

Publication Number Publication Date
WO2021051561A1

Family

ID=69209911

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/117649 WO2021051561A1 (en) 2019-09-18 2019-11-12 Adversarial defense method and apparatus for image classification network, electronic device, and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN110717522A (en)
WO (1) WO2021051561A1 (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111507262B (en) * 2020-04-17 2023-12-08 北京百度网讯科技有限公司 Method and apparatus for detecting living body
CN111695596A (en) * 2020-04-30 2020-09-22 华为技术有限公司 Neural network for image processing and related equipment
CN111783085B (en) * 2020-06-29 2023-08-22 浙大城市学院 Defense method and device for resisting sample attack and electronic equipment
CN111783890B (en) * 2020-07-02 2022-06-03 电子科技大学 Small pixel countermeasure sample defense method for image recognition process
CN111915486B (en) * 2020-07-30 2022-04-22 西华大学 Confrontation sample defense method based on image super-resolution reconstruction
CN111783742A (en) * 2020-07-30 2020-10-16 支付宝(杭州)信息技术有限公司 Image classification method for defending against attack, service decision method and device
CN112287943A (en) * 2020-09-28 2021-01-29 北京航空航天大学 Anti-attack defense method based on image enhancement technology
CN112364885B (en) * 2020-10-12 2022-10-11 浙江大学 Confrontation sample defense method based on interpretability of deep neural network model
CN112579808B (en) * 2020-12-29 2023-07-18 上海赛图默飞医疗科技有限公司 Data annotation processing method, device and system
CN112766324B (en) * 2021-01-02 2024-02-02 西安电子科技大学 Image countermeasure sample detection method, system, storage medium, terminal and application
CN113222960B (en) * 2021-05-27 2022-06-03 哈尔滨工程大学 Deep neural network confrontation defense method, system, storage medium and equipment based on feature denoising
CN113313132B (en) * 2021-07-30 2021-11-09 中国科学院自动化研究所 Determination method and device for confrontation sample image, electronic equipment and storage medium
CN113822328B (en) * 2021-08-05 2022-09-16 厦门市美亚柏科信息股份有限公司 Image classification method for defending against sample attack, terminal device and storage medium
KR20240015472A (en) * 2022-07-27 2024-02-05 숭실대학교산학협력단 An adversarial learning apparetus for simultaneously training a denoising network and a deep neural network and method therefore, and computer readable recording medium for executing the same method
CN117408907B (en) * 2023-12-15 2024-03-22 齐鲁空天信息研究院 Method and device for improving image countermeasure capability and electronic equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10636141B2 (en) * 2017-02-09 2020-04-28 Siemens Healthcare Gmbh Adversarial and dual inverse deep learning networks for medical image analysis
JP2019079374A (en) * 2017-10-26 2019-05-23 株式会社Preferred Networks Image processing system, image processing method, and image processing program
CN109948663B (en) * 2019-02-27 2022-03-15 天津大学 Step-length self-adaptive attack resisting method based on model extraction

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107103590A (en) * 2017-03-22 2017-08-29 华南理工大学 A kind of image for resisting generation network based on depth convolution reflects minimizing technology
CN109658401A (en) * 2018-12-14 2019-04-19 上海商汤智能科技有限公司 Image processing method and device, electronic equipment and storage medium
US20190156183A1 (en) * 2018-12-27 2019-05-23 David M. Durham Defending neural networks by randomizing model weights

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LIAO FANGZHOU; LIANG MING; DONG YINPENG; PANG TIANYU; HU XIAOLIN; ZHU JUN: "Defense Against Adversarial Attacks Using High-Level Representation Guided Denoiser", 2018 IEEE/CVF CONFERENCE ON COMPUTER VISION AND PATTERN RECOGNITION, IEEE, 18 June 2018 (2018-06-18), pages 1778 - 1787, XP033476142, DOI: 10.1109/CVPR.2018.00191 *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220114259A1 (en) * 2020-10-13 2022-04-14 International Business Machines Corporation Adversarial interpolation backdoor detection
WO2022218188A1 (en) * 2021-04-16 2022-10-20 华为技术有限公司 Attack sample management method and device
CN113283540A (en) * 2021-06-11 2021-08-20 浙江工业大学 Depth map classification model defense method based on map compression
CN113283540B (en) * 2021-06-11 2024-03-26 浙江工业大学 Depth map classification model defense method based on map compression
CN114724014A (en) * 2022-06-06 2022-07-08 杭州海康威视数字技术股份有限公司 Anti-sample attack detection method and device based on deep learning and electronic equipment
CN114724014B (en) * 2022-06-06 2023-06-30 杭州海康威视数字技术股份有限公司 Deep learning-based method and device for detecting attack of countered sample and electronic equipment
CN115294386B (en) * 2022-07-06 2023-11-24 南通大学 Image classification method based on regularization supervision loss function
CN115294386A (en) * 2022-07-06 2022-11-04 南通大学 Image classification method based on regularization supervision loss function
CN115330579A (en) * 2022-08-03 2022-11-11 北京百度网讯科技有限公司 Model watermark construction method, device, equipment and storage medium
CN115481719A (en) * 2022-09-20 2022-12-16 宁波大学 Method for defending gradient-based attack countermeasure
CN115481719B (en) * 2022-09-20 2023-09-15 宁波大学 Method for defending against attack based on gradient
CN116523032B (en) * 2023-03-13 2023-09-29 之江实验室 Image text double-end migration attack method, device and medium
CN116523032A (en) * 2023-03-13 2023-08-01 之江实验室 Image text double-end migration attack method, device and medium
CN116452923B (en) * 2023-06-16 2023-09-01 安徽大学 Cooperative defense strategy and system for attack resistance
CN116452923A (en) * 2023-06-16 2023-07-18 安徽大学 Cooperative defense strategy and system for attack resistance

Also Published As

Publication number Publication date
CN110717522A (en) 2020-01-21

Similar Documents

Publication Publication Date Title
WO2021051561A1 (en) Adversarial defense method and apparatus for image classification network, electronic device, and computer-readable storage medium
CN108347430B (en) Network intrusion detection and vulnerability scanning method and device based on deep learning
US10594713B2 (en) Systems and methods for secure propagation of statistical models within threat intelligence communities
CN113364752B (en) Flow abnormity detection method, detection equipment and computer readable storage medium
CN109271782B (en) Method, medium, system and computing device for detecting attack behavior
US20210021624A1 (en) Method, electronic device and computer program product for detecting abnormal network request
CN110929839B (en) Method and device for training neural network, electronic equipment and computer storage medium
JP2019102960A (en) Cyber attack detection system, feature amount selection system, cyber attack detection method, and program
CN111953665B (en) Server attack access identification method and system, computer equipment and storage medium
KR102352954B1 (en) Real-time Abnormal Insider Event Detection on Enterprise Resource Planning Systems via Predictive Auto-regression Model
CN114648675A (en) Countermeasure training method, image processing method, apparatus, device, and medium
CN110618854A (en) Virtual machine behavior analysis system based on deep learning and memory mirror image analysis
Chen et al. Using adversarial examples to bypass deep learning based url detection system
GB2619589A (en) Fuzz testing of machine learning models to detect malicious activity on a computer
He et al. A security analysis method of security protocol implementation based on unpurified security protocol trace and security protocol implementation ontology
KR102307632B1 (en) Unusual Insider Behavior Detection Framework on Enterprise Resource Planning Systems using Adversarial Recurrent Auto-encoder
KR102472850B1 (en) Malware detection device and method based on hybrid artificial intelligence
Shaohui et al. PCA mix‐based Hotelling's T2 multivariate control charts for intrusion detection system
Jiang et al. Seq2Path: a sequence-to-path-based flow feature fusion approach for encrypted traffic classification
US10832407B2 (en) Training a neural network adapter
CN114866310A (en) Malicious encrypted flow detection method, terminal equipment and storage medium
CN112241742A (en) Cross-domain abnormal traffic detection method and system, electronic equipment and storage medium
US11928232B1 (en) Protecting sensitive data from being exposed in graph embedding vectors
US20230306106A1 (en) Computer Security Systems and Methods Using Self-Supervised Consensus-Building Machine Learning
US20240073241A1 (en) Intrusion response determination

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19946226

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19946226

Country of ref document: EP

Kind code of ref document: A1