WO2021143478A1 - Method and apparatus for identifying adversarial sample to protect model security - Google Patents


Info

Publication number
WO2021143478A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2020/138824
Other languages
French (fr)
Chinese (zh)
Inventor
石磊磊
熊涛
Original Assignee
上海风报信息科技有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database
    • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes

Definitions

  • A computing device including a memory and a processor, the memory storing executable code which, when executed by the processor, implements the method of the first aspect or the third aspect.
  • Fig. 1 shows an implementation block diagram of a method for identifying adversarial samples according to an embodiment.
  • Fig. 2 shows a flow chart of a method for identifying adversarial samples to protect model security according to an embodiment.
  • Fig. 3 shows a sequence diagram of the steps in identifying adversarial samples according to an embodiment.
  • Fig. 4 shows a structural diagram of an apparatus for identifying adversarial samples to protect model security according to an embodiment.
  • Fig. 6 shows a structural diagram of an apparatus for identifying adversarial privacy samples to protect privacy according to an embodiment.
  • The training samples currently used for model training can come from different sources, such as manual labelling or crawling from websites and network platforms, and adversarial samples are easily mixed into them. As mentioned earlier, identifying adversarial samples is important for ensuring the training performance and prediction performance of the model, and thereby for protecting the security of the model.
  • these samples may be image samples, and accordingly, the initial machine learning model may be an image processing model.
  • these samples may include face images, iris images, fingerprint images, etc., and the initial machine learning model may be an identity recognition model.
  • these samples may be text samples, and accordingly, the initial machine learning model may be a text processing model.
  • these samples may be speech samples, and accordingly, the initial machine learning model may be a speech processing model.
  • the enumeration method may be used to perform multiple sampling to obtain multiple control sample sets.
  • The enumeration method enumerates every possible subset. Assuming the multiple non-adversarial samples are the 3 samples A, B and C, the control sample sets obtained by enumeration are {A}, {B}, {C}, {A,B}, {A,C}, {B,C} and {A,B,C}.
  • Bootstrap sampling (sampling with replacement) can also be used to perform several samplings to obtain several control sample sets. Specifically, for one sampling, assume the number of non-adversarial samples is M and the number of samples to be collected is m. One sample is drawn at random from the M non-adversarial samples and added to the m collected samples, and is then put back among the M non-adversarial samples so that it can still be drawn in the next selection. After this process is repeated m times, a control sample set of m samples is obtained; a sample may therefore appear in it more than once.
  • The initial machine learning model may be an initialised model, that is, a model that has not undergone any training and whose parameters are those assigned when the model is initialised.
  • the initial machine learning model may also be a model trained using some non-confrontational samples other than the aforementioned multiple non-confrontational samples.
  • the initial machine learning model can be a classification model, a regression model, a neural network model, etc., which is not limited.
  • the aforementioned preset evaluation indicators may include: error rate, accuracy, recall rate, precision rate, and so on.
  • the error rate refers to the ratio of the number of test samples with prediction errors to the total number of test samples.
  • Accuracy refers to the proportion of the number of test samples whose predictions are correct to the total number of test samples.
  • Precision is the proportion of the test samples predicted positive that are truly positive (that is, whose label is positive);
  • recall is the proportion of the truly positive test samples (those whose label is positive) that are predicted positive.
  • For example, if the preset evaluation index is precision, the first control value may be a precision of 0.88.
  • If the preset evaluation index is the error rate, the first control value may be an error rate of 0.16.
  • step S250 and step S260 can refer to the above description of step S230 and step S240, and will not be repeated.
  • For example, if the preset evaluation index is precision, the first experimental value may be a precision of 0.80 or 0.90.
  • If the preset evaluation index is the error rate, the first experimental value may be an error rate of 0.10 or 0.20.
  • Through the steps above, the first experimental value corresponding to any first experimental sample set can be obtained, and accordingly the several experimental values corresponding to the several experimental sample sets can be obtained.
  • The execution order of steps S210 to S260 is otherwise not limited. In one embodiment, steps S210, S230, S220, S250, S240 and S260 may be executed in that order. In another embodiment, steps S210, S220, S230, S240, S250 and S260 may be executed in succession.
  • The gain value characterises the improvement that the target sample brings to the model's performance.
  • The first gain value is the difference obtained by subtracting the first control value from the first experimental value.
  • For example, the preset evaluation index is precision. If the first control value and the first experimental value are 0.88 and 0.80 respectively, the first gain value is 0.80 − 0.88 = −0.08; if they are 0.88 and 0.90 respectively, the first gain value is 0.02. For an index where lower is better, such as the error rate, the sign of this difference is reversed: a positive gain then means the target sample made the model worse.
  • In step S280, the several gain values determined based on the several control sample sets and the several experimental sample sets are used to determine whether the target sample is an adversarial sample.
  • This step may include: determining the gain mean of the several gain values; then, if the gain mean is less than a set threshold, determining that the target sample is an adversarial sample, and if the gain mean is not less than the set threshold, determining that the target sample is not an adversarial sample.
  • The set threshold may be a manually set threshold, such as 0 or 0.05.
  • The set threshold may also be set as follows: first, the control values of the above control sample sets for the preset evaluation index are averaged to obtain a control mean; then the product of the control mean and a second preset ratio is determined as the set threshold.
  • The second preset ratio can be set by business staff based on expert experience or actual needs, for example to 0.05 or 0.02. As an example, if the control mean is 0.80 and the second preset ratio is 0.05, the set threshold is 0.04.
  • Fig. 3 shows a sequence diagram of the steps in identifying adversarial samples according to an embodiment.
  • Identifying adversarial samples includes the following steps. Step S31: sample the normal samples (that is, the non-adversarial samples) to obtain a control sample set.
  • Step S32: train the initial model with the control sample set, and evaluate the trained model on the test sample set to obtain a control evaluation result.
  • Step S33: add the sample to be tested to the control sample set to obtain an experimental sample set.
  • Step S34: train the initial model with the experimental sample set, and evaluate the trained model on the test sample set to obtain an experimental evaluation result.
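The procedure of steps S31 to S34, the gain of step S280 and the two decision rules above, as an added worked example (this is not code from the patent or its applicant): a nearest-centroid classifier stands in for the "initial machine learning model", and the non-adversarial pool, the test grid, the two target samples, the threshold values and every function name are constructed assumptions of this example. Control sets come from the page's enumeration option, stratified by label so that each set holds both classes; a bootstrap sampler is included as the page's third option. What the page calls an adversarial sample is judged by its training-time effect, so the "poisoned" target here is a point from the label-1 region carrying label 0.

```python
"""Control/experimental gain test for one target sample. Added example, not the patent's code."""
import random
from itertools import combinations

# Constructed toy data (an assumption of this example): one real-valued feature, two labels.
# Non-adversarial pool: label-0 points sit at small x, label-1 points at large x.
NON_ADVERSARIAL = [(1.0, 0), (2.0, 0), (3.0, 0), (4.0, 0),
                   (6.0, 1), (7.0, 1), (8.0, 1), (9.0, 1)]
# Test set "determined based on the non-adversarial samples": a grid that follows the same
# labelling rule (x < 5 -> label 0) and is disjoint from the pool. 40 points, so the
# accuracy of any model moves in steps of 0.025.
TEST_SET = [(0.125 + 0.25 * i, 0 if 0.125 + 0.25 * i < 5 else 1) for i in range(40)]


def split_by_label(samples):
    return {0: [s for s in samples if s[1] == 0], 1: [s for s in samples if s[1] == 1]}


def train(samples):
    """Nearest-centroid classifier standing in for the 'initial machine learning model'."""
    return {label: sum(x for x, _ in group) / len(group)
            for label, group in split_by_label(samples).items()}


def predict(model, x):
    return min(model, key=lambda label: abs(x - model[label]))


def accuracy(model, test_set):
    """Preset evaluation index: accuracy (the error rate would be 1 - accuracy)."""
    return sum(1 for x, y in test_set if predict(model, x) == y) / len(test_set)


def enumerated_control_sets(pool, per_class=1):
    """Enumeration sampling, stratified by label so every control set holds both classes:
    one control set per combination of `per_class` samples from each class."""
    by_label = split_by_label(pool)
    return [list(c0) + list(c1)
            for c0 in combinations(by_label[0], per_class)
            for c1 in combinations(by_label[1], per_class)]


def bootstrap_control_sets(pool, per_class, rounds, seed=0):
    """Bootstrap sampling: `per_class` draws with replacement from each class, `rounds` times."""
    rng = random.Random(seed)
    by_label = split_by_label(pool)
    return [rng.choices(by_label[0], k=per_class) + rng.choices(by_label[1], k=per_class)
            for _ in range(rounds)]


def gain_values(target, control_sets, test_set):
    """Steps S230 to S270 for every control set: control value, experimental value, gain."""
    gains, control_values = [], []
    for control in control_sets:
        control_value = accuracy(train(control), test_set)
        experimental_value = accuracy(train(control + [target]), test_set)
        control_values.append(control_value)
        gains.append(experimental_value - control_value)   # gain = experimental - control
    return gains, control_values


def mean_gain(gains):
    return sum(gains) / len(gains)


def threshold_from_controls(control_values, second_preset_ratio):
    """Set threshold = control mean x second preset ratio (0.80 x 0.05 = 0.04 in the text)."""
    return sum(control_values) / len(control_values) * second_preset_ratio


def is_adversarial_by_mean(gains, threshold):
    """Rule 1: the gain mean is below the set threshold."""
    return mean_gain(gains) < threshold


def is_adversarial_by_ratio(gains, threshold, first_preset_ratio):
    """Rule 2: the share of gains above the set threshold is below the first preset ratio."""
    share = sum(1 for g in gains if g > threshold) / len(gains)
    return share < first_preset_ratio


if __name__ == "__main__":
    controls = enumerated_control_sets(NON_ADVERSARIAL)       # 4 x 4 = 16 control sets
    poisoned = (7.0, 0)   # constructed: lies among the label-1 points but carries label 0
    clean = (2.0, 0)      # constructed: an ordinary label-0 point
    for name, target in (("poisoned", poisoned), ("clean", clean)):
        gains, control_values = gain_values(target, controls, TEST_SET)
        print(f"{name}: mean gain {mean_gain(gains):+.4f}, "
              f"mean-rule verdict at threshold 0: {is_adversarial_by_mean(gains, 0.0)}, "
              f"ratio-rule verdict (threshold 0, ratio 0.3): "
              f"{is_adversarial_by_ratio(gains, 0.0, 0.3)}")
```

Over the 16 enumerated control sets the poisoned target has a mean gain of −0.05 and the clean one +0.009, so both rules with a threshold of 0 flag only the poisoned sample. Two points a practitioner should check before adopting the rule: individual control sets disagree (the control set {(1,0),(6,1)} is so badly centred that the poisoned sample improves its accuracy by 0.15), which is why the verdict is taken over several sets rather than one; and with the derived threshold of control mean × 0.05 (about 0.047 here) the clean sample is flagged as well, because rule 1 with a positive threshold rejects any sample that does not lift the index by at least the threshold, not only samples that hurt it.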
  • the adding unit is configured to add the target sample to be detected to each of the several control sample sets to obtain several experimental sample sets;
  • the first training unit 430 is configured, for any first control sample set among the several control sample sets, to train an initial machine learning model with the first control sample set to obtain a trained first control model;
  • the first evaluation unit 440 is configured to evaluate the performance of the first control model with a test sample set to obtain a first control value for a preset evaluation index, the test sample set being determined based on the multiple non-adversarial samples;
  • the second training unit 450 is configured, for the first experimental sample set obtained by adding the target sample to the first control sample set, to train the initial machine learning model with the first experimental sample set to obtain a trained first experimental model;
  • the second evaluation unit 460 is configured to evaluate the performance of the first experimental model with the test sample set to obtain a first experimental value for the preset evaluation index;
  • the gain determining unit 470 is configured to determine the difference between the first experimental value and the first control value as a first gain value;
  • the determination unit 480 is configured to determine the gain mean of the several gain values and, if the gain mean is less than a set threshold, determine that the target sample is an adversarial sample; or to determine the proportion of the several gain values that are greater than the set threshold and, if that proportion is less than a first preset ratio, determine that the target sample is an adversarial sample.
  • The method includes the following steps. Step S510: sample multiple non-adversarial privacy samples several times to obtain several control privacy sample sets. Step S520: add the target privacy sample to be detected to each of the several control privacy sample sets to obtain several experimental privacy sample sets.
  • Step S530: for any first control privacy sample set among the several control privacy sample sets, train the initial machine learning model with the first control privacy sample set to obtain a trained first control model.
  • Step S540: evaluate the performance of the first control model with a test privacy sample set to obtain a first control value for a preset evaluation index, the test privacy sample set being determined based on the multiple non-adversarial privacy samples. Step S550: for the first experimental privacy sample set obtained by adding the target privacy sample to the first control privacy sample set, train the initial machine learning model with the first experimental privacy sample set to obtain a trained first experimental model. Step S560: evaluate the performance of the first experimental model with the test privacy sample set to obtain a first experimental value for the preset evaluation index. Step S570: determine the difference between the first experimental value and the first control value as a first gain value.
  • Fig. 6 shows a structural diagram of an apparatus for identifying adversarial privacy samples to protect privacy according to an embodiment.
  • The device 600 may include: a sampling unit 610, configured to sample multiple non-adversarial privacy samples several times to obtain several control privacy sample sets; an adding unit 620, configured to add the target privacy sample to be detected to each of the several control privacy sample sets to obtain several experimental privacy sample sets;
  • a first training unit 630, configured, for any first control privacy sample set among the several control privacy sample sets, to train the initial machine learning model with the first control privacy sample set to obtain a trained first control model;
  • a first evaluation unit 640, configured to evaluate the performance of the first control model with a test privacy sample set to obtain a first control value for the preset evaluation index, the test privacy sample set being determined based on the multiple non-adversarial privacy samples;
  • a second training unit 650, configured, for the first experimental privacy sample set obtained by adding the target privacy sample to the first control privacy sample set, to train the initial machine learning model with the first experimental privacy sample set to obtain a trained first experimental model; a second evaluation unit 660, configured to evaluate the performance of the first experimental model with the test privacy sample set to obtain a first experimental value for the preset evaluation index; a gain determining unit 670, configured to determine the difference between the first experimental value and the first control value as a first gain value;
  • a determination unit 680, configured to use the several gain values determined based on the several control privacy sample sets and the several experimental privacy sample sets to determine whether the target privacy sample is an adversarial privacy sample.
  • A computing device including a memory and a processor, the memory storing executable code which, when executed by the processor, implements the method described in conjunction with Fig. 1, Fig. 2, Fig. 3 or Fig. 5.

Abstract

A method for identifying an adversarial sample to protect privacy security. The method comprises: first sampling multiple non-adversarial samples relating to private data to obtain a first control sample set; then adding a target sample to be tested to the first control sample set to obtain a first experimental sample set; next, training an initial machine learning model separately with the first control sample set and the first experimental sample set to obtain a trained first control model and a trained first experimental model; then evaluating the first control model and the first experimental model separately on a test sample set to obtain a first control value and a first experimental value for a preset evaluation index; and then calculating the difference between the first experimental value and the first control value as a first gain value of the target sample for the model performance. Whether the target sample is an adversarial sample can therefore be determined on the basis of the first gain value, or of multiple gain values obtained by repeating the process above.

Description

Method and device for identifying adversarial samples to protect model security

Technical field

One or more embodiments of this specification relate to the technical field of data computing security, and in particular to a method and device for identifying adversarial samples to protect model security.

Background

Adversarial samples are input samples formed by deliberately adding subtle perturbations to a data set, which cause a machine learning model to output wrong results with high confidence. For example, in an image recognition scenario, a picture originally recognised as a panda by an image processing model is misclassified as a gibbon after a slight modification that is imperceptible even to the human eye.

Adversarial samples can be used by attackers to attack machine learning models. For example, during model training, adversarial samples that carry wrong labels degrade the training performance of the model and lower the accuracy of the predictions made by the model obtained once training is complete.

Therefore, a reasonable and reliable scheme that can accurately identify adversarial samples is urgently needed, in order to protect model security and thereby improve the training performance and prediction performance of the model.

Summary of the invention

One or more embodiments of this specification describe a method and device for identifying adversarial samples to protect model security, which can be used to improve the training performance and prediction performance of the model.
According to a first aspect, a method for identifying adversarial samples to protect model security is provided. The method includes: sampling multiple non-adversarial samples several times to obtain several control sample sets; adding the target sample to be detected to each of the several control sample sets to obtain several experimental sample sets; for any first control sample set among the several control sample sets, training an initial machine learning model with the first control sample set to obtain a trained first control model; evaluating the performance of the first control model with a test sample set to obtain a first control value for a preset evaluation index, the test sample set being determined based on the multiple non-adversarial samples; for the first experimental sample set obtained by adding the target sample to the first control sample set, training the initial machine learning model with the first experimental sample set to obtain a trained first experimental model; evaluating the performance of the first experimental model with the test sample set to obtain a first experimental value for the preset evaluation index; determining the difference between the first experimental value and the first control value as a first gain value; and using the several gain values determined based on the several control sample sets and the several experimental sample sets to determine whether the target sample is an adversarial sample.

In one embodiment, the multiple non-adversarial samples and the target sample are image samples and the initial machine learning model is an image processing model; or the multiple non-adversarial samples and the target sample are text samples and the initial machine learning model is a text processing model; or the multiple non-adversarial samples and the target sample are speech samples and the initial machine learning model is a speech processing model.

In one embodiment, sampling the multiple non-adversarial samples several times to obtain several control sample sets includes: using enumeration to sample the multiple non-adversarial samples multiple times to obtain multiple control sample sets; or using stratified sampling to sample the multiple non-adversarial samples several times to obtain the several control sample sets; or using bootstrap sampling (sampling with replacement) to sample the multiple non-adversarial samples several times to obtain the several control sample sets.

In one embodiment, the preset evaluation index includes one or more of the following: error rate, accuracy, recall, precision.

In one embodiment, using the several gain values determined based on the several control sample sets and the several experimental sample sets to determine whether the target sample is an adversarial sample includes: determining the gain mean of the several gain values and, if the gain mean is less than a set threshold, determining that the target sample is an adversarial sample; or determining the proportion of the several gain values that are greater than the set threshold and, if that proportion is less than a first preset ratio, determining that the target sample is an adversarial sample.

In a specific embodiment, determining whether the target sample is an adversarial sample further includes: averaging the several control values of the several control sample sets for the preset evaluation index to obtain a control mean; and determining the product of the control mean and a second preset ratio as the set threshold.
According to a second aspect, a device for identifying adversarial samples to protect model security is provided. The device includes: a sampling unit, configured to sample multiple non-adversarial samples several times to obtain several control sample sets; an adding unit, configured to add the target sample to be detected to each of the several control sample sets to obtain several experimental sample sets; a first training unit, configured, for any first control sample set among the several control sample sets, to train an initial machine learning model with the first control sample set to obtain a trained first control model; a first evaluation unit, configured to evaluate the performance of the first control model with a test sample set to obtain a first control value for a preset evaluation index, the test sample set being determined based on the multiple non-adversarial samples; a second training unit, configured, for the first experimental sample set obtained by adding the target sample to the first control sample set, to train the initial machine learning model with the first experimental sample set to obtain a trained first experimental model; a second evaluation unit, configured to evaluate the performance of the first experimental model with the test sample set to obtain a first experimental value for the preset evaluation index; a gain determining unit, configured to determine the difference between the first experimental value and the first control value as a first gain value; and a determination unit, configured to use the several gain values determined based on the several control sample sets and the several experimental sample sets to determine whether the target sample is an adversarial sample.
According to a third aspect, a method for identifying adversarial privacy samples to protect privacy is provided. The method includes: sampling multiple non-adversarial privacy samples several times to obtain several control privacy sample sets; adding the target privacy sample to be detected to each of the several control privacy sample sets to obtain several experimental privacy sample sets; for any first control privacy sample set among the several control privacy sample sets, training an initial machine learning model with the first control privacy sample set to obtain a trained first control model; evaluating the performance of the first control model with a test privacy sample set to obtain a first control value for a preset evaluation index, the test privacy sample set being determined based on the multiple non-adversarial privacy samples; for the first experimental privacy sample set obtained by adding the target privacy sample to the first control privacy sample set, training the initial machine learning model with the first experimental privacy sample set to obtain a trained first experimental model; evaluating the performance of the first experimental model with the test privacy sample set to obtain a first experimental value for the preset evaluation index; determining the difference between the first experimental value and the first control value as a first gain value; and using the several gain values determined based on the several control privacy sample sets and the several experimental privacy sample sets to determine whether the target privacy sample is an adversarial privacy sample.
According to a fourth aspect, an apparatus for identifying adversarial privacy samples to protect privacy is provided. The apparatus includes: a sampling unit configured to sample a plurality of non-adversarial privacy samples several times to obtain several control privacy sample sets; an adding unit configured to add a target privacy sample to be detected to each of the several control privacy sample sets to obtain several experimental privacy sample sets; a first training unit configured, for any first control privacy sample set among the several control privacy sample sets, to train an initial machine learning model with the first control privacy sample set to obtain a trained first control model; a first evaluation unit configured to evaluate the performance of the first control model with a test privacy sample set to obtain a first control value for a preset evaluation index, the test privacy sample set being determined based on the plurality of non-adversarial privacy samples; a second training unit configured, for the first experimental privacy sample set obtained by adding the target privacy sample to the first control privacy sample set, to train the initial machine learning model with the first experimental privacy sample set to obtain a trained first experimental model; a second evaluation unit configured to evaluate the performance of the first experimental model with the test privacy sample set to obtain a first experimental value for the preset evaluation index; a gain determining unit configured to determine the difference between the first experimental value and the first control value as a first gain value; and a determining unit configured to determine, using the several gain values determined from the several control privacy sample sets and the several experimental privacy sample sets, whether the target privacy sample is an adversarial privacy sample.
According to a fifth aspect, a computer-readable storage medium is provided on which a computer program is stored; when the computer program is executed in a computer, the computer is caused to perform the method of the first aspect or the third aspect.
According to a sixth aspect, a computing device is provided, comprising a memory and a processor, the memory storing executable code; when the processor executes the executable code, the method of the first aspect or the third aspect is implemented.
In summary, in the identification method and apparatus disclosed in the embodiments of this specification, the gain that a target sample brings to model performance is determined first, and that gain is then used to judge whether the target sample is an adversarial sample. Adversarial samples can thus be identified accurately, which protects the security of a model that would otherwise have been trained on them and preserves the model's training and prediction performance.
Description of the drawings
To explain the technical solutions of the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 shows a block diagram of an implementation of the method for identifying adversarial samples according to an embodiment;
Fig. 2 shows a flowchart of the method for identifying adversarial samples to protect model security according to an embodiment;
Fig. 3 shows a sequence of steps for identifying adversarial samples according to an embodiment;
Fig. 4 shows a structural diagram of the apparatus for identifying adversarial samples to protect model security according to an embodiment;
Fig. 5 shows a flowchart of the method for identifying adversarial privacy samples to protect privacy according to an embodiment;
Fig. 6 shows a structural diagram of the apparatus for identifying adversarial privacy samples to protect privacy according to an embodiment.
Detailed description
The solutions provided in this specification are described below with reference to the drawings.
The training samples currently used for model training can come from different sources, such as manual labelling or crawling from websites and network platforms, and adversarial samples are easily mixed in. As noted above, identifying adversarial samples is important for ensuring the training and prediction performance of the model and thus for protecting model security.
In addition, the inventors observe that, according to the definition of an adversarial sample, its label is wrong, so the performance gain it brings to the model is negative or very small. Therefore, whether a sample is adversarial can be detected by computing the gain that the sample brings to model performance; in other words, adversarial samples can be identified by computing their gain to model performance.
Based on this, the inventors propose a method for identifying adversarial samples to protect model security. Fig. 1 shows a block diagram of an implementation of the method according to an embodiment. As shown in Fig. 1, first, a plurality of non-adversarial samples are sampled several times to obtain several control sample sets, marked as N in Fig. 1, where N is a positive integer. Next, the target sample to be detected is added to each of the several control sample sets to obtain several experimental sample sets. Then, several gain values of the target sample with respect to model performance are determined from the several control sample sets and the several experimental sample sets. Specifically: on the one hand, for any first control sample set among the several control sample sets, the initial machine learning model is trained with it and the performance of the resulting first control model is evaluated to obtain a first control value indicating model performance; on the other hand, for the first experimental sample set consisting of the target sample and the samples of the first control sample set, the same initial machine learning model is trained with it and the performance of the resulting first experimental model is evaluated to obtain a first experimental value indicating model performance; further, the difference between the first experimental value and the first control value is determined as the first gain value, and the several gain values are determined in the same way. Finally, whether the target sample is an adversarial sample is judged from the several gain values according to a preset decision rule. In this way adversarial samples can be identified accurately.
The specific implementation steps of the above identification method are described below with reference to specific embodiments.
Fig. 2 shows a flowchart of the method for identifying adversarial samples to protect model security according to an embodiment. The method may be executed by any apparatus, device, platform or device cluster with computing and processing capability. As shown in Fig. 2, the method includes the following steps.
Step S210: sample a plurality of non-adversarial samples several times to obtain several control sample sets.
Step S220: add the target sample to be detected to each of the several control sample sets to obtain several experimental sample sets.
Step S230: for any first control sample set among the several control sample sets, train an initial machine learning model with the first control sample set to obtain a trained first control model.
Step S240: evaluate the performance of the first control model with a test sample set to obtain a first control value for a preset evaluation index, the test sample set being determined based on the plurality of non-adversarial samples.
Step S250: for the first experimental sample set obtained by adding the target sample to the first control sample set, train the initial machine learning model with the first experimental sample set to obtain a trained first experimental model.
Step S260: evaluate the performance of the first experimental model with the test sample set to obtain a first experimental value for the preset evaluation index.
Step S270: determine the difference between the first experimental value and the first control value as a first gain value.
Step S280: determine, using the several gain values determined from the several control sample sets and the several experimental sample sets, whether the target sample is an adversarial sample.
It should first be noted that "first" in the terms first control sample set, first experimental sample set, first control model, first experimental model and similar terms below only distinguishes items of the same kind and has no other limiting effect.
In addition, regarding the plurality of non-adversarial samples and the target sample involved in the steps of Fig. 2: on the one hand, in terms of the data content of the samples, in one embodiment these samples may be privacy data samples, i.e. samples that involve users' private data. In that case identifying adversarial samples to protect model security is especially important. For example, for a classification model used to identify users (such as a face recognition model), if the adversarial samples contained in its training samples are not identified and removed, then once the classification model is put into use, identity information provided by one user (such as a face) may be wrongly recognised as belonging to another user, leading to identity fraud or wrong deductions from user accounts and endangering users' privacy and security. On the other hand, in terms of the data form of the samples, in one embodiment these samples may be image samples and the initial machine learning model may correspondingly be an image processing model. In a specific embodiment, these samples may include face images, iris images, fingerprint images and the like, and the initial machine learning model may be an identity recognition model. In another embodiment, these samples may be text samples and the initial machine learning model a text processing model. In yet another embodiment, these samples may be speech samples and the initial machine learning model a speech processing model.
The steps shown in Fig. 2 are described in detail below.
First, in step S210, a plurality of non-adversarial samples are sampled several times to obtain several control sample sets. In one embodiment, the plurality of non-adversarial samples may be normal samples whose labels have been repeatedly checked manually and confirmed correct.
It should be noted that "several" in "several samplings", and elsewhere in this text, covers the case of one or more. The several samplings may be implemented by various sampling methods. In one embodiment, enumeration may be used to sample multiple times and obtain multiple control sample sets. Enumeration lists every possibility: assuming the plurality of non-adversarial samples consists of three samples, denoted A, B and C, the control sample sets obtained by enumeration are:
{A}, {B}, {C}, {A,B}, {A,C}, {B,C} and {A,B,C}.
In another embodiment, stratified sampling may be used to perform the several samplings and obtain the several control sample sets. In stratified sampling, the ratio between the numbers of samples selected for each label is the same or similar at every sampling. For example, in a binary classification scenario where the plurality of non-adversarial samples include positive and negative samples, for any two samplings the ratio of positive to negative samples in the two resulting control sample sets can both be kept at 3:1; e.g. one control sample set contains 30 positive and 10 negative samples and the other 45 positive and 15 negative samples.
In yet another embodiment, bootstrap sampling may be used to perform the several samplings and obtain the several control sample sets. Specifically, for one sampling, assume the number of non-adversarial samples is M and the number of samples to be collected is m. One sample is then picked at random from the M non-adversarial samples and added to the m samples, and that sample is returned to the M non-adversarial samples so that it can be picked again in the next draw. After this process is repeated m times, a control sample set of m samples is obtained.
Several control sample sets are thus obtained through several samplings. Next, in step S220, the target sample to be detected is added to each of the several control sample sets to obtain several experimental sample sets. That is, the target sample is added separately to each control sample set, giving one experimental sample set corresponding to each control sample set; together these form the several experimental sample sets.
Then, in step S230, for any first control sample set among the several control sample sets, an initial machine learning model is trained with the first control sample set to obtain a trained first control model. And, in step S240, the performance of the first control model is evaluated with a test sample set to obtain a first control value for a preset evaluation index, the test sample set being determined based on the plurality of non-adversarial samples.
It should be noted that after step S210 is executed, step S220 and step S230 may be executed simultaneously or one after the other; their order is not limited.
In one embodiment, step S230 may include: inputting each of the plurality of first samples in the first control sample set into the initial machine learning model to obtain a corresponding plurality of first prediction results; then adjusting the model parameters of the initial machine learning model according to the plurality of first prediction results, the sample labels of the plurality of first samples and a preset loss function, to obtain the first control model with adjusted parameters. In this way, the several control sample sets can each be used to adjust the parameters of the initial machine learning model, giving several corresponding control models.
The test sample set may be determined based on the plurality of non-adversarial samples. It should be understood that the test sample set is normally disjoint from the training sample sets (such as the several control sample sets above): samples in the test sample set normally do not appear in the training sample sets and are not used during training. Moreover, the split between test and training sample sets should normally keep the data distribution consistent.
In one embodiment, there may be a single test sample set. In that case, when there are multiple control models, the same test sample set is used to evaluate the performance of the different control models. In a specific embodiment, step S210 may include: dividing the plurality of non-adversarial samples into two disjoint sets, one of which serves as the test sample set while the other is sampled to determine the several control sample sets.
In another embodiment, there may be multiple test sample sets, so that different test sample sets are used to evaluate different control models. In a specific embodiment, step S210 may include: using the stratified sampling described above, dividing the plurality of non-adversarial samples (say M of them) into a predetermined number k of disjoint subsets, where k is a positive integer smaller than M; then taking the union of (k-1) of the disjoint subsets as one control sample set and the remaining subset as the corresponding test sample set. Holding out each of the k subsets in turn gives k control sample sets and k corresponding test sample sets. In this way, the test sample sets used to evaluate model performance can be determined.
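As an added example (not code from the patent), the following Python builds the stratified partition just described: a constructed pool of 12 positive and 4 negative samples is dealt into k disjoint subsets that each keep the 3:1 label ratio, each subset is held out in turn as the test set with the remaining subsets merged as the control set, and two helpers check the properties the text relies on, namely that the label ratio is preserved and that no sample appears in both a control set and its test set. The names stratified_partition, control_test_pairs, label_ratio and disjoint are this example's own.

```python
"""Stratified split of verified clean samples into disjoint control/test sets.

Added example, not the patent's own code. POOL is constructed: samples are
(identifier, label) pairs, 12 positives and 4 negatives, a 3:1 label ratio.
"""
import random
from collections import defaultdict

POOL = [(f"s{i}", 1 if i < 12 else 0) for i in range(16)]


def stratified_partition(pool, k, seed=0):
    """Split the pool into k disjoint subsets that each keep the pool's label ratio.

    Samples of each label are shuffled and dealt round-robin into the k subsets,
    so every subset receives the same share of every label (up to rounding).
    """
    rng = random.Random(seed)
    by_label = defaultdict(list)
    for sample in pool:
        by_label[sample[1]].append(sample)
    folds = [[] for _ in range(k)]
    for members in by_label.values():
        rng.shuffle(members)
        for i, sample in enumerate(members):
            folds[i % k].append(sample)
    return folds


def control_test_pairs(folds):
    """Hold each subset out in turn: it becomes the test set, the rest the control set."""
    pairs = []
    for i, test in enumerate(folds):
        control = [s for j, fold in enumerate(folds) if j != i for s in fold]
        pairs.append((control, test))
    return pairs


def label_ratio(samples):
    """Positive-to-negative ratio; inf when there are no negatives."""
    positives = sum(label for _, label in samples)
    negatives = len(samples) - positives
    return positives / negatives if negatives else float("inf")


def disjoint(a, b):
    """True when no sample identifier occurs in both sets (test must not leak into training)."""
    return not {s[0] for s in a} & {s[0] for s in b}


if __name__ == "__main__":
    for control, test in control_test_pairs(stratified_partition(POOL, k=4)):
        print(len(control), label_ratio(control), len(test), label_ratio(test),
              disjoint(control, test))
```

The disjointness check matters twice in this method: the test set must not overlap the control sets, and the target sample under test must never be placed in the test set, otherwise the experimental model is scored on the very sample whose label is in doubt.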
As for the initial machine learning model, in one embodiment it may be an initialised model, that is, a model that has not undergone any training and whose parameters are the values assigned at initialisation. In another embodiment, the initial machine learning model may be a model that has already been trained on non-adversarial samples other than the plurality of non-adversarial samples above. The initial machine learning model may be a classification model, a regression model, a neural network model or the like; this is not limited.
The preset evaluation index may include error rate, accuracy, recall, precision and the like. The error rate is the proportion of test samples that are predicted wrongly among all test samples. Accuracy is the proportion of test samples that are predicted correctly among all test samples. For a binary classification problem, precision is the proportion of the test samples predicted as positive that are truly positive (i.e. labelled positive); recall is the proportion of the truly positive test samples (i.e. labelled positive) that are predicted correctly. In one example, the preset evaluation index includes precision, and the first control value may be a precision of 0.88. In another example, the preset evaluation index includes error rate, and the first control value may be an error rate of 0.16.
Steps S230 and S240 above yield the first control value corresponding to any first control sample set, and hence several control values corresponding to the several control sample sets. On the other hand, in step S250, for the first experimental sample set obtained by adding the target sample to the first control sample set, the initial machine learning model is trained with the first experimental sample set to obtain a trained first experimental model. And, in step S260, the performance of the first experimental model is evaluated with the test sample set to obtain a first experimental value for the preset evaluation index.
It should be noted that the initial machine learning model trained with the first control sample set is the same as the initial machine learning model trained with the first experimental sample set, and the test sample set used to evaluate the first experimental model is the same as the test sample set used to evaluate the first control model. The description of steps S250 and S260 otherwise follows that of steps S230 and S240 and is not repeated.
In one example, the preset evaluation index includes precision, and the first experimental value may be a precision of 0.80 or 0.90. In another example, the preset evaluation index includes error rate, and the first experimental value may be an error rate of 0.10 or 0.20.
Steps S250 and S260 above yield the first experimental value corresponding to any first experimental sample set, and hence several experimental values corresponding to the several experimental sample sets. It should be noted that the only requirement on the execution order of steps S210 to S260 is that step S210 is executed first; after that, steps S230 and S240 are executed in order on one branch and steps S220, S250 and S260 in order on the other, with no further restriction. Specifically, in one implementation the steps may be executed in the order S210, S230, S220, S250, S240, S260; in another implementation, in the order S210, S220, S230, S240, S250, S260.
Then, in step S270, the difference between the first experimental value and the first control value is determined as the first gain value.
It should be understood that the gain value characterises the improvement the target sample brings to model performance. In one embodiment, when the preset evaluation index characterises model performance positively (for example, when it is accuracy, recall or precision), the first gain value is the first experimental value minus the first control value. In one example the preset evaluation index is precision: if the first control value and the first experimental value are 0.88 and 0.80, the first gain value is -0.08; if they are 0.88 and 0.90, the first gain value is 0.02.
In another embodiment, when the preset evaluation index characterises model performance negatively (for example, when it is the error rate), the first gain value is the first control value minus the first experimental value. In one example the preset evaluation index is the error rate: if the first control value and the first experimental value are 0.16 and 0.10, the first gain value is 0.06; if they are 0.16 and 0.20, the first gain value is -0.04.
In this way, the several corresponding gain values are obtained from the several control values and the several experimental values. Based on these, in step S280, the several gain values determined from the several control sample sets and the several experimental sample sets are used to judge whether the target sample is an adversarial sample.
在一个实施例中,本步骤中可以包括:确定所述若干增益值的增益均值;进一步地,在所述增益均值小于设定阈值的情况下,判定所述目标样本属于对抗样本,而在所述增益均值不小于设定阈值的情况下,判定所述目标样本不属于对抗样本。In an embodiment, this step may include: determining the gain average of the several gain values; further, in the case that the gain average is less than a set threshold, determining that the target sample belongs to the adversarial sample, and In the case that the gain average value is not less than the set threshold, it is determined that the target sample does not belong to the adversarial sample.
在一个具体的实施例中,其中设定阈值可以为人工设定的阈值,如0或0.05。在另一个具体的实施例中,其中设定阈值可以基于以下步骤设定:首先,对上述若干对照样本集针对所述预设评估指标的若干对照值进行平均,得到对照均值;再将所述对照均值与第二预设比例的乘积,确定为所述设定阈值。在一个更具体的实施例中,其中第二预 设比例可以由业务人员根据专家经验或实际需求设定,如设定为0.05或0.02。在一个例子中,假定上述对照均值为0.80,第二预设比例为0.05,则可以将设定阈值确定为0.04。In a specific embodiment, the set threshold may be a manually set threshold, such as 0 or 0.05. In another specific embodiment, the setting threshold may be set based on the following steps: firstly, averaging the comparison values of the above-mentioned comparison sample sets with respect to the preset evaluation index to obtain the comparison mean value; The product of the comparison mean value and the second preset ratio is determined as the set threshold. In a more specific embodiment, the second preset ratio can be set by business personnel based on expert experience or actual needs, for example, set to 0.05 or 0.02. In an example, assuming that the above-mentioned control mean value is 0.80 and the second preset ratio is 0.05, the set threshold may be determined to be 0.04.
根据一个具体的例子,假定设定阈值为0.04,若上述增益均值为0.01,则可以判定对应的目标样本属于对抗样本,而若上述增益均值为0.06,则可以判断对应的目标样本不属于对抗样本。According to a specific example, assuming that the threshold is set to 0.04, if the above average gain is 0.01, it can be determined that the corresponding target sample belongs to the adversarial sample, and if the average gain is 0.06, it can be determined that the corresponding target sample does not belong to the adversarial sample .
在另一个实施例中,本步骤中可以包括:确定所述若干增益值中大于设定阈值的增益比例,并且,在所述增益比例小于第一预设比例的情况下,判定所述目标样本属于对抗样本。需要说明的是,其中设定阈值可以参见上述实施例中的相关描述,此外,在一个具体的实施例中,其中第一预设比例可以由业务人员根据专家经验或实际需求设定,如设定为0.80或0.90。In another embodiment, this step may include: determining a gain ratio of the plurality of gain values that is greater than a set threshold, and, in a case where the gain ratio is less than a first preset ratio, determining the target sample Belongs to adversarial examples. It should be noted that the setting threshold can be referred to the relevant description in the above embodiment. In addition, in a specific embodiment, the first preset ratio can be set by the business personnel according to expert experience or actual needs, such as setting Set at 0.80 or 0.90.
According to a specific example, assuming the first preset ratio is 0.80, if the determined gain ratio is 0.20, the corresponding target sample can be judged to be an adversarial sample, whereas if the determined gain ratio is 0.87, the corresponding target sample can be judged not to be an adversarial sample.
In this way, it can be detected whether the target sample is an adversarial sample.
In summary, in the method for identifying adversarial samples disclosed in the embodiments of this specification, the gain value of the target sample to model performance is first determined, and the gain value is then used to judge whether the target sample is an adversarial sample. Adversarial samples can thus be identified accurately, which protects the security of the model that would otherwise be trained on them and ensures good training and prediction performance. For example, when a model for identifying user identity needs to be trained, the above method of identifying adversarial samples can first be applied to the pre-collected training samples to identify the adversarial samples among them, and the identity recognition model can then be trained on the training sample set with the adversarial samples removed, so that model security is ensured. At the same time, the trained model has good prediction performance and can effectively prevent misidentification, thereby preventing high-risk consequences of misidentification such as identity fraud, privacy leakage, and property loss.
The above identification method is introduced below with reference to a specific embodiment. Fig. 3 shows a sequential step diagram of identifying adversarial samples according to an embodiment. As shown in Fig. 3, identifying adversarial samples includes the following steps. Step S31: sample the normal samples (that is, the non-adversarial samples) to obtain a control sample set. Step S32: train the initial model with the control sample set, and evaluate the performance of the trained model with the test sample set to obtain a control evaluation result. Step S33: add the sample to be detected to the control sample set to obtain an experimental sample set. Step S34: train the initial model with the experimental sample set, and evaluate the performance of the trained model with the test sample set to obtain an experimental evaluation result. Step S35: determine the gain in model performance from the experimental evaluation result and the control evaluation result. Step S36: repeat steps S31 to S35 to determine the gain in model performance that the sample to be detected brings for each sampling. Step S37: compute the mean of the model gains brought by the sample to be detected. Step S38: identify samples whose mean is below the threshold as adversarial samples.
The above achieves the identification of adversarial samples.
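The procedure of steps S31 to S38 and both decision rules described above (gain mean against a set threshold derived from the control mean and a second preset ratio of 0.05, and the proportion of gains above that threshold against a first preset ratio of 0.80), carried through on constructed data as an added example that is not part of the patent. It assumes a 1-nearest-neighbour classifier as the initial machine learning model, accuracy as the evaluation index, stratified enumeration of one sample per class as the sampling method, and a split of the labelled non-adversarial data into a sampling pool and a held-out test set; the poisoned target is a constructed label-flipped sample.

```python
"""Gain-based identification of an adversarial (poisoned) training sample.

Steps S31-S38 of the patent, run on constructed 1-D data with a 1-nearest-
neighbour model standing in for the initial machine learning model.
"""
from itertools import product
from typing import Dict, List, Tuple

Sample = Tuple[float, int]  # (feature value, class label)

# Constructed data (assumption): the labelled non-adversarial samples are split
# into a pool that control sets are drawn from and a held-out test set.
NORMAL_POOL: List[Sample] = [(0.0, 0), (1.0, 0), (2.0, 0),
                             (10.0, 1), (11.0, 1), (12.0, 1)]
TEST_SET: List[Sample] = [(0.5, 0), (3.0, 0), (6.6, 0), (9.5, 1), (11.5, 1)]
# Two candidate target samples: a genuine class-0 sample near the class
# boundary, and a poisoned one whose feature lies in class-0 territory but
# carries label 1 (a label-flipped sample, constructed for this example).
NORMAL_TARGET: Sample = (6.0, 0)
POISONED_TARGET: Sample = (3.5, 1)


def train_1nn(samples: List[Sample]) -> List[Sample]:
    """'Training' a 1-NN model just stores the samples (steps S32/S34)."""
    return list(samples)


def predict_1nn(model: List[Sample], x: float) -> int:
    """The closest stored sample decides the label."""
    return min(model, key=lambda s: abs(s[0] - x))[1]


def accuracy(model: List[Sample], test_set: List[Sample]) -> float:
    """Preset evaluation index: accuracy on the held-out test set."""
    hits = sum(predict_1nn(model, x) == y for x, y in test_set)
    return hits / len(test_set)


def stratified_enumeration(pool: List[Sample]) -> List[List[Sample]]:
    """Step S31: every control set made of one pool sample per class
    (stratified sampling combined with enumeration of all combinations)."""
    by_class: Dict[int, List[Sample]] = {}
    for s in pool:
        by_class.setdefault(s[1], []).append(s)
    return [list(combo) for combo in product(*by_class.values())]


def gain_values(pool: List[Sample], test_set: List[Sample],
                target: Sample) -> Tuple[List[float], List[float]]:
    """Steps S31-S36: one control value and one gain value per control set."""
    control_values, gains = [], []
    for control_set in stratified_enumeration(pool):
        control_value = accuracy(train_1nn(control_set), test_set)
        # Step S33: the experimental set is the control set plus the target.
        experimental_value = accuracy(train_1nn(control_set + [target]), test_set)
        control_values.append(control_value)
        gains.append(experimental_value - control_value)  # step S35
    return control_values, gains


def set_threshold(control_values: List[float], second_preset_ratio: float) -> float:
    """Threshold = control mean x second preset ratio (e.g. 0.80 x 0.05 = 0.04)."""
    return sum(control_values) / len(control_values) * second_preset_ratio


def detect(pool: List[Sample], test_set: List[Sample], target: Sample,
           second_preset_ratio: float = 0.05,
           first_preset_ratio: float = 0.80) -> dict:
    """Steps S37-S38 with both decision rules the patent describes."""
    control_values, gains = gain_values(pool, test_set, target)
    threshold = set_threshold(control_values, second_preset_ratio)
    mean_gain = sum(gains) / len(gains)
    # Gain ratio: proportion of gain values above the set threshold.
    gain_ratio = sum(g > threshold for g in gains) / len(gains)
    return {
        "control_mean": sum(control_values) / len(control_values),
        "threshold": threshold,
        "mean_gain": mean_gain,
        "gain_ratio": gain_ratio,
        "adversarial_by_mean": mean_gain < threshold,
        "adversarial_by_ratio": gain_ratio < first_preset_ratio,
    }


if __name__ == "__main__":
    for name, target in (("normal", NORMAL_TARGET), ("poisoned", POISONED_TARGET)):
        r = detect(NORMAL_POOL, TEST_SET, target)
        print(f"{name:8s} mean gain={r['mean_gain']:+.3f} "
              f"threshold={r['threshold']:.3f} gain ratio={r['gain_ratio']:.2f} "
              f"-> adversarial by mean: {r['adversarial_by_mean']}, "
              f"by ratio: {r['adversarial_by_ratio']}")
```

The poisoned target lowers accuracy on every control set (its negative mean gain sits far below the threshold, and no gain exceeds it), while the genuine sample raises accuracy on eight of the nine control sets, so both rules agree on each target.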
Corresponding to the above identification method, the embodiments of this specification also disclose an identification apparatus. Fig. 4 shows a structural diagram of an apparatus for identifying adversarial samples to protect model security according to an embodiment. As shown in Fig. 4, the apparatus 400 may include: a sampling unit 410, configured to sample a plurality of non-adversarial samples several times to obtain several control sample sets; an adding unit 420, configured to add the target sample to be detected to each of the several control sample sets to obtain several experimental sample sets; a first training unit 430, configured to, for any first control sample set among the several control sample sets, train an initial machine learning model with the first control sample set to obtain a trained first control model; a first evaluation unit 440, configured to evaluate the performance of the first control model with a test sample set to obtain a first control value for a preset evaluation index, the test sample set being determined based on the plurality of non-adversarial samples; a second training unit 450, configured to, for the first experimental sample set obtained by adding the target sample to the first control sample set, train the initial machine learning model with the first experimental sample set to obtain a trained first experimental model; a second evaluation unit 460, configured to evaluate the performance of the first experimental model with the test sample set to obtain a first experimental value for the preset evaluation index; a gain determining unit 470, configured to determine the difference between the first experimental value and the first control value as a first gain value; and a judging unit 480, configured to judge whether the target sample is an adversarial sample using the several gain values determined based on the several control sample sets and the several experimental sample sets.
In an embodiment, the plurality of non-adversarial samples and the target sample are image samples and the initial machine learning model is an image processing model; or the plurality of non-adversarial samples and the target sample are text samples and the initial machine learning model is a text processing model; or the plurality of non-adversarial samples and the target sample are speech samples and the initial machine learning model is a speech processing model.
In an embodiment, the sampling unit 410 is configured to: sample the plurality of non-adversarial samples multiple times by enumeration to obtain multiple control sample sets; or sample the plurality of non-adversarial samples several times by stratified sampling to obtain the several control sample sets; or sample the plurality of non-adversarial samples several times by bootstrap sampling to obtain the several control sample sets.
In an embodiment, the preset evaluation index includes one or more of the following: error rate, accuracy, recall, and precision.
In an embodiment, the judging unit 480 is configured to: determine the gain mean of the several gain values, and judge the target sample to be an adversarial sample when the gain mean is less than a set threshold; or determine the gain ratio, that is, the proportion of the several gain values that are greater than the set threshold, and judge the target sample to be an adversarial sample when the gain ratio is less than a first preset ratio.
In an embodiment, the judging unit 480 is further configured to: average the several control values obtained for the several control sample sets on the preset evaluation index to obtain a control mean; and determine the product of the control mean and a second preset ratio as the set threshold.
In summary, in the apparatus for identifying adversarial samples disclosed in the embodiments of this specification, the gain value of the target sample to model performance is first determined, and the gain value is then used to judge whether the target sample is an adversarial sample. Adversarial samples can thus be identified accurately, which protects the security of the model that would otherwise be trained on them and ensures good training and prediction performance.
According to an embodiment of another aspect, this specification also discloses a method for identifying adversarial privacy samples to protect privacy security. Fig. 5 shows a flowchart of a method for identifying adversarial samples to protect privacy security according to an embodiment; the method may be executed by any apparatus, device, platform, or device cluster with computing and processing capability. As shown in Fig. 5, the method includes the following steps. Step S510: sample a plurality of non-adversarial privacy samples several times to obtain several control privacy sample sets. Step S520: add the target privacy sample to be detected to each of the several control privacy sample sets to obtain several experimental privacy sample sets. Step S530: for any first control privacy sample set among the several control privacy sample sets, train an initial machine learning model with the first control privacy sample set to obtain a trained first control model. Step S540: evaluate the performance of the first control model with a test privacy sample set to obtain a first control value for a preset evaluation index, the test privacy sample set being determined based on the plurality of non-adversarial privacy samples. Step S550: for the first experimental privacy sample set obtained by adding the target privacy sample to the first control privacy sample set, train the initial machine learning model with the first experimental privacy sample set to obtain a trained first experimental model. Step S560: evaluate the performance of the first experimental model with the test privacy sample set to obtain a first experimental value for the preset evaluation index. Step S570: determine the difference between the first experimental value and the first control value as a first gain value. Step S580: judge whether the target privacy sample is an adversarial privacy sample using the several gain values determined based on the several control privacy sample sets and the several experimental privacy sample sets.
Regarding the above steps, it should be noted that the main difference from the steps shown in Fig. 2 is that the non-adversarial privacy samples and the target privacy sample involved contain privacy data. In an embodiment, the privacy data may include user personal information, biometric information, and the like. It should further be noted that the description of the steps shown in Fig. 2 applies to the steps shown in Fig. 5 and is not repeated here.
Corresponding to the identification method shown in Fig. 5, the embodiments of this specification also disclose an identification apparatus. Specifically, Fig. 6 shows a structural diagram of an apparatus for identifying adversarial privacy samples to protect privacy security according to an embodiment. As shown in Fig. 6, the apparatus 600 may include: a sampling unit 610, configured to sample a plurality of non-adversarial privacy samples several times to obtain several control privacy sample sets; an adding unit 620, configured to add the target privacy sample to be detected to each of the several control privacy sample sets to obtain several experimental privacy sample sets; a first training unit 630, configured to, for any first control privacy sample set among the several control privacy sample sets, train an initial machine learning model with the first control privacy sample set to obtain a trained first control model; a first evaluation unit 640, configured to evaluate the performance of the first control model with a test privacy sample set to obtain a first control value for a preset evaluation index, the test privacy sample set being determined based on the plurality of non-adversarial privacy samples; a second training unit 650, configured to, for the first experimental privacy sample set obtained by adding the target privacy sample to the first control privacy sample set, train the initial machine learning model with the first experimental privacy sample set to obtain a trained first experimental model; a second evaluation unit 660, configured to evaluate the performance of the first experimental model with the test privacy sample set to obtain a first experimental value for the preset evaluation index; a gain determining unit 670, configured to determine the difference between the first experimental value and the first control value as a first gain value; and a judging unit 680, configured to judge whether the target privacy sample is an adversarial privacy sample using the several gain values determined based on the several control privacy sample sets and the several experimental privacy sample sets.
It should further be noted that the foregoing description of the apparatus shown in Fig. 4 also applies to the apparatus shown in Fig. 6 and is not repeated here.
According to an embodiment of yet another aspect, a computer-readable storage medium is also provided, on which a computer program is stored; when the computer program is executed in a computer, the computer is caused to perform the method described with reference to Fig. 1, Fig. 2, Fig. 3, or Fig. 5.
According to an embodiment of still another aspect, a computing device is also provided, including a memory and a processor, the memory storing executable code; when the processor executes the executable code, the method described with reference to Fig. 1, Fig. 2, Fig. 3, or Fig. 5 is implemented.
Those skilled in the art should appreciate that, in one or more of the above examples, the functions described in this application may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.
The specific embodiments described above further explain the objectives, technical solutions, and beneficial effects of this application in detail. It should be understood that the above are only specific embodiments of this application and are not intended to limit the scope of protection of this application; any modification, equivalent replacement, improvement, and the like made on the basis of the technical solution of this application shall fall within the scope of protection of this application.

Claims (16)

  1. A method for identifying adversarial samples to protect model security, comprising:
    sampling a plurality of non-adversarial samples several times to obtain several control sample sets;
    for any first control sample set among the several control sample sets, training an initial machine learning model with the first control sample set to obtain a trained first control model;
    adding a target sample to be detected to each of the several control sample sets to obtain several experimental sample sets;
    for a first experimental sample set obtained by adding the target sample to the first control sample set, training the initial machine learning model with the first experimental sample set to obtain a trained first experimental model;
    evaluating the performance of the first control model with a test sample set to obtain a first control value for a preset evaluation index, the test sample set being determined based on the plurality of non-adversarial samples;
    evaluating the performance of the first experimental model with the test sample set to obtain a first experimental value for the preset evaluation index;
    determining the difference between the first experimental value and the first control value as a first gain value;
    judging whether the target sample is an adversarial sample using several gain values determined based on the several control sample sets and the several experimental sample sets.
  2. The method according to claim 1, wherein:
    the plurality of non-adversarial samples and the target sample are image samples, and the initial machine learning model is an image processing model; or
    the plurality of non-adversarial samples and the target sample are text samples, and the initial machine learning model is a text processing model; or
    the plurality of non-adversarial samples and the target sample are speech samples, and the initial machine learning model is a speech processing model.
  3. The method according to claim 1, wherein sampling a plurality of non-adversarial samples several times to obtain several control sample sets comprises:
    sampling the plurality of non-adversarial samples multiple times by enumeration to obtain multiple control sample sets; or
    sampling the plurality of non-adversarial samples several times by stratified sampling to obtain the several control sample sets; or
    sampling the plurality of non-adversarial samples several times by bootstrap sampling to obtain the several control sample sets.
  4. The method according to claim 1, wherein the preset evaluation index includes one or more of the following: error rate, accuracy, recall.
  5. The method according to claim 1, wherein judging whether the target sample is an adversarial sample using several gain values determined based on the several control sample sets and the several experimental sample sets comprises:
    determining the gain mean of the several gain values, and judging the target sample to be an adversarial sample when the gain mean is less than a set threshold; or
    determining the gain ratio, that is, the proportion of the several gain values that are greater than the set threshold, and judging the target sample to be an adversarial sample when the gain ratio is less than a first preset ratio.
  6. The method according to claim 5, wherein judging whether the target sample is an adversarial sample further comprises:
    averaging the several control values obtained for the several control sample sets on the preset evaluation index to obtain a control mean;
    determining the product of the control mean and a second preset ratio as the set threshold.
  7. An apparatus for identifying adversarial samples to protect model security, comprising:
    a sampling unit, configured to sample a plurality of non-adversarial samples several times to obtain several control sample sets;
    an adding unit, configured to add a target sample to be detected to each of the several control sample sets to obtain several experimental sample sets;
    a first training unit, configured to, for any first control sample set among the several control sample sets, train an initial machine learning model with the first control sample set to obtain a trained first control model;
    a first evaluation unit, configured to evaluate the performance of the first control model with a test sample set to obtain a first control value for a preset evaluation index, the test sample set being determined based on the plurality of non-adversarial samples;
    a second training unit, configured to, for a first experimental sample set obtained by adding the target sample to the first control sample set, train the initial machine learning model with the first experimental sample set to obtain a trained first experimental model;
    a second evaluation unit, configured to evaluate the performance of the first experimental model with the test sample set to obtain a first experimental value for the preset evaluation index;
    a gain determining unit, configured to determine the difference between the first experimental value and the first control value as a first gain value;
    a judging unit, configured to judge whether the target sample is an adversarial sample using several gain values determined based on the several control sample sets and the several experimental sample sets.
  8. The apparatus according to claim 7, wherein:
    the plurality of non-adversarial samples and the target sample are image samples, and the initial machine learning model is an image processing model; or
    the plurality of non-adversarial samples and the target sample are text samples, and the initial machine learning model is a text processing model; or
    the plurality of non-adversarial samples and the target sample are speech samples, and the initial machine learning model is a speech processing model.
  9. The apparatus according to claim 7, wherein the sampling unit is configured to:
    sample the plurality of non-adversarial samples multiple times by enumeration to obtain multiple control sample sets; or
    sample the plurality of non-adversarial samples several times by stratified sampling to obtain the several control sample sets; or
    sample the plurality of non-adversarial samples several times by bootstrap sampling to obtain the several control sample sets.
  10. The apparatus according to claim 7, wherein the preset evaluation index includes one or more of the following: error rate, accuracy, recall.
  11. The apparatus according to claim 7, wherein the judging unit is configured to:
    determine the gain mean of the several gain values, and judge the target sample to be an adversarial sample when the gain mean is less than a set threshold; or
    determine the gain ratio, that is, the proportion of the several gain values that are greater than the set threshold, and judge the target sample to be an adversarial sample when the gain ratio is less than a first preset ratio.
  12. The apparatus according to claim 11, wherein the judging unit is further configured to:
    average the several control values obtained for the several control sample sets on the preset evaluation index to obtain a control mean;
    determine the product of the control mean and a second preset ratio as the set threshold.
  13. A method for identifying adversarial privacy samples to protect privacy security, comprising:
    sampling a plurality of non-adversarial privacy samples several times to obtain several control privacy sample sets;
    adding a target privacy sample to be detected to each of the several control privacy sample sets to obtain several experimental privacy sample sets;
    for any first control privacy sample set among the several control privacy sample sets, training an initial machine learning model with the first control privacy sample set to obtain a trained first control model;
    evaluating the performance of the first control model with a test privacy sample set to obtain a first control value for a preset evaluation index, the test privacy sample set being determined based on the plurality of non-adversarial privacy samples;
    for a first experimental privacy sample set obtained by adding the target privacy sample to the first control privacy sample set, training the initial machine learning model with the first experimental privacy sample set to obtain a trained first experimental model;
    evaluating the performance of the first experimental model with the test privacy sample set to obtain a first experimental value for the preset evaluation index;
    determining the difference between the first experimental value and the first control value as a first gain value;
    judging whether the target privacy sample is an adversarial privacy sample using several gain values determined based on the several control privacy sample sets and the several experimental privacy sample sets.
  14. An apparatus for identifying adversarial privacy samples to protect privacy security, comprising:
    a sampling unit, configured to sample a plurality of non-adversarial privacy samples several times to obtain several control privacy sample sets;
    an adding unit, configured to add a target privacy sample to be detected to each of the several control privacy sample sets to obtain several experimental privacy sample sets;
    a first training unit, configured to, for any first control privacy sample set among the several control privacy sample sets, train an initial machine learning model with the first control privacy sample set to obtain a trained first control model;
    a first evaluation unit, configured to evaluate the performance of the first control model with a test privacy sample set to obtain a first control value for a preset evaluation index, the test privacy sample set being determined based on the plurality of non-adversarial privacy samples;
    a second training unit, configured to, for a first experimental privacy sample set obtained by adding the target privacy sample to the first control privacy sample set, train the initial machine learning model with the first experimental privacy sample set to obtain a trained first experimental model;
    a second evaluation unit, configured to evaluate the performance of the first experimental model with the test privacy sample set to obtain a first experimental value for the preset evaluation index;
    a gain determining unit, configured to determine the difference between the first experimental value and the first control value as a first gain value;
    a judging unit, configured to judge whether the target privacy sample is an adversarial privacy sample using several gain values determined based on the several control privacy sample sets and the several experimental privacy sample sets.
  15. 一种计算机可读存储介质,其上存储有计算机程序,其中,当所述计算机程序在计算机中执行时,令计算机执行权利要求1-6、13中任一项所述的方法。A computer-readable storage medium having a computer program stored thereon, wherein when the computer program is executed in a computer, the computer is caused to execute the method according to any one of claims 1-6 and 13.
  16. 一种计算设备,包括存储器和处理器,其中,所述存储器中存储有可执行代码,所述处理器执行所述可执行代码时,实现权利要求1-6、13中任一项所述的方法。A computing device, comprising a memory and a processor, wherein executable code is stored in the memory, and when the processor executes the executable code, the device described in any one of claims 1-6 and 13 is implemented method.
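The gain-based check that the units above describe, as an added worked example in Python; this is not code from the patent or its applicant. It assumes a nearest-centroid classifier as the "initial machine learning model", accuracy as the "preset evaluation index", stratified random subsets of a clean pool as the control sets, a constructed two-dimensional dataset in place of real privacy samples, and an assumed decision rule that flags the target sample when the mean gain over the control sets falls below a threshold. The function and constant names are the example's own.

```python
import random
from statistics import mean

# Constructed 2-D toy data standing in for the non-adversarial privacy samples:
# class 0 clustered near (0, 0), class 1 clustered near (4, 4).
CENTERS = {0: (0.0, 0.0), 1: (4.0, 4.0)}
NOISE = 0.3


def make_samples(rng, n_per_class):
    """Return [((x, y), label), ...] with n_per_class points drawn around each center."""
    samples = []
    for label, (cx, cy) in CENTERS.items():
        for _ in range(n_per_class):
            samples.append(((cx + rng.gauss(0, NOISE), cy + rng.gauss(0, NOISE)), label))
    return samples


def train(samples):
    """Stand-in for the initial model: a nearest-centroid classifier (assumed)."""
    centroids = {}
    for label in CENTERS:
        pts = [x for x, y in samples if y == label]
        centroids[label] = (sum(p[0] for p in pts) / len(pts),
                            sum(p[1] for p in pts) / len(pts))
    return centroids


def predict(model, x):
    """Label of the centroid closest to x."""
    return min(model, key=lambda lbl: (model[lbl][0] - x[0]) ** 2 + (model[lbl][1] - x[1]) ** 2)


def evaluate(model, test_set):
    """Preset evaluation index (assumed): accuracy on the held-out test set."""
    return sum(predict(model, x) == y for x, y in test_set) / len(test_set)


def build_control_sets(rng, pool, n_sets, per_class):
    """Several control sets, each a stratified random subset of the clean pool."""
    by_label = {lbl: [s for s in pool if s[1] == lbl] for lbl in CENTERS}
    return [rng.sample(by_label[0], per_class) + rng.sample(by_label[1], per_class)
            for _ in range(n_sets)]


def gain_values(control_sets, target, test_set):
    """One gain per control set: experimental value minus control value."""
    gains = []
    for control in control_sets:
        control_value = evaluate(train(control), test_set)            # control model
        experimental_value = evaluate(train(control + [target]), test_set)  # experimental model
        gains.append(experimental_value - control_value)
    return gains


def is_adversarial(gains, threshold=-0.05):
    """Decision rule (assumed): flag when the mean gain drops below the threshold."""
    return mean(gains) < threshold


def detect(target, seed=7):
    """Run the whole procedure for one target sample; returns (gains, verdict)."""
    rng = random.Random(seed)
    pool = make_samples(rng, 20)        # clean samples the control sets are drawn from
    test_set = make_samples(rng, 20)    # test privacy sample set, also clean
    control_sets = build_control_sets(rng, pool, n_sets=5, per_class=5)
    gains = gain_values(control_sets, target, test_set)
    return gains, is_adversarial(gains)


# Constructed targets: a far-off point mislabeled as class 0 (a poisoning sample)
# and an ordinary class-0 point.
POISON_TARGET = ((40.0, 40.0), 0)
BENIGN_TARGET = ((0.3, -0.2), 0)

if __name__ == "__main__":
    for name, target in [("poison", POISON_TARGET), ("benign", BENIGN_TARGET)]:
        gains, verdict = detect(target)
        print(name, [round(g, 2) for g in gains], "adversarial" if verdict else "clean")
```

The mislabeled outlier drags the class-0 centroid past the class-1 cluster, so every control set loses all of its class-0 test accuracy and each gain is -0.5, while the ordinary point leaves the centroids essentially unchanged and each gain is 0. In practice the threshold and the number of control sets have to be calibrated on samples known to be clean, since with real models the gains are noisy, and each target costs one retraining per control set.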
PCT/CN2020/138824 2020-01-15 2020-12-24 Method and apparatus for identifying adversarial sample to protect model security WO2021143478A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010040234.4A CN110852450B (en) 2020-01-15 2020-01-15 Method and device for identifying countermeasure sample to protect model security
CN202010040234.4 2020-01-15

Publications (1)

Publication Number Publication Date
WO2021143478A1 true WO2021143478A1 (en) 2021-07-22

Family

ID=69610734

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/138824 WO2021143478A1 (en) 2020-01-15 2020-12-24 Method and apparatus for identifying adversarial sample to protect model security

Country Status (2)

Country Link
CN (1) CN110852450B (en)
WO (1) WO2021143478A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110852450B (en) * 2020-01-15 2020-04-14 支付宝(杭州)信息技术有限公司 Method and device for identifying countermeasure sample to protect model security
CN113449097A (en) * 2020-03-24 2021-09-28 百度在线网络技术(北京)有限公司 Method and device for generating countermeasure sample, electronic equipment and storage medium
CN111340008B (en) * 2020-05-15 2021-02-19 支付宝(杭州)信息技术有限公司 Method and system for generation of counterpatch, training of detection model and defense of counterpatch
CN111860698B (en) * 2020-08-05 2023-08-11 中国工商银行股份有限公司 Method and device for determining stability of learning model
CN113012153A (en) * 2021-04-30 2021-06-22 武汉纺织大学 Aluminum profile flaw detection method
CN114140670A (en) * 2021-11-25 2022-03-04 支付宝(杭州)信息技术有限公司 Method and device for model ownership verification based on exogenous features

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109543760A (en) * 2018-11-28 2019-03-29 上海交通大学 Confrontation sample testing method based on image filters algorithm
US20190206057A1 (en) * 2016-09-13 2019-07-04 Ohio State Innovation Foundation Systems and methods for modeling neural architecture
CN110363243A (en) * 2019-07-12 2019-10-22 腾讯科技(深圳)有限公司 The appraisal procedure and device of disaggregated model
CN110852450A (en) * 2020-01-15 2020-02-28 支付宝(杭州)信息技术有限公司 Method and device for identifying countermeasure sample to protect model security

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108304858B (en) * 2017-12-28 2022-01-04 中国银联股份有限公司 Generation method, verification method and system of confrontation sample recognition model
CN108710892B (en) * 2018-04-04 2020-09-01 浙江工业大学 Cooperative immune defense method for multiple anti-picture attacks
CN109902798A (en) * 2018-05-31 2019-06-18 华为技术有限公司 The training method and device of deep neural network
CN108932527A (en) * 2018-06-06 2018-12-04 上海交通大学 Using cross-training model inspection to the method for resisting sample
CN110674856A (en) * 2019-09-12 2020-01-10 阿里巴巴集团控股有限公司 Method and device for machine learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WANG, JIA: "Research on Adversarial Examples in Deep Learning based on Image Recognition Problems", COMPUTER KNOWLEDGE AND TECHNOLOGY, vol. 15, 31 October 2019 (2019-10-31), CN, pages 222 - 223, XP009529271, ISSN: 1009-3044, DOI: 10.14004/j.cnki.ckt.2019.3617 *

Also Published As

Publication number Publication date
CN110852450A (en) 2020-02-28
CN110852450B (en) 2020-04-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20913811

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20913811

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 16.05.2023)