WO2022037295A1 - Targeted attack method for deep hash retrieval and terminal device - Google Patents

Publication number: WO2022037295A1
Application number: PCT/CN2021/104818
Authority: WO, WIPO (PCT)
Prior art keywords: hash, sample, deep, retrieval, adversarial
Other languages: French (fr), Chinese (zh)
Inventor: 夏树涛, 白家旺, 陈斌, 戴涛, 李清, 齐竹云
Original Assignee: 鹏城实验室, 清华大学深圳国际研究生院
Application filed by: 鹏城实验室, 清华大学深圳国际研究生院

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/90335 Query processing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries

Definitions

  • The invention relates to the technical field of hash retrieval, in particular to a targeted attack method and terminal device for deep hash retrieval.
  • Approximate nearest neighbor retrieval over large-scale data is efficient and performs well, and is used in many search engines, such as Google and Bing, to retrieve images or videos.
  • Hash-based retrieval in particular has received more attention: it maps data into a compact binary space, so that Hamming distance can be used to measure similarity and improve computational efficiency.
  • Hash retrieval methods based on deep learning achieve the best performance in current hash retrieval.
  • Many studies have shown that deep learning models are vulnerable to adversarial attacks, which affects the performance of deep learning models.
  • Adversarial sample generation can be divided into two types: untargeted attack and targeted attack.
  • An untargeted attack degrades the performance of the attacked model.
  • In a targeted attack the attacker wants to achieve a specific goal (for example, in a classification task, the goal is to have adversarial examples classified into a specified class).
  • There are few methods for adversarial attacks in retrieval tasks and there is no targeted attack method for deep hash retrieval, which is not conducive to research on the robustness and security of retrieval systems.
  • The technical problem to be solved by the present invention is to provide, in view of the deficiencies of the prior art, a targeted attack method and terminal device for deep hash retrieval, aiming to solve the problem that the prior art lacks a targeted attack method for deep hash retrieval, which is not conducive to research on the robustness and security of retrieval systems.
  • A targeted attack method for deep hash retrieval, comprising the steps of:
  • the label t is the category that the attacker specifies to be returned, and the label t is different from the category of the query image x;
  • the representative hash code h_a is obtained with the bit voting algorithm;
  • tanh is the hyperbolic tangent function;
  • x' is the adversarial sample;
  • the sample x_i is a picture or a video.
  • In the targeted attack method for deep hash retrieval, the step of using the bit voting algorithm to obtain the representative hash code h_a includes:
  • the bit voting method is applied to the hash codes of all samples in the sample set to obtain the representative hash code h_a.
  • In the targeted attack method for deep hash retrieval, the step of applying the bit voting method to the hash codes of all samples in the sample set to obtain the representative hash code h_a includes:
  • A computer-readable storage medium, wherein the computer-readable storage medium stores one or more programs, and the one or more programs can be executed by one or more processors so as to implement the steps in the targeted attack method for deep hash retrieval described in the present invention.
  • A terminal device, comprising: a processor, a memory and a communication bus; a computer-readable program executable by the processor is stored on the memory;
  • the communication bus implements connection communication between the processor and the memory.
  • The present invention provides a targeted attack method, storage medium and terminal device for deep hash retrieval.
  • The targeted attack in retrieval is defined as a point-to-set optimization problem, that is, minimizing the average distance between the hash code of the adversarial sample and the set of hash codes of the desired category; a bit-voting algorithm is then designed to obtain the optimal representative hash code of that set; to ensure the invisibility of the adversarial samples, the adversarial noise is further optimized under an infinity-norm constraint, so that the distance between the hash code of the adversarial sample and the representative hash code is as small as possible.
  • The method of the invention not only ensures that the adversarial sample is indistinguishable from the original sample, but also achieves a good targeted attack effect; using this attack method when designing a deep hash retrieval model helps improve the security and robustness of the model.
  • The adversarial examples generated can make the retrieval model return samples of the class expected by the attacker.
  • FIG. 1 is a flowchart of a preferred embodiment of a targeted attack method for deep hash retrieval provided by the present invention.
  • FIG. 2 is a schematic diagram of a targeted attack method for deep hash retrieval provided by the present invention.
  • FIG. 3 is a schematic structural diagram of a terminal device provided by the present invention.
  • The present invention is further described in detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are only used to explain the present invention, but not to limit the present invention.
  • When the user uploads a picture, a hash function converts it into a 0/1 code, and the distance between this code and the codes of all pictures in the database is computed (using Hamming distance): the picture's binary code is XORed with every binary code in the database and the number of 1s is the distance. All distances are sorted, the 100 closest pictures are selected as similar pictures, and the original pictures are then found by index and displayed.
  • The cifar-10 data set can be used. First, GIST features are extracted from the data set, and each image is represented by a vector.
  • For example, if 512 features are extracted, each image is represented by a 512-dimensional vector, and 10,000 pictures finally form a 10000*512 matrix.
  • The data is divided into a training set and a test set, and the training set is used to train the hash function.
  • The test set is used to test the precision and recall.
  • The hash function is trained from the training set.
  • The training data is converted into hash codes by the hash function, and the test data is converted into hash codes. The distances from the test data to the training data are computed and sorted, and the 100 pictures with the smallest distance are selected; these 100 pictures are the approximate nearest neighbors.
  • Hash retrieval methods based on deep learning achieve the best performance in current hash retrieval; however, research shows that deep learning models are vulnerable to adversarial attacks, which affects their performance.
  • Targeted attack methods for classification cannot be directly transferred to retrieval.
  • Embodiments of the present invention provide a targeted attack method for deep hash retrieval, which includes the steps:
  • the label t is the category that the attacker specifies to be returned, and the label t is different from the category of the query image x;
  • the representative hash code h_a is obtained with the bit voting algorithm;
  • tanh is the hyperbolic tangent function;
  • x' is the adversarial sample.
  • The retrieval process for a query sample x is as follows: first, the model outputs the hash code F(x) of x; then the Hamming distance d_H(F(x), F(x_i)) between the query hash code and the hash code of every sample in the database is calculated; finally, the retrieval system sorts the samples in the database by the calculated distance and returns the result.
  • The targeted attack method for deep hash retrieval provided by this embodiment first defines the targeted attack in deep hash retrieval as a point-to-set optimization problem, that is, minimizing the average distance between the hash code of the adversarial sample and the set of hash codes of the desired category; a bit-voting algorithm is then designed to obtain the optimal representative hash code of that set; to ensure the invisibility of adversarial samples, the adversarial noise is further optimized under an infinity-norm constraint, so that the distance between the hash code of the adversarial example and the representative hash code is as small as possible.
  • The method of this embodiment not only ensures that the adversarial sample is indistinguishable from the original sample, but also achieves a good targeted attack effect; using this attack method when designing a deep hash retrieval model helps improve the security and robustness of the model, and the resulting adversarial examples make the retrieval model return samples of the class expected by the attacker.
  • The attacker specifies the desired category t to be returned, and t must be different from the real category of x; as an example, if the category of x is dog, the category t that the attacker specifies to be returned can be cat, pig, fish, chicken, etc., but is not limited thereto.
  • An attacker can provide a set of samples with label t and generate hash codes for all samples in the sample set X^(t) using the model F(·).
  • From the hash codes of all samples in the sample set, the representative hash code h_a is obtained; then the size of the hyperparameter α is specified as 0 to 1 and the loss function is designed, in which tanh is the hyperbolic tangent function and x' is the adversarial sample; then the gradient of x' is calculated with the gradient descent method and x' is updated with the calculated gradient; the generated adversarial sample x' is projected so that x' satisfies the infinity-norm constraint and the image space; it is judged whether the preset number of updates has been reached: if so, the adversarial sample x' is obtained; if not, the method returns to step S06 to continue updating x'; finally the adversarial sample x' is input into the deep hash retrieval model, and samples of the desired category are returned.
  • The adversarial samples generated by this algorithm are first input into the hash model, that is, the adversarial query "dog" picture is input into the following feature extractor and fully connected layer to obtain the hash code of the adversarial sample.
  • This hash code is used to retrieve the neighbor samples in the database, and the neighbor samples obtained belong to the attack category preset by the attacker in the targeted attack, that is, the "cat" in the figure below.
  • The size of the hyperparameter α is set from 0 to 1 to prevent the vanishing-gradient problem during backpropagation and to speed up the convergence of the adversarial sample generation algorithm; the loss function is designed subject to the constraint that the infinity norm between the original query image and the generated adversarial sample is smaller than a given threshold, that is, the hash code of the adversarial sample is made as close as possible to the representative hash code h_a while the two samples remain indistinguishable.
  • The preset number of updates is a parameter set by the attacker, which can be set to 2000; reaching the preset number of updates is intended to make the attack succeed within an acceptable computation time. If the number of updates does not reach the preset value, the generated adversarial examples may attack poorly.
  • The sample x' is a picture or a video.
  • This embodiment adopts the bit voting algorithm to calculate the representative hash code, which provides an optimization target for targeted adversarial attacks and can make the attack effect efficient and stable.
  • This embodiment provides a computer-readable storage medium, where the computer-readable storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps in the targeted attack method for deep hash retrieval as described in the above embodiments.
  • The present invention also provides a terminal device, as shown in FIG. 3, which includes at least one processor 20, a display screen 21 and a memory 22, and may also include a communications interface 23 and a bus 24.
  • The processor 20, the display screen 21, the memory 22 and the communication interface 23 can communicate with each other through the bus 24.
  • The display screen 21 is set to display a user guide interface preset in the initial setting mode.
  • The communication interface 23 can transmit information.
  • The processor 20 may invoke logic instructions in the memory 22 to perform the methods in the above-described embodiments.
  • Logic instructions in the memory 22 can be implemented in the form of software functional units and can be stored in a computer-readable storage medium when sold or used as an independent product.
  • The memory 22 may be configured to store software programs and computer-executable programs, such as program instructions or modules corresponding to the methods in the embodiments of the present disclosure.
  • The processor 20 executes functional applications and data processing by running the software programs, instructions or modules stored in the memory 22, i.e., implements the methods in the above embodiments.
  • The memory 22 may include a storage program area and a storage data area, wherein the storage program area may store an operating system and an application program required for at least one function; the storage data area may store data created according to the use of the terminal device, and the like. Additionally, memory 22 may include high-speed random access memory, and may also include non-volatile memory, for example a U disk, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk and other media that can store program codes, or a transitory storage medium.
  • The present invention supports improving the robustness and security of retrieval systems by proposing a targeted adversarial attack method for deep hash retrieval and verifying the robustness of the retrieval model under this attack.
  • The invention corrupts the model's retrieval result by adding invisible adversarial noise to the input image, so that samples of the attacker's desired category are returned.

Abstract

Disclosed in the present invention are a targeted attack method for deep hash retrieval and a terminal device. The method comprises: providing a sample set with a label t, inputting all samples in the sample set into a deep hash retrieval model, and generating the corresponding hash codes; obtaining a representative hash code h_a by a bit voting algorithm; specifying the size of a hyper-parameter α to be 0 to 1, and designing a loss function; calculating the gradient of x' by a gradient descent method and updating x' with the gradient; projecting the generated adversarial sample x' so that x' satisfies the infinity-norm constraint and the image space; determining whether a preset number of updates has been reached and, if so, obtaining the adversarial sample x'; and inputting the adversarial sample x' into the deep hash retrieval model, which returns samples of the expected category. Using this attack method when designing a deep hash retrieval model can improve the security and robustness of the model, and the generated adversarial sample can make the retrieval model return samples of the category expected by the attacker.

Description

A Targeted Attack Method and Terminal Device for Deep Hash Retrieval
Technical field
The invention relates to the technical field of hash retrieval, in particular to a targeted attack method and terminal device for deep hash retrieval.
Background
Approximate nearest neighbor retrieval over large-scale data is efficient and performs well, and is used in many search engines, such as Google and Bing, to retrieve images or videos. Among these approximate nearest neighbor search methods, hash-based retrieval in particular has received more attention: it maps data into a compact binary space, so that Hamming distance can be used to measure similarity and improve computational efficiency.
Hash retrieval methods based on deep learning achieve the best performance in current hash retrieval. However, many studies have shown that deep learning models are vulnerable to adversarial attacks, which affects the performance of deep learning models. According to the purpose of the attack, adversarial sample generation can be divided into two types: untargeted attack and targeted attack. An untargeted attack degrades the performance of the attacked model, while in a targeted attack the attacker wants to achieve a specific goal (for example, in a classification task, the goal is to have adversarial examples classified into a specified class). There are many methods for these two attacks in classification tasks. However, there are few methods for adversarial attacks in retrieval tasks, and there is no targeted attack method for deep hash retrieval, which is not conducive to research on the robustness and security of retrieval systems.
Therefore, the existing technology still needs to be improved and developed.
Summary of the invention
The technical problem to be solved by the present invention is to provide, in view of the deficiencies of the prior art, a targeted attack method and terminal device for deep hash retrieval, aiming to solve the problem that the prior art lacks a targeted attack method for deep hash retrieval, which is not conducive to research on the robustness and security of retrieval systems.
In order to solve the above technical problem, the technical solution adopted by the present invention is as follows:
A targeted attack method for deep hash retrieval, comprising the steps of:
Provide a sample set with label t, input all samples in the sample set into the deep hash retrieval model, and generate the corresponding hash codes
Figure PCTCN2021104818-appb-000001
where the label t is the category that the attacker specifies to be returned, and the label t is different from the category of the query image x;
Obtain the representative hash code h_a with the bit voting algorithm;
Specify the size of the hyperparameter α as 0 to 1, and design the loss function as:
Figure PCTCN2021104818-appb-000002
where tanh is the hyperbolic tangent function and x' is the adversarial sample;
Compute the gradient of x' using the gradient descent method;
Update x' with the computed gradient;
Project the generated adversarial sample x' so that x' satisfies the infinity-norm constraint and the image space;
Determine whether the preset number of updates has been reached and, if so, obtain the adversarial sample x';
Input the adversarial sample x' into the deep hash retrieval model, which returns samples of the desired category.
In the targeted attack method for deep hash retrieval, the deep hash retrieval model is F(·) with hash code length K, and the hash code of a sample x_i is generated as h = F(x) = sign(f_θ(x)), where f_θ(·) denotes the deep neural network model, sign(·) is the sign function,
Figure PCTCN2021104818-appb-000003
denotes a data set of N samples divided into C categories, and y_i ∈ {0,1}^C denotes the label vector.
In the targeted attack method for deep hash retrieval, the sample x_i is a picture or a video.
In the targeted attack method for deep hash retrieval, the step of using the bit voting algorithm to obtain the representative hash code h_a includes:
applying the bit voting method to the hash codes of all samples in the sample set
Figure PCTCN2021104818-appb-000004
to obtain the representative hash code h_a.
In the targeted attack method for deep hash retrieval, the step of applying the bit voting method to the hash codes of all samples in the sample set
Figure PCTCN2021104818-appb-000005
to obtain the representative hash code h_a includes:
For j = 1, 2, …, K, count the number of +1 and -1 values at each position, expressed as
Figure PCTCN2021104818-appb-000006
and
Figure PCTCN2021104818-appb-000007
where
Figure PCTCN2021104818-appb-000008
and where
Figure PCTCN2021104818-appb-000009
denotes the indicator function;
According to the formula
Figure PCTCN2021104818-appb-000010
determine the value of
Figure PCTCN2021104818-appb-000011
at the j-th position, thereby returning the representative hash code h_a.
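The bit-voting step described above, written out as an added Python example (not code from the patent or its authors). The tie rule (+1 when the two counts are equal) and the six-bit sample codes are assumptions constructed for illustration; the brute-force search checks the point-to-set claim that the voted code attains the smallest possible average Hamming distance to the set.

```python
from itertools import product


def hamming(a, b):
    """Hamming distance between two equal-length codes over {+1, -1}."""
    if len(a) != len(b):
        raise ValueError("hash codes must have the same length K")
    return sum(1 for p, q in zip(a, b) if p != q)


def bit_vote(codes):
    """Majority vote per bit position; returns the representative code."""
    if not codes:
        raise ValueError("need at least one hash code")
    k = len(codes[0])
    representative = []
    for j in range(k):
        n_pos = sum(1 for c in codes if len(c) == k and c[j] == +1)
        n_neg = sum(1 for c in codes if len(c) == k and c[j] == -1)
        if n_pos + n_neg != len(codes):
            raise ValueError("codes must be length K with entries +1 or -1")
        # Assumption: a tie is resolved to +1 (the page does not show the rule).
        representative.append(+1 if n_pos >= n_neg else -1)
    return tuple(representative)


def mean_distance(code, codes):
    """Average Hamming distance from one code to every code in the set."""
    return sum(hamming(code, c) for c in codes) / len(codes)


def brute_force_minimum(codes):
    """Smallest average distance over all 2^K candidate codes (small K only)."""
    k = len(codes[0])
    return min(mean_distance(cand, codes)
               for cand in product((+1, -1), repeat=k))


# Constructed sample: hash codes (K = 6) of five samples sharing one label.
SAMPLE_CODES = [
    (+1, +1, -1, +1, -1, -1),
    (+1, -1, -1, +1, -1, +1),
    (+1, +1, -1, -1, -1, -1),
    (-1, +1, -1, +1, +1, -1),
    (+1, +1, +1, +1, -1, -1),
]

if __name__ == "__main__":
    h_a = bit_vote(SAMPLE_CODES)
    print("representative code:", h_a)
    print("mean distance of voted code:", mean_distance(h_a, SAMPLE_CODES))
    print("minimum over all 2^K codes: ", brute_force_minimum(SAMPLE_CODES))
```

Because the average Hamming distance splits into one independent term per bit position, choosing the majority value at each position minimises every term separately, which is why the vote matches the exhaustive search.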
A computer-readable storage medium, wherein the computer-readable storage medium stores one or more programs, and the one or more programs can be executed by one or more processors so as to implement the steps in the targeted attack method for deep hash retrieval described in the present invention.
A terminal device, comprising: a processor, a memory and a communication bus; a computer-readable program executable by the processor is stored on the memory;
The communication bus implements connection communication between the processor and the memory;
When the processor executes the computer-readable program, the steps in the targeted attack method for deep hash retrieval of the present invention are implemented.
Beneficial effects: Compared with the prior art, the present invention provides a targeted attack method, storage medium and terminal device for deep hash retrieval. First, the targeted attack in retrieval is defined as a point-to-set optimization problem, that is, minimizing the average distance between the hash code of the adversarial sample and the set of hash codes of the desired category; then a bit-voting algorithm is designed to obtain the optimal representative hash code of the set of hash codes of the desired category; to ensure the invisibility of the adversarial samples, the adversarial noise is further optimized under an infinity-norm constraint, so that the distance between the hash code of the adversarial sample and the representative hash code is as small as possible. The method of the invention not only ensures that the adversarial sample is indistinguishable from the original sample, but also achieves a good targeted attack effect; using this attack method when designing a deep hash retrieval model helps improve the security and robustness of the model, and the adversarial examples generated can make the retrieval model return samples of the class expected by the attacker.
附图说明Description of drawings
图1为本发明提供的一种针对深度哈希检索的有目标攻击方法较佳实施例的流程图。FIG. 1 is a flowchart of a preferred embodiment of a targeted attack method for deep hash retrieval provided by the present invention.
图2为本发明提供的针对深度哈希检索的有目标攻击方法示意图。FIG. 2 is a schematic diagram of a targeted attack method for deep hash retrieval provided by the present invention.
FIG. 3 is a schematic structural diagram of a terminal device provided by the present invention.
Detailed Description
The present invention provides a targeted attack method for deep hash retrieval, a storage medium and a terminal device. To make the purpose, technical solution and effect of the present invention clearer and more definite, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention and are not intended to limit it.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural forms. It should be further understood that the word "comprising" used in the description of the present invention refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intervening elements may be present. Furthermore, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The term "and/or" as used herein includes all or any unit and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have meanings consistent with their meanings in the context of the prior art and, unless specifically defined as herein, are not to be interpreted in an idealized or overly formal sense.
The content of the invention is further explained below through the description of embodiments with reference to the accompanying drawings.
Existing targeted attacks are mainly aimed at classification tasks. In classification tasks, images carry class labels, so an adversarial attack has a clear optimization objective. In hash retrieval, samples are mapped into a binary space, which makes the objective of a targeted attack unclear. Take hash-based image retrieval as an example. For retrieval over data of this scale, approximate nearest neighbor search works well because it balances efficiency and accuracy. The main idea is to represent each picture with a relatively short 0/1 code, for example a code of length 64 or 128, that still approximately preserves the neighbor relationships of the picture space. When a user uploads a picture, a hash function converts it into a 0/1 code, and the distance between this code and the code of every picture in the database is computed (using the Hamming distance): the binary code of the picture is XORed with each binary code in the database, and the number of 1s in the result is the distance. All distances are sorted, the 100 closest pictures are selected as similar pictures, and the original pictures are then located by index and displayed. Specifically, hash-based image retrieval can be done on the cifar-10 data set. Gist features are first extracted from the data set so that each picture is represented by a vector; for example, if 512 features are extracted, each picture is represented by a 512-dimensional vector, and ten thousand pictures form a 10000*512 matrix. The data is divided into a training set and a test set. The training set is used to train the hash function, and the test set is used to measure precision and recall. The hash function is trained on the training set. The training data and the test data are converted into hash codes by the hash function. The distances from the test data to the training data are computed and sorted, and the 100 pictures with the smallest distances are selected; these 100 pictures are the approximate nearest neighbors.
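The Hamming-ranking lookup described above, as an added example that is not part of the patent text: codes are packed into integers, XORed, and the 1 bits counted before sorting. The 8-bit codes, labels and function names are constructed for illustration.

```python
# Added illustration (not from the patent): Hamming-ranking retrieval over
# binary hash codes. DATABASE and QUERY are constructed sample data.

def pack(bits):
    """Pack a sequence of 0/1 bits into one integer so a single XOR compares all bits."""
    value = 0
    for b in bits:
        if b not in (0, 1):
            raise ValueError("hash code bits must be 0 or 1")
        value = (value << 1) | b
    return value


def hamming(a, b):
    """Hamming distance of two packed codes: the number of 1 bits in their XOR."""
    return bin(a ^ b).count("1")


def retrieve(query_bits, database, top_k=100):
    """Rank database entries by Hamming distance to the query code.

    database is a list of (label, bits) pairs. Returns up to top_k tuples
    (distance, index, label), nearest first; ties are broken by index.
    """
    packed_query = pack(query_bits)
    ranked = []
    for index, (label, bits) in enumerate(database):
        if len(bits) != len(query_bits):
            raise ValueError("all codes must have the same length K")
        ranked.append((hamming(packed_query, pack(bits)), index, label))
    ranked.sort()
    return ranked[:top_k]


def precision_at_k(query_bits, database, true_label, top_k):
    """Fraction of the top_k results whose label equals true_label."""
    hits = retrieve(query_bits, database, top_k)
    if not hits:
        return 0.0
    return sum(1 for _, _, label in hits if label == true_label) / len(hits)


# Constructed 8-bit codes; a real system would use e.g. 64 or 128 bits.
DATABASE = [
    ("cat", [1, 1, 0, 0, 1, 0, 1, 0]),
    ("cat", [1, 1, 0, 0, 1, 0, 1, 1]),
    ("cat", [1, 1, 0, 1, 1, 0, 1, 0]),
    ("dog", [0, 0, 1, 1, 0, 1, 0, 1]),
    ("dog", [0, 0, 1, 1, 0, 1, 1, 1]),
    ("dog", [0, 1, 1, 1, 0, 1, 0, 1]),
]
QUERY = [0, 0, 1, 1, 0, 1, 0, 0]  # constructed code of a "dog" query

if __name__ == "__main__":
    for distance, index, label in retrieve(QUERY, DATABASE, top_k=3):
        print(f"distance={distance} index={index} label={label}")
    print("precision@3 for 'dog':", precision_at_k(QUERY, DATABASE, "dog", 3))
```

Tracking precision at k for the true label of a query is the quantity that drops when a perturbed query's code drifts toward another class, so it is the natural metric for the robustness evaluation the description refers to.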
Hash retrieval methods based on deep learning achieve the best performance in current hash retrieval. However, research shows that deep learning models are vulnerable to adversarial attacks, which degrade their performance. According to the purpose of the attack, adversarial sample generation falls into two classes: untargeted attacks and targeted attacks. An untargeted attack degrades the performance of the attacked model, while in a targeted attack the attacker pursues a specific goal (for example, in a classification task the goal is to have the adversarial sample classified into a specified category). Many methods exist for both kinds of attack in classification tasks. However, because classification and retrieval tasks differ in nature, targeted attack methods for classification cannot be transferred directly to retrieval. The prior art has few adversarial attack methods for retrieval tasks and no targeted attack method for deep hash retrieval, which hinders the study of the robustness and security of retrieval systems. It is therefore necessary to propose an effective targeted attack scheme adapted to the characteristics of retrieval tasks.
Embodiments of the present invention provide a targeted attack method for deep hash retrieval, which includes the steps:
Provide a sample set with label t, input all samples in the sample set into the deep hash retrieval model, and generate the corresponding hash codes
Figure PCTCN2021104818-appb-000012
where the label t is the category that the attacker specifies as the desired return, and the label t differs from the category of the query image x;
Obtain the representative hash code h_a using the bit voting algorithm;
Set the hyperparameter α to a value from 0 to 1, and design the loss function as:
Figure PCTCN2021104818-appb-000013
where tanh is the hyperbolic tangent function and x′ is the adversarial sample;
Compute the gradient of x′ using gradient descent;
Update x′ with the computed gradient;
Project the generated adversarial sample x′ so that x′ satisfies the infinity-norm constraint and the image space;
Determine whether the preset number of updates has been reached, and if so, obtain the adversarial sample x′;
Input the adversarial sample x′ into the deep hash retrieval model, which returns samples of the desired category.
Specifically, the deep hash retrieval model is F(·), its hash code length is K, and the hash code of a sample x_i is generated by h = F(x) = sign(f_θ(x)), where f_θ(·) denotes the deep neural network model, sign(·) is the sign function,
Figure PCTCN2021104818-appb-000014
denotes a data set of N samples divided into C categories, and y_i ∈ {0, 1}^C denotes the label vector. When the deep hash retrieval model is not under attack, retrieval for a query sample x proceeds as follows: the model first outputs the hash code F(x) of x; the Hamming distance d_H(F(x), F(x_i)) between the query hash code and the hash code of every sample in the database is then computed; finally, the retrieval system sorts the samples in the database by the computed distances and returns the result.
The targeted attack method for deep hash retrieval provided by this embodiment first defines the targeted attack in deep hash retrieval as a point-to-set optimization problem, that is, minimizing the average distance between the hash code of the adversarial sample and the set of hash codes of the desired category. A bit voting algorithm is then designed to obtain the optimal representative hash code of the set of hash codes of the desired category. To keep the adversarial sample imperceptible, the adversarial noise is further optimized under an infinity-norm constraint so that the distance between the hash code of the adversarial sample and the representative hash code is as small as possible. The method of this embodiment not only keeps the adversarial sample indistinguishable from the original sample but also achieves a good targeted attack effect. Using this attack method when designing a deep hash retrieval model helps improve the security and robustness of the model, and the adversarial samples produced cause the retrieval model to return samples of the category the attacker desires.
In this embodiment, as shown in FIG. 1, for the query image x the attacker specifies the category t that is expected to be returned, and t must differ from the true category of x. For example, if the category of x is dog, the category t specified by the attacker can be cat, pig, fish, chicken and so on, but is not limited to these. The attacker can provide a sample set with label t
Figure PCTCN2021104818-appb-000015
The model F(·) is used to generate hash codes for all samples in the sample set X^(t)
Figure PCTCN2021104818-appb-000016
The hash codes of all samples in the sample set
Figure PCTCN2021104818-appb-000017
are processed by the bit voting method to obtain the representative hash code h_a. The hyperparameter α is then set to a value from 0 to 1, and the loss function is designed as:
Figure PCTCN2021104818-appb-000018
where tanh is the hyperbolic tangent function and x′ is the adversarial sample. The gradient of x′ is then computed by gradient descent, and x′ is updated with the computed gradient. The generated adversarial sample x′ is projected so that x′ satisfies the infinity-norm constraint and the image space. Whether the preset number of updates has been reached is then checked: if so, the adversarial sample x′ is obtained; if not, the method returns to step S06 and continues updating x′. Finally, the adversarial sample x′ is input into the deep hash retrieval model, which returns samples of the desired category.
As shown in FIG. 2, the adversarial sample generated by this algorithm is first input into the hash model: the adversarial query "dog" picture is fed into the feature extractor and fully connected layer shown below to obtain the hash code of the adversarial sample. This hash code is used to retrieve neighbor samples from the database, and the neighbor samples obtained belong to the attack category preset by the attacker in the targeted attack, namely the "cat" in the figure below.
In this embodiment, the hyperparameter α is set to a value from 0 to 1 to prevent vanishing gradients during backpropagation and to speed up the convergence of the adversarial sample generation algorithm. The loss function
Figure PCTCN2021104818-appb-000019
is designed to express that the infinity norm between the original query image and the generated adversarial sample is smaller than a given threshold ∈, that is, to bring the hash code of the adversarial sample as close as possible to the representative hash code h_a while a person cannot tell the two samples apart.
In this embodiment, computing the gradient of x′ by gradient descent means using the backpropagation algorithm with the loss function given above: starting from the output layer, the gradient is computed layer by layer until the gradient G of the input x′ is obtained. x′ is then updated using the formula x′ = x′ − G, where G is the gradient obtained in the previous step.
In this embodiment, the step of projecting the generated adversarial sample x′ so that x′ satisfies the infinity-norm constraint and the image space specifically includes: projecting the adversarial sample x′ according to the formula x′ = clamp(x′), where clamp() is the projection function, which sets the values of x′ greater than x+∈ to x+∈ and the values of x′ less than x+∈ to x′, and ensures that x′ stays in the image space, that is, within the space represented by 0-255.
In this embodiment, the preset number of updates is a parameter set by the attacker and can be set to 2000. The preset number is chosen so that the attack succeeds within an acceptable computation time; stopping before the preset number of updates is reached may leave the generated adversarial sample with a poor attack effect.
In some embodiments, the sample x′ is a picture or a video.
In some embodiments, the step of processing the hash codes of all samples in the sample set
Figure PCTCN2021104818-appb-000020
by the bit voting method to obtain the representative hash code h_a includes: for j = 1, 2, …, K, counting the number of +1s and −1s at each position, denoted
Figure PCTCN2021104818-appb-000021
and
Figure PCTCN2021104818-appb-000022
where
Figure PCTCN2021104818-appb-000023
where
Figure PCTCN2021104818-appb-000024
denotes the indicator function; and, according to the formula
Figure PCTCN2021104818-appb-000025
determining the value of
Figure PCTCN2021104818-appb-000026
at the j-th position, thereby returning the representative hash code h_a. This embodiment computes the representative hash code with the bit voting algorithm, which gives the targeted adversarial attack an optimization objective and makes the attack effect efficient and stable.
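The per-position count and vote described above, as an added example that is not part of the patent text, with a brute-force check that the voted code has the smallest total Hamming distance to the set. The sample codes and function names are constructed, and breaking a tie toward +1 is an assumption because the deciding formula survives on this page only as a figure reference.

```python
# Added illustration (not from the patent): per-bit majority vote over a set
# of {+1, -1} hash codes, plus a brute-force check of its optimality.
from itertools import product


def bit_vote(codes):
    """Return the representative code: the majority value at each of the K positions."""
    if not codes:
        raise ValueError("need at least one hash code")
    k = len(codes[0])
    representative = []
    for j in range(k):
        n_pos = sum(1 for h in codes if len(h) == k and h[j] == +1)
        n_neg = sum(1 for h in codes if len(h) == k and h[j] == -1)
        if n_pos + n_neg != len(codes):
            raise ValueError("codes must all have length K with entries +1 or -1")
        # Assumption: a tie is resolved to +1 (the page's formula is not visible).
        representative.append(+1 if n_pos >= n_neg else -1)
    return representative


def hamming(a, b):
    """Number of positions where two {+1, -1} codes differ."""
    return sum(1 for x, y in zip(a, b) if x != y)


def total_distance(code, codes):
    """Sum of Hamming distances from one code to every code in the set."""
    return sum(hamming(code, h) for h in codes)


def brute_force_minimum(codes):
    """Smallest total distance over all 2^K candidate codes (small K only)."""
    k = len(codes[0])
    return min(total_distance(c, codes) for c in product((+1, -1), repeat=k))


# Constructed hash codes (K = 6) standing in for the codes of one category.
SAMPLE_CODES = [
    [+1, -1, +1, +1, -1, -1],
    [+1, -1, -1, +1, -1, +1],
    [+1, +1, +1, +1, -1, -1],
    [-1, -1, +1, +1, +1, -1],
    [+1, -1, +1, -1, -1, -1],
]

if __name__ == "__main__":
    rep = bit_vote(SAMPLE_CODES)
    print("representative code:", rep)
    print("total distance:", total_distance(rep, SAMPLE_CODES))
    print("brute-force minimum:", brute_force_minimum(SAMPLE_CODES))
```

Because the Hamming distance is a sum over independent positions, choosing the majority value at each position minimizes the total, and therefore the mean, distance to the set.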
Based on the above targeted attack method for deep hash retrieval, this embodiment provides a computer-readable storage medium. The computer-readable storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps of the targeted attack method for deep hash retrieval described in the above embodiments.
Based on the above targeted attack method for deep hash retrieval, the present invention also provides a terminal device, as shown in FIG. 3, which includes at least one processor 20, a display screen 21 and a memory 22, and may also include a communications interface 23 and a bus 24. The processor 20, the display screen 21, the memory 22 and the communications interface 23 can communicate with each other through the bus 24. The display screen 21 is configured to display a user guide interface preset in the initial setting mode. The communications interface 23 can transmit information. The processor 20 can invoke logic instructions in the memory 22 to perform the methods in the above embodiments.
In addition, when the logic instructions in the memory 22 are implemented in the form of software functional units and sold or used as an independent product, they can be stored in a computer-readable storage medium.
As a computer-readable storage medium, the memory 22 can be configured to store software programs and computer-executable programs, such as the program instructions or modules corresponding to the methods in the embodiments of the present disclosure. The processor 20 runs the software programs, instructions or modules stored in the memory 22 to execute functional applications and data processing, that is, to implement the methods in the above embodiments.
The memory 22 may include a program storage area and a data storage area. The program storage area may store an operating system and an application program required for at least one function; the data storage area may store data created according to the use of the terminal device, and the like. In addition, the memory 22 may include high-speed random access memory and may also include non-volatile memory, for example a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or other media that can store program code, or it may be a transitory storage medium.
In addition, the specific process by which the multiple instructions in the above storage medium and terminal device are loaded and executed by the processor has been described in detail in the above method and is not repeated here.
To sum up, the present invention provides a targeted attack method for deep hash retrieval, a storage medium and a terminal device. The targeted attack in retrieval is first defined as a point-to-set optimization problem, that is, minimizing the average distance between the hash code of the adversarial sample and the set of hash codes of the desired category. A bit voting method is then designed to obtain the optimal representative hash code of the set of hash codes of the desired category. To keep the adversarial sample imperceptible, the adversarial noise is further optimized under an infinity-norm constraint so that the distance between the hash code of the adversarial sample and the representative hash code is as small as possible. The method of the present invention not only keeps the adversarial sample indistinguishable from the original sample but also achieves a good targeted attack effect. Using this attack method when designing a deep hash retrieval model helps improve the security and robustness of the model, and the adversarial samples produced cause the retrieval model to return samples of the category the attacker desires. By proposing a targeted adversarial attack method for deep hash retrieval, the present invention verifies the robustness of the retrieval model under this attack and supports improving the robustness and security of retrieval systems. The present invention adds adversarial noise that is invisible to the naked eye to the input image, which corrupts the model's retrieval result so that samples of the category the attacker desires are returned.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (7)

  1. A targeted attack method for deep hash retrieval, characterized in that it comprises the steps of:
    providing a sample set with label t, inputting all samples in the sample set into the deep hash retrieval model, and generating the corresponding hash codes
    Figure PCTCN2021104818-appb-100001
    where the label t is the category that the attacker specifies as the desired return, and the label t differs from the category of the query image x;
    obtaining the representative hash code h_a using the bit voting algorithm;
    setting the hyperparameter α to a value from 0 to 1, and designing the loss function as:
    Figure PCTCN2021104818-appb-100002
    where tanh is the hyperbolic tangent function and x′ is the adversarial sample;
    computing the gradient of x′ using gradient descent;
    updating x′ with the computed gradient;
    projecting the generated adversarial sample x′ so that x′ satisfies the infinity-norm constraint and the image space;
    determining whether the preset number of updates has been reached, and if so, obtaining the adversarial sample x′;
    inputting the adversarial sample x′ into the deep hash retrieval model, which returns samples of the desired category.
  2. The targeted attack method for deep hash retrieval according to claim 1, characterized in that the deep hash retrieval model is F(·), its hash code length is K, and the hash code of a sample x_i is generated by h = F(x) = sign(f_θ(x)), where f_θ(·) denotes the deep neural network model, sign(·) is the sign function,
    Figure PCTCN2021104818-appb-100003
    denotes a data set of N samples divided into C categories, and y_i ∈ {0, 1}^C denotes the label vector.
  3. The targeted attack method for deep hash retrieval according to claim 2, characterized in that the sample x_i is a picture or a video.
  4. The targeted attack method for deep hash retrieval according to claim 2, characterized in that the step of obtaining the representative hash code h_a using the bit voting algorithm comprises:
    processing the hash codes of all samples in the sample set
    Figure PCTCN2021104818-appb-100004
    by the bit voting method to obtain the representative hash code h_a.
  5. The targeted attack method for deep hash retrieval according to claim 4, characterized in that the step of processing the hash codes of all samples in the sample set
    Figure PCTCN2021104818-appb-100005
    by the bit voting method to obtain the representative hash code h_a comprises:
    for j = 1, 2, …, K, counting the number of +1s and −1s at each position, denoted
    Figure PCTCN2021104818-appb-100006
    and
    Figure PCTCN2021104818-appb-100007
    where
    Figure PCTCN2021104818-appb-100008
    where
    Figure PCTCN2021104818-appb-100009
    denotes the indicator function;
    according to the formula
    Figure PCTCN2021104818-appb-100010
    determining the value of
    Figure PCTCN2021104818-appb-100011
    at the j-th position, thereby returning the representative hash code h_a.
  6. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps of the targeted attack method for deep hash retrieval according to any one of claims 1-5.
  7. A terminal device, characterized in that it comprises: a processor, a memory and a communication bus; the memory stores a computer-readable program executable by the processor;
    the communication bus implements connection and communication between the processor and the memory;
    the processor, when executing the computer-readable program, implements the steps of the targeted attack method for deep hash retrieval according to any one of claims 1-5.
PCT/CN2021/104818 2020-08-20 2021-07-06 Targeted attack method for deep hash retrieval and terminal device WO2022037295A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010841276.8 2020-08-20
CN202010841276.8A CN112115317B (en) 2020-08-20 2020-08-20 Targeted attack method for deep hash retrieval and terminal equipment

Publications (1)

Publication Number Publication Date
WO2022037295A1 true WO2022037295A1 (en) 2022-02-24

Family

ID=73805608

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/104818 WO2022037295A1 (en) 2020-08-20 2021-07-06 Targeted attack method for deep hash retrieval and terminal device

Country Status (2)

Country Link
CN (1) CN112115317B (en)
WO (1) WO2022037295A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112115317B (en) * 2020-08-20 2024-05-14 鹏城实验室 Targeted attack method for deep hash retrieval and terminal equipment
CN113343025B (en) * 2021-08-05 2021-11-02 中南大学 Sparse attack resisting method based on weighted gradient Hash activation thermodynamic diagram
CN113727301B (en) * 2021-08-05 2023-07-11 西安交通大学 Hash security access method and system for V2N low-delay communication service

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111027060A (en) * 2019-12-17 2020-04-17 电子科技大学 Knowledge distillation-based neural network black box attack type defense method
CN111368725A (en) * 2020-03-03 2020-07-03 广州大学 HRRP (high-resolution Radar) targeted confrontation sample generation method based on deep learning
CN112115317A (en) * 2020-08-20 2020-12-22 鹏城实验室 Targeted attack method for deep hash retrieval and terminal device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109558890B (en) * 2018-09-30 2023-03-31 天津大学 Zero sample image classification method based on adaptive weight Hash loop countermeasure network
CN111127385B (en) * 2019-06-06 2023-01-13 昆明理工大学 Medical information cross-modal Hash coding learning method based on generative countermeasure network
CN110321957B (en) * 2019-07-05 2023-03-24 重庆大学 Multi-label image retrieval method fusing triple loss and generating countermeasure network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YANG ERKUN: "Deep Compact Coding for Multimedia Nearest Neighbor Search", CHINESE DOCTORAL DISSERTATIONS FULL-TEXT DATABASE, no. 3, 15 March 2020 (2020-03-15), XP055902200 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114882312A (en) * 2022-05-13 2022-08-09 北京百度网讯科技有限公司 Method and device for generating confrontation image sample, electronic equipment and storage medium
CN116070277A (en) * 2023-03-07 2023-05-05 浙江大学 Longitudinal federal learning privacy protection method and system based on deep hash
CN116070277B (en) * 2023-03-07 2023-08-29 浙江大学 Longitudinal federal learning privacy protection method and system based on deep hash
CN116662490A (en) * 2023-08-01 2023-08-29 山东大学 Confusion-free text hash algorithm and confusion-free text hash device for fusing hierarchical label information
CN116662490B (en) * 2023-08-01 2023-10-13 山东大学 Confusion-free text hash algorithm and confusion-free text hash device for fusing hierarchical label information

Also Published As

Publication number Publication date
CN112115317A (en) 2020-12-22
CN112115317B (en) 2024-05-14

Similar Documents

Publication Publication Date Title
WO2022037295A1 (en) Targeted attack method for deep hash retrieval and terminal device
Li et al. Universal perturbation attack against image retrieval
Ke et al. End-to-end automatic image annotation based on deep CNN and multi-label data augmentation
CN110309331B (en) Cross-modal deep hash retrieval method based on self-supervision
US11244205B2 (en) Generating multi modal image representation for an image
Liu et al. Sequential compact code learning for unsupervised image hashing
CN110796057A (en) Pedestrian re-identification method and device and computer equipment
Chen et al. Probabilistic box embeddings for uncertain knowledge graph reasoning
CN109492776B (en) Microblog popularity prediction method based on active learning
CN110020711A (en) A kind of big data analysis method using grey wolf optimization algorithm
CN114329109B (en) Multimodal retrieval method and system based on weakly supervised Hash learning
CN115358305A (en) Incremental learning robustness improving method based on iterative generation of boundary samples
Chu et al. Visualization feature and CNN based homology classification of malicious code
CN113656700A (en) Hash retrieval method based on multi-similarity consistent matrix decomposition
Jiang et al. Active object detection in sonar images
JP2022548187A (en) Target re-identification method and device, terminal and storage medium
Qin et al. Efficient non-targeted attack for deep hashing based image retrieval
CN113869005A (en) Pre-training model method and system based on sentence similarity
CN113535947A (en) Multi-label classification method and device for incomplete data with missing labels
JP2012155394A (en) Document classification learning control device, document classification device and computer program
Vural et al. Deep multi query image retrieval
KR102615073B1 (en) Neural hashing for similarity search
CA3068891C (en) Method and system for generating a vector representation of an image
Zhou et al. Deep triplet residual quantization
CN112685603A (en) Efficient retrieval of top-level similarity representations

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 21857390; Country of ref document: EP; Kind code of ref document: A1)

NENP Non-entry into the national phase (Ref country code: DE)

122 EP: PCT application non-entry in European phase (Ref document number: 21857390; Country of ref document: EP; Kind code of ref document: A1)