WO2022100603A1 - Binary sampling processing method and apparatus, adversarial example generation method and apparatus, electronic device, and readable storage medium - Google Patents

Publication number
WO2022100603A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
sample
gradient
sampling
binary
Application number
PCT/CN2021/129744
Other languages
French (fr)
Chinese (zh)
Inventor
沈杨书
何伟
邓磊
祝夭龙
Original Assignee
北京灵汐科技有限公司
Application filed by 北京灵汐科技有限公司 filed Critical 北京灵汐科技有限公司
Priority to KR1020227031112A priority Critical patent/KR20220132010A/en
Publication of WO2022100603A1 publication Critical patent/WO2022100603A1/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G06F7/588 Random number generators, i.e. based on natural stochastic processes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/58 Random or pseudo-random number generators
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00 Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • G06F1/04 Generating or distributing clock signals or signals derived directly therefrom
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/049 Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Definitions

  • The present invention relates to the field of computers, and in particular to a binary sampling processing method and device, a method and device for generating adversarial samples, an electronic device, and a readable storage medium.
  • Embodiments of the present application provide a method and device for processing binary sampling, a method and device for generating adversarial samples, electronic equipment, and a readable storage medium, so as to solve the problem in the related art that implementing binary sampling by continuously outputting pulse signals makes the binary sampling process consume a lot of energy and occupy a large amount of resources.
  • A method for processing binary sampling, including: determining a first sampling probability, where the first sampling probability corresponds to the sampling probability of one binary sampling; determining the value of a trigger signal parameter according to the first sampling probability; inputting the trigger signal to the random access memory to trigger the execution of a write operation, where the probability of a successful write operation is associated with the value of the trigger signal parameter; generating first data if the write operation is successful; and generating second data if the write operation is unsuccessful; where the first data and the second data are respectively different data in the binary data.
  • A method for generating adversarial samples, including: performing gradient descent processing on a first sample to obtain a first gradient of the first sample, where the sample data in the first sample is binary data and the data in the first gradient is a continuous value; normalizing the absolute value of the data in the first gradient to obtain a second gradient, where the data in the second gradient is a continuous value greater than or equal to zero and less than or equal to 1; performing binary sampling on the data in the second gradient by the binary sampling processing method described in any embodiment of the present application to obtain a third gradient, where the sampling probability of the binary sampling is determined by the data in the second gradient and the data in the third gradient is binary data; extracting the target sign of the data at the target position in the first gradient, and adding the target sign to the data corresponding to the target position in the third gradient; combining the sample data in the first sample with the data in the third gradient after adding the sign to generate a target adversarial sample; The sample data in the target adversarial sample; The sample data in
  • A binary sampling processing device, including: a controller configured to determine a first sampling probability and to determine the value of a trigger signal parameter according to the first sampling probability, where the first sampling probability corresponds to the sampling probability of one binary sampling; and a random access memory for receiving the trigger signal to trigger the execution of a write operation, where the probability of a successful write operation is associated with the value of the trigger signal parameter; the controller is also used to generate first data when the write operation is successful and to generate second data when the write operation is unsuccessful, where the first data and the second data are respectively different data in the binary data.
  • A device for generating an adversarial sample, comprising: a first processing module configured to perform gradient descent processing on a first sample to obtain a first gradient of the first sample, where the sample data in the first sample is binary data and the data in the first gradient is a continuous value; a normalization module used to normalize the absolute value of the data in the first gradient to obtain a second gradient, where the data in the second gradient is a continuous value greater than or equal to zero and less than or equal to 1; the binary sampling processing device of any embodiment of the present application, used to perform binary sampling on the data in the second gradient to obtain a third gradient, where the sampling probability of the binary sampling is determined by the data in the second gradient and the data in the third gradient is binary data; and a second processing module for extracting the target sign of the data at the target position in the first gradient and adding the target sign to the data corresponding to the target position in the third gradient; the sample data in the first sample is combined with the data in the third gradient after adding the sign to generate a target adversarial sample, where the sample data in the target adversarial sample is binary data.
  • An embodiment of the present application further provides an electronic device, including a processor, a memory, and a program or instruction stored on the memory and executable on the processor; when the program or instruction is executed by the processor, the method of any embodiment of the present application is implemented.
  • an embodiment of the present application further provides a readable storage medium, where a program or an instruction is stored on the readable storage medium, and when the program or instruction is executed by a processor, the method of any embodiment of the present application is implemented.
  • The write operation can be triggered by inputting a trigger signal to the random access memory, and the first data or the second data is then generated depending on whether the write operation is successful or unsuccessful. The first data and the second data are data in the binary data, and their generation probability corresponds to the sampling probability of the binary sampling, so they can be used as the different results of the binary sampling. The application can therefore realize binary sampling as long as the trigger signal is triggered, without the trigger signal being continuously input to the random access memory, thereby solving the problem in the related art that performing binary sampling by continuously outputting pulse signals makes the binary sampling process consume a lot of energy and occupy many resources.
  • FIG. 1 is a flowchart of a method for processing binary sampling according to an embodiment of the present application.
  • FIG. 2 is a schematic diagram of the relationship between the input voltage of the trigger signal, the pulse width of the trigger signal and the probability of a successful write operation according to an embodiment of the present application.
  • FIG. 3 is a flowchart of a method for generating an adversarial sample according to an embodiment of the present application.
  • FIG. 4 is a first schematic diagram of a sample according to an embodiment of the present application.
  • FIG. 5 is a second schematic diagram of a sample according to an embodiment of the present application.
  • FIG. 6 is a third schematic diagram of a sample according to an embodiment of the present application.
  • FIG. 7 is a fourth schematic diagram of a sample according to an embodiment of the present application.
  • FIG. 8 is a first schematic diagram of a gradient according to an embodiment of the present application.
  • FIG. 9 is a second schematic diagram of a gradient according to an embodiment of the present application.
  • FIG. 10 is a third schematic diagram of a gradient according to an embodiment of the present application.
  • FIG. 11 is a fourth schematic diagram of a gradient according to an embodiment of the present application.
  • FIG. 12 is a schematic diagram of gradient descent processing according to an embodiment of the present application.
  • FIG. 13 is a schematic diagram of an absolute value normalization process according to an embodiment of the present application.
  • FIG. 14 is a first schematic diagram of binary sampling according to an embodiment of the present application.
  • FIG. 15 is a second schematic diagram of binary sampling according to an embodiment of the present application.
  • FIG. 16 is a schematic diagram of taking signs according to an embodiment of the present application.
  • FIG. 17 is a schematic diagram of a clipping conversion according to an embodiment of the present application.
  • FIG. 18 is a complete schematic diagram of generating an adversarial sample according to an embodiment of the present application.
  • FIG. 19 is a schematic structural diagram of an apparatus for generating random numbers according to an embodiment of the present application.
  • FIG. 20 is a schematic structural diagram of an apparatus for generating an adversarial sample according to an embodiment of the present application.
  • FIG. 21 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
  • FIG. 22 is a schematic structural diagram of a readable storage medium according to an embodiment of the present application.
  • The terms "first" and "second" are used only for the purpose of description, and cannot be construed as indicating or implying relative importance or implicitly indicating the number of indicated technical features. Thus, a feature defined with "first" or "second" may expressly or implicitly include one or more of that feature. In the description of the present invention, unless otherwise specified, "plurality" means two or more.
  • FIG. 1 is a flowchart of the method for processing binary sampling according to an embodiment of the present application. As shown in FIG. 1, the steps of the method are as follows:
  • Step S102: determine a first sampling probability.
  • The first sampling probability corresponds to the sampling probability of one binary sampling.
  • Step S104: determine the value of the trigger signal parameter according to the first sampling probability.
  • Step S106: input a trigger signal to the random access memory to trigger the execution of the write operation.
  • The probability of a successful write operation is associated with the value of the trigger signal parameter.
  • Step S108: if the write operation is successful, generate the first data; if the write operation is unsuccessful, generate the second data.
  • The first data and the second data are respectively different data in the binary data.
  • RAM: random access memory
  • The first sampling probability, corresponding to the sampling probability of the binary sampling, is determined first, and the value of the trigger signal parameter is then set according to the first sampling probability, so that when the corresponding trigger signal is used for the write operation, the success probability of the write operation corresponds to the sampling probability. The probability of obtaining the first data or the second data, according to whether the write operation is successful, therefore also corresponds to the sampling probability, so as long as different sampling results are generated from the first data and the second data, the desired binary sampling is realized.
  • A trigger signal can be input to the random access memory to trigger the execution of the write operation, and the first data or the second data is then generated depending on whether the write operation is successful or unsuccessful. The first data and the second data are data in the binary data, and their generation probability corresponds to the sampling probability of the binary sampling, so they can be used as the different results of the binary sampling. The binary sampling can be achieved by a single trigger, without continuously inputting a trigger signal to the random access memory, thereby solving the problem in the related art that performing binary sampling by continuously outputting pulse signals consumes a lot of energy and occupies many resources.
  • the first sampling probability refers to the probability that the binary sampling result is the first data, or the first sampling probability refers to the probability that the binary sampling result is the second data.
  • The binary data in this embodiment of the present application refers to a combination of two specific data; for example, it may include 0 and 1, that is, the first data may be 1 and the second data may be 0, or the first data may be 0 and the second data may be 1.
  • the above binary data including 0 and 1 is only for illustration, and other binary data combinations are also possible, for example, the binary data is 2 and 1, or 3 and 5, or 4 and 7, and so on.
  • the specific value of the binary data is not limited in this application, and the specific value can be determined according to the actual situation.
  • The first sampling probability may refer to the probability that the binary sampling result is 1, or it may refer to the probability that the binary sampling result is 0. If the first sampling probability refers to the probability that the binary sampling result is 1, and the first sampling probability is 0.8, then the probability that the binary sampling result is 1 is 0.8 (and, correspondingly, the probability that the binary sampling result is 0 is 0.2).
  • the trigger signal may be a pulse signal.
  • The trigger signal parameters in this embodiment of the present application include at least one of the following: the pulse width of the trigger signal, the pulse amplitude of the trigger signal, the input voltage of the trigger signal, and the number of times the trigger signal is input in a unit time (that is, the time of each write operation).
  • For example, the pulse width of the trigger signal can be 20 ns, the input voltage can be 1.5 V, and the number of times the trigger signal is input per unit time can be 10, etc.
  • The probability of a successful write operation is related to the value of the trigger signal parameter. Take the case where the trigger signal parameter is the number of times the trigger signal is input in a unit time: in a specific application scenario, the current unit time (that is, the time of each write operation) is 1 s, and the trigger signal is currently input 40 times within 1 s.
  • To raise the probability of a successful write operation, the number of trigger signals input within 1 s can be increased to 60; to lower it, the number of trigger signals input within 1 s can be reduced to 20.
  • Similarly, suppose the pulse width of the current trigger signal is 20 ns and the value of the pulse width is related to the probability of a successful write operation. If the probability of a successful write operation is to be higher, the current pulse width can be adjusted to 30 ns, 40 ns, etc.; if the probability of a successful write operation is to be lower, the current pulse width can be adjusted to 10 ns and so on.
  • Alternatively, the success rate of the write operation may be 100% at a specified pulse width and decrease exponentially when the pulse width is higher or lower than that value. For example, with a write success rate of 100% at a pulse width of 50 ns, the success rate is 60% or less at a pulse width of 40 ns or 60 ns.
  • the value of the trigger signal parameter may be adjusted accordingly according to the actual situation.
  • The processing is similar for the other trigger signal parameters, that is, the pulse amplitude of the trigger signal and the input voltage of the trigger signal can be adjusted in the same way. The correspondence between the input voltage of the trigger signal, the pulse width of the trigger signal (represented by the pulse duration in the figure) and the success probability of the write operation (represented by the switching probability in the figure) is shown in FIG. 2.
  • the random access memory is preferably a non-volatile memory.
  • MRAM: non-volatile magnetic random access memory
  • A magnetic random access memory can be used as the above random access memory, because it can use a pulse signal as the trigger signal to perform a write operation, and the probability of a successful write has a definite relationship with trigger signal parameters such as the width of the pulse signal, which makes it easy to adjust.
  • the method in the embodiments of the present application may further include:
  • Step S110: adjust the value of the trigger signal parameter according to the second sampling probability.
  • the second sampling probability corresponds to the sampling probability of another binary sampling.
  • new binary sampling may be continued according to the second sampling probability, and binary sampling may be continuously performed according to the sampling probability of each subsequent binary sampling.
  • Both the first sampling probability and the second sampling probability in this embodiment of the present application can be determined by the value of the trigger signal parameter, and both refer to the probability that the sampling result is the first data, that is, the probability of a successful write operation.
  • For example, if the first sampling probability is 0.4, the corresponding probability of a successful write operation is also 0.4. Suppose the current trigger signal parameter is the number of times the trigger signal is input per unit time, and the number corresponding to the first sampling probability is 40 times in 1 s. If the first sampling probability is to be adjusted to the second sampling probability, and the second sampling probability is 0.6, the corresponding probability of a successful write operation is also 0.6, and the number of times the trigger signal is input in a unit time corresponding to the second sampling probability is increased to 60 times within 1 s.
  • other trigger signal parameters are also processed in a similar manner. The above is just an example, and the values of other sampling probabilities and the values of the corresponding trigger signal parameters can be set according to the actual situation.
  • an embodiment of the present application also provides a method for generating an adversarial sample.
  • In the related art, since the input required by a spiking neural network is a binary pulse signal, adversarial samples are generated by randomly flipping part of the pulse signals of the input sample and then searching over the random flip results, so as to achieve the purpose of an adversarial attack.
  • The method for generating an adversarial sample can solve the problem in the related art that randomly flipping part of the pulse signals of the input sample and then searching over the random flip results gives a search space that leads to a low attack success rate against the spiking neural network.
  • The steps of the adversarial sample generation method according to the embodiment of the present application include:
  • Step S302: perform gradient descent processing on the first sample to obtain a first gradient of the first sample.
  • The sample data in the first sample is binary data, and the data in the first gradient is a continuous value.
  • Step S304: normalize the absolute value of the data in the first gradient to obtain the second gradient.
  • The data in the second gradient is a continuous value greater than or equal to zero and less than or equal to 1.
  • Step S306: perform binary sampling on the data in the second gradient by the method in the above embodiment of the binary sampling processing method to obtain the third gradient.
  • The sampling probability of the binary sampling is determined by the data in the second gradient.
  • The data in the third gradient is binary data.
  • Step S308: extract the target sign of the data at the target position in the first gradient, and add the target sign to the data corresponding to the target position in the third gradient.
  • Step S310: combine the sample data in the first sample with the data in the third gradient after adding the sign to generate a target adversarial sample.
  • The sample data in the target adversarial sample is binary data.
  • First, the binary first sample (the original input sample of the spiking neural network) is subjected to gradient descent processing to obtain the first gradient; the data of the first gradient is a continuous value, and it can be positive or negative.
  • the data of the second gradient is a continuous value between 0 and 1, and each continuous value represents the sampling probability of binary sampling. For example, if one piece of data in the first gradient is 0.4, the probability that the binary sampling result is 1 is 0.4, and the probability that the binary sampling result is 0 is 0.6.
  • binary sampling may be performed according to the method of the embodiment of the present application to obtain a binary third gradient.
  • The first sample, whose data type is binary data, can be processed by gradient descent to obtain a first gradient whose data is a continuous value. After the continuous-valued first gradient is processed by normalization, binary sampling, and taking signs, it is converted into a signed third gradient whose data is ternary (three-valued) data. Finally, the sample data in the first sample is combined with the data in the signed third gradient to generate the target adversarial sample, so that the data type of the generated target adversarial sample matches that of the first sample, and both are binary data.
  • the adversarial sample obtained by the embodiment of the present application is a sample of the same data type as the original sample.
  • The gradient descent method is used to generate a first gradient containing accurate gradient information, which avoids the problem in the related art that randomly flipping part of the pulse signals of the input sample and then searching over the random flip results gives a search space that leads to a low attack success rate against the spiking neural network.
  • the first gradient is processed and converted into an adversarial sample that is consistent with the original sample data type, thereby improving the camouflage ability of the adversarial sample and achieving the effect of improving the success rate of the spiking neural network attack.
  • The first sample in the embodiment of the present application is obtained by converting at least one of the following: an image sample, a voice sample, and a text sample; or the first sample is data collected by at least one of the following: dynamic vision sensors, brain-computer interfaces.
  • the third gradient is used to characterize the amount of change in the data in the first sample, so the original sample and the third gradient (the amount of change) can be combined to generate the target adversarial sample.
  • the first sample in the embodiment of the present application is suitable for a neural network that receives a binary input signal, and may be an input sample of a spiking neural network SNN (Spiking Neuron Networks) in a specific application scenario.
  • The binary data in the embodiment of the present application is a data type, and the data type means that the data in the sample consists only of {0, 1}.
  • In a specific application scenario, the first sample in the embodiment of the present application may be any one of samples 1 to 4 as shown in FIGS. 4 to 7.
  • samples 1 to 4 in the embodiment of the present application are only examples for the first sample, and the specific value of the data in the first sample can be determined according to the actual situation.
  • The ternary data in the embodiment of the present application is also a data type, and the data type means that the data in the sample consists only of {-1, 0, 1}. For example, the gradient of ternary data (the third gradient after adding the sign) may be any one of gradients 1 to 4 as shown in FIGS. 8 to 11.
  • A sample of binary data can be converted to obtain a corresponding gradient according to the following principles: when the data in the original sample is 0, the corresponding data in the converted gradient is 1 or -1, and in the case of -1, subsequent limiting needs to be performed.
  • When the data in the original sample is 1, the corresponding data in the gradient is 0 or 1, and if the converted value is 1, subsequent limiting needs to be performed.
  • the continuous values in the first gradient obtained after the first sample is processed by gradient descent take the first sample as sample 2 as an example, as shown in FIG. After the gradient descent process, the first gradient can be obtained.
  • the gradient descent process in FIG. 11 is only an example, and it is also possible that the data in the first gradient is other values, and the corresponding first sample is still sample 2. The specific gradient descent processing needs to be processed according to the actual situation.
  • the absolute value of the data in the first gradient involved in step S304 is normalized to obtain a second gradient; wherein, the data in the second gradient is greater than or equal to zero, and less than or equal to 1 continuous value; it should be noted that the continuous value greater than or equal to zero may be a continuous value between 0 and 1 in a specific application scenario.
  • When the absolute value of the data in the first gradient is normalized, the absolute value of each data can be determined first. The data with the largest absolute value is then normalized to 1, and that largest absolute value is taken as the normalization coefficient; the other absolute values are then divided by the normalization coefficient.
  • For example, the largest absolute value is determined to be 2, that is, the absolute value of -2.0 (i.e., 2.0); the result of normalizing it is 1, and it is taken as the normalization coefficient. The result of normalizing 0.8 with this normalization coefficient is then 0.4, and the other data in the first gradient are normalized in turn, as shown in FIG. 13.
  • The binary sampling of the data in the second gradient in step S306, performed in the manner of the above binary sampling processing method embodiment to obtain the third gradient, can be further implemented by the following steps:
  • Step S11: determine the gradient value of the data in the second gradient as the first sampling probability of the binary sampling.
  • Step S12: determine the value of the trigger signal parameter based on the first sampling probability.
  • Step S13: input a trigger signal to the random access memory to trigger the execution of the write operation.
  • The probability of a successful write operation is associated with the value of the trigger signal parameter.
  • Step S14: if the write operation is successful, generate the first data; if the write operation is unsuccessful, generate the second data.
  • The first data and the second data are respectively different data in the binary data; the data in the third gradient includes the first data or the second data.
  • sampling probability in the embodiment of the present application refers to the probability of obtaining one of the binary data, that is, the probability of 0 in the binary data or the probability of 1 in the binary data.
  • The first sampling probability refers to the probability that the binary sampling result of each data is 1. That is, for the data whose value in the second gradient is 0.4, the first sampling probability of the binary sampling result being 1 is 0.4; for the data whose value in the second gradient is 0.8, it is 0.8; and for the data whose value in the second gradient is 1, the first sampling probability is 1, as shown in FIG. 14.
  • FIG. 14 is only one of the sampling results, that is, it may also be the result shown in FIG. 15 , and of course it may be other situations; that is, FIG. 14 and FIG. 15 are examples for illustration.
  • If the probability of a successful write operation is 0.4, that is, the first sampling probability is 0.4, and 0.8 is then input, the probability of a successful write operation becomes 0.8, so the first sampling probability needs to be adjusted to the second sampling probability, that is, the second sampling probability is 0.8.
  • Where multiple random access memories are connected, the probability of a successful write operation after they are connected is 0.4, and this probability is obtained by combining the write-success probabilities of each of the multiple random access memories.
  • the target position involved in step S308 in this embodiment of the present application refers to any position in the first gradient, that is, the symbols of all the data in the first gradient need to be added to the corresponding data in the third gradient, using the above Take the first gradient in Fig. 12 and the third gradient in Fig. 14 as an example, the symbol "-" in -2.0 can be added to 1 at the corresponding position in the third gradient, and the obtained result is "-1", followed by By analogy, the symbols in other positions are also processed in a similar manner, as shown in FIG. 16 .
  • the sample data in the first sample is combined with the data in the third gradient after adding the symbol to generate the target Ways of adversarial examples can further include:
  • Step S310-11 Accumulate the first sample and the data at the same position in the third gradient after adding the symbol to obtain the first confrontation sample.
  • Step S310-12 performing clipping transformation on the first adversarial sample to generate an adversarial sample.
  • step S310-12 may further be:
  • Step S21: determine, from the first adversarial sample, the data that does not match the binary data.
  • Step S22: convert the data in the first adversarial sample that does not match the binary data into binary data to generate a target adversarial sample.
  • the clipping in the clipping conversion is determined according to the binary data in the first sample. That is to say, the data type in the finally generated adversarial sample is consistent with the data type in the first sample.
  • the data in the third gradient after the sign is added and the data in the first sample are accumulated to obtain the first adversarial sample, as shown in FIG. 17.
  • because the first adversarial sample may contain the values -1, 0, 1, and 2, that is, its data is quaternary data, it is necessary to perform clipping conversion.
  • the purpose of clipping conversion is to convert the data in the first adversarial sample into binary data, that is, to convert the 2 in the first adversarial sample to 1 and the -1 in the first adversarial sample to 0, so as to obtain a target adversarial sample whose data type is consistent with that of the data in the first sample.
  • the sample gradient in continuous-value format is used to modify the input sample in pulse format, as the basis for the subsequent generation of the pulse adversarial sample, and the difference between the adversarial sample and the original sample is limited by probability sampling. This makes it possible to generate easily camouflaged adversarial samples with accurate gradient information, a data type consistent with the original sample, and a small amount of change. It avoids the approach in the related art of randomly flipping part of the pulse signals of the input sample and then searching the random flipping results, whose search space leads to the problem of a low attack success rate against the spiking neural network, and it achieves the effect of improving the attack success rate against the spiking neural network.
  • FIG. 19 is a schematic structural diagram of a binary sampling processing device according to an embodiment of the present application.
  • the binary sampling processing device 190 includes: a controller 192 and a random access memory 194; wherein,
  • the controller 192 is configured to determine the first sampling probability, and determine the value of the trigger signal parameter according to the first sampling probability.
  • the first sampling probability corresponds to the sampling probability of a binary sampling.
  • the random access memory 194 is used to receive a trigger signal to trigger a write operation.
  • the probability of a successful write operation is associated with the value of the trigger signal parameter.
  • the controller 192 is further configured to generate the first data when the write operation is successful; and generate the second data when the write operation is unsuccessful.
  • the first data and the second data are respectively different data in the binary data.
  • a trigger signal can be input to the random access memory to trigger the execution of the write operation, and the first data or the second data is then generated according to whether the write operation is successful or unsuccessful. The first data and the second data are data in binary data, and their generation probability corresponds to the sampling probability of binary sampling, so they can be used as the different results of binary sampling. Thus, in the present application, binary sampling can be realized as long as a trigger signal triggers the write operation, without continuously inputting the trigger signal to the random access memory, which solves the problem in the related art that performing binary sampling by continuously outputting pulse signals leads to high energy consumption and high resource occupation.
  • the first sampling probability refers to the probability that the binary sampling result is the first data, or the first sampling probability refers to the probability that the binary sampling result is the second data.
  • the trigger signal in this embodiment of the present application is a pulse signal.
  • the trigger signal parameter includes at least one of the following: the pulse width of the trigger signal, the pulse amplitude of the trigger signal, the input voltage of the trigger signal, and the number of times the trigger signal is input per unit time.
  • controller 192 in this embodiment of the present application is further configured to adjust the value of the trigger signal parameter according to the second sampling probability after triggering the execution of the write operation.
  • the second sampling probability corresponds to the sampling probability of another binary sampling.
  • the random access memory in this embodiment of the present application is a non-volatile magnetic random access memory MRAM.
  • an embodiment of the present application also provides an apparatus for generating an adversarial sample. As shown in FIG. 20 , the apparatus includes:
  • the first processing module 202 is configured to perform gradient descent processing on the first sample to obtain the first gradient of the first sample.
  • the sample data in the first sample is binary data, and the data in the first gradient is continuous value.
  • the normalization module 204 is configured to perform normalization processing on the absolute value of the data in the first gradient to obtain the second gradient.
  • the data in the second gradient is a continuous value greater than or equal to zero and less than or equal to 1.
  • the binary sampling processing device 190 in FIG. 19 is configured to perform binary sampling on the data in the second gradient to obtain the third gradient.
  • the sampling probability of binary sampling is determined by the data in the second gradient; the data in the third gradient is binary data.
  • the second processing module 206 is configured to extract the target sign of the data at the target position in the first gradient, and add the target sign to the data corresponding to the target position in the third gradient.
  • the generating module 208 is configured to combine the sample data in the first sample with the data in the third gradient after the sign is added, to generate a target adversarial sample; wherein the sample data in the target adversarial sample is binary data.
  • the generating module 208 in this embodiment of the present application may further include: an accumulation unit, configured to accumulate the first sample and the data at the same position in the third gradient after the sign is added, to obtain the first adversarial sample; and a generating unit, configured to perform clipping conversion on the first adversarial sample to generate the target adversarial sample.
  • the generating unit in this embodiment of the present application may further include: a determining subunit, configured to determine data that does not match the binary data from the first adversarial sample; the data that does not match the binary data is converted into binary data to generate the target adversarial sample.
  • the clipping in the clipping conversion in the embodiment of the present application is determined according to the binary data in the first sample.
  • the first sample in the embodiment of the present application is an input sample of the spiking neural network.
  • the first sample in this embodiment of the present application is obtained by converting at least one of the following: an image sample, a voice sample, and a text sample; or, the first sample is data collected by at least one of the following: a dynamic vision sensor and a brain-computer interface.
  • an embodiment of the present application further provides an electronic device, including a processor, a memory, and a program or instruction stored in the memory and executable on the processor; when the program or instruction is executed by the processor, each process of the above-mentioned binary sampling processing method or the method for generating an adversarial sample is implemented, and the same technical effect can be achieved. In order to avoid repetition, details are not repeated here.
  • the electronic devices in the embodiments of the present application include the aforementioned mobile electronic devices and non-mobile electronic devices.
  • an embodiment of the present application further provides a readable storage medium, where a program or an instruction is stored on the readable storage medium; when the program or instruction is executed by a processor, each process of the embodiments of the above-mentioned binary sampling processing method or the method for generating an adversarial sample is implemented, and the same technical effect can be achieved. In order to avoid repetition, details are not repeated here.
  • the processor is the processor in the electronic device described in the foregoing embodiments.
  • the readable storage medium includes a computer-readable storage medium, such as a computer read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk or an optical disk, and the like.
  • the modules or steps of the present application can be implemented by a general-purpose computing device; they can be centralized on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented in program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases, the steps shown or described can be performed in an order different from the one given here, or they can be fabricated separately into individual integrated circuit modules, or multiple modules or steps among them can be fabricated into a single integrated circuit module.
  • the present application is not limited to any particular combination of hardware and software.
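
Steps S11 to S14, S308, S310-11 and S310-12 above, carried through on a small constructed array for robustness testing of one's own model; this is an added example, not code from the patent. The function names, the max-magnitude normalization and the software stand-in for the memory write are assumptions of the example.

```python
import random


def normalize_abs(first_gradient):
    """Second gradient: absolute values scaled into [0, 1].
    Dividing by the largest magnitude is an assumption of this example."""
    peak = max(abs(v) for row in first_gradient for v in row)
    if peak == 0:  # flat gradient: every sampling probability is 0
        return [[0.0] * len(row) for row in first_gradient]
    return [[abs(v) / peak for v in row] for row in first_gradient]


def stochastic_write(p, rng):
    """Stand-in for steps S12 to S14: one triggered write that succeeds with
    probability p. Success yields the first data (1), failure the second (0)."""
    return 1 if rng.random() < p else 0


def binary_sample(second_gradient, rng):
    """Third gradient: one triggered write per element (step S11 sets p)."""
    return [[stochastic_write(p, rng) for p in row] for row in second_gradient]


def add_sign(first_gradient, third_gradient):
    """Step S308: copy the sign of each first-gradient value onto the sampled bit."""
    return [[-b if g < 0 else b for g, b in zip(g_row, b_row)]
            for g_row, b_row in zip(first_gradient, third_gradient)]


def accumulate(sample, signed_gradient):
    """Step S310-11: element-wise sum; results can be -1, 0, 1 or 2."""
    return [[x + s for x, s in zip(x_row, s_row)]
            for x_row, s_row in zip(sample, signed_gradient)]


def clip_to_binary(first_adversarial):
    """Step S310-12: 2 becomes 1 and -1 becomes 0; 0 and 1 pass through."""
    return [[min(1, max(0, v)) for v in row] for row in first_adversarial]


def generate(sample, first_gradient, rng):
    """Full chain from a binary sample and its gradient to a binary output."""
    second = normalize_abs(first_gradient)
    third = binary_sample(second, rng)
    signed = add_sign(first_gradient, third)
    return clip_to_binary(accumulate(sample, signed))


def changed_positions(sample, adversarial):
    """Number of flipped bits, i.e. the perturbation size to audit."""
    return sum(a != b
               for row_a, row_b in zip(sample, adversarial)
               for a, b in zip(row_a, row_b))


if __name__ == "__main__":
    # Constructed 2x2 binary sample and constructed gradient values.
    sample = [[1, 0], [1, 0]]
    first_gradient = [[-2.0, 1.0], [2.5, 0.0]]
    print("second gradient:", normalize_abs(first_gradient))
    adversarial = generate(sample, first_gradient, random.Random(7))
    print("output:", adversarial,
          "flipped bits:", changed_positions(sample, adversarial))
```

Positions whose gradient is 0 are never changed and positions whose normalized gradient is 1 are always pushed in the gradient's direction, so the number of flipped bits is bounded by the number of non-zero gradient entries.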

Abstract

A binary sampling processing method and apparatus, an adversarial example generation method and apparatus, an electronic device, and a readable storage medium. The binary sampling processing method comprises: determining a first sampling probability (S102), the first sampling probability corresponding to a sampling probability of one binary sampling; determining a value of a trigger signal parameter according to the first sampling probability (S104); inputting a trigger signal to a random access memory to trigger the performing of a write operation (S106), wherein the probability that the write operation is successful is associated with the value of the trigger signal parameter; and if the write operation is successful, generating first data, and if the write operation is not successful, generating second data (S108), wherein the first data and the second data are respectively different data in binary data. The method solves the problem in the related art of large energy consumption and large resource occupation of a binary sampling process caused by implementing binary sampling by continuously outputting pulse signals.

Description

Binary sampling processing method and device, adversarial sample generation method and device, electronic device, readable storage medium
Technical field
The present invention relates to the field of computers, and relates to a binary sampling processing method and device, an adversarial sample generation method and device, an electronic device, and a readable storage medium.
Background
At present, in the binary sampling process, random numbers (binary random numbers) need to be obtained with a probability corresponding to the sampling probability. A common way of generating random numbers in the related art is to continuously output a pulse signal and, when a random number needs to be generated, read the value of the current pulse signal and use the currently collected value as the random number. However, this way of generating random numbers requires the pulse signal to be output continuously for a certain period of time, which leads to problems such as high energy consumption and high resource occupation in the binary sampling process.
Summary of the invention
Embodiments of the present application provide a binary sampling processing method and device, an adversarial sample generation method and device, an electronic device, and a readable storage medium, so as to solve the problem in the related art that implementing binary sampling by continuously outputting pulse signals causes the binary sampling process to consume a large amount of energy and occupy a large amount of resources.
In order to solve the above technical problem, the present application is implemented as follows:
In a first aspect, a binary sampling processing method is provided, including: determining a first sampling probability, where the first sampling probability corresponds to the sampling probability of one binary sampling; determining the value of a trigger signal parameter according to the first sampling probability; inputting the trigger signal to a random access memory to trigger the execution of a write operation, where the probability that the write operation succeeds is associated with the value of the trigger signal parameter; generating first data if the write operation succeeds, and generating second data if the write operation does not succeed, where the first data and the second data are respectively different data in binary data.
In a second aspect, an adversarial sample generation method is provided, including: performing gradient descent processing on a first sample to obtain a first gradient of the first sample, where the sample data in the first sample is binary data and the data in the first gradient is continuous values; normalizing the absolute values of the data in the first gradient to obtain a second gradient, where the data in the second gradient is continuous values greater than or equal to zero and less than or equal to 1; performing binary sampling on the data in the second gradient by the binary sampling processing method of any embodiment of the present application to obtain a third gradient, where the sampling probability of the binary sampling is determined by the data in the second gradient and the data in the third gradient is binary data; extracting the target sign of the data at a target position in the first gradient, and adding the target sign to the data corresponding to the target position in the third gradient; and combining the sample data in the first sample with the data in the third gradient after the sign is added, to generate a target adversarial sample, where the sample data in the target adversarial sample is binary data.
In a third aspect, a binary sampling processing device is provided, including: a controller, configured to determine a first sampling probability and determine the value of a trigger signal parameter according to the first sampling probability, where the first sampling probability corresponds to the sampling probability of one binary sampling; and a random access memory, configured to receive the trigger signal to trigger the execution of a write operation, where the probability that the write operation succeeds is associated with the value of the trigger signal parameter. The controller is further configured to generate first data if the write operation succeeds and to generate second data if the write operation does not succeed, where the first data and the second data are respectively different data in binary data.
In a fourth aspect, an adversarial sample generation device is provided, including: a first processing module, configured to perform gradient descent processing on a first sample to obtain a first gradient of the first sample, where the sample data in the first sample is binary data and the data in the first gradient is continuous values; a normalization module, configured to normalize the absolute values of the data in the first gradient to obtain a second gradient, where the data in the second gradient is continuous values greater than or equal to zero and less than or equal to 1; the binary sampling processing device of any embodiment of the present application, configured to perform binary sampling on the data in the second gradient to obtain a third gradient, where the sampling probability of the binary sampling is determined by the data in the second gradient and the data in the third gradient is binary data; a second processing module, configured to extract the target sign of the data at a target position in the first gradient and add the target sign to the data corresponding to the target position in the third gradient; and a generating module, configured to combine the sample data in the first sample with the data in the third gradient after the sign is added, to generate a target adversarial sample, where the sample data in the target adversarial sample is binary data.
In a fifth aspect, an embodiment of the present application further provides an electronic device, including a processor, a memory, and a program or instruction stored in the memory and executable on the processor, where the method of any embodiment of the present application is implemented when the program or instruction is executed by the processor.
In a sixth aspect, an embodiment of the present application further provides a readable storage medium, where a program or an instruction is stored on the readable storage medium, and the method of any embodiment of the present application is implemented when the program or instruction is executed by a processor.
With the present application, a trigger signal can be input to the random access memory to trigger the execution of a write operation, and the first data or the second data is then generated according to whether the write operation succeeds. The first data and the second data are data in binary data, and their generation probability corresponds to the sampling probability of binary sampling, so they can be used as the different results of binary sampling. Thus, in the present application, binary sampling can be realized as long as a trigger signal triggers the write operation, without continuously inputting the trigger signal to the random access memory, which solves the problem in the related art that performing binary sampling by continuously outputting pulse signals leads to high energy consumption and high resource occupation in the binary sampling process.
Description of the drawings
FIG. 1 is a flowchart of the binary sampling processing method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of the relationship between the input voltage of the trigger signal, the pulse width of the trigger signal, and the probability of a successful write operation according to an embodiment of the present application;
FIG. 3 is a flowchart of the adversarial sample generation method according to an embodiment of the present application;
FIG. 4 is sample schematic diagram 1 according to an embodiment of the present application;
FIG. 5 is sample schematic diagram 2 according to an embodiment of the present application;
FIG. 6 is sample schematic diagram 3 according to an embodiment of the present application;
FIG. 7 is sample schematic diagram 4 according to an embodiment of the present application;
FIG. 8 is gradient schematic diagram 1 according to an embodiment of the present application;
FIG. 9 is gradient schematic diagram 2 according to an embodiment of the present application;
FIG. 10 is gradient schematic diagram 3 according to an embodiment of the present application;
FIG. 11 is gradient schematic diagram 4 according to an embodiment of the present application;
FIG. 12 is a schematic diagram of gradient descent processing according to an embodiment of the present application;
FIG. 13 is a schematic diagram of absolute value normalization processing according to an embodiment of the present application;
FIG. 14 is schematic diagram 1 of binary sampling according to an embodiment of the present application;
FIG. 15 is schematic diagram 2 of binary sampling according to an embodiment of the present application;
FIG. 16 is a schematic diagram of taking the sign according to an embodiment of the present application;
FIG. 17 is a schematic diagram of clipping conversion according to an embodiment of the present application;
FIG. 18 is a complete schematic diagram of generating an adversarial sample according to an embodiment of the present application;
FIG. 19 is a schematic structural diagram of a random number generation device according to an embodiment of the present application;
FIG. 20 is a schematic structural diagram of an adversarial sample generation device according to an embodiment of the present application;
FIG. 21 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
FIG. 22 is a schematic structural diagram of a readable storage medium according to an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the description of the present application, it should be understood that the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Therefore, a feature defined with "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present invention, unless otherwise specified, "a plurality of" means two or more.
In a first aspect, an embodiment of the present application provides a binary sampling processing method. FIG. 1 is a flowchart of the binary sampling processing method according to an embodiment of the present application. As shown in FIG. 1, the steps of the method are:
Step S102: determine a first sampling probability.
The first sampling probability corresponds to the sampling probability of one binary sampling.
Step S104: determine the value of the trigger signal parameter according to the first sampling probability.
Step S106: input a trigger signal to the random access memory to trigger the execution of a write operation.
The probability that the write operation succeeds is associated with the value of the trigger signal parameter.
Step S108: if the write operation succeeds, generate the first data; if the write operation does not succeed, generate the second data.
The first data and the second data are respectively different data in the binary data.
在向随机存储器(RAM)进行写操作时,不是一定成功,而是有一定的成功概率,且该成功概率可通过“触发信号参数的取值”调节;而在写操作之前,该写操作是否成功是无法预知的,或者说其结果是“随机”的。When writing to random access memory (RAM), it is not necessarily successful, but has a certain probability of success, and the probability of success can be adjusted by "the value of the trigger signal parameter"; and before the write operation, whether the write operation is Success is unpredictable, or the outcome is "random".
因此,本申请中首先确定与二值采样的采样概率对应的第一采样概率,再根据第一采样概率设定触发信号参数的取值,从而当用相应的触发信号进行写操作时,该写操作的成功概率与采样概率对应,故根据写操作是否成功得到第一数据或第二数据的概率与采样概率对应,从而只要根据第一数据和第二数据分别产生不同的采样结果,即可实现所需的二值采样。Therefore, in this application, the first sampling probability corresponding to the sampling probability of binary sampling is first determined, and then the value of the trigger signal parameter is set according to the first sampling probability, so that when the corresponding trigger signal is used for the writing operation, the writing The success probability of the operation corresponds to the sampling probability, so the probability of obtaining the first data or the second data according to whether the write operation is successful or not corresponds to the sampling probability, so as long as different sampling results are generated according to the first data and the second data, it can be realized The desired binary sampling.
Through steps S102 to S108 of this embodiment of the present application, a trigger signal is input to the random access memory to trigger a write operation, and first data or second data is generated depending on whether the write operation succeeds or fails. The first data and the second data are the two values of the binary data, and the probabilities with which they are generated correspond to the sampling probability of the binary sampling, so they can serve as the two different results of the binary sampling. The present application therefore achieves binary sampling whenever the trigger signal is applied, without continuously inputting trigger signals to the random access memory, which solves the problem in the related art that binary sampling by continuously outputting pulse signals makes the sampling process consume a large amount of energy and occupy a large amount of resources.
In an optional implementation of this embodiment of the present application, the first sampling probability refers to the probability that the binary sampling result is the first data, or the first sampling probability refers to the probability that the binary sampling result is the second data.
It should be noted that the binary data in this embodiment of the present application refers to a combination of two specific values. For example, it may consist of 0 and 1: the first data may be 1 and the second data 0, or the first data may be 0 and the second data 1. Binary data consisting of 0 and 1 is only an illustration; other combinations are also possible, for example 2 and 1, or 3 and 5, or 4 and 7, and so on. The present application does not limit the specific values of the binary data, which can be determined according to the actual situation.
On this basis, taking binary data consisting of 0 and 1 as an example, if the first data is 1 and the second data is 0, the first sampling probability may refer either to the probability that the binary sampling result is 1 or to the probability that the binary sampling result is 0. If the first sampling probability refers to the probability that the binary sampling result is 1 and the first sampling probability is 0.8, then the probability that the binary sampling result is 1 is 0.8 (and the probability that the binary sampling result is 0 is correspondingly 0.2).
In an optional implementation of this embodiment of the present application, the trigger signal may be a pulse signal. On this basis, the trigger signal parameters in this embodiment include at least one of the following: the pulse width of the trigger signal, the pulse amplitude of the trigger signal, the input voltage of the trigger signal, and the number of times the trigger signal is input per unit time (that is, within the time of each write operation).
In a specific application scenario, the pulse width of the trigger signal may be 20 ns, the input voltage may be 1.5 V, the number of times the trigger signal is input per unit time may be 10, and so on. These values are only examples; in different application scenarios the values can be chosen according to the actual situation.
On this basis, the probability that the write operation succeeds is associated with the value of the trigger signal parameter. Take the number of times the trigger signal is input per unit time as the trigger signal parameter: in a specific application scenario, the current unit time (that is, the time of each write operation) is 1 s and the trigger signal is currently input 40 times within 1 s. To obtain more data generated by successful write operations, the number of inputs within 1 s can be raised to 60; to reduce the data generated by successful operations, it can be lowered to 20. As for the pulse width, suppose the pulse width of the current trigger signal is 20 ns. Because the value of the pulse width is associated with the probability that the write operation succeeds, if a larger pulse width gives a higher success probability, the current pulse width can be adjusted to 30 ns, 40 ns and so on to raise the success probability, and conversely to 10 ns and so on to lower it. In other application scenarios, the write success rate may instead be 100% at a specified pulse width and fall exponentially above or below that pulse width. For example, if the pulse width at which the write success rate is 100% is 50 ns, then at a pulse width of 40 ns or 60 ns the success rate is 60% or lower. The above is only an example; in a specific application scenario the value of the trigger signal parameter can be adjusted according to the actual situation.
The other trigger signal parameters are handled in a similar way: the pulse amplitude of the trigger signal or the input voltage of the trigger signal can be adjusted. The correspondence among the input voltage of the trigger signal, the pulse width of the trigger signal (shown as pulse duration in the figure) and the success probability of the write operation (shown as switching probability in the figure) is shown in Figure 2.
In an optional implementation of this embodiment of the present application, the random access memory is preferably a non-volatile memory. This is only an example, and other memories may also be used, for example a non-volatile magnetic random access memory (MRAM).
As one form of this embodiment of the present application, a magnetic random access memory (MRAM) may be used as the above random access memory. This is because a magnetic random access memory can perform a write operation with a pulse signal as the trigger signal, and the probability that the write succeeds has a definite relationship with trigger signal parameters such as the width of the pulse signal, which makes it easy to adjust.
On the basis of the above, so that the success probability of the write operation can be adjusted, the method in this embodiment of the present application may further include, after the write operation is triggered:
Step S110: adjust the value of the trigger signal parameter according to a second sampling probability.
Here, the second sampling probability corresponds to the sampling probability of another binary sampling.
After the first binary sampling has been performed according to the first sampling probability, a new binary sampling can be performed according to the second sampling probability, and binary sampling can continue according to the sampling probability of each subsequent binary sampling.
It should be noted that both the first sampling probability and the second sampling probability in this embodiment of the present application can be determined through the value of the trigger signal parameter. Where both refer to the probability of sampling the first data, that is, the probability that the write operation succeeds, the value of the trigger signal parameter has to be adjusted according to the first or second sampling probability so that the probability of a successful write matches that sampling probability. For example, suppose the first sampling probability is 0.4, so the corresponding probability of a successful write is also 0.4, and the current trigger signal parameter is the number of times the trigger signal is input per unit time, with the first sampling probability corresponding to 40 inputs of the trigger signal within 1 s. If the first sampling probability is to be adjusted to a second sampling probability of 0.6, the corresponding probability of a successful write is also 0.6, and the number of inputs per unit time corresponding to the second sampling probability is raised to 60 within 1 s. Other trigger signal parameters are handled in a similar way. The above is only an example; the values of other sampling probabilities and of the corresponding trigger signal parameters can be set according to the actual situation.
In a second aspect, an embodiment of the present application further provides a method for generating an adversarial sample.
In some related technologies, because a spiking neural network (SNN) requires binary spike signals as input, part of the spike signals of an input sample are flipped at random and the random flip results are then searched, so that adversarial samples are produced by trial and error for the purpose of an adversarial attack.
However, because the search space is huge, generating spike adversarial samples by trial and error makes it difficult to find accurate adversarial samples, so the attack success rate is low.
The adversarial sample generation method of this embodiment of the present application solves the problem in the related art that randomly flipping part of the spike signals of an input sample and then searching the random flip results, over a large search space, leads to a low attack success rate against the spiking neural network.
As shown in Figure 3, the adversarial sample generation method of this embodiment of the present application includes the following steps:
Step S302: perform gradient descent processing on a first sample to obtain a first gradient of the first sample.
Here, the sample data in the first sample is binary data, and the data in the first gradient is continuous-valued.
Step S304: normalize the absolute values of the data in the first gradient to obtain a second gradient.
Here, the data in the second gradient is continuous-valued, greater than or equal to zero and less than or equal to 1.
Step S306: perform binary sampling on the data in the second gradient in the manner of the binary sampling processing method embodiment above to obtain a third gradient.
Here, the sampling probability of the binary sampling is determined by the data in the second gradient.
The data in the third gradient is binary data.
Step S308: extract the target sign of the data at a target position in the first gradient, and add the target sign to the data at the position in the third gradient that corresponds to the target position.
Step S310: combine the sample data in the first sample with the data in the signed third gradient to generate a target adversarial sample.
Here, the sample data in the target adversarial sample is binary data.
In this embodiment of the present application, gradient descent processing is first performed on the binary first sample (the original input sample of the spiking neural network) to obtain the first gradient. The data of the first gradient is clearly continuous-valued and includes both positive and negative values.
The absolute values of the data in the first gradient are then taken and normalized to obtain the second gradient, so the data of the second gradient consists of continuous values between 0 and 1, and each of these values represents a sampling probability for binary sampling. For example, a value of 0.4 in the first gradient can indicate that the probability of a binary sampling result of 1 is 0.4 and the probability of a binary sampling result of 0 is 0.6.
Binary sampling can then be performed on the basis of the second gradient, following the method of the embodiments of the present application, to obtain the binary third gradient.
The sign of each value in the first gradient is then placed in front of the corresponding value in the third gradient to form a correction to the first sample, and the data of the first sample and the correction (that is, the corresponding data of the signed third gradient) are added to obtain the required binary adversarial sample (the target adversarial sample).
Through steps S302 to S310 of this embodiment of the present application, a first sample whose data type is binary is processed by gradient descent to obtain a first gradient whose data is continuous-valued. After normalization, binary sampling and sign extraction, the continuous-valued first gradient is converted into a signed third gradient whose data is ternary. Finally, the sample data in the first sample is combined with the data in the signed third gradient to generate the target adversarial sample, so that the data type of the generated target adversarial sample matches that of the first sample: both are binary data. If the first sample is an original sample of a spiking neural network, the adversarial sample obtained through this embodiment has the same data type as the original sample. On the one hand, gradient descent produces a first gradient containing accurate gradient information, which avoids the problem in the related art that randomly flipping part of the spike signals of an input sample and then searching the random flip results, over a large search space, leads to a low attack success rate against the spiking neural network. On the other hand, processing the first gradient into an adversarial sample of the same data type as the original sample improves the camouflage ability of the adversarial sample, which has the effect of raising the success rate of the attack on the spiking neural network.
It should be noted that the first sample in this embodiment of the present application is obtained by converting at least one of the following: an image sample, a voice sample, a text sample; or the first sample is data collected by at least one of the following: a dynamic vision sensor, a brain-computer interface. On this basis, the third gradient characterizes the amount of change in the data of the first sample, so the original sample and the third gradient (the amount of change) can be combined to generate the target adversarial sample.
In addition, the first sample in this embodiment of the present application is suitable for a neural network that receives binary input signals; in a specific application scenario it may be an input sample of a spiking neural network, SNN (Spiking Neuron Networks). Binary data in this embodiment is a data type in which the data of a sample consists only of {0, 1}. For example, in a specific application scenario the first sample may be any one of samples 1 to 4 shown in Figures 4 to 7.
Samples 1 to 4 in this embodiment of the present application merely illustrate the first sample; the specific values of the data in the first sample can be determined according to the actual situation.
Ternary data in this embodiment of the present application is likewise a data type, in which the data of a sample consists only of {-1, 0, 1}. For example, the ternary gradient (the signed third gradient) may be any one of gradients 1 to 4 shown in Figures 8 to 11.
That is, in this embodiment of the present application, the gradient corresponding to a sample of binary data can be obtained by conversion according to the following principles. Where the data in the original sample is 0, the corresponding data in the converted gradient is 1 or -1; the -1 case requires subsequent clipping. Where the data in the original sample is 1, the corresponding data in the gradient is 0 or 1; the case where the converted value is 1 requires subsequent clipping.
Gradients 1 to 4 above merely illustrate ternary data; the specific ternary data in this embodiment of the present application can be determined according to the actual situation.
As for the continuous values in the first gradient obtained by performing gradient descent processing on the first sample, take sample 2 as the first sample: as shown in Figure 11, the first gradient is obtained after gradient descent processing is performed on sample 2. The gradient descent processing in Figure 11 is only an illustration; the data in the first gradient may take other values while the corresponding first sample is still sample 2. The specific gradient descent processing depends on the actual situation.
In an optional implementation of this embodiment of the present application, step S304 normalizes the absolute values of the data in the first gradient to obtain the second gradient, where the data in the second gradient is continuous-valued, greater than or equal to zero and less than or equal to 1. In a specific application scenario, these values may be continuous values between 0 and 1.
Taking the specific values of the first gradient in Figure 12 above as an example, the absolute values of the data in the first gradient can be normalized in a specific application scenario as follows. First determine the absolute value of each value, then normalize the value with the largest absolute value to 1 and take that largest absolute value as the normalization coefficient, and divide the other absolute values by the normalization coefficient. Specifically, the largest absolute value is 2, that is, the absolute value of -2.0 (namely 2.0); it normalizes to 1 and is taken as the normalization coefficient. Normalizing 0.8 with this coefficient then gives 0.4, and the other data in the first gradient is normalized in turn, with the results shown in Figure 13.
In an optional implementation of this embodiment of the present application, the binary sampling of the data in the second gradient in step S306, performed in the manner of the binary sampling processing method embodiment above to obtain the third gradient, can further be implemented through the following steps:
Step S11: take the gradient value of the data in the second gradient as the first sampling probability of the binary sampling.
Step S12: determine the value of the trigger signal parameter on the basis of the first sampling probability.
Step S13: input a trigger signal to the random access memory to trigger a write operation.
Here, the probability that the write operation succeeds is associated with the value of the trigger signal parameter.
Step S14: generate the first data if the write operation succeeds; generate the second data if the write operation does not succeed.
Here, the first data and the second data are different values of the binary data, and the data in the third gradient consists of the first data or the second data.
It should be noted that the sampling probability in this embodiment of the present application refers to the probability of obtaining one of the two values of the binary data, that is, either the probability of 0 or the probability of 1.
The following description takes the probability of sampling 1 as an example.
For step S306, take the second gradient in Figure 13 above as an example. The first sampling probability is then the probability that the binary sampling result of each value is 1: for a value of 0.4 in the second gradient, the first sampling probability of a binary sampling result of 1 is 0.4; for a value of 0.8, it is 0.8; and for a value of 1, it is 1, as shown in Figure 14. Figure 14 is only one possible sampling result; the result may also be the one shown in Figure 15, or something else. Figures 14 and 15 are given as examples.
That is, if there is only one random access memory in this embodiment of the present application and 0.4 is input first, the probability of a successful write is 0.4, so the first sampling probability is 0.4. If 0.8 is input next, the probability of a successful write is 0.8, so the first sampling probability has to be adjusted to the second sampling probability, which is 0.8. If there are multiple random access memories and 0.4 is input, the probability of a successful write for the connected memories is 0.4, and this probability is obtained by combining the write success probabilities of the individual memories.
The target position in step S308 of this embodiment of the present application refers to any position in the first gradient; that is, the signs of all the data in the first gradient have to be added to the corresponding data in the third gradient. Taking the first gradient in Figure 12 and the third gradient in Figure 14 as an example, the sign "-" of -2.0 is added to the 1 at the corresponding position in the third gradient, giving "-1". The signs at the other positions are handled in the same way, as shown in Figure 16.
In an optional implementation of this embodiment of the present application, combining the sample data in the first sample with the data in the signed third gradient in step S310 to generate the target adversarial sample may further include:
Step S310-11: accumulate the data at the same positions in the first sample and the signed third gradient to obtain a first adversarial sample.
Step S310-12: perform a clipping conversion on the first adversarial sample to generate the adversarial sample.
Step S310-12 may further be:
Step S21: determine, in the first adversarial sample, the data that does not match the binary data.
Step S22: convert the data in the first adversarial sample that does not match the binary data into binary data to generate the target adversarial sample.
It should be noted that the clipping limits in the clipping conversion are determined from the binary data in the first sample, so the data type of the finally generated adversarial sample is the same as that of the first sample. For step S310, take the signed third gradient in Figure 16 above as an example. The data in the signed third gradient is accumulated with the data in the first sample to obtain the first adversarial sample, as shown in Figure 17. Because the first adversarial sample may contain the values -1, 0, 1 and 2, that is, its data is quaternary, a clipping conversion is required. The purpose of the clipping conversion is to convert the data in the first adversarial sample into binary data: each 2 in the first adversarial sample is converted to 1 and each -1 is converted to 0, which yields a target adversarial sample whose data type is the same as that of the first sample.
For steps S302 to S310 above, the whole process of generating an adversarial sample in a specific application scenario is shown in Figure 18.
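The data path of steps S304 to S310 can be traced with the short sketch below, added here as an illustration and not taken from the application. It assumes the first gradient of step S302 is already available (the values are constructed, reusing the -2.0 and 0.8 of the worked normalization), and a software pseudo-random draw stands in for the probabilistic memory write of step S306; all function names are hypothetical.

```python
import random

# Constructed inputs: a binary first sample and a continuous first gradient.
SAMPLE = [1, 0, 1, 1, 0, 0]
FIRST_GRADIENT = [-2.0, 0.8, 0.0, 2.0, -0.8, 1.6]


def normalize_abs(first_gradient):
    """Step S304: divide |g| by the largest |g| so every value lies in [0, 1]."""
    peak = max(abs(g) for g in first_gradient)
    if peak == 0:
        # An all-zero gradient gives no direction: every sampling probability is 0.
        return [0.0 for _ in first_gradient]
    return [abs(g) / peak for g in first_gradient]


def binary_sample(second_gradient, rng):
    """Step S306: each value is the probability that the sampled bit is 1.

    Assumption: rng.random() replaces the stochastic write of the text
    (write succeeds -> first data 1, write fails -> second data 0).
    """
    return [1 if rng.random() < p else 0 for p in second_gradient]


def apply_sign(first_gradient, third_gradient):
    """Step S308: put the sign of each first-gradient value on the sampled bit."""
    return [-bit if g < 0 else bit for g, bit in zip(first_gradient, third_gradient)]


def combine_and_clip(sample, signed_gradient):
    """Step S310: accumulate per position, then clip back to {0, 1}."""
    accumulated = [s + d for s, d in zip(sample, signed_gradient)]  # in {-1, 0, 1, 2}
    return [min(1, max(0, v)) for v in accumulated]  # 2 -> 1, -1 -> 0


def perturb(sample, first_gradient, rng):
    """Run S304 to S310 on one binary sample and return the binary result."""
    if len(sample) != len(first_gradient):
        raise ValueError("sample and gradient must have the same length")
    if any(bit not in (0, 1) for bit in sample):
        raise ValueError("the first sample must contain only 0 and 1")
    second = normalize_abs(first_gradient)
    third = binary_sample(second, rng)
    signed = apply_sign(first_gradient, third)
    return combine_and_clip(sample, signed)


def changed_positions(sample, result):
    """Positions where the result differs from the original sample."""
    return [i for i, (a, b) in enumerate(zip(sample, result)) if a != b]


if __name__ == "__main__":
    rng = random.Random(2021)  # fixed seed so the run is repeatable
    result = perturb(SAMPLE, FIRST_GRADIENT, rng)
    print("second gradient:", normalize_abs(FIRST_GRADIENT))
    print("original sample:", SAMPLE)
    print("result         :", result)
    print("changed at     :", changed_positions(SAMPLE, result))
```

Positions whose normalized gradient is 1 always change (unless clipping cancels the change) and positions whose gradient is 0 never do, so the number of changed bits, which `changed_positions` reports, is bounded by the gradient magnitudes rather than by a fixed flip budget.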
Through this embodiment of the present application, gradient descent is used to generate a spike adversarial sample (the target adversarial sample) corresponding to the original sample (the first sample), achieving a high-success-rate attack on the spiking neural network. In this process, the sample gradient in continuous-value format is used to modify the input sample in spike format and serves as the basis for subsequently generating the spike adversarial sample, and probability sampling limits the size of the difference between the adversarial sample and the original sample. This makes it possible to generate easily camouflaged adversarial samples that contain accurate gradient information, have the same data type as the original sample and change it only slightly. It avoids the problem in the related art that randomly flipping part of the spike signals of an input sample and then searching the random flip results, over a large search space, leads to a low attack success rate against the spiking neural network, and it has the effect of raising that success rate.
In a third aspect, an embodiment of the present application provides a binary sampling processing apparatus. Figure 19 is a schematic structural diagram of the binary sampling processing apparatus of this embodiment. As shown in Figure 19, the binary sampling processing apparatus 190 includes a controller 192 and a random access memory 194, where:
The controller 192 is configured to determine a first sampling probability and to determine the value of a trigger signal parameter according to the first sampling probability.
Here, the first sampling probability corresponds to the sampling probability of one binary sampling.
The random access memory 194 is configured to receive a trigger signal that triggers a write operation.
Here, the probability that the write operation succeeds is associated with the value of the trigger signal parameter.
The controller 192 is further configured to generate first data if the write operation succeeds and to generate second data if the write operation does not succeed.
Here, the first data and the second data are different values of the binary data.
With the binary sampling processing apparatus of this embodiment of the present application, a trigger signal is input to the random access memory to trigger a write operation, and first data or second data is generated depending on whether the write operation succeeds or fails. The first data and the second data are the two values of the binary data, and the probabilities with which they are generated correspond to the sampling probability of the binary sampling, so they can serve as the two different results of the binary sampling. The present application therefore achieves binary sampling whenever the trigger signal is applied, without continuously inputting trigger signals to the random access memory, which solves the problem in the related art that binary sampling by continuously outputting pulse signals makes the sampling process consume a large amount of energy and occupy a large amount of resources.
Optionally, the first sampling probability refers to the probability that the binary sampling result is the first data, or the first sampling probability refers to the probability that the binary sampling result is the second data.
Optionally, the trigger signal in this embodiment of the present application is a pulse signal. On this basis, the trigger signal parameter includes at least one of the following: the pulse width of the trigger signal, the pulse amplitude of the trigger signal, the input voltage of the trigger signal, and the number of times the trigger signal is input per unit time.
Optionally, the controller 192 in this embodiment of the present application is further configured to adjust the value of the trigger signal parameter according to a second sampling probability after the write operation is triggered.
Here, the second sampling probability corresponds to the sampling probability of another binary sampling.
Optionally, the random access memory in this embodiment of the present application is a non-volatile magnetic random access memory (MRAM).
In a fourth aspect, an embodiment of the present application further provides an apparatus for generating an adversarial sample. As shown in FIG. 20, the apparatus includes:
The first processing module 202 is configured to perform gradient descent processing on a first sample to obtain a first gradient of the first sample.
The sample data in the first sample is binary data, and the data in the first gradient is continuous-valued.
The normalization module 204 is configured to normalize the absolute values of the data in the first gradient to obtain a second gradient.
The data in the second gradient is continuous-valued, greater than or equal to zero and less than or equal to 1.
The binary sampling processing apparatus 190 in FIG. 19 is configured to perform binary sampling on the data in the second gradient to obtain a third gradient.
The sampling probability of the binary sampling is determined by the data in the second gradient; the data in the third gradient is binary data.
The second processing module 206 is configured to extract the target sign of the data at a target position in the first gradient, and to add the target sign to the data corresponding to the target position in the third gradient.
The generation module 208 is configured to combine the sample data in the first sample with the data in the signed third gradient to generate a target adversarial sample; the sample data in the target adversarial sample is binary data.
Optionally, the generation module 208 in the embodiments of the present application may further include: an accumulation unit, configured to accumulate the data at the same positions in the first sample and in the signed third gradient to obtain a first adversarial sample; and a generation unit, configured to perform clipping conversion on the first adversarial sample to generate the target adversarial sample.
Optionally, the generation unit in the embodiments of the present application may further include: a determination subunit, configured to determine, from the first adversarial sample, the data that does not match the binary data; and a generation subunit, configured to convert the data in the first adversarial sample that does not match the binary data into binary data, generating the target adversarial sample.
Optionally, the clipping limits used in the clipping conversion in the embodiments of the present application are determined according to the binary data in the first sample.
Optionally, the first sample in the embodiments of the present application is an input sample of a spiking neural network.
Optionally, the first sample in the embodiments of the present application is obtained by converting at least one of the following: an image sample, a voice sample, a text sample; or, the first sample is data collected by at least one of the following: a dynamic vision sensor, a brain-computer interface.
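The generation flow carried out by modules 202 to 208 above, as an added Python example for checking how robust a model is on binary inputs (it is not code from the patent). The MRAM write is replaced by a software Bernoulli draw, and the max-magnitude normalization, the toy logistic model and all function names are assumptions.

```python
import math
import random


def stochastic_write(p, rng):
    """One binary sampling: 1 if the simulated write succeeds (probability p), else 0.
    Software stand-in (assumption) for the probabilistic MRAM write."""
    return 1 if rng.random() < p else 0


def normalize_abs(grad):
    """Second gradient: |g| scaled into [0, 1] by the largest magnitude (assumed scheme)."""
    peak = max(abs(g) for g in grad)
    if peak == 0.0:
        return [0.0] * len(grad)
    return [abs(g) / peak for g in grad]


def sign(g):
    return (g > 0) - (g < 0)


def perturb_binary(sample, grad, rng, low=0, high=1):
    """Apply the described steps to one binary sample.
    Returns (target_sample, signed_third_gradient)."""
    second = normalize_abs(grad)                          # values in [0, 1]
    third = [stochastic_write(p, rng) for p in second]    # binary mask
    signed = [sign(g) * t for g, t in zip(grad, third)]   # values in {-1, 0, 1}
    first_adv = [x + s for x, s in zip(sample, signed)]   # may leave {0, 1}: -1 or 2
    # Clipping conversion: limits come from the binary values of the first sample.
    target = [min(high, max(low, v)) for v in first_adv]
    return target, signed


def _prob(weights, bias, x):
    z = sum(w * xi for w, xi in zip(weights, x)) + bias
    return 1.0 / (1.0 + math.exp(-z))


def input_gradient(weights, bias, x, label):
    """Gradient of the cross-entropy loss w.r.t. the input of a toy logistic model."""
    p = _prob(weights, bias, x)
    return [(p - label) * w for w in weights]


def loss(weights, bias, x, label):
    p = _prob(weights, bias, x)
    return -(label * math.log(p) + (1 - label) * math.log(1 - p))


def demo(seed=7):
    """Constructed toy model and input; returns (x, adv, loss_before, loss_after)."""
    rng = random.Random(seed)
    weights = [1.5, -2.0, 0.5, 0.0, -1.0, 2.5]
    bias = -0.5
    x = [1, 0, 1, 1, 1, 0]
    label = 1
    grad = input_gradient(weights, bias, x, label)
    adv, _ = perturb_binary(x, grad, rng)
    return x, adv, loss(weights, bias, x, label), loss(weights, bias, adv, label)


if __name__ == "__main__":
    x, adv, before, after = demo()
    print("original :", x)
    print("perturbed:", adv)
    print("loss before/after:", round(before, 4), round(after, 4))
```

Positions whose gradient is zero are never sampled, and positions where the signed step would leave the binary range are clipped back, so the output stays a valid binary input for the model under test.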
In a fifth aspect, referring to FIG. 21, an embodiment of the present application further provides an electronic device, including a processor, a memory, and a program or instructions stored in the memory and executable on the processor. When the program or instructions are executed by the processor, each process of the above embodiments of the binary sampling processing method, or of the adversarial sample generation method, is implemented, and the same technical effect can be achieved. To avoid repetition, details are not repeated here.
It should be noted that the electronic devices in the embodiments of the present application include the mobile electronic devices and non-mobile electronic devices described above.
In a sixth aspect, referring to FIG. 22, an embodiment of the present application further provides a readable storage medium on which a program or instructions are stored. When the program or instructions are executed by a processor, each process of the above embodiments of the binary sampling processing method, or of the adversarial sample generation method, is implemented, and the same technical effect can be achieved. To avoid repetition, details are not repeated here.
The processor is the processor in the electronic device described in the foregoing embodiments. The readable storage medium includes a computer-readable storage medium, such as a computer read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
Obviously, those skilled in the art should understand that the modules or steps of the present application described above can be implemented by a general-purpose computing device, and they can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Optionally, they can be implemented in program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases, the steps shown or described can be performed in an order different from the one given here, or they can be fabricated separately into individual integrated circuit modules, or multiple modules or steps among them can be fabricated into a single integrated circuit module. As such, the present application is not limited to any particular combination of hardware and software.
The above descriptions are only preferred embodiments of the present application and are not intended to limit the present application. For those skilled in the art, the present application may have various modifications and changes. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included within the protection scope of the present application.

Claims (16)

  1. A method for processing binary sampling, characterized by comprising:
    determining a first sampling probability, the first sampling probability corresponding to the sampling probability of one binary sampling;
    determining the value of a trigger signal parameter according to the first sampling probability;
    inputting the trigger signal to a random access memory to trigger execution of a write operation, wherein the probability that the write operation succeeds is associated with the value of the trigger signal parameter;
    generating first data when the write operation succeeds;
    generating second data when the write operation does not succeed, wherein the first data and the second data are different data in the binary data.
  2. The method according to claim 1, characterized in that the first sampling probability refers to the probability that the binary sampling result is the first data, or the first sampling probability refers to the probability that the binary sampling result is the second data.
  3. The method according to claim 1, characterized in that the trigger signal is a pulse signal.
  4. The method according to claim 3, characterized in that the trigger signal parameter includes at least one of the following: the pulse width of the trigger signal, the pulse amplitude of the trigger signal, the input voltage of the trigger signal, and the number of times the trigger signal is input per unit time.
  5. The method according to claim 1, characterized in that, after the write operation has been triggered, the method further comprises:
    adjusting the value of the trigger signal parameter according to a second sampling probability, the second sampling probability corresponding to the sampling probability of another binary sampling.
  6. The method according to any one of claims 1 to 5, characterized in that the random access memory is a non-volatile magnetic random access memory (MRAM).
  7. A method for generating an adversarial sample, characterized by comprising:
    performing gradient descent processing on a first sample to obtain a first gradient of the first sample, wherein the sample data in the first sample is binary data and the data in the first gradient is continuous-valued;
    normalizing the absolute values of the data in the first gradient to obtain a second gradient, wherein the data in the second gradient is continuous-valued, greater than or equal to zero and less than or equal to 1;
    performing binary sampling on the data in the second gradient by the binary sampling processing method according to any one of claims 1 to 6 to obtain a third gradient, wherein the sampling probability of the binary sampling is determined by the data in the second gradient, and the data in the third gradient is binary data;
    extracting the target sign of the data at a target position in the first gradient, and adding the target sign to the data corresponding to the target position in the third gradient;
    combining the sample data in the first sample with the data in the signed third gradient to generate a target adversarial sample, wherein the sample data in the target adversarial sample is binary data.
  8. The method according to claim 7, characterized in that combining the sample data in the first sample with the data in the signed third gradient to generate the target adversarial sample comprises:
    accumulating the data at the same positions in the first sample and in the signed third gradient to obtain a first adversarial sample;
    performing clipping conversion on the first adversarial sample to generate the target adversarial sample.
  9. The method according to claim 8, characterized in that performing clipping conversion on the first adversarial sample to generate the target adversarial sample comprises:
    determining, from the first adversarial sample, the data that does not match the binary data;
    converting the data in the first adversarial sample that does not match the binary data into binary data to generate the target adversarial sample.
  10. The method according to claim 8, characterized in that the clipping limits used in the clipping conversion are determined according to the binary data in the first sample.
  11. The method according to any one of claims 7 to 10, characterized in that the first sample is an input sample of a spiking neural network.
  12. The method according to any one of claims 7 to 10, characterized in that
    the first sample is obtained by converting at least one of the following: an image sample, a voice sample, a text sample;
    or,
    the first sample is data collected by at least one of the following: a dynamic vision sensor, a brain-computer interface.
  13. An apparatus for processing binary sampling, characterized by comprising:
    a controller, configured to determine a first sampling probability and to determine the value of a trigger signal parameter according to the first sampling probability, the first sampling probability corresponding to the sampling probability of one binary sampling;
    a random access memory, configured to receive the trigger signal to trigger execution of a write operation, wherein the probability that the write operation succeeds is associated with the value of the trigger signal parameter;
    the controller being further configured to generate first data when the write operation succeeds and to generate second data when the write operation does not succeed, wherein the first data and the second data are different data in the binary data.
  14. An apparatus for generating an adversarial sample, characterized by comprising:
    a first processing module, configured to perform gradient descent processing on a first sample to obtain a first gradient of the first sample, wherein the sample data in the first sample is binary data and the data in the first gradient is continuous-valued;
    a normalization module, configured to normalize the absolute values of the data in the first gradient to obtain a second gradient, wherein the data in the second gradient is continuous-valued, greater than or equal to zero and less than or equal to 1;
    the binary sampling processing apparatus according to claim 13, configured to perform binary sampling on the data in the second gradient to obtain a third gradient, wherein the sampling probability of the binary sampling is determined by the data in the second gradient, and the data in the third gradient is binary data;
    a second processing module, configured to extract the target sign of the data at a target position in the first gradient, and to add the target sign to the data corresponding to the target position in the third gradient;
    a generation module, configured to combine the sample data in the first sample with the data in the signed third gradient to generate a target adversarial sample, wherein the sample data in the target adversarial sample is binary data.
  15. An electronic device, characterized by comprising a processor, a memory, and a program or instructions stored in the memory and executable on the processor, wherein the program or instructions, when executed by the processor, implement the binary sampling processing method according to any one of claims 1-6, or implement the steps of the adversarial sample generation method according to any one of claims 7-12.
  16. A readable storage medium, characterized in that a program or instructions are stored on the readable storage medium, and the program or instructions, when executed by a processor, implement the binary sampling processing method according to any one of claims 1-6, or implement the steps of the adversarial sample generation method according to any one of claims 7-12.
PCT/CN2021/129744 2020-11-13 2021-11-10 Binary sampling processing method and apparatus, adversarial example generation method and apparatus, electronic device, and readable storage medium WO2022100603A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020227031112A KR20220132010A (en) 2020-11-13 2021-11-10 Method and apparatus for processing binary sampling, method and apparatus for generating hostile samples, electronic devices, and readable storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011271801.3A CN112379859B (en) 2020-11-13 2020-11-13 Binary sampling processing method and device and countermeasure sample generation method and device
CN202011271801.3 2020-11-13

Publications (1)

Publication Number Publication Date
WO2022100603A1 true WO2022100603A1 (en) 2022-05-19

Family

ID=74582620

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/129744 WO2022100603A1 (en) 2020-11-13 2021-11-10 Binary sampling processing method and apparatus, adversarial example generation method and apparatus, electronic device, and readable storage medium

Country Status (3)

Country Link
KR (1) KR20220132010A (en)
CN (1) CN112379859B (en)
WO (1) WO2022100603A1 (en)


Also Published As

Publication number Publication date
KR20220132010A (en) 2022-09-29
CN112379859A (en) 2021-02-19
CN112379859B (en) 2023-08-18


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21891123

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 20227031112

Country of ref document: KR

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21891123

Country of ref document: EP

Kind code of ref document: A1