WO2022222143A1 - Security test method and apparatus for artificial intelligence system, and terminal device - Google Patents


Info

Publication number
WO2022222143A1
Authority
WO
WIPO (PCT)
Prior art keywords
artificial intelligence
image data
intelligence system
original image
malicious sample
Prior art date
Application number
PCT/CN2021/089329
Other languages
French (fr)
Chinese (zh)
Inventor
邵翠萍
李慧云
刘艳琳
蒋拯民
Original Assignee
中国科学院深圳先进技术研究院
Application filed by 中国科学院深圳先进技术研究院

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Definitions

  • the present application relates to the technical field of artificial intelligence, and in particular to a security detection method, apparatus, terminal device and readable storage medium for an artificial intelligence system.
  • the related security detection methods for artificial intelligence systems usually carry out specific security attacks on the artificial intelligence system, but cannot comprehensively and systematically detect and evaluate it, and cannot determine the safety of the artificial intelligence system in actual scenarios; as a result, the accuracy of the safety performance test results of artificial intelligence technology is unstable and their authenticity is poor.
  • the purpose of the embodiments of the present application is to provide a security detection method, apparatus, terminal device and readable storage medium for an artificial intelligence system, including but not limited to solving the problem that the related security detection methods cannot comprehensively and systematically detect and evaluate the artificial intelligence system, so that the accuracy of the safety performance test results of artificial intelligence technology is unstable and their authenticity is poor.
  • a security detection method for an artificial intelligence system including:
  • the malicious sample data is image data that makes the output result of the artificial intelligence system different from the expected output result
  • a security test is performed on the artificial intelligence system according to the malicious sample data, and a security detection result of the artificial intelligence system is obtained.
  • a security detection device for an artificial intelligence system including:
  • an acquisition module for acquiring multiple original image data
  • a generation module is used to generate malicious sample data according to the original image data; wherein, the malicious sample data is the image data that makes the output result of the artificial intelligence system different from the expected output result;
  • a test module configured to perform a security test on the artificial intelligence system according to the malicious sample data, and obtain a security detection result of the artificial intelligence system.
  • a terminal device including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the security detection method for an artificial intelligence system according to any one of the first aspects above.
  • a computer-readable storage medium storing a computer program which, when executed by a processor, implements the security detection method for an artificial intelligence system according to any one of the first aspects above.
  • a fifth aspect provides a computer program product that, when the computer program product runs on a terminal device, enables the terminal device to execute the security detection method for an artificial intelligence system according to any one of the first aspects above.
  • the beneficial effect of the security detection method for an artificial intelligence system is that: by acquiring a large amount of original image data, generating a large amount of corresponding malicious sample data based on the original image data, and carrying out safety performance tests on the artificial intelligence system based on that malicious sample data, the security attacks on artificial intelligence systems in real environments are simulated, a comprehensive and realistic security performance test of the artificial intelligence system is realized, the accuracy of the security detection results is improved, and the security risks of the artificial intelligence system are reduced.
  • FIG. 1 is a schematic flowchart of a security detection method of an artificial intelligence system provided by an embodiment of the present application
  • FIG. 2 is a schematic structural diagram of a high-speed high-definition image acquisition system provided by an embodiment of the present application
  • FIG. 3 is a schematic diagram of an application scenario for extracting local texture information of an image by a local binary pattern algorithm provided by an embodiment of the present application;
  • FIG. 4 is a schematic diagram of the positional relationship of a given pixel point pair based on a grayscale co-occurrence matrix provided by an embodiment of the present application;
  • FIG. 5 is a schematic diagram of an application scenario for identifying original image data based on the optimized YOLO3 algorithm provided by an embodiment of the present application;
  • FIG. 6 is a schematic diagram of an application scenario for generating malicious sample data based on a similar adversarial sample generation method provided by an embodiment of the present application;
  • FIG. 7 is a schematic structural diagram of a security detection device of an artificial intelligence system provided by an embodiment of the present application.
  • FIG. 8 is another schematic structural diagram of a security detection device for an artificial intelligence system provided by an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a terminal device provided by an embodiment of the present application.
  • An artificial intelligence system refers to a neural network model that has all the functions of a general-purpose operating system, and also includes speech recognition, machine vision systems, actuator systems, and cognitive behavioral systems.
  • an autonomous driving network model applied to the field of autonomous driving or an autonomous control network model applied to autonomous weapons in the military field.
  • Malicious sample data refers to image data that makes the output of the artificial intelligence system different from the expected output.
  • for example, the autonomous driving network model outputs a result such as "driving right" or "turning around" when the input data is "driving left" traffic sign data, which differs from the expected correct output "driving left".
  • the security detection method of the artificial intelligence system provided by the embodiment of the present application can be applied to a mobile phone, a tablet computer, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, and a personal digital assistant (PDA).
  • the security detection method for an artificial intelligence system proposed in this application generates a corresponding malicious sample data set by acquiring a large amount of original image data and adding corresponding gradient interference information based on the texture information of each original image data; the malicious sample data set is then used to test the safety of the artificial intelligence system and obtain safety test results, so as to realize a comprehensive and realistic safety performance test of the artificial intelligence system, improve the accuracy of its safety test results, and reduce its security risks.
  • FIG. 1 shows a schematic flowchart of the security detection method of the artificial intelligence system provided by the present application.
  • the method can be applied to the above-mentioned notebook computer.
  • artificial intelligence systems are usually subject to security attacks, and the attack data will make the artificial intelligence output results different from the expected correct output results, resulting in a reduction in the accuracy of the output results of the artificial intelligence system, and there are certain security risks.
  • the original image data refers to the image data collected by the preset collection device in the real environment, or the data set used for training the artificial intelligence system.
  • Artificial intelligence systems specifically refer to vision-based artificial intelligence systems, such as automatic driving neural network models or face recognition systems applied in the field of automatic driving.
  • existing traffic sign data sets include CTSDB, CCTSDB, Tsinghua-Tencent 100K tutorial, Baidu ApolloScape and others, but these data sets often have the problem of incomplete data. For this reason, a large amount of traffic sign data is collected in a targeted manner by a specific preset collection device in a real environment. Preset collection devices include but are not limited to HD cameras.
  • the method further includes:
  • image conversion is performed on each of the original image data by a preset data enhancement method to obtain an original image data set; wherein the preset data enhancement method includes but is not limited to at least one of symmetry processing, rotation processing and scaling processing.
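The three enhancement operations, as an added NumPy example that is not part of the patent. The orientation-sensitive label set and the sample image are constructed for the example; the check they drive is the practical caveat of this step: mirroring or rotating a sign whose meaning is directional (the page's "driving left" / "driving right") produces an image of a different sign, so the original label would silently become wrong and every test built on that data set would measure the wrong thing.

```python
import numpy as np

# Constructed for this example: labels whose meaning depends on orientation
# (the page's "driving left" / "driving right" traffic signs). Mirroring or
# rotating such an image yields a picture of a different sign, so the label
# would no longer be correct; only scaling is orientation-safe.
ORIENTATION_SENSITIVE = {"driving left", "driving right"}

# Constructed 4x4 "image": distinct pixel values make the geometry easy to check.
SAMPLE_IMAGE = np.arange(16).reshape(4, 4)

def symmetry(img):
    """Symmetry processing: mirror the image left-to-right."""
    return img[:, ::-1]

def rotate(img, quarter_turns):
    """Rotation processing: rotate counter-clockwise by quarter_turns * 90 degrees."""
    return np.rot90(img, k=quarter_turns)

def scale(img, factor):
    """Scaling processing by nearest-neighbour resampling (hand-written so the
    example needs only NumPy)."""
    h, w = img.shape[:2]
    new_h = max(1, int(round(h * factor)))
    new_w = max(1, int(round(w * factor)))
    rows = np.clip((np.arange(new_h) / factor).astype(int), 0, h - 1)
    cols = np.clip((np.arange(new_w) / factor).astype(int), 0, w - 1)
    return img[rows][:, cols]

def augment(img, label, ops):
    """Apply a list of (op, argument) pairs to one labelled original image and
    return the (image, label) pairs produced. Refuses operations that would
    silently invalidate an orientation-sensitive label."""
    produced = []
    for op, arg in ops:
        if op == "symmetry":
            if label in ORIENTATION_SENSITIVE:
                raise ValueError(f"mirroring would change the meaning of {label!r}")
            produced.append((symmetry(img), label))
        elif op == "rotate":
            if label in ORIENTATION_SENSITIVE and arg % 4 != 0:
                raise ValueError(f"rotating would change the meaning of {label!r}")
            produced.append((rotate(img, arg), label))
        elif op == "scale":
            produced.append((scale(img, arg), label))
        else:
            raise ValueError(f"unknown enhancement {op!r}")
    return produced

def build_dataset(originals, ops):
    """Original image data set = each original plus every augmentation of it."""
    dataset = []
    for img, label in originals:
        dataset.append((img, label))
        dataset.extend(augment(img, label, ops))
    return dataset

if __name__ == "__main__":
    for img, label in build_dataset([(SAMPLE_IMAGE, "no parking")],
                                    [("symmetry", None), ("rotate", 1), ("scale", 0.5)]):
        print(label, img.shape)
```

In a real pipeline the orientation-sensitive set would be derived from the label taxonomy (all signs carrying an arrow), not hand-listed.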
  • FIG. 2 exemplarily provides a schematic structural diagram of a high-speed high-definition image acquisition system.
  • S102 Generate malicious sample data according to the original image data; wherein, the malicious sample data is image data that makes the output result of the artificial intelligence system different from the expected output result.
  • the corresponding malicious sample data is generated by adding interference information to the original image data.
  • the malicious sample data refers to image data that makes the output result of the artificial intelligence system different from the expected output result.
  • the types of malicious sample data include target malicious sample data and non-target malicious sample data. Target malicious sample data refers to attack data that makes the artificial intelligence system output a specified wrong result for specified input data; for example, when the input data is the specified "driving left" traffic sign data, the artificial intelligence system is attacked with the target malicious sample data so that its output is the specified "driving right".
  • non-target malicious sample data refers to attack data that makes the artificial intelligence system output a random result (different from the expected output) when attacked. For example, when the input data is "driving left" traffic sign data, the artificial intelligence system is attacked with non-target malicious sample data so that its output is "driving right", "going straight", "turning around" or the like, which reduces the accuracy of the output results of the artificial intelligence system.
  • the malicious sample data is adjusted, and the artificial intelligence system is attacked based on the adjusted malicious sample data to obtain the corresponding security detection results.
  • the generating malicious sample data according to the original image data includes:
  • the texture information of each original image data in the original image data set is calculated, and gradient interference information is added based on the texture information of each original image data to generate a corresponding malicious sample data set.
  • the attack data of vision-based artificial intelligence systems is generally image data
  • the texture information of image data is an important feature of regular arrangement in visual information; it describes the local intensity variation from one pixel to another within a local area of the image data, reflecting the homogeneity of the image data. Therefore, gradient interference information is added to the texture information of the original image data to generate the corresponding malicious sample data: first, the texture information of each original image data in the original image data set is calculated, and then corresponding gradient interference information is added to each original image data, causing large pixel changes, to obtain the corresponding malicious sample data set.
  • texture information is mainly reflected by the grayscale distribution of pixels and their surrounding spaces, which is essentially a statistical feature related to grayscale changes.
  • methods for calculating texture information include but are not limited to the Local Binary Patterns (LBP) algorithm, the Gray-level Co-occurrence Matrix (GLCM), Local Phase Quantization based on the discrete Fourier transform (LPQ), and the Weber Local Descriptor (WLD) based on Weber's law.
  • the Local Binary Patterns (LBP) algorithm mainly measures the neighborhood attribute value (grayscale or RGB single channel) of the surrounding window by the central pixel value in a specific window, and only records the size relationship to reflect the local texture information.
  • the expression method is the concatenated code obtained by binarizing the size relationship.
  • the local binary mode algorithm has the advantages of simplicity, strong operability, rotation invariance, grayscale invariance, scale invariance, and robustness to illumination changes.
  • FIG. 3 exemplarily provides a schematic diagram of an application scene of a local binary pattern algorithm for extracting local texture information of an image
  • in a window of size 3 × 3, the gray value of the center pixel is 83, and the gray values of the 8 pixels adjacent to the center pixel are each compared with it: if the gray value of an adjacent pixel is greater than that of the center pixel, that adjacent pixel is recorded as 1; otherwise it is recorded as 0.
  • the resulting eight-bit binary number is converted into a decimal number, and that decimal number is used as the local binary pattern value of the center pixel of the window, which can be expressed as:
  • i represents the serial number of the adjacent pixels in the window, excluding the center pixel
  • I_i represents the attribute value of the i-th adjacent pixel
  • I_c represents the attribute value of the center pixel
  • s( ) represents the binarization function
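The 3 × 3 LBP computation described above, as an added example that is not code from the patent. It implements the standard LBP code, sum over i of s(I_i − I_c) · 2^i with s(v) = 1 for v > 0 and 0 otherwise; the clockwise neighbour order starting top-left is a convention chosen here (the page fixes only the comparison rule), and the sample window (centre value 83, as in the page's example) and 5 × 5 test image are constructed. The histogram of LBP codes is the per-image texture descriptor a practitioner would actually feed into the next step, and the second assertion in the test shows the grayscale invariance the page attributes to LBP: adding a constant brightness to the window leaves the code unchanged.

```python
import numpy as np

# Clockwise order of the 8 neighbours starting at the top-left; bit i of the
# code is the comparison result for neighbour i (ordering is a convention
# chosen for this example).
NEIGHBOUR_OFFSETS = [(-1, -1), (-1, 0), (-1, 1), (0, 1),
                     (1, 1), (1, 0), (1, -1), (0, -1)]

# Constructed 3x3 window with the page's centre value 83.
WINDOW = np.array([[90, 70, 80],
                   [100, 83, 60],
                   [50, 120, 85]])

# Constructed 5x5 grayscale image for the histogram.
SAMPLE_IMAGE = np.array([[12, 200, 13, 201, 14],
                         [199, 15, 198, 16, 197],
                         [17, 196, 18, 195, 19],
                         [194, 20, 193, 21, 192],
                         [22, 191, 23, 190, 24]])

def s(v):
    """Binarization function s(): 1 if the neighbour is brighter than the centre, else 0."""
    return 1 if v > 0 else 0

def lbp_code(window):
    """LBP value of the centre pixel of a 3x3 window: sum_i s(I_i - I_c) * 2^i."""
    window = np.asarray(window)
    assert window.shape == (3, 3), "LBP needs a 3x3 window"
    center = int(window[1, 1])                 # I_c
    code = 0
    for i, (dr, dc) in enumerate(NEIGHBOUR_OFFSETS):
        neighbour = int(window[1 + dr, 1 + dc])  # I_i
        code |= s(neighbour - center) << i
    return code

def lbp_image(gray):
    """LBP code for every interior pixel (border pixels have no full 3x3
    window and are left at 0)."""
    gray = np.asarray(gray, dtype=np.int64)
    h, w = gray.shape
    out = np.zeros((h, w), dtype=np.uint8)
    for r in range(1, h - 1):
        for c in range(1, w - 1):
            out[r, c] = lbp_code(gray[r - 1:r + 2, c - 1:c + 2])
    return out

def lbp_histogram(gray):
    """Normalised 256-bin histogram of interior LBP codes: the texture descriptor."""
    codes = lbp_image(gray)[1:-1, 1:-1].ravel()
    hist = np.bincount(codes, minlength=256).astype(float)
    return hist / hist.sum()

if __name__ == "__main__":
    print("LBP code of the sample window:", lbp_code(WINDOW))
    print("LBP map:\n", lbp_image(SAMPLE_IMAGE))
```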
  • the gray level co-occurrence matrix is a method for calculating the occurrence probability of a given pixel in image data for different gray values.
  • FIG. 4 exemplarily shows a schematic diagram of the positional relationship of a given pixel point pair based on a grayscale co-occurrence matrix
  • any pixel point f(x, y) in the image data together with a pixel point at a given offset from it constitutes a pixel point pair. Assuming the gray values of this pixel point pair are expressed as (f_1, f_2) and the maximum gray level of the image data is known to be L, there are L × L possible permutations and combinations of the gray values (f_1, f_2) of a pixel pair.
  • gray level co-occurrence matrix statistical parameters are extracted, which can be used to describe the texture information of the image.
  • the common characteristic parameters of the gray level co-occurrence matrix are shown in Table 1.
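The gray-level co-occurrence matrix and its statistical parameters, as an added example that is not code from the patent (Table 1 is not reproduced on this page; the four parameters below, contrast, energy, homogeneity and entropy, are the standard GLCM features). The offset (dr, dc) is the "given position relationship" of the pixel pair from FIG. 4; the matrix is symmetrised and normalised so each entry is the occurrence probability of a gray-value pair. The checkerboard and stripe images are constructed: the stripes show why the offset direction matters, since the same image has maximal contrast horizontally and zero contrast vertically.

```python
import numpy as np

# Constructed 2-level test images.
CHECKERBOARD = np.array([[0, 1, 0, 1],
                         [1, 0, 1, 0],
                         [0, 1, 0, 1],
                         [1, 0, 1, 0]])
VERTICAL_STRIPES = np.array([[0, 1, 0, 1]] * 4)

def glcm(gray, offset=(0, 1), levels=None, symmetric=True):
    """Gray-level co-occurrence matrix P[a, b]: relative frequency with which a
    pixel of gray level a has a pixel of level b at (row + dr, col + dc).
    Returned matrix is L x L and sums to 1."""
    gray = np.asarray(gray, dtype=np.int64)
    if levels is None:
        levels = int(gray.max()) + 1          # L: maximum gray level + 1
    dr, dc = offset
    h, w = gray.shape
    counts = np.zeros((levels, levels), dtype=float)
    for r in range(h):
        for c in range(w):
            r2, c2 = r + dr, c + dc
            if 0 <= r2 < h and 0 <= c2 < w:
                counts[gray[r, c], gray[r2, c2]] += 1
    if symmetric:                              # count each pair in both orders
        counts = counts + counts.T
    total = counts.sum()
    if total == 0:
        raise ValueError("offset larger than the image: no pixel pairs")
    return counts / total

def glcm_features(p):
    """Common statistical parameters of a normalised GLCM."""
    levels = p.shape[0]
    i, j = np.indices((levels, levels))
    contrast = float(np.sum((i - j) ** 2 * p))          # local intensity variation
    energy = float(np.sum(p ** 2))                      # angular second moment
    homogeneity = float(np.sum(p / (1.0 + (i - j) ** 2)))
    nonzero = p[p > 0]
    entropy = float(-np.sum(nonzero * np.log2(nonzero)))
    return {"contrast": contrast, "energy": energy,
            "homogeneity": homogeneity, "entropy": entropy}

def texture_features(gray, offsets=((0, 1), (1, 0))):
    """Feature vector over several offsets, the form used for a texture descriptor."""
    feats = {}
    for off in offsets:
        for name, value in glcm_features(glcm(gray, off)).items():
            feats[f"{name}@{off}"] = value
    return feats

if __name__ == "__main__":
    for name, img in [("checkerboard", CHECKERBOARD), ("stripes", VERTICAL_STRIPES)]:
        print(name, texture_features(img))
```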
  • the process of adding gradient interference information can be expressed as:
  • x represents the input data of the artificial intelligence system
  • y represents the output data of the artificial intelligence system
  • x' represents the input data after adding gradient interference information
  • represents the model parameters of the artificial intelligence system
  • J represents the defined loss function of the artificial intelligence system model
  • represents the gradient operation
  • represents the gradient interference step size
  • sign represents the sign function.
  • the weights and offsets of the neuron nodes are mainly updated along the gradient direction, so that the network model of the artificial intelligence system converges in the direction of reducing the loss value:
  • W ij represents the weight of the neuron node in the artificial intelligence system network model
  • b i represents the offset of the neuron node in the artificial intelligence system network model
  • represents the learning rate
  • the corresponding malicious sample data set is generated by adding gradient interference information based on the image texture of the original image data, and the malicious sample data set is input into the artificial intelligence system network model for processing; the input link increases the loss value in the training process of the network model, thereby reducing the ability of the network model to identify correctly. It can be understood that when the network model adopts a linear or approximately linear activation function, the error conduction value gradually increases.
  • after image conversion is performed on each of the original image data by the preset data enhancement method to obtain the original image data set, the method further includes:
  • the content of each original image data in the original image data set is identified, and the label of each original image data is determined.
  • the optimized YOLO3 algorithm is used to identify the content in each original image data and determine the corresponding label. For example, taking an autonomous driving system as an example, it is necessary to obtain a large amount of traffic sign data as the original image data, identify the content of the traffic sign data through the optimized YOLO3 algorithm, determine the instruction information contained in each traffic sign data, and add the corresponding Label.
  • the optimized YOLO3 algorithm refers to the algorithm obtained by optimizing the original YOLO3 algorithm by adjusting the residual structure and anchor.
  • adjusting the anchors makes it convenient to adapt the YOLO3 algorithm to the size of the original image data (including size and aspect ratio information).
  • the original image data is clustered by the clustering Kmeans algorithm to realize the fast training process of the YOLO3 algorithm.
  • part of the original sample data that can reflect the performance of the artificial intelligence system network model can be selected from the original image data set as the target data set, and the label of each original image data in the target data set is identified and determined, in order to reduce the amount of data processing and improve the efficiency of artificial intelligence system security detection.
  • FIG. 5 exemplarily provides a schematic diagram of an application scenario for identifying original image data based on the optimized YOLO3 algorithm.
  • the original image data is specifically traffic sign data. Based on the optimized YOLO3 algorithm, the indication information contained in each traffic sign data is identified and determined, and a corresponding label is added; for example, for "No Parking" traffic sign data, the "No Parking" label is added.
  • the type of the original image data can be determined according to the label of the original image data, for example, the type of the original image data with the label of "speed limit 40" is “limited”; the original image with the label of "no overtaking” The category of the data is “prohibition”; the category of the original image data with the label “motor vehicle running” is “instruction”; the category of the original image data with the label of "construction ahead” is “warning”.
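The anchor adjustment and k-means step, as an added example that is not code from the patent. It uses the technique YOLO's own authors use to derive anchor priors: k-means over ground-truth box dimensions (width, height) with distance 1 − IoU instead of Euclidean distance, so that a large box and a small box of the same shape are not forced into one cluster. The box sizes are constructed, and the deterministic initialisation (boxes evenly spaced through the list sorted by area) is a choice made here so the result is reproducible; the mean IoU between each box and its anchor is the figure to compare when deciding how many anchors a sign data set needs.

```python
import numpy as np

# Constructed sample of ground-truth box sizes (width, height) in pixels:
# ten small, roughly square signs and ten large, wide signs.
BOXES = np.array([(30 + i, 31 - i % 3) for i in range(10)] +
                 [(120 + 2 * i, 60 + i % 4) for i in range(10)], dtype=float)

def iou_same_center(a, b):
    """IoU of two (w, h) boxes placed on a common centre: shape similarity only."""
    inter = min(a[0], b[0]) * min(a[1], b[1])
    return inter / (a[0] * a[1] + b[0] * b[1] - inter)

def kmeans_anchors(boxes, k, iters=100):
    """k-means on (w, h) pairs with distance 1 - IoU.
    Returns (anchors sorted by area, mean IoU of boxes to their anchor)."""
    boxes = np.asarray(boxes, dtype=float)
    # Deterministic initialisation: k boxes spread evenly through the
    # area-sorted list (a choice for this example, not a YOLO requirement).
    order = np.argsort(boxes[:, 0] * boxes[:, 1])
    picks = np.linspace(0, len(boxes) - 1, k).astype(int)
    anchors = boxes[order[picks]].copy()
    assign = np.full(len(boxes), -1)
    for _ in range(iters):
        dist = np.array([[1.0 - iou_same_center(bx, an) for an in anchors]
                         for bx in boxes])
        new_assign = dist.argmin(axis=1)
        if np.array_equal(new_assign, assign):
            break                                  # converged
        assign = new_assign
        for j in range(k):                         # move each anchor to its cluster mean
            members = boxes[assign == j]
            if len(members):
                anchors[j] = members.mean(axis=0)
    mean_iou = float(np.mean([iou_same_center(bx, anchors[j])
                              for bx, j in zip(boxes, assign)]))
    final_order = np.argsort(anchors[:, 0] * anchors[:, 1])
    return anchors[final_order], mean_iou

if __name__ == "__main__":
    for k in (1, 2, 3):
        anchors, miou = kmeans_anchors(BOXES, k)
        print(k, np.round(anchors, 1), round(miou, 3))
```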
  • the adding gradient interference information to the original image data to generate corresponding malicious sample data includes:
  • the corresponding gradient interference information is added to the texture information of each original image data in each category of image datasets by the method of generating similar adversarial samples, and multiple categories of malicious sample datasets are obtained.
  • the original image data set is clustered to obtain multiple original image data of different categories, and the original image data of the same category is processed in parallel.
  • the adversarial sample generation method adds gradient interference information to the original image data of the same category, and obtains the corresponding malicious sample data of the same category.
  • a large amount of traffic sign data is obtained as the original image data set; the label of each traffic sign data in the original image data set is determined; and the original image data set is clustered according to the label of each traffic sign data to obtain image data sets of multiple categories, including but not limited to "ban", "warning", "instruction" and "restriction".
  • the method of generating similar adversarial samples refers to processing image data sets of the same category in parallel, where the malicious sample data generated from the previous original image data in the same-category image data set is used as the starting value for generating the malicious sample data of the next original image data. That is, based on the similarity of all the original image data in the same-category image data set, and on the parallel processing of the similar adversarial sample generation method, the malicious sample data of the same category is generated with a reduced number of iterations.
  • the original image data in the same category of image data sets are processed in parallel to generate the corresponding malicious sample data sets, which can reduce the number and time of data reading and improve the generation speed of malicious sample data.
  • FIG. 6 exemplarily shows a schematic diagram of an application scenario of generating malicious sample data based on a similar adversarial sample generation method.
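The gradient interference step (x′ = x + ε · sign(∇ₓ J(θ, x, y)), the FGSM the page names) and the similar-sample warm start described above, as one added example that is not code from the patent. To stay self-contained it trains a logistic-regression classifier by plain gradient descent (W ← W − η ∂J/∂W, the weight update described above) on constructed 4-pixel "images" with the page's hypothetical "driving left" / "driving right" labels, then measures the robustness of that model: a single FGSM step raises the loss, and an iterative variant stops as soon as the prediction changes. `generate_similar` carries the perturbation found for one image over as the starting value for the next image of the same category and reports the total iterations with and without that warm start. Caveat: with a linear model the input gradient has the same sign everywhere, so the warm start is maximally favourable here; on a deep network the saving depends on how similar the images really are.

```python
import numpy as np

def make_dataset(n_per_class=40, noise=0.05, seed=0):
    """Constructed data: each image is 4 pixel intensities in [0, 1]. Class 1
    ("driving left", hypothetical) is bright in pixels 0-1, class 0
    ("driving right") in pixels 2-3."""
    rng = np.random.default_rng(seed)
    left = np.array([0.8, 0.8, 0.2, 0.2]) + noise * rng.standard_normal((n_per_class, 4))
    right = np.array([0.2, 0.2, 0.8, 0.8]) + noise * rng.standard_normal((n_per_class, 4))
    X = np.clip(np.vstack([left, right]), 0.0, 1.0)
    Y = np.array([1.0] * n_per_class + [0.0] * n_per_class)
    return X, Y

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def loss(w, b, x, y):
    """Cross-entropy J(theta, x, y) for one sample, theta = (w, b)."""
    p = np.clip(sigmoid(x @ w + b), 1e-12, 1 - 1e-12)
    return float(-(y * np.log(p) + (1 - y) * np.log(1 - p)))

def predict(w, b, x):
    return int(sigmoid(x @ w + b) >= 0.5)

def train(X, Y, lr=0.5, steps=500):
    """Gradient descent: weights and bias move against the loss gradient."""
    w = np.zeros(X.shape[1])
    b = 0.0
    for _ in range(steps):
        p = sigmoid(X @ w + b)
        w -= lr * (X.T @ (p - Y)) / len(Y)     # W <- W - eta * dJ/dW
        b -= lr * float(np.mean(p - Y))        # b <- b - eta * dJ/db
    return w, b

def input_gradient(w, b, x, y):
    """dJ/dx of the logistic model: (p - y) * w."""
    return (sigmoid(x @ w + b) - y) * w

def fgsm(w, b, x, y, eps):
    """One gradient-interference step: x' = clip(x + eps * sign(grad_x J))."""
    return np.clip(x + eps * np.sign(input_gradient(w, b, x, y)), 0.0, 1.0)

def iterative_fgsm(w, b, x, y, eps, step, max_iter, delta0=None):
    """Small FGSM steps with |delta| <= eps until the prediction changes.
    delta0 is the starting value (perturbation of a similar earlier image)."""
    delta = np.zeros_like(x) if delta0 is None else delta0.copy()
    used = 0
    while used < max_iter and predict(w, b, np.clip(x + delta, 0, 1)) == y:
        g = input_gradient(w, b, np.clip(x + delta, 0, 1), y)
        delta = np.clip(delta + step * np.sign(g), -eps, eps)
        used += 1
    return np.clip(x + delta, 0, 1), delta, used

def generate_similar(w, b, category, y, eps=0.5, step=0.05, max_iter=50, warm_start=True):
    """Malicious samples for one category of similar images.
    Returns (samples, total iterations, whether every sample fooled the model)."""
    samples, total, delta = [], 0, None
    for x in category:
        x_adv, delta_new, used = iterative_fgsm(w, b, x, y, eps, step, max_iter, delta)
        samples.append(x_adv)
        total += used
        if warm_start:
            delta = delta_new                  # previous result seeds the next image
    fooled = all(predict(w, b, s) != y for s in samples)
    return samples, total, fooled

def run_demo():
    X, Y = make_dataset()
    w, b = train(X, Y)
    clean_acc = float(np.mean([predict(w, b, x) == y for x, y in zip(X, Y)]))
    x0, y0 = X[0], Y[0]
    x_adv = fgsm(w, b, x0, y0, eps=0.1)
    category = X[Y == 1][:5]                   # five similar "driving left" images
    _, cold, cold_ok = generate_similar(w, b, category, 1.0, warm_start=False)
    _, warm, warm_ok = generate_similar(w, b, category, 1.0, warm_start=True)
    return {"clean_accuracy": clean_acc,
            "loss_clean": loss(w, b, x0, y0), "loss_adv": loss(w, b, x_adv, y0),
            "cold_iterations": cold, "warm_iterations": warm,
            "cold_ok": cold_ok, "warm_ok": warm_ok}

if __name__ == "__main__":
    print(run_demo())
```

The ratio of `warm_iterations` to `cold_iterations` is the quantity the page's "reduced number of iterations" claim refers to; the `*_ok` flags confirm that the shortcut did not trade away attack success, which is what makes the resulting data set a valid test set.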
  • the types of malicious sample data include target malicious sample data and non-target malicious sample data.
  • performing a security test on the artificial intelligence system according to the malicious sample data to obtain a security detection result of the artificial intelligence system including:
  • the security requirement level and input data authority of the artificial intelligence system determine the ratio of target malicious sample data and non-target malicious sample data and the corresponding preset algorithm, perform a security test on the artificial intelligence system, and obtain the first test result;
  • the artificial intelligence system is subjected to a corresponding preset duration security test through the malicious sample data, and a second test result is obtained;
  • the safety detection score of the artificial intelligence system is determined according to the first test result and the second test result.
  • the types of malicious sample data include but are not limited to target malicious sample data and non-target malicious sample data.
  • the security requirements of artificial intelligence systems in different application fields differ (for example, the security requirement level and security performance level of a customs face recognition system are higher than those of a face recognition system in a shopping mall or residential area, and different input data in the customs face recognition system also have different levels of authority); therefore, the security attack intensity and attack duration for artificial intelligence systems in different application fields also differ.
  • security requirements are set for different artificial intelligence systems and the corresponding security testing methods are selected, including: based on the security requirement characteristics of artificial intelligence systems with different defense levels, when the security requirement level and/or input data authority of the artificial intelligence system is detected, the ratio of target to non-target malicious sample data and the corresponding preset attack algorithm are determined, and a security test is performed on the artificial intelligence system to obtain the corresponding first test result.
  • the first test result refers to the accuracy rate of the output results of the artificial intelligence system after it is subjected to a security attack, through the preset algorithm determined above, with the target and non-target malicious sample data mixed in the adjusted proportion.
  • the preset algorithms include the Fast Gradient Sign Method (FGSM), the Iterative Fast Gradient Sign Method (IFGSM) and the C&W attack algorithms.
  • the FGSM algorithm refers to accurately modifying the input data by calculating the gradient of the model output to the input to achieve the purpose of attack.
  • IFGSM is an improved algorithm based on the FGSM algorithm. It can generate more accurate malicious sample data than the FGSM algorithm.
  • the attack success rate is higher than that of the FGSM algorithm, and the attack cost increases accordingly.
  • the C&W algorithm can effectively break through a variety of malicious sample defense methods, and is currently recognized as one of the strongest attack methods.
  • when it is detected that the security performance level of the artificial intelligence system is high, a security test of a first preset duration is performed on the artificial intelligence system through the malicious sample data set to obtain a corresponding second test result; when it is detected that the security performance level of the artificial intelligence system is low, a security test of a second preset duration is performed on the artificial intelligence system through the malicious sample data set to obtain the corresponding second test result.
  • the first preset duration is longer than the second preset duration.
  • the second test result refers to the accuracy rate of the output result of the artificial intelligence system after performing a security attack on the artificial intelligence system with a preset duration based on the target malicious sample data and non-target malicious sample data adjusted by the ratio.
  • the safety detection score of the artificial intelligence system is calculated and determined according to the first test result and the second test result.
  • the calculation method and value range of the security detection score can be specifically set according to the actual situation;
  • safety detection score = first test result × A + second test result × B, where A and B are the weights of the first test result and the second test result respectively, which can be set according to the actual situation; the value range of the corresponding safety detection score is [0, 100].
  • security detection score = first test result + second test result, and the value range of the corresponding security detection score is [0, 1].
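The two-stage test and weighted score described above, as an added example that is not code from the patent. The trial outcomes are constructed (labels taken from the page's traffic-sign examples); the weights A = 60, B = 40 are an example choice, and the check that A + B = 100 is the condition under which two results in [0, 1] give a score in [0, 100]. Beyond the page's accuracy-based test result, the block also reports the target and non-target attack success rates and the actual target:non-target mix of the batch, since a tester needs those to confirm that the batch matches the ratio chosen from the security requirement level and to see which kind of attack the system resisted.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Trial:
    """One malicious sample presented to the system under test."""
    expected: str           # correct label of the original image
    observed: str           # label the system actually produced under attack
    target: Optional[str]   # specified wrong label for target malicious data; None for non-target

# Constructed outcomes of the first test (ratio-adjusted mix of target and
# non-target malicious samples) and of the second, preset-duration test.
FIRST_TEST: List[Trial] = [
    Trial("driving left", "driving right", "driving right"),    # target attack succeeded
    Trial("driving left", "driving left", "driving right"),     # resisted
    Trial("driving left", "turning around", "driving right"),   # wrong, but not the target
    Trial("no overtaking", "no overtaking", "speed limit 40"),  # resisted
    Trial("speed limit 40", "going straight", None),            # non-target attack succeeded
    Trial("speed limit 40", "speed limit 40", None),            # resisted
    Trial("construction ahead", "construction ahead", None),    # resisted
    Trial("construction ahead", "driving right", None),         # non-target attack succeeded
]
SECOND_TEST: List[Trial] = [
    Trial("driving left", "driving left", None),
    Trial("no overtaking", "no overtaking", None),
    Trial("speed limit 40", "speed limit 40", None),
    Trial("construction ahead", "going straight", None),
]

def accuracy_under_attack(trials: List[Trial]) -> float:
    """Test result as the page defines it: accuracy rate of the output under attack."""
    return sum(t.observed == t.expected for t in trials) / len(trials)

def attack_success_rates(trials: List[Trial]):
    """A target attack counts only when the specified wrong label appears;
    a non-target attack counts on any wrong label."""
    targeted = [t for t in trials if t.target is not None]
    untargeted = [t for t in trials if t.target is None]
    t_rate = sum(t.observed == t.target for t in targeted) / len(targeted) if targeted else 0.0
    u_rate = sum(t.observed != t.expected for t in untargeted) / len(untargeted) if untargeted else 0.0
    return t_rate, u_rate

def target_fraction(trials: List[Trial]) -> float:
    """Actual share of target malicious samples in the batch, to compare with
    the ratio chosen from the security requirement level and input data authority."""
    return sum(t.target is not None for t in trials) / len(trials)

def security_score(first_result: float, second_result: float,
                   weight_a: float, weight_b: float) -> float:
    """Weighted score = first * A + second * B. With both results in [0, 1] the
    score spans [0, 100] exactly when A + B = 100, so that is enforced."""
    if weight_a < 0 or weight_b < 0 or weight_a + weight_b != 100:
        raise ValueError("weights must be non-negative and sum to 100 for a [0, 100] score")
    return first_result * weight_a + second_result * weight_b

def run_evaluation(weight_a: float = 60, weight_b: float = 40) -> dict:
    first = accuracy_under_attack(FIRST_TEST)
    second = accuracy_under_attack(SECOND_TEST)
    t_rate, u_rate = attack_success_rates(FIRST_TEST)
    return {"first_test_result": first, "second_test_result": second,
            "target_success": t_rate, "non_target_success": u_rate,
            "target_fraction": target_fraction(FIRST_TEST),
            "score": security_score(first, second, weight_a, weight_b)}

if __name__ == "__main__":
    for key, value in run_evaluation().items():
        print(f"{key}: {value}")
```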
  • a large amount of original image data is acquired, a large amount of corresponding malicious sample data is generated from it, and a safety performance test is performed on the artificial intelligence system based on that malicious sample data, so as to simulate security attacks on the artificial intelligence system in a real environment, realize a comprehensive and realistic security performance test of the artificial intelligence system, improve the accuracy of its security detection results, and reduce its security risks.
  • FIG. 7 shows a structural block diagram of the security detection device of the artificial intelligence system provided by the embodiment of the present application; for ease of description, only the parts related to the embodiments of this application are shown.
  • the present application also provides another preferred embodiment of the security detection device of the artificial intelligence system.
  • the security detection device of the artificial intelligence system includes a processor, wherein the processor is used for executing the program stored in the memory, the program including:
  • a generation module configured to generate malicious sample data according to the original image data; wherein, the malicious sample data is image data that makes the output result of the artificial intelligence system different from the expected output result;
  • a test module configured to perform a security test on the artificial intelligence system according to the malicious sample data, and obtain a security detection result of the artificial intelligence system.
  • the security detection device 100 of the artificial intelligence system includes:
  • an acquisition module 101 configured to acquire a plurality of original image data
  • a generating module 102 configured to generate malicious sample data according to the original image data; wherein, the malicious sample data is image data that makes the output result of the artificial intelligence system different from the expected output result;
  • the testing module 103 is configured to perform a security test on the artificial intelligence system according to the malicious sample data, and obtain a security detection result of the artificial intelligence system.
  • the security detection device of the artificial intelligence system further includes:
  • a data processing module 201 is configured to perform image conversion on each of the original image data through a preset data enhancement method to obtain an original image data set; wherein the preset data enhancement method includes at least one of symmetry processing, rotation processing and scaling processing.
  • the apparatus further includes:
  • the identification module 202 is configured to identify the content of each original image data in the original image data set, and determine the label of each original image data.
  • the generating module 102 includes:
  • a computing unit configured to calculate the texture information of each original image data in the original image data set;
  • a generating unit configured to add gradient interference information based on the texture information of each original image data to generate a corresponding malicious sample data set.
  • the generating unit includes:
  • a clustering processing subunit configured to perform clustering processing according to the label of each original image data in the original image data set to obtain image data sets of multiple categories;
  • a generating subunit configured to add corresponding gradient interference information to the texture information of each original image data in each category of image data set by means of a similar adversarial sample generation method, to obtain malicious sample data sets of multiple categories.
  • the types of malicious sample data include target malicious sample data and non-target malicious sample data.
  • the testing module 103 includes:
  • a first test unit configured to determine the ratio of target malicious sample data to non-target malicious sample data and the corresponding preset algorithm according to the security requirement level and input data authority of the artificial intelligence system, and to perform a security test on the artificial intelligence system to obtain a first test result;
  • a second test unit configured to perform a security test of a corresponding preset duration on the artificial intelligence system through the malicious sample data according to the security performance level of the artificial intelligence system, to obtain a second test result;
  • a determination unit configured to determine the security detection score of the artificial intelligence system according to the first test result and the second test result.
  • FIG. 8 exemplarily provides a schematic structural diagram of another security detection device 100 based on an artificial intelligence system.
  • the security detection device 100 based on an artificial intelligence system is set to further include a basic hardware layer 104 and a machine learning framework module 105; wherein the basic hardware layer includes, but is not limited to, training/deployment platforms of the artificial intelligence system such as CPU, GPU and FPGA, which provide the hardware base support for the layers above it.
  • the machine learning framework module includes, but is not limited to, open-source machine learning frameworks such as PyTorch, TensorFlow and MXNet, and is used to support neural network models of the artificial intelligence system trained under different frameworks.
  • a large amount of original image data is acquired, a large amount of corresponding malicious sample data is generated based on the original image data, and a security performance test is performed on the artificial intelligence system based on the large amount of malicious sample data, so as to simulate security attacks on the artificial intelligence system in a real environment, realize a comprehensive and realistic security performance test of the artificial intelligence system, improve the accuracy of the security detection results, and reduce the security risks of the artificial intelligence system.
  • FIG. 9 is a schematic structural diagram of a terminal device provided by an embodiment of the present application.
  • the terminal device 9 in this embodiment includes: at least one processor 90 (only one is shown in FIG. 9), a memory 91, and a computer program 92 stored in the memory 91 and runnable on the at least one processor 90; when the processor 90 executes the computer program 92, the steps in any of the foregoing embodiments of the security detection method for the artificial intelligence system are implemented.
  • the terminal device 9 may be a computing device such as a desktop computer, a notebook, a palmtop computer, and a cloud server.
  • the terminal device may include, but is not limited to, a processor 90 and a memory 91 .
  • FIG. 9 is only an example of the terminal device 9 and does not constitute a limitation on it; the terminal device may include more or fewer components than shown, combine some components, or use different components, and may for example also include input and output devices, network access devices, and the like.
  • the so-called processor 90 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • a general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the memory 91 may in some embodiments be an internal storage unit of the terminal device 9, such as a hard disk or memory of the terminal device 9. In other embodiments, the memory 91 may also be an external storage device of the terminal device 9, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, etc. equipped on the terminal device 9.
  • the memory 91 may also include both an internal storage unit of the terminal device 9 and an external storage device.
  • the memory 91 is used to store an operating system, an application program, a boot loader (Boot Loader), data, and other programs, such as program codes of the computer program.
  • the memory 91 can also be used to temporarily store data that has been output or will be output.
  • Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the steps in the foregoing method embodiments can be implemented.
  • the embodiments of the present application provide a computer program product; when the computer program product runs on a mobile terminal, the mobile terminal, in executing it, implements the steps in the foregoing method embodiments.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as an independent product, may be stored in a computer-readable storage medium.
  • the present application realizes all or part of the processes in the methods of the above embodiments, which can be completed by instructing the relevant hardware through a computer program, and the computer program can be stored in a computer-readable storage medium.
  • the computer program includes computer program code
  • the computer program code may be in the form of source code, object code, executable file or some intermediate form, and the like.
  • the computer-readable medium may include at least: any entity or device capable of carrying the computer program code to the photographing device/terminal device, a recording medium, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunication signals, and software distribution media, for example a USB flash drive, a removable hard disk, a magnetic disk or an optical disc.
  • computer-readable media may not be electrical carrier signals and telecommunication signals.
  • the disclosed apparatus/network device and method may be implemented in other manners.
  • the apparatus/network device embodiments described above are only illustrative.
  • the division of the modules or units is only a logical functional division; in actual implementation there may be other divisions, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented.
  • the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.

Abstract

Disclosed in the present application are a security test method and apparatus for an artificial intelligence system, and a terminal device. The security test method for an artificial intelligence system comprises: acquiring original image data; generating malicious sample data according to the original image data; and performing a security test on the artificial intelligence system according to the malicious sample data, so as to obtain a security test result of the artificial intelligence system. A security attack against an artificial intelligence system in a real environment is simulated, thereby realizing a comprehensive and real security performance test for the artificial intelligence system, and reducing potential security hazards of the artificial intelligence system.

Description

Security detection method, device and terminal device for an artificial intelligence system

Technical field
The present application relates to the technical field of artificial intelligence, and in particular to a security detection method, device, terminal device and readable storage medium for an artificial intelligence system.
Background art
In recent years, artificial intelligence technology, as a strategic technology leading a new round of technological revolution and industrial transformation, has become the most critical technology in every country and every technological field.
However, because artificial intelligence technology depends strongly on training data and lacks interpretability, when an artificial intelligence system comes under security attack an attacker can destroy the integrity of the training data by adding attack data to it, so that the output of the artificial intelligence system differs from the expected correct output and the accuracy of the system's output is reduced.
Related security detection methods for artificial intelligence systems usually carry out specific security attacks on the artificial intelligence system, but cannot comprehensively and systematically detect and evaluate it, and cannot determine the security of the artificial intelligence system in actual scenarios, so the accuracy of the security performance test results of artificial intelligence technology is unstable and their authenticity is poor.
Summary
The purpose of the embodiments of the present application is to provide a security detection method, device, terminal device and readable storage medium for an artificial intelligence system, including but not limited to solving the problems that related security detection methods for artificial intelligence systems cannot comprehensively and systematically detect and evaluate an artificial intelligence system, and that the accuracy of the security performance test results of artificial intelligence technology is unstable and their authenticity is poor.
The technical solution adopted in the embodiments of the present application is as follows:
In a first aspect, a security detection method for an artificial intelligence system is provided, including:
acquiring a plurality of original image data;
generating malicious sample data according to the original image data, wherein the malicious sample data is image data that makes the output result of the artificial intelligence system different from the expected output result;
performing a security test on the artificial intelligence system according to the malicious sample data, and obtaining a security detection result of the artificial intelligence system.
In a second aspect, a security detection device for an artificial intelligence system is provided, including:
an acquisition module configured to acquire a plurality of original image data;
a generation module configured to generate malicious sample data according to the original image data, wherein the malicious sample data is image data that makes the output result of the artificial intelligence system different from the expected output result;
a test module configured to perform a security test on the artificial intelligence system according to the malicious sample data, and obtain a security detection result of the artificial intelligence system.
In a third aspect, a terminal device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the security detection method for an artificial intelligence system according to any one of the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, which stores a computer program; when the computer program is executed by a processor, the security detection method for an artificial intelligence system according to any one of the first aspect is implemented.
In a fifth aspect, a computer program product is provided which, when run on a terminal device, causes the terminal device to execute the security detection method for an artificial intelligence system according to any one of the first aspect.
The beneficial effect of the security detection method for an artificial intelligence system provided by the embodiments of the present application is that a large amount of original image data is acquired, a large amount of corresponding malicious sample data is generated based on the original image data, and a security performance test is performed on the artificial intelligence system based on the large amount of malicious sample data, so as to simulate security attacks on the artificial intelligence system in a real environment. This realizes a comprehensive and realistic security performance test of the artificial intelligence system, improves the accuracy of its security detection results, and reduces its security risks.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments or exemplary technologies are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application; for those of ordinary skill in the art, other drawings can also be obtained from these drawings without creative effort.
FIG. 1 is a schematic flowchart of a security detection method for an artificial intelligence system provided by an embodiment of the present application;
FIG. 2 is a schematic structural diagram of a high-speed high-definition image acquisition system provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of an application scenario in which a local binary pattern algorithm extracts local texture information of an image, provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of the positional relationship of a given pixel pair based on a grey-level co-occurrence matrix, provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of an application scenario in which original image data is identified based on the optimized YOLO3 algorithm, provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of an application scenario in which malicious sample data is generated based on a similar adversarial sample generation method, provided by an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a security detection device for an artificial intelligence system provided by an embodiment of the present application;
FIG. 8 is another schematic structural diagram of a security detection device for an artificial intelligence system provided by an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a terminal device provided by an embodiment of the present application.
Detailed description
In order to make the purpose, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention and are not intended to limit the present application.
It should be noted that when a component is said to be "fixed to" or "disposed on" another component, it may be directly or indirectly on that other component. When a component is said to be "connected to" another component, it may be directly or indirectly connected to it. The orientation or positional relationships indicated by terms such as "upper", "lower", "left" and "right" are based on those shown in the drawings and serve only for convenience of description; they do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, and so cannot be construed as limiting the present application. Those of ordinary skill in the art can understand the specific meanings of the above terms according to the specific situation. The terms "first" and "second" are used only for ease of description and should not be understood as indicating or implying relative importance or implicitly indicating the number of technical features. "Plurality" means two or more, unless expressly and specifically limited otherwise.
In order to explain the technical solutions provided by the present application, a detailed description is given below in conjunction with the specific drawings and embodiments.
An artificial intelligence system refers to a neural network model that has all the functions of a general-purpose operating system and also includes speech recognition, machine vision, actuator and cognitive behaviour systems; for example, an autonomous driving network model applied in the field of autonomous driving, or an autonomous control network model applied to autonomous weapons in the military field. Malicious sample data refers to image data that makes the output of the artificial intelligence system different from the expected output. For example, when the autonomous driving network model is attacked with malicious sample data, it outputs results such as "drive right" or "make a U-turn" when the input is "drive left" traffic sign data, which differs from the expected correct output "drive left".
The security detection method for an artificial intelligence system provided by the embodiments of the present application can be applied to terminal devices such as a mobile phone, a tablet computer, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook and a personal digital assistant (PDA); the embodiments of the present application do not impose any restriction on the specific type of terminal device.
In recent years, although artificial intelligence technology has gradually become a core and key technology in the field of science and technology, it still carries certain security risks. Related security detection methods for artificial intelligence systems are usually based on specific attack data and test the security of one specific vulnerability in the system's algorithm or implementation; they cannot explain the mechanism of the security attack at a theoretical level, cannot comprehensively and systematically conduct security detection and evaluation of the artificial intelligence system, and cannot determine the security of the artificial intelligence system in actual scenarios, which to some extent leads to unstable accuracy and poor authenticity of the security performance test results of artificial intelligence technology. The security detection method for an artificial intelligence system proposed in this application acquires a large amount of original image data, adds corresponding gradient interference information based on the texture information of each original image data to generate a corresponding malicious sample data set, and uses the malicious sample data set to perform a security test on the artificial intelligence system to obtain a security test result, thereby realizing a comprehensive and realistic security performance test of the artificial intelligence system, improving the accuracy of its security detection results and reducing its security risks.
FIG. 1 shows a schematic flowchart of the security detection method for an artificial intelligence system provided by the present application. As an example and not a limitation, the method can be applied to the above-mentioned notebook computer.
S101. Acquire a plurality of original image data.
In specific applications, artificial intelligence systems are often subject to security attacks; the attack data makes the system's output differ from the expected correct output, lowering the accuracy of the system's output and creating security risks. To detect the security performance of an artificial intelligence system accurately, it is arranged that a large amount of original image data is first acquired in a real environment through a preset acquisition device, corresponding malicious sample data is generated based on the texture information of the original image data, and the malicious sample data is used to attack the artificial intelligence system so as to test its security. Here, the original image data refers to image data acquired by the preset acquisition device in a real environment, or to the data set used to train the artificial intelligence system. The artificial intelligence system specifically refers to a vision-based artificial intelligence system, for example an autonomous driving neural network model applied in the field of autonomous driving, or a face recognition system.
It can be understood that the richer the types of original image data, the more levels and the richer the security tests that can be performed on the artificial intelligence system. Taking the autonomous driving network model as an example, existing traffic sign data sets include CTSDB, CCTSDB, Tsinghua-Tencent 100K Tutorial and Baidu ApolloScape, but these traffic sign data sets often suffer from incomplete data. For this reason, it is arranged that a large amount of traffic sign data is collected in a targeted manner in a real environment through a specific preset acquisition device. Preset acquisition devices include, but are not limited to, high-definition cameras.
In one embodiment, after acquiring the original image data, the method further includes:
performing image conversion on each of the original image data by a preset data enhancement method to obtain an original image data set, wherein the preset data enhancement method includes at least one of symmetry processing, rotation processing and scaling processing.
In a specific application, after a large amount of original image data has been acquired, in order to expand the original image data set and at the same time simulate the diversity of original image data in a real environment, image conversion is performed on each original image data by a preset data enhancement method to obtain the corresponding original image data set; the preset data enhancement method includes, but is not limited to, at least one of symmetry processing, rotation processing and scaling processing.
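The three preset data enhancement operations named above, carried through on a small constructed grayscale image. This is an added example, not code from the patent or its applicant: images are plain Python lists of 0-255 integers rather than camera frames, the 3x4 sample is constructed, and the function names (`flip_horizontal`, `flip_vertical`, `rotate_90`, `scale_nearest`, `augment`) are the example's own.

```python
"""Preset data enhancement (symmetry, rotation, scaling) on a small grayscale image.

Added example, not code from the patent or its applicant. Images are plain
lists of rows of 0-255 integers and the 3x4 SAMPLE is constructed, so the
block runs without any imaging library; a real pipeline would apply the same
three transforms to every captured camera frame.
"""
from typing import List

Image = List[List[int]]


def flip_horizontal(img: Image) -> Image:
    """Symmetry processing: mirror every row left-to-right."""
    return [row[::-1] for row in img]


def flip_vertical(img: Image) -> Image:
    """Symmetry processing: mirror the image top-to-bottom."""
    return [row[:] for row in reversed(img)]


def rotate_90(img: Image) -> Image:
    """Rotation processing: rotate 90 degrees clockwise.

    Reversing the row order and transposing turns each old column (read
    bottom-up) into a new row, which is exactly a clockwise quarter turn.
    """
    return [list(col) for col in zip(*img[::-1])]


def scale_nearest(img: Image, factor: float) -> Image:
    """Scaling processing by nearest-neighbour sampling; factor > 0.

    Output size is the rounded scaled size (at least 1x1); each output pixel
    copies the source pixel at the inverse-mapped coordinate.
    """
    if factor <= 0:
        raise ValueError("scale factor must be positive")
    h, w = len(img), len(img[0])
    new_h, new_w = max(1, round(h * factor)), max(1, round(w * factor))
    out: Image = []
    for y in range(new_h):
        src_y = min(h - 1, int(y / factor))
        out.append([img[src_y][min(w - 1, int(x / factor))] for x in range(new_w)])
    return out


def augment(img: Image) -> List[Image]:
    """Expand one original image into the original image data set of the text:
    the image itself, two mirrors, three rotations and two rescalings."""
    variants = [img, flip_horizontal(img), flip_vertical(img)]
    rotated = img
    for _ in range(3):  # 90, 180 and 270 degrees
        rotated = rotate_90(rotated)
        variants.append(rotated)
    variants.append(scale_nearest(img, 2.0))
    variants.append(scale_nearest(img, 0.5))
    return variants


# Constructed 3x4 grayscale sample (one "original image data").
SAMPLE: Image = [
    [10, 20, 30, 40],
    [50, 60, 70, 80],
    [90, 100, 110, 120],
]

if __name__ == "__main__":
    for variant in augment(SAMPLE):
        print(f"{len(variant)}x{len(variant[0])}: {variant}")
```

Because every variant keeps the label of its source image, `augment` also yields the labelled data the identification step downstream needs; the downscaled variant is the one to watch in practice, since nearest-neighbour sampling drops pixels and can erase small sign details.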
FIG. 2 exemplarily provides a schematic structural diagram of a high-speed high-definition image acquisition system.
In FIG. 2, in a real scene, a high-speed camera and a high-definition capture card are set up to capture image data in real time; the image data is stored in a memory and displayed on a monitor, so that a plurality of original image data are obtained.
S102. Generate malicious sample data according to the original image data, wherein the malicious sample data is image data that makes the output result of the artificial intelligence system different from the expected output result.
In a specific application, the corresponding malicious sample data is generated by adding interference information to the original image data. Malicious sample data refers to image data that makes the output result of the artificial intelligence system different from the expected output result. The types of malicious sample data include target malicious sample data and non-target malicious sample data. Target malicious sample data is attack data that, by attacking the artificial intelligence system, makes the system output a specified wrong result for specified input data; for example, when the input data is the specified "drive left" traffic sign data, the artificial intelligence system is attacked with target malicious sample data so that its output result is the specified "drive right"; or, when the input data is the specified "no entry" traffic sign data, the artificial intelligence system is attacked with target malicious sample data so that its output result is the specified "go straight". Non-target malicious sample data is attack data that, by attacking the artificial intelligence system, makes the system output a random result (different from the expected output result); for example, when the input data is "drive left" traffic sign data, the artificial intelligence system is attacked with non-target malicious sample data so that its output includes "drive right", "go straight" or "make a U-turn", etc., in order to lower the accuracy of the system's output results.
S103. Perform a security test on the artificial intelligence system according to the malicious sample data, and obtain a security detection result of the artificial intelligence system.
In a specific application, the malicious sample data is adjusted according to the different security requirements of the artificial intelligence system, the artificial intelligence system is attacked on the basis of the adjusted malicious sample data, and the corresponding security detection result is obtained.
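How the security test of S103 can be scored against the two kinds of malicious sample data, as an added example that is not code from the patent or its applicant. The nearest-prototype `toy_model`, its three sign classes, the 2-D feature vectors and every targeted and non-targeted sample are constructed stand-ins for a traffic-sign recogniser and its malicious sample data; the `TARGETED_WEIGHT` mapping from security requirement level to the targeted/non-targeted ratio and the `security_score` formula are assumptions, since the text only says that the ratio and the score are derived from those inputs. The preset-duration test is modelled by `second_test`, which re-runs the malicious set until a deadline passes.

```python
"""Scoring the security test of S103 against targeted and non-targeted
malicious samples.

Added example, not code from the patent or its applicant. `toy_model`, its
three sign classes and every sample below are constructed stand-ins for a
traffic-sign recogniser and its malicious sample data. `TARGETED_WEIGHT` (the
targeted/non-targeted ratio per security requirement level) and
`security_score` are assumptions: the text says the ratio and the score are
derived from those inputs but gives no formula.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence, Tuple

Vector = Tuple[float, float]
Model = Callable[[Vector], str]

# Constructed stand-in for the AI system under test: 2-D feature prototypes,
# nearest prototype wins.
PROTOTYPES: Dict[str, Vector] = {
    "left": (0.0, 1.0),
    "right": (1.0, 0.0),
    "straight": (1.0, 1.0),
}


def toy_model(x: Vector) -> str:
    def dist2(label: str) -> float:
        px, py = PROTOTYPES[label]
        return (x[0] - px) ** 2 + (x[1] - py) ** 2
    return min(PROTOTYPES, key=dist2)


@dataclass(frozen=True)
class Sample:
    features: Vector
    expected: str                 # correct label of the underlying original image
    target: Optional[str] = None  # wrong label the attacker wants (targeted samples only)


def targeted_success_rate(model: Model, samples: Sequence[Sample]) -> float:
    """Fraction of targeted samples for which the output is exactly the target label."""
    return sum(1 for s in samples if model(s.features) == s.target) / len(samples)


def misclassification_rate(model: Model, samples: Sequence[Sample]) -> float:
    """Fraction of samples whose output differs from the expected output; this is
    the non-targeted success criterion, and 1 - accuracy on clean samples."""
    return sum(1 for s in samples if model(s.features) != s.expected) / len(samples)


# Assumed share of the first test given to targeted samples per security
# requirement level; a higher level weights the more specific attack more.
TARGETED_WEIGHT: Dict[str, float] = {"low": 0.3, "medium": 0.5, "high": 0.7}


def first_test(model: Model, targeted: Sequence[Sample],
               nontargeted: Sequence[Sample], level: str) -> float:
    """First test result: attack success weighted by the level-dependent ratio."""
    w = TARGETED_WEIGHT[level]
    return w * targeted_success_rate(model, targeted) + (1 - w) * misclassification_rate(model, nontargeted)


def second_test(model: Model, samples: Sequence[Sample],
                duration_s: float, max_passes: int = 10_000) -> float:
    """Second test result: re-run the malicious set until the preset duration
    has elapsed (at least one pass) and keep the worst misclassification rate.
    For a deterministic model every pass is identical; for a stochastic or
    stateful system the worst pass is the figure that matters."""
    deadline = time.monotonic() + duration_s
    worst, passes = 0.0, 0
    while True:
        worst = max(worst, misclassification_rate(model, samples))
        passes += 1
        if passes >= max_passes or time.monotonic() >= deadline:
            return worst


def security_score(first: float, second: float) -> float:
    """Assumed 0-100 score, higher is safer: the mean attack-success rate, inverted."""
    return round(100.0 * (1.0 - (first + second) / 2.0), 1)


# Constructed samples. CLEAN checks the model before attack; TARGETED carries
# the attacker's intended wrong label; NONTARGETED only needs any wrong output.
CLEAN = [Sample((0.1, 0.9), "left"), Sample((0.9, 0.1), "right"), Sample((0.9, 0.9), "straight")]
TARGETED = [
    Sample((0.8, 0.2), "left", target="right"),      # flips to the target
    Sample((0.4, 0.6), "left", target="right"),      # still classified "left"
    Sample((0.6, 0.6), "straight", target="left"),   # still classified "straight"
]
NONTARGETED = [
    Sample((0.6, 0.45), "left"),   # misread as "right"
    Sample((0.2, 0.8), "left"),    # survives as "left"
]

if __name__ == "__main__":
    assert misclassification_rate(toy_model, CLEAN) == 0.0, "model must be correct before attack"
    r1 = first_test(toy_model, TARGETED, NONTARGETED, "medium")
    r2 = second_test(toy_model, NONTARGETED, duration_s=0.5)
    print(f"first test {r1:.3f}, second test {r2:.3f}, score {security_score(r1, r2)}")
```

Checking the clean set first matters: a model that already misreads its unperturbed inputs would inflate the non-targeted rate and make the perturbations look more effective than they are. With the constructed samples the first test gives 5/12 and the second 0.5, for a score of 54.2.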
In one embodiment, generating malicious sample data according to the original image data includes:
computing the texture information of each original image in the original image data set;
adding gradient perturbation information based on the texture information of each original image to generate the corresponding malicious sample data set.
In a specific application, the attack data for vision-based artificial intelligence systems is generally image data. The texture information of an image is an important feature of the regular arrangements present in visual information: it describes the local intensity variation from one pixel to another within a local region of the image and reflects homogeneous structure in the image. Therefore, gradient perturbation information is added on the basis of the texture information of the original image to generate the corresponding malicious sample data: first, the texture information of each original image in the original image data set is computed; then, the corresponding gradient perturbation information is added to each original image so that each one undergoes a large change in pixel values, giving the corresponding malicious sample data set.
In a specific application, texture information is mainly expressed by the grey-level distribution of a pixel and its surrounding spatial neighbourhood; it is essentially a statistical property related to grey-level variation. Methods for computing texture information include, but are not limited to, the Local Binary Patterns (LBP) algorithm, the Gray-level Co-occurrence Matrix (GLCM), Local Phase Quantization (LPQ) based on the discrete Fourier transform, and the Weber Local Descriptor (WLD) based on Weber's law.
The Local Binary Patterns (LBP) algorithm measures the neighbourhood attribute values (grey level or a single RGB channel) in a window against the value of the window's centre pixel, and records only the ordering relation to reflect local texture information; the ordering relations are binarised and concatenated into a code. The algorithm is simple and easy to apply, and is invariant to rotation, grey-level shifts and scale, and robust to illumination changes.
FIG. 3 exemplarily provides a schematic diagram of an application scenario in which the local binary pattern algorithm extracts local texture information from an image.
As shown in FIG. 3, the grey value of the centre pixel of a 3×3 window is 83. The grey values of the 8 pixels adjacent to the centre pixel are compared with the grey value of the centre pixel: if an adjacent pixel's grey value is greater than the centre pixel's grey value, that pixel is recorded as 1, otherwise as 0. This gives an eight-bit binary number, which is converted to decimal; the decimal value is taken as the local binary pattern value of the centre pixel of the window, and can be expressed as:
Figure PCTCN2021089329-appb-000001
where i is the index of a neighbouring pixel in the neighbourhood window other than the centre pixel; I_i is the attribute value of the i-th neighbouring pixel; I_c is the attribute value of the centre pixel; and s() is the binarisation function:
Figure PCTCN2021089329-appb-000002
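The LBP computation described above, written out as an added example (this is not code from the patent or its inventors): the binarisation function s(), the code of the centre pixel of a 3×3 window, and the LBP map and histogram that serve as the texture information of a whole image. The neighbour ordering (clockwise from the top-left pixel, with bit weight 2^i) and all sample pixel values other than the centre value 83 from FIG. 3 are assumptions made for this example.

```python
# Added example (not the patent's own code): LBP of a 3x3 window, LBP map and
# LBP histogram over a grey-level image given as a list of rows.

def s(diff):
    """Binarisation function s(): 1 if the neighbour exceeds the centre, else 0."""
    return 1 if diff > 0 else 0

# (row offset, column offset) of the 8 neighbours; index i = 0..7 is the bit
# position.  Clockwise from the top-left pixel is an assumed ordering.
NEIGHBOURS = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]

def lbp_value(window):
    """LBP = sum_i s(I_i - I_c) * 2**i for the centre pixel of a 3x3 window."""
    i_c = window[1][1]
    return sum(s(window[1 + dr][1 + dc] - i_c) << i
               for i, (dr, dc) in enumerate(NEIGHBOURS))

def lbp_map(img):
    """LBP code of every interior pixel (the border has no full 3x3 window)."""
    h, w = len(img), len(img[0])
    return [[lbp_value([row[c - 1:c + 2] for row in img[r - 1:r + 2]])
             for c in range(1, w - 1)] for r in range(1, h - 1)]

def lbp_histogram(img):
    """Normalised 256-bin histogram of the LBP codes: the image's texture descriptor."""
    codes = [v for row in lbp_map(img) for v in row]
    hist = [0.0] * 256
    for v in codes:
        hist[v] += 1.0 / len(codes)
    return hist

# Constructed window: centre grey value 83 as in FIG. 3, neighbours chosen here.
SAMPLE_WINDOW = [[90, 70, 100],
                 [80, 83, 85],
                 [60, 83, 95]]

# Constructed 4x4 image whose top-left 3x3 block is SAMPLE_WINDOW.
SAMPLE_IMAGE = [[90, 70, 100, 50],
                [80, 83, 85, 40],
                [60, 83, 95, 120],
                [10, 20, 30, 40]]

if __name__ == "__main__":
    # neighbours 90, 100, 85, 95 exceed 83 -> bits 0, 2, 3, 4 -> 0b00011101 = 29
    print(lbp_value(SAMPLE_WINDOW))
    print(lbp_map(SAMPLE_IMAGE))
```

Only the ordering relation is kept, which is why adding a constant to every pixel (a global illumination change) leaves every code unchanged; the histogram, not the per-pixel codes, is what later stages compare.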
In a specific application, the grey-level co-occurrence matrix is a method for computing the probability of occurrence of different grey-value combinations for a given pixel pair in the image.
FIG. 4 exemplarily shows a schematic diagram of the positional relationship of a given pixel pair in a grey-level co-occurrence matrix.
As shown in FIG. 4, once the two factors direction θ and distance δ of a pixel pair in the image are given, any pixel f(x, y) in the image together with the pixel f(x+dx, y+dy) offset from it forms a pixel pair. Let the grey values of this pixel pair be denoted (f1, f2), and let the maximum grey level of the image be L. There are L×L possible combinations of grey values (f1, f2) for a pixel pair. Counting the number of occurrences of each grey-value combination (f1, f2) in the image, arranging the counts in a square matrix and normalising them to the probability P(f1, f2) of each combination gives the grey-level co-occurrence matrix. That is, the grey-level co-occurrence matrix P(f1, f2) characterises the probability that the grey levels f1 and f2 occur at a given pixel pair f(x, y), f(x+dx, y+dy):
P(f1, f2, δ, θ) = {[(x, y), (x+dx, y+dy)] | f(x, y) = f1, f(x+dx, y+dy) = f2}   (3);
Statistical parameters extracted from the grey-level co-occurrence matrix can be used to describe the texture information of the image; the commonly used characteristic parameters of the grey-level co-occurrence matrix are listed in Table 1.
Table 1 Commonly used characteristic parameters of the grey-level co-occurrence matrix
Figure PCTCN2021089329-appb-000003
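The co-occurrence matrix of equation (3), as an added example that is not code from the patent: for a given distance δ and direction θ it counts every pixel pair (f(x, y), f(x+dx, y+dy)), normalises the counts into P(f1, f2), and then extracts a few of the standard GLCM characteristic parameters (contrast, energy, homogeneity, entropy). Table 1 itself is not reproduced on the page, so the choice of parameters here is an assumption; the 4×4 sample image with 4 grey levels is constructed, and the mapping of θ to (dx, dy) assumes image rows increase downwards.

```python
import math

def offset_from_direction(delta, theta_deg):
    """(dx, dy) for distance delta and direction theta.  Rows are assumed to
    grow downwards, so theta = 90 degrees means 'delta rows up'."""
    rad = math.radians(theta_deg)
    return round(delta * math.cos(rad)), -round(delta * math.sin(rad))

def glcm(img, dx, dy, levels):
    """Normalised co-occurrence matrix P(f1, f2) for the pair offset (dx, dy).
    img is a list of rows of integer grey levels in range(levels)."""
    counts = [[0] * levels for _ in range(levels)]
    h, w = len(img), len(img[0])
    total = 0
    for y in range(h):
        for x in range(w):
            x2, y2 = x + dx, y + dy
            if 0 <= x2 < w and 0 <= y2 < h:       # second pixel must lie inside
                counts[img[y][x]][img[y2][x2]] += 1
                total += 1
    return [[c / total for c in row] for row in counts]

def glcm_features(p):
    """Standard texture parameters derived from a normalised GLCM."""
    levels = len(p)
    contrast = energy = homogeneity = entropy = 0.0
    for i in range(levels):
        for j in range(levels):
            v = p[i][j]
            contrast += (i - j) ** 2 * v          # weight of large grey jumps
            energy += v * v                       # angular second moment
            homogeneity += v / (1 + abs(i - j))   # mass near the diagonal
            if v > 0:
                entropy -= v * math.log(v)        # randomness of the pairs
    return {"contrast": contrast, "energy": energy,
            "homogeneity": homogeneity, "entropy": entropy}

# Constructed 4x4 image with grey levels 0..3 (L = 4).
SAMPLE_IMAGE = [[0, 0, 1, 1],
                [0, 0, 1, 1],
                [0, 2, 2, 2],
                [2, 2, 3, 3]]
LEVELS = 4

if __name__ == "__main__":
    dx, dy = offset_from_direction(1, 0)          # delta = 1, theta = 0 degrees
    p = glcm(SAMPLE_IMAGE, dx, dy, LEVELS)
    for row in p:
        print(["%.3f" % v for v in row])
    print(glcm_features(p))
```

With δ = 1 and θ = 0° the sample image yields 12 horizontal pairs; P(2, 2) = 3/12 because the grey level 2 is followed by another 2 three times, and the contrast 7/12 comes entirely from the three pairs whose grey levels differ.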
In a specific application, the process of adding gradient perturbation information can be expressed as:
Figure PCTCN2021089329-appb-000004
where x is the input data of the artificial intelligence system; y is the output data of the artificial intelligence system; x' is the input data after the gradient perturbation information has been added; θ is the model parameters of the artificial intelligence system; J is the defined model loss function of the artificial intelligence system;
Figure PCTCN2021089329-appb-000005
denotes the gradient operation; ε is the gradient perturbation step size; and sign is the sign function.
In the backpropagation of the artificial intelligence system's network model, the weights and biases of the neuron nodes are updated along the gradient direction, so that the network model converges in the direction that reduces the loss value:
Figure PCTCN2021089329-appb-000006
Figure PCTCN2021089329-appb-000007
where W_ij is the weight of a neuron node in the network model of the artificial intelligence system; b_i is the bias of a neuron node in the network model; and α is the learning rate.
By adding gradient perturbation information on the basis of the image texture of the original image data to generate the corresponding malicious sample data set, and feeding that data set into the network model of the artificial intelligence system for processing, the loss value during training of the network model can be increased from the input side without changing the model's parameters, thereby reducing the network model's ability to recognise inputs correctly. It will be understood that when the network model uses a linear or approximately linear activation function, the propagated error value grows progressively.
In one embodiment, after performing image transformation on each original image using the preset data augmentation method to obtain the original image data set, the method includes:
identifying the content of each original image in the original image data set and determining the label of each original image.
In a specific application, the content of each original image is recognised by an optimised YOLO3 algorithm and the corresponding label is determined. For example, for an autonomous driving system, a large amount of traffic sign data is acquired as the original image data; the optimised YOLO3 algorithm recognises the content of the traffic sign data, determines the instruction information contained in each traffic sign image, and adds the corresponding label.
The optimised YOLO3 algorithm is the algorithm obtained by adjusting the residual structure and the anchors of the original YOLO3 algorithm. Adjusting the residual structure improves the efficiency of recognising and labelling the original image data; adjusting the anchors of the YOLO3 algorithm makes it easier to adapt the algorithm to the size of the original image data (including memory size and aspect ratio). The original image data is clustered with the K-means clustering algorithm to achieve fast training of the YOLO3 algorithm.
In one embodiment, a subset of the original sample data that reflects the performance of the network model of the artificial intelligence system may be selected from the original image data set as a target data set, and the label of each original image in the target data set is identified and determined, so as to reduce the amount of data processed and improve the efficiency of the security detection of the artificial intelligence system.
FIG. 5 exemplarily provides a schematic diagram of an application scenario in which original image data is recognised by the optimised YOLO3 algorithm.
In FIG. 5, the original image data is specifically traffic sign data. The instruction information contained in each traffic sign image is identified by the optimised YOLO3 algorithm and the corresponding label is added; for example, the traffic sign data in FIG. 5 whose instruction information is "no parking" is given the label "no parking".
It will be understood that the category of an original image can be determined from its label; for example, an original image labelled "speed limit 40" belongs to the category "restriction"; one labelled "no overtaking" belongs to the category "prohibition"; one labelled "motor vehicles" belongs to the category "instruction"; and one labelled "road works ahead" belongs to the category "warning".
In one embodiment, adding gradient perturbation information to the original image data to generate the corresponding malicious sample data includes:
clustering according to the label of each original image in the original image data set to obtain image data sets of multiple categories;
adding the corresponding gradient perturbation information to the texture information of each original image in each category's image data set by a similar adversarial sample generation method to obtain malicious sample data sets of multiple categories.
In a specific application, the original image data set is clustered according to the label of each original image to obtain original image data of multiple different categories; original images of the same category are processed in parallel, and gradient perturbation information is added to them by the similar adversarial sample generation method to obtain the corresponding malicious sample data of that category.
For example, a large amount of traffic sign data is acquired as the original image data set and the label of each traffic sign image in the set is determined; the set is then clustered according to these labels into image data sets of multiple categories, including but not limited to "prohibition", "warning", "instruction" and "restriction".
The similar adversarial sample generation method processes an image data set of one category in parallel, using the malicious sample data generated from the previous original image in the category as the starting value for the next original image, to generate the corresponding malicious sample data set. That is, it exploits the similarity of all original images within the same category: the category's malicious sample data is generated in parallel by the similar adversarial sample generation method, which reduces the number of iterations.
Processing the original images of one category in parallel with the similar adversarial sample generation method to generate the corresponding malicious sample data set reduces the number and duration of data reads and speeds up the generation of malicious sample data.
FIG. 6 exemplarily shows a schematic diagram of an application scenario in which malicious sample data is generated by the similar adversarial sample generation method.
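An added example, not code from the patent or its inventors, covering two passages above: the gradient perturbation step x' = x + ε·sign(∇x J(θ, x, y)), and the similar adversarial sample generation method in which the perturbation found for one image of a category is the starting value for the next. The "AI system" is a constructed logistic-regression classifier over 4-pixel images so that the gradient can be written by hand; its weights, the three same-category images and the step size are assumptions, and a real test harness would take the gradient from the framework's autograd. The last function gives the defender's reading of the same machinery: the share of inputs still classified correctly after one perturbation step.

```python
import math

# Constructed toy "AI system": logistic regression over 4-pixel images in [0, 1].
# W, B and the three similar same-class images are assumed values.
W = [2.0, -1.0, 1.5, -2.0]
B = 0.0
IMAGES = [[0.9, 0.1, 0.8, 0.2],
          [0.8, 0.2, 0.9, 0.1],
          [0.85, 0.15, 0.75, 0.25]]
LABELS = [1, 1, 1]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def predict_prob(w, b, x):
    """p(y = 1 | x) = sigma(w.x + b)."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)

def predict(w, b, x):
    return 1 if predict_prob(w, b, x) >= 0.5 else 0

def loss(w, b, x, y):
    """Cross-entropy loss J(theta, x, y) for one sample."""
    p = predict_prob(w, b, x)
    return -(y * math.log(p) + (1 - y) * math.log(1 - p))

def grad_x(w, b, x, y):
    """Gradient of J with respect to the input: (p - y) * w for this model."""
    p = predict_prob(w, b, x)
    return [(p - y) * wi for wi in w]

def sign(v):
    return (v > 0) - (v < 0)

def clip01(x):
    return [min(1.0, max(0.0, xi)) for xi in x]

def fgsm(w, b, x, y, eps):
    """One gradient perturbation step: x' = x + eps * sign(grad_x J), kept in range."""
    g = grad_x(w, b, x, y)
    return clip01([xi + eps * sign(gi) for xi, gi in zip(x, g)])

def iterative_attack(w, b, x, y, eps, max_iter=20, delta=None):
    """Repeat the step until the label flips (or max_iter).  delta is the
    starting perturbation (zeros for a cold start).  Returns (x_adv, delta, steps)."""
    delta = list(delta) if delta is not None else [0.0] * len(x)
    x_adv = clip01([xi + di for xi, di in zip(x, delta)])
    steps = 0
    while predict(w, b, x_adv) == y and steps < max_iter:
        x_adv = fgsm(w, b, x_adv, y, eps)
        steps += 1
    delta = [a - xi for a, xi in zip(x_adv, x)]
    return x_adv, delta, steps

def attack_cluster(w, b, images, labels, eps, warm_start):
    """Generate malicious samples for one label cluster.  With warm_start the
    perturbation found for the previous image seeds the next one, the idea of
    the similar adversarial sample generation method.  Returns (samples, steps)."""
    delta, out, total = None, [], 0
    for x, y in zip(images, labels):
        x_adv, d, steps = iterative_attack(w, b, x, y, eps, delta=delta)
        out.append(x_adv)
        total += steps
        if warm_start:
            delta = d
    return out, total

def robust_accuracy(w, b, images, labels, eps):
    """Defender's metric: share of images still correct after one step of size eps."""
    ok = sum(predict(w, b, fgsm(w, b, x, y, eps)) == y
             for x, y in zip(images, labels))
    return ok / len(images)

if __name__ == "__main__":
    print("cold start steps:", attack_cluster(W, B, IMAGES, LABELS, 0.1, False)[1])
    print("warm start steps:", attack_cluster(W, B, IMAGES, LABELS, 0.1, True)[1])
    print("accuracy at eps=0.1:", robust_accuracy(W, B, IMAGES, LABELS, 0.1))
    print("accuracy at eps=0.5:", robust_accuracy(W, B, IMAGES, LABELS, 0.5))
```

Because the toy model is linear, each step moves the logit by a fixed amount, which is the "error grows progressively" remark above in its simplest form: the cold start needs four steps per image, while the warm start flips the second and third images with no further steps, since the perturbation that worked for the first similar image already works for them.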
In one embodiment, the types of malicious sample data include targeted malicious sample data and untargeted malicious sample data.
In one embodiment, performing a security test on the artificial intelligence system according to the malicious sample data to obtain a security detection result includes:
determining, according to the security requirement level and input data authority of the artificial intelligence system, the ratio of targeted to untargeted malicious sample data and the corresponding preset algorithm, and performing a security test on the system to obtain a first test result;
performing, according to the security performance level of the artificial intelligence system, a security test of a corresponding preset duration on the system with the malicious sample data to obtain a second test result;
determining the security detection score of the artificial intelligence system according to the first test result and the second test result.
In a specific application, the types of malicious sample data include but are not limited to targeted malicious sample data and untargeted malicious sample data.
In a specific application, artificial intelligence systems in different application fields have different security requirements (for example, a customs face recognition system has a higher security requirement level and security performance level than a face recognition system in a shopping mall or residential compound, and different input data within the customs system also carry different levels of authority); accordingly, the intensity and duration of the security attacks such systems face also differ. Correspondingly, security test methods are selected to match the security requirements of different artificial intelligence systems, as follows. Based on the fact that artificial intelligence systems have security requirements at different defence levels: when the security requirement level and/or input data authority of the system is detected to be high, the share of targeted malicious sample data in the malicious sample data set is adjusted to exceed the share of untargeted malicious sample data, and a high-intensity attack algorithm is used to test the system, giving the corresponding first test result; when the security requirement level and/or input data authority is detected to be low, the share of targeted malicious sample data is adjusted to be less than or equal to the share of untargeted malicious sample data, and a low-intensity attack algorithm is used to test the system, giving the corresponding first test result. The first test result is the accuracy of the system's output after it has been attacked, using the preset algorithm determined above, with the targeted and untargeted malicious sample data in the adjusted ratio.
In a specific application, the attack algorithms used for security detection of artificial intelligence systems include, but are not limited to, the Fast Gradient Sign Method (FGSM), the Iterative Fast Gradient Sign Method (IFGSM) and the C&W attack algorithm.
The FGSM algorithm computes the gradient of the model output with respect to the input and uses it to modify the input data precisely so as to carry out the attack. IFGSM is an improvement on FGSM; it can generate more precise malicious sample data than FGSM, with a higher attack success rate and correspondingly higher attack cost. The C&W algorithm can effectively defeat a variety of defences against malicious samples and is currently recognised as one of the strongest attack methods.
Table 2 Comparison of attack methods of different strengths
Figure PCTCN2021089329-appb-000008
Figure PCTCN2021089329-appb-000009
In a specific application, based on the fact that artificial intelligence systems have security requirements with different defence durations: when the security performance level of the system is detected to be high, a security test of a first preset duration is performed on the system with the malicious sample data set, giving the corresponding second test result; when the security performance level is detected to be low, a security test of a second preset duration is performed, giving the corresponding second test result. The first preset duration is longer than the second preset duration. The second test result is the accuracy of the system's output after a security attack of the preset duration using the targeted and untargeted malicious sample data in the adjusted ratio.
In a specific application, the security detection score of the artificial intelligence system is calculated from the first test result and the second test result. The calculation method and value range of the security detection score can be set according to the actual situation;
for example, security detection score = first test result × A + second test result × B, where A and B are the weights of the first and second test results respectively and can be set according to the actual situation, and the corresponding value range of the security detection score is [0, 100]. Alternatively, security test score = first test result + second test result, with a corresponding value range of [0, 1].
In this embodiment, the higher the security detection score of the artificial intelligence system, the stronger its security performance.
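The test-planning and scoring rules above, written out as an added example that is not code from the patent: the security requirement level and input data authority decide the targeted share and the attack algorithm, the security performance level decides the duration, and the two accuracies are combined into a score in [0, 100]. The patent only fixes the ordering rules (targeted share above one half for high, at most one half for low; the long duration above the short one), so the level names "high"/"low", the concrete shares 0.7 and 0.5, the algorithm choices, the durations and the weights A = B = 50 are assumptions, as are the sample outcomes, which stand in for results that a real harness would obtain by running the attacks.

```python
# Added example (not the patent's own code).  Level names, shares, algorithm
# choices, durations, weights and the sample outcomes below are assumptions.
HIGH, LOW = "high", "low"

def plan_first_test(requirement_level, input_data_authority):
    """High requirement level and/or high input-data authority -> targeted share
    above one half and a strong algorithm; otherwise at most one half and a
    weaker one (the concrete numbers are assumed)."""
    if HIGH in (requirement_level, input_data_authority):
        return {"targeted_share": 0.7, "algorithm": "C&W"}
    return {"targeted_share": 0.5, "algorithm": "FGSM"}

def plan_second_test(performance_level, long_minutes=60, short_minutes=10):
    """Duration of the second test; the high-level duration must exceed the low one."""
    if long_minutes <= short_minutes:
        raise ValueError("first preset duration must be longer than the second")
    return {"duration_minutes": long_minutes if performance_level == HIGH else short_minutes}

def build_mixed_set(targeted, untargeted, targeted_share, n):
    """Draw n samples with the required share of targeted malicious samples."""
    k = round(n * targeted_share)
    if k > len(targeted) or n - k > len(untargeted):
        raise ValueError("not enough samples in the pools")
    return targeted[:k] + untargeted[:n - k]

def accuracy(results):
    """results: list of (expected_label, observed_output) pairs."""
    return sum(e == o for e, o in results) / len(results)

def security_score(first_result, second_result, a=50.0, b=50.0):
    """score = first * A + second * B; with A + B = 100 and results in [0, 1]
    the score lies in [0, 100], higher meaning a more robust system."""
    return first_result * a + second_result * b

def run_assessment(requirement_level, authority, performance_level,
                   targeted, untargeted, second_run, n=10):
    """Full plan -> first result -> second result -> score for one system."""
    plan1 = plan_first_test(requirement_level, authority)
    first = accuracy(build_mixed_set(targeted, untargeted, plan1["targeted_share"], n))
    plan2 = plan_second_test(performance_level)
    second = accuracy(second_run)   # constructed outcome of the timed run
    return {"plan": {**plan1, **plan2}, "first_result": first,
            "second_result": second, "score": security_score(first, second)}

# Constructed outcomes (expected label, model output) of a targeted pool, an
# untargeted pool and the timed second run.
TARGETED = [(1, 1), (1, 1), (1, 1), (1, 0), (1, 0), (1, 0), (1, 0), (1, 1), (1, 1), (1, 1)]
UNTARGETED = [(0, 0), (0, 0), (0, 0), (0, 0), (0, 0), (0, 1), (0, 1), (0, 0), (0, 1), (0, 0)]
SECOND_RUN = [(1, 1), (1, 0), (1, 1), (1, 1), (1, 0), (0, 0), (0, 1), (0, 0), (0, 0), (0, 1)]

if __name__ == "__main__":
    print(run_assessment(HIGH, LOW, HIGH, TARGETED, UNTARGETED, SECOND_RUN))
    print(run_assessment(LOW, LOW, LOW, TARGETED, UNTARGETED, SECOND_RUN))
```

With these constructed pools the stricter plan (seven targeted samples, C&W, 60 minutes) yields a first result of 0.6 and the lenient plan (five targeted, FGSM, 10 minutes) 0.8, so the same system scores lower under the stricter assessment, which is the intended effect of tying the plan to the requirement level.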
In this embodiment, a large amount of original image data is acquired, a large amount of corresponding malicious sample data is generated from it, and the artificial intelligence system is subjected to a security performance test with that malicious sample data, simulating security attacks on the system in a real environment. This achieves a comprehensive and realistic security performance test of the system, improves the precision of its security detection results and reduces its security risks.
It should be understood that the numbering of the steps in the above embodiments does not imply an order of execution; the order in which the processes are executed should be determined by their function and internal logic, and does not limit the implementation of the embodiments of the present application in any way.
Corresponding to the security detection method for an artificial intelligence system described in the above embodiments, FIG. 7 shows a structural block diagram of the security detection apparatus for an artificial intelligence system provided by an embodiment of the present application; for ease of description, only the parts related to the embodiments of the present application are shown.
The present invention also provides another preferred embodiment of the security detection apparatus for an artificial intelligence system. In this embodiment, the apparatus includes a processor configured to execute the following program modules stored in memory: an acquisition module for acquiring a plurality of original image data;
a generation module for generating malicious sample data according to the original image data, where the malicious sample data is image data that causes the output of the artificial intelligence system to differ from the expected output;
a test module for performing a security test on the artificial intelligence system according to the malicious sample data to obtain a security detection result for the system.
Referring to FIG. 7, the security detection apparatus 100 for an artificial intelligence system includes:
an acquisition module 101 for acquiring a plurality of original image data;
a generation module 102 for generating malicious sample data according to the original image data, where the malicious sample data is image data that causes the output of the artificial intelligence system to differ from the expected output;
a test module 103 for performing a security test on the artificial intelligence system according to the malicious sample data to obtain a security detection result for the system.
In one embodiment, the security detection apparatus for an artificial intelligence system further includes:
a data processing module 201 for performing image transformation on each original image using a preset data augmentation method to obtain an original image data set, where the preset data augmentation method includes at least one of mirroring, rotation and scaling.
In one embodiment, the apparatus further includes:
a recognition module 202 for identifying the content of each original image in the original image data set and determining the label of each original image.
In one embodiment, the generation module 102 includes:
a computing unit for computing the texture information of each original image in the original image data set;
a generating unit for adding gradient perturbation information based on the texture information of each original image to generate the corresponding malicious sample data set.
In one embodiment, the generating unit includes:
a clustering sub-unit for clustering according to the label of each original image in the original image data set to obtain image data sets of multiple categories;
a generating sub-unit for adding the corresponding gradient perturbation information to the texture information of each original image in each category's image data set by the similar adversarial sample generation method to obtain malicious sample data sets of multiple categories.
In one embodiment, the types of malicious sample data include targeted malicious sample data and untargeted malicious sample data.
In one embodiment, the test module 103 includes:
a first test unit for determining, according to the security requirement level and input data authority of the artificial intelligence system, the ratio of targeted to untargeted malicious sample data and the corresponding preset algorithm, and performing a security test on the system to obtain a first test result;
a second test unit for performing, according to the security performance level of the artificial intelligence system, a security test of a corresponding preset duration on the system with the malicious sample data to obtain a second test result;
a determining unit for determining the security detection score of the artificial intelligence system according to the first test result and the second test result.
FIG. 8 exemplarily shows a schematic structural diagram of another security detection device 100 for an artificial intelligence system.
As shown in FIG. 8, the security detection device 100 for an artificial intelligence system is configured to further include a basic hardware layer 104 and a machine learning framework module 105. The basic hardware layer includes, but is not limited to, training/deployment platforms for artificial intelligence systems such as CPUs, GPUs and FPGAs, and provides the hardware foundation for the layers above it. The machine learning framework module includes, but is not limited to, open-source machine learning frameworks such as PyTorch, TensorFlow and MXNet, and supports neural network models of artificial intelligence systems trained under different frameworks.
In this embodiment, a large amount of original image data is acquired, a large amount of corresponding malicious sample data is generated based on the original image data, and a security performance test is performed on the artificial intelligence system based on the large amount of malicious sample data, so as to simulate security attacks on the artificial intelligence system in a real environment. This achieves a comprehensive and realistic security performance test of the artificial intelligence system, improves the accuracy of the security detection results, and reduces the security risks of the artificial intelligence system.
It should be noted that, since the information exchange and execution processes between the above devices/units are based on the same concept as the method embodiments of the present application, their specific functions and technical effects can be found in the method embodiments section and are not repeated here.
FIG. 9 is a schematic structural diagram of a terminal device provided by an embodiment of the present application. As shown in FIG. 9, the terminal device 9 of this embodiment includes: at least one processor 90 (only one is shown in FIG. 9), a memory 91, and a computer program 92 stored in the memory 91 and runnable on the at least one processor 90. When the processor 90 executes the computer program 92, the steps in any of the foregoing embodiments of the security detection method for an artificial intelligence system are implemented.
The terminal device 9 may be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. The terminal device may include, but is not limited to, the processor 90 and the memory 91. Those skilled in the art will understand that FIG. 9 is only an example of the terminal device 9 and does not constitute a limitation on it; it may include more or fewer components than shown, combine certain components, or use different components, and may for example also include input/output devices, network access devices and the like.
The processor 90 may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
In some embodiments the memory 91 may be an internal storage unit of the terminal device 9, such as a hard disk or internal memory of the terminal device 9. In other embodiments the memory 91 may also be an external storage device of the terminal device 9, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a Flash Card fitted to the terminal device 9. The memory 91 may also include both an internal storage unit of the terminal device 9 and an external storage device. The memory 91 is used to store an operating system, application programs, a boot loader (BootLoader), data and other programs, such as the program code of the computer program. The memory 91 may also be used to temporarily store data that has been output or is to be output.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the division into the above functional units and modules is given only as an example. In practical applications the above functions may be assigned to different functional units and modules as needed, that is, the internal structure of the device may be divided into different functional units or modules to complete all or part of the functions described above. The functional units and modules in the embodiments may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit; the integrated units may be implemented in the form of hardware or in the form of software functional units. In addition, the specific names of the functional units and modules are only for convenience of distinguishing them from one another and are not intended to limit the protection scope of the present application. For the specific working processes of the units and modules in the above system, reference may be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.
Embodiments of the present application further provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the foregoing method embodiments.
Embodiments of the present application further provide a computer program product which, when run on a mobile terminal, causes the mobile terminal to implement the steps of the foregoing method embodiments.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the methods of the above embodiments of the present application may be completed by instructing the relevant hardware through a computer program. The computer program may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of each of the above method embodiments. The computer program includes computer program code, which may be in source code form, object code form, an executable file, some intermediate form, or the like. The computer-readable medium may include at least: any entity or device capable of carrying the computer program code to the photographing apparatus/terminal device, a recording medium, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunication signal, and a software distribution medium, for example a USB flash drive, a removable hard disk, a magnetic disk or an optical disc. In some jurisdictions, according to legislation and patent practice, computer-readable media may not include electrical carrier signals and telecommunication signals.
In the foregoing embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the relevant descriptions of other embodiments.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be considered to go beyond the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/network device and method may be implemented in other ways. For example, the apparatus/network device embodiments described above are only illustrative: the division into modules or units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above are only optional embodiments of the present application and are not intended to limit it. Various modifications and variations of the present application are possible for those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present application shall be included within the scope of the claims of the present application.

Claims (14)

  1. A security detection method for an artificial intelligence system, characterized in that it comprises:
    acquiring a plurality of original image data;
    generating malicious sample data according to the original image data, wherein the malicious sample data is image data that causes the output result of the artificial intelligence system to differ from the expected output result;
    performing a security test on the artificial intelligence system according to the malicious sample data, and obtaining a security detection result of the artificial intelligence system.
  2. The security detection method for an artificial intelligence system according to claim 1, characterized in that, after acquiring the original image data, the method further comprises:
    performing image transformation on each of the original image data by a preset data augmentation method to obtain an original image data set, wherein the preset data augmentation method includes at least one of symmetry processing, rotation processing and scaling processing.
  3. The security detection method for an artificial intelligence system according to claim 2, characterized in that, after performing image transformation on each of the original image data by the preset data augmentation method to obtain the original image data set, the method comprises:
    recognizing the content of each original image data in the original image data set, and determining a label for each original image data.
  4. The security detection method for an artificial intelligence system according to claim 2, characterized in that generating malicious sample data according to the original image data comprises:
    calculating texture information for each original image data in the original image data set;
    adding gradient interference information based on the texture information of each original image data to generate a corresponding malicious sample data set.
  5. The security detection method for an artificial intelligence system according to claim 4, characterized in that adding gradient interference information based on the texture information of each original image data to generate the corresponding malicious sample data set comprises:
    performing clustering according to the label of each original image data in the original image data set to obtain image data sets of a plurality of categories;
    adding corresponding gradient interference information to the texture information of each original image data in the image data set of each category by a similar adversarial sample generation method, to obtain malicious sample data sets of a plurality of categories.
  6. The security detection method for an artificial intelligence system according to claim 1, characterized in that the types of the malicious sample data include target malicious sample data and non-target malicious sample data;
    and performing the security test on the artificial intelligence system according to the malicious sample data and obtaining the security detection result of the artificial intelligence system comprises:
    determining, according to the security requirement level and the input data authority of the artificial intelligence system, the ratio of target malicious sample data to non-target malicious sample data and the corresponding preset algorithm, performing a security test on the artificial intelligence system, and obtaining a first test result;
    performing, according to the security performance level of the artificial intelligence system, a security test of a corresponding preset duration on the artificial intelligence system using the malicious sample data, and obtaining a second test result;
    determining the security detection score of the artificial intelligence system according to the first test result and the second test result.
  7. A security detection device for an artificial intelligence system, characterized in that it comprises:
    an acquisition module, configured to acquire a plurality of original image data;
    a generation module, configured to generate malicious sample data according to the original image data, wherein the malicious sample data is image data that causes the output result of the artificial intelligence system to differ from the expected output result;
    a test module, configured to perform a security test on the artificial intelligence system according to the malicious sample data and obtain a security detection result of the artificial intelligence system.
  8. The security detection device for an artificial intelligence system according to claim 7, characterized in that the device further comprises:
    a data processing module, configured to perform image transformation on each of the original image data by a preset data augmentation method to obtain an original image data set, wherein the preset data augmentation method includes at least one of symmetry processing, rotation processing and scaling processing.
  9. The security detection device for an artificial intelligence system according to claim 8, characterized in that the device further comprises:
    a recognition module, configured to recognize the content of each original image data in the original image data set and determine a label for each original image data.
  10. The security detection device for an artificial intelligence system according to claim 8, characterized in that the generation module comprises:
    a calculation unit, configured to calculate texture information for each original image data in the original image data set;
    a generation unit, configured to add gradient interference information based on the texture information of each original image data to generate a corresponding malicious sample data set.
  11. The security detection device for an artificial intelligence system according to claim 10, characterized in that the generation unit comprises:
    a clustering sub-unit, configured to perform clustering according to the label of each original image data in the original image data set to obtain image data sets of a plurality of categories;
    a generation sub-unit, configured to add corresponding gradient interference information to the texture information of each original image data in the image data set of each category by a similar adversarial sample generation method, to obtain malicious sample data sets of a plurality of categories.
  12. The security detection device for an artificial intelligence system according to claim 7, characterized in that the types of the malicious sample data include target malicious sample data and non-target malicious sample data;
    and the test module comprises:
    a first test unit, configured to determine, according to the security requirement level and the input data authority of the artificial intelligence system, the ratio of target malicious sample data to non-target malicious sample data and the corresponding preset algorithm, and to perform a security test on the artificial intelligence system to obtain a first test result;
    a second test unit, configured to perform, according to the security performance level of the artificial intelligence system, a security test of a corresponding preset duration on the artificial intelligence system using the malicious sample data, to obtain a second test result;
    a determination unit, configured to determine the security detection score of the artificial intelligence system according to the first test result and the second test result.
  13. A terminal device, comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that, when the processor executes the computer program, the method according to any one of claims 1 to 6 is implemented.
  14. A computer-readable storage medium storing a computer program, characterized in that, when the computer program is executed by a processor, the method according to any one of claims 1 to 6 is implemented.
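Claims 2 to 5 chain four steps (augmentation, labelling, texture computation, gradient perturbation within per-label clusters) without fixing any of the concrete operations. The following is an added example, not code from the patent or its applicant: a pure-Python toy of that pipeline run against a constructed linear system under test, so that the robustness measurement of claim 1 can be seen end to end. The 4x4 images, the brightness "oracle" that plays the content recogniser of claim 3, the linear model, the 4-neighbour texture measure, the choice to scale the perturbation budget by texture and the budget EPS are all assumptions for illustration; only the untargeted case is built here, since with two classes a targeted perturbation would coincide with it.

```python
"""Added example (not the patent's code): toy of the malicious-sample pipeline in
claims 2 to 5 (augment, label, texture, gradient interference, cluster by label),
evaluated against an assumed linear system under test. Images, labeller, model,
texture measure and perturbation budget are all constructed assumptions."""
from typing import Dict, List, Tuple

Image = List[List[float]]  # square grayscale image, pixel values in [0, 1]
N = 4                      # assumed image side length


def flip_h(img: Image) -> Image:
    """Symmetry processing: mirror left/right."""
    return [row[::-1] for row in img]


def rotate90(img: Image) -> Image:
    """Rotation processing: rotate 90 degrees clockwise."""
    n = len(img)
    return [[img[n - 1 - j][i] for j in range(n)] for i in range(n)]


def zoom2x(img: Image) -> Image:
    """Scaling processing: crop the centre half and resample back to full size."""
    n = len(img)
    q = n // 4
    centre = [row[q:q + n // 2] for row in img[q:q + n // 2]]
    return [[v for v in row for _ in range(2)] for row in centre for _ in range(2)]


def augment(img: Image) -> Dict[str, Image]:
    """Claim 2: one original image becomes a small original image data set."""
    return {"orig": img, "flip": flip_h(img), "rot": rotate90(img), "zoom": zoom2x(img)}


def oracle_label(img: Image) -> int:
    """Claim 3: assumed content recogniser; label 1 = 'bright', 0 = 'dark'."""
    n = len(img)
    return 1 if sum(map(sum, img)) / (n * n) > 0.5 else 0


def texture(img: Image) -> Image:
    """Claim 4: texture = largest intensity step to a 4-neighbour, normalised to [0, 1]."""
    n = len(img)
    t = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            for di, dj in ((1, 0), (-1, 0), (0, 1), (0, -1)):
                ni, nj = i + di, j + dj
                if 0 <= ni < n and 0 <= nj < n:
                    t[i][j] = max(t[i][j], abs(img[i][j] - img[ni][nj]))
    peak = max(map(max, t))
    return [[v / peak if peak else 0.0 for v in row] for row in t]


class ToySystem:
    """Assumed system under test: linear score w.x + b, predicts 1 when score > 0."""

    def __init__(self, n: int) -> None:
        self.w = [[1.0 / (n * n)] * n for _ in range(n)]
        self.b = -0.5

    def predict(self, img: Image) -> int:
        n = len(img)
        score = sum(self.w[i][j] * img[i][j] for i in range(n) for j in range(n)) + self.b
        return 1 if score > 0 else 0

    def input_gradient(self) -> Image:
        """d(score)/d(pixel) of a linear model is just its weight matrix."""
        return self.w


def perturb(img: Image, label: int, system: ToySystem, eps: float) -> Image:
    """Claims 4/5: add gradient interference scaled per pixel by texture (assumed
    design choice: textured pixels take the full budget, flat pixels none)."""
    tex, grad = texture(img), system.input_gradient()
    direction = -1.0 if label == 1 else 1.0  # untargeted: push the score away from the label
    out = []
    for i, row in enumerate(img):
        new_row = []
        for j, v in enumerate(row):
            step = direction * eps * tex[i][j] * (1.0 if grad[i][j] >= 0 else -1.0)
            new_row.append(min(1.0, max(0.0, v + step)))
        out.append(new_row)
    return out


def build_malicious_sets(originals: List[Image], system: ToySystem, eps: float):
    """Claims 2-5 end to end: augment, label, cluster by label, perturb each member.
    Returns {label: [(original, malicious), ...]}."""
    clusters: Dict[int, List[Tuple[Image, Image]]] = {}
    for img in originals:
        for variant in augment(img).values():
            label = oracle_label(variant)
            clusters.setdefault(label, []).append((variant, perturb(variant, label, system, eps)))
    return clusters


def robust_fraction(clusters, system: ToySystem) -> float:
    """Claim 1 result: share of malicious samples on which the system keeps the expected label."""
    pairs = [(label, adv) for label, members in clusters.items() for _, adv in members]
    return sum(system.predict(adv) == label for label, adv in pairs) / len(pairs)


# Constructed originals: a bright image with a dark corner, and its inverse.
BRIGHT = [[1, 1, 1, 1], [1, 1, 1, 1], [1, 1, 0, 0], [1, 1, 0, 0]]
DARK = [[1 - v for v in row] for row in BRIGHT]

if __name__ == "__main__":
    system = ToySystem(N)
    for eps in (0.5, 1.0):
        print(f"eps={eps}: robust fraction {robust_fraction(build_malicious_sets([BRIGHT, DARK], system, eps), system):.2f}")
```

Because the perturbation is confined to textured pixels, only the pixels along the edge of the dark corner move; at a budget of 0.5 the toy model keeps every label, while at a budget of 1.0 the bright variants tip over and the dark ones do not, which is the kind of per-category asymmetry the clustering in claim 5 is meant to expose.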
Application PCT/CN2021/089329 (WO2022222143A1, en), priority date 2021-04-23, filing date 2021-04-23: Security test method and apparatus for artificial intelligence system, and terminal device

Publications (1)

Publication Number Publication Date
WO2022222143A1 true WO2022222143A1 (en) 2022-10-27

Family ID: 83723394
Country status: WO (1) WO2022222143A1 (en)


Legal Events

121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number: 21937372; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: pct application non-entry in european phase (ref document number: 21937372; country of ref document: EP; kind code of ref document: A1)