WO2023188409A1 - 情報処理装置、情報処理方法、及び記録媒体 - Google Patents

情報処理装置、情報処理方法、及び記録媒体 Download PDF

Info

Publication number
WO2023188409A1
WO2023188409A1 PCT/JP2022/016935 JP2022016935W WO2023188409A1 WO 2023188409 A1 WO2023188409 A1 WO 2023188409A1 JP 2022016935 W JP2022016935 W JP 2022016935W WO 2023188409 A1 WO2023188409 A1 WO 2023188409A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
perturbation
feature amount
similarity
gradient
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2022/016935
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
拓磨 天田
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Corp
Original Assignee
NEC Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NEC Corp filed Critical NEC Corp
Priority to JP2024511141A priority Critical patent/JP7711842B2/ja
Priority to US18/851,264 priority patent/US20250217462A1/en
Priority to PCT/JP2022/016935 priority patent/WO2023188409A1/ja
Publication of WO2023188409A1 publication Critical patent/WO2023188409A1/ja
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00Arrangements for image or video recognition or understanding
    • G06V10/70Arrangements for image or video recognition or understanding using pattern recognition or machine learning
    • G06V10/74Image or video pattern matching; Proximity measures in feature spaces
    • G06V10/761Proximity, similarity or dissimilarity measures
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/16Human faces, e.g. facial parts, sketches or expressions
    • G06V40/172Classification, e.g. identification

Definitions

  • This disclosure relates to the technical field of information processing devices, information processing methods, and recording media.
  • Patent Document 1 discloses calculating a quantitative evaluation value of robustness against adversarial samples for an authentication model that performs face authentication or the like.
  • Patent Document 2 discloses that by finding hostile sample candidates using feature vectors of facial images, hostile sample candidates that are likely to mislead facial recognition by a face authentication device can be obtained.
  • Patent Document 3 discloses generating hostile input so that an attacker is misidentified in face authentication.
  • This disclosure aims to improve the techniques disclosed in prior art documents.
  • One aspect of the information processing device of this disclosure includes a similarity calculation unit that calculates a similarity between a feature amount of first information and a feature amount of second information, and gradient information that indicates a gradient of the similarity.
  • a gradient information calculation means a perturbation position determining means for determining an element to which a perturbation is to be applied in the first information based on the gradient information; and a perturbation to be applied to the element to be perturbed in the first information.
  • a risk evaluation means that evaluates a risk in the authentication process based on a result of an authentication process that compares the first information to which the perturbation has been applied and the second information.
  • At least one computer calculates the degree of similarity between the feature amount of the first information and the feature amount of the second information, and calculates gradient information indicating the gradient of the degree of similarity. Based on the gradient information, an element to which a perturbation is to be applied is determined in the first information, a perturbation is applied to the element to be perturbed in the first information, and the element to which the perturbation is applied is determined. The risk in the authentication process is evaluated based on the result of the authentication process that compares the first information with the second information.
  • One aspect of the recording medium of this disclosure is to have at least one computer calculate a degree of similarity between a feature amount of the first information and a feature amount of the second information, and calculate gradient information indicating a gradient of the degree of similarity. , determines an element to which perturbation is to be applied in the first information based on the gradient information, applies a perturbation to the element to which perturbation is to be applied in the first information, and determines the element to which perturbation is applied in the first information, and the first element to which the perturbation is applied.
  • a computer program is recorded that executes an information processing method that evaluates a risk in the authentication process based on a result of the authentication process that compares information with the second information.
  • FIG. 1 is a block diagram showing a hardware configuration of an information processing device according to a first embodiment.
  • FIG. 1 is a block diagram showing a functional configuration of an information processing device according to a first embodiment.
  • 3 is a flowchart showing the flow of operations of the information processing apparatus according to the first embodiment.
  • FIG. 2 is a block diagram showing the functional configuration of an information processing device according to a second embodiment.
  • 7 is a flowchart showing the flow of operations of the information processing device according to the second embodiment.
  • 12 is a flowchart showing the flow of a perturbation application position determination operation performed by the information processing device according to the third embodiment.
  • 13 is a flowchart showing the flow of a perturbation application position determination operation by the information processing device according to the fourth embodiment.
  • FIG. 13 is a flowchart showing the flow of a perturbation application position determination operation by the information processing device according to the fifth embodiment. It is a flowchart which shows the flow of risk evaluation operation by an information processing device concerning a 6th embodiment.
  • FIG. 7 is a block diagram showing the functional configuration of an information processing device according to a seventh embodiment.
  • FIG. 2 is a conceptual diagram showing an example of an attack on a face authentication gate at an airport. It is a flowchart which shows the flow of operation of the information processing device concerning a 7th embodiment. 13 is a flowchart showing the flow of a perturbation application position determination operation performed by the information processing device according to the eighth embodiment.
  • FIG. 1 is a block diagram showing the hardware configuration of an information processing apparatus according to the first embodiment.
  • the information processing device 10 includes a processor 11, a RAM (Random Access Memory) 12, a ROM (Read Only Memory) 13, and a storage device 14.
  • the information processing device 10 may further include an input device 15 and an output device 16.
  • the above-described processor 11, RAM 12, ROM 13, storage device 14, input device 15, and output device 16 are connected via a data bus 17.
  • the processor 11 reads a computer program.
  • the processor 11 is configured to read a computer program stored in at least one of the RAM 12, ROM 13, and storage device 14.
  • the processor 11 may read a computer program stored in a computer-readable recording medium using a recording medium reading device (not shown).
  • the processor 11 may obtain (that is, read) a computer program from a device (not shown) located outside the information processing device 10 via a network interface.
  • the processor 11 controls the RAM 12, the storage device 14, the input device 15, and the output device 16 by executing the loaded computer program.
  • a functional block for evaluating the risk of authentication processing is implemented within the processor 11. That is, the processor 11 may function as a controller that executes various controls in the information processing device 10.
  • the processor 11 includes, for example, a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), an FPGA (field-programmable gate array), and a DSP (DSP). It may be configured as an ASIC (Application Specific Integrated Circuit). The processor 11 may be configured with one of these, or may be configured to use a plurality of them in parallel.
  • a CPU Central Processing Unit
  • GPU Graphics Processing Unit
  • FPGA field-programmable gate array
  • DSP DSP
  • ASIC Application Specific Integrated Circuit
  • the RAM 12 temporarily stores computer programs executed by the processor 11.
  • the RAM 12 temporarily stores data that is temporarily used by the processor 11 while the processor 11 is executing a computer program.
  • the RAM 12 may be, for example, D-RAM (Dynamic Random Access Memory) or SRAM (Static Random Access Memory). Further, instead of the RAM 12, other types of volatile memory may be used.
  • the ROM 13 stores computer programs executed by the processor 11.
  • the ROM 13 may also store other fixed data.
  • the ROM 13 may be, for example, a P-ROM (Programmable Read Only Memory) or an EPROM (Erasable Read Only Memory). Further, in place of the ROM 13, other types of nonvolatile memory may be used.
  • the storage device 14 stores data that the information processing device 10 stores for a long time.
  • Storage device 14 may operate as a temporary storage device for processor 11.
  • the storage device 14 may include, for example, at least one of a hard disk device, a magneto-optical disk device, an SSD (Solid State Drive), and a disk array device.
  • the input device 15 is a device that receives input instructions from the user of the information processing device 10.
  • the input device 15 may include, for example, at least one of a keyboard, a mouse, and a touch panel.
  • the input device 15 may be configured as a mobile terminal such as a smartphone or a tablet.
  • the input device 15 may be a device capable of inputting audio, including a microphone, for example.
  • the output device 16 is a device that outputs information regarding the information processing device 10 to the outside.
  • the output device 16 may be a display device (for example, a display) that can display information regarding the information processing device 10.
  • the output device 16 may be a speaker or the like that can output information regarding the information processing device 10 in audio.
  • the output device 16 may be configured as a mobile terminal such as a smartphone or a tablet.
  • the output device 16 may be a device that outputs information in a format other than images.
  • the output device 16 may be a speaker that outputs information regarding the information processing device 10 in audio form.
  • FIG. 1 shows an example of the information processing device 10 that includes a plurality of devices, all or part of these functions may be realized by one device.
  • the information processing device is configured to include only the above-mentioned processor 11, RAM 12, and ROM 13, and other components (i.e., storage device 14, input device 15, and output device 16) are configured by the information processing device. It may also be provided in an external device connected to. Further, the information processing device may realize some of the calculation functions by an external device (for example, an external server, a cloud, etc.).
  • an external device for example, an external server, a cloud, etc.
  • FIG. 2 is a block diagram showing the functional configuration of the information processing device according to the first embodiment.
  • the information processing device 10 includes a similarity calculation unit 110, a gradient information calculation unit 120, and a perturbation position determination unit 130 as components for realizing its functions. , a perturbation applying section 140 , and a risk evaluation section 150 .
  • Each of the similarity calculation section 110, gradient information calculation section 120, perturbation application position determination section 130, perturbation application section 140, and risk evaluation section 150 is a processing block realized by, for example, the above-mentioned processor 11 (see FIG. 1). It's good.
  • each of the similarity calculation section 110, the gradient information calculation section 120, the perturbation application position determination section 130, the perturbation application section 140, and the risk evaluation section 150 may be configured to include a neural network.
  • the similarity calculation unit 110 calculates a feature amount of the first information (hereinafter referred to as "first information feature amount” as appropriate) and a feature amount of the second information (hereinafter referred to as “second information feature amount” as appropriate). is configured to be input.
  • the similarity calculation unit 110 is configured to be able to calculate the similarity between the input first information feature amount and the second information feature amount.
  • the method for calculating the degree of similarity is not particularly limited, and existing techniques may be employed as appropriate.
  • the degree of similarity may be a matching score obtained by comparing the first information feature amount and the second information feature amount. Specific examples of the first information and the second information will be described in detail in other embodiments to be described later.
  • the gradient information calculation unit 120 is configured to be able to calculate gradient information indicating the gradient of the similarity calculated by the similarity calculation unit 110.
  • the gradient information may be information including a Jacobian of similarity. For example, when the similarity between the first information feature f(X a ) and the second information feature f(X t ) is L ⁇ f(X a ), f(X t ) ⁇ , the gradient information ⁇ L(X a , X t ) may be calculated as shown in equation (1) below.
  • M is the number of dimensions of X.
  • the perturbation position determination unit 130 is configured to be able to determine the element to which perturbation is applied in the first information based on the gradient information calculated by the gradient information calculation unit 120.
  • the perturbation application position determination unit 130 determines, for example, at least one element to which a perturbation is applied from among a plurality of elements included in the first information.
  • the "perturbation" here is noise added to increase the similarity between the first information and the second information.
  • the fact that the gradient information shown in equation (1) above is positive means that the degree of similarity between the first information and the second information increases by applying a perturbation to the element Xa . .
  • a more specific method for determining the element to which perturbation is to be applied will be described in detail in other embodiments to be described later.
  • the perturbation applying unit 140 is configured to be able to apply a perturbation to the element determined by the perturbation applying position determination unit 130. That is, the perturbation applying unit 140 is configured to be able to generate perturbed first information (hereinafter appropriately referred to as "hostile sample") by perturbing some elements of the first information. ing.
  • the hostile sample generated by the perturbation adding unit 140 is information that is likely to be mistakenly recognized as second information in the authentication process.
  • the risk evaluation unit 150 is configured to be able to evaluate risks in the authentication process (in other words, risks latent in the authenticator or authentication model that executes the authentication process). More specifically, the risk evaluation unit 150 evaluates the risk in the authentication process based on the result of the authentication process using the adversarial sample generated by the perturbation applying unit 140. For example, the risk evaluation unit 150 may evaluate the possibility that the generated hostile sample (that is, the first information to which the perturbation has been applied) will be recognized as the second information. A specific evaluation method by the risk evaluation unit 150 will be described in detail in other embodiments to be described later.
  • the risk evaluation unit 150 described above may be provided separately from the device that generates the hostile sample.
  • an adversarial sample generation device including a similarity calculation unit 110, a gradient information calculation unit 120, a perturbation position determination unit 130, and a perturbation application unit 140, and a risk evaluation device including a risk evaluation unit 150 may be configured as separate devices.
  • the authentication process may be executed by an authentication device provided separately from the information processing device 10 according to the present embodiment.
  • the hostile sample generated by the perturbation adding unit 140 may be output to the authentication device, and the risk evaluation unit 150 may evaluate the risk using the authentication result input from the authentication device.
  • the risk evaluation unit 150 may have a function of executing authentication processing. That is, the risk evaluation unit 150 itself may be configured to execute the authentication process and evaluate the risk of the authentication process based on the authentication result.
  • FIG. 3 is a flowchart showing the flow of operations of the information processing apparatus according to the first embodiment.
  • the similarity calculation unit 110 first acquires a first information feature amount and a second information feature amount (step S101 ). Then, the similarity calculation unit 110 calculates the similarity between the acquired first information feature amount and second information feature amount (step S102). Information regarding the similarity calculated by the similarity calculation section 110 is output to the gradient information calculation section 120.
  • the gradient information calculation unit 120 calculates gradient information indicating the gradient of the similarity calculated by the similarity calculation unit 110 (step S103).
  • the gradient information calculated by the gradient information calculation section 120 is output to the perturbation application position determination section 130.
  • the perturbation position determination unit 130 determines an element to which a perturbation is to be applied in the first information based on the gradient information calculated by the gradient information calculation unit 120 (step S104). Information regarding the elements determined by the perturbation position determining unit 130 is output to the perturbation applying unit 140.
  • the perturbation applying unit 140 applies perturbation to the element determined by the perturbation applying position determining unit 130 (step S105). That is, a perturbation is applied to the first information to generate an adversarial sample.
  • the adversarial samples generated by the perturbation adding unit 140 are used for authentication processing.
  • the risk evaluation unit 150 evaluates the risk in the authentication process based on the authentication result of the authentication process using the adversarial sample generated by the perturbation applying unit 140 (step S106).
  • the risk evaluation unit 150 may output a risk evaluation result.
  • adversarial samples are generated by applying perturbations based on the similarity between two pieces of information. Then, the risk of the authentication process is evaluated based on the result of the authentication process using the generated hostile sample. In this way, it is possible to appropriately evaluate the risk of authentication processing against hostile input. Specifically, it becomes possible to evaluate what kind of risk the authentication process has against attacks aimed at intentionally obtaining incorrect authentication results.
  • JSMA Java-base Salience Map Attack
  • this method assumes a class classification process (that is, a process in which a classification probability vector is obtained as a processing result). Therefore, it cannot be directly applied when generating adversarial samples for authentication processing (that is, processing that obtains similarity as a processing result).
  • a hostile sample suitable for authentication processing is generated, it is possible to appropriately evaluate the risk in authentication processing.
  • FIG. 4 is a block diagram showing the functional configuration of an information processing device according to the second embodiment.
  • the same reference numerals are given to the same elements as those shown in FIG. 2.
  • the information processing device 10 includes a similarity calculation unit 110, a gradient information calculation unit 120, and a perturbation position determination unit 130 as components for realizing its functions. , a perturbation applying section 140 , a risk evaluation section 150 , and a feature extraction section 160 . That is, the information processing device 10 according to the second embodiment further includes a feature extracting section 160 in addition to the configuration of the first embodiment (see FIG. 2).
  • the feature extraction unit 160 may be a processing block implemented by the processor 11 (see FIG. 1) described above, for example.
  • the feature extraction unit 160 is configured to receive a first image, which is a specific example of first information, and a second image, which is a specific example of second information.
  • first image is an image that includes the first living body
  • second image is an image that includes the second living body.
  • the first image and the second image may be, for example, a face image including a biological face or an iris image including an iris.
  • the feature amount extraction unit 160 is configured to be able to extract feature amounts from the first image and the second image. That is, the feature extraction unit 160 is configured to be able to extract the feature amount related to the first living body included in the first image and the feature amount related to the second living body included in the second image.
  • Each feature extracted by the feature extraction unit 160 is configured to be input to the similarity calculation unit 110 as a first information feature and a second information feature.
  • FIG. 5 is a flowchart showing the flow of operations of the information processing apparatus according to the second embodiment. Note that in FIG. 5, processes similar to those shown in FIG. 3 are given the same reference numerals.
  • the feature extraction unit 160 first acquires a first image and a second image (step S201). Then, the feature extraction unit 160 extracts the first information feature from the first image and the second information feature from the second image (step S202). Information regarding the feature extracted by the feature extraction unit 160 is output to the similarity calculation unit 110.
  • the similarity calculation unit 110 calculates the similarity between the first information feature amount and the second information feature amount extracted by the feature amount extraction unit 160 (step S102). Information regarding the similarity calculated by the similarity calculation section 110 is output to the gradient information calculation section 120.
  • the gradient information calculation unit 120 calculates gradient information indicating the gradient of the similarity calculated by the similarity calculation unit 110 (step S103).
  • the gradient information calculated by the gradient information calculation section 120 is output to the perturbation application position determination section 130.
  • the perturbation position determination unit 130 determines an element to which a perturbation is to be applied in the first information based on the gradient information calculated by the gradient information calculation unit 120 (step S104).
  • the element here may be a pixel in the first image.
  • the perturbation position determination unit 130 may perform a process of determining the position of a pixel to which a perturbation is to be applied, for example, among a plurality of pixels included in the first image.
  • Information regarding the elements determined by the perturbation position determining unit 130 is output to the perturbation applying unit 140.
  • the perturbation applying unit 140 applies perturbation to the element determined by the perturbation applying position determining unit 130 (step S105). That is, the perturbation applying unit 140 applies a perturbation to the pixels of the first image determined by the perturbation position determining unit 130 to generate a hostile sample.
  • the adversarial samples generated by the perturbation adding unit 140 are used for authentication processing.
  • the risk evaluation unit 150 evaluates the risk in the authentication process based on the authentication result of the authentication process using the adversarial sample generated by the perturbation applying unit 140 (step S106).
  • the risk evaluation unit 150 may output a risk evaluation result.
  • feature amounts are extracted from each of the first image and the second image, and perturbations are applied based on their similarity.
  • An adversarial sample is generated by In this way, it is possible to appropriately evaluate the risk of authentication processing using images. For example, it becomes possible to appropriately evaluate the risk of hostile input for face authentication using a face image or iris authentication using an iris image.
  • ⁇ Third embodiment> An information processing device 10 according to a third embodiment will be described with reference to FIG. 6.
  • the third embodiment describes a specific example of the operation (that is, the operation corresponding to step S104 in FIG. 3) when determining the perturbation application position in the first and second embodiments described above.
  • Other parts may be the same as those in the first and second embodiments. Therefore, in the following, parts that are different from each of the embodiments already described will be described in detail, and descriptions of other overlapping parts will be omitted as appropriate.
  • FIG. 6 is a flowchart showing the flow of a perturbation application position determination operation by the information processing apparatus according to the third embodiment.
  • the perturbation position determination unit 130 first calculates the slope information calculated by the slope information calculation unit 120 (i.e., the first gradient information of the degree of similarity between the information feature amount and the second information feature amount) is acquired (step S301). Then, the perturbation position determination unit 130 searches for one element having the maximum slope information based on the slope information calculated by the slope information calculation unit 120 (step S302).
  • the perturbation position determining unit 130 determines one element with the maximum gradient information obtained as a search result as the element to which perturbation is to be applied (that is, the perturbation position) (step S303). Note that if there are multiple elements with the maximum gradient information, the perturbation position determination unit 130 selects one element from the multiple elements and applies the perturbation to all of the determined elements as the elements to which the perturbation is applied. may be determined as an element. Thereafter, the perturbation applying position determination unit 130 outputs information regarding the element to which perturbation is applied to the perturbation applying unit 140 (step S304).
  • one element having the maximum gradient information is determined as the perturbation target.
  • the perturbation application position can be determined easily and appropriately based on the gradient information. Therefore, it is possible to appropriately generate hostile samples and evaluate the risks of authentication processing.
  • ⁇ Fourth embodiment> An information processing device 10 according to a fourth embodiment will be described with reference to FIG. 7. Note that, like the third embodiment described above, the fourth embodiment describes a specific example of the perturbation applying position determination operation, and the other parts are the same as the first and second embodiments. good. Therefore, in the following, parts that are different from each of the embodiments already described will be described in detail, and descriptions of other overlapping parts will be omitted as appropriate.
  • FIG. 7 is a flowchart showing the flow of perturbation application position determining operation by the information processing apparatus according to the fourth embodiment.
  • the perturbing position determining unit 130 calculates the gradient information calculated by the slope information calculating unit 120 (i.e., the first gradient information of the degree of similarity between the information feature amount and the second information feature amount is acquired (step S401). Then, the perturbation position determination unit 130 sorts the elements in descending order of the gradient information calculated by the gradient information calculation unit 120 (step S402).
  • the perturbation applying position determining unit 130 determines a predetermined number of elements in descending order of gradient information as elements to which perturbation is to be applied (that is, perturbation applying positions) (step S403).
  • the "predetermined number” here is the number of elements selected as perturbation application positions, and may be a value that can be set arbitrarily by the user, for example. For example, when the predetermined number is set to "3", the perturbation position determining unit 130 sets the element with the highest gradient information, the second highest element, and the third highest element as perturbation positions. All you have to do is decide.
  • the perturbation applying position determination unit 130 outputs information regarding the element to which perturbation is applied to the perturbation applying unit 140 (step S404).
  • a predetermined number of elements are determined as perturbation targets in descending order of gradient information.
  • the perturbation application position can be determined easily and appropriately based on the gradient information. Therefore, it is possible to appropriately generate hostile samples and evaluate the risks of authentication processing.
  • ⁇ Fifth embodiment> An information processing device 10 according to a fifth embodiment will be described with reference to FIG. 8. Note that, like the third and fourth embodiments described above, the fifth embodiment describes a specific example of the perturbation applying position determination operation, and the other parts are the same as the first and second embodiments. It may be. Therefore, in the following, parts that are different from each of the embodiments already described will be described in detail, and descriptions of other overlapping parts will be omitted as appropriate.
  • FIG. 8 is a flowchart showing the flow of perturbation application position determination operation by the information processing apparatus according to the fifth embodiment.
  • the perturbation position determination unit 130 first calculates the slope information calculated by the slope information calculation unit 120 (i.e., the first gradient information of the degree of similarity between the information feature amount and the second information feature amount) is acquired (step S501). Then, the perturbation position determination unit 130 compares the slope information calculated by the slope information calculation unit 120 with a predetermined threshold (step S502). Note that the "predetermined threshold” here is a threshold that is set in advance to determine the perturbation application position.
  • the perturbation position determining unit 130 determines an element whose slope information is higher than a predetermined threshold as an element to which a perturbation is to be applied (that is, a perturbation position) (step S503). Therefore, for example, when it is desired to determine a relatively small number of elements as perturbation application positions, the predetermined threshold value may be set to a relatively high value. On the other hand, if it is desired to determine a relatively large number of elements as perturbation positions, the predetermined threshold value may be set to a lower value. Thereafter, the perturbation applying position determination unit 130 outputs information regarding the element to which perturbation is applied to the perturbation applying unit 140 (step S404).
  • step S503 if there is no gradient information that is lower than the predetermined threshold value (that is, if all the gradient information is lower than the predetermined threshold value), the predetermined threshold value is reset to a lower value, and then steps S502 and The process of S503 may be performed.
  • the perturbation application position may be determined using the method already described in the third and fourth embodiments.
  • an element whose gradient information is larger than a predetermined threshold value is determined as a perturbation target.
  • the perturbation application position can be determined easily and appropriately based on the gradient information. Therefore, it is possible to appropriately generate hostile samples and evaluate the risks of authentication processing.
  • FIG. 9 An information processing device 10 according to a sixth embodiment will be described with reference to FIG. 9. Note that the sixth embodiment differs from the first to fifth embodiments described above only in some structural operations, and may be the same as the first to fifth embodiments in other parts. Therefore, in the following, parts that are different from each of the embodiments already described will be described in detail, and descriptions of other overlapping parts will be omitted as appropriate.
  • FIG. 9 is a flowchart showing the flow of risk evaluation operations by the information processing apparatus according to the sixth embodiment.
  • the risk evaluation unit 150 first performs an authentication process using a hostile sample (i.e., first information to which perturbation has been applied). The result is obtained (step S601). Then, the risk evaluation unit 150 calculates the probability of false authentication based on the obtained authentication result (step S602).
  • the erroneous authentication probability is the probability that an erroneous authentication result will be obtained, and can be calculated, for example, by dividing the number of times erroneous authentication occurs by the total number of authentications.
  • the risk evaluation unit 150 evaluates the risk of the authentication process based on the calculated false authentication probability (step S603). For example, the risk evaluation unit 150 may determine that the higher the false authentication probability is, the higher the risk is. Thereafter, the risk evaluation unit 150 outputs the evaluation result (step S604). The risk evaluation unit 150 may output the false authentication probability along with the evaluation result.
  • the risk is evaluated based on the false authentication probability calculated from the authentication result. In this way, it is possible to appropriately evaluate the risk of outputting an incorrect authentication result in response to hostile input.
  • FIGS. 10 to 12 An information processing device 10 according to a seventh embodiment will be described with reference to FIGS. 10 to 12. Note that the seventh embodiment differs from the first to sixth embodiments described above only in part of the configuration and operation, and may be the same as the first to sixth embodiments in other parts. Therefore, in the following, parts that are different from each of the embodiments already described will be described in detail, and descriptions of other overlapping parts will be omitted as appropriate.
  • FIG. 10 is a block diagram showing the functional configuration of an information processing device according to the seventh embodiment.
  • the same reference numerals are given to the same elements as those shown in FIG. 2.
  • the information processing device 10 includes a similarity calculation unit 110, a gradient information calculation unit 120, and a perturbation position determination unit 130 as components for realizing its functions. , a perturbation applying section 140 , and a risk evaluation section 150 .
  • the similarity calculation unit 110 according to the seventh embodiment is configured to receive a third information feature amount in addition to the first information feature amount and the second information feature amount.
  • the similarity calculation unit 110 calculates, in addition to the feature amount of the first information and the feature amount of the second information, the feature amount of the third information (hereinafter appropriately referred to as “third information feature amount”). is configured to be input. Then, in addition to the similarity between the first information feature amount and the second information feature amount (hereinafter referred to as “first similarity degree” as appropriate), the similarity calculation unit 110 calculates the similarity between the first information feature amount and the second information feature amount (hereinafter referred to as "first similarity degree”). It is configured to be able to calculate the degree of similarity (hereinafter referred to as "second degree of similarity” as appropriate) with the three information feature amounts.
  • the gradient information calculation unit 120 calculates the gradient information of the second similarity (hereinafter referred to as appropriate) in addition to the gradient information of the first similarity (hereinafter referred to as "first gradient information” as appropriate) that has already been described. (referred to as “second gradient information”).
  • first gradient information the gradient information of the first similarity
  • second gradient information the gradient information ⁇ L(X a , X s ) may be calculated as shown in equation (2) below.
  • the perturbation position determination unit 130 can determine the element to which perturbation is applied in the first information based on the first slope information and the second slope information calculated by the slope information calculation unit 120. It is configured. That is, the perturbation position determining unit 130 determines the element to which perturbation is to be applied based on the two pieces of gradient information. Note that a method for determining an element to which perturbation is to be applied using two pieces of gradient information will be described in detail in other embodiments to be described later.
  • the information processing device 10 may include the feature extraction unit 160 described in the second embodiment in addition to the above-described configuration.
  • the feature extraction unit 160 may receive a third image (ie, an image including the third living body) in addition to the first image and the second image.
  • the feature extraction unit 160 is configured to extract a first information feature from the first image, a second information feature from the second image, and a third information feature from the third image. It's fine.
  • FIG. 11 is a conceptual diagram showing an example of an attack on a face recognition gate at an airport.
  • the information processing device 10 may evaluate risks in an airport facial recognition system. For example, suppose there are a person A who is a collaborator and a person B who is a terrorist. In this case, Person A first submits a photo and applies for a passport. The photo submitted at this time is a photo that looks like Person A when viewed with the human eye, but resembles both Person A and Person B when viewed from the authentication device.
  • Person A transfers the passport to Person B.
  • Person B presents the passport transferred from Person A and attempts to pass through an unmanned airport gate (a gate that allows passage through facial recognition).
  • an unmanned airport gate a gate that allows passage through facial recognition.
  • authentication processing is performed at the gate using the photo (registered image) submitted at the time of passport application, but this registered image is similar to Person B as already explained. Therefore, at the unmanned gate, the authentication process for person B is successful (that is, the person B is erroneously authenticated as person A), and as a result, person B makes an unauthorized breakthrough.
  • the information processing device 10 has a high degree of similarity between two pieces of information (i.e., a degree of similarity between first information and second information, and a degree of similarity between first information and third information ) will be taken into consideration. Therefore, it is possible to evaluate the risk assuming an example of an attack by multiple users as described above.
  • FIG. 12 is a flowchart showing the flow of operations of the information processing apparatus according to the seventh embodiment. Note that in FIG. 12, processes similar to those shown in FIG. 3 are given the same reference numerals.
  • the similarity calculation unit 110 first calculates the first information feature amount, the second information feature amount, and the third information feature amount. The amount is acquired (step S701). Then, the similarity calculation unit 110 calculates a first similarity, which is the degree of similarity between the first information feature amount and the second information feature amount, and a second similarity, which is the degree of similarity between the first information feature amount and the third information feature amount. The degree of similarity is calculated (step S702). Information regarding the first and second similarities calculated by the similarity calculation unit 110 is output to the gradient information calculation unit 120.
  • the gradient information calculation unit 120 calculates first gradient information indicating the gradient of the first similarity calculated by the similarity calculation unit 110 and second gradient information indicating the gradient of the second similarity (Ste S703).
  • the first and second slope information calculated by the slope information calculation unit 120 are output to the perturbation position determination unit 130.
  • the perturbation application position determination unit 130 determines an element to which a perturbation is applied in the first information based on the first slope information and second slope information calculated by the slope information calculation unit 120 (step S704). Information regarding the elements determined by the perturbation position determining unit 130 is output to the perturbation applying unit 140.
  • the perturbation applying unit 140 applies perturbation to the element determined by the perturbation applying position determining unit 130 (step S105). That is, a perturbation is applied to the first information to generate an adversarial sample.
  • the adversarial samples generated by the perturbation adding unit 140 are used for authentication processing.
  • the risk evaluation unit 150 evaluates the risk in the authentication process based on the authentication result of the authentication process using the adversarial sample generated by the perturbation applying unit 140 (step S106).
  • the risk evaluation unit 150 may output a risk evaluation result.
  • adversarial samples are generated in consideration of third information in addition to first information and second information. Therefore, compared to the case where only the first information and the second information are considered, hostile samples can be generated more appropriately.
  • adversarial samples can be generated that take into account both the source image and target image described above. Therefore, it becomes possible to more appropriately evaluate the risk of authentication processing.
  • FIG. 13 is a flowchart showing the flow of the perturbation application position determination operation by the information processing apparatus according to the eighth embodiment.
  • the perturbation applying position determining unit 130 first calculates the first gradient information calculated by the slope information calculating unit 120 (i.e., Gradient information of the similarity between the first information feature and the second information feature) and second gradient information (that is, gradient information of the similarity between the first information feature and the third information feature) are obtained. (Step S801).
  • the perturbation position determination unit 120 calculates an index value from the first slope information and second slope information calculated by the slope information calculation unit 120 (step S802).
  • the "index value” here is a value used as an index for determining the perturbation application position.
  • the index value may be, for example, a value calculated as the product of the first gradient information and the second gradient information.
  • the index value may be a weighted sum of the first gradient information and the second gradient information.
  • the index value may be the sum of the absolute value of the first slope information and the absolute value of the second slope information.
  • the perturbation application position determination unit 130 determines the position to apply perturbation in the first information based on the calculated index value (step S803).
  • the perturbation position determination unit 130 may determine one element having the maximum index value as the perturbation position (see the third embodiment).
  • the perturbation position determining unit 130 may determine a predetermined number of elements as perturbation positions in descending order of index value (see the fourth embodiment).
  • the perturbation position determination unit 130 may determine an element whose index value is larger than a predetermined threshold value as a perturbation position (see the fifth embodiment).
  • the perturbation applying position determination unit 130 outputs information regarding the element to which perturbation is applied to the perturbation applying unit 140 (step S804).
  • the element to which perturbation is applied is determined based on the index value calculated from the first gradient information and the second gradient information.
  • the perturbation application position can be determined by considering the similarity between the first information and the second information, and the similarity between the first information and the third information. Therefore, it is possible to appropriately generate hostile samples and evaluate the risks of authentication processing.
  • Each embodiment also includes a processing method in which a program that operates the configuration of each embodiment described above is recorded on a recording medium, the program recorded on the recording medium is read as a code, and executed on a computer. Included in the category of form. That is, computer-readable recording media are also included within the scope of each embodiment. Furthermore, not only the recording medium on which the above-described program is recorded, but also the program itself is included in each embodiment.
  • each embodiment is not limited to a program that executes processing by itself as a program recorded on the recording medium, but also includes a program that operates on the OS and executes processing in collaboration with other software and functions of an expansion board. included in the category of Furthermore, the program itself may be stored on a server, and part or all of the program may be downloaded to the user terminal from the server.
  • the information processing device includes: a similarity calculation unit that calculates a similarity between a feature amount of first information and a feature amount of second information; and gradient information that calculates gradient information indicating a gradient of the similarity.
  • a calculation means a perturbation position determining means for determining an element to which a perturbation is to be applied in the first information based on the gradient information, and a perturbation to apply a perturbation to the element to be perturbed in the first information.
  • An information processing device comprising: an assignment unit; and a risk evaluation unit that evaluates a risk in the authentication process based on a result of an authentication process that compares the first information to which the perturbation has been applied and the second information. be.
  • the first information is a first image including a first living body
  • the second information is a second image including a second living body
  • the similarity calculation means includes: , the information processing device according to supplementary note 1, which calculates the degree of similarity between a feature amount related to the first living body extracted from the first image and a feature amount related to the second living body extracted from the second image. be.
  • the information processing apparatus is the information processing apparatus according to supplementary note 1 or 2, wherein the application position determining means determines one element to which the gradient information is maximum as the element to which the perturbation is applied. It is.
  • the information processing apparatus is the information processing apparatus according to supplementary note 1 or 2, wherein the application position determining means determines a predetermined number of elements in descending order of the gradient information as the elements to which the perturbation is applied. It is.
  • the information processing apparatus is the information processing apparatus according to supplementary note 1 or 2, wherein the application position determining means determines an element to which the gradient information is larger than a predetermined threshold value as the element to which the perturbation is applied. It is.
  • the information processing device is any one of appendices 1 to 5, wherein the risk evaluation means calculates a probability of false authentication in the authentication process, and evaluates the risk in the authentication process based on the probability of false authentication.
  • the information processing device according to item 1.
  • the similarity calculation means calculates the similarity between the feature amount of the first information and the feature amount of the second information, as well as the similarity between the feature amount of the first information and the third information.
  • the gradient information calculation means calculates the degree of similarity between the feature amount of the first information and the feature amount of the second information, and the gradient information calculation means calculates the similarity degree between the feature amount of the first information and the feature amount of the second information.
  • the perturbation applying position determining means calculates gradient information of the similarity between the feature amount of the first information and the feature amount of the third information, Information processing according to any one of Supplementary Notes 1 to 6, which determines the element to which the perturbation is applied based on gradient information of the degree of similarity between the feature amount of the first information and the feature amount of the third information. It is a device.
  • the perturbation position determining means is configured to determine the gradient information of the degree of similarity between the feature amount of the first information and the feature amount of the third information, and the feature amount of the first information and the feature amount of the third information.
  • the element to which the perturbation is applied is determined using at least one of a product, a weighted sum, and a sum of absolute values of gradient information of similarity with the feature amount of 3 information, It is an information processing device.
  • appendix 9 calculates, by at least one computer, a degree of similarity between a feature amount of the first information and a feature amount of the second information, and calculates gradient information indicating a gradient of the degree of similarity; determining an element to which perturbation is to be applied in the first information based on the gradient information, applying a perturbation to the element to which perturbation is to be applied in the first information, and determining the first information to which the perturbation is applied.
  • This information processing method evaluates the risk in the authentication process based on the result of the authentication process that compares the information and the second information.
  • the recording medium according to Supplementary note 10 calculates the similarity between the feature amount of the first information and the feature amount of the second information, calculates gradient information indicating the gradient of the similarity, and calculates the similarity between the feature amount of the first information and the feature amount of the second information. Based on the gradient information, an element to which a perturbation is to be applied in the first information is determined, a perturbation is applied to the element to be perturbed in the first information, and the first information to which the perturbation is applied is determined.
  • the recording medium is a recording medium on which a computer program for executing an information processing method that evaluates a risk in the authentication process based on the result of the authentication process that is compared with the second information is recorded.
  • the computer program causes at least one computer to calculate the degree of similarity between the feature amount of the first information and the feature amount of the second information, calculate gradient information indicating the gradient of the degree of similarity, and calculate the degree of similarity between the feature amount of the first information and the feature amount of the second information, Based on the gradient information, an element to which a perturbation is to be applied in the first information is determined, a perturbation is applied to the element to be perturbed in the first information, and the first information to which the perturbation is applied is determined.
  • the present invention is a computer program that executes an information processing method that evaluates a risk in the authentication process based on a result of the authentication process that is compared with the second information.
  • the information processing system includes: a similarity calculation unit that calculates the similarity between the feature amount of the first information and the feature amount of the second information; and gradient information that calculates gradient information indicating a gradient of the similarity.
  • a calculation means a perturbation position determining means for determining an element to which a perturbation is to be applied in the first information based on the gradient information, and a perturbation to apply a perturbation to the element to be perturbed in the first information.
  • An information processing system comprising: an assignment unit; and a risk evaluation unit that evaluates a risk in the authentication process based on a result of an authentication process that compares the first information to which the perturbation has been applied and the second information. be.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Multimedia (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Databases & Information Systems (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Artificial Intelligence (AREA)
  • Oral & Maxillofacial Surgery (AREA)
  • Human Computer Interaction (AREA)
  • Collating Specific Patterns (AREA)
  • Image Analysis (AREA)
  • Measurement Of The Respiration, Hearing Ability, Form, And Blood Characteristics Of Living Organisms (AREA)
PCT/JP2022/016935 2022-03-31 2022-03-31 情報処理装置、情報処理方法、及び記録媒体 Ceased WO2023188409A1 (ja)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2024511141A JP7711842B2 (ja) 2022-03-31 2022-03-31 情報処理装置、情報処理方法、及び記録媒体
US18/851,264 US20250217462A1 (en) 2022-03-31 2022-03-31 Information processing apparatus, information processing method, and non-transitory recording medium
PCT/JP2022/016935 WO2023188409A1 (ja) 2022-03-31 2022-03-31 情報処理装置、情報処理方法、及び記録媒体

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/016935 WO2023188409A1 (ja) 2022-03-31 2022-03-31 情報処理装置、情報処理方法、及び記録媒体

Publications (1)

Publication Number Publication Date
WO2023188409A1 true WO2023188409A1 (ja) 2023-10-05

Family

ID=88200483

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/016935 Ceased WO2023188409A1 (ja) 2022-03-31 2022-03-31 情報処理装置、情報処理方法、及び記録媒体

Country Status (3)

Country Link
US (1) US20250217462A1 (https=)
JP (1) JP7711842B2 (https=)
WO (1) WO2023188409A1 (https=)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112434213A (zh) * 2020-10-15 2021-03-02 中国科学院深圳先进技术研究院 网络模型的训练方法、信息推送方法及相关装置
CN113792729A (zh) * 2021-08-11 2021-12-14 杭州电子科技大学 基于热图注意力机制与频域分析的行人重识别攻击方法
CN113869152A (zh) * 2021-09-14 2021-12-31 武汉大学 一种基于对抗性攻击的反人脸识别方法及系统
CN114049537A (zh) * 2021-11-19 2022-02-15 江苏科技大学 一种基于卷积神经网络的对抗样本防御方法

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112434213A (zh) * 2020-10-15 2021-03-02 中国科学院深圳先进技术研究院 网络模型的训练方法、信息推送方法及相关装置
CN113792729A (zh) * 2021-08-11 2021-12-14 杭州电子科技大学 基于热图注意力机制与频域分析的行人重识别攻击方法
CN113869152A (zh) * 2021-09-14 2021-12-31 武汉大学 一种基于对抗性攻击的反人脸识别方法及系统
CN114049537A (zh) * 2021-11-19 2022-02-15 江苏科技大学 一种基于卷积神经网络的对抗样本防御方法

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DANNY KARMON; DANIEL ZORAN; YOAV GOLDBERG: "LaVAN: Localized and Visible Adversarial Noise", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 8 January 2018 (2018-01-08), 201 Olin Library Cornell University Ithaca, NY 14853 , XP081222395 *

Also Published As

Publication number Publication date
JPWO2023188409A1 (https=) 2023-10-05
US20250217462A1 (en) 2025-07-03
JP7711842B2 (ja) 2025-07-23

Similar Documents

Publication Publication Date Title
CN109948408B (zh) 活性测试方法和设备
US11074434B2 (en) Detection of near-duplicate images in profiles for detection of fake-profile accounts
US11250282B2 (en) Face spoofing detection using a physical-cue-guided multi-source multi-channel framework
CN104487993B (zh) 利用社交网络进行身份验证的系统及方法
KR102432600B1 (ko) 벡터 양자화를 이용한 중복 문서 탐지 방법 및 시스템
CN114730339A (zh) 检测计算机系统中未知的恶意内容
CN110245132A (zh) 数据异常检测方法、装置、计算机可读存储介质和计算机设备
EP2370932B1 (en) Method, apparatus and computer program product for providing face pose estimation
US12511942B2 (en) Detecting wrapped attacks on face recognition
Atee et al. Extreme learning machine based optimal embedding location finder for image steganography
Bashardoost et al. Replacement attack: A new zero text watermarking attack
WO2017214970A1 (en) Building convolutional neural network
WO2017192719A1 (en) User specific classifiers for biometric liveness detection
Al Ogaili et al. Malware cyberattacks detection using a novel feature selection method based on a modified whale optimization algorithm
CN115984975A (zh) 基于图卷积神经网络的电子签名验证方法、系统、设备及介质
CN112329012B (zh) 针对包含JavaScript的恶意PDF文档的检测方法及电子设备
Anandhi et al. Performance evaluation of deep neural network on malware detection: visual feature approach
CN110020593B (zh) 信息处理方法及装置、介质及计算设备
JP2019028984A (ja) 非常に大きな画像集合における近似重複画像をクラスタ化するためのシステム及び方法、複数の画像をクラスタ化するための方法及びシステム、プログラム、複数の内容項目をクラスタ化するための方法
JP2026015357A (ja) 情報処理装置、判定方法およびプログラム
CN116012959A (zh) 模型训练方法、活体人脸检测方法、装置、设备和介质
WO2023188409A1 (ja) 情報処理装置、情報処理方法、及び記録媒体
US20240144650A1 (en) Identifying whether a sample will trigger misclassification functionality of a classification model
CN113610904B (zh) 3d局部点云对抗样本生成方法、系统、计算机及介质
CN114170439B (zh) 姿态识别方法、装置、存储介质和电子设备

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22935547

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2024511141

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 18851264

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22935547

Country of ref document: EP

Kind code of ref document: A1

WWP Wipo information: published in national office

Ref document number: 18851264

Country of ref document: US