CN111461226A - Countermeasure sample generation method, device, terminal and readable storage medium - Google Patents


Publication number: CN111461226A
Authority: CN (China)
Prior art keywords: model, sample, confrontation, countermeasure, sample generation
Legal status: Pending
Application number: CN202010252297.6A
Other languages: Chinese (zh)
Inventors: 谭圣琦, 吴泽衡, 朱振文
Current Assignee: WeBank Co Ltd
Original Assignee: WeBank Co Ltd
Application filed by: WeBank Co Ltd
Priority to: CN202010252297.6A
Publication of: CN111461226A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/21: Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214: Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/24: Classification techniques
    • G06F18/241: Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2415: Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Probability & Statistics with Applications (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method, a device, a terminal and a readable storage medium for generating adversarial samples (rendered in this translation as "confrontation", "countermeasure" or "challenge" samples). The method comprises the following steps: determining, based on an adversarial sample generation strategy, the target teacher model and the target attack algorithm for the current round of sampling; performing reinforcement learning based on the target teacher model and the target attack algorithm to obtain intermediate adversarial samples; optimizing the adversarial sample generation strategy based on the intermediate adversarial samples; determining, from the intermediate adversarial samples, the adversarial samples that take part in student model training; and performing iterative reinforcement learning training based on the optimized strategy until an iteration stop condition is detected, at which point the iterative training ends. The reinforcement learning algorithm dynamically finds, for the current student model, the one or more attack algorithms with the greatest attack strength together with their parameters, so that adversarial samples containing hard samples are generated efficiently to train the student model; this accelerates model training while markedly improving the model's robustness to attack.

Description

Countermeasure sample generation method, device, terminal and readable storage medium
Technical Field
The invention relates to the field of financial technology, and in particular to a method, a device, a terminal and a readable storage medium for generating adversarial samples.
Background
At present, face-based identity verification is widely used in financial services and brings great convenience. It must also be extremely accurate and secure. However, driven by profit, face verification services are highly exposed to malicious attack, and the attack means and methods are varied. Deep learning has developed very rapidly in recent years, and mainstream face recognition technology is essentially based on it. In deep learning there is a class of attack techniques known as adversarial attacks, which generate new image samples (adversarial samples) by deliberately adding subtle, imperceptible perturbations to input samples, causing the model to output wrong results with high confidence. For example, in a face verification service, an attacker forges an adversarial sample so that the model identifies photos of two different people as the same person.
Existing models are not only vulnerable to such attacks; as their accuracy has improved greatly, their demands on computing resources (storage and computing power) have also grown, which makes them difficult to deploy on mobile and embedded devices. Existing methods lack an integrated scheme that considers both problems together and solves them effectively, so model training takes a long time and robustness is poor.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The main purpose of the invention is to provide a method, a device, a terminal and a readable storage medium for generating adversarial samples, in order to solve the technical problem that existing integrated adversarial training, which combines model compression with adversarial attacks, cannot generate hard samples efficiently, so that model training takes a long time and robustness is poor.
In order to achieve the above object, the present invention provides a challenge sample generation method, including the following steps:
acquiring a countermeasure sample generation strategy, and determining a target teacher model and a target attack algorithm corresponding to the sampling based on the countermeasure sample generation strategy;
performing reinforcement learning based on the target teacher model and the target attack algorithm to obtain an intermediate confrontation sample, and optimizing the confrontation sample generation strategy based on the intermediate confrontation sample;
determining a confrontation sample participating in student model training based on the intermediate confrontation sample;
and performing iterative reinforcement learning training based on the optimized countermeasure sample generation strategy until iterative stopping conditions are detected, and finishing the iterative reinforcement learning training.
Further, the step of performing reinforcement learning based on the target teacher model and the target attack algorithm to obtain an intermediate countermeasure sample includes:
generating an intermediate countermeasure sample based on the target teacher model by adopting a target attack algorithm;
the step of optimizing the challenge sample generation strategy based on the intermediate challenge sample comprises:
calculating the attack probability of the intermediate adversarial sample on the student model, and determining a reward value based on the attack probability and the time taken to generate the intermediate adversarial sample;
updating a countermeasure sample generation policy based on the reward value.
Further, the updating a challenge sample generation policy based on the reward value includes:
controlling the controller to sample the use probability of each teacher model, the use probability of each attack algorithm and use parameters at the next time based on the reward value;
and updating the countermeasure sample generation strategy according to the use probability of each teacher model, the use probability of each attack algorithm and the use parameters at the next time.
Further, the determining a confrontation sample participating in student model training based on the intermediate confrontation sample comprises:
obtaining a reward value corresponding to each countermeasure sample subset in an intermediate countermeasure sample, wherein the intermediate countermeasure sample consists of the countermeasure samples included in each countermeasure sample subset;
determining the selected preset number of reward values based on the reward values corresponding to the confrontation sample subsets respectively;
and determining the countermeasure sample subset corresponding to the selected preset number of reward values as the countermeasure sample participating in the student model training.
Further, before the step of obtaining a countermeasure sample generation policy and determining a target teacher model and a target attack algorithm corresponding to the present sampling based on the countermeasure sample generation policy, the method further includes:
training a preset intermediate teacher model based on local training data to obtain a trained teacher model, wherein the intermediate teacher model is a teacher model trained based on a public sample library;
the step of obtaining a countermeasure sample generation strategy and determining a target teacher model and a target attack algorithm corresponding to the sampling based on the countermeasure sample generation strategy comprises the following steps:
and determining the target teacher model in the trained teacher model based on the confrontation sample generation strategy, and determining the target attack algorithm in a preset attack algorithm table.
Further, after the steps of determining a confrontation sample participating in student model training based on the intermediate confrontation sample, performing iterative reinforcement learning training based on the optimized confrontation sample generation strategy until an iteration stop condition is detected, and ending the iterative reinforcement learning training, the method further includes:
performing distillation learning and confrontation training on the student model simultaneously based on local training data, the confrontation sample and the trained teacher model to obtain a total loss function value;
and transferring the knowledge of the teacher model to the student model through the total loss function value to obtain the student model after distillation confrontation.
Further, the step of simultaneously performing distillation learning and countermeasure training on the student model based on the local training data, the countermeasure sample, and the trained teacher model to obtain a total loss function value includes:
inputting local training data into the teacher model and the student models respectively, performing optimization training on the student models by using a knowledge distillation algorithm, and determining a first loss function value;
inputting the confrontation sample into the student model, and calculating the second loss function value according to the real label of the confrontation sample;
and obtaining the total loss function value based on the first loss function value and the second loss function value.
Further, the step of migrating the knowledge of the teacher model to the student models through the total loss function values to obtain the student models after distillation confrontation comprises:
calculating to obtain gradient information corresponding to the student model by using a back propagation algorithm based on the total loss function value;
updating the student model based on the gradient information, and performing iterative distillation learning and confrontation training based on the updated student model;
and if the updated total loss function value is less than or equal to a preset threshold value, obtaining the student model after the distillation confrontation.
Further, before the step of initializing a countermeasure sample generation policy and determining a target teacher model and a target attack algorithm corresponding to the current sampling based on the countermeasure sample generation policy, the method further includes:
determining a network architecture search space corresponding to a student model, wherein the search space defines a network architecture search range;
initializing a search strategy of the student model, and searching in the search space based on the current search strategy to obtain an initial student model;
determining a model evaluation index, updating a search strategy based on the model evaluation index, and continuously searching a new student model in the search space by using the updated search strategy until a search stopping condition is detected to obtain the student model.
Further, the challenge sample generating device includes:
the determination module is used for acquiring an initialized confrontation sample generation strategy and determining a target teacher model and a target attack algorithm corresponding to the sampling based on the confrontation sample generation strategy;
the reinforcement learning module is used for performing reinforcement learning based on the target teacher model and the target attack algorithm to obtain an intermediate confrontation sample, and optimizing the confrontation sample generation strategy based on the intermediate confrontation sample;
a generation module for determining a confrontation sample participating in student model training based on the intermediate confrontation sample;
and the iteration module is used for performing iterative reinforcement learning training based on the optimized countermeasure sample generation strategy until an iteration stop condition is detected and the iterative reinforcement learning training is finished.
In addition, to achieve the above object, the present invention also provides a countermeasure sample generation terminal, including: a memory, a processor, and a challenge sample generation program stored on the memory and executable on the processor, the challenge sample generation program when executed by the processor implementing the steps of any of the above-described challenge sample generation methods.
In addition, to achieve the above object, the present invention further provides a readable storage medium having a challenge sample generation program stored thereon, wherein the challenge sample generation program, when executed by a processor, implements the steps of the challenge sample generation method according to any one of the above aspects.
The method comprises the steps of obtaining a countermeasure sample generation strategy, determining a target teacher model and a target attack algorithm corresponding to the sampling based on the countermeasure sample generation strategy, then performing reinforcement learning based on the target teacher model and the target attack algorithm to obtain an intermediate countermeasure sample, optimizing the countermeasure sample generation strategy based on the intermediate countermeasure sample, then determining countermeasure samples participating in student model training based on the intermediate countermeasure sample, and finally performing iterative reinforcement learning training based on the optimized countermeasure sample generation strategy until an iteration stop condition is detected, wherein the iterative reinforcement learning training is finished. One or more attack algorithms with the maximum attack strength and corresponding parameters are dynamically found for the current student model through the reinforcement learning algorithm, and then the confrontation samples containing difficult samples are efficiently generated to train the student model, so that the robustness of the model to attack is remarkably improved while the model training is accelerated.
Drawings
Fig. 1 is a schematic structural diagram of a terminal in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a first embodiment of the challenge sample generation method according to the present invention;
FIG. 3 is a schematic flow chart of reinforcement learning according to an embodiment of the confrontation sample generation method of the present invention;
FIG. 4 is a schematic flow chart of distillation countermeasure in an embodiment of the method for generating a countermeasure sample according to the present invention;
FIG. 5 is a schematic flow chart of neural structure search according to an embodiment of the method for generating a confrontation sample of the present invention;
FIG. 6 is a functional block diagram of an exemplary challenge sample generating device according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further described with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, fig. 1 is a schematic structural diagram of a terminal in a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the terminal may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, a communication bus 1002. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the object detection system configuration shown in FIG. 1 does not constitute a limitation of the terminal, and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a type of computer storage medium, may include an operating system, a network communication module, a user interface module, and a countermeasure sample generation program therein.
In the terminal shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting a user terminal and performing data communication with the user terminal; and the processor 1001 may be used to invoke the challenge sample generation program stored in the memory 1005.
In this embodiment, the terminal includes: the system comprises a memory 1005, a processor 1001 and a countermeasure sample generation program which is stored on the memory 1005 and can run on the processor 1001, wherein when the processor 1001 calls the countermeasure sample generation program stored in the memory 1005, the steps of the countermeasure sample generation method provided by each embodiment of the application are executed.
The invention also provides a countermeasure sample generation method, and referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of the countermeasure sample generation method of the invention.
While a logical order is shown in the flowcharts, in some cases, the steps shown or described may be performed in an order different than presented herein.
In this embodiment, the countermeasure sample generation method includes:
step S10, obtaining a countermeasure sample generating strategy, and determining a target teacher model and a target attack algorithm corresponding to the sampling based on the countermeasure sample generating strategy;
In this embodiment: with the development of artificial intelligence technology, deep learning based on neural networks has achieved good performance on many machine learning tasks such as image classification, machine translation and speech recognition. To obtain the best output, a deep neural network with many layers and a very large number of parameters is generally used. Such a complex structure significantly improves the model's output, but it makes deployment difficult on mobile devices with little storage space, and on low-power mobile devices with weak computing performance it causes inference latency too large to be of practical value. Complex neural network models are therefore compressed efficiently, to reduce storage overhead and speed up inference. Common compression methods include parameter quantization, matrix decomposition, model pruning and knowledge distillation. Knowledge distillation compresses a model to reduce its complexity while mitigating the loss of prediction accuracy that compression causes, and it has become the mainstream neural network compression method.
In knowledge distillation, a model with a very large number of parameters and a complex network structure is generally called a teacher model, and a model with fewer parameters and a relatively simple structure is called a student model. The teacher model guides the training of the student model through the output of its intermediate network layers or the classification information of its output layer; training generally uses KL divergence, cross entropy and the like as the optimization targets of knowledge distillation.
The adversarial sample generation method provided by the invention transfers the knowledge learned by a plurality of teacher models to one student model. During knowledge distillation, a reinforcement learning algorithm dynamically finds, for the current student model, the one or more attack algorithms with the greatest attack strength and their parameters, and thereby efficiently generates adversarial samples containing hard samples for training the student model; this accelerates adversarial sample generation while markedly improving the model's robustness to attack.
Specifically, a reinforcement learning algorithm uses the teacher models to generate the adversarial samples that take part in the student model's adversarial training. As shown in fig. 3, the adversarial sample generation strategy is called the sampling strategy S for short; it comprises the usage probability of each teacher model, the usage probability of each attack algorithm, and the parameter selection for each attack algorithm. The sampling strategy S is obtained; the usage probability of each teacher model for this round of adversarial samples is determined from S, which determines the target teacher model used to generate the adversarial samples; and a target attack algorithm is selected from the attack algorithms according to their usage probabilities. The preset attack algorithms may be FGSM (Fast Gradient Sign Method), PGD (Projected Gradient Descent), BIM (Basic Iterative Method), the CW attack (Carlini and Wagner attack), and the like.
Step S20, performing reinforcement learning based on the target teacher model and the target attack algorithm to obtain an intermediate countermeasure sample, and optimizing the countermeasure sample generation strategy based on the intermediate countermeasure sample;
specifically, step S20 includes:
step S21, generating an intermediate countermeasure sample based on the target teacher model by adopting a target attack algorithm;
In this embodiment, an intermediate adversarial sample is generated from the target teacher model with the target attack algorithm as follows. Each item of local training data comprises image data and the result label for that image data. The intermediate adversarial sample is obtained by adding a small perturbation to the image data of the local training data: with image data X, adversarial sample X' and perturbation η, X' = X + η. The perturbation η is obtained with the target attack algorithm: the model parameters of the target teacher model and the local training data are the inputs to the target attack algorithm, which yields an optimal perturbation η, and the resulting perturbation is superimposed on each corresponding item of image data in the local training data, that is, X' = X + η, giving the intermediate adversarial sample.
It should be noted that the countermeasure sample generation strategy includes N sub-strategies, each sub-strategy is composed of the use probability of each teacher model, the use probability of each attack algorithm, and parameters, the N sub-strategies generate N pairs of countermeasure sample subsets, and the N pairs of countermeasure sample subsets are intermediate countermeasure samples.
Step S22, calculating the attack probability of the intermediate adversarial sample on the student model, and determining a reward value based on the attack probability and the time taken to generate the intermediate adversarial sample;
In this embodiment, the attack probability of each adversarial sample subset on the current student model and the time taken to generate the adversarial samples are calculated, and a reward value R is obtained from the attack probability and the generation time. The higher the attack probability on the student model and the shorter the generation time, the higher the reward value R, which indicates that the strategy is more effective.
Step S23, updating the adversarial sample generation strategy based on the reward value.
Specifically, step S23 includes:
step a, controlling the controller to sample the use probability of each teacher model, the use probability of each attack algorithm and the use parameters at the next time based on the reward value;
and b, updating the countermeasure sample generation strategy according to the use probability of each teacher model, the use probability of each attack algorithm and the use parameters at the next time.
The controller RNN may be updated by a policy gradient method, thereby updating the adversarial sample generation strategy. The policy gradient method is an algorithm often used in reinforcement learning. It optimizes the policy directly: it back-propagates directly from the observed information and uses the reward value R to raise or lower the probability of the selected policy, so that a policy that obtains a larger reward value R becomes more likely to be selected next time, and vice versa. Specifically, a strategy consists of the usage probability of each teacher model, the usage probability of each attack algorithm and the corresponding parameters, and for a strategy that obtains a larger reward value R, the probabilities of the teacher model, the attack algorithm and the parameters used under that strategy are increased. The adversarial sample generation strategy is updated with the reward value as follows: the parameters of the controller are updated according to the reward value; the controller is then made to sample the usage probability of each teacher model, the usage probability of each attack algorithm and the usage parameters for the next round; and the adversarial sample generation strategy is updated from those values.
Step S30, determining a confrontation sample participating in student model training based on the intermediate confrontation sample;
specifically, step S30 includes:
step S31, obtaining a prize value corresponding to each countermeasure sample subset in an intermediate countermeasure sample, wherein the intermediate countermeasure sample is composed of the countermeasure samples included in each countermeasure sample subset;
in this embodiment, the countermeasure sample generation strategy includes N sub-strategies, each sub-strategy is composed of the usage probability of each teacher model, the usage probability of each attack algorithm, and parameters, and the N sub-strategies generate N pairs of countermeasure sample subsets, which are intermediate countermeasure samples. As described above, the reward value corresponding to each confrontation sample subset is obtained according to the attack probability of each confrontation sample subset to the current student model and the time for generating the confrontation sample, and can be directly obtained.
Step S32, determining the selected reward values of the preset number based on the reward values corresponding to the various confrontation sample subsets;
in step S33, the countermeasure sample subsets corresponding to the selected predetermined number of reward values are determined as the countermeasure samples participating in the student model training.
In the embodiment, part of the confrontation samples are selected as the confrontation samples participating in the student model training in all the intermediate confrontation samples by using the reward values corresponding to the respective subsets of the confrontation samples.
Specifically, the reward values of the adversarial sample subsets are evaluated and the preset number of best strategies is selected. Because a higher attack probability on the student model and a shorter generation time give a higher reward value R, indicating a more effective strategy, the larger reward values should be chosen when selecting the best ones. Either a reward threshold is set and the adversarial sample subsets corresponding to the k reward values greater than the threshold are used as the adversarial samples for student model training; or the reward values are sorted from largest to smallest and the adversarial sample subsets corresponding to the first k reward values are used.
And step S40, performing iterative reinforcement learning training based on the optimized countermeasure sample generation strategy until an iteration stop condition is detected, and ending the iterative reinforcement learning training.
In this embodiment, the optimized countermeasure sample generation strategy is used to keep determining a new target teacher model and a new target attack algorithm. Reinforcement learning is performed with the new target teacher model and the new target attack algorithm to obtain new intermediate countermeasure samples, the countermeasure sample generation strategy is updated based on the new intermediate countermeasure samples, and the next sampling is performed to generate further intermediate countermeasure samples, until an iteration stop condition is detected and the iterative reinforcement learning training ends. The iteration stop condition is as follows: when the student model carries out distillation learning and confrontation training, a training stop message is sent. When the training stop message is detected, the iterative reinforcement learning training also ends.
As shown in fig. 4, a plurality of teacher models are used according to a reinforcement learning algorithm to generate confrontation samples participating in student model training, and the student models are further subjected to distillation learning and confrontation training by using local training data and the generated confrontation samples, so that the knowledge of the teacher models is migrated into the student models, and the student models after distillation confrontation are obtained.
Further, in an embodiment, before the step S10, the method further includes:
step S50, determining a network architecture search space corresponding to the student model, wherein the search space defines the network architecture search range;
step S60, initializing a search strategy of the student model, and searching in the search space based on the current search strategy to obtain an initial student model;
and step S70, determining a model evaluation index, updating a search strategy based on the model evaluation index, and continuously searching a new student model in the search space by using the updated search strategy until a search stopping condition is detected to obtain the student model.
In this embodiment, the network structure of the student model may adopt the design of an existing efficient network, or NAS (neural architecture search) may be used to find a network model that is both efficient and secure. Common NAS methods include methods based on reinforcement learning, on genetic algorithms, and on gradient-based optimization. As shown in fig. 5, the principle of NAS is to search out the optimal network structure, by a specific strategy, from a set of candidate neural network structures called the search space. The quality of a searched neural network structure is measured by classification accuracy, calculation speed, the capability of defending against confrontation samples and the like, which is called performance evaluation.
Further, in each iteration of the search process, a sample is taken from the search space to obtain a neural network structure, referred to as a sub-network. The sub-network is trained by the distillation method together with the confrontation samples generated by the teacher model, and the attack probability of the confrontation samples on the sub-network can be calculated at the same time. In the neural network structure search stage, a lower attack probability indicates higher robustness of the network structure to the confrontation samples, and the performance of the sub-network is evaluated comprehensively by combining this with indexes such as classification accuracy and calculation speed. The search strategy is updated according to these indexes, and a new sub-network structure is searched for. This step is repeated until the optimal sub-network is found. Finally, a student model that has a high calculation speed and is robust to confrontation samples can be obtained.
The countermeasure sample generation method provided by this embodiment obtains a countermeasure sample generation strategy, determines a target teacher model and a target attack algorithm corresponding to this sampling based on the countermeasure sample generation strategy, performs reinforcement learning based on the target teacher model and the target attack algorithm to obtain an intermediate countermeasure sample, optimizes the countermeasure sample generation strategy based on the intermediate countermeasure sample, determines countermeasure samples participating in student model training based on the intermediate countermeasure sample, and performs iterative reinforcement learning training based on the optimized countermeasure sample generation strategy until an iteration stop condition is detected, and the iterative reinforcement learning training is completed. One or more attack algorithms with the maximum attack strength and corresponding parameters are dynamically found for the current student model through the reinforcement learning algorithm, and then confrontation samples containing difficult samples are efficiently generated to train the student model, so that the robustness of the model to attack is remarkably improved while the model training is accelerated.
A second embodiment of the countermeasure sample generation method according to the present invention is provided based on the first embodiment, and in this embodiment, before step S10, the method further includes:
step S80, training a preset intermediate teacher model based on local training data to obtain a trained teacher model, wherein the intermediate teacher model is a teacher model trained based on an open sample library;
In this embodiment, a teacher model and an initial student model are determined, where the student model may adopt an existing, simplified, high-efficiency network structure with a low computation cost, such as SqueezeNet, MobileNet, ShuffleNet, etc.; alternatively, a Neural Architecture Search (NAS) method may be used to find the network architecture automatically.
Further, one or more complex network recognition models (in face recognition, such as FaceNet, ArcFace, and the like; in image classification, such as Inception, VGG, ResNet, and the like) are obtained as teacher models, such as teacher model 1, …, teacher model N. The initial teacher model is trained with the public sample library to obtain an intermediate teacher model, where the public sample library is selected according to actual conditions, such as the MegaFace data set. A model test is performed on the intermediate teacher model using the local training data; if the test is unqualified, the intermediate teacher model is further trained with the local training data to obtain a trained teacher model, so as to ensure that the prediction output of the teacher model is consistent when the same training data is input.
The step S10 includes: and determining the target teacher model in the trained teacher model based on the confrontation sample generation strategy, and determining the target attack algorithm in a preset attack algorithm table.
In the embodiment, a plurality of trained teacher models are provided, and a target teacher model is determined in the trained teacher models according to a confrontational sample generation strategy; the preset attack algorithms also comprise a plurality of preset attack algorithms, and the target attack algorithm is determined in a preset attack algorithm table according to the countermeasure sample generation strategy.
Further, in an embodiment, after the step S40, the method further includes:
step S90, distilling learning and confrontation training are carried out on the student model simultaneously based on local training data, the confrontation sample and the trained teacher model, and a total loss function value is obtained;
the overall loss function value is a sum of a first loss function value determined based on the local training data and a second loss function value determined based on the challenge sample.
Specifically, step S90 includes:
step S91, inputting local training data into the teacher model and the student model respectively, performing optimization training on the student model by using a knowledge distillation algorithm, and determining the first loss function value;
The local training data are input into the teacher model and the student model respectively, and the teacher model outputs a prediction result and an intermediate result (intermediate feature data). The prediction output of the teacher network is divided by a temperature parameter (T) and then passed through a softmax transformation, which yields a softened probability distribution (soft target) whose values are distributed more smoothly. The hard target (hard label) is the real label of the local training data, and can be represented by a one-hot vector. The total loss function value can be expressed as:
Figure BDA0002435931700000121
where Q_s represents the predicted output of the student model,
Figure BDA0002435931700000132
and
Figure BDA0002435931700000133
respectively represent the soft target values obtained by dividing the predicted outputs of the student model and the teacher model by the temperature parameter and then performing the softmax transformation; F_ce and F_kd respectively represent the cross entropy loss function value (cross entropy loss) and the KL divergence loss function value (Kullback-Leibler divergence loss); α is used for adjusting the relative weight of F_ce and F_kd; and T is the temperature parameter.
Meanwhile, intermediate feature maps of the teacher model network and the corresponding feature maps of the student model can be introduced, and the L2 loss between the two feature maps is calculated, which accelerates the training of the student network and improves the distillation effect.
Figure BDA0002435931700000131
F_l2 represents the L2 loss function value, and Ws and Wt represent the feature maps of the corresponding student model and teacher model. Note that the loss function value of the intermediate feature map is optional; if it is not needed, β is 0.
Step S92, inputting the confrontation sample into the student model, and calculating the second loss function value according to the real label of the confrontation sample;
In this embodiment, after the teacher model is used, according to the reinforcement learning algorithm, to generate the confrontation samples participating in student model training, the confrontation samples are input into the student model, and a loss function value is determined according to the true labels of the confrontation samples, so that the student model can produce the correct output for the confrontation samples.
Step S93, obtaining the total loss function value based on the first loss function value and the second loss function value.
In this embodiment, the total loss function value is equal to the sum of the first loss function value and the second loss function value, and the migration of the knowledge of the teacher model into the student model is achieved using the total loss function value.
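The loss bookkeeping of steps S91 to S93, as an added example that is not code from the patent. Because the equation images are not reproduced on this page, the form α·F_ce + (1 − α)·T²·F_kd + β·F_l2 used for the first loss is an assumption (the common knowledge-distillation form), as are all function names and the constructed logits.

```python
import math


def log_softmax(logits, temperature=1.0):
    """Log of softmax(logits / temperature), via a stable log-sum-exp."""
    scaled = [z / temperature for z in logits]
    peak = max(scaled)
    lse = peak + math.log(sum(math.exp(z - peak) for z in scaled))
    return [z - lse for z in scaled]


def cross_entropy(logits, label):
    """F_ce: cross entropy of the prediction against the hard (one-hot) label."""
    return -log_softmax(logits)[label]


def kd_divergence(student_logits, teacher_logits, temperature):
    """F_kd: KL(teacher soft target || student soft target) at temperature T."""
    log_t = log_softmax(teacher_logits, temperature)
    log_s = log_softmax(student_logits, temperature)
    return sum(math.exp(lt) * (lt - ls) for lt, ls in zip(log_t, log_s))


def l2_feature_loss(student_map, teacher_map):
    """F_l2: mean squared difference between two flattened feature maps."""
    if len(student_map) != len(teacher_map):
        raise ValueError("feature maps must have the same number of elements")
    squared = sum((s - t) ** 2 for s, t in zip(student_map, teacher_map))
    return squared / len(student_map)


def first_loss(clean_batch, alpha, temperature, beta=0.0):
    """Step S91: distillation loss on local training data (assumed form)."""
    if not clean_batch:
        raise ValueError("clean_batch is empty")
    total = 0.0
    for sample in clean_batch:
        hard = cross_entropy(sample["student"], sample["label"])
        soft = kd_divergence(sample["student"], sample["teacher"], temperature)
        loss = alpha * hard + (1.0 - alpha) * temperature ** 2 * soft
        if beta:  # the feature-map term is optional; beta = 0 disables it
            loss += beta * l2_feature_loss(sample["student_feat"],
                                           sample["teacher_feat"])
        total += loss
    return total / len(clean_batch)


def second_loss(adversarial_batch):
    """Step S92: student cross entropy on adversarial samples vs. true labels."""
    if not adversarial_batch:
        raise ValueError("adversarial_batch is empty")
    total = sum(cross_entropy(s["student"], s["label"]) for s in adversarial_batch)
    return total / len(adversarial_batch)


def total_loss(clean_batch, adversarial_batch, alpha, temperature, beta=0.0):
    """Step S93: total loss = first loss + second loss."""
    return (first_loss(clean_batch, alpha, temperature, beta)
            + second_loss(adversarial_batch))


# Constructed logits for a 3-class problem (not taken from the patent).
CLEAN = [
    {"student": [2.0, 0.5, 0.1], "teacher": [4.0, 1.0, 0.2], "label": 0,
     "student_feat": [0.2, 0.4, 0.1], "teacher_feat": [0.3, 0.5, 0.1]},
    {"student": [0.3, 1.8, 0.2], "teacher": [0.5, 3.5, 0.4], "label": 1,
     "student_feat": [0.7, 0.1, 0.0], "teacher_feat": [0.6, 0.2, 0.1]},
]
# Same true label (0); one student is fooled by the perturbation, one is not.
ADV_FOOLED = [{"student": [0.2, 2.9, 0.1], "label": 0}]
ADV_ROBUST = [{"student": [2.9, 0.2, 0.1], "label": 0}]

if __name__ == "__main__":
    for name, adv in (("fooled", ADV_FOOLED), ("robust", ADV_ROBUST)):
        value = total_loss(CLEAN, adv, alpha=0.5, temperature=4.0, beta=0.1)
        print(f"student {name} by adversarial sample: total loss = {value:.4f}")
```

With the clean batch held fixed, the total loss is larger for the fooled student, which is the signal that drives the student toward correct outputs on adversarial inputs.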
And S100, transferring the knowledge of the teacher model to the student model through the total loss function value to obtain the student model after distillation confrontation.
Specifically, step S100 includes:
step S110, based on the total loss function value, calculating by using a back propagation algorithm to obtain gradient information corresponding to the student model;
step S120, updating the student model based on the gradient information, and performing iterative distillation learning and confrontation training based on the updated student model;
and step S130, if the updated total loss function value is less than or equal to a preset threshold value, obtaining the student model after the distillation confrontation.
In this embodiment, in each training round, the total loss function value (loss) of that round is calculated, the gradient information corresponding to the student model is determined from the total loss function value by a back propagation algorithm, and an optimization algorithm (e.g., SGD, stochastic gradient descent) is selected to update the student model parameter values. When the preset number of training rounds is reached or the loss value is lower than the preset value, the training process ends and the student model after the distillation confrontation training is obtained.
Specifically, according to the total loss function value, gradient information corresponding to the student model is obtained through calculation by using a back propagation algorithm, the student model is updated according to the gradient information, iterative distillation learning and confrontation training are carried out according to the updated student model, and when the updated total loss function value is smaller than or equal to a preset threshold value, iteration is stopped, and the student model after distillation confrontation is obtained. For example, the preset value may be 0.001, and after a plurality of iterations, the total loss function value is continuously decreased to approach the preset threshold, which is determined according to the actual situation and is generally a positive number close to 0. For example, when the stopping condition is a training turn, the preset value may be 1000 times, or 20000 times if the stopping condition is a loss value.
According to the countermeasure sample generation method provided by the embodiment, one or more attack algorithms with the maximum attack strength and corresponding parameters are dynamically found for the current student model through the reinforcement learning algorithm, so that the countermeasure sample containing the difficult sample is efficiently generated, the local training data, the countermeasure sample and the teacher model are used for simultaneously carrying out distillation learning and countermeasure training on the student model, model compression and countermeasure training are considered, and the robustness of the model to attack is remarkably improved while the model training is accelerated.
The present invention further provides a challenge sample generating device, referring to fig. 6, fig. 6 is a functional block diagram of an embodiment of the challenge sample generating device of the present invention.
The determination module 10 is configured to acquire an initial countermeasure sample generation strategy, and determine a target teacher model and a target attack algorithm corresponding to the current sampling based on the countermeasure sample generation strategy;
the reinforcement learning module 20 is configured to perform reinforcement learning based on the target teacher model and the target attack algorithm to obtain an intermediate countermeasure sample, and optimize the countermeasure sample generation strategy based on the intermediate countermeasure sample;
a generating module 30, configured to determine a confrontation sample participating in student model training based on the intermediate confrontation sample;
and the iteration module 40 is configured to perform iterative reinforcement learning training based on the optimized countermeasure sample generation strategy until an iteration stop condition is detected and the iterative reinforcement learning training is finished.
Further, the reinforcement learning module 20 is further configured to:
generating an intermediate countermeasure sample based on the target teacher model by adopting a target attack algorithm;
the step of optimizing the challenge sample generation strategy based on the intermediate challenge sample comprises:
calculating the attack probability of the intermediate confrontation sample on the student model, and determining a reward value based on the attack probability and the time for generating the intermediate confrontation sample;
updating a countermeasure sample generation policy based on the reward value.
Further, the reinforcement learning module 20 is further configured to:
controlling the controller to sample the use probability of each teacher model, the use probability of each attack algorithm and use parameters at the next time based on the reward value;
and updating the countermeasure sample generation strategy according to the use probability of each teacher model, the use probability of each attack algorithm and the use parameters at the next time.
Further, the generating module 30 is further configured to:
obtaining a reward value corresponding to each countermeasure sample subset in an intermediate countermeasure sample, wherein the intermediate countermeasure sample consists of the countermeasure samples included in each countermeasure sample subset;
determining the selected preset number of reward values based on the reward values corresponding to the confrontation sample subsets respectively;
and determining the countermeasure sample subset corresponding to the selected preset number of reward values as the countermeasure sample participating in the student model training.
Further, the challenge sample generation apparatus further comprises:
the training module is used for training a preset intermediate teacher model based on local training data to obtain a trained teacher model, wherein the intermediate teacher model is a teacher model trained based on a public sample library;
the determining module 10 is further configured to determine the target teacher model in the trained teacher model based on the confrontation sample generating strategy, and determine the target attack algorithm in a preset attack algorithm table.
Further, the challenge sample generation apparatus further comprises:
the distillation antagonistic module is used for simultaneously carrying out distillation learning and antagonistic training on the student model based on local training data, the antagonistic sample and the trained teacher model to obtain a total loss function value;
and the migration module is used for migrating the knowledge of the teacher model to the student model through the total loss function value to obtain the student model after distillation confrontation.
Further, the distillation antagonizing module is further configured to:
inputting local training data into the teacher model and the student models respectively, performing optimization training on the student models by using a knowledge distillation algorithm, and determining a first loss function value;
inputting the confrontation sample into the student model, and calculating the second loss function value according to the real label of the confrontation sample;
and obtaining the total loss function value based on the first loss function value and the second loss function value.
Further, the distillation antagonizing module is further configured to:
calculating to obtain gradient information corresponding to the student model by using a back propagation algorithm based on the total loss function value;
updating the student model based on the gradient information, and performing iterative distillation learning and confrontation training based on the updated student model;
and if the updated total loss function value is less than or equal to a preset threshold value, obtaining the student model after the distillation confrontation.
Further, the challenge sample generation apparatus further comprises:
the screening module is used for determining a network architecture search space corresponding to the student model, wherein the search space defines the network architecture search range;
the search module is used for initializing a search strategy of the student model and searching in the search space based on the current search strategy to obtain an initial student model;
and the updating training module is used for determining the model evaluation index, updating the search strategy based on the model evaluation index, and continuously searching a new student model in the search space by using the updated search strategy until a search stopping condition is detected to obtain the student model.
In addition, an embodiment of the present invention further provides a readable storage medium, where a countermeasure sample generation program is stored, and when the countermeasure sample generation program is executed by a processor, the steps of the countermeasure sample generation method in each of the above embodiments are implemented.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better embodiment. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a readable storage medium (such as ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a system device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by the contents of the present specification and drawings, or used directly or indirectly in other related fields, are included in the scope of the present invention.

Claims (12)

1. A challenge sample generation method, comprising:
acquiring a countermeasure sample generation strategy, and determining a target teacher model and a target attack algorithm corresponding to the sampling based on the countermeasure sample generation strategy;
performing reinforcement learning based on the target teacher model and the target attack algorithm to obtain an intermediate confrontation sample, and optimizing the confrontation sample generation strategy based on the intermediate confrontation sample;
determining a confrontation sample participating in student model training based on the intermediate confrontation sample;
and performing iterative reinforcement learning training based on the optimized countermeasure sample generation strategy until an iteration stopping condition is detected, and finishing the iterative reinforcement learning training.
2. The countermeasure sample generation method of claim 1, wherein the step of performing reinforcement learning based on the target teacher model and the target attack algorithm to obtain an intermediate countermeasure sample comprises:
generating an intermediate countermeasure sample based on the target teacher model by adopting a target attack algorithm;
the step of optimizing the challenge sample generation strategy based on the intermediate challenge sample comprises:
calculating the attack probability of the intermediate confrontation sample on the student model, and determining a reward value based on the attack probability and the time for generating the intermediate confrontation sample;
updating a countermeasure sample generation policy based on the reward value.
3. The countermeasure sample generation method of claim 2, wherein the step of updating the countermeasure sample generation policy based on the reward value comprises:
controlling the controller to sample the use probability of each teacher model, the use probability of each attack algorithm and use parameters at the next time based on the reward value;
and updating the countermeasure sample generation strategy according to the use probability of each teacher model, the use probability of each attack algorithm and the use parameters at the next time.
4. The confrontation sample generation method of claim 2, wherein said determining the confrontation sample to participate in the student model training based on the intermediate confrontation sample comprises:
obtaining a reward value corresponding to each countermeasure sample subset in an intermediate countermeasure sample, wherein the intermediate countermeasure sample consists of the countermeasure samples included in each countermeasure sample subset;
determining the selected preset number of reward values based on the reward values corresponding to the various confrontation sample subsets;
and determining the countermeasure sample subset corresponding to the selected preset number of reward values as the countermeasure sample participating in the student model training.
5. The countermeasure sample generation method of claim 1, wherein before the step of obtaining a countermeasure sample generation policy, determining a target teacher model and a target attack algorithm corresponding to the current sampling based on the countermeasure sample generation policy, the method further comprises:
training a preset intermediate teacher model based on local training data to obtain a trained teacher model, wherein the intermediate teacher model is a teacher model trained based on a public sample library;
the method comprises the steps of obtaining a countermeasure sample generation strategy, and determining a target teacher model and a target attack algorithm corresponding to the sampling based on the countermeasure sample generation strategy, wherein the steps comprise:
and determining the target teacher model in the trained teacher model based on the confrontation sample generation strategy, and determining the target attack algorithm in a preset attack algorithm table.
6. The countermeasure sample generation method of claim 1, wherein the iterative reinforcement learning training is performed based on the optimized countermeasure sample generation strategy until an iteration stop condition is detected, and after the step of the iterative reinforcement learning training ending, the method further comprises:
performing distillation learning and confrontation training on the student model simultaneously based on local training data, the confrontation sample and the trained teacher model to obtain a total loss function value;
and transferring the knowledge of the teacher model to the student model through the total loss function value to obtain the student model after distillation confrontation.
7. The countermeasure sample generation method according to claim 6, wherein the step of performing simultaneous distillation learning and confrontation training on the student model based on the local training data, the confrontation sample, and the trained teacher model to obtain the total loss function value comprises:
inputting local training data into the teacher model and the student models respectively, performing optimization training on the student models by using a knowledge distillation algorithm, and determining a first loss function value;
inputting the confrontation sample into the student model, and calculating the second loss function value according to the real label of the confrontation sample;
and obtaining the total loss function value based on the first loss function value and the second loss function value.
8. The confrontation sample generating method according to claim 6, wherein said step of migrating the knowledge of said teacher model to said student model by said total loss function value, and obtaining a student model after distillation confrontation comprises:
calculating to obtain gradient information corresponding to the student model by using a back propagation algorithm based on the total loss function value;
updating the student model based on the gradient information, and performing iterative distillation learning and confrontation training based on the updated student model;
and if the updated total loss function value is less than or equal to a preset threshold value, obtaining the student model after the distillation confrontation.
9. The countermeasure sample generation method of any of claims 1-8, wherein the initializing a countermeasure sample generation policy, determining a target teacher model and a target attack algorithm corresponding to the present sampling based on the countermeasure sample generation policy, is preceded by the steps of:
determining a network architecture search space corresponding to a student model, wherein the search space defines a network architecture search range;
initializing a search strategy of the student model, and searching in the search space based on the current search strategy to obtain an initial student model;
determining a model evaluation index, updating a search strategy based on the model evaluation index, and continuously searching a new student model in the search space by using the updated search strategy until a search stopping condition is detected to obtain the student model.
10. A challenge sample generating device, characterized in that it comprises:
the determination module is used for acquiring an initialized confrontation sample generation strategy and determining a target teacher model and a target attack algorithm corresponding to the sampling based on the confrontation sample generation strategy;
the reinforcement learning module is used for performing reinforcement learning based on the target teacher model and the target attack algorithm to obtain an intermediate confrontation sample, and optimizing the confrontation sample generation strategy based on the intermediate confrontation sample;
a generation module for determining a confrontation sample participating in student model training based on the intermediate confrontation sample;
and the iteration module is used for performing iterative reinforcement learning training based on the optimized countermeasure sample generation strategy until an iteration stop condition is detected and the iterative reinforcement learning training is finished.
11. A countermeasure sample generation terminal, the terminal comprising: a memory, a processor and a challenge sample generation program stored on the memory and executable on the processor, the challenge sample generation program when executed by the processor implementing the steps of the challenge sample generation method of any of claims 1 to 9.
12. A readable storage medium, on which the countermeasure sample generation program is stored, which when executed by a processor implements the steps of the countermeasure sample generation method of any one of claims 1 to 9.
CN202010252297.6A 2020-04-01 2020-04-01 Countermeasure sample generation method, device, terminal and readable storage medium Pending CN111461226A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010252297.6A CN111461226A (en) 2020-04-01 2020-04-01 Countermeasure sample generation method, device, terminal and readable storage medium

Publications (1)

Publication Number Publication Date
CN111461226A true CN111461226A (en) 2020-07-28

Family

ID=71681611

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010252297.6A Pending CN111461226A (en) 2020-04-01 2020-04-01 Countermeasure sample generation method, device, terminal and readable storage medium

Country Status (1)

Country Link
CN (1) CN111461226A (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111767711A (en) * 2020-09-02 2020-10-13 之江实验室 Compression method and platform of pre-training language model based on knowledge distillation
CN112329930A (en) * 2021-01-04 2021-02-05 北京智源人工智能研究院 Countermeasure sample generation method and device based on proxy model
CN112329929A (en) * 2021-01-04 2021-02-05 北京智源人工智能研究院 Countermeasure sample generation method and device based on proxy model
CN112364641A (en) * 2020-11-12 2021-02-12 北京中科闻歌科技股份有限公司 Chinese countermeasure sample generation method and device for text audit
CN112381209A (en) * 2020-11-13 2021-02-19 平安科技(深圳)有限公司 Model compression method, system, terminal and storage medium
CN112613036A (en) * 2020-12-29 2021-04-06 北京天融信网络安全技术有限公司 Malicious sample enhancement method, malicious program detection method and corresponding devices
CN112883874A (en) * 2021-02-22 2021-06-01 中国科学技术大学 Active defense method aiming at deep face tampering
CN113222074A (en) * 2021-06-15 2021-08-06 百度在线网络技术(北京)有限公司 Method and device for evaluating target detection model
CN113221979A (en) * 2021-04-27 2021-08-06 北京市商汤科技开发有限公司 Sample generation method, neural network training method and device
CN113435334A (en) * 2021-06-28 2021-09-24 中国科学院上海微***与信息技术研究所 Small target face recognition method based on deep learning
CN113487889A (en) * 2021-07-19 2021-10-08 浙江工业大学 Traffic state anti-disturbance generation method based on single intersection signal control of rapid gradient descent
CN113721456A (en) * 2021-03-03 2021-11-30 京东城市(北京)数字科技有限公司 Control model training method and device, computer equipment and storage medium
CN113869529A (en) * 2021-12-02 2021-12-31 支付宝(杭州)信息技术有限公司 Method for generating countermeasure sample, model evaluation method, device and computer equipment
CN114169392A (en) * 2021-10-29 2022-03-11 阿里巴巴(中国)有限公司 Model training method and device, task processing method, storage medium and processor
WO2022057468A1 (en) * 2020-09-18 2022-03-24 苏州浪潮智能科技有限公司 Deep learning model inference acceleration method and system, and device and medium
DE102021200643B3 (en) 2021-01-25 2022-03-31 Volkswagen Aktiengesellschaft Method for environment recognition for semi-autonomous or autonomous driving functions of a motor vehicle using a neural network
CN115085805A (en) * 2022-06-09 2022-09-20 南京信息工程大学 Few-mode multi-core fiber optical performance monitoring method, system and device based on anti-distillation model and storage medium
CN115131599A (en) * 2022-04-19 2022-09-30 浙江大学 Image classification method based on deviation resistance and robustness knowledge distillation
CN116738429A (en) * 2023-08-15 2023-09-12 之江实验室 Target detection engine optimization method, device and system based on generation countermeasure
CN117493496A (en) * 2023-12-27 2024-02-02 环球数科集团有限公司 Generation countermeasure type sample processing system of natural language model
CN117765484A (en) * 2023-12-04 2024-03-26 淮阴工学院 Intelligent vehicle line pressing detection method and device based on countermeasure distillation and real-time target detection

Cited By (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111767711A (en) * 2020-09-02 2020-10-13 之江实验室 Compression method and platform of pre-training language model based on knowledge distillation
US11341326B2 (en) 2020-09-02 2022-05-24 Zhejiang Lab Compression method and platform of pre-training language model based on knowledge distillation
GB2608919A (en) * 2020-09-02 2023-01-18 Zhejiang Lab Knowledge distillation-based compression method for pre-trained language model, and platform
WO2021248868A1 (en) * 2020-09-02 2021-12-16 之江实验室 Knowledge distillation-based compression method for pre-trained language model, and platform
WO2022057468A1 (en) * 2020-09-18 2022-03-24 苏州浪潮智能科技有限公司 Deep learning model inference acceleration method and system, and device and medium
CN112364641A (en) * 2020-11-12 2021-02-12 北京中科闻歌科技股份有限公司 Chinese countermeasure sample generation method and device for text audit
CN112381209B (en) * 2020-11-13 2023-12-22 平安科技(深圳)有限公司 Model compression method, system, terminal and storage medium
CN112381209A (en) * 2020-11-13 2021-02-19 平安科技(深圳)有限公司 Model compression method, system, terminal and storage medium
WO2021197223A1 (en) * 2020-11-13 2021-10-07 平安科技(深圳)有限公司 Model compression method, system, terminal, and storage medium
CN112613036A (en) * 2020-12-29 2021-04-06 北京天融信网络安全技术有限公司 Malicious sample enhancement method, malicious program detection method and corresponding devices
CN112329930B (en) * 2021-01-04 2021-04-16 北京智源人工智能研究院 Countermeasure sample generation method and device based on proxy model
CN112329929B (en) * 2021-01-04 2021-04-13 北京智源人工智能研究院 Countermeasure sample generation method and device based on proxy model
CN112329929A (en) * 2021-01-04 2021-02-05 北京智源人工智能研究院 Countermeasure sample generation method and device based on proxy model
CN112329930A (en) * 2021-01-04 2021-02-05 北京智源人工智能研究院 Countermeasure sample generation method and device based on proxy model
DE102021200643B3 (en) 2021-01-25 2022-03-31 Volkswagen Aktiengesellschaft Method for environment recognition for semi-autonomous or autonomous driving functions of a motor vehicle using a neural network
CN112883874A (en) * 2021-02-22 2021-06-01 中国科学技术大学 Active defense method aiming at deep face tampering
CN112883874B (en) * 2021-02-22 2022-09-06 中国科学技术大学 Active defense method aiming at deep face tampering
CN113721456A (en) * 2021-03-03 2021-11-30 京东城市(北京)数字科技有限公司 Control model training method and device, computer equipment and storage medium
CN113221979A (en) * 2021-04-27 2021-08-06 北京市商汤科技开发有限公司 Sample generation method, neural network training method and device
CN113222074A (en) * 2021-06-15 2021-08-06 百度在线网络技术(北京)有限公司 Method and device for evaluating target detection model
CN113222074B (en) * 2021-06-15 2023-08-22 百度在线网络技术(北京)有限公司 Method and device for evaluating target detection model
CN113435334B (en) * 2021-06-28 2024-02-27 中国科学院上海微***与信息技术研究所 Small target face recognition method based on deep learning
CN113435334A (en) * 2021-06-28 2021-09-24 中国科学院上海微***与信息技术研究所 Small target face recognition method based on deep learning
CN113487889A (en) * 2021-07-19 2021-10-08 浙江工业大学 Traffic state anti-disturbance generation method based on single intersection signal control of rapid gradient descent
CN114169392A (en) * 2021-10-29 2022-03-11 阿里巴巴(中国)有限公司 Model training method and device, task processing method, storage medium and processor
CN113869529A (en) * 2021-12-02 2021-12-31 支付宝(杭州)信息技术有限公司 Method for generating countermeasure sample, model evaluation method, device and computer equipment
CN115131599A (en) * 2022-04-19 2022-09-30 浙江大学 Image classification method based on deviation resistance and robustness knowledge distillation
CN115085805A (en) * 2022-06-09 2022-09-20 南京信息工程大学 Few-mode multi-core fiber optical performance monitoring method, system and device based on anti-distillation model and storage medium
CN115085805B (en) * 2022-06-09 2024-03-19 南京信息工程大学 Fiber optical performance monitoring method and system based on anti-distillation model
CN116738429A (en) * 2023-08-15 2023-09-12 之江实验室 Target detection engine optimization method, device and system based on generation countermeasure
CN116738429B (en) * 2023-08-15 2023-11-14 之江实验室 Target detection engine optimization method, device and system based on generation countermeasure
CN117765484A (en) * 2023-12-04 2024-03-26 淮阴工学院 Intelligent vehicle line pressing detection method and device based on countermeasure distillation and real-time target detection
CN117493496A (en) * 2023-12-27 2024-02-02 环球数科集团有限公司 Generation countermeasure type sample processing system of natural language model
CN117493496B (en) * 2023-12-27 2024-04-16 环球数科集团有限公司 Generation countermeasure type sample processing system of natural language model

Similar Documents

Publication Publication Date Title
CN111461226A (en) Countermeasure sample generation method, device, terminal and readable storage medium
KR102422729B1 (en) Learning Data Augmentation Policy
US11790238B2 (en) Multi-task neural networks with task-specific paths
EP3711000B1 (en) Regularized neural network architecture search
CN113657465B (en) Pre-training model generation method and device, electronic equipment and storage medium
CN113408743A (en) Federal model generation method and device, electronic equipment and storage medium
US20240135191A1 (en) Method, apparatus, and system for generating neural network model, device, medium, and program product
CN111382868A (en) Neural network structure search method and neural network structure search device
US11423307B2 (en) Taxonomy construction via graph-based cross-domain knowledge transfer
CN107392919A (en) Gray threshold acquisition methods, image partition method based on self-adapted genetic algorithm
CN113158554B (en) Model optimization method and device, computer equipment and storage medium
CN112560985A (en) Neural network searching method and device and electronic equipment
CN114492601A (en) Resource classification model training method and device, electronic equipment and storage medium
WO2023215658A1 (en) Implementing monotonic constrained neural network layers using complementary activation functions
CN115910062A (en) Audio recognition method, device, equipment and storage medium
KR20240034804A (en) Evaluating output sequences using an autoregressive language model neural network
KR20220134627A (en) Hardware-optimized neural architecture discovery
CN113240430A (en) Mobile payment verification method and device
CN113128677A (en) Model generation method and device
Huang et al. Elastic DNN Inference with Unpredictable Exit in Edge Computing
US20240046068A1 (en) Information processing device for improving quality of generator of generative adversarial network (gan)
US20230403204A1 (en) Method, electronic device, and computer program product for information-centric networking
CN114926856A (en) Knowledge anti-forgetting earthquake survivor identification method and device
CN114418122A (en) Hyper-parameter configuration method and device of machine learning model and readable storage medium
CN116910653A (en) Federal semi-supervised learning method, medium and equipment suitable for accurate classification

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination