CN111914928A - Method for defending against adversarial samples for an image classifier - Google Patents

Method for defending against adversarial samples for an image classifier

Info

Publication number
CN111914928A
Authority
CN
China
Prior art keywords
image
model
training data
mini-batch
image training
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010749009.8A
Other languages
Chinese (zh)
Other versions
CN111914928B (en)
Inventor
诸渝 (ZHU Yu)
许封元 (XU Fengyuan)
仲盛 (ZHONG Sheng)
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University
Original Assignee
Nanjing University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing University filed Critical Nanjing University
Priority to CN202010749009.8A priority Critical patent/CN111914928B/en
Publication of CN111914928A publication Critical patent/CN111914928A/en
Application granted granted Critical
Publication of CN111914928B publication Critical patent/CN111914928B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • G06N3/084Backpropagation, e.g. using gradient descent
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02TCLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00Road transport of goods or passengers
    • Y02T10/10Internal combustion engine [ICE] based vehicles
    • Y02T10/40Engine management systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Computational Linguistics (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Image Analysis (AREA)

Abstract

The invention discloses a method of defending against adversarial samples for an image classifier. The method first constructs a model, prepares image training data, and initializes the hyper-parameters; next, it divides the image training data into a number of batches; it then updates the model parameters using one batch of image training data, which comprises: generating adversarial samples, mixing the adversarial samples with the image training data, adjusting the relative positions of the image data among the adversarial samples, and updating the model parameters with the back-propagation algorithm; the image training data of the remaining batches are used in turn to update the model parameters; a new round of training is then started, until training is finished; finally, the trained model is output. The invention combines the Siamese architecture with adversarial training; it improves on the traditional adversarial training algorithm and can better withstand adversarial sample attacks on image classifiers.

Description

Method for defending against adversarial samples for an image classifier
Technical Field
The invention relates to a method of defending against adversarial samples for an image classifier. It concerns image classifiers based on neural networks and belongs to the field of image classification.
Background
In recent years, with the explosive growth of data volume and computing power, deep learning has developed rapidly, and neural networks in particular serve a wide range of applications with excellent performance. For example, in image classification, an image classifier built on neural network techniques can achieve excellent classification results. However, neural networks also face severe security issues, of which adversarial samples are a typical example.
An adversarial sample is a malicious picture formed by deliberately adding a weak perturbation to a normal picture; it can mislead a neural-network-based image classification model into producing a wrong output. The existence of adversarial samples seriously threatens the robustness of classification models, and the threat is all the more serious when the security requirements placed on the model are high.
Adversarial training is widely used as an effective defense method. Its core idea is that, in each iteration of model training, adversarial samples are dynamically generated from the current model with some attack algorithm and used as training data, together with the original image training data, to carry out the current round of training. A model obtained through adversarial training shows a markedly improved ability to defend itself against adversarial samples. However, adversarial training does not use the image training data sufficiently: it neglects the interrelationships between different image data, which brings certain drawbacks. In the feature space of an adversarially trained model, features of same-class data are not close enough, while features of different-class data are not far enough apart and overlap with one another, which limits the robustness of the model.
Disclosure of Invention
The purpose of the invention is as follows: aiming at the problems and shortcomings of the prior art, the invention provides a method of defending against adversarial samples for an image classifier, which effectively overcomes the shortcomings of the traditional adversarial training algorithm for image classifiers and further improves the classification model's ability to defend against adversarial sample attacks.
There are three possible relationships between any set of adversarial samples and normal image data: 1) the adversarial samples are generated from the normal image data, and the two correspond one-to-one; 2) the adversarial samples and the normal image data belong to the same category but do not correspond one-to-one; 3) the adversarial samples and the normal image data belong to different categories. The invention combines the traditional adversarial training algorithm with the Siamese architecture and designs a rearrangement mechanism for the adversarial samples, thereby fully exploiting these three relationships between adversarial samples and normal image data, effectively reducing the intra-class distance and enlarging the inter-class distance in the feature space, so that the trained model has a stronger ability to resist adversarial samples.
The technical scheme is as follows: a method of adversarial sample defense for an image classifier, comprising the steps of:
step 1, constructing a model and preparing image training data;
step 2, randomly dividing the image training data into a number of mini-batches;
step 3, performing one parameter update of the model using the image training data of one mini-batch;
a) selecting the image training data of a mini-batch that has not yet participated in the calculation, and generating the corresponding adversarial samples;
b) mixing the adversarial samples generated in the previous step with the corresponding image training data, and adjusting the relative position of each image datum among the adversarial samples;
c) updating the model parameters once by means of the back-propagation algorithm;
step 4, repeating step 3 until all the mini-batches divided in step 2 have participated in the calculation;
step 5, repeating steps 2-4 until the model finishes training;
step 6, outputting the model trained in step 5.
Random partitioning of the image training set into a number of mini-batches
Assume the image training set contains D pieces of image training data and the preset mini-batch size is n. First, the D pieces of image training data are randomly shuffled, and then selected sequentially according to the mini-batch size, so that the image training set is divided into m mini-batches, where

m = ⌈D/n⌉
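For illustration only, this partitioning can be sketched in a few lines of Python; the helper name make_minibatches and the use of index lists are assumptions, not part of the patent:

```python
import math
import random

def make_minibatches(num_items, n):
    """Randomly shuffle D item indices and cut them into m = ceil(D/n) mini-batches."""
    indices = list(range(num_items))
    random.shuffle(indices)                      # randomly shuffle the D pieces of training data
    m = math.ceil(num_items / n)                 # m = ceil(D / n)
    return [indices[i * n:(i + 1) * n] for i in range(m)]
```

For D = 50000 and n = 256 this yields the m = 196 mini-batches used in the embodiment below.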
Selecting the image training data of a mini-batch that has not yet participated in the calculation, and generating the corresponding adversarial samples
For any unused mini-batch of image training data X = (x₁, x₂, …, xₙ), under the current model, a chosen adversarial attack algorithm is used to generate the adversarial samples corresponding to X:

X̂ = (x̂₁, x̂₂, …, x̂ₙ)
Mixing the generated adversarial samples with the corresponding image training data, and adjusting the relative position of each image datum among the adversarial samples
Preset a division ratio λ, λ ∈ [0,1]. According to λ, divide the adversarial samples X̂ into two parts X̂₁ and X̂₂, where:

X̂₁ = (x̂₁, …, x̂ₖ),  X̂₂ = (x̂ₖ₊₁, …, x̂ₙ),  k = ⌊λ·n⌋

Randomly adjust the position of each image instance in X̂₂, i.e. rearrange X̂₂. Splice X̂₁ and the rearranged X̂₂ to obtain X̃ = (x̃₁, x̃₂, …, x̃ₙ). Perform the same operation on the data labels Y of the image training data X to obtain the labels Ỹ = (ỹ₁, ỹ₂, …, ỹₙ) corresponding to the adversarial samples X̃. Compute the identity vector T = (t₁, t₂, …, tₙ): when xᵢ and x̃ᵢ belong to the same class, i.e. when the corresponding data labels yᵢ and ỹᵢ are equal, tᵢ = 1; otherwise tᵢ = 0.
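A minimal PyTorch sketch of this rearrangement mechanism (the function name and tensor layout are assumptions; the patent does not prescribe an implementation):

```python
import torch

def rearrange_adversarial_batch(x_hat, y, lam):
    """Split the adversarial batch X_hat by ratio lam, randomly rearrange the
    second part, splice the parts back together, and compute the identity vector T."""
    n = x_hat.size(0)
    k = int(lam * n)                                  # size of the fixed part X_hat_1
    perm = torch.randperm(n - k) + k                  # random order for X_hat_2
    idx = torch.cat([torch.arange(k), perm])          # splice X_hat_1 with rearranged X_hat_2
    x_tilde, y_tilde = x_hat[idx], y[idx]             # rearranged samples and their labels
    t = (y == y_tilde).float()                        # t_i = 1 iff x_i and x_tilde_i share a class
    return x_tilde, y_tilde, t
```

Because adversarial samples keep the labels of the images they were generated from, comparing y with the rearranged labels directly gives the identity vector T.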
Updating the model parameters once by means of the back-propagation algorithm
Let the parameter of the model be W and set the learning rate to a. The loss function is defined as follows:

L = α·l(f(X; W), Y) + β·l(f(X̃; W), Ỹ) + γ·l_con(φ(X; W), φ(X̃; W), T)

where α, β and γ are preset hyper-parameters, l(·) is the cross-entropy loss function, l_con(·) is the contrastive loss function, f(·; W) denotes the classifier output and φ(·; W) the features it extracts. During training, a Siamese architecture is adopted: X and X̃ serve simultaneously as inputs of the network, the gradient ∇_W L of W is calculated from the loss function L(·), and W is updated as

W ← W − a·∇_W L
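A sketch of one such update in PyTorch. The patent does not spell out l_con, so the classic margin-based contrastive loss is assumed here, and the model is assumed to return both logits and features:

```python
import torch
import torch.nn.functional as F

def siamese_update(model, optimizer, x, y, x_tilde, y_tilde, t,
                   alpha=0.5, beta=0.5, gamma=1.0, margin=1.0):
    """One back-propagation update of the shared weights W under the combined loss."""
    t = t.float()
    logits, feat = model(x)                       # both branches share the same weights
    logits_t, feat_t = model(x_tilde)
    d = F.pairwise_distance(feat, feat_t)         # feature-space distance of each pair
    # assumed contrastive term: pull same-class pairs (t=1) together,
    # push different-class pairs (t=0) at least `margin` apart
    l_con = (t * d.pow(2) + (1 - t) * F.relu(margin - d).pow(2)).mean()
    loss = (alpha * F.cross_entropy(logits, y)
            + beta * F.cross_entropy(logits_t, y_tilde)
            + gamma * l_con)
    optimizer.zero_grad()
    loss.backward()                               # gradient of W via back propagation
    optimizer.step()                              # W <- W - a * grad_W(L)
    return loss.item()
```

Because the two branches share parameters, a single network evaluated twice is sufficient; no second copy of the weights is needed.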
Repeating steps 2-4 until the model finishes training
Preset the number of training rounds N. In each round, randomly divide the image training set into m mini-batches and perform m parameter updates of the model; model training is then finished.
The hyper-parameters include: the model learning rate, the mini-batch size, the maximum number of iterations, the coefficients α, β and γ of the components of the loss function, and the division ratio of the adversarial samples.
The model is an image classifier based on a neural network.
The image training data is data in a picture format.
The chosen adversarial attack algorithm may be: a targeted or untargeted attack, an iterative or single-step attack, or an attack under different norms, where the different norms include L₀, L₁, L₂ and L∞.
Has the advantages that: compared with the prior art, the method of defending against adversarial samples for an image classifier provided by the invention has the following advantages: the invention combines adversarial training with the Siamese architecture for the first time and designs a rearrangement mechanism for the adversarial samples, so that the image classification model fully exploits the interrelationships between image data during training, further improving the image classification model's ability to defend against adversarial samples.
Drawings
Fig. 1 is a diagram of the Siamese architecture in an embodiment of the present invention.
Detailed Description
The present invention is further illustrated by the following examples, which are intended to be purely exemplary and are not intended to limit the scope of the invention; various equivalent modifications of the invention will occur to those skilled in the art upon reading the present disclosure, and these fall within the scope of the appended claims.
The present invention will be described in detail using the classification of the Cifar10 dataset. The Cifar10 dataset contains 60000 color pictures of size 32 × 32, grouped into 10 categories, with 5000 training pictures and 1000 test pictures per category. We choose the neural network ResNet18 as the classification model to classify the Cifar10 dataset. It should be noted that the classification of the Cifar10 dataset is merely illustrative and not restrictive; various equivalent modifications of the invention may be made by those skilled in the art within the scope defined by the appended claims.
For the classification problem of the Cifar10 data set, the specific implementation corresponds to the following specific steps:
step 1, constructing the neural network ResNet18 as the image classifier, preparing the 50000 pictures of the Cifar10 training set, and setting the hyper-parameters: the model learning rate is 0.1, the mini-batch size is 256, the maximum number of iterations is 100, the loss-function component coefficients are α = 0.5, β = 0.5 and γ = 1.0, and the adversarial sample division ratio is λ = 0.5;
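A sketch of this setup, assuming PyTorch and torchvision (the patent names no framework; note that torchvision's ResNet18 is ImageNet-shaped, and CIFAR implementations usually adapt its first convolution):

```python
import torch
import torchvision
import torchvision.transforms as transforms
from torchvision.models import resnet18

train_set = torchvision.datasets.CIFAR10(root="./data", train=True, download=True,
                                         transform=transforms.ToTensor())  # 50000 training pictures
model = resnet18(num_classes=10)                                 # ResNet18 classifier for 10 classes
optimizer = torch.optim.SGD(model.parameters(), lr=0.1)          # model learning rate 0.1
batch_size, max_epochs = 256, 100                                # mini-batch size and iteration cap
alpha, beta, gamma, lam = 0.5, 0.5, 1.0, 0.5                     # loss coefficients and division ratio
```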
step 2, randomly dividing the training data into m mini-batches according to the preset mini-batch size, where

m = ⌈50000/256⌉ = 196;
step 3, performing one parameter update of the model using the training data of one mini-batch. Before this step is carried out, the PGD algorithm is selected for generating the adversarial samples, with the number of PGD iterations set to S = 7, the step size set to 2/255, and the perturbation bound set to ε = 8/255. The method then proceeds as follows:
a) taking the current model as the target model, for a mini-batch of training data X = (x₁, x₂, …, xₙ), generate the corresponding adversarial samples X̂ = (x̂₁, x̂₂, …, x̂ₙ) with the PGD algorithm. The PGD recursion formulas are as follows:

x̂ᵢ⁽⁰⁾ = xᵢ
x̂ᵢ⁽ᵗ⁺¹⁾ = Clip_{xᵢ,ε}( x̂ᵢ⁽ᵗ⁾ + (2/255)·sign(∇ₓ l(x̂ᵢ⁽ᵗ⁾, yᵢ)) )
x̂ᵢ = x̂ᵢ⁽ˢ⁾

where x̂ᵢ⁽ᵗ⁾ is the intermediate result after t iterations on the way from xᵢ to x̂ᵢ, ε is the perturbation bound, yᵢ is the data label corresponding to xᵢ, the Clip function limits the output range, sign is the sign function, and ∇ₓ computes the gradient of the loss function l with respect to the input.
b) adjusting the position of each element in the batch of adversarial samples generated in a). Since the preset division ratio is λ = 0.5, first divide X̂ into two equal parts X̂₁ and X̂₂, then randomly rearrange X̂₂ so that the adversarial samples X̃ no longer correspond one-to-one with the normal training data X; obtain the data labels Ỹ corresponding to the adversarial samples in the same way, and compute the identity vector T = (t₁, t₂, …, tₙ);
c) let the model parameters of the current ResNet18 be W and b. Two ResNet18 networks with the same parameters are combined into a Siamese architecture, as shown in FIG. 1, and the adversarial samples and the normal training data are respectively used as the two inputs of the network. The gradient of the parameters is calculated using the loss function

L = α·l(f(X; W, b), Y) + β·l(f(X̃; W, b), Ỹ) + γ·l_con(φ(X; W, b), φ(X̃; W, b), T)

where α = 0.5, β = 0.5 and γ = 1.0, and the parameters of the model are updated:

W ← W − a·∇_W L,  b ← b − a·∇_b L
and 4, repeating the step 3, and updating the model parameters W and b by using the divided mini-batch in sequence until all the mini-batch participate in calculation.
step 5, repeating steps 2, 3 and 4 for 100 rounds according to the preset maximum number of iterations, each repetition completing one round of training of the model. Meanwhile, so that the training of the model obtains a better result, the learning rate of the model is decayed: specifically, every 40 rounds the learning rate is reduced to 1/10 of its current value.
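This step decay corresponds to a standard step scheduler; for example, in PyTorch (assuming the optimizer from the step-1 sketch):

```python
from torch.optim.lr_scheduler import StepLR

scheduler = StepLR(optimizer, step_size=40, gamma=0.1)  # divide the learning rate by 10 every 40 rounds
for epoch in range(100):
    # ... one full round of training over all mini-batches (steps 2-4) ...
    scheduler.step()
```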
step 6, outputting the trained ResNet18 model. Since the Siamese architecture consists of two ResNet18 networks with the same parameters, either one of the two may be output.
We denote the classification model obtained by the above procedure as SAT. Meanwhile, to better evaluate model performance, the traditional adversarial training method is applied with the same network structure and consistent basic hyper-parameters, yielding a classification model of the Cifar10 dataset denoted AT. Table 1 compares the accuracy of the two models under different attacks.
Table 1. Comparison of model accuracy under different attacks on the Cifar10 dataset
The performance of the algorithm is evaluated by model accuracy, defined as the number of correctly classified adversarial samples divided by the total number of adversarial test samples. Five common attacks were chosen: FGSM, PGD, BIM, CW and JSMA, where PGD is also the attack used during model training. Under every attack, the model accuracy of the adversarial training algorithm provided by the invention is higher than that of the traditional adversarial training algorithm, with improvements between 2% and 7.3%, so adversarial sample attacks are better defended against.
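The accuracy metric used here can be computed as in the following sketch (illustrative; `attack` stands for any of the five attack routines, e.g. the pgd_attack sketch above):

```python
import torch

def robust_accuracy(model, loader, attack):
    """Model accuracy = correctly classified adversarial samples / total adversarial samples."""
    model.eval()
    correct = total = 0
    for x, y in loader:
        x_adv = attack(model, x, y)                  # craft adversarial versions of the test batch
        with torch.no_grad():
            pred = model(x_adv).argmax(dim=1)
        correct += (pred == y).sum().item()
        total += y.size(0)
    return correct / total
```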
Common adversarial attack algorithms can be found in the following papers:
FGSM: GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples [J]. arXiv preprint arXiv:1412.6572, 2014;
PGD: MADRY A, MAKELOV A, SCHMIDT L, et al. Towards deep learning models resistant to adversarial attacks [J]. arXiv preprint arXiv:1706.06083, 2017;
BIM: KURAKIN A, GOODFELLOW I, BENGIO S. Adversarial machine learning at scale [J]. arXiv preprint arXiv:1611.01236, 2016;
CW: CARLINI N, WAGNER D. Towards evaluating the robustness of neural networks [C] // 2017 IEEE Symposium on Security and Privacy (SP). 2017: 39-57;
JSMA: PAPERNOT N, MCDANIEL P, JHA S, et al. The limitations of deep learning in adversarial settings [C] // 2016 IEEE European Symposium on Security and Privacy (EuroS&P). 2016: 372-387.

Claims (9)

1. A method of adversarial sample defense for an image classifier, comprising the steps of:
step 1, constructing a model and preparing image training data;
step 2, randomly dividing the image training data into a number of mini-batches;
step 3, performing one parameter update of the model using the image training data of one mini-batch;
a) selecting the image training data of a mini-batch that has not yet participated in the calculation, and generating the corresponding adversarial samples;
b) mixing the adversarial samples generated in the previous step with the corresponding image training data, and adjusting the relative position of each image datum among the adversarial samples;
c) updating the model parameters once by means of the back-propagation algorithm;
step 4, repeating step 3 until all the mini-batches divided in step 2 have participated in the calculation;
step 5, repeating steps 2-4 until the model finishes training;
step 6, outputting the model trained in step 5.
2. The method of claim 1, wherein the random partitioning of the image training data into a number of mini-batches is implemented as follows:
assume the image training set contains D pieces of image training data and the preset mini-batch size is n; first, the D pieces of image training data are randomly shuffled, and then selected sequentially according to the mini-batch size, so that the image training set is divided into m mini-batches, where

m = ⌈D/n⌉.
3. The method of claim 1, wherein selecting the image training data of a mini-batch that has not yet participated in the calculation and generating the corresponding adversarial samples is implemented as follows:
for any unused mini-batch of image training data X = (x₁, x₂, …, xₙ), under the current model, a chosen adversarial attack algorithm is used to generate the adversarial samples corresponding to X:

X̂ = (x̂₁, x̂₂, …, x̂ₙ).
4. The method of claim 1, wherein the generated adversarial samples are mixed with the corresponding image training data and the relative position of each image datum among the adversarial samples is adjusted as follows:
preset a division ratio λ, λ ∈ [0,1]; according to λ, divide the adversarial samples X̂ into two parts X̂₁ and X̂₂, where:

X̂₁ = (x̂₁, …, x̂ₖ),  X̂₂ = (x̂ₖ₊₁, …, x̂ₙ),  k = ⌊λ·n⌋

randomly adjust the position of each image instance in X̂₂, i.e. rearrange X̂₂; splice X̂₁ and the rearranged X̂₂ to obtain X̃ = (x̃₁, x̃₂, …, x̃ₙ); perform the same operation on the data labels Y of the image training data X to obtain the labels Ỹ = (ỹ₁, ỹ₂, …, ỹₙ) corresponding to the adversarial samples X̃; compute the identity vector T = (t₁, t₂, …, tₙ): when xᵢ and x̃ᵢ belong to the same class, i.e. when yᵢ and ỹᵢ are equal, tᵢ = 1; otherwise tᵢ = 0.
5. The method of claim 1, wherein the model parameters are updated once by the back-propagation algorithm as follows:
let the parameter of the model be W and set the learning rate to a; the loss function is defined as follows:

L = α·l(f(X; W), Y) + β·l(f(X̃; W), Ỹ) + γ·l_con(φ(X; W), φ(X̃; W), T)

where α, β and γ are preset hyper-parameters, l(·) is the cross-entropy loss function, and l_con(·) is the contrastive loss function; during training, a Siamese architecture is adopted: X and X̃ serve simultaneously as inputs of the network, the gradient ∇_W L of W is calculated from the loss function L(·), and W is updated as W ← W − a·∇_W L.
6. The method of claim 1, wherein steps 2-4 are repeated until the model finishes training: the number of training rounds N is preset; in each round the image training set is randomly divided into m mini-batches and m parameter updates of the model are performed, whereupon model training is finished.
7. The method of claim 1, wherein the model hyper-parameters comprise: the model learning rate, the mini-batch size, the maximum number of iterations, the coefficients α, β and γ of the components of the loss function, and the division ratio of the adversarial samples.
8. The method of claim 1, wherein the image training data is in a picture format.
9. The method of claim 1, wherein the chosen adversarial attack algorithm comprises: a targeted or untargeted attack, an iterative or single-step attack, or an attack under different norms, wherein the different norms comprise L₀, L₁, L₂ and L∞.
CN202010749009.8A 2020-07-30 2020-07-30 Method for defending against adversarial samples for an image classifier Active CN111914928B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010749009.8A CN111914928B (en) 2020-07-30 2020-07-30 Method for defending against adversarial samples for an image classifier

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010749009.8A CN111914928B (en) 2020-07-30 2020-07-30 Method for defending against adversarial samples for an image classifier

Publications (2)

Publication Number Publication Date
CN111914928A true CN111914928A (en) 2020-11-10
CN111914928B CN111914928B (en) 2024-04-09

Family

ID=73287643

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010749009.8A Active CN111914928B (en) 2020-07-30 2020-07-30 Method for defending against adversarial samples for an image classifier

Country Status (1)

Country Link
CN (1) CN111914928B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107832353A (en) * 2017-10-23 2018-03-23 同济大学 A kind of social media platform deceptive information recognition methods
CN108681774A (en) * 2018-05-11 2018-10-19 电子科技大学 Based on the human body target tracking method for generating confrontation network negative sample enhancing
CN110674938A (en) * 2019-08-21 2020-01-10 浙江工业大学 Anti-attack defense method based on cooperative multi-task training

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
XIAN ZHONG et al.: "Visible-infrared Person Re-identification via Colorization-based Siamese Generative Adversarial Network", ICMR '20: Proceedings of the 2020 International Conference on Multimedia Retrieval, p. 421 *
YU ZHU et al.: "Improving Deep Neural Network Robustness with Siamese Empowered Adversarial Training", International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage, p. 62 *
WANG Zhihao: "Research on the Robustness of Person Re-identification Based on Deep Learning", China Masters' Theses Full-text Database, Information Science and Technology, no. 08 *
ZHU Yu: "Research on Deep Learning Security Based on Adversarial Examples", China Masters' Theses Full-text Database, Information Science and Technology, no. 09 *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112597993B (en) * 2020-11-24 2024-05-31 中国空间技术研究院 Patch detection-based countermeasure model training method
CN112597993A (en) * 2020-11-24 2021-04-02 中国空间技术研究院 Confrontation defense model training method based on patch detection
CN112560901A (en) * 2020-12-01 2021-03-26 南京航空航天大学 Method for defending and confronting sample based on combination of image preprocessing and confronting training
CN112699737A (en) * 2020-12-10 2021-04-23 陈艳 Genus species identification system and identification method based on biological three-dimensional contour
CN112651459A (en) * 2020-12-31 2021-04-13 厦门易仕特仪器有限公司 Defense method, device, equipment and storage medium for confrontation sample of deep learning image
CN112329931B (en) * 2021-01-04 2021-05-07 北京智源人工智能研究院 Countermeasure sample generation method and device based on proxy model
CN112329931A (en) * 2021-01-04 2021-02-05 北京智源人工智能研究院 Countermeasure sample generation method and device based on proxy model
CN112329894A (en) * 2021-01-04 2021-02-05 北京智源人工智能研究院 Countermeasure sample generation method and device based on proxy model and computing equipment
CN113837370A (en) * 2021-10-20 2021-12-24 北京房江湖科技有限公司 Method and apparatus for training a model based on contrast learning
CN113837370B (en) * 2021-10-20 2023-12-05 贝壳找房(北京)科技有限公司 Method and apparatus for training a model based on contrast learning
CN114638322A (en) * 2022-05-20 2022-06-17 南京大学 Full-automatic target detection system and method based on given description in open scene
CN114638322B (en) * 2022-05-20 2022-09-13 南京大学 Full-automatic target detection system and method based on given description in open scene
CN115797732A (en) * 2023-02-15 2023-03-14 杭州实在智能科技有限公司 Image retrieval model training method and system used in open category scene

Also Published As

Publication number Publication date
CN111914928B (en) 2024-04-09

Similar Documents

Publication Publication Date Title
CN111914928A (en) Method for defending against adversarial samples for an image classifier
Su et al. One pixel attack for fooling deep neural networks
Olatunji et al. Membership inference attack on graph neural networks
Wang et al. Defensive dropout for hardening deep neural networks under adversarial attacks
CN110334742B (en) Graph confrontation sample generation method based on reinforcement learning and used for document classification and adding false nodes
KR102304661B1 (en) Attack-less Adversarial Training Method for a Robust Adversarial Defense
CN110322003B (en) Gradient-based graph confrontation sample generation method for document classification by adding false nodes
Li et al. Semi-supervised robust training with generalized perturbed neighborhood
CN112668044A (en) Privacy protection method and device for federal learning
Liu et al. Generative model: Membership attack, generalization and diversity
Zhang et al. Broadening differential privacy for deep learning against model inversion attacks
Sitawarin et al. Demystifying the adversarial robustness of random transformation defenses
Guo et al. Resisting distributed backdoor attacks in federated learning: A dynamic norm clipping approach
CN114494771B (en) Federal learning image classification method capable of defending back door attack
Xue et al. Use the spear as a shield: An adversarial example based privacy-preserving technique against membership inference attacks
Hooda et al. Towards adversarially robust deepfake detection: an ensemble approach
Goodman Transferability of adversarial examples to attack cloud-based image classifier service
CN116644433A (en) Data privacy and model safety test method for longitudinal federal learning
Peng et al. Evaluating deep learning for image classification in adversarial environment
CN111368908A (en) HRRP (high-resolution Radar) non-target confrontation sample generation method based on deep learning
CN115510986A (en) Countermeasure sample generation method based on AdvGAN
CN115187449A (en) Method for improving anti-sample mobility based on perspective transformation
Stock et al. Lessons learned: How (not) to defend against property inference attacks
CN112215272A (en) Bezier curve-based image classification neural network attack method
Zhang et al. Confined gradient descent: Privacy-preserving optimization for federated learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant