CN113052167B - Grid map data protection method based on countercheck patch - Google Patents

Grid map data protection method based on countercheck patch Download PDF

Info

Publication number
CN113052167B
CN113052167B CN202110255017.1A CN202110255017A CN113052167B CN 113052167 B CN113052167 B CN 113052167B CN 202110255017 A CN202110255017 A CN 202110255017A CN 113052167 B CN113052167 B CN 113052167B
Authority
CN
China
Prior art keywords
patch
geographic
target image
image
map data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110255017.1A
Other languages
Chinese (zh)
Other versions
CN113052167A (en
Inventor
宋军
吴雅笛
黄秀文
陈诺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China University of Geosciences
Original Assignee
China University of Geosciences
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China University of Geosciences filed Critical China University of Geosciences
Priority to CN202110255017.1A priority Critical patent/CN113052167B/en
Publication of CN113052167A publication Critical patent/CN113052167A/en
Application granted granted Critical
Publication of CN113052167B publication Critical patent/CN113052167B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V10/00Arrangements for image or video recognition or understanding
    • G06V10/20Image preprocessing
    • G06V10/25Determination of region of interest [ROI] or a volume of interest [VOI]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/29Geographical information databases
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/50Information retrieval; Database structures therefor; File system structures therefor of still image data
    • G06F16/56Information retrieval; Database structures therefor; File system structures therefor of still image data having vectorial format
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/22Matching criteria, e.g. proximity measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2415Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Databases & Information Systems (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Probability & Statistics with Applications (AREA)
  • Multimedia (AREA)
  • Health & Medical Sciences (AREA)
  • Remote Sensing (AREA)
  • Image Analysis (AREA)
  • Image Processing (AREA)

Abstract

The invention provides a grid map data protection method based on a countercheck patch, which comprises the following steps: acquiring a geographic target image; initializing a patch, and inputting the initialized patch and the geographic target image to a constructed neural network model together; guiding a neural network to iteratively update the value of the patch by using a random gradient descent method and a scrambling degree evaluation method so as to train the patch, and finally selecting the patch with the highest expected probability of classifying the geographic target image into a target class as a counterpatch generation result; acquiring the area position of the geographic target on the geographic target image by using an area correction method; jointly deciding an application mode of the anti-patch in the region where the geographic target is located by using an Actor-Critic method and an image similarity evaluation method based on multiple features; a geographic target image with a countermeasure patch is obtained. The invention has the beneficial effects that: the purpose of effectively resisting the network model of the attacker to identify the sensitive geographic target is achieved, and the safety of the raster map data is improved.

Description

Grid map data protection method based on countercheck patch
Technical Field
The invention relates to the field of geological data desensitization and deep learning, in particular to a grid map data protection method based on a confrontation patch.
Background
The grid map data includes important information such as national important facilities, national defense important target symbols, buildings, identifications and the like. The existing grid map data security protection method mainly focuses on the aspects of a data encryption method, a digital watermarking method and the like. For example, the inventor has proposed a grid map copyright protection method based on BFA and LSB in zhou lin, what the inventor has proposed a geographic information data composite encryption system, and the like. In recent years, object extraction and object recognition on grid map data have gradually been changed from a manual processing mode to a machine automation interpretation mode due to rapid development of deep learning technology, for example, deep learning technology is used for identifying and classifying buildings on grid maps. Because the grid map data has complex characteristics such as spatial positioning characteristics and attribute precision characteristics which are different from those of common images, under the background of deep learning, the problem of how to prevent sensitive information contained in the grid map from being intelligently extracted and identified by a neural network constructed by a malicious user becomes difficult.
The existing grid map data protection technology mainly has the following three problems: firstly, the existing data encryption method is usually established on the basis of a computational complexity theory, and the problems of low encryption efficiency, easy damage to an original data structure, expansion of data volume and the like generally exist in the encryption of raster map data; the existing grid map digital watermark protection technology generally utilizes carrier data redundancy to embed watermark information to provide aspects such as copyright protection, anti-counterfeiting tracing, hidden identification, authentication and safe hidden communication, and provides safety characteristics such as data integrity, concealment, robustness and tamper resistance, but generally cannot ensure the confidentiality of data. Secondly, the existing method focuses on optimization and improvement of algorithm function and efficiency, and the integration processing of data, and the like, and has the problem that fine desensitization protection is difficult to be performed on sensitive data of a specific type, a specific area or a specific attribute. Finally, the existing method is difficult to realize automatic and intelligent data desensitization processing, and cannot provide guarantee for grid map data security under the deep learning background due to the low processing efficiency caused by coarse-grained data processing.
Disclosure of Invention
In order to overcome the defects, the invention provides a grid map data protection method based on a countermeasure patch. The invention can mislead and disturb the grid map data intelligent identification system, so that the network of an attacker outputs wrong classification results, the purpose of effectively resisting the network model of the attacker to identify the sensitive geographic target is achieved, and the safety of the grid map data is improved.
The invention provides a grid map data protection method based on a countercheck patch, which specifically comprises the following steps:
s101: acquiring a geographic target image;
s102: initializing a patch, and inputting the initialized patch and the geographic target image to a constructed neural network model together;
s103: guiding a neural network to iteratively update the value of the patch by using a random gradient descent method and a scrambling degree evaluation method so as to train the patch, and finally selecting the patch with the highest expected probability of classifying the geographic target image into a target class as a counterpatch generation result;
s104: acquiring the area position of the geographic target on the geographic target image by using an area correction method;
s105: jointly deciding an application mode of the anti-patch in the region where the geographic target is located by using an Actor-Critic method and an image similarity evaluation method based on multiple features;
s106: a geographic target image with a countermeasure patch is obtained.
Further, the neural network model in step S102 includes inclusion v3, Resnet50, Xception, VGG16, and VGG 19.
Further, in step S102, the classification target class of the neural network includes: a category for which it is desirable to misclassify the geographic object and a category for which it is desirable to correctly classify the geographic object.
Further, the patch initialization specifically includes: one target category image is designated as an initial patch or one target category image is randomly selected as an initial patch.
Step S103 specifically includes:
s201: setting iteration times of patch training;
s202: randomly generating the placement position, the scaling size and the rotation angle of the patch on the geographic target image;
s203: the patch is added on the geographic target image through an operator of the patch application, and the calculation method comprises the following steps:
img′=G(img,p,l,t(s,z))
wherein img represents a geographical target image, p represents a patch, l represents a patch placement position, a function t represents a transformation operation performed on the patch, s represents a scaling, z represents a rotation angle, and img' represents the geographical target image after the patch is applied;
s204: guiding patch updating by using a random gradient descent method and a scrambling degree evaluation method;
s205: calculating the expected probability of img' being classified into the correct target class, and taking the patch which can maximize the expected probability as the updating result, wherein the calculation formula is as follows:
Figure GDA0003778480070000031
wherein
Figure GDA0003778480070000032
Representing the correct target category, I is a geographic target image set, T is the distribution of patch conversion, L is the distribution of image positions, and Pr operation represents probability calculation;
s206: judging whether the preset iteration times are reached, if so, finishing the training, and turning to step 207; otherwise, returning to the step 202 and continuing the iteration;
s207: and outputting and recording the anti-patch generation result of the last iteration.
Further, step S104 specifically includes:
s301: generating a candidate region by using a region correction method;
s302: selecting a candidate region with the highest regional score as the regional position of the geographic target on the geographic target image; wherein a region is scored as a classification probability that the region contains a geographic object.
Further, in step S105, the Actor-Critic algorithm passes through the policy function pi θ (as) learning the patch placement strategy and applying a function V to the value of the current strategy φ (s) estimating.
In step S105, the distribution characteristics of the gray scale, the chromaticity, and the texture are comprehensively considered based on the multi-characteristic image similarity evaluation, and the calculation formula is as follows:
S=(D g ≥h g )∩(D c ≥h c )∩(D k ≥h k )
wherein D is g And h g Respectively representing the degree of similarity of the grey scale distribution and the corresponding threshold, D c And h c Respectively representing the chroma distribution similarity and a corresponding threshold, D k And h k Respectively representing the similarity of the texture features and the corresponding threshold values.
The beneficial effects provided by the invention are as follows: the invention can mislead and disturb the grid map data intelligent identification system, so that the network of an attacker outputs wrong classification results, the purpose of effectively resisting the network model of the attacker to identify the sensitive geographic target is achieved, and the safety of the grid map data is improved. The grid map sensitive information protection method and the grid map sensitive information protection device can be suitable for providing guarantee for grid map sensitive information protection in different application scenes, and make up for the blank field of grid map sensitive information protection in deep learning background at home at present.
Drawings
FIG. 1 is a flow chart of a method for raster map data protection based on a countercheck patch according to the present invention;
FIG. 2 is a schematic diagram of the generation of a countermeasure training;
FIG. 3 is a schematic diagram of the application of a countermeasure patch;
FIG. 4 is a diagram of the effectiveness of anti-patch generation;
FIG. 5 is a diagram of the effectiveness of the application of a countermeasure patch;
FIG. 6 is a diagram of the effect of geographic object recognition before and after application of a countermeasure patch;
fig. 7 is a diagram of the effect of the attack against the patch under different environments.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be further described with reference to the accompanying drawings.
Referring to fig. 1, fig. 1 is a flowchart illustrating a method for protecting raster map data based on countermeasures for patches according to the present invention; a grid map data protection method based on countercheck patches comprises the following steps:
s101: acquiring a geographic target image;
s102: initializing a patch, and inputting the initialized patch and the geographic target image to a constructed neural network model together;
s103: guiding a neural network to iteratively update the value of the patch by using a random gradient descent method and a scrambling degree evaluation method so as to train the patch, and finally selecting the patch which can enable the geographic target image to be classified into a target class and has the highest expected probability as a countercheck patch generation result;
s104: acquiring the area position of the geographic target on the geographic target image by using an area correction method;
s105: jointly deciding an application mode of the anti-patch in the region where the geographic target is located by using an Actor-Critic method and a multi-feature-based image similarity evaluation method;
s106: a geographic target image with a countermeasure patch is obtained.
The neural network model in step S102 includes inclusion v3, respet 50, Xception, VGG16, and VGG 19.
In step S102, the classification target class of the neural network includes: a category for which it is desirable to misclassify the geographic object and a category for which it is desirable to correctly classify the geographic object.
The patch initialization specifically comprises the following steps: one target category image is designated as an initial patch or one target category image is randomly selected as an initial patch.
Step S103 specifically includes:
s201: setting iteration times of patch training;
s202: randomly generating the placement position, the scaling size and the rotation angle of the patch on the geographic target image;
s203: the patch is added on the geographic target image through an operator of the patch application, and the calculation method comprises the following steps:
img′=G(img,p,l,t(s,z))
the method comprises the following steps that img represents a geographic target image, p represents a patch, l represents a patch placement position, a function t represents transformation operation on the patch, s represents a scaling ratio, z represents a rotation angle, and img' represents the geographic target image after the patch is applied;
s204: guiding patch updating by using a random gradient descent method and a scrambling degree evaluation method;
s205: calculating the expected probability of the img' being classified into the correct target class, and taking the patch which can maximize the expected probability as the updating result, wherein the calculation formula is as follows:
Figure GDA0003778480070000061
wherein
Figure GDA0003778480070000062
Representing the correct target category, I is a geographic target image set, T is the distribution of patch conversion, L is the distribution of image positions, and Pr operation represents probability calculation;
s206: judging whether the preset iteration times are reached, if so, finishing the training, and turning to step 207; otherwise, returning to the step 202 and continuing the iteration;
s207: and outputting and recording the counterwork patch generation result of the last iteration.
Preferably, the present invention provides an embodiment for generating a countermeasure patch; referring to fig. 2, fig. 2 is a schematic diagram of the generation of anti-patch training;
firstly, defining a target category, and selecting a random patch initialization mode or self-defining a corresponding target category image as an initial patch according to the target category. Secondly, the initialized patch is randomly applied to the geographic target image through a patch application operator, the processed target image is placed into a generator model, and the training and optimization of the patch are realized through continuously iteratively updating the value of the patch. The patch application operator is calculated as:
img'=G(img,p,l,t(s,z))
wherein img represents the geographic target image, p represents the patch, l represents the patch placement position, the function t represents the transformation operation performed on the patch, s represents the scaling, z represents the rotation angle, and img' represents the geographic target image after the patch is applied. In the patch training phase, the change operation of the patch is random selection.
And finally, in the process of patch training, evaluating and restraining the interference degree of the anti-patch on the target image by using the scrambling degree, and taking the evaluation result as a guidance basis for updating and optimizing the patch in the next iteration. And performing iterative training and updating optimization on the patch according to the self-defined iteration times to finally generate the counterpatch. Referring to fig. 4, fig. 4 is a diagram illustrating the effect of generating anti-patch.
Step S104 specifically includes:
s301: generating a candidate region by using a region correction method;
s302: selecting a candidate region with the highest regional score as the regional position of the geographic target on the geographic target image; wherein a region is scored as a classification probability that the region contains a geographic object.
In step S105, the Actor-Critic algorithm passes through a policy function pi θ (as) learning the patch placement strategy and applying a function V to the value of the current strategy φ (s) estimating.
In step S105, the distribution characteristics of the gray scale, the chromaticity, and the texture are comprehensively considered based on the multi-characteristic image similarity evaluation, and the calculation formula is as follows:
S=(D g ≥h g )∩(D c ≥h c )∩(D k ≥h k )
wherein D is g And h g Respectively representing the degree of similarity of the grey scale distribution and the corresponding threshold, D c And h c Respectively representing the chroma distribution similarity and a corresponding threshold, D k And h k Respectively representing the similarity of the texture features and the corresponding threshold values.
Preferably, as an embodiment of step S104, please refer to fig. 3; as shown in fig. 3, the position area of the geographic target in the image is found by the area correction method. Firstly, a plurality of candidate regions with different sizes and different positions are generated, and correction parameters are obtained through linear regression. And then translating the candidate region according to the correction parameters and correcting the size of the candidate region. And finally, calculating the probability of the target contained in each corrected candidate region as a region score, selecting the candidate region with the highest score as a finally selected region range, and then making a patch application decision in the region.
Still referring to fig. 3, the Actor-criticic algorithm and the multi-feature based image similarity evaluation method combine the placement position of the decision patch on the target image and the transformation manner of the patch. The strategy function pi is passed in the Actor-Critic algorithm θ (as) learning a patch placement policy, and estimating a value function of a current policy. The strategy function and the value function are continuously optimized between games, the strategy function executes a better patch application strategy to obtain higher return, and the value function adjusts the scoring standard of the value function according to the return.
The image similarity evaluation method based on multiple features evaluates the camouflage effect of the patch on a sensitive geographic target and guides optimization of a policy function in an Actor-Critic algorithm, and integrates the gray distribution similarity, the chroma distribution similarity and the texture feature similarity. The gray distribution similarity can be expressed as:
Figure GDA0003778480070000081
where L represents the total number of gray levels in the grid map target image, r k The k-th gray scale value is P (r) k ) Is to r k Is a histogram of this image, P 1 (r k ) For the gray level r in the patched target image img k The probability (frequency) of occurrence of the pixel of (P) 2 (r k ) For gray level r in original target image img k The probability of occurrence of the pixel.
The chroma distribution similarity can be expressed as:
Figure GDA0003778480070000082
wherein A and B are the total number of a, B chromaticity levels in the uniform color space of the grid map target image at L, a, B, respectivelyThe chromaticity of (a, b) is (r) a ,r b ),P r1 (r a ,r b ) To add a chroma histogram, P, of the anti-patched target image img r2 (r a ,r b ) Is a chrominance histogram of the original target image img.
The texture feature similarity can be expressed as:
Figure GDA0003778480070000091
wherein D is k And h k The 4 eigenvalue similarities and corresponding thresholds represent the energy, contrast, correlation and moment of inverse difference of img' and img, respectively.
Because the gray level similarity, the chrominance similarity and the texture feature similarity are all focused on evaluating the similarity of a certain aspect, in an actual situation, any feature difference can cause the existence of a counterpatch to be found, therefore, the intersection of all the single indexes is taken as the comprehensive similarity, namely, the comprehensive similarity of the two images img' and img is considered to meet the corresponding threshold requirement only if the similarity of each single feature reaches a certain threshold. The overall similarity can be expressed as:
S=(D g ≥h g )∩(D c ≥h c )∩A Tex
wherein h is g Threshold value, h, corresponding to the degree of similarity of the gray-scale distribution c And representing the corresponding threshold value of the chroma distribution similarity.
The method realizes the application of the anti-patch on the geographic image. Fig. 5 is a diagram of the effect of the application of the anti-patch, wherein z represents the scaling of the anti-patch in the current diagram, and each sub-diagram shows the effect of the placement of the anti-patch on different targets with a specific size, angle and placement position. Fig. 6 is a graph of the effect of recognizing geographic objects before and after the anti-patch application, comparing the probability of classifying objects into buildings in the same recognition system for the object image without the patch and the object image with the patch. Wherein the target image is exemplified by the 8 images shown in fig. 5. Fig. 7 is a diagram of the effect of the anti-patch attack in different environments, where the three curves from top to bottom are: whiteBox, BlackBox and BaseLine represent the success rate of attacks against patches in white-box environment, black-box environment and BaseLine mode, respectively.
The beneficial effects provided by the invention are as follows: the invention provides a grid map data protection method based on a countermeasure patch, aiming at the situation that the information protection technology of grid map data in an intelligent scene does not appear in the domestic market at present. The method guides the patch updating optimization by applying the scrambling degree evaluation method to the initial patch, and generates the confrontation patch with antagonism, robustness and concealment. And the position of the geographic target in the image is positioned by using a regional correction method, the patch placement range is narrowed, and the patch application efficiency is improved. The intelligent application of the anti-patch is realized by jointly deciding the application mode of the patch on the sensitive geographic target image through an Actor-Critic algorithm and an image similarity evaluation method based on multiple features. Through the mode, the intelligent identification system for the grid map data can mislead and disturb the intelligent identification system for the grid map data, so that the network of an attacker outputs wrong classification results, the purpose of effectively resisting the network model of the attacker to identify the sensitive geographic target is achieved, and the safety of the grid map data is improved. The grid map sensitive information protection method and the grid map sensitive information protection device can be suitable for providing guarantee for grid map sensitive information protection in different application scenes, and make up for the blank field of grid map sensitive information protection in deep learning background at home at present.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (6)

1. A raster map data protection method based on countercheck patches is characterized by comprising the following steps: the method specifically comprises the following steps:
s101: acquiring a geographic target image;
s102: initializing a patch, and inputting the initialized patch and the geographic target image to a constructed neural network model together;
s103: guiding a neural network to iteratively update the value of the patch by using a random gradient descent method and a scrambling degree evaluation method so as to train the patch, and finally selecting the patch with the highest expected probability of classifying the geographic target image into a target class as a counterpatch generation result;
s104: acquiring the area position of the geographic target on the geographic target image by using an area correction method;
s105: jointly deciding an application mode of the anti-patch in the region where the geographic target is located by using an Actor-Critic method and an image similarity evaluation method based on multiple features;
in step S105, the Actor-Critic algorithm passes through a policy function pi θ (as) learning the patch placement strategy and applying a function V to the value of the current strategy φ (s) performing an estimation;
in step S105, the distribution characteristics of the gray scale, the chromaticity, and the texture are comprehensively considered based on the multi-characteristic image similarity evaluation, and the calculation formula is as follows:
S=(D g ≥h g )∩(D c ≥h c )∩(D k ≥h k )
wherein D is g And h g Respectively representing the degree of similarity of the grey scale distribution and the corresponding threshold, D c And h c Respectively representing the chroma distribution similarity and corresponding threshold, D k And h k Respectively representing the similarity of the texture features and corresponding threshold values;
s106: a geographic object image with the countermeasure patch is obtained.
2. The method for grid map data protection based on countermeasures patch as claimed in claim 1, wherein: the neural network model in step S102 includes inclusion v3, Resnet50, Xception, VGG16, and VGG 19.
3. The method for protecting grid map data based on counterpatch as claimed in claim 1, wherein: in step S102, the classification target class of the neural network includes: a category for which it is desirable to misclassify the geographic object and a category for which it is desirable to correctly classify the geographic object.
4. The method for protecting grid map data based on counterpatch as claimed in claim 3, wherein: the patch initialization specifically comprises: one target category image is designated as an initial patch or one target category image is randomly selected as an initial patch.
5. The method for protecting grid map data based on counterpatch as claimed in claim 1, wherein: step S103 specifically includes:
s201: setting iteration times of patch training;
s202: randomly generating the placement position, the scaling size and the rotation angle of the patch on the geographic target image;
s203: the patch is added on the geographic target image through an operator of the patch application, and the calculation method comprises the following steps:
img′=G(img,p,l,t(s,z))
wherein img represents a geographical target image, p represents a patch, l represents a patch placement position, a function t represents a transformation operation performed on the patch, s represents a scaling, z represents a rotation angle, and img' represents the geographical target image after the patch is applied;
s204: guiding patch updating by using a random gradient descent method and a scrambling degree evaluation method;
s205: calculating the expected probability of img' being classified into the correct target class, and taking the patch which can maximize the expected probability as the updating result, wherein the calculation formula is as follows:
Figure FDA0003778480060000021
wherein
Figure FDA0003778480060000022
Representing the correct target category, I is a geographic target image set, T is the distribution of patch conversion, L is the distribution of image positions, and Pr operation represents probability calculation;
s206: judging whether the preset iteration times are reached, if so, finishing the training, and turning to step 207; otherwise, returning to the step 202 and continuing the iteration;
s207: and outputting and recording the counterwork patch generation result of the last iteration.
6. The method for protecting grid map data based on counterpatch as claimed in claim 1, wherein: step S104 specifically includes:
s301: generating a candidate region by using a region correction method;
s302: selecting a candidate region with the highest regional score as the regional position of the geographic target on the geographic target image; wherein a region is scored as a classification probability that the region contains a geographic object.
CN202110255017.1A 2021-03-09 2021-03-09 Grid map data protection method based on countercheck patch Active CN113052167B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110255017.1A CN113052167B (en) 2021-03-09 2021-03-09 Grid map data protection method based on countercheck patch

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110255017.1A CN113052167B (en) 2021-03-09 2021-03-09 Grid map data protection method based on countercheck patch

Publications (2)

Publication Number Publication Date
CN113052167A CN113052167A (en) 2021-06-29
CN113052167B true CN113052167B (en) 2022-09-30

Family

ID=76510458

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110255017.1A Active CN113052167B (en) 2021-03-09 2021-03-09 Grid map data protection method based on countercheck patch

Country Status (1)

Country Link
CN (1) CN113052167B (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10997470B2 (en) * 2019-08-30 2021-05-04 Accenture Global Solutions Limited Adversarial patches including pixel blocks for machine learning
CN111340008B (en) * 2020-05-15 2021-02-19 支付宝(杭州)信息技术有限公司 Method and system for generation of counterpatch, training of detection model and defense of counterpatch
CN111626925B (en) * 2020-07-24 2020-12-01 支付宝(杭州)信息技术有限公司 Method and device for generating counterwork patch
CN112085069B (en) * 2020-08-18 2023-06-20 中国人民解放军战略支援部队信息工程大学 Multi-target countermeasure patch generation method and device based on integrated attention mechanism
CN112364745B (en) * 2020-11-04 2021-09-14 北京瑞莱智慧科技有限公司 Method and device for generating countermeasure sample and electronic equipment
CN112364915B (en) * 2020-11-10 2024-04-26 浙江科技学院 Imperceptible countermeasure patch generation method and application

Also Published As

Publication number Publication date
CN113052167A (en) 2021-06-29

Similar Documents

Publication Publication Date Title
CN109948658B (en) Feature diagram attention mechanism-oriented anti-attack defense method and application
CN111754519B (en) Class activation mapping-based countermeasure method
WO2021179157A1 (en) Method and device for verifying product authenticity
CN113222802B (en) Digital image watermarking method based on anti-attack
Hamid et al. A Comparison between using SIFT and SURF for characteristic region based image steganography
Ulutas et al. A new copy move forgery detection method resistant to object removal with uniform background forgery
CN115168210A (en) Robust watermark forgetting verification method based on confrontation samples in black box scene in federated learning
Caldelli et al. On the effectiveness of local warping against SIFT-based copy-move detection
CN114998080B (en) Face tamper-proof watermark generation method, tamper detection method and attribute detection method
CN113435264A (en) Face recognition attack resisting method and device based on black box substitution model searching
CN114244538A (en) Digital watermark method for generating media content perception hash based on multiple attacks
Cui et al. Multitask identity-aware image steganography via minimax optimization
Liu et al. Data protection in palmprint recognition via dynamic random invisible watermark embedding
CN114881838A (en) Bidirectional face data protection method, system and equipment for deep forgery
CN113052167B (en) Grid map data protection method based on countercheck patch
CN112907431A (en) Steganalysis method for resisting steganography robustness
CN110163163B (en) Defense method and defense device for single face query frequency limited attack
CN111284157B (en) Commodity package anti-counterfeiting printing and verifying method based on fractional order steganography technology
CN112200075A (en) Face anti-counterfeiting method based on anomaly detection
CN113222480B (en) Training method and device for challenge sample generation model
CN114299327A (en) Anti-patch camouflage generation method based on content features
Lorch et al. On the security of the one-and-a-half-class classifier for SPAM feature-based image forensics
Paunwala et al. Dct watermarking approach for security enhancement of multimodal system
Shkilev et al. Fortifying textual integrity: Evolutionary optimization-powered watermarking for tampering attack detection in digital documents
CN114254274B (en) White-box deep learning model copyright protection method based on neuron output

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant