CN113591975A - Adversarial example generation method and system based on the Adam algorithm - Google Patents


Publication number
CN113591975A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110865402.8A
Other languages
Chinese (zh)
Inventor
张恒巍
尹衡
刘小虎
张玉臣
王衡军
王晋东
谭晶磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/24: Classification techniques
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/04: Architecture, e.g. interconnection topology
    • G06N3/045: Combinations of networks
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/08: Learning methods


Abstract

The invention belongs to the technical field of computer vision image recognition, and in particular relates to an adversarial example generation method and system based on the Adam algorithm. Sample data for visual image classification and recognition is collected, the sample data comprising an input image and the label data corresponding to the input image; a neural network model for adversarial example generation is constructed; for the sample data, the adversarial perturbation between an input image and the generated adversarial example is limited using the infinity norm, the loss function of the neural network model is optimized, the optimization model is solved iteratively using the Adam algorithm, and in the iterative solution the adversarial example is generated by using a decaying step size and maximizing the target loss function of the model. By using the decaying step size to increase the transferability of adversarial examples between models, the method obtains higher-quality adversarial examples, so that the robustness of deep learning classification models is improved and the quality and efficiency of visual image classification and recognition can be effectively guaranteed.

Description

Adversarial example generation method and system based on the Adam algorithm
Technical Field
The invention belongs to the technical field of computer vision image recognition, and in particular relates to an adversarial example generation method and system based on the Adam algorithm.
Background
In the field of image recognition, convolutional neural networks are capable of classifying images with human-level accuracy; however, researchers have found that neural networks are vulnerable to attack. In existing research, adding a small perturbation causes a neural network model to give an erroneous output with high confidence, and the image with the perturbation added is an adversarial example. Typically, the adversarial perturbation is invisible to the naked eye, i.e., the adversarial example is not significantly different from the original sample as perceived by the human eye. According to how much is known about the model, adversarial attacks can be classified as white-box attacks and black-box attacks. Given the model structure and parameters, there are a number of ways to generate adversarial examples and mount white-box attacks on the model. In general, adversarial examples have a certain transferability, that is, adversarial examples generated for one model may also be adversarial to another model, which makes black-box attacks possible and is an important reason why they are a threat. Adversarial examples are transferable because the adversarial perturbation is highly similar to the model weights, and different models learn similar decision boundaries on the same image classification task and have similar model weights, so adversarial examples show a certain generalization across different models.
Although adversarial examples have a certain transferability, how to further improve that transferability for effective black-box attacks remains to be researched. In a white-box scenario, the attack success rate of adversarial examples generated by an iterative attack is often higher than that of adversarial examples generated by a single-step attack, but when the adversarial examples are input into other black-box networks for testing, the success rate of the single-step attack is higher; that is, adversarial examples generated from a single-step gradient are more transferable. This is due to the trade-off between the attack performance and the transferability of adversarial examples: in a white-box attack, an iterative attack exhibits strong white-box attack capability because it overfits particular network parameters, but it is difficult for it to generalize its adversarial effect to other models. The adversarial examples are overfitted, and the difference in attack capability of the same adversarial examples under white-box and black-box conditions is similar to the performance difference of the same neural network on the training set and the test set.
Compared with the white-box attack, the black-box attack is closer to the actual attack scenario, and black-box attacks are currently carried out mainly in three ways: 1) decision-based attacks, in which the attacker cannot access the structure and parameters of the model and can only query the model multiple times, inputting an image into the model, obtaining the model's classification result, and generating an adversarial example according to the classification result; 2) substitute-model attacks, in which the attacker inputs images into the model and obtains the output labels, and then trains a substitute model capable of simulating the target model; 3) transfer-based attacks, in which the unknown model is attacked in a black-box manner by generating adversarial examples with better transferability under white-box conditions. Both of the first two black-box attack methods require a large number of queries to the model, which is impractical for large-scale datasets like ImageNet.
Disclosure of Invention
To this end, an adversarial example generation method based on the Adam algorithm is provided. By using a decaying step size to increase the transferability of adversarial examples between models, higher-quality adversarial examples are obtained, the robustness of the deep learning classification model is improved, and the quality and efficiency of visual image classification and recognition can be effectively guaranteed.
According to the design scheme provided by the invention, the adversarial example generation method based on the Adam algorithm is used for visual image classification and recognition and comprises the following:
collecting sample data for visual image classification and recognition, wherein the sample data comprises an input image and label data corresponding to the input image;
constructing a neural network model for adversarial example generation;
for the sample data, limiting the adversarial perturbation between an input image in the sample data and the generated adversarial example by using the infinity norm, optimizing a target loss function of the neural network model, solving the optimization model iteratively by using the Adam algorithm, and, in the iterative solution, generating the adversarial example by using a decaying step size and maximizing the target loss function of the network model.
In the adversarial example generation method based on the Adam algorithm, further, the target loss function of the neural network model is expressed as J(θ, x, y), where x is the input image, y is the label corresponding to the input image x, and θ is the parameter of the neural network model; the adversarial example x* corresponding to the input image x is generated by maximizing J(θ, x, y).
In the adversarial example generation method based on the Adam algorithm, further, the network model optimization problem under the adversarial perturbation limit is expressed as:
Figure BDA0003187140400000021
s.t. $\|x^* - x\|_\infty \le \epsilon$, where ε is the magnitude of the adversarial perturbation.
In the adversarial example generation method based on the Adam algorithm, further, the optimization model is solved iteratively by setting an iteration step gradient and using the Adam algorithm.
In the adversarial example generation method based on the Adam algorithm, further, in the iterative solution, the gradients of all rounds of the iterative process are collected and combined with the corresponding decay factor to generate the first momentum of the current iteration round; the squares of the gradients of all rounds of the iterative process are collected and combined with the corresponding decay factor to generate the second momentum of the current iteration round; and the gradient update direction is obtained from the first momentum, the second momentum and the denominator stability coefficient. The step size of the gradient update is determined from the decay factor corresponding to the gradient and the decay factor corresponding to the squared gradient, giving the decaying step size. The decaying step size under the two-norm constraint is combined with the gradient update direction, and a clipping function is then used to constrain the adversarial example generated in the current iteration round within the infinity-norm range.
In the adversarial example generation method based on the Adam algorithm, further, in the iterative solution, the solution process ends once the current iteration reaches the set number of iteration rounds.
In the adversarial example generation method based on the Adam algorithm, further, the decaying step size is calculated using a decay formula composed of the decay factors corresponding to the gradient and the squared gradient.
In the adversarial example generation method based on the Adam algorithm, further, the decaying step size α_t of the current iteration round t is calculated as:
Figure BDA0003187140400000022
where T is the number of iteration rounds, β1 and β2 are the decay factors corresponding to the gradient and the squared gradient, respectively, and the total step size is
Figure BDA0003187140400000023
where ε is the magnitude of the adversarial perturbation and N is the dimension of the input image.
In the adversarial example generation method based on the Adam algorithm, further, the clipping function is expressed as
Figure BDA0003187140400000024
where x is the input image and x*_{t+1} is the adversarial example generated in the current iteration round t.
Further, the invention also provides an adversarial example generation system based on the Adam algorithm, used for visual image classification and recognition and comprising a data collection module, a model construction module, and an adversarial example generation module, wherein
the data collection module is used for collecting sample data for visual image classification and recognition, wherein the sample data comprises an input image and label data corresponding to the input image;
the model construction module is used for constructing a neural network model for adversarial example generation;
and the adversarial example generation module is used for limiting the adversarial perturbation between the input image in the sample data and the generated adversarial example by using the infinity norm, optimizing the target loss function of the network model, solving the optimization model iteratively by using the Adam algorithm, and, in the iterative solution, generating the adversarial example by using a decaying step size and maximizing the target loss function of the network model.
The invention has the following beneficial effects:
The method generates highly transferable adversarial examples under white-box conditions in order to attack black-box models; a decaying step size is used in the iterative generation of the adversarial example, which improves the transferability of the adversarial example to black-box models. Further, tests on multiple network models under white-box and black-box conditions show a higher attack success rate on black-box models; ensembles of multiple networks can also be attacked. The quality of the generated adversarial examples is improved, the accuracy and efficiency of visual image classification and recognition can be effectively guaranteed, and the method has good application prospects.
Description of the drawings:
FIG. 1 is a schematic flow diagram of adversarial example generation based on the Adam algorithm in the embodiment;
FIG. 2 illustrates how the attack success rate on different network models is affected by the decay factors in the embodiment;
FIG. 3 illustrates how the attack success rate on different network models is affected by the number of iteration rounds in the embodiment;
FIG. 4 illustrates how the attack success rate on different network models is affected by the magnitude of the adversarial perturbation in the embodiment.
Detailed description:
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and technical solutions.
Convolutional neural networks have reached a level exceeding that of humans in image recognition tasks, but are still vulnerable to adversarial examples. An adversarial example is produced by adding noise that is invisible to human vision to an original image, and its existence brings a potential security threat to deep learning systems. Adversarial examples with strong attack performance can also serve as an important tool for evaluating the robustness of a model. However, under black-box conditions, the attack success rate of adversarial examples still needs to be improved. The embodiment of the invention provides an adversarial example generation method based on the Adam algorithm, used for visual image classification and recognition, which comprises the following, as shown in FIG. 1:
S101, collecting sample data for visual image classification and recognition, wherein the sample data comprises an input image and label data corresponding to the input image;
S102, constructing a neural network model for adversarial example generation;
S103, for the sample data, limiting the adversarial perturbation between an input image in the sample data and the generated adversarial example by using the infinity norm, optimizing the target loss function of the network model, solving the optimization model iteratively by using the Adam algorithm, and, in the iterative solution, generating the adversarial example by using a decaying step size and maximizing the target loss function of the network model.
The Adam algorithm is applied to the iterative process of adversarial example generation, and adversarial examples are generated by fast gradient iteration with a decaying step size, so that the transferability of the adversarial examples and the robustness of the network model are improved.
In the adversarial example generation method based on the Adam algorithm in the embodiment of the present invention, further, the target loss function of the network model is expressed as J(θ, x, y), where x is the input image, y is the label corresponding to the input image x, and θ is the parameter of the network model; the adversarial example x* corresponding to the input image x is generated by maximizing J(θ, x, y). J is typically a cross-entropy loss function. In adversarial example generation, the goal is to generate, by maximizing J(θ, x, y), an adversarial example x* that is visually indistinguishable from x in order to fool the model, i.e., to make the model's predicted label y_pre not equal to y. Further, in the embodiment of the present invention, the network model optimization problem under the adversarial perturbation limit is expressed as:
Figure BDA0003187140400000041
s.t. $\|x^* - x\|_\infty \le \epsilon$, where ε is the magnitude of the adversarial perturbation.
In the adversarial example generation method based on the Adam algorithm in the embodiment of the invention, further, the optimization model is solved iteratively by setting an iteration step gradient and using the Adam algorithm.
The Adam algorithm is an optimization algorithm that combines the momentum method and RMSProp. During iteration it not only accumulates a velocity vector along the gradient direction of the loss function but also performs a weighted accumulation of the squared gradient. After the parameter update direction is obtained by combining the two vectors, the parameters to be updated are adjusted with a gradually decaying step size, which accelerates the descent of the loss function in dimensions with smaller gradients, helps escape local minima, and makes the loss function converge better.
In the adversarial example generation method based on the Adam algorithm in the embodiment of the invention, further, in the iterative solution, the gradients of all rounds of the iterative process are collected and combined with the corresponding decay factor to generate the first momentum of the current iteration round; the squares of the gradients of all rounds of the iterative process are collected and combined with the corresponding decay factor to generate the second momentum of the current iteration round; and the gradient update direction is obtained from the first momentum, the second momentum and the denominator stability coefficient. The step size of the gradient update is determined from the decay factor corresponding to the gradient and the decay factor corresponding to the squared gradient, giving the decaying step size. The decaying step size under the two-norm constraint is combined with the gradient update direction, and a clipping function is then used to constrain the adversarial example generated in the current iteration round within the infinity-norm range. Further, in the iterative solution, the solution process ends once the current iteration reaches the set number of iteration rounds. Further, the decaying step size is calculated using a decay formula composed of the decay factors corresponding to the gradient and the squared gradient.
The Fast Gradient Sign Method (FGSM) is one of the simplest adversarial example generation methods. It searches for an adversarial example along the gradient direction of the loss function with respect to the input,
Figure BDA0003187140400000042
and, when the adversarial noise is limited by the maximum norm, the adversarial example is generated by the following formula:
Figure BDA0003187140400000043
The Iterative Fast Gradient Sign Method (I-FGSM) is an iterative version of FGSM. Its idea is to divide the gradient operation of FGSM into multiple iterations, which can be expressed as follows:
Figure BDA0003187140400000051
Figure BDA0003187140400000052
Here the Clip function limits the adversarial example to the ε-neighborhood of the original image x so that the infinity-norm constraint is satisfied.
The Momentum Iterative Fast Gradient Sign Method (MI-FGSM) applies momentum to the adversarial example generation process, which stabilizes the gradient update direction and helps escape local extrema. Compared with I-FGSM, the difference lies in the update direction of the adversarial example:
Figure BDA0003187140400000053
Figure BDA0003187140400000054
Figure BDA0003187140400000055
where μ is the decay factor of the momentum term and g_i is the weighted accumulation of the gradients of the previous i iterations.
Both I-FGSM and MI-FGSM use a fixed step size during iteration, so in the later stage the algorithm oscillates around a local maximum and cannot converge well. To solve this problem, the embodiment of the present disclosure improves the Adam algorithm and introduces it into gradient iteration, providing an Adam-based Iterative Fast Gradient Method (AI-FGM), as shown in Algorithm 1:
Algorithm 1: Iterative fast gradient method based on the Adam algorithm
Figure BDA0003187140400000056
Figure BDA0003187140400000061
In particular, in the update direction of each iteration step, the gradient
Figure BDA0003187140400000062
is normalized by its own L1 distance, because the gradient magnitude differs greatly between iteration rounds. Similar to MI-FGSM, m_t collects the gradients of the first t iterations with decay factor β1, as shown in Equation 10, and may be called the first momentum. v_t, the second momentum, collects the squares of the gradients of the first t iterations with decay factor β2, as shown in Equation 11. Note that the squaring here is performed element-wise, i.e., g_t^2 is obtained by squaring each element of g_t. The hyperparameters β1 and β2 usually take values in (0, 1). The update direction of x is given by Equation 12, where δ is a stability coefficient set to prevent the denominator from being zero; this has the advantage of speeding up the update of x in dimensions where the gradient is small.
As for the step size, if β1 and β2 are chosen properly,
Figure BDA0003187140400000063
will decrease as t increases. As t goes from 0 to T-1, a decreasing sequence is formed; normalizing this sequence gives the weight of each iteration's step in the total step size α, which yields a decaying step-size sequence, as shown in Equation 13.
In the embodiment of the present application, an infinity-norm limit is applied to the adversarial noise. Unlike previous methods, the sign function is not applied to the gradient to meet the infinity-norm limit; instead, a step size and gradient direction under the corresponding two-norm constraint are used, and the clipping function Clip is then applied to constrain the adversarial example within the corresponding infinity-norm range, as shown in Equations 14 and 15. The relationship between the two-norm limit α and the infinity-norm limit ε is defined in Equation 8, where N is the dimension of the input image.
If an adversarial example is adversarial against multiple networks, it is more likely to transfer to another model, i.e., it has stronger black-box attack capability. Therefore, the embodiment of the present disclosure further provides an ensemble strategy, in which multiple models are attacked by fusing the logits of the different models:
Figure BDA0003187140400000064
where l_k(x) is the logits of the k-th model and ω_k is the ensemble weight, with ω_k ≥ 0 and
Figure BDA0003187140400000065
Further, based on the above method, an embodiment of the present invention also provides an adversarial example generation system based on the Adam algorithm, used for visual image classification and recognition and comprising a data collection module, a model construction module, and an adversarial example generation module, wherein
the data collection module is used for collecting sample data for visual image classification and recognition, wherein the sample data comprises an input image and label data corresponding to the input image;
the model construction module is used for constructing a neural network model for adversarial example generation;
and the adversarial example generation module is used for limiting the adversarial perturbation between the input image in the sample data and the generated adversarial example by using the infinity norm, optimizing the target loss function of the network model, solving the optimization model iteratively by using the Adam algorithm, and, in the iterative solution, generating the adversarial example by using a decaying step size and maximizing the target loss function of the network model.
To verify the validity of the scheme, it is further explained below with experimental data:
Data set: If the original images cannot be correctly classified by the network, generating adversarial examples from them is of little interest. Thus, 1000 images from the 1000 categories of the ImageNet validation set can be randomly selected, all of which are correctly classified by the networks being tested. All images are scaled to 299 × 299 × 3, and therefore N may be set to 299 × 299 × 3.
Networks: Seven networks can be selected, including four normally trained networks, namely Inception-v3 (Inc-v3), Inception-v4 (Inc-v4), Inception-ResNet-v2 (IncRes-v2) and ResNet-v2-152 (Res-152), and three adversarially trained networks, namely ens3-adv-Inception-v3 (Inc-v3_ens3), ens4-adv-Inception-v3 (Inc-v3_ens4) and ens-adv-Inception-ResNet-v2 (IncRes-v2_ens).
All experiments are performed under the infinity norm. For the momentum method, the decay factor μ in Equation 5 is set to 1, and the stability coefficient δ in Equation 12 is 10^-8. The attack is first performed against a single network: FGSM, I-FGSM, MI-FGSM and AI-FGM are used to generate adversarial examples against Inc-v3, Inc-v4, IncRes-v2 and Res-152, and all networks are then attacked with them. As shown in Table 1, the success rate is the classification error rate of the model when the adversarial examples are used as input. In the experiment, the maximum perturbation is ε = 16, the number of iterations is T = 10, and the decay factors in AI-FGM are β1 = 0.99 and β2 = 0.999.
It can be observed from the results in the table that the three iterative methods attack the white-box model with a success rate close to 100%, and AI-FGM is superior to the other three methods on all black-box models. For example, when the adversarial examples are generated against Inc-v3, the attack success rate of AI-FGM on Inc-v4 is 52.4%, while that of MI-FGSM is 48.0%, and neither FGSM nor I-FGSM exceeds 30.0%, which demonstrates the effectiveness of the algorithm in this scheme.
Table 1. Success rate (%) of attacks generated against a single model and applied to each of the seven networks; entries on the diagonal are white-box attacks and the rest are black-box attacks.
Figure BDA0003187140400000071
Figure BDA0003187140400000081
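The evaluation protocol described above, seen from the side of someone measuring a model's robustness, is sketched in the following added example, which is not part of the patent text: it keeps only images that every tested model classifies correctly, checks that each perturbed image respects the infinity-norm budget ε, and builds the source-by-target success-rate table with white-box entries on the diagonal. The model names, the images, labels and predictions, and the 0..255 pixel scale are all constructed assumptions.

```python
"""Transfer-evaluation harness for the protocol described above.

Added example: every image, label and prediction here is constructed.
"""
from typing import Dict, List, Sequence

Preds = List[int]


def linf_distance(x: Sequence[float], x_adv: Sequence[float]) -> float:
    """Largest per-pixel change between the clean and the perturbed image."""
    if len(x) != len(x_adv):
        raise ValueError("clean and perturbed image differ in size")
    return max(abs(a - b) for a, b in zip(x, x_adv))


def within_budget(x: Sequence[float], x_adv: Sequence[float], eps: float,
                  lo: float = 0.0, hi: float = 255.0) -> bool:
    """True if x_adv stays in the eps-ball around x and in the pixel range.

    The 0..255 scale is an assumption; the page only states eps = 16.
    """
    in_ball = linf_distance(x, x_adv) <= eps + 1e-9
    return in_ball and all(lo <= p <= hi for p in x_adv)


def eligible(clean_preds: Dict[str, Preds], labels: Preds) -> List[int]:
    """Indices of images that every tested model classifies correctly."""
    return [i for i, y in enumerate(labels)
            if all(p[i] == y for p in clean_preds.values())]


def success_rate(adv_preds: Preds, labels: Preds, keep: List[int]) -> float:
    """Classification error rate (%) on perturbed inputs, eligible images only."""
    if not keep:
        raise ValueError("no eligible images: success rate is undefined")
    wrong = sum(1 for i in keep if adv_preds[i] != labels[i])
    return 100.0 * wrong / len(keep)


def transfer_matrix(adv_preds: Dict[str, Dict[str, Preds]], labels: Preds,
                    keep: List[int]) -> Dict[str, Dict[str, float]]:
    """adv_preds[source][target]: target's predictions on examples made for source."""
    return {src: {tgt: success_rate(p, labels, keep) for tgt, p in row.items()}
            for src, row in adv_preds.items()}


def black_box_mean(matrix: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Mean off-diagonal (black-box) success rate for each source model."""
    out = {}
    for src, row in matrix.items():
        others = [rate for tgt, rate in row.items() if tgt != src]
        if others:
            out[src] = sum(others) / len(others)
    return out


# Constructed data: five images, two hypothetical models.
LABELS = [0, 1, 2, 1, 0]
CLEAN = {"model_a": [0, 1, 2, 1, 0],
         "model_b": [0, 1, 2, 0, 0]}          # model_b misses image 3
ADV = {"model_a": {"model_a": [1, 0, 0, 0, 2], "model_b": [1, 1, 2, 2, 0]},
       "model_b": {"model_a": [0, 1, 0, 0, 1], "model_b": [2, 0, 1, 1, 1]}}

KEEP = eligible(CLEAN, LABELS)                # image 3 is excluded
MATRIX = transfer_matrix(ADV, LABELS, KEEP)

if __name__ == "__main__":
    for src, row in MATRIX.items():
        print(src, row)
    print("black-box mean:", black_box_mean(MATRIX))
```

Running `within_budget` on every submitted sample before scoring keeps an out-of-budget perturbation from inflating a reported success rate.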
β1And beta2Determines the attenuation amplitude of the step size and mtAnd vtThe cumulative strength of the historical gradients can have a significant impact on attack success rates. Therefore, a grid search method can be applied in experiments to find an optimal set of beta1And beta2The value of (c). The perturbation size epsilon may be set to 16 and the number of iteration rounds T to 10. Attenuation factor beta1And beta2From 0 to 1. Note that in order to study β as comprehensively as possible1And beta2In addition to uniformly varying from 0.1 to 0.9, several values close to 0 and 1 were taken, as shown in FIG. 2, when β was1And beta2In the change between (0,1), generation of anti-sample attack Inc-v3 (white box), Inc-v4 (common trained network, black box), Inc-v3 against Inc-v3ens4(success rate against training network, black box). The scheme algorithm AI-FGM in the present case is used for generating a countermeasure sample for the Inc-v3 and pairing the Inc-v3, the Inc-v4 and the Inc-v3ens4To carry outAttack, as can be seen from the figure, for the white-box model, no matter beta1And beta2How to change, the attack success rate is about 100%. For the black-box model, whether a normally trained network or an anti-trained network, the attack success rate seems to be for β1And is more sensitive. And when beta1And beta2When the attack success rate is close to 1, the attack success rate reaches the maximum.
Influence of the iteration round number T on the attack success rate of the iteration method. In experiments, the perturbation magnitude ε may be set to 16, the attenuation factor β1=0.99,β20.999. The number of iteration rounds varied uniformly from 1 to 20, and the challenge samples were generated for Inc-v3 using I-FGSM, MI-FGSM and AI-FGM to attack Inc-v3 and Inc-v4, with the result that, as shown in fig. 3, when the number of iteration rounds varied, the success rate (%) of challenge samples for attacking Inc-v3 (white box) and Inc-v4 (black box) was generated for Inc-v3 using I-FGSM, MI-FGSM and AI-FGM to attack Inc-v3, noting that the three curves for attacking Inc-v3 in the figure coincide. As can be seen from FIG. 3, as the number of iteration rounds increases, the success rate of black box attack of several iteration methods decreases, but under the condition that the number of iteration rounds is the same, the AI-FGM algorithm corresponding to the scheme of the present application is always higher than the MI-FGSM and the I-FGSM algorithms.
Influence of the perturbation size ε on the attack success rate. In the experiment, with the number of iteration rounds T set to 10 and the attenuation factors β₁ = 0.99 and β₂ fixed, the perturbation size was varied, and I-FGSM, MI-FGSM and AI-FGM were used to generate adversarial samples for Inc-v3, which were then used to attack Inc-v3 and Inc-v4. FIG. 4 shows the resulting success rates (%) against Inc-v3 (white box) and Inc-v4 (black box) as the perturbation size varies; note that the three curves for attacks on Inc-v3 coincide in the figure. As FIG. 4 shows, for the white-box attack the success rate quickly reaches 100%, while for the black-box attack the success rate increases steadily with ε. For the same perturbation size, the success rate of the AI-FGM of the present scheme is always higher than that of MI-FGSM and I-FGSM; that is, AI-FGM can reach a given black-box attack success rate with a smaller perturbation.
Although the above experimental results show that AI-FGM can increase the transferability of adversarial samples to black-box models, the black-box attack success rate can be further increased by attacking an ensemble (integrated) model. In the embodiment of the scheme, the attack can be carried out by fusing the logit values of multiple networks. Seven networks are used: FGSM, I-FGSM, MI-FGSM and AI-FGM each generate adversarial samples against an ensemble of six of the networks, and the samples are used to attack the ensemble and the remaining held-out (reserved) network. In the experiment, the attenuation factors can be set to β₁ = 0.99 and β₂ = 0.999, the number of iteration rounds of the iterative methods to T = 10, and the perturbation size to ε = 16, with equal ensemble weights for all networks, i.e. ωₖ = 1/6. The results are shown in Table 2.
Table 2. Success rate (%) of attacks on the ensemble network. The "-" symbol indicates that the network is the held-out (reserved) network; the first row is the ensemble model (white box) and the second row is the held-out model (black box).
Figure BDA0003187140400000091
As the table shows, in the white-box case AI-FGM maintains a high attack success rate, and in the black-box case AI-FGM has a higher attack success rate than the other three methods. For example, when Inc-v4 is the held-out network ("-Inc-v4"), the success rate of AI-FGM against Inc-v4 is 76.7%, whereas those of FGSM, I-FGSM and MI-FGSM are 38.3%, 48.2% and 69.8%, respectively.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
In all examples shown and described herein, any particular value should be construed as merely exemplary and not as a limitation; other examples of the exemplary embodiments may therefore have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
Finally, it should be noted that the above embodiments are only specific embodiments of the present invention, used to illustrate its technical solutions rather than to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that anyone skilled in the art may, within the technical scope disclosed herein, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or substitute equivalents for some of their technical features; such modifications, changes or substitutions do not cause the corresponding technical solutions to depart from the spirit and scope of the embodiments of the present invention, and they should be construed as falling within its protection scope. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. An adversarial sample generation method based on the Adam algorithm, used for visual image classification and identification, characterized by comprising the following steps:
collecting sample data for visual image classification and identification, wherein the sample data comprises an input image and label data corresponding to the input image;
constructing a neural network model for adversarial sample generation;
for the sample data, constraining the adversarial perturbation between an input image in the sample data and the generated adversarial sample by using the infinity norm, optimizing the objective loss function of the network model, solving the model iteratively by using the Adam algorithm, and, in the iterative solution, generating the adversarial sample by using an attenuation step length and maximizing the objective loss function of the network model.
2. The adversarial sample generation method based on the Adam algorithm according to claim 1, wherein the objective loss function of the neural network model is expressed as J(θ, x, y), where x is the input image, y is the label corresponding to the input image x, and θ denotes the parameters of the neural network model, and the adversarial sample x* corresponding to the input image x is generated by maximizing J(θ, x, y).
3. The adversarial sample generation method based on the Adam algorithm according to claim 2, characterized in that the network model optimization problem under the adversarial perturbation constraint is expressed as:
Figure FDA0003187140390000011
where ε is the magnitude of the adversarial perturbation.
4. The adversarial sample generation method based on the Adam algorithm according to claim 1, characterized in that the optimization model is iteratively solved by setting an iteration step gradient and using the Adam algorithm.
5. The adversarial sample generation method based on the Adam algorithm according to claim 4, wherein, in the iterative solution, the gradients of all rounds in the iterative process are collected and combined with the corresponding attenuation factor to generate the first momentum of the current iteration round; the squares of the gradients of all rounds in the iterative process are collected and combined with the corresponding attenuation factor to generate the second momentum of the current iteration round; the gradient update direction is obtained from the first momentum, the second momentum and the denominator stability coefficient; the step length of the gradient update is determined by using the attenuation factor corresponding to the gradient and the attenuation factor corresponding to the square of the gradient, giving the attenuation step length; and, using the attenuation step length under the two-norm constraint combined with the gradient update direction, the adversarial sample generated in the current iteration round is constrained within the infinity-norm range by a clipping function.
6. The adversarial sample generation method based on the Adam algorithm according to claim 4 or 5, wherein, in the iterative solution, the solution process is ended by judging whether the current iteration has reached the set number of iteration rounds.
7. The adversarial sample generation method based on the Adam algorithm according to claim 5, characterized in that the attenuation step length is calculated using an attenuation formula composed of the attenuation factors corresponding to the gradient and to the square of the gradient.
8. The adversarial sample generation method based on the Adam algorithm according to claim 7, characterized in that the attenuation step length αₜ of the current iteration round t is calculated as:
Figure FDA0003187140390000012
where T is the number of iteration rounds, β₁ and β₂ are the attenuation factors corresponding to the gradient and the square of the gradient, respectively, and the total step size is
Figure FDA0003187140390000013
ε is the magnitude of the adversarial perturbation and N is the dimension of the input image.
9. The method of claim 8, wherein the clipping function is expressed as
Figure FDA0003187140390000021
where x is the input image and x*ₜ₊₁ is the adversarial sample generated in the current iteration round t.
10. An adversarial sample generation method based on the Adam algorithm, used for visual image classification and identification, characterized by comprising: a data collection module, a model construction module, and an adversarial sample generation module, wherein,
the data collection module is used for collecting sample data for visual image classification and identification, wherein the sample data comprises an input image and label data corresponding to the input image;
the model construction module is used for constructing a neural network model for adversarial sample generation;
and the adversarial sample generation module is used for constraining the adversarial perturbation between the input image in the sample data and the generated adversarial sample by using the infinity norm, optimizing the objective loss function of the network model, solving the optimization model iteratively by using the Adam algorithm, and, in the iterative solution, generating the adversarial sample by using an attenuation step length and maximizing the objective loss function of the network model.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110865402.8A CN113591975A (en) 2021-07-29 2021-07-29 Countermeasure sample generation method and system based on Adam algorithm

Publications (1)

Publication Number Publication Date
CN113591975A true CN113591975A (en) 2021-11-02

Family

ID=78252062

Country Status (1)

Country Link
CN (1) CN113591975A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20211102
