CN113988293A - Method for generating network by antagonism of different hierarchy function combination - Google Patents


Info

Publication number: CN113988293A
Authority: CN (China)
Prior art keywords: data, loss function, network, clean, features
Legal status: Granted
Application number: CN202111269497.3A
Other languages: Chinese (zh)
Other versions: CN113988293B
Inventors: 刘亮, 郑霄龙, 刘知瑶, 马华东
Current assignee: Beijing University of Posts and Telecommunications
Original assignee: Beijing University of Posts and Telecommunications
Events: application filed by Beijing University of Posts and Telecommunications; priority to CN202111269497.3A; publication of CN113988293A; application granted; publication of CN113988293B; legal status: active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/084 Backpropagation, e.g. using gradient descent
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology

Abstract

The invention discloses a method for an adversarial generative network that combines loss functions of different levels. It corrupts the training data by data poisoning so that the whole learning process is ultimately corrupted, which improves the effectiveness of the poisoned samples. The invention uses a combined loss function and processes the data at different stages in order to cause misclassification. To strengthen the misclassification of images further, contrastive learning from the field of self-supervised learning is applied to the training of the model. The data are loaded as data pairs and are processed by feature integration during training, which enhances the poisoning capability of the contaminated data while keeping the attack pattern as imperceptible to the naked eye as possible.

Description

Method for generating network by antagonism of different hierarchy function combination
Technical Field
The invention relates to the field of image processing, and in particular to a method for an adversarial generative network that combines loss functions of different levels.
Background
In recent years, deep learning has advanced to the point where it surpasses human performance on many tasks, and it is now widely deployed in daily life, for example in face recognition, fingerprint recognition and network security, as well as in applications where failure is costly, such as autonomous driving. However, research has shown that deep neural networks are highly vulnerable to adversarial examples: by adding a few tiny perturbations to an image or to a detected object, an attacker can make the network learn inaccurate features and produce wrong predictions. This is referred to as an "adversarial attack", and an adversarial example is a modified version of a clean image that has been deliberately perturbed (for example by adding noise) in order to fool machine learning techniques such as deep neural networks.
There are many ways to disrupt deep learning: an adversary may try to manipulate the collection of data, or to interfere with the target model, and so on. Many attack methods have therefore been proposed to sabotage network learning. Two common types are the poisoning attack and the evasion attack.
The concept of a data poisoning attack against a machine learning algorithm was first proposed by Biggio et al. in 2012: targeting a weakness of the support vector machine algorithm, the attacker injects malicious data points during the training phase in the hope of maximising the classification error. A poisoning attack takes place during training and attempts to contaminate the training data; by corrupting the training data it ultimately corrupts the whole learning process. Its main technique is to cause wrong network predictions through carefully crafted poisoned samples. An evasion attack, in contrast, attempts to fool the target system by adjusting malicious samples during the test phase.
In terms of the attacker's access, current data poisoning methods divide into black-box and white-box attacks. In the former, the attacker injects a small fraction of samples into the training process without access to the model or to the training procedure. In the latter, the attacker has full access to the parameters, architecture and training details of the model and can use this information to construct poisoned samples carefully. Because neural networks need large data sets for training, it is common practice to use training samples collected from other sources (for example the internet); since careful inspection of such data sets is costly, they are vulnerable to malicious noise deliberately introduced by an attacker.
Adversarial learning, as in generative adversarial networks, is a machine learning approach in which two networks compete: through repeated contests the generator and the discriminator keep improving until an equilibrium is reached, and the generator can finally produce high-quality images that are indistinguishable from real ones. Conventional gradient-based adversarial example generation algorithms have limitations, so it was later proposed to generate adversarial samples using generative adversarial network (GAN) algorithms.
Contrastive learning is a very popular self-supervised learning technique. One of its main differences from generative networks is that the algorithm does not need to attend to every detail of a sample, as long as the learned features can distinguish it from other samples. Contrastive learning benefits more than supervised learning from larger batches and longer training, and, like supervised learning, it also benefits from deeper and wider networks.
At present, the prior art has the following shortcomings:
(1) Data augmentation
Data are decisive for how well a model learns: the larger and higher-quality the data set, the better the generalisation the model can achieve. In practice, however, the amount of data is often too small (relative to the model), the samples are unbalanced, and not all scenarios can be covered. A common and effective remedy is data augmentation, which lets model learning reach better generalisation performance. However, augmentation is usually mechanical and may sometimes have little effect on training performance.
(2) Loss functions that steer model optimisation
At present, most adversarial learning back-propagates a classification-level loss function in order to optimise the network parameters and thereby reach the goal of image recognition. For example, the method that the original text calls "deep fuse" (presumably DeepConfuse) can successfully deceive an image recognition system, but its accuracy and generation efficiency still need improvement, because the influence of other levels, such as features and gradients, is not considered comprehensively.
The invention therefore addresses these shortcomings: it designs and constructs positive and negative sample pairs for learning features, and adds loss functions at different levels to guide the learning of the model.
Disclosure of Invention
The aim of the invention is to provide a method for an adversarial generative network that combines loss functions of different levels, which, using the same data set, produces a good contamination effect by adding small perturbations to the data; that is, when the same data set is used as the training set for a model, the classification result can be successfully misled.
In order to achieve the above purpose, the invention provides the following technical scheme:
A method for an adversarial generative network that combines loss functions of different levels, comprising the following steps:
S1. Load the data, and compare and classify the data;
S2. Integrate the noise data produced by the noise generator with the original data, feed the integrated data into a deep neural network f for learning to obtain the poisoned-data features, and record the update trajectory f' of the network; feed the data features obtained from f, after integration, into the combiner D, and record the update trajectory D' of the combiner;
S3. Feed the original data into f' to obtain the clean-data features and their classification results; score the predicted class probabilities with the classification loss function, and compute the distance between the poisoned-data features and the clean-data features with the feature loss function;
S4. On the basis of the extracted features, integrate the clean-data features, feed them into D', and compute the distance between the integrated feature value and the expected corresponding feature value with a loss function;
S5. Back-propagate the combined loss function through the network model to update the network parameters, so that the network model learns the expected features.
Further, in step S1 the data are loaded in the form of data pairs.
Further, the classification in step S1 is formulated as:
$f_\theta: \mathcal{X} \to \{0,1\}^K$
where f is the classification neural network to be learned, θ its parameters, x ∈ X the network input and K the number of classes; if the two data items are of the same class the label is 1, otherwise the label is 0.
Further, the noise generator in step S2 is defined as
$g_\xi: \mathcal{X} \to \mathcal{X}$, such that
[Constraint on the perturbation: rendered as an image in the original, not reproduced]
where ε is the perturbation amplitude and g is a general encoder-decoder network.
Further, the classification loss function in step S3 is the cross-entropy loss:
[Equation (3), cross-entropy loss: image not reproduced]
Further, the feature loss function in step S3 is the cosine similarity loss:
[Equation (4), cosine similarity loss: image not reproduced]
or the mean squared error loss:
[Equation (5), mean squared error loss: image not reproduced]
Further, the loss function used in step S4 is the cross-entropy loss:
[Equation (6), cross-entropy loss on the integrated features: image not reproduced]
Further, the training process of step S5 is the minimisation of a loss function:
$\theta^* = \arg\min_{\theta} \mathbb{E}_{(x,y)\sim\mathcal{D}}\left[L(f_\theta(x), y)\right]$
where θ are the network parameters, D the training data set, L the combined loss function and (x, y) a sample and its label.
Further, the combined loss function L of step S5 is computed as:
$L = \alpha\,\mathrm{loss\_cls} + \beta\,\mathrm{loss\_fab} + \gamma\,\mathrm{loss\_ab}$
where α, β and γ are weights.
Further, the method for the adversarial generative network combining loss functions of different levels comprises the following steps:
S1. Load the data as data pairs, loading DataA and DataB at the same time; compare DataA and DataB to generate the stored label: if DataA and DataB are of the same class the label is 1, otherwise 0;
S2. Integrate the noise data produced by the noise generator with the original data, feed the integrated data into the deep neural network f for learning to obtain the poisoned-data features fa and fb, and record the update trajectory f' of the network; integrate the data features obtained from f, feed them into the combiner D, and record the update trajectory D' of the combiner;
S3. Feed the original data into f' to obtain the clean-data features fa_clean and fb_clean and their classification results; score the predicted class probabilities with the classification loss function of formula (3), and compute the distance between the poisoned-data features and the clean-data features with the feature loss function of formula (4) or (5);
[Equation (3), cross-entropy loss: image not reproduced]
[Equation (4), cosine similarity loss: image not reproduced]
[Equation (5), mean squared error loss: image not reproduced]
S4. On the basis of the extracted features, integrate the clean-data features fa_clean and fb_clean, and compute the distance between the integrated feature value and the expected corresponding feature value with the loss function of formula (6);
[Equation (6), cross-entropy loss on the integrated features: image not reproduced]
S5. Back-propagate the combined loss function of formula (9) through the network model to update the network parameters, so that the expected features are learned:
$L = \alpha\,\mathrm{loss\_cls} + \beta\,\mathrm{loss\_fab} + \gamma\,\mathrm{loss\_ab}$ (9)
where α, β and γ are weights.
Compared with the prior art, the invention has the beneficial effects that:
the invention provides a method for resisting a generation network (DPGAN) with different hierarchical function combinations, which finally destroys the whole learning process by destroying training data through data poisoning, thereby effectively improving the poisoning effect of a poisoning sample. And the combined loss function is used and the data is processed at different stages, so that the aim of misidentification is fulfilled. Meanwhile, in order to further achieve the effect of picture error recognition, the method applies contrast learning in the field of self-supervision learning to the process of intelligent model training. The form of the data pairs is used when the data are loaded, and the data are processed in a characteristic integration mode in the training process, so that the poisoning capability of the data during pollution is enhanced, and the attack effect of the attack pattern under the condition that the attack pattern is not recognized by naked eyes as far as possible is ensured.
Drawings
To illustrate the embodiments of the present application or the prior art more clearly, the drawings used in the embodiments are briefly described below. The drawings show only some of the embodiments described in the invention, and a person skilled in the art can derive other drawings from them.
FIG. 1 is a general model training flow diagram.
FIG. 2 is a flow chart of a multi-layer loss function training model.
Fig. 3 is an architecture diagram of a method for generating a network by countering different hierarchical function combinations according to an embodiment of the present invention.
Detailed Description
An image recognition system based on deep learning is easily affected by carefully crafted adversarial examples, because it depends on the training of a neural network, and a neural network is easily misled by adversarial attacks. Researchers keep proposing new adversarial attack methods; and although neural networks are powerful enough to learn robust models in the presence of natural noise, collecting data from untrusted sources makes them easy to attack successfully. The invention provides a method for an adversarial generative network that combines loss functions of different levels (DPGAN), which corrupts the training data by data poisoning so that the whole learning process is ultimately corrupted, thereby improving the effectiveness of the poisoned samples.
For a better understanding of the present solution, the method of the present invention is described in detail below with reference to the accompanying drawings.
We first discuss the effect of loss functions at different levels. Because the raw data of an image are usually high-dimensional, contain much redundant information, and may be sparse or computationally expensive, training directly on raw data is feasible but often inefficient. Feature extraction is necessary in most cases.
Cross-entropy loss is based on the concept of entropy, which measures the uncertainty of information. Applied to classification: the better the classification result, the lower the uncertainty and the smaller the entropy; conversely, the worse the classification result, the greater the uncertainty and the higher the entropy. The cross-entropy loss function can therefore be used for classification problems.
Among classification losses, the cross-entropy loss (CrossEntropyLoss) is one of the most commonly used. It measures how close the actual output is to the expected output, that is, the difference between the network output and the label, and this difference is used to update the network parameters by back-propagation. After data are fed into the network, the output actually obtained is compared with the expected output to judge how close the two are. FIG. 1 shows the general flow of training a model with deep learning, in which usually only a classification loss function is used.
In image processing, feature extraction starts from an initial data set and builds derived values (features) that are intended to be informative and non-redundant, facilitating the subsequent learning and generalisation steps and in some cases leading to better interpretability. Operations such as feature extraction and feature measurement therefore have an important influence on the training of the network model.
We explore adding loss functions at the feature level: while keeping the classification loss, we add feature losses such as the cosine loss, the MSE loss or the KL divergence, so that features are learned at the feature level as far as possible and, from the perspective of feature metrics, the distance between the poisoned-data features and the clean-data features is enlarged. The flow of training a model with the multi-level loss function is shown in FIG. 2.
Recognition methods based on contrastive learning in latent space have recently shown great promise and produced many new results. Compared with supervised learning, contrastive learning benefits more from larger batches and more training steps, which promote good contrastive representation learning; the composition of several data augmentation operations is critical to defining the contrastive prediction task that yields useful representations, and unsupervised contrastive learning benefits from stronger data augmentation than supervised learning. Inspired by contrastive learning algorithms, we propose an algorithmic model, an adversarial generative network combining loss functions of different levels (DPGAN), which learns representations by maximising the agreement between different augmented views of the same data example through a contrastive loss in latent space. The key architecture is shown in FIG. 3.
The conventional classification task learns the sample distribution of the data set, i.e. the features of each class, and then classifies the target to be recognised according to the learned parameters. Mathematically:
$f_\theta: \mathcal{X} \to \{0,1\}^K$ (1)
where f is the classification neural network to be learned, θ its parameters, x ∈ X the network input and K the number of classes. In the embodiment there are 10 classes in total; after each batch of data is loaded, data_A is taken as the reference: a pair of the same class is labelled 1 and a pair of different classes is labelled 0.
To learn the optimal classification network, we need a loss function that measures the error between the current classification result and the ground truth, and we continuously optimise the network parameters by back-propagation. The whole training process can be abstracted as minimising a loss function, formula (2):
$\theta^* = \arg\min_{\theta} \mathbb{E}_{(x,y)\sim\mathcal{D}}\left[L(f_\theta(x), y)\right]$ (2)
where θ are the network parameters, D the training data set, L the combined loss function and (x, y) a sample and its label. During training, the classification-level loss is the cross-entropy loss, formula (3); the loss measuring feature-level similarity is either the cosine similarity loss, formula (4), or the mean squared error (MSE) loss, formula (5); and the classification loss used after the data features have been integrated is the cross-entropy loss, formula (6).
[Equation (3), cross-entropy loss: image not reproduced]
[Equation (4), cosine similarity loss: image not reproduced]
or
[Equation (5), mean squared error loss: image not reproduced]
[Equation (6), cross-entropy loss on the integrated features: image not reproduced]
Our goal is to generate small perturbations that are imperceptible to an observer of the data and use them to contaminate a data set. First we define the noise generator $g_\xi: \mathcal{X} \to \mathcal{X}$. It takes an original sample of the target data set as input and outputs a contaminated sample with added perturbation information; the perturbation must be as small as possible, which is expressed mathematically as:
[Constraint on the perturbation: image not reproduced]
where ε is the perturbation amplitude we define and g is a general encoder-decoder network (the noise generator). Training the perturbation generator can be abstracted as the bi-level problem
$\max_{\xi} \mathbb{E}_{(x,y)\sim\mathcal{D}}\left[L\left(f_{\theta^*(\xi)}(x), y\right)\right]$ (7)
$\text{s.t.}\quad \theta^*(\xi) = \arg\min_{\theta} \mathbb{E}_{(x,y)\sim\mathcal{D}}\left[L\left(f_\theta(x + g_\xi(x)), y\right)\right]$ (8)
The combined loss function L is computed as follows, where α, β and γ are weights:
$L = \alpha\,\mathrm{loss\_cls} + \beta\,\mathrm{loss\_fab} + \gamma\,\mathrm{loss\_ab}$ (9)
in summary, the basic idea of the invention is: f is alternately updated by gradient descent from the confrontational training data (deep learning model) and g is updated by gradient ascent from the clean data (noise generator). To stabilize this process, f is updated according to the confrontation training data, and the updated trajectory of f is collected, and then the confrontation training data and g are updated by calculating the pseudo-update of f at each time step according to the collected trajectory (D, same).
Specifically, the invention provides a method for generating a network by countermeasures of different hierarchical function combinations, which comprises the following steps:
first, when loading data, we load DataA and DataB simultaneously in the form of a data pair (data pair). Then compare DataA and DataB to generate n _ label (tensor of stored label), i.e. if DataA and DataB are of the same class, label is marked as 1, otherwise label is marked as 0. For later calculation of the classification loss function loss _ fab.
Secondly, the noise data generated by the noise generator and the original data are integrated together, the data are introduced into a deep neural network f for learning to respectively obtain data characteristics fa and fb, the updated track updating f 'of the deep neural network is collected, the data characteristics obtained by the neural network f are used for integration, and then the data are introduced into a combiner D, and the updated track updating D' of the deep neural network is collected.
Then, the original data is transmitted into f', and the characteristics fa _ clean, fb _ clean and the classification result of the clean data are obtained. The probability of classifying into each class is predicted using the classification loss function equation (3). At the feature level, the distance between the feature of the poisoned data and the feature of the clean data is calculated using the loss function formula (4) or (5).
Furthermore, on the basis of extracting the features, different features of the data pair, namely, fa _ clean and fb _ clean, are integrated and transmitted into D', and the distance between the integrated feature value and the expected corresponding feature value is calculated by using the loss function formula (6) so as to gradually approach other feature classes and move away from the feature classes.
And finally, using three comprehensive loss function formulas (9) to reversely transmit the network model, thereby updating the parameters, enabling the parameters to learn the expected characteristics and achieving the purpose of data poisoning.
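As an added example of the data-pair loading of step S1 and of the multi-level combined loss of formula (9) (this is not the patent's code): the functions below build (DataA, DataB, n_label) pairs from a small constructed sample set, compute the three loss terms at their respective levels (cross-entropy for the classification level, cosine or MSE distance for the feature level, cross-entropy on the combiner's pair logits), and weight them with α, β, γ. The concatenation used to integrate the two features and the single linear layer standing in for the combiner D are assumptions; the page names the combiner but does not specify its form or the integration operator. The direction in which L is used depends on which network is being updated: f minimises it in step S5, while the noise generator maximises it through formula (7).

```python
import math

# Constructed toy samples (feature vector, class id); not data from the patent.
SAMPLES = [
    ([1.0, 0.0, 0.0], 0),
    ([0.9, 0.1, 0.0], 0),
    ([0.0, 1.0, 0.0], 1),
    ([0.0, 0.0, 1.0], 2),
]


def make_pairs(samples, offset=1):
    """Step S1: load DataA and DataB as a pair and derive n_label:
    1 if both belong to the same class, 0 otherwise. Pairing each sample
    with the one `offset` positions later is an assumption for the example."""
    n = len(samples)
    pairs = []
    for i in range(n):
        (xa, ya), (xb, yb) = samples[i], samples[(i + offset) % n]
        pairs.append((xa, xb, 1 if ya == yb else 0))
    return pairs


def softmax(logits):
    m = max(logits)
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]


def cross_entropy(logits, target):
    """Classification-level loss (formula (3)): -log p(target)."""
    return -math.log(softmax(logits)[target])


def cosine_loss(fa, fb):
    """Feature-level loss (formula (4)): 1 - cosine similarity, so identical
    directions give 0 and orthogonal features give 1."""
    dot = sum(a * b for a, b in zip(fa, fb))
    na = math.sqrt(sum(a * a for a in fa))
    nb = math.sqrt(sum(b * b for b in fb))
    return 1.0 - dot / (na * nb)


def mse_loss(fa, fb):
    """Feature-level loss (formula (5)): mean squared error between features."""
    return sum((a - b) ** 2 for a, b in zip(fa, fb)) / len(fa)


def integrate_features(fa, fb):
    """Assumed feature integration for the combiner D: concatenation."""
    return list(fa) + list(fb)


def linear_combiner(weights, bias, feat):
    """Assumed combiner D: one linear layer producing two logits
    [different-class, same-class] scored against n_label."""
    return [sum(w * f for w, f in zip(row, feat)) + b
            for row, b in zip(weights, bias)]


def combined_loss(cls_logits, y, poisoned_feat, clean_feat,
                  pair_logits, n_label, alpha, beta, gamma,
                  feature_loss=cosine_loss):
    """Formula (9): L = alpha*loss_cls + beta*loss_fab + gamma*loss_ab.
    Returns the total and the three components."""
    loss_cls = cross_entropy(cls_logits, y)             # classification level
    loss_fab = feature_loss(poisoned_feat, clean_feat)  # feature level
    loss_ab = cross_entropy(pair_logits, n_label)       # combiner / pair level
    total = alpha * loss_cls + beta * loss_fab + gamma * loss_ab
    return total, (loss_cls, loss_fab, loss_ab)


if __name__ == "__main__":
    xa, xb, n_label = make_pairs(SAMPLES)[0]
    # Stand-ins for features a real f would produce: the poisoned feature is
    # DataA's vector and the clean feature is DataB's vector.
    weights = [[0.0] * 6, [0.0] * 6]     # an untrained D gives uniform pair logits
    pair_logits = linear_combiner(weights, [0.0, 0.0], integrate_features(xa, xb))
    total, parts = combined_loss([0.0, 0.0, 0.0], 0, xa, xb, pair_logits, n_label,
                                 alpha=1.0, beta=1.0, gamma=1.0)
    print("n_label:", n_label)
    print("L = %.4f  (cls %.4f, fab %.4f, ab %.4f)" % ((total,) + parts))
```

Swapping `feature_loss=mse_loss` into `combined_loss` gives the MSE-plus-cross-entropy variant the description mentions; any other feature-level distance with the same two-argument signature can be dropped in the same way.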
The invention designs and uses a combined loss function to modify the model more effectively. Only two combinations are used here, MSE loss with cross-entropy loss and cosine loss with cross-entropy loss, but loss functions of further levels can be combined and added to the training process, or gradient-related functions can be introduced, for example the MAE loss or other perceptual losses.
Besides the data poisoning attack in the training phase, the method can also carry out an evasion attack on the test data at the same time as the poisoning attack on the training data, thereby increasing the misclassification rate.
For the same purpose of misclassification, a trigger can be placed in the model's input so that the vulnerability is activated at inference time; such attacks use gradient matching and data selection, and retrain the target model while the poison is being crafted. Sleeper Agent, which builds on these ideas, is the first hidden-trigger backdoor attack that is effective against neural networks trained from scratch.
In conclusion, the data poisoning method based on the adversarial generative network attacks image recognition systems effectively. The invention provides a method that processes the data at different stages with a combined loss function, thereby achieving misclassification. To strengthen the misclassification of images further, contrastive learning from the field of self-supervised learning is applied to the training of the model. The data are loaded as data pairs and are processed by feature integration during training, which enhances the poisoning capability of the contaminated data while keeping the attack pattern as imperceptible to the naked eye as possible.
The above examples only illustrate the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions described in the embodiments may be modified, or some of their technical features replaced by equivalents, without departing from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (10)

1. A method for an adversarial generative network that combines loss functions of different levels, comprising the following steps:
S1. Load the data, and compare and classify the data;
S2. Integrate the noise data produced by the noise generator with the original data, feed the integrated data into a deep neural network f for learning to obtain the poisoned-data features, and record the update trajectory f' of the network; feed the data features obtained from f, after integration, into the combiner D, and record the update trajectory D' of the combiner;
S3. Feed the original data into f' to obtain the clean-data features and their classification results; score the predicted class probabilities with the classification loss function, and compute the distance between the poisoned-data features and the clean-data features with the feature loss function;
S4. On the basis of the extracted features, integrate the clean-data features, feed them into D', and compute the distance between the integrated feature value and the expected corresponding feature value with a loss function;
S5. Back-propagate the combined loss function through the network model to update the network parameters, so that the network model learns the expected features.
2. The method for generating a network against different hierarchical function combinations according to claim 1, wherein step S1 uses the form of data pair when loading data.
3. The method for generating a network against different hierarchical function combinations according to claim 1, wherein step S1 is classified as follows:
fθ:x→{0,1}K
f is the learned classified neural network, theta is the network parameter, X is the network input, K is the classified category, if the data is of the same category, the label is marked as 1, otherwise, the label is marked as 0.
4. The method for generating a network against different hierarchical function combinations according to claim 1, wherein the noise generator in step S2 is defined as:
g_ξ: X → X, such that
Figure FDA0003328189620000012
ε is the size of the perturbation amplitude, and g is a common codec (encoder-decoder) network.
5. The method for generating a network against different hierarchical function combinations according to claim 1, wherein the classification loss function in step S3 uses a cross-entropy loss function:
Figure FDA0003328189620000011
6. The method for generating a network against different hierarchical function combinations according to claim 1, wherein the feature loss function in step S3 uses a cosine similarity loss function:
Figure FDA0003328189620000021
or a mean square error loss function:
Figure FDA0003328189620000022
7. The method for generating a network against different hierarchical function combinations according to claim 1, wherein the loss function used in step S4 is a cross-entropy loss function:
Figure FDA0003328189620000023
8. The method for generating a network against different hierarchical function combinations according to claim 1, wherein the training process of step S5 is a process of minimizing a loss function:
Figure FDA0003328189620000024
θ is the network parameter, D is the training data set, L is the comprehensive loss function, and (x, y) are the samples and labels.
9. The method for generating a network against different hierarchical function combinations according to claim 8, wherein the calculation formula of the comprehensive loss function L in step S5 is as follows:
L = α·loss_cls + β·loss_fab + γ·loss_ab
where α, β and γ are weights.
10. The method for adversarial generation of networks of different hierarchical function combinations according to claim 1, characterized in that it comprises the following steps:
S1, loading the data in the form of data pairs: loading DataA and DataB at the same time and comparing DataA with DataB to generate a stored label; if DataA and DataB are of the same type the label is marked as 1, otherwise the label is marked as 0;
S2, integrating the noise data generated by the noise generator with the original data, feeding the integrated data into a deep neural network f for learning to obtain the poisoned data features fa and fb, recording the updated network f' (the update trajectory of the deep neural network), feeding the data features obtained by the neural network f into a combiner D, and recording the updated combiner D' (its update trajectory);
S3, feeding the original data into f' to obtain the clean data features fa_clean and fb_clean and their classification results, predicting the probability of classification into each class with the classification loss function of formula (3), and calculating the distance between the poisoned data features and the clean data features with the feature loss function of formula (4) or (5);
Figure FDA0003328189620000031
Figure FDA0003328189620000032
Figure FDA0003328189620000033
S4, on the basis of the extracted features, integrating the clean data features fa_clean and fb_clean, and calculating the distance between the integrated feature value and the expected corresponding feature value with the loss function of formula (6);
Figure FDA0003328189620000034
S5, back-propagating through the network model with the comprehensive loss function of formula (9) to update the network parameters, so that the expected features are learned:
L = α·loss_cls + β·loss_fab + γ·loss_ab (9)
where α, β and γ are weights.
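The composite objective of formula (9), computed with NumPy on a constructed mini-batch of data pairs, as an added example that is not the patent's own code. Because the formula images are not visible on this page, the textbook cross-entropy, cosine-similarity and MSE forms are assumed, and the pairing of the poisoned features (fa, fb) with the clean features (fa_clean, fb_clean) follows the wording of claim 10; the weights, feature vectors and logits below are constructed sample values.

```python
# Added example, not the patent's code: L = alpha*loss_cls + beta*loss_fab + gamma*loss_ab
# (formula 9) with assumed standard forms for the component losses.
import numpy as np

def cross_entropy(logits, labels):
    """Mean cross-entropy of integer pair labels against softmax(logits); formula (3)/(6) analogue."""
    logits, labels = np.asarray(logits, dtype=float), np.asarray(labels, dtype=int)
    z = logits - logits.max(axis=1, keepdims=True)               # stabilise the softmax
    log_probs = z - np.log(np.exp(z).sum(axis=1, keepdims=True))
    return float(-log_probs[np.arange(len(labels)), labels].mean())

def cosine_loss(a, b):
    """Feature loss, formula (4) analogue: 1 - cos(a, b), averaged over the batch rows."""
    a, b = np.asarray(a, dtype=float), np.asarray(b, dtype=float)
    dot = (a * b).sum(axis=1)
    norms = np.linalg.norm(a, axis=1) * np.linalg.norm(b, axis=1) + 1e-12
    return float((1.0 - dot / norms).mean())

def mse_loss(a, b):
    """Feature loss, formula (5) analogue: mean squared error between feature rows."""
    a, b = np.asarray(a, dtype=float), np.asarray(b, dtype=float)
    return float(((a - b) ** 2).mean())

def composite_loss(cls_logits, labels, fa, fb, fa_clean, fb_clean, comb_logits,
                   alpha=1.0, beta=1.0, gamma=1.0, feature_loss="cosine"):
    """Formula (9): total loss plus its three components for monitoring during training.
    loss_cls: pair classification of the noisy (poisoned) pass through f.
    loss_fab: distance of poisoned features fa, fb from clean features fa_clean, fb_clean (S3).
    loss_ab : combiner D' output on the integrated clean features, scored against the label (S4)."""
    feat = cosine_loss if feature_loss == "cosine" else mse_loss
    loss_cls = cross_entropy(cls_logits, labels)
    loss_fab = 0.5 * (feat(fa, fa_clean) + feat(fb, fb_clean))   # assumed: average over a and b
    loss_ab = cross_entropy(comb_logits, labels)
    total = alpha * loss_cls + beta * loss_fab + gamma * loss_ab
    return total, {"loss_cls": loss_cls, "loss_fab": loss_fab, "loss_ab": loss_ab}

def demo():
    """Constructed batch of two pairs: pair 0 same class (label 1), pair 1 different (label 0)."""
    labels = [1, 0]
    cls_logits = [[0.0, 2.0], [2.0, 0.0]]                        # confident, correct predictions
    fa_clean = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0]]
    fb_clean = [[1.0, 0.0, 0.0], [0.0, 0.0, 1.0]]
    fa = [[1.0, 0.2, 0.0], [0.0, 1.0, 0.2]]                      # poisoned pass drifts slightly
    fb = [[0.9, 0.0, 0.1], [0.0, 0.1, 1.0]]
    comb_logits = [[-1.0, 1.0], [1.0, -1.0]]
    return composite_loss(cls_logits, labels, fa, fb, fa_clean, fb_clean, comb_logits,
                          alpha=1.0, beta=0.5, gamma=1.0)

if __name__ == "__main__":
    total, parts = demo()
    print(f"L = {total:.4f}", parts)
```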
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111269497.3A CN113988293B (en) 2021-10-29 2021-10-29 Method for generating network by antagonism of different level function combinations

Publications (2)

Publication Number Publication Date
CN113988293A true CN113988293A (en) 2022-01-28
CN113988293B CN113988293B (en) 2024-07-12

Family

ID=79744169

Country Status (1)

Country Link
CN (1) CN113988293B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190122077A1 (en) * 2016-03-15 2019-04-25 Impra Europe S.A.S. Method for classification of unique/rare cases by reinforcement learning in neural networks
CN110334808A (en) * 2019-06-12 2019-10-15 武汉大学 A kind of confrontation attack defense method based on confrontation sample training
CN110598400A (en) * 2019-08-29 2019-12-20 浙江工业大学 Defense method for high hidden poisoning attack based on generation countermeasure network and application
US20210117760A1 (en) * 2020-06-02 2021-04-22 Intel Corporation Methods and apparatus to obtain well-calibrated uncertainty in deep neural networks
CN113378910A (en) * 2021-06-07 2021-09-10 浙江工业大学 Poisoning attack method based on electromagnetic signal modulation type identification of pure tag

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
刘旭;***;丁益民;包新华;张良苗;刘亮;吴静慰;: "Improving the Victor Meyer relative molecular mass determination experiment with pattern recognition", 实验室研究与探索, no. 11, 15 November 2010 (2010-11-15) *
周彧聪;刘轶;王锐: "Complementary learning: a deep neural network training method for image applications and noisy labels", 计算机研究与发展, vol. 54, no. 12, 15 December 2017 (2017-12-15) *
许勐璠;李兴华;刘海;钟成;马建峰: "An intrusion detection scheme based on semi-supervised learning and information gain ratio", 计算机研究与发展, vol. 54, no. 10, 15 October 2017 (2017-10-15) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114866341A (en) * 2022-06-17 2022-08-05 哈尔滨工业大学 Vulnerability amplification type backdoor attack security assessment method for network intrusion detection system
CN114866341B (en) * 2022-06-17 2024-03-05 哈尔滨工业大学 Vulnerability amplification type back door attack security assessment method for network intrusion detection system
WO2024025152A1 (en) * 2022-07-27 2024-02-01 숭실대학교 산학협력단 Adversarial learning apparatus and method for simultaneously training denoising network and deep neural network, and computer-readable recording medium having recorded thereon program for executing method
CN115530842A (en) * 2022-11-30 2022-12-30 合肥心之声健康科技有限公司 Method for enhancing robustness of neural network model for classifying electrocardiosignals

Also Published As

Publication number Publication date
CN113988293B (en) 2024-07-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant