CN114299341A - Method, system and storage medium for detecting confrontation sample based on posterior probability - Google Patents
Method, system and storage medium for detecting confrontation sample based on posterior probability Download PDFInfo
- Publication number
- CN114299341A CN114299341A CN202111653725.7A CN202111653725A CN114299341A CN 114299341 A CN114299341 A CN 114299341A CN 202111653725 A CN202111653725 A CN 202111653725A CN 114299341 A CN114299341 A CN 114299341A
- Authority
- CN
- China
- Prior art keywords
- sample
- image
- model
- training
- confrontation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Image Analysis (AREA)
Abstract
The invention relates to a method, a system and a storage medium for detecting a confrontation sample based on posterior probability, which comprises the following steps: s1, constructing a classification model for image classification; s2, constructing a discrimination model for confronting sample detection; s3, putting the image sample to be distinguished into a classification model, and obtaining the probability distribution corresponding to the image sample; and S4, putting the probability distribution corresponding to the image sample into the discriminant model as the input of the discriminant model for processing, and obtaining the detection result of the confrontation sample. According to the method, the classification model and the discrimination model are constructed, the output of the anti-sample and the normal image after passing through the classification model is learned by utilizing the two classification models, and the difference between the two models is mined to detect the anti-sample, so that the effective anti-sample detection method is realized.
Description
Technical Field
The invention relates to the technical field of image recognition in the field of deep learning, in particular to a method and a system for detecting a confrontation sample based on posterior probability and a storage medium.
Background
Deep learning represented by a convolutional neural network is widely applied to pattern recognition tasks, such as image classification, face recognition, target detection and the like, and the attention of people to artificial intelligent security problems is increasingly enhanced. Among them, the safety problem of confrontation samples is one of the most popular and focused fields in the field of artificial intelligence at present. The confrontation sample refers to a sample image which is elaborately made, and can cause the recognition model to generate misjudgment after disturbance which is difficult to be detected by human eyes is added on a normal image. The countersample makes the application of deep learning in the actual society, such as automatic driving, face payment and the like face a significant challenge.
The existing methods for defending and resisting samples are mainly divided into three types: input reconstruction, modifying network structure, utilizing auxiliary networks, such as countermeasure training, image noise reduction, and the like. The input reconstruction aims at removing disturbance added by man-made malice, so that the model can normally identify the image; the network structure is modified to enhance the robustness of the model, so that the model has stronger anti-interference and anti-noise capabilities; the auxiliary network is used for enhancing the effectiveness of classification model identification or detecting malicious samples through the auxiliary network.
The invention patent publication 112884069 discloses a method of countering the detection of network samples. The method mainly comprises the step of constructing a detection model for detecting the confrontation sample, wherein the detection model comprises a feature extraction unit, a feature reconstruction unit, a graph classifier, a difference calculation unit, a discrimination unit and the like. Specifically, the method comprises the steps of extracting the features of an image to be detected, reconstructing the features of the image to be detected by utilizing a generated countermeasure network, putting the original image features and the reconstructed features into a graph classifier as input to obtain the corresponding output of the original image features and the reconstructed features, namely probability distribution, calculating the difference between the original image features and the reconstructed features, judging whether the difference exceeds a preset threshold value, if so, determining the image as a countermeasure sample, and if not, determining the image as a normal image. The threshold is set as the mean value of the features extracted from each image in the training image set of the graph classifier and the difference of the features reconstructed by the generated countermeasure network after passing through the graph classifier.
The invention patent publication No. 112766324 discloses an image confrontation sample detection method, system, storage medium, terminal and application. The method comprises the steps of carrying out noise reduction on an image to be detected to obtain an image after noise reduction, putting an original image and the image after noise reduction into an image classifier as input, extracting a logits value which is normalized by softmax and corresponds to the original image and the image after noise reduction, calculating the difference between the original image and the image after noise reduction, judging whether the difference exceeds a preset threshold value, if so, judging as a countersample, otherwise, judging as the countersample. The threshold value of the method is the mean value of logits values obtained by each image in a training image set of the image classifier and the noise-reduced image through the image classifier.
The two invention patents disclose methods, which are used for judging whether the image to be detected is a countermeasure sample or not according to the comparison result of the difference output by the classification model before and after the processing of the image to be detected and the difference before and after the processing of the normal image after the processing of the image to be detected. However, in the first method, feature reconstruction needs to be performed on all images to be detected, certain resources need to be consumed for design of a generation countermeasure network and training of a generation model, and different feature reconstruction modes may affect the performance of detection differently, which may affect the final detection effect; the second method needs to perform noise reduction processing on all images, the noise reduction mode may also affect the detection effect, and the setting of the two judgment thresholds depends on a normal image set, so that certain limitations are provided.
Disclosure of Invention
In order to solve the technical problems in the prior art, the invention provides the confrontation sample detection method based on the posterior probability.
The method is realized by adopting the following technical scheme: the method for detecting the confrontation sample based on the posterior probability comprises the following steps:
s1, constructing a classification model for image classification, and performing feature extraction and processing on the input image sample to obtain probability distribution corresponding to the input image sample;
s2, constructing a discrimination model for confrontation sample detection, and performing feature extraction and processing on probability distribution corresponding to the image samples acquired by the classification model to discriminate the confrontation samples;
s3, putting the image sample to be distinguished into a classification model, and obtaining the probability distribution corresponding to the image sample;
and S4, putting the probability distribution corresponding to the image sample into the discriminant model as the input of the discriminant model for processing, and obtaining the detection result of the confrontation sample.
The system of the invention is realized by adopting the following technical scheme: a posteriori probability based challenge sample detection system comprising:
a classification model construction module: the method is used for image classification, and the method is used for performing feature extraction and processing on an input image sample to obtain probability distribution corresponding to the input image sample;
a discrimination model construction module: the system is used for detecting the confrontation sample, extracting and processing the characteristics of the probability distribution corresponding to the image sample obtained by the classification model, and judging the confrontation sample;
a probability distribution acquisition module: putting an image sample to be distinguished into a classification model, and acquiring probability distribution corresponding to the image sample;
the confrontation sample detection result acquisition module: and taking the probability distribution corresponding to the image sample as the input of the discrimination model, and putting the input into the discrimination model for processing to obtain the detection result of the confrontation sample.
The invention also proposes a storage medium on which a computer program is stored which, when executed by a processor, carries out the steps of the method of the invention for confrontational sample detection.
Compared with the prior art, the invention has the following advantages and beneficial effects:
1. according to the method, the classification model and the discrimination model are constructed, the output of the anti-sample and the normal image after passing through the classification model is learned by utilizing the two classification models, and the difference between the two models is mined to detect the anti-sample, so that the effective anti-sample detection method is realized.
2. The method does not need to modify the structure of the original classification model and elaborately generate a large number of confrontation samples for training the discrimination model, has small model invasiveness, strong generalization capability and lower calculation cost and time complexity, and can achieve good confrontation sample detection effect.
Drawings
FIG. 1 is a flow chart of a method of the present invention;
FIG. 2 is a flowchart of the present invention's work flow of constructing and training a classification model;
FIG. 3 is a flowchart of the operation of constructing and training a discriminant model according to the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples and drawings, but the present invention is not limited thereto.
Examples
As shown in fig. 1, the method for detecting a challenge sample based on posterior probability in the present embodiment includes the following steps:
s1, constructing a classification model for image classification, and performing feature extraction and processing on the input image sample to obtain probability distribution corresponding to the input image sample;
s2, constructing a discrimination model for confrontation sample detection, and performing feature extraction and processing on probability distribution corresponding to the image samples acquired by the classification model to discriminate the confrontation samples;
s3, putting the image sample to be distinguished into a classification model, and obtaining the probability distribution corresponding to the image sample;
and S4, putting the probability distribution corresponding to the image sample into the discriminant model as the input of the discriminant model for processing, and obtaining the detection result of the confrontation sample.
In this embodiment, after the image sample is input in step S1, the image sample is divided into a training sample set and a testing sample set, the image sample in the training sample set is used to optimize the classification model parameters, and the image sample in the testing sample set is used to test the classification model effect and generate the corresponding countermeasure sample. Since there are more classical image datasets in the field of computer vision, some image datasets, such as MNIST, CIFAR10, etc. can be directly used.
In this embodiment, the classification model constructed in step S1 includes a feature extraction unit and a feature processing unit, and performs feature extraction and processing on the input image sample, and performs image sample classification using these features; the structure of the classification model adopts a convolutional neural network structure, such as Resnet, Googlenet and the like, to train the classification model.
As shown in fig. 2, in this embodiment, the operation principle of the classification model is as follows:
the method comprises the steps of utilizing convolution neurons contained in a convolution neural network to extract features of an input image sample, determining a useful convolution kernel of the preliminarily extracted features by continuously changing the convolution kernel, obtaining an output matrix, reducing the dimensionality of training parameters and feature vectors and retaining the useful features through pooling neurons, completing extraction of the features of the image sample, and finally completing classification of the image through a full connection layer.
Training the classification model by using a training sample set obtained after the image sample set is divided; when the image samples in the training sample set are used for optimizing the parameters of the classification model, the loss function can adopt a cross entropy loss function, such as SGD (generalized minimum) as a training optimizer to optimize the parameters, and after the training is finished, the classification effect of the classification model is verified by using the test sample set.
As shown in fig. 3, in this embodiment, the specific process of constructing the discriminant model in step S2 is as follows:
s21, constructing data samples and generating a confrontation sample set aiming at the classification model;
s22, putting the confrontation sample set and the normal image set into a classification model as input, and obtaining posterior probability corresponding to each image;
s23, processing the posterior probability corresponding to each image, only intercepting the three with the highest probability values in the posterior probabilities, sequencing the three according to the sequence from high to low, and labeling the three, wherein the label corresponding to the probability value corresponding to the countermeasure sample is 1, and the normal image is 0;
s24, dividing the data into a training set and a testing set; after the two probability values are mixed according to the ratio of 1:1, dividing a data set according to the ratio of 4:1 of a training set to a test set to obtain a training data set and a test data set which are used for training and constructing a discriminant model, wherein each element in the data set is an array with the shape of (1,4), the first three elements are model input data, and the last data is a label;
and S25, training and constructing a discriminant model by taking the confrontation sample set, the normal image set and the corresponding labels as training data.
Specifically, in this embodiment, the specific process of step S21 is as follows:
s211, generating a confrontation sample set with the same size as the test sample set by using the test sample set of the classification model; the algorithm for generating the countermeasure sample comprises FGSM, PGD, C & W and other generation algorithms;
s212, verifying the attack effect of the generated countermeasure sample set, and selecting an countermeasure sample which can successfully attack the classification model;
s213, screening the test sample set of the classification model, and selecting an image sample which can be correctly classified by the classification model;
s214, the number of the adopted confrontation samples is equal to the number of normal image samples which can be correctly classified.
In this embodiment, the operation principle of the discriminant model is as follows:
the discrimination model can learn the difference output after the normal image sample and the confrontation sample pass through the classification model to classify the input data; when the discrimination model outputs 0, the image sample corresponding to the data is shown as a normal image; when the output of the discriminant model is 1, the image sample corresponding to the data is a confrontation sample.
The discrimination model can adopt any model structure which can be used for secondary classification, such as a perceptron, Softmax and the like; and optimizing the discrimination model parameters by using a training data set, and training by using an optimization trainer such as SGD.
And after the construction and the training of the discrimination model are completed, verifying the detection effect of the discrimination model countercheck sample by using the test data set.
Based on the same inventive concept, the invention also provides a challenge sample detection system based on posterior probability, which comprises:
a classification model construction module: the method is used for image classification, and the method is used for performing feature extraction and processing on an input image sample to obtain probability distribution corresponding to the input image sample;
a discrimination model construction module: the system is used for detecting the confrontation sample, extracting and processing the characteristics of the probability distribution corresponding to the image sample obtained by the classification model, and judging the confrontation sample;
a probability distribution acquisition module: putting an image sample to be distinguished into a classification model, and acquiring probability distribution corresponding to the image sample;
the confrontation sample detection result acquisition module: and taking the probability distribution corresponding to the image sample as the input of the discrimination model, and putting the input into the discrimination model for processing to obtain the detection result of the confrontation sample.
Furthermore, the invention also proposes a storage medium based on the same inventive concept.
The storage medium of the present invention has stored thereon computer instructions which, when executed by the processor, perform steps S1-S4 of the challenge sample detection method of the present invention.
The above embodiments are preferred embodiments of the present invention, but the present invention is not limited to the above embodiments, and any other changes, modifications, substitutions, combinations, and simplifications which do not depart from the spirit and principle of the present invention should be construed as equivalents thereof, and all such changes, modifications, substitutions, combinations, and simplifications are intended to be included in the scope of the present invention.
Claims (9)
1. The method for detecting the confrontation sample based on the posterior probability is characterized by comprising the following steps:
s1, constructing a classification model for image classification, and performing feature extraction and processing on the input image sample to obtain probability distribution corresponding to the input image sample;
s2, constructing a discrimination model for confrontation sample detection, and performing feature extraction and processing on probability distribution corresponding to the image samples acquired by the classification model to discriminate the confrontation samples;
s3, putting the image sample to be distinguished into a classification model, and obtaining the probability distribution corresponding to the image sample;
and S4, putting the probability distribution corresponding to the image sample into the discriminant model as the input of the discriminant model for processing, and obtaining the detection result of the confrontation sample.
2. The method for detecting a countermeasure sample based on a posterior probability according to claim 1, wherein in step S1, after the image sample is inputted, the image sample is divided into a training sample set and a testing sample set, the classification model parameters are optimized by using the image sample in the training sample set, the classification model effect is tested by using the image sample in the testing sample set, and a corresponding countermeasure sample is generated.
3. The method of claim 1, wherein the classification model constructed in step S1 includes a feature extraction unit and a feature processing unit, and the classification model is trained using a convolutional neural network structure by performing feature extraction and processing on the input image samples, and performing image sample classification using the features.
4. The method for detecting the confrontation sample based on the posterior probability as claimed in claim 3, wherein the concrete process of training the classification model by adopting the convolutional neural network structure is as follows:
performing feature extraction on an input image sample by using convolution neurons contained in a convolution neural network, determining a useful convolution kernel of the preliminarily extracted features by changing the convolution kernel, obtaining an output matrix, reducing the dimensionality of training parameters and feature vectors and retaining the useful features through pooling neurons, completing the extraction of the image sample features, and finally completing the classification of the image through a full connection layer;
training the classification model by using a training sample set obtained after the image sample set is divided; when the image samples in the training sample set are used for optimizing the parameters of the classification model, a cross entropy loss function is used as a training optimizer for parameter optimization, and after training is completed, the classification effect of the classification model is verified by using the test sample set.
5. The method for detecting the confrontation sample based on the posterior probability as claimed in claim 1, wherein the specific process of constructing the discriminant model in step S2 is as follows:
s21, constructing data samples and generating a confrontation sample set aiming at the classification model;
s22, putting the confrontation sample set and the normal image set into a classification model as input, and obtaining posterior probability corresponding to each image;
s23, processing the posterior probability corresponding to each image, intercepting the three with the highest probability values in the posterior probabilities, sequencing the three according to the sequence from high to low, and labeling the three, wherein the label corresponding to the probability value corresponding to the countermeasure sample is 1, and the normal image is 0;
s24, dividing the data into a training set and a testing set; after the two probability values are mixed according to the ratio of 1:1, dividing a data set according to the ratio of 4:1 of a training set to a test set to obtain a training data set and a test data set which are used for training and constructing a discriminant model, wherein each element in the data set is an array with the shape of (1,4), the first three elements are model input data, and the last data is a label;
and S25, training and constructing a discriminant model by taking the confrontation sample set, the normal image set and the corresponding labels as training data.
6. The posterior probability-based confrontation sample detection method according to claim 1, wherein the specific process of step S21 is as follows:
s211, generating a confrontation sample set with the same size as the test sample set by using the test sample set of the classification model; wherein, the algorithm for generating the confrontation sample comprises FGSM, PGD, C & W generation algorithm;
s212, generating an anti-sample set attack effect, verifying, and selecting an anti-sample for attacking the classification model;
s213, screening the test sample set of the classification model, and selecting an image sample of the classification model for correct classification;
s214, the number of the adopted confrontation samples is equal to the number of the correctly classified normal image samples.
7. The method for detecting the confrontation sample based on the posterior probability as claimed in claim 1, wherein the discriminant model adopts a model structure containing a perceptron, and Softmax is used for two classifications; and optimizing the discrimination model parameters by using a training data set, and training by using an optimization trainer.
8. A posteriori probability based challenge sample detection system, comprising:
a classification model construction module: the method is used for image classification, and the method is used for performing feature extraction and processing on an input image sample to obtain probability distribution corresponding to the input image sample;
a discrimination model construction module: the system is used for detecting the confrontation sample, extracting and processing the characteristics of the probability distribution corresponding to the image sample obtained by the classification model, and judging the confrontation sample;
a probability distribution acquisition module: putting an image sample to be distinguished into a classification model, and acquiring probability distribution corresponding to the image sample;
the confrontation sample detection result acquisition module: and taking the probability distribution corresponding to the image sample as the input of the discrimination model, and putting the input into the discrimination model for processing to obtain the detection result of the confrontation sample.
9. A storage medium having stored thereon a computer program for implementing the steps of the challenge sample detection method of any of claims 1 to 7 when executed by a processor.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111653725.7A CN114299341A (en) | 2021-12-30 | 2021-12-30 | Method, system and storage medium for detecting confrontation sample based on posterior probability |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111653725.7A CN114299341A (en) | 2021-12-30 | 2021-12-30 | Method, system and storage medium for detecting confrontation sample based on posterior probability |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114299341A true CN114299341A (en) | 2022-04-08 |
Family
ID=80973041
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111653725.7A Pending CN114299341A (en) | 2021-12-30 | 2021-12-30 | Method, system and storage medium for detecting confrontation sample based on posterior probability |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114299341A (en) |
-
2021
- 2021-12-30 CN CN202111653725.7A patent/CN114299341A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Cui et al. | Identifying materials of photographic images and photorealistic computer generated graphics based on deep CNNs. | |
| CN113554089B (en) | Image classification countermeasure sample defense method and system and data processing terminal | |
| Pourreza et al. | G2d: Generate to detect anomaly | |
| CN111753881B (en) | Concept sensitivity-based quantitative recognition defending method against attacks | |
| CN111914873A (en) | Two-stage cloud server unsupervised anomaly prediction method | |
| CN111652290B (en) | Method and device for detecting countermeasure sample | |
| Salman et al. | Classification of real and fake human faces using deep learning | |
| CN112560596B (en) | Radar interference category identification method and system | |
| CN103839033A (en) | Face identification method based on fuzzy rule | |
| CN117155706B (en) | Network abnormal behavior detection method and system | |
| CN113194094B (en) | Abnormal flow detection method based on neural network | |
| CN110705694A (en) | Electric larceny monitoring method facing edge data center based on feature extraction | |
| CN112434599A (en) | Pedestrian re-identification method based on random shielding recovery of noise channel | |
| CN112949469A (en) | Image recognition method, system and equipment for face tampered image characteristic distribution | |
| Lee et al. | Neuralfp: out-of-distribution detection using fingerprints of neural networks | |
| CN114332536A (en) | Forged image detection method, system and storage medium based on posterior probability | |
| CN117118718A (en) | Intrusion detection method and system based on multi-generator GAN data enhancement | |
| CN111858343A (en) | Countermeasure sample generation method based on attack capability | |
| CN116628612A (en) | Unsupervised anomaly detection method, device, medium and equipment | |
| CN114299341A (en) | Method, system and storage medium for detecting confrontation sample based on posterior probability | |
| CN116070137A (en) | Open set identification device and method for malicious traffic detection | |
| CN116232699A (en) | Training method of fine-grained network intrusion detection model and network intrusion detection method | |
| CN114842242A (en) | Robust countermeasure sample generation method based on generative model | |
| CN114618167A (en) | Anti-cheating detection model construction method and anti-cheating detection method | |
| CN115063870B (en) | Fake video portrait detection method based on facial action unit |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |