CN114661940A - Method for rapidly acquiring voice countermeasure sample under black box attack - Google Patents

Method for rapidly acquiring voice countermeasure sample under black box attack Download PDF

Info

Publication number
CN114661940A
CN114661940A CN202210106435.9A CN202210106435A CN114661940A CN 114661940 A CN114661940 A CN 114661940A CN 202210106435 A CN202210106435 A CN 202210106435A CN 114661940 A CN114661940 A CN 114661940A
Authority
CN
China
Prior art keywords
attack
curr
sample
area
black box
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210106435.9A
Other languages
Chinese (zh)
Other versions
CN114661940B (en
Inventor
董理
邓佳程
王让定
王冬华
彭成斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ningbo University
Original Assignee
Ningbo University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ningbo University filed Critical Ningbo University
Priority to CN202210106435.9A priority Critical patent/CN114661940B/en
Publication of CN114661940A publication Critical patent/CN114661940A/en
Application granted granted Critical
Publication of CN114661940B publication Critical patent/CN114661940B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/60Information retrieval; Database structures therefor; File system structures therefor of audio data
    • G06F16/63Querying
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23Updating
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02TCLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00Road transport of goods or passengers
    • Y02T10/10Internal combustion engine [ICE] based vehicles
    • Y02T10/40Engine management systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Multimedia (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a method for rapidly obtaining a voice countermeasure sample under black box attack, which comprises the steps of S1, determining a decision boundary of an original audio x by adopting a binary query algorithm, and performing iteration by matching with a sliding window method to select an optimal attack area [ S: e ], wherein the initial value of S is 0, the initial value of e is l, and l is the length of the original audio; and S2, adding disturbance in the low-frequency area in the selected attack area [ S: e ], determining an updating step length by calculating the gradient direction, updating the disturbance, and obtaining the countermeasure sample of the next iteration by using a binary query algorithm until the set sampling times are completed to obtain the final countermeasure sample x. The method improves the generation efficiency of the confrontation sample and improves the attack efficiency.

Description

Method for rapidly acquiring voice countermeasure sample under black box attack
Technical Field
The invention relates to the field of voice processing, in particular to a method for quickly acquiring a voice confrontation sample under black box attack.
Background
The black box resisting sample attack is a fair index and means for evaluating the security of the model, and the resisting sample is generated by adopting a mode of querying the model. The main application objects of the existing black box attack are models in the image field, and corresponding work is not developed in the voice field.
The audio data is a time sequence, is one-dimensional data which contains less information and is difficult to estimate accurate gradient information, and the image is two-dimensional data which contains more information and has stronger information dependence on space and more information can be utilized; the common sampling point per second of the audio is more than 16000, while the audio of a speaker usually has more than 4s of time, which results in that the audio information has tens of thousands of data points in a single dimension, and the image has only hundreds of sampling points in a dimension, so that compared with the image, the audio is difficult to acquire an accurate updating direction; the image, after normalization, is typically in the range of [0, 1] and the audio corresponds to typically [ -1, 1 ].
Due to the above reasons, the voice has a larger difference compared with the image, so that more query times are needed when the black box attack is applied to the audio field, the difficulty in resisting the sample is increased, the attack efficiency is low, and fair judgment cannot be provided.
Disclosure of Invention
In view of the above problems, the present invention provides a method suitable for black box attack, which can greatly reduce the number of queries for attack, improve the attack efficiency, and quickly generate countersamples.
In order to achieve the purpose, the technical scheme of the invention is as follows: a method for rapidly obtaining a voice countercheck sample under the attack of a black box is characterized by comprising the following steps: the method comprises the following steps of,
s1, determining the decision boundary of the original audio x by adopting a binary query algorithm, and performing iteration by matching with a sliding window method to select the optimal attack area [ S: e ], wherein the initial value of S is 0, the initial value of e is l, l is the length of the original audio,
and S2, adding disturbance in the low-frequency area in the selected attack area [ S: e ], determining an updating step length by calculating the gradient direction, updating the disturbance, and obtaining the countermeasure sample of the next iteration by using a binary query algorithm until the set sampling times are completed to obtain the final countermeasure sample x.
Further, the S1 specifically includes,
s11, S taking temporary value ScurrTo s tocurrPerforming minimum function assignment on the area initialized to 0 to obtain a temporary end point e of the areacurrMin (s + l α, l) and temporary audio xcurr[scurr:ecurr]=xt[scurr:ecurr]Wherein x istAlpha represents the length ratio of the attack region to the original audio frequency as the target audio frequency;
s12, performing dichotomy query according to the distance between the temporary audio frequency and the original audio frequency, and judging the residual error scale d between the dichotomy query and the original audio frequencycurr=||B(x,xcurr)-x||2Whether d is less than d and temporary audio xcurrOutput f (x) after passing model fcurr) Whether t is equal, wherein d represents the size of the minimum perturbation searched before, and t represents the label of the target speaker;
s13, when dcurr < d and f (xcurr) ═ t, updating the current optimal disturbance scale d ═ dcurr, updating the attack area S ═ scurr, e ═ ecurr, and S12 is repeated until S is reached after the next value is taken by scurr with w as the sliding step lengthcurrIf l is greater than or equal to l, executing S14;
s14, updating the contracted attack area α by 0.9 × α, and if the current flag is no, ending the selection of the attack area, and taking the previous attack area as the best attack area.
Further, the S2 calculates the current gradient direction by using monte carlo and finite difference method, and the formula is
Figure RE-GDA0003653294120000021
Figure RE-GDA0003653294120000022
Wherein H represents the number of samples, uhTo representThe perturbation of the random sampling is carried out,
Figure RE-GDA0003653294120000023
representing a confrontation sample in the ith iteration, wherein epsilon is a minimum constant and takes a value of 0.001, and phi represents an indication function and is used for determining the gradient direction.
Further, the step S2 specifically includes the following steps,
s21, setting the optimal attack area S: e]Is l' ← beta. · (e-s), initializing the disturbance confrontation sample
Figure RE-GDA0003653294120000024
S22 at the position from [0, 1]]Randomly sampling a variable u of length lhAnd is in uhPost-filling l-l' with length of 0, and changing u by Inverse Discrete Cosine Transform (IDCT)hConversion from frequency domain back to time domain uh←IDCT(uh) And clearing the disturbance outside the attack region, i.e. uh[0:s)←0、uh(e:l]Step of ← 0, when the number of times of sampling is greater than H, step S23 is executed;
s23, passing formula
Figure RE-GDA0003653294120000025
Calculating gradient and calculating step size xi by using grid search step size methodiUpdating the disturbance using the following formula
Figure RE-GDA0003653294120000026
S24, updating the confrontation sample
Figure RE-GDA0003653294120000027
Obtaining the confrontation sample of the (i + 1) th iteration until the value of i reaches the preset query times, and obtaining the confrontation sample as the final confrontation sample by the last iteration.
Further, the value of the beta is 0.65.
Compared with the prior art, the invention has the advantages that:
the acquisition process of the countermeasure sample is divided into two stages, the best attack area is obtained in the first stage by combining a binary query algorithm with a sliding window algorithm, the final countermeasure sample is obtained through iteration by combining a binary query algorithm with a gradient direction calculation on the basis of the best attack area selected in the first stage, the range of added disturbance is reduced, the query times of attack are greatly reduced, the generation speed of the countermeasure sample is increased, and the attack efficiency is improved.
Drawings
Fig. 1 is a block diagram of an overall structure of a method for rapidly acquiring a countermeasure sample under black box attack according to the present application.
FIG. 2 is a schematic diagram of an iterative algorithm structure corresponding to the addition of low-frequency disturbance.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention.
Fig. 1-2 show a schematic representation of a method for rapidly obtaining a challenge sample under a black box attack, which specifically includes the following,
s1, determining the decision boundary of the original audio x by adopting a binary query algorithm, and performing iteration by matching with a sliding window method to select the optimal attack area [ S: e ], wherein the initial value of S is 0, the initial value of e is l, l is the length of the original audio,
and S2, adding disturbance in the low-frequency region in the selected attack region [ S: e ], determining an updating step length by calculating the gradient direction, updating the disturbance, and obtaining the confrontation sample of the next iteration by using a binary query algorithm until the set sampling times are completed to obtain the final confrontation sample x.
The black box attack algorithm is applied to the query cost in the speaker identification field, the whole attack process is shown in figure 1, the attack process is divided into two steps, the first step is to search an optimal local attack area so as to reduce the attack range and improve the query accuracy, and the second step adopts an iterative query algorithm to add disturbance in a local low-frequency area of audio, because the voice energy of a speaker is gathered in a medium-low frequency area, the attack efficiency can be effectively prompted in the low-frequency area. By this method, high quality challenge samples can be produced more quickly.
For S1, it specifically includes,
s11, S taking temporary value ScurrTo scurrPerforming minimum function assignment on the region initialized to 0 to obtain a temporary end point e of the regioncurrMin (s + l α, l) and temporary audio xcurr[scurr:ecurr]=xt[scurr:ecurr]Wherein x istAlpha represents the length ratio of the attack region to the original audio frequency as the target audio frequency;
s12, performing dichotomy query according to the distance between the temporary audio frequency and the original audio frequency, and judging the residual error scale d between the dichotomy query and the original audio frequencycurr=||B(x,xcurr)-x||2Whether d is less than d and the provisional audio xcurrOutput f (x) after passing model fcurr) Whether t is equal, wherein d represents the size of the minimum perturbation searched before, and t represents the label of the target speaker;
s13, when dcurr < d and f (xcurr) t, updating the current optimal disturbance scale d ═ dcurr, updating the attack region S ═ scurr, e ═ ecurr, and repeating S12 after the attack region S ═ scurr is subjected to the next value taking w as the sliding step length until S12 is reachedcurrIf l is greater than or equal to l, executing S14;
s14, updating the contracted attack area α by 0.9 × α, and if the current flag is no, ending the selection of the attack area, and taking the previous attack area as the best attack area.
Since the time sequence signal of the audio is a one-dimensional signal, one second usually contains 16000 sampling values, which results in the audio sequence being too lengthy in a single dimension, and the original residual x is directly addedtThe x is used as the initial disturbance direction to cause the initial disturbance to be overlarge so as to reduce the optimization efficiency, so that the invention adopts a continuously reduced sliding window to search an attack area with smaller disturbanceThe body is shown in the table box below, where B represents the binary query algorithm.
Figure RE-GDA0003653294120000041
Algorithm B includes two inputs x1,x2The objective of the algorithm is to find a linear division point γ · x between the two inputs1+(1-γ)x2So that data around a partition point, often referred to as a decision boundary of the model, is classified by the model into different results.
The above block diagram uses the distance of the decision boundary of the selected local region from the original audio as the selection criterion in order to make the generated residual as small as possible. If a more suitable area is searched in a certain round of iteration, the algorithm displayed in the table frame reduces the size of the sliding window in the next round of sliding search so as to find a smaller attack area, if no more suitable area is searched in a certain round, a loop is skipped, and the last obtained attack area is taken as the best area.
The human speaking frequency is gathered at the middle and low frequencies, so that the voice information of the middle and low frequencies is richer, and therefore, the boundary attack algorithm is adopted to add low-frequency disturbance to a local area as an optimization process on the basis of local attack. The whole process is an iterative updating algorithm as shown in fig. 2, and each iteration is divided into three steps: including gradient direction estimation, step search, and binary search decision boundaries.
In the gradient direction estimation step, we estimate the current gradient direction by using monte carlo plus finite difference estimation, and the formula is as follows,
Figure RE-GDA0003653294120000051
Figure RE-GDA0003653294120000052
wherein H represents the number of samples, uhWhich represents a perturbation of a random sample,
Figure RE-GDA0003653294120000053
representing a confrontation sample in the ith iteration, wherein epsilon is a minimum constant and takes a value of 0.001, and phi represents an indication function and is used for determining the gradient direction.
After the gradient direction is inquired, the step length updated along the gradient direction needs to be determined, and the grid search step length method is used for searching the step length xiiUpdating the perturbation formula after querying the step size is as follows:
Figure RE-GDA0003653294120000054
then the third step
Figure RE-GDA0003653294120000055
And obtaining the confrontation sample of the (i + 1) th iteration.
The corresponding block diagram algorithm is as follows:
Figure RE-GDA0003653294120000056
Figure RE-GDA0003653294120000061
in short, S2 specifically includes the following steps,
s21, setting the optimal attack area S: e]Is l' ← beta. · (e-s), initializing the disturbance confrontation sample
Figure RE-GDA0003653294120000062
S22 at the position from [0, 1]]Randomly sampling a variable u of length lhAnd is in uhPost-filling l-l' with length of 0, and changing u by Inverse Discrete Cosine Transform (IDCT)hConversion from frequency domain back to time domainuh←IDCT(uh) And clearing the disturbance outside the attack region, i.e. uh[0:s)←0、uh(e:l]Step ← 0, when the number of samples is greater than H, execute S23;
s23, passing formula
Figure RE-GDA0003653294120000063
Calculating gradient, and calculating step size xi by using grid search step size methodiUpdating the disturbance using the following formula
Figure RE-GDA0003653294120000064
S24, updating the confrontation sample
Figure RE-GDA0003653294120000065
Obtaining the confrontation sample of the (i + 1) th iteration until the value of i reaches the preset query times, and obtaining the confrontation sample as the final confrontation sample by the last iteration.
Therefore, the acquisition process of the countermeasure sample is divided into two stages, the optimal attack area is obtained by adopting a binary query algorithm in combination with a sliding window algorithm in the first stage, the final countermeasure sample is obtained by iteration by utilizing gradient direction calculation in combination with the binary query algorithm on the basis of the optimal attack area selected in the first stage in the second stage, the range of adding disturbance is reduced, the query times of attack is greatly reduced, the attack efficiency is improved, the countermeasure sample is generated more quickly, and a fairer and fair security evaluation means is provided for a speaker identification system,
the method is not based on the assumption of attack transferability, does not need to acquire information of the model or the training set, attacks only by accessing the prediction result of the model, does not relate to details, privacy and the like of the user model in the evaluation process, protects the privacy of the user model while evaluating the security of the model, enhances the evaluation capability of the security of the model, and makes up the blank problem of black box attack in the speaker recognition field.
While embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.

Claims (5)

1. A method for rapidly obtaining a voice countercheck sample under the attack of a black box is characterized by comprising the following steps: the method comprises the following steps of,
s1, determining a decision boundary of an original audio x by adopting a binary query algorithm, and performing iteration by matching with a sliding window method to select an optimal attack area [ S: e ], wherein the initial value of S is 0, the initial value of e is l, and l is the length of the original audio;
and S2, adding disturbance in the low-frequency area in the selected attack area [ S: e ], determining an updating step length by calculating the gradient direction, updating the disturbance, and obtaining the countermeasure sample of the next iteration by using a binary query algorithm until the set sampling times are completed to obtain the final countermeasure sample x.
2. The method for rapidly obtaining the voice countermeasure sample under the black box attack as claimed in claim 1, wherein: the S1 may specifically include the following steps,
s11, S taking temporary value ScurrTo s tocurrPerforming minimum function assignment on the region initialized to 0 to obtain a temporary end point e of the regioncurrMin (s + l α, l) and temporary audio xcurr[scurr:ecurr]=xt[scurr:ecurr]Wherein x istAlpha represents the length ratio of the attack region to the original audio frequency as the target audio frequency;
s12, performing dichotomy query according to the distance between the temporary audio frequency and the original audio frequency, and judging the residual error scale d between the dichotomy query and the original audio frequencycurr=||B(x,xcurr)-x||2Whether d is less than d and temporary audio xcurrOutput f (x) after passing model fcurr) Whether t is equal, wherein d represents the size of the minimum perturbation searched before, and t represents the label of the target speaker;
s13, when dcurr < d and f (xcurr) ═ t, updating the currentD, scurr, e, ecrur, w is the sliding step length, S12 is repeated until S is the next valuecurrIf l is greater than or equal to l, executing S14;
s14, updating the contracted attack area α by 0.9 × α, and if the current flag is no, ending the selection of the attack area, and taking the previous attack area as the best attack area.
3. The method for rapidly obtaining the voice countermeasure sample under the black box attack as claimed in claim 2, wherein: s2, calculating the current gradient direction by adopting Monte Carlo combined with finite difference method, wherein the formula is
Figure RE-FDA0003653294110000011
Figure RE-FDA0003653294110000012
Wherein H represents the number of samples, uhWhich represents a perturbation of a random sample of,
Figure RE-FDA0003653294110000013
representing the confrontation sample in the ith iteration, wherein epsilon is a minimum constant, the value is 0.001, and phi represents an indication function and is used for determining the gradient direction.
4. The method for rapidly obtaining the voice countermeasure sample under the black box attack as claimed in claim 3, wherein: the S2 specifically includes the following steps,
s21, setting the optimal attack area S: e]The length of the low frequency region of l' ← beta · (e-s), initialize the perturbation countermeasure sample
Figure RE-FDA0003653294110000021
S22 at the position from [0, 1]]Random miningVariable u of sample length lhAnd is in uhPost-filling l-l' with length of 0, and changing u by Inverse Discrete Cosine Transform (IDCT)hConversion from frequency domain back to time domain uh←IDCT(uh) And clearing the disturbance outside the attack region, i.e. uh[0:s)←0、uh(e:l]Step of ← 0, when the number of times of sampling is greater than H, step S23 is executed;
s23, passing formula
Figure RE-FDA0003653294110000022
Calculating gradient, and calculating step size xi by using grid search step size methodiThe disturbance is updated using the following formula
Figure RE-FDA0003653294110000023
S24, updating the confrontation sample
Figure RE-FDA0003653294110000024
Obtaining the confrontation sample of the (i + 1) th iteration until the value of i reaches the preset query times, and obtaining the confrontation sample as the final confrontation sample by the last iteration.
5. The method for rapidly obtaining the voice countermeasure sample under the black box attack as claimed in claim 3, wherein:
the value of beta is 0.65.
CN202210106435.9A 2022-01-28 2022-01-28 Method suitable for quickly acquiring voice countermeasure sample under black box attack Active CN114661940B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210106435.9A CN114661940B (en) 2022-01-28 2022-01-28 Method suitable for quickly acquiring voice countermeasure sample under black box attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210106435.9A CN114661940B (en) 2022-01-28 2022-01-28 Method suitable for quickly acquiring voice countermeasure sample under black box attack

Publications (2)

Publication Number Publication Date
CN114661940A true CN114661940A (en) 2022-06-24
CN114661940B CN114661940B (en) 2023-08-08

Family

ID=82026211

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210106435.9A Active CN114661940B (en) 2022-01-28 2022-01-28 Method suitable for quickly acquiring voice countermeasure sample under black box attack

Country Status (1)

Country Link
CN (1) CN114661940B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110321790A (en) * 2019-05-21 2019-10-11 华为技术有限公司 The detection method and electronic equipment of a kind of pair of resisting sample
CN110444208A (en) * 2019-08-12 2019-11-12 浙江工业大学 A kind of speech recognition attack defense method and device based on gradient estimation and CTC algorithm
CN110992934A (en) * 2019-10-28 2020-04-10 浙江工业大学 Defense method and defense device for black box attack model of voice recognition system
CN111507384A (en) * 2020-04-03 2020-08-07 厦门大学 Method for generating confrontation sample of black box depth model
CN111709435A (en) * 2020-05-18 2020-09-25 杭州电子科技大学 Countermeasure sample generation method based on discrete wavelet transform
CN112017669A (en) * 2020-11-02 2020-12-01 鹏城实验室 Voice countercheck sample detection method and device, terminal equipment and storage medium
US20200395035A1 (en) * 2019-06-14 2020-12-17 Robert Bosch Gmbh Automatic speech recognition system addressing perceptual-based adversarial audio attacks
US20200410228A1 (en) * 2019-06-28 2020-12-31 Baidu Usa Llc Systems and methods for fast training of more robust models against adversarial attacks
CN112200257A (en) * 2020-10-16 2021-01-08 支付宝(杭州)信息技术有限公司 Method and device for generating confrontation sample
CN112216296A (en) * 2020-09-25 2021-01-12 脸萌有限公司 Audio anti-disturbance testing method and device and storage medium
CN113571067A (en) * 2021-06-21 2021-10-29 浙江工业大学 Voiceprint recognition countermeasure sample generation method based on boundary attack

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110321790A (en) * 2019-05-21 2019-10-11 华为技术有限公司 The detection method and electronic equipment of a kind of pair of resisting sample
US20200395035A1 (en) * 2019-06-14 2020-12-17 Robert Bosch Gmbh Automatic speech recognition system addressing perceptual-based adversarial audio attacks
US20200410228A1 (en) * 2019-06-28 2020-12-31 Baidu Usa Llc Systems and methods for fast training of more robust models against adversarial attacks
CN110444208A (en) * 2019-08-12 2019-11-12 浙江工业大学 A kind of speech recognition attack defense method and device based on gradient estimation and CTC algorithm
CN110992934A (en) * 2019-10-28 2020-04-10 浙江工业大学 Defense method and defense device for black box attack model of voice recognition system
CN111507384A (en) * 2020-04-03 2020-08-07 厦门大学 Method for generating confrontation sample of black box depth model
CN111709435A (en) * 2020-05-18 2020-09-25 杭州电子科技大学 Countermeasure sample generation method based on discrete wavelet transform
CN112216296A (en) * 2020-09-25 2021-01-12 脸萌有限公司 Audio anti-disturbance testing method and device and storage medium
CN112200257A (en) * 2020-10-16 2021-01-08 支付宝(杭州)信息技术有限公司 Method and device for generating confrontation sample
CN112017669A (en) * 2020-11-02 2020-12-01 鹏城实验室 Voice countercheck sample detection method and device, terminal equipment and storage medium
CN113571067A (en) * 2021-06-21 2021-10-29 浙江工业大学 Voiceprint recognition countermeasure sample generation method based on boundary attack

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
WENQING LIU等: "Defending Adversarial Examples via DNN Bottleneck Reinforcement", 《ACM MM 2020》, pages 1 - 9 *
YASH SHARMA等: "On the Effectiveness of Low Frequency Perturbations", 《IJCAI\'19: PROCEEDINGS OF THE 28TH INTERNATIONAL JOINT CONFERENCE ON ARTIFICIAL INTELLIGENCE》, pages 3389 *
张兆阳: "黑盒环境下语音识别模型的普适性对抗样本生成方法研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》, pages 136 - 299 *
张思思等: "深度学习中的对抗样本问题", 《计算机学报》, pages 1886 - 1904 *
都娟: "针对人工智能的对抗样本生成算法的研究与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》, pages 138 - 2088 *

Also Published As

Publication number Publication date
CN114661940B (en) 2023-08-08

Similar Documents

Publication Publication Date Title
CN108614992B (en) Hyperspectral remote sensing image classification method and device and storage device
CN111709435B (en) Discrete wavelet transform-based countermeasure sample generation method
CN111445108B (en) Data-driven power distribution network line variation relation diagnosis method, device and system
Park 2D discrete Fourier transform on sliding windows
CN112163145B (en) Website retrieval method, device and equipment based on editing distance and cosine included angle
CN111104398A (en) Detection method and elimination method for approximate repeated record of intelligent ship
CN111564179A (en) Species biology classification method and system based on triple neural network
CN113569632A (en) Small sample local surface slow-speed moving object classification method based on WGAN
JP6099032B2 (en) Signal processing apparatus, signal processing method, and computer program
CN117033657A (en) Information retrieval method and device
KR101708042B1 (en) Cylinder estimation device and method by ransac algorithm in point cloud
Salman et al. Comparative Study of QPSO and other methods in Blind Source Separation
CN112711032B (en) Radar target detection method and system based on graph data and GCN
CN114661940B (en) Method suitable for quickly acquiring voice countermeasure sample under black box attack
CN112037813B (en) Voice extraction method for high-power target signal
CN111695444B (en) Wave atom transformation-based radiation source individual feature extraction method
JP3507083B2 (en) Polynomial filters for high-order correlation and multi-input information integration
CN117119377A (en) Indoor fingerprint positioning method based on filtering transducer
CN109377447B (en) Contourlet transformation image fusion method based on rhododendron search algorithm
CN113177078B (en) Approximate query processing algorithm based on condition generation model
Gao et al. Aspects of 2D-adaptive Fourier decompositions
CN112434716B (en) Underwater target data amplification method and system based on condition countermeasure neural network
CN113111774A (en) Radar signal modulation mode identification method based on active incremental fine adjustment
JP4460277B2 (en) Corresponding point search method of image, corresponding point search device, and corresponding point search program
CN114663329A (en) Point cloud quality evaluation method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant