CN114996496A - Query-based black box attack method for image retrieval model - Google Patents


Publication number
CN114996496A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210701607.7A
Other languages
Chinese (zh)
Inventor
徐行
李思远
杨阳
沈复民
申恒涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/50 Information retrieval; Database structures therefor; File system structures therefor of still image data
    • G06F16/53 Querying
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods


Abstract

The invention discloses a query-based black-box attack method for picture retrieval models, in the technical field of adversarial attacks on picture retrieval. A black-box optimizer searches for a perturbation that minimizes a differentiable adversarial loss; the perturbation is superimposed on a query picture and fed into the picture retrieval model so as to change the position of a specific picture in the retrieval picture sequence. The method comprises the following steps. Step S1: selecting a target picture and defining an expected retrieval picture sequence; step S2: initializing the perturbation as a random tensor with the same size as the query picture; step S3: superimposing the perturbation on the query picture and feeding it into the picture retrieval model to obtain a retrieval picture sequence; step S4: calculating the adversarial loss from the current retrieval picture sequence and the expected retrieval picture sequence; step S5: updating the perturbation by one step using the black-box optimizer; step S6: if the termination condition is met, returning the perturbation and ending; otherwise, returning to step S3 and continuing.

Description

Query-based black box attack method for image retrieval model
Technical Field
The invention relates to the technical field of adversarial attacks on picture retrieval, and in particular to a query-based black-box attack method for picture retrieval models.
Background
Picture retrieval is an important task in computer vision. A user submits a picture to the picture retrieval model, and the model selects pictures highly relevant to the query picture from its database and returns them to the user. The relevance between pictures is given by a deep metric learning neural network. Research shows that picture retrieval models have difficulty resisting adversarial attacks, in which a malicious attacker adds a tiny, imperceptible perturbation to a query picture to construct an adversarial example, so that the picture retrieval model returns an incorrect retrieval picture sequence. According to how much the attacker knows about the attacked model, existing adversarial attack methods fall into two categories: 1) white-box attacks, which assume that the attacker knows everything about the attacked model, including the database of the picture retrieval model and the structure, weights and so on of the deep metric learning neural network it uses, so that the attacker can easily construct adversarial examples from this information; 2) black-box attacks, which typically assume that the attacker does not know the internal information of the attacked model and can only issue a limited number of queries to it and obtain the corresponding query results (i.e., retrieval picture sequences). The latter is clearly more challenging and, being closer to realistic application scenarios, receives more attention.
Existing black-box attacks on picture retrieval models can only achieve some simple attack goals, such as "making pictures at the front of the retrieval picture sequence appear at its end" or "changing the position at which a specific picture appears in the retrieval picture sequence", but attack goals in practical application scenarios can be more complex. For example, in a product recommendation system based on picture retrieval, a malicious seller may want its product to appear at a certain front position in the recommendation list while a competitor's product appears behind it. In such a scenario the attacker (i.e., the malicious seller) needs to change both the position at which a certain picture appears in the recommendation list and the relative order of two pictures in the list, which existing black-box attack methods for picture retrieval cannot do. The invention fills this research gap, makes it possible to "eliminate potential security risks in picture retrieval services" and to "train robust picture retrieval models", and has important practical significance.
Disclosure of Invention
The object of the invention is to overcome the shortcomings of existing black-box adversarial attack methods in the field of picture retrieval by providing a query-based black-box attack method for picture retrieval models.
To achieve this object, the invention adopts the following technical solution:
A query-based black-box attack method for a picture retrieval model, in which a black-box optimizer searches for a perturbation that minimizes a differentiable adversarial loss, and the perturbation is superimposed on a query picture and fed into the picture retrieval model so as to change the position of a specific picture in the retrieval picture sequence. The method specifically comprises the following steps:
step S1: selecting a target picture and defining an expected retrieval picture sequence;
step S2: initializing the perturbation as a random tensor with the same size as the query picture;
step S3: superimposing the perturbation on the query picture and feeding it into the picture retrieval model to obtain a retrieval picture sequence;
step S4: calculating the adversarial loss from the current retrieval picture sequence and the expected retrieval picture sequence;
step S5: updating the perturbation by one step using the black-box optimizer;
step S6: if the termination condition is met, returning the perturbation and ending; otherwise, returning to step S3 and continuing.
As an optional technical solution, the step S1 specifically includes:
step S11: selecting a set of target pictures
Figure BDA0003702969760000021
The database C of the picture retrieval model f is defined as a set comprising N non-repeating pictures:
$C = \{c_1, c_2, \ldots, c_N\}$,
for the query picture q, f returns the K pictures in C with the highest relevance to q as the retrieval picture sequence L(f, q), arranged in descending order of relevance; if C is known to the attacker, the target picture set is selected directly from C; otherwise, it is selected from the sequence L(f, q);
step S12: defining an expected retrieval picture sequence $R_t$;
$R_t$ has a length of
Figure BDA0003702969760000031
contains no repeated elements, and each of its elements is an integer in [0, K].
As an optional technical solution, the perturbation δ in step S2 is initialized as a random tensor with the same size as the query picture (C channels, height H, width W) and satisfies the following condition:
$\|\delta\|_\infty \le \epsilon$,
where $\|\cdot\|_\infty$ denotes the infinity norm and $\epsilon$ is the largest infinity norm of the perturbation that can be tolerated.
As an optional technical solution, the step S3 specifically includes:
step S31: superimposing the perturbation δ on the query picture q to obtain
Figure BDA0003702969760000032
Figure BDA0003702969760000033
step S32: feeding
Figure BDA0003702969760000034
into the picture retrieval model f to obtain the current retrieval picture sequence
Figure BDA0003702969760000035
As an optional technical solution, the step S4 specifically includes:
step S41: selecting a reference picture set B: if C is known, the reference picture set is selected directly from C; otherwise, it is selected from the sequence L(f, q);
step S42: defining a set of sample pairs S:
Figure BDA0003702969760000036
where (·, ·) denotes an unordered pair; b is an element of B, and
Figure BDA0003702969760000037
is an element of
Figure BDA0003702969760000038
step S43: for each sample pair
Figure BDA0003702969760000039
defining its two-point distribution on the current retrieval picture sequence R:
Figure BDA00037029697600000310
Figure BDA00037029697600000311
where <·, ·> denotes an ordered pair,
Figure BDA00037029697600000312
denotes the rank of
Figure BDA00037029697600000313
in R, k is a hyperparameter that must be specified, e is the natural constant, and R(b) denotes the rank of picture b in the list R.
The two-point distribution on the expected retrieval picture sequence $R_t$ is defined in the same way:
Figure BDA0003702969760000041
Figure BDA0003702969760000042
where
Figure BDA0003702969760000043
denotes the rank of
Figure BDA0003702969760000044
in $R_t$;
step S44: for each sample pair
Figure BDA0003702969760000045
computing the KL divergence between its two-point distributions on R and $R_t$, which is taken as the loss on this sample pair:
Figure BDA0003702969760000046
where log(·) denotes the logarithm function;
step S45: averaging the losses over all sample pairs to obtain the adversarial loss:
Figure BDA0003702969760000047
where |·| denotes the number of elements in a set.
As an optional technical solution, the specific form of the black box optimizer BO in the step S5 is as follows:
Figure BDA0003702969760000048
BO takes the perturbation δ and its adversarial loss function
Figure BDA0003702969760000049
as input, updates the perturbation by one step in a direction that reduces the adversarial loss, and returns the updated perturbation.
As an optional technical solution, the termination condition in step S6 specifically includes:
1) the number of queries issued to the picture retrieval model reaches the maximum value;
2) the current retrieval picture sequence is the same as the expected retrieval picture sequence;
the process terminates when either of the two conditions above is satisfied.
The beneficial effects of the invention are as follows:
1. The invention allows an attacker to select a certain number of target pictures and, by adjusting the perturbation, to change both the relative order among these target pictures and the positions at which they appear in the retrieval picture sequence, which is enough to cover most attack scenarios.
2. The adversarial loss designed in the invention is differentiable, which means that the black-box optimizer obtains continuous feedback from the loss function, speeding up convergence while reducing the risk of becoming trapped at a local extremum.
Drawings
FIG. 1 is a flow chart of an implementation of the present invention;
FIG. 2 is a schematic illustration of an embodiment of the invention;
FIG. 3 is a diagram showing the attack effect on the two picture retrieval datasets CUB-200 and SOP according to the embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
The invention provides a query-based black-box attack method for a picture retrieval model, the workflow of which is shown in FIG. 1 and which specifically comprises the following steps:
step S1: selecting a target picture and defining an expected retrieval picture sequence;
step S2: initializing the perturbation as a random tensor with the same size as the query picture;
step S3: superimposing the perturbation on the query picture and feeding it into the picture retrieval model to obtain a retrieval picture sequence;
step S4: calculating the adversarial loss from the current retrieval picture sequence and the expected retrieval picture sequence;
step S5: updating the perturbation by one step using the black-box optimizer;
step S6: if the termination condition is met, returning the perturbation and ending; otherwise, returning to step S3 and continuing.
The step S1 specifically includes:
step S11: selecting a set of target pictures
Figure BDA0003702969760000061
The database C of the picture retrieval model f is defined as a set comprising N non-repeating pictures:
$C = \{c_1, c_2, \ldots, c_N\}$,
for the query picture q, f returns the K pictures in C with the highest relevance to q as the retrieval picture sequence L(f, q), arranged in descending order of relevance. If C is known to the attacker, the target picture set is selected directly from C; otherwise, it is selected from the sequence L(f, q).
step S12: from
Figure BDA0003702969760000062
selecting a relative target picture set
Figure BDA0003702969760000063
and an absolute target picture set
Figure BDA0003702969760000064
that satisfy the following conditions:
Figure BDA0003702969760000065
and
Figure BDA0003702969760000066
where
Figure BDA0003702969760000067
denotes the empty set;
step S13: defining an expected relative retrieval picture sequence $R_r$ and an expected absolute retrieval picture sequence $R_a$, where $R_r$ is a permutation of the integer sequence
Figure BDA0003702969760000068
and $R_a$ is a list of length
Figure BDA0003702969760000069
that contains no repeated elements, each element being an integer in [0, K].
The perturbation δ in step S2 is initialized as a random tensor with the same size as the query picture q (C channels, height H, width W) and satisfies the following condition:
$\|\delta\|_\infty \le \epsilon$,
where $\|\cdot\|_\infty$ denotes the infinity norm and $\epsilon$ is the largest infinity norm of the perturbation that can be tolerated.
The step S3 specifically includes:
step S31: superimposing the perturbation δ on the query picture q to obtain
Figure BDA00037029697600000610
Figure BDA00037029697600000611
step S32: feeding
Figure BDA00037029697600000612
into the picture retrieval model f to obtain the current retrieval picture sequence
Figure BDA00037029697600000613
The step S4 specifically includes:
step S41: defining the set of relative sample pairs $S_r$:
Figure BDA0003702969760000071
where (·, ·) denotes an unordered pair;
step S42: for each sample pair
Figure BDA0003702969760000072
defining its two-point distribution on R:
Figure BDA0003702969760000073
Figure BDA0003702969760000074
where <·, ·> denotes an ordered pair and R(·) denotes the rank of a picture in R.
Its two-point distribution on $R_r$ is defined in the same way:
Figure BDA0003702969760000075
Figure BDA0003702969760000076
where $R_r(\cdot)$ denotes the rank of a picture in $R_r$;
step S43: for each sample pair
Figure BDA0003702969760000077
computing the KL divergence between its two-point distributions on R and $R_r$, which is taken as the loss on this sample pair:
Figure BDA0003702969760000078
where log(·) denotes the logarithm function;
step S44: computing the average of the losses over all sample pairs in $S_r$ as the relative rank loss
Figure BDA0003702969760000079
Figure BDA00037029697600000710
where |·| denotes the number of elements in a set;
step S45: selecting an absolute reference picture set $B_a$, drawn as follows: if C is known, directly from
Figure BDA00037029697600000711
otherwise, from the sequence
Figure BDA0003702969760000081
step S46: defining the set of absolute sample pairs $S_a$:
Figure BDA0003702969760000082
where (·, ·) denotes an unordered pair;
step S47: for each sample pair
Figure BDA0003702969760000083
defining its two-point distribution on R:
Figure BDA0003702969760000084
Figure BDA0003702969760000085
Its two-point distribution on $R_a$ is defined in the same way:
Figure BDA0003702969760000086
Figure BDA0003702969760000087
step S48: for each sample pair
Figure BDA0003702969760000088
computing the KL divergence between its two-point distributions on R and $R_a$, which is taken as the loss on this sample pair:
Figure BDA0003702969760000089
step S49: computing the average of the losses over all sample pairs in $S_a$ as the absolute rank loss
Figure BDA00037029697600000810
Figure BDA00037029697600000811
step S4A: computing the weighted sum of the relative rank loss
Figure BDA00037029697600000812
and the absolute rank loss
Figure BDA00037029697600000813
as the adversarial loss
Figure BDA00037029697600000814
Figure BDA00037029697600000815
where β is a balance factor.
The specific form of the black box optimizer BO in the step S5 is as follows:
Figure BDA00037029697600000816
BO takes the perturbation δ and its adversarial loss function
Figure BDA0003702969760000091
as input, updates the perturbation by one step in a direction that reduces the adversarial loss, and returns the updated perturbation.
The termination condition in step S6 specifically includes:
1) the number of queries issued to the retrieval model reaches the maximum;
2) the current retrieval picture sequence is the same as the expected retrieval picture sequence.
The process terminates when either of the two conditions above is satisfied.
Example 2:
As shown in FIG. 2, the invention provides a query-based black-box attack method for a picture retrieval model. It allows an attacker to select a certain number of target pictures and, with the database of the attacked model and the parameters of its deep metric learning neural network unknown, to adjust the perturbation according to the retrieval results alone so as to change the relative order among the target pictures in the retrieval picture sequence and the positions at which they appear. In addition, the invention designs a differentiable adversarial loss that provides continuous feedback to the black-box optimizer, thereby accelerating the search process and improving attack efficiency. Note that the invention does not prescribe which black-box optimizer is used; any black-box optimizer that satisfies the form defined in the invention is feasible.
This embodiment uses the widely used deep metric learning neural network BN-Inception and the two datasets CUB-200 and SOP to test the attack effect of the proposed method. The CUB-200 dataset contains 11,788 bird pictures from 200 categories. The SOP dataset contains 120,000 pictures of online products from 23,000 categories. The embedding feature dimension of the deep metric learning neural network is 512, and the network is trained with the multi-level correlation loss, which currently performs best. For the CUB-200 dataset, this embodiment trains with the first 100 classes and tests with the remaining 100 classes; for the SOP dataset, this embodiment trains with 11,318 classes and tests with 11,316 classes. To achieve better retrieval performance, random cropping and random horizontal flipping are used for data augmentation on both datasets. The performance of the trained picture retrieval model on the two datasets (measured by Recall@K) is shown in Table 1.
TABLE 1 Performance of the attacked picture retrieval model
Figure BDA0003702969760000092
Figure BDA0003702969760000101
Then, the embodiment selects 1,000 pictures from the test data sets of the CUB-200 and the SOP respectively as query pictures and attacks the trained model.
In this embodiment, the maximum number of queries is set to 2,000 and the maximum perturbation magnitude ε is set to 0.05. The embodiment uses four different black-box optimizers to optimize the proposed adversarial loss, and the hyperparameters they require are determined by random search. Because the invention can change both the relative order of the target pictures in the retrieval picture sequence (called a relative attack) and the specific positions of the target pictures in the retrieval picture sequence (called an absolute attack), the following two indexes are introduced to evaluate the effects of the two attacks respectively:
1) regularized rank correlation coefficient: defined as the ratio of the number of sample pairs in $S_r$ whose relative order is consistent between R and $R_r$ to $|S_r|$; it is used to evaluate the relative attack effect;
2) attack success rate: defined as the ratio of the number of target pictures in
Figure BDA0003702969760000102
whose positions are the same in R and $R_a$ to
Figure BDA0003702969760000103
It is used to evaluate the absolute attack effect.
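The two indexes above can be computed directly from a returned retrieval sequence, which is also how a defender can quantify how far a perturbed query moved a ranking away from a reference ordering. The following Python sketch is an added example, not code from the patent. It assumes that $S_r$ is every unordered pair of relative target pictures, that ranks are 0-based, and that a picture missing from the K returned pictures has rank K; the picture IDs are constructed.

```python
from itertools import combinations

# Constructed sample data (not from the patent): top-5 results for one query
# before and after a small perturbation was added to the query picture.
CLEAN = ["c3", "c7", "c1", "c9", "c4"]
PERTURBED = ["c7", "c3", "c9", "c1", "c4"]


def rank_in(sequence, picture):
    """0-based rank of `picture` in a retrieval sequence.

    Assumption: the page gives ranks as integers in [0, K]; here rank K
    (the sequence length) means "not among the K returned pictures".
    """
    try:
        return sequence.index(picture)
    except ValueError:
        return len(sequence)


def regularized_rank_correlation(current, expected_rel):
    """Share of target pairs whose relative order in `current` matches
    the expected relative ranks.

    `expected_rel` maps each relative target picture to its expected
    relative rank. Assumption: every unordered pair of targets is a
    sample pair.
    """
    pairs = list(combinations(sorted(expected_rel), 2))
    if not pairs:
        raise ValueError("need at least two relative target pictures")
    agree = 0
    for a, b in pairs:
        cur = rank_in(current, a) - rank_in(current, b)
        exp = expected_rel[a] - expected_rel[b]
        # cur == 0 only when both pictures are absent from `current`;
        # their order is then unknown and is counted as a disagreement.
        if cur != 0 and (cur < 0) == (exp < 0):
            agree += 1
    return agree / len(pairs)


def position_match_rate(current, expected_abs):
    """Share of absolute target pictures found at exactly their expected
    rank (the page's "attack success rate")."""
    if not expected_abs:
        raise ValueError("need at least one absolute target picture")
    hits = sum(1 for pic, pos in expected_abs.items()
               if rank_in(current, pic) == pos)
    return hits / len(expected_abs)


def report():
    """Score the perturbed ranking against the clean one as reference."""
    expected_rel = {pic: i for i, pic in enumerate(CLEAN[:3])}
    expected_abs = {"c3": rank_in(CLEAN, "c3"), "c4": rank_in(CLEAN, "c4")}
    return {
        "rank_correlation": regularized_rank_correlation(PERTURBED, expected_rel),
        "position_match": position_match_rate(PERTURBED, expected_abs),
    }


if __name__ == "__main__":
    print(report())
```

With the clean ranking as reference, values close to 1 mean the perturbed query left the ranking intact; lower values mean target pictures changed order or position.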
To demonstrate the effectiveness of the proposed method, this embodiment also provides two other methods for comparison. Tables 2 and 3 show that, under the same experimental setup, the method provided by the invention achieves a higher regularized rank correlation coefficient and attack success rate than the two comparison methods with different black-box optimizers, which means that it achieves better results in both relative attacks and absolute attacks.
TABLE 2 Relative attack effect (measured by regularized rank correlation coefficient)
Figure BDA0003702969760000104
Figure BDA0003702969760000111
TABLE 3 Absolute attack effect (measured by attack success rate)
Figure BDA0003702969760000112
In Fig. 3, the first column shows the query picture and the adversarial examples constructed with different black-box optimizers, and the remaining columns show the retrieval picture sequences returned by the picture retrieval model, in order of decreasing relevance. The difference between an adversarial example generated by the invention and the normal picture can hardly be distinguished by the human eye, yet the retrieval picture sequence returned by the model changes noticeably (pictures whose positions changed are marked with a red frame). This shows that the adversarial examples constructed by the invention can pose a sufficient security threat to the picture retrieval model without being perceived by humans, and demonstrates the effectiveness of the proposed method.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and should not be taken as limiting the scope of the present invention, and any modifications, equivalents and improvements made by those skilled in the art within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (7)

1. A query-based black-box attack method for a picture retrieval model, wherein a black-box optimizer searches for a perturbation that minimizes a differentiable adversarial loss, and the position at which a specific picture appears in the retrieval picture sequence is changed by superimposing the perturbation on a query picture and feeding it into the picture retrieval model, the method specifically comprising:
step S1: selecting a target picture and defining an expected retrieval picture sequence;
step S2: initializing the perturbation as a random tensor with the same size as the query picture;
step S3: superimposing the perturbation on the query picture and feeding it into the picture retrieval model to obtain a retrieval picture sequence;
step S4: calculating the adversarial loss from the current retrieval picture sequence and the expected retrieval picture sequence;
step S5: updating the perturbation by one step using the black-box optimizer;
step S6: if the termination condition is met, returning the perturbation and ending; otherwise, returning to step S3 and continuing.
2. The query-based black-box attack method for a picture retrieval model according to claim 1, wherein the step S1 specifically includes:
step S11: selecting a set of target pictures
Figure FDA0003702969750000011
The database C of the picture retrieval model f is defined as a set comprising N non-repeating pictures:
$C = \{c_1, c_2, \ldots, c_N\}$,
for the query picture q, f returns the K pictures in C with the highest relevance to q as the retrieval picture sequence L(f, q), arranged in descending order of relevance; if C is known to the attacker, the target picture set is selected directly from C; otherwise, it is selected from the sequence L(f, q);
step S12: defining an expected retrieval picture sequence $R_t$;
$R_t$ has a length of
Figure FDA0003702969750000012
contains no repeated elements, and each of its elements is an integer in [0, K].
3. The method of claim 1, wherein the perturbation δ in step S2 is initialized as a random tensor with the same size as the query picture q (C channels, height H, width W) and satisfies the following condition:
$\|\delta\|_\infty \le \epsilon$,
where $\|\cdot\|_\infty$ denotes the infinity norm and $\epsilon$ is the largest infinity norm of the perturbation that can be tolerated.
4. The query-based black-box attack method for a picture retrieval model according to claim 1, wherein the step S3 specifically includes:
step S31: superimposing the perturbation δ on the query picture q to obtain
Figure FDA0003702969750000021
Figure FDA0003702969750000022
step S32: feeding
Figure FDA0003702969750000023
into the picture retrieval model f to obtain the current retrieval picture sequence
Figure FDA0003702969750000024
5. The query-based black-box attack method for a picture retrieval model according to claim 1, wherein the step S4 specifically includes:
step S41: selecting a reference picture set B: if C is known, the reference picture set is selected directly from C; otherwise, it is selected from the sequence L(f, q);
step S42: defining a set of sample pairs S:
Figure FDA0003702969750000025
where (·, ·) denotes an unordered pair; b is an element of B, and
Figure FDA0003702969750000026
is an element of
Figure FDA0003702969750000027
step S43: for each sample pair
Figure FDA0003702969750000028
defining its two-point distribution on the current retrieval picture sequence R:
Figure FDA0003702969750000029
Figure FDA00037029697500000210
where <·, ·> denotes an ordered pair,
Figure FDA00037029697500000211
denotes the rank of
Figure FDA00037029697500000212
in R, k is a hyperparameter that must be specified, e is the natural constant, and R(b) denotes the rank of picture b in the list R.
The two-point distribution on the expected retrieval picture sequence $R_t$ is defined in the same way:
Figure FDA0003702969750000031
Figure FDA0003702969750000032
where
Figure FDA0003702969750000033
denotes the rank of
Figure FDA0003702969750000034
in $R_t$;
step S44: for each sample pair
Figure FDA0003702969750000035
computing the KL divergence between its two-point distributions on R and $R_t$, which is taken as the loss on this sample pair:
Figure FDA0003702969750000036
where log(·) denotes the logarithm function;
step S45: averaging the losses over all sample pairs to obtain the adversarial loss:
Figure FDA0003702969750000037
where |·| denotes the number of elements in a set.
6. The query-based black-box attack method for a picture retrieval model according to claim 1, wherein the black-box optimizer BO in step S5 has the following form:
Figure FDA0003702969750000038
BO takes the perturbation δ and its adversarial loss function
Figure FDA0003702969750000039
as input, updates the perturbation by one step in a direction that reduces the adversarial loss, and returns the updated perturbation.
7. The query-based black-box attack method for a picture retrieval model according to claim 1, wherein the termination condition in step S6 specifically includes:
1) the number of queries issued to the picture retrieval model reaches the maximum value;
2) the current retrieval picture sequence is the same as the expected retrieval picture sequence;
the process terminates when either of the two conditions above is satisfied.
CN202210701607.7A 2022-06-20 2022-06-20 Query-based black box attack method for image retrieval model Pending CN114996496A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210701607.7A CN114996496A (en) 2022-06-20 2022-06-20 Query-based black box attack method for image retrieval model

Publications (1)

Publication Number Publication Date
CN114996496A true CN114996496A (en) 2022-09-02

Family

ID=83036224

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination