CN116167912A - Adversarial sample generation method, adversarial attack detection method and device, and electronic device - Google Patents
Info

Publication number: CN116167912A
Application number: CN202310271058.9A
Authority: CN (China)
Prior art keywords: patch, initialization, area, pixel, sample
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 崔恺旭, 王洋, 包沉浮, 吕中厚, 田伟娟, 张华正, 黄英仁, 周光照, 王国秋
Current assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original assignee: Beijing Baidu Netcom Science and Technology Co Ltd


Abstract

The disclosure provides an adversarial sample generation method, an adversarial attack detection method and device, and an electronic device, and relates to the technical field of artificial intelligence, in particular to deep learning, cloud computing, computer vision and autonomous driving. The adversarial sample generation method comprises the following steps: acquiring an initialization patch, the initialization patch being a patch for processing a target image; identifying the pixel mean value of the pixel points included in the initialization patch; correcting the initialization patch according to the pixel mean value to obtain an adversarial patch; and synthesizing the adversarial patch with the target image to obtain an adversarial sample.

Description

Adversarial sample generation method, adversarial attack detection method and device, and electronic device
Technical Field
The disclosure relates to the technical field of artificial intelligence, in particular to deep learning, cloud computing, computer vision and autonomous driving, and specifically to a method for generating an adversarial sample, a method and a device for detecting adversarial attacks, and an electronic device.
Background
With the continuous development of deep learning models, they are widely applied in many fields and perform well; at the same time, their safety and robustness are attracting increasing attention. Adversarial samples can currently be used to test a deep learning model's performance under adversarial attack, but adversarial samples are easily occluded.
Disclosure of Invention
The disclosure provides an adversarial sample generation method, an adversarial attack detection method and device, and an electronic device.
According to a first aspect of the present disclosure, there is provided an adversarial sample generation method comprising:
acquiring an initialization patch, the initialization patch being a patch for processing a target image;
identifying the pixel mean value of the pixel points included in the initialization patch;
correcting the initialization patch according to the pixel mean value to obtain an adversarial patch;
and synthesizing the adversarial patch with the target image to obtain an adversarial sample.
According to a second aspect of the present disclosure, there is provided an adversarial attack detection method comprising:
inputting an adversarial sample into a model under test for sample recognition and outputting a recognition result, the recognition result representing the image classification of the adversarial sample, and the model under test being a detection model for classifying images;
determining the adversarial attack result of the model under test on the adversarial sample according to the recognition result and preset classification information of the target image acquired in advance;
wherein the adversarial sample is a sample generated by the method provided in the first aspect.
According to a third aspect of the present disclosure, there is provided an adversarial sample generating device comprising:
an acquisition module, configured to acquire an initialization patch, where the initialization patch is a patch for processing a target image;
an identification module, configured to identify the pixel mean value of the pixel points included in the initialization patch;
a correction module, configured to correct the initialization patch according to the pixel mean value to obtain an adversarial patch;
and a synthesis module, configured to synthesize the adversarial patch with the target image to obtain an adversarial sample.
According to a fourth aspect of the present disclosure, there is provided an adversarial attack detection apparatus comprising:
a sample recognition module, configured to input an adversarial sample into a model under test for sample recognition and output a recognition result, where the recognition result represents the image classification of the adversarial sample and the model under test is a detection model for classifying images;
a determining module, configured to determine the adversarial attack result of the model under test on the adversarial sample according to the recognition result and preset classification information of the target image acquired in advance;
wherein the adversarial sample is a sample generated by the apparatus provided according to the second aspect.
According to a fifth aspect of the present disclosure, there is provided an electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform any one of the methods of the first aspect.
According to a sixth aspect of the present disclosure, there is provided a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform any one of the methods of the first aspect.
According to a seventh aspect of the present disclosure, there is provided a computer program product comprising a computer program which, when executed by a processor, implements any of the methods of the first aspect.
In the embodiments of the disclosure, the initialization patch is corrected according to the pixel mean value to obtain the adversarial patch, so that the occluded part of the initialization patch can be fully filled in according to the pixel mean value of the pixel points included in the initialization patch, and the resulting adversarial patch displays better.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following specification.
Drawings
FIG. 1 is one of the flowcharts of the adversarial sample generation method provided by the embodiments of the present disclosure;
FIG. 2 is a second flowchart of an adversarial sample generation method according to an embodiment of the present disclosure;
FIG. 3 is a third flowchart of an adversarial sample generation method according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of an adversarial sample generating device provided by an embodiment of the present disclosure;
FIG. 5 is a schematic block diagram of an example electronic device used to implement embodiments of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below in conjunction with the accompanying drawings, which include various details of the embodiments of the present disclosure to facilitate understanding, and should be considered as merely exemplary. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
To test the adversarial attack resistance of a model under test, a target image may be camouflaged to obtain an adversarial sample, the adversarial sample is input into the model under test, and the model's resistance to adversarial attack is determined from the detection result it outputs and the actual result of the target image. However, the target image is often easily occluded, so the detection result for the adversarial attack resistance of the model under test is poor, and the quality of the adversarial sample therefore needs to be improved. To improve the quality of the adversarial sample, the following solutions are proposed.
Referring to FIG. 1, FIG. 1 is a flowchart of an adversarial sample generation method according to an embodiment of the present disclosure. As shown in FIG. 1, the method includes the following steps:
Step S101: acquire an initialization patch, where the initialization patch is a patch for processing a target image.
The type of the target image is not limited here. The target image may be an image collected by the vehicle-mounted camera of an autonomous vehicle, or data of a target object collected by an image acquisition device placed at the roadside, where the target object may be a zebra crossing or an intersection.
The specific manner of obtaining the initialization patch is not limited here. For example, the initialization patch may be obtained directly, or an original patch may be obtained first and then initialized to obtain the initialization patch.
The manner of the initialization processing is not limited here either. For example, the initialization processing may include at least one of white initialization, black initialization, gray initialization and random initialization. The size of the initialization patch may or may not match the size of the original patch, and it may be specified according to user input.
The initialization patch is a patch for processing the target image. Optionally, the initialization patch may be used to camouflage the target image so that the category of the target image may change; the processed target image is then input into the model under test to test how well the model recognizes the camouflaged target image, which can be understood as testing the model's resistance to adversarial attack.
Note that the camouflage processing may include: attaching the initialization patch to at least a partial area of the target image, that is, replacing the display content of that partial area; or computing the average of the pixel value of the initialization patch and the pixel value of the display content of that partial area of the target image, and correcting the pixel value of the display content of that partial area to the average. The specific manner is not limited here.
As an alternative embodiment, acquiring the initialization patch includes:
acquiring a first patch;
initializing the first patch to obtain a second patch;
adjusting a target parameter of a first target area of the second patch to obtain the initialization patch;
wherein the target parameter is a display parameter, and the display parameter includes at least one of the following: display size, proportion parameter, brightness, contrast, noise, position, angle.
The first patch may be understood as the original patch, and the initialization processing is as described above.
Adjusting the target parameter of the first target area of the second patch to obtain the initialization patch can be described as follows. The second patch may be understood as a patch in the digital world, and the adversarial patch as a patch in the physical world (the real world). Adjusting the target parameter of the first target area of the second patch to obtain the initialization patch can therefore be understood as mapping the digital-world patch to a real-world patch by adjusting the target parameter of the first target area of the digital-world patch.
Because of the complexity of the real world, patches in the real world may also appear in diverse forms. For example, the proportion of the image occupied by the patch may change, changing the patch, or the patch may be occluded, rendering the adversarial patch ineffective. Moreover, when a model under test is tested with an adversarial patch obtained from an initialization patch, the size of the adversarial patch is generally fixed, so the proportion it occupies may vary with the size of the object and the distance to the lens, and the adversarial patch is easily occluded in the real world.
The proportion parameter may be a random proportion parameter, which may also be understood as follows: the proportion parameter is determined randomly, that is, the adversarial patch obtained from the initialization patch does not use a fixed proportion parameter; instead, a randomly determined proportion parameter is used as the proportion parameter of the adversarial patch obtained from the initialization patch. This addresses the problem of proportion changes caused by changes in the target and in the lens distance during real-world physical attacks with the adversarial patch obtained from the initialization patch, and enhances the robustness of the adversarial patch.
The display size may be understood as the displayed size. Since the target parameter of the first target area of the second patch is adjusted, the first target area of the second patch may also be called the variation-enhancement area, so the adjustment may be understood as adjusting the display size of the variation-enhancement area. For example, the first target area of the second patch may be edge-repaired so that the display size of the resulting initialization patch matches the target image.
In an embodiment of the present disclosure, the target parameter of the first target area of the second patch is adjusted to obtain the initialization patch, where the target parameter is a display parameter including at least one of the following: proportion parameter, brightness, contrast, noise, position and angle. This improves the robustness of the initialization patch and hence the robustness of the adversarial patch obtained from it.
At the same time, because the display parameters come in several kinds, the various changing factors of the real world can be simulated better and more faithfully, so the adversarial patch better meets real-world requirements and its realism is enhanced.
As an optional implementation, adjusting the target parameter of the first target area of the second patch to obtain the initialization patch includes:
adjusting the target parameter of the first target area of the second patch to obtain a third patch;
performing an affine transformation on a second target area of the third patch to obtain the initialization patch, where the affine transformation includes at least one of: scaling, rotation, translation.
In an embodiment of the present disclosure, the initialization patch is obtained by performing an affine transformation (at least one of scaling, rotation and translation) on the second target area of the third patch, which can further enhance the robustness of the initialization patch.
Note that FIG. 3 illustrates the process of applying the various variation enhancements to the first patch to finally obtain the adversarial sample.
Step S102: identify the pixel mean value of the pixel points included in the initialization patch.
The pixel values of the pixel points included in the initialization patch may be obtained and the pixel mean value computed from them; alternatively, the pixel mean value may be pre-stored data bound to the initialization patch, so that the pixel mean value is obtained together with the initialization patch. The specific manner is not limited here.
Step S103: correct the initialization patch according to the pixel mean value to obtain an adversarial patch.
The specific manner of correcting the initialization patch according to the pixel mean value to obtain the adversarial patch is not limited here.
As an alternative embodiment, the product of the pixel mean value and a scene coefficient may be computed and used to replace the pixel values of a partial area of the initialization patch, where the partial area may be understood as an occluded area of the initialization patch and the scene coefficient may be determined according to the content of the initialization patch; for example, the scene coefficient differs when the scene represented by the content of the initialization patch differs.
As an optional implementation, correcting the initialization patch according to the pixel mean value to obtain an adversarial patch includes:
identifying a first area and a second area included in the initialization patch, where the second area is the area of the initialization patch other than the first area;
and replacing the pixel values of the pixel points in the first area with a preset pixel value, and replacing the pixel values of the pixel points in the second area with the pixel mean value, to obtain the adversarial patch, where the preset pixel value differs from the pixel mean value.
The first area may be called the stop area or stop-display area. The specific preset pixel value is not limited here; for example, it may be the pixel value of a transparent pixel point or of a white pixel point.
In this embodiment, the disclosure may be applied to a model under test that includes a Dropout layer. The Dropout layer may be used to replace the pixel values of the pixel points in the first area with the preset pixel value; when the preset pixel value is that of a transparent pixel point, the pixel points of the first area can be understood as having stopped working, that is, an adversarial patch occluded in the first area is simulated, which increases the diversity of the simulated adversarial patches. In addition, the complex co-adaptation between neurons of the model under test is reduced, so the model does not depend on the joint action of certain specific neurons with other neurons; this makes the model under test more robust and reduces overfitting.
In addition, since the pixel values of the pixel points in the second area of the initialization patch lie between 0 and 1, they cannot be divided by the probability p (as in Dropout) to keep the whole unchanged, so the pixel values of the pixel points in the second area are replaced with the pixel mean value instead; this guarantees that the resulting adversarial patch is unchanged as a whole and enhances its display effect.
As an optional implementation, identifying the first area and the second area included in the initialization patch includes:
randomly determining the first area included in the initialization patch;
and determining the second area according to the first area.
In this embodiment, because the first area is determined randomly, performing the steps of the embodiments multiple times finally yields a plurality of adversarial patches whose occluded first areas are at different positions, so the plurality of adversarial patches have different shapes; that is, adversarial patches of different shapes are obtained, which ultimately improves the robustness and diversity of the adversarial patches.
As an optional implementation, correcting the initialization patch according to the pixel mean value to obtain an adversarial patch includes:
predicting the probability of correcting the initialization patch;
and correcting the initialization patch according to the pixel mean value to obtain the adversarial patch only when the probability of correcting the initialization patch is greater than a preset probability.
In this embodiment, the probability of correcting the initialization patch can be predicted by the model under test, and the initialization patch is corrected according to the pixel mean value to obtain the adversarial patch only when that probability is greater than the preset probability. That is, the initialization patch is not corrected every time it is obtained, which further improves the robustness and diversity of the resulting adversarial patches.
Step S104: synthesize the adversarial patch with the target image to obtain an adversarial sample.
In the prior art, the adversarial patch can be attached at any position of the target image, and adversarial samples obtained by attaching the adversarial patch at different positions of the target image differ little in their adversarial effect on the model under test. The efficiency of synthesizing the adversarial patch with the target image can therefore be improved.
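Steps S101 to S104 as one runnable pure-Python example. This is an added illustration, not code from the patent or from Baidu: it works on small grayscale images stored as nested lists with values in [0, 1], represents the first (stop) area as a rectangle chosen with a seeded random generator, and takes the correction probability of the optional gate as a plain parameter standing in for the value the model under test would predict. The scaled-mean fill of the other embodiment (pixel mean times a scene coefficient, applied to the occluded area) is included as a second correction function. The function names, the rectangle representation and the sample inputs are my own assumptions.

```python
import random
from typing import List, Optional, Tuple

# Grayscale images and patches are row-major lists of floats in [0, 1]
# (the page states that patch pixel values lie between 0 and 1).
Image = List[List[float]]
Rect = Tuple[int, int, int, int]  # (top, left, height, width); assumed representation


def make_initialization_patch(height: int, width: int, mode: str = "gray",
                              rng: Optional[random.Random] = None) -> Image:
    """S101: white, black, gray or random initialization of a patch."""
    if mode == "random":
        rng = rng or random.Random(0)
        return [[rng.random() for _ in range(width)] for _ in range(height)]
    value = {"white": 1.0, "black": 0.0, "gray": 0.5}[mode]
    return [[value] * width for _ in range(height)]


def pixel_mean(patch: Image) -> float:
    """S102: mean of every pixel value in the patch."""
    pixels = [v for row in patch for v in row]
    return sum(pixels) / len(pixels)


def random_first_area(patch: Image, rng: random.Random) -> Rect:
    """Randomly choose the first (stop/occluded) area as a rectangle inside the patch."""
    h, w = len(patch), len(patch[0])
    area_h, area_w = rng.randint(1, h), rng.randint(1, w)
    return (rng.randint(0, h - area_h), rng.randint(0, w - area_w), area_h, area_w)


def correct_patch(patch: Image, first_area: Rect, preset: float = 1.0) -> Image:
    """S103 (first/second area embodiment): first area <- preset value (white here),
    second area (everything else) <- pixel mean. The preset must differ from the mean."""
    mean = pixel_mean(patch)
    if preset == mean:
        raise ValueError("preset pixel value must differ from the pixel mean")
    top, left, area_h, area_w = first_area
    return [[preset if top <= i < top + area_h and left <= j < left + area_w else mean
             for j in range(len(row))] for i, row in enumerate(patch)]


def fill_occluded_with_scaled_mean(patch: Image, occluded: Rect,
                                   scene_coefficient: float) -> Image:
    """S103 (scene-coefficient embodiment): occluded area <- mean * scene coefficient,
    the rest of the patch is left untouched."""
    scaled = pixel_mean(patch) * scene_coefficient
    top, left, area_h, area_w = occluded
    return [[scaled if top <= i < top + area_h and left <= j < left + area_w else v
             for j, v in enumerate(row)] for i, row in enumerate(patch)]


def synthesize(target: Image, patch: Image, top: int, left: int) -> Image:
    """S104: attach the patch to the target image, replacing the covered display content."""
    ph, pw = len(patch), len(patch[0])
    if top + ph > len(target) or left + pw > len(target[0]):
        raise ValueError("patch does not fit inside the target image")
    sample = [row[:] for row in target]
    for i in range(ph):
        sample[top + i][left:left + pw] = patch[i]
    return sample


def generate_adversarial_sample(target: Image, patch: Image, top: int, left: int,
                                correct_prob: float, preset_prob: float = 0.5,
                                seed: int = 0) -> Image:
    """S101-S104 with the optional probability gate: the patch is corrected only when
    correct_prob exceeds preset_prob. correct_prob is a stand-in (assumption) for the
    probability the model under test would predict."""
    rng = random.Random(seed)
    if correct_prob > preset_prob:
        patch = correct_patch(patch, random_first_area(patch, rng))
    return synthesize(target, patch, top, left)


if __name__ == "__main__":
    # Constructed inputs: a 3x3 all-black target image and a 2x2 patch with mean 0.5.
    target = [[0.0] * 3 for _ in range(3)]
    patch = [[0.25, 0.75], [0.75, 0.25]]
    print(generate_adversarial_sample(target, patch, 1, 1, correct_prob=0.9))
```

Running the block with `correct_prob=0.9` pastes a patch whose pixels are all either the preset value 1.0 or the mean 0.5 into the lower-right corner of the target; with `correct_prob=0.3` the gate leaves the patch as initialized.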
As an optional implementation, the embodiments of the present disclosure further provide an adversarial attack detection method, including:
inputting an adversarial sample into a model under test for sample recognition and outputting a recognition result, where the recognition result represents the image classification of the adversarial sample and the model under test is a detection model for classifying images;
and determining the adversarial attack result of the model under test on the adversarial sample according to the recognition result and the preset classification information of the target image acquired in advance.
The adversarial sample in these embodiments may be generated by the method of the foregoing embodiments, and each technical feature here may refer to the corresponding description in the foregoing embodiments, which is not repeated.
In these embodiments, the adversarial sample is input into the model under test for sample recognition and the recognition result is output; at the same time, the adversarial attack result of the model under test on the adversarial sample is determined according to the recognition result and the preset classification information of the target image acquired in advance. The adversarial attack result is thus detected with higher accuracy and in a more convenient way.
Note that determining the adversarial attack result of the model under test on the adversarial sample according to the recognition result and the preset classification information of the pre-acquired target image can be described as follows: when the recognition result matches the preset classification information of the target image, the adversarial attack result of the model under test on the adversarial sample is considered poor; when the recognition result does not match the preset classification information of the target image, the adversarial attack result is considered good.
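An added evaluation harness for the detection method just described (not the patent's code). A constructed brightness-threshold classifier stands in for the model under test, the preset classification information is passed as ground-truth labels, and the match/mismatch rule above is applied per sample, with the attack success rate and the robust accuracy reported over the batch. The constructed 4x4 sample images and all function names are assumptions.

```python
from typing import Callable, Dict, List, Sequence

Image = List[List[float]]          # grayscale, values in [0, 1]
Classifier = Callable[[Image], str]


def brightness_classifier(image: Image) -> str:
    """Constructed stand-in for the model under test: labels an image by its mean brightness."""
    pixels = [v for row in image for v in row]
    return "bright" if sum(pixels) / len(pixels) > 0.5 else "dark"


def attack_result(recognition: str, preset_classification: str) -> str:
    """The page's rule: recognition matches the preset classification -> attack result 'poor'
    (the model still classified correctly); mismatch -> attack result 'good'."""
    return "poor" if recognition == preset_classification else "good"


def detect_adversarial_attack(model: Classifier, samples: Sequence[Image],
                              preset_classifications: Sequence[str]) -> Dict[str, object]:
    """Run every adversarial sample through the model under test and summarise the outcome."""
    if len(samples) != len(preset_classifications):
        raise ValueError("one preset classification per sample is required")
    per_sample = []
    for sample, truth in zip(samples, preset_classifications):
        recognition = model(sample)
        per_sample.append({"recognition": recognition, "truth": truth,
                           "attack_result": attack_result(recognition, truth)})
    n = len(per_sample)
    fooled = sum(1 for r in per_sample if r["attack_result"] == "good")
    return {"per_sample": per_sample,
            "attack_success_rate": fooled / n if n else 0.0,   # share of samples with result 'good'
            "robust_accuracy": (n - fooled) / n if n else 0.0}  # share the model still got right


# Constructed samples: a dark target image, the same image with a small white patch
# (mean 0.325, still "dark"), and with a large white patch (mean 0.775, now "bright").
CLEAN_DARK = [[0.1] * 4 for _ in range(4)]
SMALL_PATCH = [row[:] for row in CLEAN_DARK]
for i in range(2):
    SMALL_PATCH[i][0:2] = [1.0, 1.0]
LARGE_PATCH = [row[:] for row in CLEAN_DARK]
for i in range(4):
    LARGE_PATCH[i][0:3] = [1.0, 1.0, 1.0]


if __name__ == "__main__":
    report = detect_adversarial_attack(brightness_classifier,
                                       [CLEAN_DARK, SMALL_PATCH, LARGE_PATCH], ["dark"] * 3)
    for r in report["per_sample"]:
        print(r)
    print("attack success rate:", report["attack_success_rate"])
    print("robust accuracy:", report["robust_accuracy"])
```

Reporting both numbers side by side is deliberate: the patent's rule scores the attack, and robust accuracy is the same information read from the defender's side, which is what a model-hardening loop would track across iterations.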
Note that the model under test may be a detection model for classifying images obtained by training in advance. Each step of the above embodiments may be understood as an application (inference) process, which may refer to steps 201 to 206 in FIG. 2. At the same time, each step may be understood as a step performed by the model under test in one training iteration, and the adversarial patch and the adversarial sample may be updated by back-propagation according to the loss function of the model under test; for example, the training process of the model under test can be seen as repeating steps 201 to 206 a number of times.
In addition, during training the loss function of the model under test may include the following three parts: detection score loss, total variation loss and non-printability score loss.
Detection score loss: the detection score loss is the maximum of the detection scores in the adversarial sample; minimizing this loss trains the adversarial sample to disable the model under test. The detection score may take several forms, for example the confidence of the detection box, the score of the attacked class, or the product of the confidence of the detection box and the score of the attacked class.
Total variation loss: the total variation loss may be computed as in formula (1). It represents the difference between each pixel point and its surrounding pixel points; minimizing this loss makes the learned color changes of the adversarial sample smooth and reduces noise.
[Formula (1) appears in the original only as an image (BDA0004134812890000091) and is not reproduced here.]
where $p_{i,j}$ denotes the pixel value of the pixel point at position $(i, j)$ in the adversarial sample.
Non-printability score loss: the non-printability score loss may be computed as in formula (2). It represents the difference between the pixel values in the adversarial sample and the pixel values a normal printer can print; minimizing this loss minimizes the difference between the printed physical patch (i.e., the adversarial sample obtained from the adversarial patch) and the digital patch (which may be understood as the second patch of the above embodiments), which is advantageous for carrying out a physical attack.
[Formula (2) appears in the original only as an image (BDA0004134812890000092) and is not reproduced here.]
where $p_{patch}$ denotes a pixel point in the adversarial sample and $c_{print}$ denotes one printable color value in the printable color set.
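Because formulas (1) and (2) survive only as images, the following added example (not the patent's code) implements the standard total-variation and non-printability-score definitions used in the adversarial-patch literature, which match the page's descriptions of the two terms: TV sums, over every pixel, the square root of the squared differences to its right and lower neighbours; NPS sums, over every pixel, the product of its distances to each printable colour, so it is zero exactly when every pixel is printable. Whether the patent's own formulas take exactly these forms is an assumption, and the constructed sample image and printable colour set are mine.

```python
import math
from typing import Dict, List, Sequence

Image = List[List[float]]  # grayscale, values in [0, 1]


def total_variation_loss(image: Image) -> float:
    """Assumed standard TV form: sum over (i, j) of
    sqrt((p[i][j] - p[i+1][j])^2 + (p[i][j] - p[i][j+1])^2),
    with a neighbour term dropped where the neighbour lies outside the image."""
    h, w = len(image), len(image[0])
    total = 0.0
    for i in range(h):
        for j in range(w):
            down = (image[i][j] - image[i + 1][j]) ** 2 if i + 1 < h else 0.0
            right = (image[i][j] - image[i][j + 1]) ** 2 if j + 1 < w else 0.0
            total += math.sqrt(down + right)
    return total


def non_printability_score(image: Image, printable_colors: Sequence[float]) -> float:
    """Assumed standard NPS form: sum over pixels p of prod over printable colours c of |p - c|.
    A pixel that equals any printable colour contributes 0."""
    if not printable_colors:
        raise ValueError("printable colour set must not be empty")
    total = 0.0
    for row in image:
        for p in row:
            prod = 1.0
            for c in printable_colors:
                prod *= abs(p - c)
            total += prod
    return total


def patch_quality(image: Image, printable_colors: Sequence[float]) -> Dict[str, float]:
    """Both smoothness and printability terms for one patch, as an evaluator would log them."""
    return {"total_variation": total_variation_loss(image),
            "non_printability": non_printability_score(image, printable_colors)}


# Constructed inputs: a smooth printable patch and a noisy, unprintable one.
PRINTABLE = [0.0, 0.25, 0.5, 0.75, 1.0]          # assumed 5-level printable gray set
SMOOTH = [[0.5, 0.5, 0.5], [0.5, 0.5, 0.5]]
NOISY = [[0.1, 0.9, 0.1], [0.9, 0.1, 0.9]]

if __name__ == "__main__":
    print("smooth:", patch_quality(SMOOTH, PRINTABLE))
    print("noisy:", patch_quality(NOISY, PRINTABLE))
```

The smooth, printable patch scores zero on both terms, while the checkerboard scores a large TV and a non-zero NPS; a patch evaluator would expect both terms to fall as training proceeds, and a patch that minimizes the detection-score term but keeps a high NPS is one that will not survive printing.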
Referring to FIG. 4, an embodiment of the present disclosure provides a schematic structural diagram of an adversarial sample generating device. As shown in FIG. 4, the adversarial sample generating device 400 includes:
an acquisition module 401, configured to acquire an initialization patch, where the initialization patch is a patch for processing a target image;
an identification module 402, configured to identify the pixel mean value of the pixel points included in the initialization patch;
a correction module 403, configured to correct the initialization patch according to the pixel mean value to obtain an adversarial patch;
and a synthesis module 404, configured to synthesize the adversarial patch with the target image to obtain an adversarial sample.
Optionally, the correction module 403 includes:
an identification sub-module, configured to identify a first area and a second area included in the initialization patch, where the second area is the area of the initialization patch other than the first area;
and a replacement sub-module, configured to replace the pixel values of the pixel points in the first area with a preset pixel value and the pixel values of the pixel points in the second area with the pixel mean value, to obtain the adversarial patch, where the preset pixel value differs from the pixel mean value.
Optionally, the identification sub-module includes:
a first determining unit, configured to randomly determine the first area included in the initialization patch;
and a second determining unit, configured to determine the second area according to the first area.
Optionally, the correction module 403 includes:
a prediction sub-module, configured to predict the probability of correcting the initialization patch;
and a correction sub-module, configured to correct the initialization patch according to the pixel mean value to obtain the adversarial patch when the probability of correcting the initialization patch is greater than a preset probability.
Optionally, the acquisition module 401 includes:
an acquisition sub-module, configured to acquire a first patch;
an initialization processing sub-module, configured to initialize the first patch to obtain a second patch;
and an adjustment sub-module, configured to adjust a target parameter of a first target area of the second patch to obtain the initialization patch;
where the target parameter is a display parameter including at least one of the following: display size, proportion parameter, brightness, contrast, noise, position, angle.
Optionally, the adjustment sub-module includes:
an adjustment unit, configured to adjust the target parameter of the first target area of the second patch to obtain a third patch;
and an affine transformation unit, configured to perform an affine transformation on a second target area of the third patch to obtain the initialization patch, where the affine transformation includes at least one of: scaling, rotation, translation.
Optionally, the embodiment of the present disclosure further provides an attack resistant detection apparatus, including:
the sample recognition module is used for inputting the countermeasure sample into a model to be detected for sample recognition and outputting a recognition result, wherein the recognition result is used for representing image classification of the countermeasure sample, and the model to be detected is a detection model for classifying images;
the determining module is used for determining an anti-attack result of the model to be detected on the challenge sample according to the identification result and preset classification information of the target image acquired in advance;
wherein the challenge sample is a sample generated according to the above challenge sample generation method embodiment or by the above challenge sample generation device.
The challenge sample generating device 400 provided in the embodiments of the present disclosure may implement each process implemented by the embodiments of the challenge sample generating method, and the anti-attack detecting device provided in the embodiments of the present disclosure may implement each process implemented by the embodiments of the anti-attack detecting method, achieving the same beneficial effects; to avoid repetition, no further description is given here.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
Fig. 5 illustrates a schematic block diagram of an example electronic device 500 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 5, the apparatus 500 includes a computing unit 501 that can perform various suitable actions and processes according to a computer program stored in a Read Only Memory (ROM) 502 or a computer program loaded from a storage unit 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data required for the operation of the device 500 can also be stored. The computing unit 501, ROM 502, and RAM 503 are connected to each other by a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
Various components in the device 500 are connected to the I/O interface 505, including: an input unit 506 such as a keyboard, a mouse, etc.; an output unit 507 such as various types of displays, speakers, and the like; a storage unit 508 such as a magnetic disk, an optical disk, or the like; and a communication unit 509 such as a network card, modem, wireless communication transceiver, etc. The communication unit 509 allows the device 500 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 501 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 501 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 501 performs the respective methods and processes described above, such as the challenge sample generation method or the challenge detection method. For example, in some embodiments, the challenge sample generation method or the challenge detection method may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 508. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 500 via the ROM 502 and/or the communication unit 509. When the computer program is loaded into the RAM 503 and executed by the computing unit 501, one or more steps of the challenge sample generation method or the challenge detection method described above may be performed. Alternatively, in other embodiments, the computing unit 501 may be configured to perform the challenge sample generation method or the challenge detection method by any other suitable means (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that can be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor that can receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (17)

1. A challenge sample generation method, comprising:
acquiring an initialization patch, wherein the initialization patch is a patch for processing a target image;
identifying a pixel mean value of the pixel points included in the initialization patch;
correcting the initialization patch according to the pixel mean value to obtain a countermeasure patch;
and synthesizing the challenge patch and the target image to obtain a challenge sample.
2. The method of claim 1, wherein said correcting the initialization patch according to the pixel mean value to obtain a countermeasure patch comprises:
identifying a first area and a second area included in the initialization patch, wherein the second area is an area except the first area in the initialization patch;
and replacing the pixel value of the pixel point in the first area with a preset pixel value, and replacing the pixel value of the pixel point in the second area with the pixel mean value to obtain the countermeasure patch, wherein the preset pixel value is different from the pixel mean value.
3. The method of claim 2, wherein the identifying the first and second regions included in the initialization patch comprises:
randomly determining a first area included in the initialization patch;
and determining the second area according to the first area.
4. The method of claim 1, wherein said correcting the initialization patch according to the pixel mean value to obtain a countermeasure patch comprises:
predicting the probability of correcting the initialization patch;
and correcting the initialization patch according to the pixel mean value under the condition that the probability of correcting the initialization patch is larger than a preset probability, so as to obtain a countermeasure patch.
5. The method of claim 1, wherein the acquiring an initialization patch comprises:
acquiring a first patch;
initializing the first patch to obtain a second patch;
adjusting target parameters of a first target area of the second patch to obtain the initialization patch;
wherein the target parameter is a display parameter, and the display parameter includes at least one of the following parameters: display size, scale parameters, brightness, contrast, noise, position, angle.
6. The method of claim 5, wherein said adjusting the target parameters of the first target area of the second patch to obtain the initialization patch comprises:
adjusting target parameters of a first target area of the second patch to obtain a third patch;
carrying out affine transformation on the second target area of the third patch to obtain the initialization patch, wherein the affine transformation comprises at least one of the following steps: scaling, rotation, translation.
7. A method of attack resistance detection, comprising:
inputting a challenge sample into a model to be detected for sample recognition, and outputting a recognition result, wherein the recognition result is used for representing image classification of the challenge sample, and the model to be detected is a detection model for classifying images;
determining an anti-attack result of the model to be detected on the challenge sample according to the identification result and preset classification information of a target image acquired in advance;
wherein the challenge sample is a sample generated according to the method of any one of claims 1 to 6.
8. A challenge sample generating device, comprising:
the acquisition module is used for acquiring an initialization patch, wherein the initialization patch is a patch for processing a target image;
the identification module is used for identifying the pixel mean value of the pixel points included in the initialization patch;
the correction module is used for correcting the initialization patch according to the pixel mean value to obtain a countermeasure patch;
and the synthesis module is used for synthesizing the countermeasure patch with the target image to obtain a countermeasure sample.
9. The apparatus of claim 8, wherein the correction module comprises:
the identification sub-module is used for identifying a first area and a second area included in the initialization patch, wherein the second area is an area except the first area in the initialization patch;
and the replacing sub-module is used for replacing the pixel value of the pixel point in the first area with a preset pixel value, and replacing the pixel value of the pixel point in the second area with the pixel mean value to obtain the countermeasure patch, wherein the preset pixel value is different from the pixel mean value.
10. The apparatus of claim 9, wherein the identification sub-module comprises:
a first determining unit, configured to randomly determine a first area included in the initialization patch;
and the second determining unit is used for determining the second area according to the first area.
11. The apparatus of claim 8, wherein the correction module comprises:
the prediction sub-module is used for predicting the probability of correcting the initialization patch;
and the correction sub-module is used for correcting the initialization patch according to the pixel mean value to obtain a countermeasure patch when the probability of correcting the initialization patch is larger than a preset probability.
12. The apparatus of claim 8, wherein the acquisition module comprises:
an acquisition sub-module for acquiring a first patch;
the initialization processing sub-module is used for initializing the first patch to obtain a second patch;
the adjusting sub-module is used for adjusting the target parameters of the first target area of the second patch to obtain the initialization patch;
wherein the target parameter is a display parameter, and the display parameter includes at least one of the following parameters: display size, scale parameters, brightness, contrast, noise, position, angle.
13. The apparatus of claim 12, wherein the adjustment sub-module comprises:
the adjusting unit is used for adjusting the target parameters of the first target area of the second patch to obtain a third patch;
an affine transformation unit, configured to perform affine transformation on the second target area of the third patch to obtain the initialization patch, where the affine transformation includes at least one of the following: scaling, rotation, translation.
14. An attack-resistant detection device comprising:
the sample recognition module is used for inputting the countermeasure sample into a model to be detected for sample recognition and outputting a recognition result, wherein the recognition result is used for representing image classification of the countermeasure sample, and the model to be detected is a detection model for classifying images;
the determining module is used for determining an anti-attack result of the model to be detected on the challenge sample according to the identification result and preset classification information of the target image acquired in advance;
wherein the challenge sample is a sample generated by the apparatus according to any one of claims 8 to 13.
15. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
16. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1-7.
17. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any of claims 1-7.
CN202310271058.9A 2023-03-16 2023-03-16 Anti-sample generation method, anti-attack detection device and electronic equipment Pending CN116167912A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310271058.9A CN116167912A (en) 2023-03-16 2023-03-16 Anti-sample generation method, anti-attack detection device and electronic equipment

Publications (1)

Publication Number Publication Date
CN116167912A true CN116167912A (en) 2023-05-26

Family

ID=86411477

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117253094A (en) * 2023-10-30 2023-12-19 上海计算机软件技术开发中心 Method, system and electronic equipment for generating contrast sample by image classification system
CN117253094B (en) * 2023-10-30 2024-05-14 上海计算机软件技术开发中心 Method, system and electronic equipment for generating contrast sample by image classification system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination