CN-115830218-B - Self-adaptive parameter anti-attack method for three-dimensional face reconstruction system

Abstract

The invention discloses a self-adaptive parameter attack countermeasure method for a three-dimensional face reconstruction system, which comprises the steps of initializing parameter weights according to output parameter types of a three-dimensional face reconstruction network, wherein the output parameter types comprise shape parameters, expression parameters, position parameters, material parameters, illumination parameters and camera parameters, inputting an attack countermeasure sample according to the parameter weights to attack a three-dimensional face reconstruction model, continuously updating the parameter weights by using the self-adaptive method, continuously updating the attack countermeasure sample by using a gradient descent method, and optimizing the attack countermeasure sample by semantic constraint until reaching preset conditions, thereby completing the attack task on a target image. The invention has high generalization capability and good attack effect on different three-dimensional face reconstruction systems, and can be widely applied to the technical field of computers.

Inventors

• LIU NING
• LIAO YONGXIAN
• HUANG LIFENG

Assignees

• 中山大学

Dates

Publication Date

20260508

Application Date

20220920

Claims (9)

1. 1. The self-adaptive parameter attack resisting method for three-dimensional face reconstruction system is characterized by comprising the following steps: initializing parameter weights according to output parameter types of the three-dimensional face reconstruction network, wherein the output parameter types comprise shape parameters, expression parameters, position parameters, material parameters, illumination parameters and camera parameters; inputting an antagonistic sample to attack the three-dimensional face reconstruction model according to the parameter weight; Continuously updating the parameter weights by using an adaptive method; Continuously updating the countermeasure sample by using a gradient descent method, and optimizing the countermeasure sample by semantic constraint until reaching a preset condition, so as to finish the attack task on the target image; The optimizing the challenge sample by semantic constraints includes: projecting the countermeasure sample into a small-range infinite norm space of a natural image, and restricting to generate a numerical range of the countermeasure sample; Wherein the constraint is expressed as: Wherein project is a Projection function; Representing a clean image; Is the maximum disturbance range; is a constrained challenge sample.
2. 2. The method for resisting attack by adaptive parameters of a three-dimensional face reconstruction system according to claim 1, wherein the inputting the challenge sample attacks the three-dimensional face reconstruction model according to the parameter weight comprises: Generating a random noise matrix based on uniform random distribution, and initializing the countermeasure sample; And optimizing the countermeasure sample based on the weight calculation parameter loss of the parameter according to the output parameter of the countermeasure sample and the output parameter of the clean image, and misleading the output result of the three-dimensional face reconstruction network.
3. 3. The method for resisting attack by using adaptive parameters of a three-dimensional face reconstruction system according to claim 1, wherein the step of continuously updating the parameter weights by using the adaptive method comprises the steps of: Based on the self-adaptive optimization iteration driven by the parameter loss, the optimal parameter weight is searched each time, so that the distance between the countermeasure sample and the clean image is larger and larger, and the similarity between the output parameters of the countermeasure sample and the clean image is reduced.
4. 4. The method for resisting attack by using adaptive parameters of a three-dimensional face reconstruction system according to claim 1, wherein the step of continuously updating the parameter weights by using the adaptive method comprises the steps of: adaptively updating the parameter weight through boundary loss and extremum loss; Wherein, the expression of the boundary loss is: the extremum loss is expressed as: Wherein, the Representing boundary loss; representing the output of the three-dimensional face reconstruction system; Representing a clean image; representing the maximum disturbance range; Representing extremum loss; representing a challenge sample; an output representing the current worst challenge sample; representing the output of the currently optimal challenge sample.
5. 5. The method for resisting attack by adaptive parameters of three-dimensional face reconstruction system according to claim 1, wherein in the step of continuously updating the challenge sample by using a gradient descent method, an update formula of the challenge sample is as follows: Wherein, the Representing a challenge sample; representing the maximum disturbance range; Representing the maximum number of iterations; Representing a symbol taking operation; Representative pair challenge sample Obtaining a gradient; representing a loss function.
6. 6. An apparatus for implementing the adaptive parameter challenge-tolerance method for a three-dimensional face reconstruction system according to any one of claims 1-5, comprising: The system comprises a first module, a second module and a third module, wherein the first module is used for initializing parameter weights according to the output parameter types of the three-dimensional face reconstruction network, and the output parameter types comprise shape parameters, expression parameters, position parameters, material parameters, illumination parameters and camera parameters; the second module is used for inputting an anti-sample to attack the three-dimensional face reconstruction model according to the parameter weight; a third module, configured to continuously update the parameter weights using an adaptive method; And a fourth module, configured to continuously update the challenge sample by using a gradient descent method, and optimize the challenge sample through semantic constraint until a preset condition is reached, so as to complete an attack task on the target image.
7. 7. An electronic device comprising a processor and a memory; the memory is used for storing programs; The processor executing the program implements the method of any one of claims 1 to 5.
8. 8. A computer-readable storage medium, characterized in that the storage medium stores a program that is executed by a processor to implement the method of any one of claims 1 to 5.
9. 9. A computer program product comprising a computer program which, when executed by a processor, implements the method of any one of claims 1 to 5.

Description

Self-adaptive parameter anti-attack method for three-dimensional face reconstruction system Technical Field The invention relates to the technical field of computers, in particular to a self-adaptive parameter attack resistance method for a three-dimensional face reconstruction system. Background Deep neural networks exhibit powerful capabilities in handling various computer vision tasks, such as image classification, face recognition, and three-dimensional reconstruction. In recent years, however, deep neural networks have proven to be susceptible to well-designed perturbation images. The attacker adds some imperceptible noise to the clean data and forces the deep learning model to output erroneous results. Therefore, the existence of the countermeasure sample and the generation of the novel countermeasure sample are deeply studied, the safety and the reliability of the artificial intelligence are improved, and the method is very important for wider application and popularization of the artificial intelligence technology. Research on challenge samples in the 2D field is becoming more and more abundant at present. However, there is relatively little research associated with 3D scenes. Recent challenge-against studies in the 3D field have focused mainly on classification of 3D point clouds or 3D meshes, lacking in related studies in terms of 3D face reconstruction tasks. The 3D face reconstruction is widely applied to the fields of animation production, game production, 3D face recognition and the like, and if the 3D face reconstruction model lacks the capability of defending against attacks, serious safety problems can be caused. Disclosure of Invention In view of this, the embodiment of the invention provides a self-adaptive parameter attack resistance method with high generalization capability for a three-dimensional face reconstruction system, so as to improve the robustness of a 3D face reconstruction model. An aspect of the embodiment of the invention provides a self-adaptive parameter attack resistance method for a three-dimensional face reconstruction system, which comprises the following steps: initializing parameter weights according to output parameter types of the three-dimensional face reconstruction network, wherein the output parameter types comprise shape parameters, expression parameters, position parameters, material parameters, illumination parameters and camera parameters; inputting an antagonistic sample to attack the three-dimensional face reconstruction model according to the parameter weight; Continuously updating the parameter weights by using an adaptive method; And continuously updating the countermeasure sample by using a gradient descent method, and optimizing the countermeasure sample by semantic constraint until reaching a preset condition, thereby completing the attack task on the target image. Optionally, the attack on the three-dimensional face reconstruction model by the challenge sample is input according to the parameter weight, including: Generating a random noise matrix based on uniform random distribution, and initializing the countermeasure sample; And optimizing the countermeasure sample based on the weight calculation parameter loss of the parameter according to the output parameter of the countermeasure sample and the output parameter of the clean image, and misleading the output result of the three-dimensional face reconstruction network. Optionally, the updating the parameter weights continuously by using an adaptive method includes: Based on the self-adaptive optimization iteration driven by the parameter loss, the optimal parameter weight is searched each time, so that the distance between the countermeasure sample and the clean image is larger and larger, and the similarity between the output parameters of the countermeasure sample and the clean image is reduced. Optionally, the updating the parameter weights continuously by using an adaptive method includes: adaptively updating the parameter weight through boundary loss and extremum loss; Wherein, the expression of the boundary loss is: Ebd＝f(x0+∈)-f(x0-∈) the extremum loss is expressed as: Wherein E bd represents boundary loss, f () represents the output of the three-dimensional face reconstruction system, x 0 represents a clean image, E represents a maximum disturbance range, E wb represents extremum loss; Representing the challenge sample, f w () representing the current worst challenge sample output, and f b () representing the current best challenge sample output. Optionally, in the step of continuously updating the challenge sample by using a gradient descent method, the updating formula of the challenge sample is: Wherein, the E represents the maximum disturbance range, T represents the maximum iteration number, sign represents the symbol taking operation; Representative pair challenge sample Gradient is calculated, L represents the loss function. Optionally, the optimizing the challenge sample by se