
CN-115830369-B - Method and system for generating countermeasure sample based on deep neural network


Abstract

The invention belongs to the technical field of computer vision processing, and in particular relates to a method and a system for generating an adversarial sample (rendered "countermeasure sample" in the title) based on a deep neural network. An original image in the sample data is converted into a saliency map; the saliency map is used to define the salient region of the original image to which the perturbation is added, and a salient mask is obtained by binarizing the pixel values of the saliency map. The original image is input into an image classification model, and a globally perturbed adversarial sample is generated iteratively using the Nadam optimization algorithm and the gradient information from the back-propagation pass of the convolutional neural network. The original image is subtracted from this adversarial sample to obtain the global adversarial noise; the Hadamard product of the global adversarial noise and the salient mask gives the adversarial noise within the salient region; and combining that noise with the original image yields the finally output salient-region adversarial sample. The method and system improve the quality of the generated samples and are convenient for testing and improving the safety and robustness of image classification models.

Inventors

  • ZHANG HENGWEI
  • TAN JINGLEI
  • LIU XIAOHU
  • ZHANG YUCHEN
  • LI ZHEMING
  • ZHANG XIAONING
  • MI YAN
  • SUN PENGYU
  • LI CHENWEI
  • YANG BO
  • ZHANG CHANG
  • WANG JINDONG

Assignees

  • 中国人民解放军战略支援部队信息工程大学 (PLA Strategic Support Force Information Engineering University)

Dates

Publication Date
20260512
Application Date
20221124

Claims (7)

  1. A method for generating an adversarial (countermeasure) sample based on a deep neural network, characterized by comprising the following steps: converting an original image in the sample data into a saliency map according to the image semantic information in the sample data, using the saliency map to define the salient region of the original image to which the perturbation is added, and obtaining a salient mask by binarizing the pixel values of the saliency map; inputting the original image in the sample data into an image classification model and iteratively generating a globally perturbed adversarial sample using the Nadam optimization algorithm and the gradient information from the back-propagation pass of the convolutional neural network; obtaining the adversarial noise within the salient region as the Hadamard product of the global adversarial noise (the difference between the adversarial sample and the original image) and the salient mask, and combining that noise with the original image to obtain the finally output salient-region adversarial sample; wherein the original image in the sample data is converted into a saliency map by a trained variability (deformable) convolution and feature attention (DCFA) network model, which converts the original image into a gray-scale map with pixel values between 0 and 255 that serves as the saliency map, the DCFA network model obtaining the boundary of the saliency map by extracting non-uniform context features from the low-level details and high-level semantics of the original image and assigning feature-adaptive weights in the spatial domain and the channel domain; wherein, in the iterative generation of the globally perturbed adversarial sample, the gradient of the loss function is computed in the back-propagation pass of the convolutional neural network, a misclassified label is obtained by gradually increasing the loss function value of the image classification process, and the update process of the loss function is integrated in a momentum-accumulation manner so as to stabilize the update direction of the loss function; and wherein, in the update process of the loss function, a Nesterov algorithm for optimizing the update path and an RMSprop algorithm for optimizing the learning rate are introduced to form the Nadam algorithm, which accumulates historical gradient data and estimated gradient data so as to optimize the update path and the learning rate of the loss function at the same time.
  2. The method for generating an adversarial sample based on a deep neural network according to claim 1, wherein the binarization of the saliency-map pixel values is expressed as: where S_{i,j} is the (i, j)-th pixel value of the saliency map S, phi is the corresponding pixel threshold, and M_{i,j} is the (i, j)-th pixel value of the binarized salient mask M.
  3. The method for generating an adversarial sample based on a deep neural network according to claim 1, wherein in the Nesterov algorithm the estimated gradient change along the progression of the loss function is assisted by a gradient look-ahead step in the generation of the adversarial sample, and that estimated gradient change is counted in the gradient accumulation.
  4. The method for generating an adversarial sample based on a deep neural network according to claim 1 or 2, wherein RMSprop is an algorithm that dynamically adjusts the learning rate during the forward progression of the loss function, using the gradient magnitude, in the generation of the adversarial sample, and avoids repeated oscillation near the final extremum by adjusting the dynamic step size in the update process of the loss function.
  5. An adversarial sample generation system based on a deep neural network, characterized by comprising a sample data processing module, a first sample generation module and a second sample generation module, wherein: the sample data processing module is used for converting an original image in the sample data into a saliency map according to the image semantic information in the sample data, the saliency map being binarized to obtain a salient mask; the first sample generation module is used for inputting the original image in the sample data into an image classification model and iteratively generating a globally perturbed adversarial sample using the Nadam optimization algorithm and the gradient information from the back-propagation pass of the convolutional neural network; the second sample generation module is used for subtracting the original image from the adversarial sample to obtain the global adversarial noise, obtaining the adversarial noise within the salient region as the Hadamard product of the global adversarial noise and the salient mask, and combining that noise with the original image to obtain the finally output salient-region adversarial sample; wherein the original image in the sample data is converted into a saliency map by a trained variability (deformable) convolution and feature attention (DCFA) network model, which converts the original image into a gray-scale map with pixel values between 0 and 255 that serves as the saliency map, the DCFA network model obtaining the boundary of the saliency map by extracting non-uniform context features from the low-level details and high-level semantics of the original image and assigning feature-adaptive weights in the spatial domain and the channel domain; wherein, in the iterative generation of the globally perturbed adversarial sample, the gradient of the loss function is computed in the back-propagation pass of the convolutional neural network, a misclassified label is obtained by gradually increasing the loss function value of the image classification process, and the update process of the loss function is integrated in a momentum-accumulation manner so as to stabilize the update direction of the loss function; and wherein, in the update process of the loss function, a Nesterov algorithm for optimizing the update path and an RMSprop algorithm for optimizing the learning rate are introduced to form the Nadam algorithm, which accumulates historical gradient data and estimated gradient data so as to optimize the update path and the learning rate of the loss function at the same time.
  6. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus; the memory is used for storing a computer program; and the processor is used for executing the program stored in the memory and, when the program is executed, implementing the method steps of any one of claims 1 to 4.
  7. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored therein a computer program which, when executed by a processor, implements the method steps of any one of claims 1 to 4.
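The masking stage that claims 1, 2 and 5 describe (binarize the saliency map, keep the global noise only inside the mask via the Hadamard product, add it back and clip) as an added example; this is not the patent's own code. Pixel arrays are constructed 4x4 gray-scale images, the globally perturbed sample is a stand-in for what the Nadam iteration would produce, and the comparison direction "M = 1 where S >= phi" is an assumption, since the page names the threshold phi but not the comparison.

```python
# Added example, not the patent's code: the mask-and-combine stage of claims
# 1, 2 and 5 in pure Python (no numpy needed). The comparison direction
# "M = 1 where S >= phi" is an assumption; the page names phi but not the
# comparison. All inputs below are constructed 4x4 gray-scale images.

def clip_pixel(v, lo=0, hi=255):
    """Keep a pixel inside the valid 0..255 gray-scale range."""
    return min(hi, max(lo, v))

def binarize_saliency(saliency, phi):
    """Claim 2: M[i][j] = 1 where S[i][j] >= phi, else 0 (assumed direction)."""
    return [[1 if s >= phi else 0 for s in row] for row in saliency]

def salient_region_sample(original, global_adv, mask):
    """Global noise = global_adv - original; keep it only where mask is 1
    (Hadamard product), add it back to the original, clip to 0..255."""
    return [[clip_pixel(x + (a - x) * m) for x, a, m in zip(xr, ar, mr)]
            for xr, ar, mr in zip(original, global_adv, mask)]

def perturbed_fraction(original, sample):
    """Share of pixels that changed: the perturbation area the method shrinks."""
    pixels = [(x, s) for xr, sr in zip(original, sample) for x, s in zip(xr, sr)]
    return sum(1 for x, s in pixels if x != s) / len(pixels)

# Constructed inputs: saliency map, original image and a global perturbation.
SALIENCY = [[30, 40, 50, 60], [70, 200, 220, 80], [90, 180, 240, 100], [20, 10, 60, 50]]
ORIGINAL = [[10, 20, 30, 40], [50, 60, 250, 80], [90, 100, 110, 120], [130, 140, 150, 160]]
NOISE = [[8, -8, 8, -8], [-8, 8, 8, -8], [8, -8, 8, -8], [-8, 8, -8, 8]]
# Stand-in for the globally perturbed sample the Nadam iteration would produce.
GLOBAL_ADV = [[clip_pixel(x + n) for x, n in zip(xr, nr)] for xr, nr in zip(ORIGINAL, NOISE)]
MASK = binarize_saliency(SALIENCY, phi=128)
SALIENT_ADV = salient_region_sample(ORIGINAL, GLOBAL_ADV, MASK)

if __name__ == "__main__":
    print("mask rows:", MASK)
    print("perturbed area: global %.2f, salient-only %.2f"
          % (perturbed_fraction(ORIGINAL, GLOBAL_ADV), perturbed_fraction(ORIGINAL, SALIENT_ADV)))
```

The pixel at (1, 2) starts at 250, so its +8 perturbation is clipped to 255 in both the global and the salient-only sample; only the four masked pixels differ from the original in the salient-only output.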

Description

Method and system for generating countermeasure sample based on deep neural network

Technical Field

The invention belongs to the technical field of computer vision processing, and in particular relates to a method and a system for generating an adversarial (countermeasure) sample based on a deep neural network.

Background

In the image classification task, image classification models based on convolutional neural networks have reached or even exceeded the capability of the human eye. However, research has shown that a convolutional neural network will misclassify with high probability when certain perturbations are added to the original image, and these perturbations are noticeable neither to the human eye nor to the machine. The existence of adversarial samples poses a serious challenge to the safety of deep neural networks and seriously hinders the practical deployment and application of models. At the same time, adversarial samples serve as a technical detection means and provide a good tool for testing and improving the safety and robustness of image classification models. The attack performance of an adversarial sample is characterized firstly by its ability to deceive a well-performing image classification model into a wrong classification, and secondly by its ability to deceive the human eye, that is, the human eye cannot effectively distinguish the adversarial sample from the original image. Adversarial attacks are classified into white-box and black-box attacks according to how much the attacker knows about the model. White-box attacks require the attacker to know the structure and parameters of the model, but because a protection mechanism is usually in place when a model is actually deployed, the attacker often has difficulty obtaining the model's internal information.

Therefore, black-box attacks such as FGSM (Fast Gradient Sign Method) exploit the transferability of adversarial samples, and MI-FGSM (Momentum Iterative Fast Gradient Sign Method) introduces a momentum term into the generation of the adversarial sample to stabilize the update direction of the loss function during back-propagation, so as to raise the black-box success rate of the adversarial sample. However, in these methods the adversarial noise is added to the original image as a global perturbation, so the generated adversarial sample differs visibly from the original image and is easily perceived by the human eye because of its excessive adversarial texture features. As research on adversarial samples deepens, merely improving the success rate of adversarial samples no longer meets the requirements of adversarial testing, and the reduced concealment of the attack caused by an oversized adversarial perturbation must be considered.

Disclosure of Invention

Therefore, the invention provides a method and a system for generating an adversarial sample based on a deep neural network which, by taking the concealment of the adversarial attack into account, reduce the area to which the adversarial perturbation is added while keeping the high black-box success rate of the adversarial sample, reduce the likelihood that the adversarial sample is detected, improve the quality of the generated sample, and are convenient for testing and improving the safety and robustness of image classification models.

According to the design scheme provided by the invention, the adversarial sample generation method based on a deep neural network comprises the following steps: converting an original image in the sample data into a saliency map according to the image semantic information in the sample data, using the saliency map to define the salient region of the original image to which the perturbation is added, and obtaining a salient mask by binarizing the pixel values of the saliency map; inputting the original image in the sample data into an image classification model and iteratively generating a globally perturbed adversarial sample using the Nadam optimization algorithm and the gradient information from the back-propagation pass of the convolutional neural network; subtracting the original image from the adversarial sample to obtain the global adversarial noise, obtaining the adversarial noise within the salient region as the Hadamard product of the global adversarial noise and the salient mask, and combining that noise with the original image to obtain the finally output salient-region adversarial sample. As the adversarial sample generation method based on a deep neural network of the invention, further, converting an original image in sample data into a s