CN-116310722-B - Image attack method for countering target detection

Abstract

The invention discloses an image attack method for resisting target detection, which comprises the steps of setting a preset target V of the attack, extracting a neural network structure and weight data of the target detector of the attack and establishing a target detection data set, the Step3 of distinguishing the type condition of an object of interest according to positioning information of detection output of the target detector by the target detection data set, the Step4 of judging a detection frame type D in a detection result of the target detector to be attacked according to the type of the object of interest, the Step5 of calculating a difference vector M, the Step6 of calculating a preset optimization function L (M) according to the difference vector M, the Step7 of updating a tensor P by utilizing the calculation result of the preset optimization function L (M), the Step8 of judging whether the attack method is ended, and entering the Step9 when the vector M is a 0 vector, otherwise returning to the Step4, and the Step9 of outputting a judgment result of the target detector to be attacked.

Inventors

• SHI ZAIFENG
• DING CHENG
• LUO TAO
• WANG RUOQI
• XU JIANGTAO

Assignees

• 天津大学

Dates

Publication Date

20260505

Application Date

20230311

Claims (3)

1. 1. An image attack method for countering target detection, comprising the steps of: step1, setting a preset target V of attack; Step2, extracting the neural network structure and weight data of the target detector for attack and establishing a target detection data set, wherein the target detection data set comprises an image and a corresponding target detection label, and the target detection label comprises a first detection frame, the confidence level of the object of interest in the image, the position and the size of the object of interest and the class information of the object of interest; step3, distinguishing the category condition of the object of interest according to the positioning information which is detected and output by the target detector through the target detection data set, wherein: judging whether the confidence coefficient captures the object of interest or not by setting a first scalar a, wherein the confidence coefficient is larger than the scalar a, and the object of interest is captured, otherwise, the object of interest is not captured; Judging the positioning condition of the confidence coefficient on the object of interest by setting second scalar quantities b1 and b2, wherein b1 is more than or equal to 0 and less than or equal to 1 and b2 is more than or equal to 1; Calculating the intersection ratio of the object area marked by the first detection frame and the area marked in the real image tag to obtain a target detection tag category, wherein the intersection ratio U is the ratio of the intersection and the union of the two areas, and is over-deviation in positioning when U < b1 is more than or equal to 0, slight deviation in positioning when U < b2 is more than or equal to b1, and accurate in positioning when U is more than or equal to b2 and less than or equal to 1; step4, judging a detection frame type D in a detection result of the target detector to be attacked according to the type of the object of interest, wherein: adding the created tensor P to the target detection dataset image and truncating the data to within [0,1 ]; inputting the added image result of the target detection data set into a target detector to be attacked to obtain a vector W of a detection frame in the target detection data set; Step5, calculating a difference vector M, wherein the difference vector M= (M 1 , m 2 , m 3 , m 4 , m 5 , m 6 , m 7 ) is the result of logical exclusive-or operation of a preset target V and a vector W of a detection frame; step6, calculating a preset optimization function according to the difference vector M ; Step7, utilizing a preset optimization function Updating the tensor P according to the calculation result of the tensor P; step8, judging whether the attack method is terminated, entering Step9 when the vector M is a 0 vector, otherwise returning to Step4; Step9, outputting a judgment result of the target detector to be attacked.
2. 2. The method for image attack against object detection according to claim 1, wherein the Step6 constructs an optimization function process: constructing a difference value by combining the confidence loss function L 1 , the cross-ratio loss function L 2 and the classification loss function L 3 , wherein: The confidence loss function L 1 (D) is used for calculating the accumulation of cross entropy results of confidence and 1 for all detection frames with the type D of the detection frames, the cross-over loss L 2 (D) is used for calculating the accumulation of results of subtracting the cross-over from 1 for all detection frames with the type D of the detection frames, the classification loss function L 3 (D) is used for calculating the accumulation of cross entropy results of class vectors and label classes of the detection frames for all detection frames with the type D of the detection frames, wherein: when the preset target V is set to (0, 1, 0, 0, 0, 0, 0), the first optimization function is: When the preset target V is set to (0, 0, 1, 0, 0, 0, 0), the second optimization function is: 。
3. 3. the image attack method for countering object detection according to claim 1, wherein the step 7 uses a preset optimization function The tensor P is updated according to the calculation result of the (a): After calculation of the optimization function, the optimization function is minimized with back propagation and the value of the tensor P is updated, Attack step c=0.004, step coefficients for use in updating the value of tensor P; the disturbance intensity limit d=0.039 is used to limit the modification range of the element in the tensor P to be within [ -0.039, 0.039], and if the element exceeds the range, the value is set as the boundary of the interval.

Description

Image attack method for countering target detection Technical field: the invention belongs to the field of security of anti-attack and artificial intelligence systems, and particularly relates to an attack method for anti-target detection. The background technology is as follows: With the rapid development of deep learning in recent years, many advanced deep neural networks are successively developed, and remarkable breakthroughs and achievements are achieved. Object detection is a fundamental task in computer vision, whose purpose is to generate a detection frame to capture objects of interest in an image, to annotate their position and size with the boundaries of the detection frame, and to classify objects within an area. The finally obtained interpretation of the image content is referred to as detection result. The target detector based on the deep neural network can excellently complete the target detection task, so that the target detector is widely applied to the actual tasks such as automatic driving, face recognition, industrial defect detection, focus detection, remote sensing image recognition and the like. Commonly used target detectors are divided into one-segment and two-segment, representing target detectors YOLOv, YOLOv, and Fast R-CNN, respectively. In the field of computer vision, after adding carefully made tiny noise to an input image, the added new image can deceive the deep neural network to output an erroneous result, and the human eyes have difficulty in distinguishing images before and after noise addition, so that a method for disturbing the identification process is called image attack, and compared with classical attack methods, such as FGSM, C & W, deepfool and the like. These attack methods can reveal the security problems of the target detector based on the deep neural network and evaluate the robustness thereof. The images employed by the attack method are typically derived from a public dataset that contains the images and corresponding tags. The basic flow of the attack method is that the structure and weight information of the deep neural network are obtained, noise variables are added into the image, and then an optimization function is constructed and minimized to change the noise variables. Attack methods can be classified into two categories according to the methods used in minimizing the optimization function. The iterative method comprises the steps of calculating the minimum optimizing function through multiple iterations, and the single-step method comprises the step of calculating the minimum optimizing function through only one iteration. The iterative method has better interference effect than the single-step method, but the single-step method has faster calculation speed. The invention comprises the following steps: Aiming at the problems existing in the prior art, the invention designs an image attack method for resisting target detection, which is used for interfering the target detector to identify the object of interest and misleading the detection result in directivity according to the preset target specification. The invention can disturb the identification function of the target detector and has important research value and significance in the field of artificial intelligence system safety along with the effect of disturbing the target identification intention. In order to solve the problems existing in the prior art, the invention adopts the following technical scheme: An image attack method for countering target detection, comprising the steps of: step1, setting a preset target V of attack; Step2, extracting the neural network structure and weight data of the target detector for attack and establishing a target detection data set, wherein the target detection data set comprises an image and a corresponding target detection label, and the target detection label comprises a first detection frame, the confidence level of the object of interest in the image, the position and the size of the object of interest and the class information of the object of interest; step3, distinguishing the category condition of the object of interest according to the positioning information which is detected and output by the target detector through the target detection data set, wherein: judging whether the confidence coefficient captures the object of interest or not by setting a first scalar a, wherein the confidence coefficient is larger than the scalar a, and the object of interest is captured, otherwise, the object of interest is not captured; Judging the positioning condition of the confidence coefficient on the object of interest by setting second scalar quantities b1 and b2, wherein b1 is more than or equal to 0 and less than or equal to 1 and b2 is more than or equal to 1; Calculating the intersection ratio of the object area marked by the first detection frame and the area marked in the real image tag to obtain a target detection tag category, wherein the intersec