CN-116664922-B - Intelligent adversarial attack sample generation method and system based on scaling transformation
Abstract
The invention relates to the technical field of image processing, in particular to an intelligent adversarial attack sample generation method and system based on scaling transformation. Original image data and its corresponding prior label are acquired, and perturbation is added to the original image data based on an iterative optimization method to generate and output an adversarial sample. In each iteration, the image data of the adversarial sample generated in the previous iteration is subjected to scaling expansion processing multiple times; the image data after scaling expansion processing is input into a network model and the target loss function gradient is calculated using a gradient optimization method; the perturbation in the current iteration is obtained according to the target loss function gradient and is added to the adversarial sample generated in the previous iteration to generate the adversarial sample of the current iteration. The invention can effectively expand the training set, reduce overfitting in the process of generating adversarial samples, improve the transferability of adversarial samples and the success rate of black-box attacks, improve the quality of the generated adversarial samples, and facilitate application in scenarios such as image classification, target detection and face recognition.
Inventors
- ZHANG HENGWEI
- DONG SHUQIN
- LI CHENWEI
- ZHANG XIAONING
- YANG BO
- WANG JINDONG
- LIU XIAOHU
- TAN JINGLEI
- ZHANG YUCHEN
- WANG YONGWEI
Assignees
- 中国人民解放军战略支援部队信息工程大学
Dates
- Publication Date: 20260512
- Application Date: 20230519
Claims (7)
- 1. An intelligent adversarial sample generation method based on scaling transformation, characterized by comprising the following steps: acquiring original image data and its corresponding prior label; adding perturbation to the original image data based on an iterative optimization method to generate and output an adversarial sample, wherein in each iteration the image data of the adversarial sample generated in the previous iteration is subjected to scaling expansion processing multiple times, the image data after scaling expansion processing is input into a network model and a gradient optimization method is used to calculate a target loss function gradient, the perturbation in the current iteration is obtained according to the target loss function gradient, and the perturbation is added to the adversarial sample generated in the previous iteration to generate the adversarial sample of the current iteration; wherein a cross-entropy function is first set as the target loss function, the network model is then used to obtain the target loss function gradient corresponding to the image data after each scaling expansion processing, a weighted loss function gradient is then obtained by adding the target loss function gradients corresponding to the image data after each scaling expansion processing according to weight, and a loss function gradient accumulation is obtained according to the weighted loss function gradient and a preset gradient attenuation factor, wherein the calculation process of the loss function gradient accumulation is expressed as follows: μ is an attenuation factor; obtaining the weighted loss function gradient by adding the target loss function gradients corresponding to the image data after each scaling expansion processing according to weight comprises the following steps: first, setting a gradient calculation formula according to the preset loss function gradient weights, the network model parameters, the adversarial sample generated by the previous iteration, the image data prior label and the number of image scaling expansion processing operations in the current iteration round, wherein the gradient calculation formula is expressed as M is the number of image scaling expansion processing operations, w_i is the loss function gradient weight corresponding to the i-th scaling expansion processing, the i-th scaling expansion processing of the adversarial sample generated in the previous iteration n ), θ is a network model parameter, the target loss function gradient corresponding to the i-th scaling expansion processing; then, the gradient calculation formula is used to obtain the weighted loss function gradient in the current iteration.
- 2. The intelligent adversarial sample generation method based on scaling transformation according to claim 1, wherein performing scaling expansion processing on the original image data multiple times in each iteration comprises: first, setting the number of image expansion processing operations in the current iteration by using a probability model; then, performing the corresponding number of scaling processing operations on the adversarial sample image data generated in the previous iteration according to the number set for the current iteration.
- 3. The intelligent adversarial sample generation method based on scaling transformation according to claim 2, wherein performing scaling expansion processing multiple times in each iteration on the adversarial sample image data generated in the previous iteration further comprises padding the periphery of the scaled image with a preset probability, so that the padded image is restored to the original image pixel size, wherein the size of the peripheral padding is set randomly.
- 4. The intelligent adversarial sample generation method based on scaling transformation according to claim 1, wherein inputting the image data after scaling expansion processing into a network model and calculating the target loss function gradient using a gradient optimization method further comprises: setting the network model as an ensemble model composed of K different network models, inputting the image data into the ensemble model, obtaining the logit of the ensemble model as the weighted sum of the logits of the K different network models, and obtaining from the ensemble logit the target loss function used for calculating the target loss function gradient, wherein the logit of a network model is the input value of that network model's softmax layer.
- 5. The intelligent adversarial sample generation method based on scaling transformation according to claim 4, wherein the calculation formula of the ensemble model logit is expressed as: where x is the input image data, w_k is the logit weight of the k-th network model, l_k(x, θ_k) is the logit of the k-th model, and θ_k is the k-th network model parameter.
- 6. An intelligent adversarial attack sample generation system based on scaling transformation, characterized by comprising a data acquisition module and a data output module, wherein the data acquisition module is used for acquiring original image data and its corresponding prior label; the data output module is used for adding perturbation to the original image data based on an iterative optimization method to generate and output an adversarial sample, wherein in each iteration the adversarial sample image data generated in the previous iteration is subjected to scaling expansion processing multiple times, the image data after scaling expansion processing is input into a network model and a gradient optimization method is used to calculate a target loss function gradient, the perturbation in the current iteration is obtained according to the target loss function gradient, and the perturbation is added to the adversarial sample generated in the previous iteration to generate the adversarial sample of the current iteration; wherein a cross-entropy function is first set as the target loss function, the network model is then used to obtain the target loss function gradient corresponding to the image data after each scaling expansion processing, a weighted loss function gradient is then obtained by adding the target loss function gradients corresponding to the image data after each scaling expansion processing according to weight, and a loss function gradient accumulation is obtained according to the weighted loss function gradient and a preset gradient attenuation factor, wherein the calculation process of the loss function gradient accumulation is expressed as follows: μ is an attenuation factor; obtaining the weighted loss function gradient by adding the target loss function gradients corresponding to the image data after each scaling expansion processing according to weight comprises the following steps: first, setting a gradient calculation formula according to the preset loss function gradient weights, the network model parameters, the adversarial sample generated by the previous iteration, the image data prior label and the number of image scaling expansion processing operations in the current iteration round, wherein the gradient calculation formula is expressed as M is the number of image scaling expansion processing operations, w_i is the loss function gradient weight corresponding to the i-th scaling expansion processing, the i-th scaling expansion processing of the adversarial sample generated in the previous iteration n ), θ is a network model parameter, the target loss function gradient corresponding to the i-th scaling expansion processing; then, the gradient calculation formula is used to obtain the weighted loss function gradient in the current iteration.
- 7. An electronic device, comprising a memory and a processor, wherein the processor and the memory complete communication with each other through a bus, the memory stores program instructions executable by the processor, and the processor invokes the program instructions to perform the method according to any one of claims 1 to 5.
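The scaling expansion step of claims 2 and 3 is, taken alone, an ordinary random shrink-and-pad image transform. The sketch below is an added illustration, not code from the patent, and is useful for reproducing that input transform when evaluating a classifier's robustness. The uniform draw for the number of copies, the 0.8 minimum scale ratio, zero fill, nearest-neighbour resampling, and applying shrink and pad together with probability `p` are assumptions; the claims leave them unspecified.

```python
import random

def resize_nearest(img, new_h, new_w):
    """Nearest-neighbour resize of a 2-D list of pixel values."""
    h, w = len(img), len(img[0])
    return [[img[r * h // new_h][c * w // new_w] for c in range(new_w)]
            for r in range(new_h)]

def scale_and_pad(img, rng, p=0.5, min_ratio=0.8, fill=0):
    """One scaling expansion step: with probability p, shrink the image and
    pad its periphery by a random amount back to the original size.
    p, min_ratio and fill are assumed parameters, not values from the patent."""
    h, w = len(img), len(img[0])
    if rng.random() >= p:                      # leave the image unchanged
        return [row[:] for row in img]
    new_h = rng.randint(max(1, int(h * min_ratio)), h)
    new_w = rng.randint(max(1, int(w * min_ratio)), w)
    small = resize_nearest(img, new_h, new_w)
    top = rng.randint(0, h - new_h)            # random padding above
    left = rng.randint(0, w - new_w)           # random padding on the left
    out = [[fill] * w for _ in range(h)]
    for r in range(new_h):
        out[top + r][left:left + new_w] = small[r]
    return out

def expanded_copies(img, rng, max_copies=5, **kwargs):
    """Draw the number of copies M at random (the claim's 'probability model',
    assumed uniform on 1..max_copies) and return M transformed copies."""
    m = rng.randint(1, max_copies)
    return [scale_and_pad(img, rng, **kwargs) for _ in range(m)]

if __name__ == "__main__":
    rng = random.Random(0)
    # Constructed 8x8 grayscale test image.
    image = [[r * 8 + c for c in range(8)] for r in range(8)]
    for copy in expanded_copies(image, rng, p=1.0):
        for row in copy:
            print(" ".join(f"{v:2d}" for v in row))
        print()
```
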
Description
Intelligent adversarial attack sample generation method and system based on scaling transformation
Technical Field
The invention relates to the technical field of image processing, in particular to an intelligent adversarial attack sample generation method and system based on scaling transformation.
Background
Convolutional neural networks (Convolutional Neural Network, CNN) are widely used in the field of image processing, for example in image classification, object detection and face recognition, and their performance has even exceeded average human levels. However, when a specific perturbation that is difficult for the human eye to perceive is added to an image, the network model is affected by it and outputs an erroneous result, which reflects the vulnerability of the network model. Images with such specific perturbations added are called adversarial samples. Because adversarial samples pose a potential safety hazard to network models, research on adversarial samples can in turn strengthen the robustness and security of network models and help make up for shortcomings of the algorithms used to train them.
Adversarial sample attack methods are mainly divided into white-box attacks and black-box attacks. Under white-box conditions, the attacker fully knows the network model structure and parameters, and can obtain a good attack effect simply by iterating the attack several times. The success rate of mainstream adversarial sample generation methods is considerable under white-box conditions. However, in the real world white-box conditions are relatively difficult to achieve; in most cases the attacker knows the network model only partially, or not at all, and the attack takes place under black-box conditions.
Under black-box conditions, the attacker generally uses a known network model to generate an adversarial sample and then applies it to the unknown network model to be attacked; although some attacks are effective, the success rate is far lower than under white-box conditions because of the differences between network models. This property of adversarial samples is also known as transferability. The process of generating adversarial samples is similar to training a network model, and overfitting can occur: when training a network model, the training set can reach a very high success rate while the success rate on the test set is not ideal, and relatively large oscillation can occur during validation. Typical gradient iterative algorithms have a higher success rate under white-box conditions, but a lower success rate for black-box attacks transferred to other network models, and poorer transferability, sometimes even inferior to single-step algorithms.
Disclosure of Invention
Therefore, the invention provides an intelligent adversarial attack sample generation method and system based on scaling transformation, which solve the problem of the low black-box attack success rate of existing generated adversarial samples and improve the quality of the generated adversarial samples.
According to the design scheme provided by the invention, an intelligent adversarial attack sample generation method based on scaling transformation is provided, which comprises the following steps: acquiring original image data and its corresponding prior label; and adding perturbation to the original image data based on an iterative optimization method to generate and output an adversarial sample, wherein in each iteration the adversarial sample image data generated in the previous iteration is subjected to scaling expansion processing multiple times, the image data after scaling expansion processing is input into a network model, a gradient optimization method is used to calculate a target loss function gradient, the perturbation in the current iteration is obtained according to the target loss function gradient, and the perturbation is added to the adversarial sample generated in the previous iteration to generate the adversarial sample of the current iteration. As the intelligent adversarial attack sample generation method based on scaling transformation of the invention, further, performing scaling expansion processing on the original image data multiple times in each iteration comprises the following steps: first, setting the number of image expansion processing operations in the current iteration by using a probability model; then, performing the corresponding number of scaling processing operations on the adversarial sample image data generated in the previous iteration according to the number set for the current iteration. The intelligent adversarial attack sample generation method based on scaling transformation further comprises the steps of performing expansion processing of scaling on adversarial sample image data gene