CN-121744272-B - Frame-level alignment boundary adversarial attack method, system, device, equipment and medium for sequence recognition model
Abstract
The invention provides a frame-level alignment boundary adversarial attack method, system, device, equipment and medium for a sequence recognition model, belonging to the fields of computer vision, speech processing and adversarial machine learning. The method comprises: S1, inputting samples to a target sequence recognition model in the test stage to obtain an initial reference alignment label sequence; S2, constructing an alignment boundary between the reference alignment label and the competing label based on the initial reference alignment label sequence; S3, generating dynamic continuous gating weights based on the alignment boundary, constructing a gating-weighted margin optimization objective and updating it iteratively to obtain candidate adversarial examples; and S4, performing total variation (TV) smoothing and an amplitude scaling search on the candidate adversarial examples under a success-preservation constraint to generate high-fidelity adversarial examples. The invention can improve adversarial attack efficiency and success rate, and can be used in scenarios such as robustness assessment, privacy protection and copyright protection for sequence recognition models.
Inventors
- XU ZHIHENG
- XU YIKUN
- LI YUE
Assignees
- 东华大学
- 中国传媒大学
Dates
- Publication Date: 20260508
- Application Date: 20260302
Claims (7)
- 1. A method of frame-level alignment boundary challenge-attack for a sequence recognition model, comprising: Step S1, inputting an original sample of a data set into a target sequence identification model in a test stage to obtain a frame level logarithmic probability matrix corresponding to each sample, and constructing an initial reference alignment tag sequence, wherein the data set comprises an image set or an audio set and a corresponding correct tag sequence; Step S2, based on the initial reference alignment label sequence and the correct label sequence, screening samples which can be correctly identified by a target sequence identification model, and constructing an alignment boundary according to the reference alignment label sequence and a frame level logarithmic probability matrix corresponding to the samples; Step S3, based on the alignment boundary margin, generating dynamic continuous gating weight by utilizing smooth mapping, constructing gating weight alignment boundary margin loss for iterative updating, and obtaining candidate countermeasure samples by self-adapting balance attack strength through a search mechanism, wherein the method specifically comprises the following steps: step S301 initializing disturbance Setting the maximum iteration times of the attack resisting algorithm And learning rate And initializing trade-off coefficients And binary search parameters thereof, wherein the binary search parameters comprise binary search times Search lower bound Upper bound of search And continuing the iteration times after the attack is successful ; Step S302, starting the trade-off coefficient Is searched for the outer loop in (1) In the secondary balance coefficient searching process, determining the current balance coefficient And performing inner layer iterative updating; step S303, inner layer iteration update In the wheel, the disturbance will occur Added to the original sample And performing numerical clipping to obtain a current candidate 
countermeasure sample , wherein, In order to tailor the function of the object, And Respectively inputting upper and lower boundaries of a preset effective value range of a sample Inputting the target sequence recognition model to obtain a frame-level logarithmic probability matrix ; Step S304, based on the frame-level logarithmic probability matrix Constructing gating weighted marginal optimization targets with reference alignment tag sequences and combining the perturbed marginal optimization targets Norm term and current trade-off coefficient Calculating to obtain a gating weighting alignment boundary marginal Loss, specifically including: Step S3041 logarithmic probability matrix from frame level based on reference alignment tag sequence Extracting the logarithmic probability value of the corresponding reference alignment label of each time step as a reference score ; Step S3042 for each time step Logarithmic probability matrix at the frame level Excluding a reference alignment label corresponding item and a preset invalid symbol item from the corresponding predictive vector, and selecting a maximum logarithmic probability value from the rest items as an effective competition score ; Step S3043 calculating alignment boundary margin of each time step And calculates the marginal loss , Is an activation function; Step S3044 alignment boundary margin for each time step Sorting, selecting the front with the smallest marginal value The individual time steps are taken as a fragile time step set; Step S3045, performing soft-min smoothing minimization operation on the alignment boundary margin of the fragile time step set to obtain an aggregation boundary value, and mapping the aggregation boundary value through a Sigmoid function to obtain an original gating coefficient ; Step S3046 introducing a preheating factor pair Preheating and mixing to obtain Wherein the preheating factor , For presetting the preheating iteration times, i represents the ith iteration and sets a 
non-zero lower bound for the gating weight Obtaining dynamic continuous gating weight ; S3047 based on Calculating an identification confidence factor Wherein Identifying the time steps generated in the forward reasoning of the model for the target sequence and combining the weighing coefficients Dynamic continuous gating weight Marginal loss Construction attack loss : ; Step S3048 of losing and disturbing the attack Adding norm items to obtain gating weighting alignment boundary marginal loss : ; Step S305, calculating the Loss with respect to disturbance Gradient of (2) ; Step S306, pair Performing gradient norm clipping processing to ensure that the two norms of the updating direction do not exceed a preset threshold value ; Step S307, gradient-based optimization algorithm using Adam Updating disturbances ; Step S308, based on the updated perturbation Generating candidate challenge samples And cutting the result according to the numerical value to disturb Performing projection updating; Step S309, candidate challenge samples obtained by iteration of the current inner layer Judging the success of the attack, if the attack is successful, and when the attack is successful, the disturbance norm Less than currently recorded Will be As an optimal candidate challenge sample And uses the current Updating , wherein, The optimum perturbation norm is represented and, Representation of Norms of, while not exceeding the number of successive iterations Continuing the iteration to further reduce the disturbance if the attack fails and the maximum number of iterations is not reached Then return to step S303 to step S309; step S310 is completed After searching the secondary trade-off coefficient, according to whether the current trade-off coefficient is present or not Under the condition of obtaining candidate countermeasure samples with successful attack, updating weighing coefficients Lower search bound of (2) Or search the upper bound Repeating steps S302 to S310 until the 
binary search times are reached Outputting the candidate countermeasure sample with the smallest disturbance norm in the searching process as a final candidate countermeasure sample; Step S4, executing total variation TV smoothing and amplitude scaling search under successful keeping constraint on the candidate countermeasure samples to generate high-fidelity countermeasure samples, wherein the method specifically comprises the following steps: Step S401 of obtaining candidate challenge samples Original sample And let the optimal disturbance Construction of a stabilized objective function under successful retention constraints , wherein, Including success retention constraint terms for maintaining attack success status and total variation regularization terms for smoothing disturbances , wherein, As a result of the overall coefficient of variation, As a total variation function; step S402, based on the stabilized objective function Iterative update perturbation And performing numerical clipping after each update And cutting the result according to the numerical value to disturb Performing projection updating; Step S403, in the stabilizing iterative process, obtaining a temporary sample based on disturbance update each time And judging whether the decoding result meets the successful retention constraint or not through the decoding result Updating and recording the current optimal countermeasure disturbance when the successful maintenance constraint is satisfied When the successful maintaining constraint is not satisfied, the optimal record is not updated, and iteration is continued until the preset smooth iteration times are reached ; Step S404, after the total variation TV smoothing process is completed, the smoothed disturbance is subjected to Performing an amplitude scaling search to cause scaling factors Initializing 、 And recording the optimal scaling factor ; Step S405. 
Execute scaling factor In (b) binary search of (c) Secondary search center command Constructing scaled candidate samples And tested Whether a successful retention constraint is satisfied, if so, then And update If not, update Repeating the process until reaching the preset binary search times ; Step S406, outputting high-fidelity countermeasure sample 。
- 2. The frame-level alignment boundary adversarial attack method for a sequence recognition model according to claim 1, wherein step S1 (inputting original samples of a dataset into a target sequence recognition model in the test stage to obtain a frame-level log-probability matrix corresponding to each sample and constructing an initial reference alignment label sequence, wherein the dataset comprises an image set or an audio set and the corresponding correct label sequences) specifically comprises: Step S101, acquiring a dataset, wherein the dataset comprises an image set or an audio set and the corresponding correct label sequences; Step S102, obtaining the architecture, weight parameters and gradient information of the target sequence recognition model; Step S103, switching the target sequence recognition model from training mode to test mode; Step S104, inputting the original samples in the dataset into the target sequence recognition model to obtain a frame-level log-probability matrix corresponding to each sample; and Step S105, taking the index of the maximum value of each time step's prediction vector in the frame-level log-probability matrix as the reference alignment label of that time step, the reference alignment labels forming the initial reference alignment label sequence in time-step order.
- 3. The frame-level alignment boundary adversarial attack method according to claim 2, wherein step S2 (screening, based on the initial reference alignment label sequence and the correct label sequence, the samples that the target sequence recognition model recognizes correctly, and constructing an alignment boundary from the reference alignment label sequence and the frame-level log-probability matrix corresponding to those samples) specifically comprises: Step S201, comparing the correct label sequence with the initial reference alignment label sequence, and deleting from the dataset the samples that the target sequence recognition model cannot recognize correctly, to obtain the correctly recognized samples and their reference alignment label sequences; Step S202, obtaining the frame-level log-probability matrix corresponding to each correctly recognized sample; Step S203, determining the competing label of each time step based on the frame-level log-probability matrix and the reference alignment label sequence, and constructing the alignment boundary margin, wherein the competing label is the index of the maximum log-probability value after excluding the entry for the reference alignment label and the entry for the invalid symbol, and the alignment boundary margin is the difference between the log-probability value of the reference alignment label and that of the competing label.
- 4. A frame-level alignment boundary challenge-attack system for a sequence recognition model, comprising the following modules: The data and prediction output acquisition module is used for inputting original samples of a data set into a target sequence identification model in a test stage to obtain a frame level logarithmic probability matrix corresponding to each sample and constructing an initial reference alignment tag sequence, wherein the data set comprises an image set or an audio set and a corresponding correct tag sequence; The alignment boundary construction module is used for screening samples which can be correctly identified by the target sequence identification model based on the initial reference alignment label sequence and the correct label sequence, and constructing an alignment boundary according to the reference alignment label sequence and the frame level logarithmic probability matrix corresponding to the samples; The candidate countermeasure sample generation module is configured to generate dynamic continuous gating weights by using smooth mapping based on the alignment boundary margin, construct gating weighted alignment boundary margin loss for iterative updating, and self-adaptively balance attack strength by a search mechanism to obtain candidate countermeasure samples, and specifically includes: step S301 initializing disturbance Setting the maximum iteration times of the attack resisting algorithm And learning rate And initializing trade-off coefficients And binary search parameters thereof, wherein the binary search parameters comprise binary search times Search lower bound Upper bound of search And continuing the iteration times after the attack is successful ; Step S302, starting the trade-off coefficient Is searched for the outer loop in (1) In the secondary balance coefficient searching process, determining the current balance coefficient And performing inner layer iterative updating; step S303, inner layer iteration update In 
the wheel, the disturbance will occur Added to the original sample And performing numerical clipping to obtain a current candidate countermeasure sample , wherein, In order to tailor the function of the object, And Respectively inputting upper and lower boundaries of a preset effective value range of a sample Inputting the target sequence recognition model to obtain a frame-level logarithmic probability matrix ; Step S304, based on the frame-level logarithmic probability matrix Constructing gating weighted marginal optimization targets with reference alignment tag sequences and combining the perturbed marginal optimization targets Norm term and current trade-off coefficient Calculating to obtain a gating weighting alignment boundary marginal Loss, specifically including: Step S3041 logarithmic probability matrix from frame level based on reference alignment tag sequence Extracting the logarithmic probability value of the corresponding reference alignment label of each time step as a reference score ; Step S3042 for each time step Logarithmic probability matrix at the frame level Excluding a reference alignment label corresponding item and a preset invalid symbol item from the corresponding predictive vector, and selecting a maximum logarithmic probability value from the rest items as an effective competition score ; Step S3043 calculating alignment boundary margin of each time step And calculates the marginal loss , Is an activation function; Step S3044 alignment boundary margin for each time step Sorting, selecting the front with the smallest marginal value The individual time steps are taken as a fragile time step set; Step S3045, performing soft-min smoothing minimization operation on the alignment boundary margin of the fragile time step set to obtain an aggregation boundary value, and mapping the aggregation boundary value through a Sigmoid function to obtain an original gating coefficient ; Step S3046 introducing a preheating factor pair Preheating and mixing 
to obtain Wherein the preheating factor , For presetting the preheating iteration times, i represents the ith iteration and sets a non-zero lower bound for the gating weight Obtaining dynamic continuous gating weight ; S3047 based on Calculating an identification confidence factor Wherein Identifying the time steps generated in the forward reasoning of the model for the target sequence and combining the weighing coefficients Dynamic continuous gating weight Marginal loss Construction attack loss : ; Step S3048 of losing and disturbing the attack Adding norm items to obtain gating weighting alignment boundary marginal loss : ; Step S305, calculating the Loss with respect to disturbance Gradient of (2) ; Step S306, pair Performing gradient norm clipping processing to ensure that the two norms of the updating direction do not exceed a preset threshold value ; Step S307, gradient-based optimization algorithm using Adam Updating disturbances ; Step S308, based on the updated perturbation Generating candidate challenge samples And cutting the result according to the numerical value to disturb Performing projection updating; Step S309, candidate challenge samples obtained by iteration of the current inner layer Judging the success of the attack, if the attack is successful, and when the attack is successful, the disturbance norm Less than currently recorded Will be As an optimal candidate challenge sample And uses the current Updating , wherein, The optimum perturbation norm is represented and, Representation of Norms of, while not exceeding the number of successive iterations Continuing the iteration to further reduce the disturbance if the attack fails and the maximum number of iterations is not reached Then return to step S303 to step S309; step S310 is completed After searching the secondary trade-off coefficient, according to whether the current trade-off coefficient is present or not Under the condition of obtaining candidate countermeasure samples with successful 
attack, updating weighing coefficients Lower search bound of (2) Or search the upper bound Repeating steps S302 to S310 until the binary search times are reached Outputting the candidate countermeasure sample with the smallest disturbance norm in the searching process as a final candidate countermeasure sample; the high-fidelity countermeasure sample generation module is used for executing total variation TV smoothing and amplitude scaling search under successful keeping constraint on the candidate countermeasure samples to generate high-fidelity countermeasure samples, and specifically comprises the following steps: Step S401 of obtaining candidate challenge samples Original sample And let the optimal disturbance Construction of a stabilized objective function under successful retention constraints , wherein, Including success retention constraint terms for maintaining attack success status and total variation regularization terms for smoothing disturbances , wherein, As a result of the overall coefficient of variation, As a total variation function; step S402, based on the stabilized objective function Iterative update perturbation And performing numerical clipping after each update And cutting the result according to the numerical value to disturb Performing projection updating; Step S403, in the stabilizing iterative process, obtaining a temporary sample based on disturbance update each time And judging whether the decoding result meets the successful retention constraint or not through the decoding result Updating and recording the current optimal countermeasure disturbance when the successful maintenance constraint is satisfied When the successful maintaining constraint is not satisfied, the optimal record is not updated, and iteration is continued until the preset smooth iteration times are reached ; Step S404, after the total variation TV smoothing process is completed, the smoothed disturbance is subjected to Performing an amplitude scaling search to cause 
scaling factors Initializing 、 And recording the optimal scaling factor ; Step S405. Execute scaling factor In (b) binary search of (c) Secondary search center command Constructing scaled candidate samples And tested Whether a successful retention constraint is satisfied, if so, then And update If not, update Repeating the process until reaching the preset binary search times ; Step S406, outputting high-fidelity countermeasure sample 。
- 5. A frame-level alignment boundary adversarial attack device for a sequence recognition model, comprising one or more electronic devices, wherein the one or more electronic devices are configured to implement the frame-level alignment boundary adversarial attack method for a sequence recognition model of any of claims 1 to 3.
- 6. An electronic device comprising one or more processors and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the electronic device to implement the frame-level alignment boundary adversarial attack method for a sequence recognition model of any of claims 1 to 3.
- 7. A computer-readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to implement the frame-level alignment boundary adversarial attack method for a sequence recognition model according to any of claims 1 to 3.
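The per-frame quantities defined in claims 2 and 3 (reference alignment label, competing label, alignment boundary margin) and the smallest-margin "fragile" time steps of step S3044 can be computed from a model's output alone, which is how a robustness assessment locates the frames a recognizer is least sure of. The following Python is an added example, not code from the patent; the blank index, the constructed log-probability matrix, the function names and the log-sum-exp form of soft-min are assumptions.

```python
import math

BLANK = 0  # assumed index of the CTC blank, the "invalid symbol" of step S203

# Constructed sample: 5 frames x 4 classes (blank, 'a', 'b', 'c').
PROBS = [
    [0.70, 0.20, 0.05, 0.05],
    [0.10, 0.80, 0.06, 0.04],
    [0.05, 0.48, 0.45, 0.02],
    [0.15, 0.05, 0.75, 0.05],
    [0.40, 0.02, 0.38, 0.20],
]
LOG_PROBS = [[math.log(p) for p in row] for row in PROBS]


def reference_alignment(log_probs):
    """Step S105: the argmax index of each frame's prediction vector."""
    return [max(range(len(row)), key=row.__getitem__) for row in log_probs]


def alignment_margins(log_probs, ref, blank=BLANK):
    """Step S203: reference log-prob minus best competing log-prob, per frame.

    The competitor is the largest entry after excluding the reference label
    and the invalid symbol. When the reference is the per-frame argmax the
    margin is never negative; a value near zero marks a frame where the
    decoded label is close to flipping.
    """
    margins = []
    for t, (row, r) in enumerate(zip(log_probs, ref)):
        rivals = [v for k, v in enumerate(row) if k not in (r, blank)]
        if not rivals:
            raise ValueError(f"frame {t}: no competing label left")
        margins.append(row[r] - max(rivals))
    return margins


def fragile_steps(margins, k):
    """Step S3044: indices of the k frames with the smallest margin."""
    return sorted(range(len(margins)), key=margins.__getitem__)[:k]


def soft_min(values, tau=1.0):
    """Smooth minimum, assumed form -tau * log(sum(exp(-v / tau))).

    Computed relative to min(values) so the exponentials cannot overflow.
    """
    m = min(values)
    return m - tau * math.log(sum(math.exp(-(v - m) / tau) for v in values))


def robustness_report(log_probs, k=2, tau=0.05):
    """Per-sample summary: alignment, margins, fragile frames, aggregate."""
    ref = reference_alignment(log_probs)
    margins = alignment_margins(log_probs, ref)
    weak = fragile_steps(margins, k)
    return {
        "reference": ref,
        "margins": margins,
        "fragile": weak,
        "aggregate": soft_min([margins[t] for t in weak], tau),
    }


if __name__ == "__main__":
    report = robustness_report(LOG_PROBS)
    for t, m in enumerate(report["margins"]):
        flag = "  <- fragile" if t in report["fragile"] else ""
        print(f"frame {t}: label {report['reference'][t]} margin {m:.4f}{flag}")
    print(f"aggregate (soft-min over fragile set): {report['aggregate']:.4f}")
```

Tracking the aggregate value across a test set gives a per-sample indicator of how little log-probability separates the decoded sequence from a different one.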
Description
Frame-level alignment boundary adversarial attack method, system, device, equipment and medium for sequence recognition model

Technical Field

The invention belongs to the fields of computer vision, speech processing and adversarial machine learning, and particularly relates to a frame-level alignment boundary adversarial attack method, system, device, equipment and medium for a sequence recognition model.

Background

In recent years, deep learning has made remarkable progress in computer vision and speech processing, and sequence recognition tasks are widely deployed. For example, scene text recognition is used for reading traffic signs and caption text, recognizing product labels, scanning on mobile terminals and similar scenes, and automatic speech recognition is widely used in in-vehicle voice interaction, intelligent assistants, meeting transcription and similar systems. Such tasks generally output a variable-length label sequence, and engineering implementations commonly use connectionist temporal classification (CTC) or an attention mechanism to perform per-time-step prediction and alignment decoding.

However, deep neural networks are vulnerable in adversarial settings: an attacker can superimpose a small, imperceptible perturbation on the input and induce the system to output a wrong result. For sequence recognition applications such as scene text recognition (STR) and automatic speech recognition (ASR), misrecognition may bring potential risks in security-sensitive scenes such as automatic driving, security forensics and human-computer interaction, so constructing adversarial examples and carrying out adversarial testing is of great significance.

Existing attack methods for sequence recognition tasks mostly adopt a generic iterative perturbation optimization framework and focus on optimizing the overall output loss or the overall sequence score. Since the decoding result of a sequence recognition model is usually dominated by the competition at a small number of time steps, when the optimization objective does not explicitly characterize the competition boundary, perturbation updates may be unevenly distributed across time steps or miss the key competing time steps. A larger perturbation amplitude or more search attempts are then often required to change the output sequence, which makes it difficult to achieve attack efficiency and perturbation concealment at the same time. In addition, candidate adversarial examples obtained from a single round of iterative optimization fluctuate widely in perceptual quality and perturbation controllability, and there is no mechanism for further refining the perturbation under the constraint of "keeping the attack successful", which affects the stability and usability of adversarial testing.

Based on this, it is necessary to propose a frame-level alignment boundary adversarial attack method and system for a sequence recognition model, so that the optimization objective is consistent with the frame-level alignment competition boundary, and candidate adversarial examples are refined under the constraint of keeping the attack successful, so as to keep higher perceptual quality while reducing the perturbation amplitude.

Disclosure of Invention

In order to solve the above technical problems, the invention provides a frame-level alignment boundary adversarial attack method and system for a sequence recognition model. The method comprises the following steps:

- Step S1, inputting the original samples of a dataset into a target sequence recognition model in the test stage to obtain a frame-level log-probability matrix corresponding to each sample, and constructing an initial reference alignment label sequence, wherein the dataset comprises an image set or an audio set and the corresponding correct label sequences;
- Step S2, based on the initial reference alignment label sequence and the correct label sequence, screening the samples that the target sequence recognition model recognizes correctly, and constructing an alignment boundary from the reference alignment label sequence and the frame-level log-probability matrix corresponding to those samples;
- Step S3, based on the alignment boundary margin, generating dynamic continuous gating weights using a smooth mapping, constructing a gating-weighted alignment boundary margin loss for iterative updating, and adaptively balancing the attack strength through a search mechanism to obtain candidate adversarial examples;
- Step S4, performing total variation (TV) smoothing and an amplitude scaling search on the candidate adversarial examples under a success-preservation constraint to generate high-fidelity adversarial examples.

The beneficial effects are that: 1. According to the invention, the frame-level prediction and alignment characteristics of the sequence recognition model are utiliz