CN-121982425-A - Method and related device for optimizing robustness countermeasure of image classification model

Abstract

The invention belongs to the field of image processing and discloses an adversarial robustness tuning method and a related device for an image classification model. The method comprises: obtaining a source image sample and a plurality of guide image samples of categories different from the source image sample; constructing a feature search space from the source image sample and the guide image samples using a non-uniform feature-level convex interpolation method in which different feature dimensions have independent combination coefficients; searching the feature search space, with maximizing the classification loss of the image classification model as the optimization target, to obtain a key adversarial image sample; constructing an enhanced adversarial data set based on the key adversarial image sample; and performing adversarial fine-tuning training of the image classification model on the enhanced adversarial data set to obtain a tuned image classification model. The method improves security performance while maintaining recognition accuracy, and addresses the limited model robustness and reduced image classification accuracy caused by the restricted search space and single feature processing of existing adversarial training methods.

Inventors

  • LI QIAN
  • WU DI
  • SHEN CHAO
  • LIN CHENHAO
  • YANG LE
  • ZHAO ZHENGYU
  • WANG JIAN
  • GUAN XIAOHONG

Assignees

  • 西安交通大学

Dates

Publication Date
20260505
Application Date
20260228

Claims (10)

  1. An adversarial robustness tuning method for an image classification model, comprising: acquiring a source image sample and a plurality of guide image samples of categories different from the source image sample; constructing a feature search space from the source image sample and the plurality of guide image samples using a non-uniform feature-level convex interpolation method in which different feature dimensions have independent combination coefficients; searching the feature search space, with maximizing the classification loss of the image classification model as the optimization target, to obtain a key adversarial image sample; and constructing an enhanced adversarial data set based on the key adversarial image sample, and performing adversarial fine-tuning training on the image classification model based on the enhanced adversarial data set to obtain a tuned image classification model.
  2. The adversarial robustness tuning method for an image classification model according to claim 1, wherein the prediction confidence of the image classification model for each guide image sample is greater than a preset prediction confidence threshold, and the number of guide image samples is not less than 4.
  3. The method of claim 1, wherein constructing a feature search space using a non-uniform feature-level convex interpolation method with independent combination coefficients of different feature dimensions based on a source image sample and a plurality of guide image samples comprises: setting a combination coefficient with the dimension consistent with the image dimension for the source image sample and each guide image sample; Building feature search spaces by : , Wherein, the Is that And each is provided with The combined coefficient vector is composed of the components, For the combined coefficients of the source image samples, In order to product the product element by element, For the source image sample to be a source image, In order to guide the number of image samples, Is the first The combining coefficients of the individual guided image samples, Is the first The image samples are guided by a plurality of images, Is that Is the first of (2) The value of the dimension is used to determine, Is that Is the first of (2) Dimension values.
  4. The adversarial robustness tuning method for an image classification model according to claim 3, wherein searching in the feature search space with the maximized classification loss of the image classification model as an optimization target, to obtain the key adversarial image sample comprises: Constructing objective function by taking maximized classifying loss of image classifying model as optimizing target : Wherein, the In order to guide the weight vector, In order for the coefficient of balance to be present, Is that Is used to determine the leading weight of the (c), In order to classify the loss function, Is that And (3) with Is a classification loss of (a), Is that Based on the predicted class of the image classification model, Is that Is a label class of (2); solving an objective function Obtaining an optimal combination coefficient vector and a guiding weight vector; And fusing the source image sample and each guide image sample according to the optimal combination coefficient vector and the guide weight vector to obtain a key adversarial image sample.
  5. The adversarial robustness tuning method for an image classification model according to claim 4, characterized in that the solving objective function The obtaining of the optimal combined coefficient vector and the guiding weight vector comprises the following steps: initializing a combined coefficient vector and a guide weight vector; Iteratively executing the first fixed updating step and the second fixed updating step until the preset iteration times or objective functions are reached The first fixed updating step comprises the steps of fixing the combined coefficient vector according to the classification loss of each guided image sample and utilizing The second fixed updating step comprises the steps of fixing the guide weight vector, updating the combined coefficient vector by using a box constraint optimization algorithm, and carrying out normalization processing on the updated combined coefficient vector.
  6. The adversarial robustness tuning method for an image classification model according to claim 1, wherein constructing an enhanced adversarial data set based on the key adversarial image sample comprises: constructing a neighborhood distribution of the key adversarial image sample using a Gaussian mixture model, sampling from the neighborhood distribution to obtain a plurality of expanded adversarial image samples, setting the label category of each expanded adversarial image sample to the label category of the corresponding source image sample, and adding them to the training set of the image classification model to obtain the enhanced adversarial data set.
  7. The method of claim 6, wherein constructing a neighborhood distribution of key adversarial image samples using a Gaussian mixture model comprises: Taking the disturbance direction of the key contrast image sample relative to the source image sample as the mean value and taking the preset variance as the mean value A gaussian distribution is constructed for the standard deviation as a neighborhood distribution of key adversarial image samples.
  8. An adversarial robustness tuning system for an image classification model, comprising: a sample acquisition module for acquiring a source image sample and a plurality of guide image samples of categories different from the source image sample; a space construction module for constructing a feature search space from the source image sample and the plurality of guide image samples using a non-uniform feature-level convex interpolation method in which different feature dimensions have independent combination coefficients; a sample generation module for searching the feature search space, with maximizing the classification loss of the image classification model as the optimization target, to obtain a key adversarial image sample; and a model tuning module for constructing an enhanced adversarial data set based on the key adversarial image sample, and performing adversarial fine-tuning training on the image classification model based on the enhanced adversarial data set to obtain a tuned image classification model.
  9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the adversarial robustness tuning method for an image classification model according to any one of claims 1 to 7.
  10. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the adversarial robustness tuning method for an image classification model according to any one of claims 1 to 7.
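
The per-dimension convex interpolation and loss-maximizing search of claims 1 and 3, as an added example that is not code from the patent. The toy linear softmax classifier, the constructed 2-D samples and the function names are assumptions, and a multiplicative update with renormalisation stands in for the box-constrained solver the claims name. Only the classification loss is maximized; the guiding weight vector and balance coefficient of claim 4 are left out because their formula is not reproduced on this page.

```python
import math

def ce_loss_and_grad(W, x, y):
    """Cross-entropy of a linear softmax classifier and its gradient w.r.t. the input x."""
    logits = [sum(w * v for w, v in zip(row, x)) for row in W]
    top = max(logits)
    exps = [math.exp(l - top) for l in logits]
    probs = [e / sum(exps) for e in exps]
    grad = [sum((probs[c] - (c == y)) * W[c][d] for c in range(len(W)))
            for d in range(len(x))]
    return -math.log(probs[y]), grad

def mix(coef, samples):
    """Feature-level convex interpolation: dimension d has its own coefficients coef[k][d]."""
    return [sum(coef[k][d] * samples[k][d] for k in range(len(samples)))
            for d in range(len(samples[0]))]

def search(W, source, guides, label, steps=200, lr=0.5):
    """Maximise the classification loss over per-dimension convex coefficients."""
    samples = [source] + guides
    K, D = len(samples), len(source)
    coef = [[1.0 / K] * D for _ in range(K)]      # start from the uniform mix
    for _ in range(steps):
        _, g = ce_loss_and_grad(W, mix(coef, samples), label)
        for d in range(D):
            # dLoss/dcoef[k][d] = g[d] * samples[k][d]; multiplicative ascent keeps coef >= 0
            col = [coef[k][d] * math.exp(lr * g[d] * samples[k][d]) for k in range(K)]
            total = sum(col)
            for k in range(K):
                coef[k][d] = col[k] / total       # renormalise: column d sums to 1
    return coef, mix(coef, samples)

# Constructed toy data: 2 features, 2 classes, identity-weight classifier.
W = [[1.0, 0.0], [0.0, 1.0]]
SOURCE, LABEL = [1.0, 0.2], 0
GUIDES = [[0.0, 0.3], [0.9, 1.0], [0.2, 0.4], [0.8, 0.9]]   # all classified as class 1

def compare():
    coef, x_adv = search(W, SOURCE, GUIDES, LABEL)
    feature_level = ce_loss_and_grad(W, x_adv, LABEL)[0]
    # This loss is convex in x, so sample-level interpolation (one shared coefficient
    # per sample) can do no better than the highest-loss single sample in the set.
    sample_level = max(ce_loss_and_grad(W, s, LABEL)[0] for s in [SOURCE] + GUIDES)
    return coef, x_adv, feature_level, sample_level

if __name__ == "__main__":
    _, x_adv, fl, sl = compare()
    print([round(v, 3) for v in x_adv], "feature-level %.3f vs sample-level %.3f" % (fl, sl))
```

On the constructed data the per-dimension search ends near the corner (0, 1) of the samples' bounding box, a point outside their convex hull that no shared per-sample ratio can reach, so the loss available for fine-tuning is higher than with sample-level interpolation.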

Description

Method and related device for optimizing robustness countermeasure of image classification model

Technical Field

The invention belongs to the field of image processing and relates to an adversarial robustness tuning method and a related device for an image classification model.

Background

Deep learning technology has made breakthrough progress in fields such as image recognition, autonomous driving and biometric recognition, and has become a core driving force for artificial intelligence applications. However, because deep neural networks are highly nonlinear and complex, image classification models based on them are highly vulnerable to adversarial samples: superimposing small perturbations on the input image that are imperceptible to the human eye can induce the image classification model to output erroneous results with high confidence, which poses a serious challenge for applications in security-sensitive fields.

To defend against such attacks, adversarial training is considered one of the most effective defense mechanisms at present. In this approach, adversarial samples generated by an attack algorithm are introduced during training, the model parameters are continuously corrected through an "attack and defense" game, and the decision boundary of the model is pushed away from the data points, thereby improving the model's tolerance to perturbations. Existing mainstream schemes typically model potential attacks by finding perturbations in a tiny neighborhood of the input image that maximize the model loss, and strengthen model defenses based on gradient optimization or specific regularization constraints. Although existing approaches improve defensive ability to a certain extent, they still have obvious technical defects that restrict further improvement of the robustness of image classification models.

First, existing adversarial sample generation methods typically restrict the search space to a very small norm sphere surrounding the original sample. Such overly conservative constraints cannot adaptively detect the widely existing "fuzzy regions" near decision boundaries, so the distribution of the generated adversarial samples is overly restricted and cannot fully expose the boundary defects of the image classification model. Second, when exploring potential adversarial regions, existing methods mainly adopt a sample-level linear interpolation strategy, i.e. they apply the same blending ratio to all feature dimensions of the input image. This ignores the differing contributions of feature dimensions to the image classification model's decision and cannot flexibly construct an effective path across a complex nonlinear decision boundary. In addition, purely optimization-based attack methods often lack interpretable geometric constraints: the generated adversarial samples resemble "blind spots" in the feature space and lack geometric association with samples of other classes, so when they are used for fine-tuning, the image classification model has difficulty learning a truly robust classification boundary, and improved robustness is often accompanied by a marked drop in recognition accuracy on the original image samples.

Disclosure of Invention

The invention aims to overcome the defects of the prior art and provide an adversarial robustness tuning method and a related device for an image classification model.
To achieve this purpose, the invention adopts the following technical scheme: Compared with the prior art, the invention has the following beneficial effects: In the adversarial robustness tuning method for an image classification model, a flexible feature-level convex-polytope feature search space is constructed by introducing a non-uniform feature-level convex interpolation mechanism between a source image sample and guide image samples of mutually disjoint classes. The feature search space abandons the single-ratio restriction of traditional sample-level interpolation and allows different feature dimensions to have independent mixing coefficients, so that complex fuzzy regions and blind spots near the decision boundary of the model can be adaptively detected and located. The key adversarial image sample generated from this feature search space can therefore provide accurate gradient information about decision boundary defects during fine-tuning of the model, and adversarial fine-tuning with the key adversarial image sample and its neighborhood distribution not only significantly enhances the model's defense against a variety of strong adversarial attacks, but also the excessive dist