CN-121982451-A - Method, device and storage medium for generating movable challenge sample based on wavelet transformation and multi-scale filling

Abstract

The invention relates to a method, a device and a storage medium for generating transferable adversarial examples based on wavelet transform and multi-scale filling. The method comprises the following steps: obtaining an input image, converting the input image from the spatial domain to the frequency domain by wavelet transform, and performing random block scrambling on the high-frequency component blocks to obtain a preprocessed image; and performing MI-FGSM-based sample updating on the preprocessed image, wherein, during the updating process, a global random multi-scale filling method is used to transform the input of the MI-FGSM from multiple angles across the spatial and frequency domains, a plurality of surrogate models are combined, a joint gradient loss is calculated, and the adversarial example is obtained by training. Compared with the prior art, the invention has the advantages of significantly improving the transferability of adversarial examples among a plurality of black-box models, improving the attack success rate, and the like.

Inventors

  • LIU JISHUN
  • ZHANG XUEQIN
  • SUN YONGQING
  • GENG PEILIN
  • Xiang Tianxu
  • XUE HUIXIA

Assignees

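  • 公安部第三研究所 (The Third Research Institute of the Ministry of Public Security)
  • 华东理工大学 (East China University of Science and Technology)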

Dates

Publication Date
20260505
Application Date
20260127

Claims (10)

  1. A method for generating transferable adversarial examples based on wavelet transform and multi-scale filling, comprising the steps of: obtaining an input image, converting the input image from the spatial domain to the frequency domain by wavelet transform, and performing random block scrambling on the high-frequency component blocks to obtain a preprocessed image; and performing MI-FGSM-based sample updating on the preprocessed image, wherein, during the updating process, a global random multi-scale filling method is used to transform the input of the MI-FGSM from multiple angles across the spatial and frequency domains, a plurality of surrogate models are combined, a joint gradient loss is calculated, and the adversarial example is obtained by training.
  2. The method for generating transferable adversarial examples based on wavelet transform and multi-scale filling according to claim 1, wherein converting the input image from the spatial domain to the frequency domain comprises decomposing the input image into a low-frequency sub-band and three high-frequency sub-bands in the horizontal, vertical and diagonal directions.
  3. The method for generating transferable adversarial examples based on wavelet transform and multi-scale filling according to claim 1, wherein a Haar wavelet is employed to transform the input image from the spatial domain to the frequency domain.
  4. The method for generating transferable adversarial examples based on wavelet transform and multi-scale filling according to claim 1, wherein said random block scrambling is performed using the BS algorithm.
  5. The method for generating transferable adversarial examples based on wavelet transform and multi-scale filling according to claim 1, wherein the preprocessed image is obtained by performing the random block scrambling on the high-frequency component blocks and then reconstructing the image in combination with the low-frequency component block.
  6. The method for generating transferable adversarial examples based on wavelet transform and multi-scale filling according to claim 1, wherein, in the global random multi-scale filling method, the sample update process is controlled by a randomly generated Bernoulli training parameter and a scaling size.
  7. The method for generating transferable adversarial examples based on wavelet transform and multi-scale filling according to claim 6, wherein transforming the input of the MI-FGSM from multiple angles comprises: before each input batch enters the MI-FGSM calculation process, generating a Bernoulli training parameter; when the Bernoulli training parameter is smaller than a set threshold value, randomly generating a scaling size, resizing the input tensor to match the scaling size by bilinear interpolation, and zero-padding the four sides according to the calculated remaining width and height.
  8. The method for generating transferable adversarial examples based on wavelet transform and multi-scale filling according to claim 1, wherein, in combining the plurality of surrogate models, a gradient update formula is expressed as: Wherein, the The weights taken up in computing the joint gradient loss for each surrogate model, In order for the attenuation factor to be a factor, Is the first The input at the time of the iteration is, To use the gradient information of the first t iterations of the decay factor accumulation, Gradient information obtained for the t +1 iteration, For each of the accessible parameters of the surrogate model, N is the number of surrogate models, As a function of the loss, Is a real tag.
  9. A device for generating transferable adversarial examples based on wavelet transform and multi-scale filling, comprising: a preprocessing module, used for obtaining an input image, converting the input image from the spatial domain to the frequency domain by wavelet transform, and performing random block scrambling on the high-frequency component blocks to obtain a preprocessed image; and a transformation generating module, used for performing MI-FGSM-based sample updating on the preprocessed image, wherein, during the updating process, a global random multi-scale filling method is used to transform the input of the MI-FGSM from multiple angles across the spatial and frequency domains, a plurality of surrogate models are combined, a joint gradient loss is calculated, and the adversarial example is obtained by training.
  10. A computer-readable storage medium comprising one or more programs for execution by one or more processors of an electronic device, the one or more programs including instructions for performing the method for generating transferable adversarial examples based on wavelet transform and multi-scale filling of any of claims 1-8.
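Claims 2, 3 and 5 rest on a one-level 2D Haar decomposition into a low-frequency sub-band and horizontal, vertical and diagonal high-frequency sub-bands, followed by reconstruction. The sketch below is an added illustration, not code from the patent: it performs that decomposition and its inverse on a small constructed image and measures how a fine pixel-level perturbation lands entirely in a high-frequency band, which is the quantity a defender would inspect. All function names and sample values are assumptions.

```python
# Added illustration, not code from the patent: one-level 2D Haar transform.
def haar_dwt2(img):
    """Split an even-sized image (list of rows) into the low-frequency band
    LL and the horizontal (H), vertical (V) and diagonal (D) detail bands."""
    h, w = len(img), len(img[0])
    if h % 2 or w % 2:
        raise ValueError("height and width must be even")
    bands = {k: [[0.0] * (w // 2) for _ in range(h // 2)]
             for k in ("LL", "H", "V", "D")}
    for i in range(0, h, 2):
        for j in range(0, w, 2):
            a, b = img[i][j], img[i][j + 1]
            c, d = img[i + 1][j], img[i + 1][j + 1]
            r, s = i // 2, j // 2
            bands["LL"][r][s] = (a + b + c + d) / 2  # local average
            bands["H"][r][s] = (a + b - c - d) / 2   # top vs bottom row
            bands["V"][r][s] = (a - b + c - d) / 2   # left vs right column
            bands["D"][r][s] = (a - b - c + d) / 2   # checkerboard pattern
    return bands

def haar_idwt2(bands):
    """Rebuild the image from the four sub-bands (exact inverse)."""
    h, w = len(bands["LL"]), len(bands["LL"][0])
    img = [[0.0] * (2 * w) for _ in range(2 * h)]
    for r in range(h):
        for s in range(w):
            l, x, y, z = (bands[k][r][s] for k in ("LL", "H", "V", "D"))
            img[2 * r][2 * s] = (l + x + y + z) / 2
            img[2 * r][2 * s + 1] = (l + x - y - z) / 2
            img[2 * r + 1][2 * s] = (l - x + y - z) / 2
            img[2 * r + 1][2 * s + 1] = (l - x - y + z) / 2
    return img

def energy_share(bands):
    """Fraction of total squared magnitude held by each sub-band."""
    e = {k: sum(v * v for row in m for v in row) for k, m in bands.items()}
    total = sum(e.values()) or 1.0
    return {k: e[k] / total for k in e}

# Constructed 4x4 sample: flat region with one vertical edge.
SAMPLE = [[8.0, 8.0, 8.0, 0.0] for _ in range(4)]
# Constructed +/-1 pixel-level checkerboard perturbation added to SAMPLE.
PERTURBED = [[v + (1 if (i + j) % 2 == 0 else -1) for j, v in enumerate(row)]
             for i, row in enumerate(SAMPLE)]

if __name__ == "__main__":
    print("clean:    ", energy_share(haar_dwt2(SAMPLE)))
    print("perturbed:", energy_share(haar_dwt2(PERTURBED)))
```

On the constructed input the vertical edge appears only in the V band, and the perturbation changes only the D band, leaving LL, H and V identical to the clean image.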

Description

Method, device and storage medium for generating movable challenge sample based on wavelet transformation and multi-scale filling

Technical Field

The present invention relates to the field of image processing technologies, and in particular to a method and a device for generating transferable adversarial examples based on wavelet transform and multi-scale filling, and a storage medium.

Background

In recent years, artificial intelligence technology based on deep neural networks (Deep Neural Networks, DNN) has made breakthrough progress. DNNs perform excellently in computer vision tasks such as image classification, object detection, change capture, etc., but the accompanying security problems have also become increasingly prominent. In 2013, researchers first found the existence of adversarial examples in the field of computer vision, i.e., DNNs can easily be fooled into misclassification or misrecognition by adding imperceptible, fine perturbations to benign pictures. More threatening, adversarial examples tend to be transferable to some degree: by training an adversarial example on a surrogate model, attacks can be launched against multiple actual target models.

The discovery of adversarial examples has drawn great attention to DNN security, particularly in sensitive fields with extremely high requirements on robustness and security, such as face recognition, autonomous driving, assisted medical treatment and the like. To enhance model security for these high-security scenarios, research into adversarial example generation has become one of the hot spots in deep learning security research in recent years. When adversarial examples are used as training data for large models, the resulting model may have significantly improved resistance to attacks. Meanwhile, the model's ability to defend against adversarial examples can be verified through a simulated attack test in the verification stage.

Therefore, research on adversarial example generation technology is not only a key means of analyzing the inherent vulnerability of DNN models, but also a core premise for constructing a safe and reliable deep learning system and guaranteeing the compliant deployment of the technology.

Adversarial examples are classified into white-box examples and black-box examples. White-box examples refer to the case where the practitioner has full access to the internal information of the target model, so that the gradient of the loss function can be accurately calculated to generate an efficient adversarial example. Black-box examples refer to the case where the practitioner is unaware of the internal structure and parameters of the target model. The application scenario of black-box examples is closer to the real world and can expose hidden security holes of the model in actual deployment, so black-box examples are used more in actual scenarios. Currently, black-box adversarial example generation methods can be classified into query-based methods, transfer-based methods, and generative-model-based methods, such as the Fast Gradient Sign Method (FGSM), HopSkipJump Attack (HSJA), AdvGAN, and the like. In the transfer-based method, adversarial examples are generated by locally training a surrogate model (proxy model) and are then transferred to the target model to mislead it, so the efficiency is high and the application is wider. In a transfer-based adversarial example generation scenario, the implementer cannot directly access the structure and parameters of the target model; only one or more controllable surrogate models can be used to generate an adversarial example, and the transferability of the adversarial example among different models is exploited so that an unknown target model is caused to misclassify.

Methods commonly used by researchers today include image transformation, gradient control, and perturbation of model intermediate layers. However, the generalized threat performance and attack success rate of the existing methods are still not high enough, and their dependence on the target model structure is strong. They do not effectively focus on the influence of the high-frequency components of an image on the model's classification result, a characteristic that can be used as a strategy for further increasing the threat of adversarial examples.

Disclosure of Invention

The invention aims to overcome the defects of the prior art and provide a method, a device and a storage medium for generating transferable adversarial examples based on wavelet transform and multi-scale filling, which significantly improve the transferability of adversarial examples among a plurality of black-box models and improve the attack success rate.

The aim of the invention can be achieved by the following technical scheme: A method for generating transferable adversarial examples based on wavelet transform and multi-scale filling, comprising the steps of: A