CN-122021786-A - Method for enhancing resistance of YOLO11 model to adversarial samples
Abstract
The invention provides a method for enhancing the resistance of a YOLO11 model to adversarial samples. First, a sample generation module is constructed: the input data format of the YOLOv11 model and common types of malicious tampering are analyzed, a diversified perturbation strategy is set on that basis, and an adversarial sample set is generated from the original sample data set by applying a gradient-based algorithm. Then an immune training framework is constructed: the adversarial samples are merged into the normal training sample queue according to a specific rule, and key parameters such as the number of training rounds and the learning rate are finely set, so that the model learns the characteristics of the adversarial samples in depth during training and continuously adjusts the connection weights of its internal neurons. YOLOv11 thereby gradually acquires the ability to distinguish normal targets from tampered ones, becomes immune to malicious tampering interference, and improves in recognition accuracy and stability.
Inventors
- YU ZISHAN
- LI JIYANG
- GAN HONGYI
- DENG WENXIN
- LI YAXUAN
- ZHOU LINGYI
- CHEN XIWEN
- LI CHENXUE
Assignees
- 上海理工大学
Dates
- Publication Date
- 20260512
- Application Date
- 20251224
Claims (5)
- 1. A method for enhancing the resistance of a YOLO11 model to adversarial samples, comprising adversarial sample generation and immune training. The adversarial sample generation comprises: using a gradient-based iterative algorithm, according to the feature dimensions of the input data to which each layer of the model is sensitive, to generate an initial adversarial sample set for the YOLOv11 model from a batch of original sample data; and dynamically adjusting the perturbation calculation according to the gradient information of the model loss function, so that each generated adversarial sample stays within a preset visual similarity range of its original sample while still inducing the model to make an erroneous recognition. The immune training comprises: constructing a mixed training data set by mixing the complete adversarial sample set with the original training sample set in a dynamic proportion, the initial proportion being set according to the initial training stability of the model and the aggressiveness of the adversarial samples, and adjusted in real time according to performance feedback during iterative training of the model; configuring the immune training parameters of the YOLOv11 model by setting a decaying learning rate strategy that gradually reduces the learning rate with the training rounds, adopting mini-batch stochastic gradient descent, and dynamically optimizing the batch size according to the convergence speed of the model; and, during training, performing joint back-propagation over the model's differing outputs for the normal samples and the adversarial samples in the mixed data set, continuously correcting the internal weight parameters of the model so that it gradually acquires the ability to accurately distinguish normal targets from maliciously tampered ones, until a preset immune training convergence criterion is met, ensuring that the model maintains high-accuracy recognition performance when facing maliciously tampered recognition targets.
- 2. The method for enhancing the resistance of the YOLO11 model to adversarial samples according to claim 1, wherein, in the adversarial sample generation, dynamically adjusting the perturbation calculation according to the gradient information of the model loss function is a gradient-guided perturbation generation step: a gradient-guided perturbation generation mode is developed by deeply analyzing the network structure of the YOLO11 model and the gradient changes of each layer when an image is processed; the gradient of the model with respect to the input image is obtained by the back-propagation algorithm, and the key regions and feature dimensions that strongly influence the model's output decision are precisely located; small perturbations are then added at these key positions according to the direction and strength of the gradient, with the amplitude of the perturbation strictly controlled so that the generated adversarial sample is almost indistinguishable from the original image to the human eye yet sufficient to mislead the YOLO11 model; meanwhile, an iterative update mechanism is adopted, and the perturbation parameters are continuously adjusted according to the feedback results of the generated samples until an effective adversarial sample is successfully constructed.
- 3. The method for enhancing the resistance of the YOLO11 model to adversarial samples according to claim 1, characterized in that, in the adversarial sample generation, a multi-modal perturbation fusion strategy is constructed in view of the possible limitations of a single perturbation mode: pixel-level perturbation, perturbation based on image transformation, and semantic-level perturbation are organically fused, and the proportions and combinations of the different perturbation modes are flexibly allocated according to the requirements of different application scenarios and the characteristics of the target detection objects, so as to generate a diversified and more aggressive adversarial sample set and improve the success rate with which the adversarial samples deceive the YOLO11 model.
- 4. The method of claim 1, wherein, in the immune training step, constructing the mixed training data set comprises collecting a plurality of original normal images together with the adversarial samples constructed by the adversarial sample generation method. For an input sample $x$ and the model loss function $J(x, y; \theta)$, where $y$ is the true label and $\theta$ denotes the model parameters, the adversarial sample $x_{adv}$ is generated as $x_{adv} = x + \varepsilon \cdot \mathrm{sign}(\nabla_x J(x, y; \theta))$. The model parameters $\theta$ are updated by stochastic gradient descent: $\theta = \theta - \alpha \cdot \nabla_\theta J(x, y; \theta)$, where $\alpha$ is the learning rate and $\nabla_\theta J(x, y; \theta)$ is the gradient of the loss function with respect to the model parameters $\theta$. The two kinds of data are mixed in a scientific and reasonable proportion to form the data set for immune training, and every sample in the data set is labeled comprehensively and in detail, clearly marking whether it is a normal sample or an adversarial sample and recording key information such as the true category of the corresponding target object; this provides accurate supervision and a reference basis for subsequent model training, so that the model can effectively learn from the data the features that distinguish normal samples from adversarial samples. In immune training, the total training loss can be expressed as $L_{total} = L_{normal} + \lambda L_{adv}$, where $L_{normal}$ is the loss on normal samples, $L_{adv}$ is the loss on adversarial samples, and $\lambda$ is a weight coefficient that balances the importance of normal training and adversarial training.
- 5. The method for enhancing the resistance of a YOLO11 model to adversarial samples according to claim 1, wherein, in the immune training step, a dedicated adversarial sample identification module and an adaptive immune adjustment layer are embedded in the original basic framework of the YOLO11 model; the adversarial sample identification module performs deep analysis of the features of an input sample, extracting multi-scale features and statistical feature distributions, to judge in real time whether the input sample is an adversarial sample; once the input sample is judged to be an adversarial sample, the adaptive immune adjustment layer acts immediately and dynamically adjusts the feature processing modes and weight parameters of the layers in the model according to the specific feature expression of the adversarial sample, reducing the adverse effect of the adversarial sample on the model's final detection result and guiding the model to output a correct target detection result.
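As an added illustration of the formulas in claim 4 (not code from the patent), the block below applies the sign-gradient generation step and gradient descent on L_total to a two-feature logistic model standing in for the detector. The data, the linear model, the function names and the values of ε, λ and α are assumptions chosen so the example runs offline; full-batch updates are used in place of stochastic mini-batches to keep it deterministic.

```python
import math

# Constructed toy data (not from the patent): 2-D inputs with labels 1 / 0.
X = [(2.0, 1.0), (1.0, 2.0), (2.0, 2.0), (-2.0, -1.0), (-1.0, -2.0), (-2.0, -2.0)]
Y = [1, 1, 1, 0, 0, 0]

def predict(theta, x):
    """Sigmoid output of a linear model; theta = [w1, w2, b]."""
    z = theta[0] * x[0] + theta[1] * x[1] + theta[2]
    return 1.0 / (1.0 + math.exp(-z))

def loss(theta, x, y):
    """Cross-entropy J(x, y; theta)."""
    p = predict(theta, x)
    return -math.log(p) if y == 1 else -math.log(1.0 - p)

def sign(v):
    return (v > 0) - (v < 0)

def fgsm(theta, x, y, eps):
    """x_adv = x + eps * sign(grad_x J); for this model grad_x J = (p - y) * w."""
    g = predict(theta, x) - y
    return tuple(xi + eps * sign(g * wi) for xi, wi in zip(x, theta))

def total_loss(theta, eps, lam):
    """L_total = L_normal + lam * L_adv, each averaged over the data set."""
    n = len(X)
    l_normal = sum(loss(theta, x, y) for x, y in zip(X, Y)) / n
    l_adv = sum(loss(theta, fgsm(theta, x, y, eps), y) for x, y in zip(X, Y)) / n
    return l_normal + lam * l_adv

def train(eps=0.5, lam=1.0, alpha=0.1, epochs=200):
    """Gradient descent: theta <- theta - alpha * grad_theta L_total."""
    theta = [0.0, 0.0, 0.0]
    for _ in range(epochs):
        grad = [0.0, 0.0, 0.0]
        for x, y in zip(X, Y):
            # Each sample contributes its clean and its adversarial version.
            for xs, weight in ((x, 1.0), (fgsm(theta, x, y, eps), lam)):
                g = weight * (predict(theta, xs) - y) / len(X)
                grad = [grad[0] + g * xs[0], grad[1] + g * xs[1], grad[2] + g]
        theta = [t - alpha * d for t, d in zip(theta, grad)]
    return theta

def robust_accuracy(theta, eps):
    """Fraction of samples still classified correctly after perturbation."""
    hits = sum((predict(theta, fgsm(theta, x, y, eps)) > 0.5) == (y == 1)
               for x, y in zip(X, Y))
    return hits / len(X)
```

Calling `train(lam=0.0)` gives ordinary training on the clean samples only, which can be compared with the default through `total_loss` and `robust_accuracy`.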
Description
Technical Field
The invention relates to the technical field of neural network model optimization within adversarial attack and defense technology, and in particular to a method for enhancing the resistance of a YOLO11 model to adversarial samples.
Background
Computer vision technology is widely used in critical fields. Owing to its fast detection speed and high accuracy, YOLOv11 is widely deployed in fields such as security monitoring and intelligent transportation. However, lawbreakers may overlay misleading information by simple means, and the traditional YOLOv11 model is extremely vulnerable to this interference. In terms of technical principle, YOLOv11 is built on a deep learning framework, which is inherently oversensitive to small changes in input data. An attacker can exploit this weakness and make the model output deviate from the true result merely by carefully constructing finely perturbed data. Previous research on model security has focused on defending against single types of attack and lacks a comprehensive response to complex malicious tampering situations; alternatively, the improvement measures severely slow down model detection, so that application scenarios with strict real-time requirements cannot be served. An innovative and efficient method is therefore urgently needed that strengthens resistance to malicious tampering specifically for YOLOv11, filling the gap in the prior art and ensuring that the model runs stably and reliably under complex interference.
Disclosure of Invention
The invention aims to provide a method for enhancing the resistance of a YOLO11 model to adversarial samples, so that the model still maintains high target detection accuracy and reliable performance when facing potential adversarial sample interference, further expanding its range of application and better serving various practical application scenarios.
To achieve the above object, the present invention provides a method for enhancing the resistance of a YOLO11 model to adversarial samples, comprising adversarial sample generation and immune training.
In the adversarial sample generation, an initial perturbation amplitude and direction are set using a gradient-based iterative algorithm, according to the feature dimensions of the input data to which each layer of the model is sensitive; an initial adversarial sample set for the YOLOv11 model is generated from a batch of original sample data; and the perturbation calculation is dynamically adjusted according to the gradient information of the model loss function, ensuring that each generated adversarial sample stays within a preset visual similarity range of its original sample while still inducing the model to make an erroneous recognition.
The immune training comprises: constructing a mixed training data set by mixing the complete adversarial sample set with the original training sample set in a dynamic proportion, the initial proportion being set according to the initial training stability of the model and the aggressiveness of the adversarial samples, and adjusted in real time according to performance feedback during iterative training of the model; configuring the immune training parameters of the YOLOv11 model by setting a decaying learning rate strategy that gradually reduces the learning rate with the training rounds, adopting mini-batch stochastic gradient descent, and dynamically optimizing the batch size according to the convergence speed of the model; and, during training, performing joint back-propagation over the model's differing outputs for the normal samples and the adversarial samples in the mixed data set, continuously correcting the weight parameters in the model so that it gradually acquires the ability to accurately distinguish normal targets from maliciously tampered ones, until a preset immune training convergence criterion is met, ensuring that the model maintains high-accuracy recognition performance when facing maliciously tampered recognition targets.
Further, in the adversarial sample generation, dynamically adjusting the perturbation calculation according to the gradient information of the model loss function is a gradient-guided perturbation generation step: a gradient-guided perturbation generation mode is developed by deeply analyzing the network structure of the YOLO11 model and the gradient changes of each layer when an image is processed; the gradient of the model with respect to the input image is obtained by the back-propagation algorithm, and the key regions and feature dimensions that strongly influence the model's output decision are precisely located; small perturbations are then added at these key positions according to the direction and strength of the gradient, the amplitude of the perturbation is strictly controll