
CN-122023957-A - Countermeasure sample generation method based on wavelet transformation


Abstract

The invention discloses an adversarial sample generation method based on wavelet transform, comprising the following steps: S1, composition of the generator G and the discriminator D; S2, wavelet transform; S3, ELA; S4, adversarial training; S5, data augmentation; S6, Wavelet-AdvGAN; S7, Frequency Sub-band Discrepancy; S8, Wavelet Transform Local Features; S9, experimental data set; S10, evaluation metrics; and S11, comparison methods. Compared with the prior art, the Wavelet-AdvGAN method improves the sparsity of the perturbation through the FSD and WTLF modules, and limits the amplitude of the perturbation by adding to the loss function a boundary loss that takes the FSD loss as a reference, thereby improving the authenticity of the adversarial samples. On the CIFAR-10 data set, Wavelet-AdvGAN generates adversarial perturbations with high sparsity and achieves a higher attack success rate against the target model.

Inventors

  • BI MENG
  • WANG BAIYU
  • YU WEI
  • LIU JIAFENG

Assignees

  • Shenyang University of Technology (沈阳工业大学)

Dates

Publication Date
20260512
Application Date
20250326

Claims (10)

  1. A method for generating adversarial samples based on wavelet transform, characterized by comprising the following steps: S1, generator G and discriminator D, wherein G generates data from random noise with the goal of approximating the real sample distribution, and D classifies input data and judges whether it comes from the real distribution or was generated by G; S2, wavelet transform, namely decomposing a signal into a superposition of wavelet functions at different scales, wherein the wavelet transform provides localized information in the time domain and the frequency domain simultaneously; S3, ELA, namely accurately capturing local and global features, effectively improving the performance of image classification and object detection tasks while reducing the number of parameters; S4, adversarial training, wherein the model is trained on the original samples together with adversarial samples (for example, generated by FGSM) to enhance the robustness of the model; S5, data augmentation, namely increasing diversity, dynamically adjusting augmentation intensity, introducing a regularizer and adopting a spatial combination technique, so that the adversarial training process is significantly optimized, the fitting problem is alleviated, and model robustness is improved; S6, Wavelet-AdvGAN, wherein Wavelet-AdvGAN is composed of four parts, namely a generator G, a discriminator D, a target model f and a frequency sub-band discrepancy module; S7, Frequency Sub-band Discrepancy, wherein the original sample X_real and the adversarial sample X_adv are each subjected to a two-dimensional discrete wavelet transform to obtain frequency maps of different frequencies; S8, Wavelet Transform Local Features, wherein the design of the wavelet transform local feature module is inspired by two-dimensional wavelet convolution and the ELA attention mechanism, and a new deep learning model is provided by combining the advantages of the two technologies; S9, experimental data sets, wherein the design of the wavelet transform local feature module is inspired by two-dimensional wavelet convolution and the ELA attention mechanism, and a new deep learning model is provided by combining the advantages of the two technologies; S10, evaluation metrics, wherein the attack success rate (ASR) measures the attack effect of adversarial samples on the target model, and a higher attack success rate means the adversarial samples are more effective against the model; S11, comparison methods, wherein the experiments select AdvGAN, AIGAN, GE-AdvGAN, FGSM, PGD and C&W as comparison methods to evaluate the Wavelet-AdvGAN method.
  2. The method for generating adversarial samples based on wavelet transform according to claim 1, wherein in step S1, in the initial stage, the quality of the samples output by G is poor, and D can easily distinguish real samples from generated ones and is optimized using real and generated data. G then continuously adjusts its parameters through the gradient fed back by D, so that the generated samples gradually approach the real distribution.
  3. The method for generating adversarial samples based on wavelet transform according to claim 1, wherein in step S2 wavelet basis functions of the same type are subjected to translation, scaling, decomposition and reconstruction operations, so as to realize a local feature expression of the signal at multiple scales.
  4. The method for generating adversarial samples based on wavelet transform according to claim 1, wherein in step S3 ELA exhibits a significant performance improvement and a lower computational cost on multiple visual tasks compared with conventional spatial attention methods.
  5. The method for generating adversarial samples based on wavelet transform according to claim 1, wherein in step S4 existing research emphasizes the importance of adversarial training in improving the defense of deep neural networks against adversarial perturbations, and covers its effectiveness in different application scenarios, such as backdoor attack defense, generalization performance optimization and cross-domain application, as well as discussion of economy and future research directions.
  6. The method for generating adversarial samples based on wavelet transform according to claim 1, wherein the online instance-level data augmentation strategy in step S5 not only effectively reduces the search cost of the augmentation strategy, but also further improves the stability and reliability of the model under adversarial attack.
  7. The method for generating adversarial samples based on wavelet transform according to claim 1, wherein in step S6, G is responsible for generating the perturbation, and D is responsible for discriminating between generated samples and original samples and for guiding the training of G.
  8. The method for generating adversarial samples based on wavelet transform according to claim 1, wherein the algorithm by which Wavelet-AdvGAN generates adversarial samples in step S6 is as follows:
  9. The method for generating adversarial samples based on wavelet transform according to claim 1, wherein step S7 calculates a frequency sub-band discrepancy loss:
  10. The method for generating adversarial samples based on wavelet transform according to claim 1, wherein in S10 a given adversarial sample generation method generates m adversarial samples, of which n successfully attack the target model, and the attack success rate can be calculated by the following formula 6: The L0 norm refers to the number of elements that differ between the adversarial sample and the original sample; it measures the number of pixels changed in the adversarial sample. The L2 norm, also known as the Euclidean distance, is the square root of the sum of the squared differences between the adversarial sample and the original sample. The L∞ norm measures the maximum difference between the adversarial sample and the original sample in any dimension. These three norms provide different measures of the perturbation, with smaller values representing a smaller magnitude of perturbation added to the adversarial sample.
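
The perturbation measures of claim 10 and the sub-band comparison of step S7, as an added example for evaluating model robustness that is not part of the patent text. Formula 6 and the FSD loss are not reproduced on this page, so the ASR as n/m over untargeted misclassifications and the mean absolute sub-band gap are assumptions; the function names, the single-level Haar wavelet, the 4x4 samples and the labels are constructed for illustration.

```python
import math

def haar_dwt2(img):
    """Single-level 2-D Haar DWT of an even-sized grid; returns the four sub-bands."""
    bands = {k: [] for k in ("LL", "LH", "HL", "HH")}
    for i in range(0, len(img), 2):
        rows = {k: [] for k in bands}
        for j in range(0, len(img[0]), 2):
            a, b, c, d = img[i][j], img[i][j + 1], img[i + 1][j], img[i + 1][j + 1]
            rows["LL"].append((a + b + c + d) / 2)  # local average
            rows["LH"].append((a + b - c - d) / 2)  # top-vs-bottom detail
            rows["HL"].append((a - b + c - d) / 2)  # left-vs-right detail
            rows["HH"].append((a - b - c + d) / 2)  # diagonal detail
        for k in bands:
            bands[k].append(rows[k])
    return bands

def subband_gap(x_real, x_adv):
    """Mean absolute coefficient difference per sub-band (illustrative, not the patent's FSD loss)."""
    real, adv = haar_dwt2(x_real), haar_dwt2(x_adv)
    gap = {}
    for k in real:
        diffs = [abs(p - q) for r1, r2 in zip(real[k], adv[k]) for p, q in zip(r1, r2)]
        gap[k] = sum(diffs) / len(diffs)
    return gap

def perturbation_norms(x_real, x_adv):
    """L0 (changed pixels), L2 (Euclidean) and L-infinity (largest change) of x_adv - x_real."""
    d = [q - p for r1, r2 in zip(x_real, x_adv) for p, q in zip(r1, r2)]
    return {"l0": sum(v != 0 for v in d),
            "l2": math.sqrt(sum(v * v for v in d)),
            "linf": max(abs(v) for v in d)}

def attack_success_rate(true_labels, adv_predictions):
    """n / m: share of the m adversarial samples the target model misclassifies (assumed untargeted)."""
    n = sum(t != p for t, p in zip(true_labels, adv_predictions))
    return n / len(true_labels)

# Constructed 4x4 grey-level samples: one sparse and one dense perturbation of a flat image.
X_REAL = [[0.5] * 4 for _ in range(4)]
X_SPARSE = [row[:] for row in X_REAL]
X_SPARSE[0][0], X_SPARSE[2][3] = 1.0, 0.25
X_DENSE = [[v + 0.125 for v in row] for row in X_REAL]

if __name__ == "__main__":
    for name, x_adv in (("sparse", X_SPARSE), ("dense", X_DENSE)):
        print(name, perturbation_norms(X_REAL, x_adv), subband_gap(X_REAL, x_adv))
    print("ASR", attack_success_rate([3, 5, 1, 7], [3, 2, 4, 0]))
```

The sparse perturbation has the lower L0 but spreads equally over all four sub-bands, while the dense uniform one has the lower L∞ and shows up only in LL, which is why the norms and the sub-band view are reported side by side.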

Description

Countermeasure sample generation method based on wavelet transformation

Technical Field

The invention relates to the technical field of adversarial samples, in particular to a method for generating adversarial samples based on wavelet transform.

Background

Adversarial samples are key tools for evaluating the robustness of deep neural networks and revealing their potential security vulnerabilities. Adversarial sample generation methods based on generative adversarial networks have made remarkable progress in generating image adversarial samples, but still have shortcomings in the sparsity and transferability of the adversarial samples. To solve these problems, the present study proposes an image adversarial sample generation method, Wavelet-AdvGAN, and designs a Frequency Sub-band Discrepancy (FSD) module and a Wavelet Transform Local Feature (WTLF) extraction module. The method evaluates the difference between an original sample and an adversarial sample from the perspective of the frequency domain to limit the amplitude of the perturbation, and can strengthen feature regions, further enhancing the attack effect of the adversarial samples and improving their sparsity and transferability. Experimental results show that, under the two defense strategies of data augmentation and adversarial training, the Wavelet-AdvGAN method improves the attack success rate by 1.26% on average and improves attack transferability by 2.7% on average. In addition, the method has a lower L0 norm and better perturbation sparsity, and can effectively evaluate the robustness of deep neural networks.

Disclosure of Invention

The technical problem to be solved by the invention is to overcome the above technical defects and provide an adversarial sample generation method based on wavelet transform.
To solve the above problems, the method for generating adversarial samples based on wavelet transform comprises the following steps: S1, generator G and discriminator D, wherein G generates data from random noise with the goal of approximating the real sample distribution, and D classifies input data and judges whether it comes from the real distribution or was generated by G; S2, wavelet transform, namely decomposing a signal into a superposition of wavelet functions at different scales, wherein the wavelet transform provides localized information in the time domain and the frequency domain simultaneously; S3, ELA, namely accurately capturing local and global features, effectively improving the performance of image classification and object detection tasks while reducing the number of parameters; S4, adversarial training, wherein the model is trained on the original samples together with adversarial samples (for example, generated by FGSM) to enhance the robustness of the model; S5, data augmentation, namely increasing diversity, dynamically adjusting augmentation intensity, introducing a regularizer and adopting a spatial combination technique, so that the adversarial training process is significantly optimized, the fitting problem is alleviated, and model robustness is improved; S6, Wavelet-AdvGAN, wherein Wavelet-AdvGAN is composed of four parts, namely a generator G, a discriminator D, a target model f and a frequency sub-band discrepancy module; S7, Frequency Sub-band Discrepancy, wherein the original sample X_real and the adversarial sample X_adv are each subjected to a two-dimensional discrete wavelet transform to obtain frequency maps of different frequencies; S8, Wavelet Transform Local Features, wherein the design of the Wavelet Transform Local Feature (WTLF) module is inspired by two-dimensional wavelet convolution and the ELA attention mechanism, and a new deep learning module is provided by combining the advantages of the two technologies; S9, experimental data sets, wherein the design of the wavelet transform local feature module is inspired by two-dimensional wavelet convolution and the ELA attention mechanism, and a new deep learning model is provided by combining the advantages of the two technologies; S10, evaluation metrics, wherein the attack success rate (ASR) measures the attack effect of adversarial samples on the target model, and a higher attack success rate means the adversarial samples are more effective against the model; S11, comparison methods, wherein the experiments select AdvGAN, AIGAN, GE-AdvGAN, FGSM, PGD and C&W as comparison methods to evaluate the Wavelet-AdvGAN method.

Further, in the initial stage of step S1, the quality of the samples output by G is poor, and D can easily distinguish real samples from generated ones and is optimized using real and generated data. G then continuously adjusts its parameters through the gradient fed back by D, so that the generated samples gradually approach the real distribution.

Further, the wavelet basis functions of the same type in step S2 realize the local feature expression of the signals on multip