CN-122023969-A - Method and system for generating countermeasure sample based on multi-scale frequency domain decomposition
Abstract
The invention discloses a method and a system for generating adversarial samples (rendered as "countermeasure samples" in the title) based on multi-scale frequency domain decomposition, and belongs to the field of artificial intelligence security. It concerns adversarial attack and robustness evaluation of deep learning models: an input image is decomposed into several frequency-scale spaces, and targeted perturbations are applied adaptively to different frequency bands by combining human visual perception characteristics with an analysis of the deep neural network's frequency-domain sensitivity, so that adversarial samples with high imperceptibility and strong transferability are generated.
Inventors
- Chen Qiangpu
- Pan Zulie
- Li Yuwei
- Xu Chengxi
- Shen Yi
- Zheng Yifan
- Li Li
Assignees
- 中国人民解放军国防科技大学 (National University of Defense Technology)
Dates
- Publication Date: 20260512
- Application Date: 20260413
Claims (7)
- 1. A method of adversarial sample generation based on multi-scale frequency domain decomposition, the method comprising: S1, receiving an original image and a target deep learning model at an input layer; S2, calling a multi-scale frequency domain decomposition module, which performs wavelet decomposition on the original image to obtain sub-band decomposition results at different frequency levels; S3, calling a frequency band sensitivity analysis module, which quantifies the sensitivity of the target deep learning model to different frequency bands based on the sub-band decomposition results and generates a frequency band weight map; S4, calling a visual perception constraint module, which describes human visual characteristics with a contrast sensitivity function to determine perturbation upper bounds for the different frequency bands; S5, calling a perturbation generation and optimization module, which performs multi-scale joint optimization based on the per-band perturbation upper bounds and the frequency band weight map to obtain the optimal frequency band perturbation; S6, reconstructing the adversarial sample from the optimal frequency band perturbation at the output layer.
- 2. The method for generating an adversarial sample based on multi-scale frequency domain decomposition according to claim 1, wherein in S2 the multi-scale frequency domain decomposition module performs wavelet decomposition on the original image to obtain sub-band decomposition results at different frequency levels, wherein, given the number of decomposition levels, LL denotes the low-frequency approximation sub-band, LH the horizontal detail sub-band, HL the vertical detail sub-band and HH the diagonal detail sub-band; the first-level decomposition acts on the original image and yields the first-level low-frequency approximation sub-band, horizontal detail sub-band, vertical detail sub-band and diagonal detail sub-band; the second-level decomposition acts only on the first-level low-frequency approximation sub-band and yields the second-level low-frequency approximation sub-band, horizontal detail sub-band, vertical detail sub-band and diagonal detail sub-band; and so on, each further level acts only on the low-frequency approximation sub-band of the previous level and yields that level's low-frequency approximation sub-band, horizontal detail sub-band, vertical detail sub-band and diagonal detail sub-band; the final sub-band decomposition results across frequency levels consist of the nth-level low-frequency approximation sub-band together with the detail sub-bands of all levels.
- 3. The method for generating an adversarial sample based on multi-scale frequency domain decomposition according to claim 2, wherein in S3 the frequency band sensitivity analysis module quantifies the sensitivity of the target deep learning model to different frequency bands based on the sub-band decomposition results and generates a frequency band weight map, comprising: S31, organizing the decomposed sub-bands as a differentiable tensor representation; S32, computing a classification loss by forward propagation through the target deep learning model, wherein for a non-targeted attack the classification loss is the cross entropy (CE) computed from the original image and its original true label, and for a targeted attack the classification loss is defined with respect to a target label; S33, computing, by an automatic differentiation mechanism, the gradient of the classification loss with respect to every wavelet coefficient of the sub-band decomposition results, wherein each sub-band has a decomposition coefficient matrix and a corresponding gradient matrix, and the absolute value of each gradient entry describes how strongly a change in that decomposition coefficient influences the classification result; S34, computing a sensitivity index for each sub-band, the index involving a balance coefficient, where mean denotes the mean and std denotes the standard deviation; S35, normalizing the sensitivity indices of all sub-bands to generate the frequency band weight map, the normalization involving a temperature parameter and ranging over all candidate sub-bands.
- 4. The method for generating an adversarial sample based on multi-scale frequency domain decomposition according to claim 3, wherein in S4 the visual perception constraint module describes human visual characteristics with a contrast sensitivity function to determine the perturbation upper bounds of the different frequency bands, specifically comprising: the minimum contrast the human eye needs to detect visual stimuli at different spatial frequencies is described by the contrast sensitivity function (CSF), which is modelled with the Mannos-Sakrison model as a function of the spatial frequency of each sub-band; a visibility threshold is set for each sub-band based on the CSF, using a proportionality constant; the perturbation upper bound is then derived from the visibility threshold using a safety factor.
- 5. The method for generating an adversarial sample based on multi-scale frequency domain decomposition according to claim 4, wherein in S5 the perturbation generation and optimization module performs multi-scale joint optimization based on the per-band perturbation upper bounds and the frequency band weight map to obtain the optimal frequency band perturbation, specifically comprising: S51, initializing the perturbation in the frequency domain to obtain an initialized perturbation, and setting the number of iterations and the base learning rate; S52, performing iterative optimization, where each iteration: reconstructs the image corresponding to the currently perturbed frequency-domain coefficients by inverse wavelet transform; computes the comprehensive loss and its gradient with respect to each sub-band coefficient; adjusts the gradient according to the frequency band weight map by element-by-element multiplication to obtain a weighted gradient; updates the perturbation by an update formula in which the perturbation of the next iteration is obtained from the perturbation of the current iteration and a function that takes the sign of each element of the gradient vector, so that the perturbation moves along the gradient direction; and projects the updated perturbation into the feasible region, applying to each sub-band an element-wise truncation function that limits the perturbation factor on that sub-band after the current iteration to a given interval; S53, performing a convergence check: if the attack has succeeded the iteration is terminated early, otherwise it continues until the maximum number of iterations is reached; S54, obtaining the optimal frequency band perturbation.
- 6. The method for generating an adversarial sample based on multi-scale frequency domain decomposition according to claim 5, wherein in S6 the adversarial sample is reconstructed from the optimal frequency band perturbation at the output layer, comprising: reconstructing a spatial-domain image from the optimal frequency band perturbation, and obtaining the final adversarial sample through numerical clipping, data type conversion and color space conversion.
- 7. An adversarial sample generation system based on multi-scale frequency domain decomposition, the system comprising: an input module configured to receive an original image and a target deep learning model; a multi-scale frequency domain decomposition module configured to perform wavelet decomposition on the original image to obtain sub-band decomposition results at different frequency levels; a frequency band sensitivity analysis module configured to quantify the sensitivity of the target deep learning model to different frequency bands based on the sub-band decomposition results and to generate a frequency band weight map; a visual perception constraint module configured to describe human visual characteristics with a contrast sensitivity function to determine perturbation upper bounds for the different frequency bands; a perturbation generation and optimization module configured to perform multi-scale joint optimization based on the per-band perturbation upper bounds and the frequency band weight map to obtain the optimal frequency band perturbation; and an output module configured to reconstruct the adversarial sample from the optimal frequency band perturbation.
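As an added, self-contained NumPy illustration of claims 2 and 3 (this is not code from the patent or its inventors): a multi-level orthonormal Haar decomposition with its exact inverse, and a frequency band weight map built from per-coefficient gradients. The Haar wavelet, the sensitivity index mean|G| + λ·std|G| and the temperature softmax are assumptions, since the claims as reproduced above omit their formulas; the shortcut of obtaining every sub-band gradient by forward-transforming the pixel-space gradient holds for any orthonormal wavelet and replaces the differentiable-tensor bookkeeping of S31.

```python
import numpy as np
R2 = np.sqrt(2.0)

def haar2d(x):
    """One level of the orthonormal 2-D Haar DWT on an even-sized array."""
    a = (x[0::2, :] + x[1::2, :]) / R2        # low-pass down the columns
    d = (x[0::2, :] - x[1::2, :]) / R2        # high-pass down the columns
    LL = (a[:, 0::2] + a[:, 1::2]) / R2       # approximation
    LH = (a[:, 0::2] - a[:, 1::2]) / R2       # "horizontal detail" in claim 2's labelling
    HL = (d[:, 0::2] + d[:, 1::2]) / R2       # "vertical detail"
    HH = (d[:, 0::2] - d[:, 1::2]) / R2       # "diagonal detail"
    return LL, LH, HL, HH

def ihaar2d(LL, LH, HL, HH):
    """Exact inverse of haar2d (the transform is orthonormal, so W^-1 = W^T)."""
    a = np.empty((LL.shape[0], 2 * LL.shape[1])); d = np.empty_like(a)
    a[:, 0::2], a[:, 1::2] = (LL + LH) / R2, (LL - LH) / R2
    d[:, 0::2], d[:, 1::2] = (HL + HH) / R2, (HL - HH) / R2
    x = np.empty((2 * a.shape[0], a.shape[1]))
    x[0::2, :], x[1::2, :] = (a + d) / R2, (a - d) / R2
    return x

def decompose(img, n):
    """Claim 2: n levels, each level re-splitting only the previous LL band."""
    bands, ll = {}, np.asarray(img, dtype=float)
    for j in range(1, n + 1):
        ll, bands[f"LH{j}"], bands[f"HL{j}"], bands[f"HH{j}"] = haar2d(ll)
    bands[f"LL{n}"] = ll
    return bands

def reconstruct(bands, n):
    """Inverse transform back to the spatial domain (as in S52 and S6)."""
    ll = bands[f"LL{n}"]
    for j in range(n, 0, -1):
        ll = ihaar2d(ll, bands[f"LH{j}"], bands[f"HL{j}"], bands[f"HH{j}"])
    return ll

def band_weight_map(pixel_grad, n, lam=0.5, tau=1.0):
    """Claim 3, S33-S35. Orthonormality means dL/dcoeff = decompose(dL/dpixel), so one
    pixel-space gradient gives every sub-band gradient. Assumed forms (the claim's
    formulas are absent): s_k = mean|G_k| + lam*std|G_k|, w = softmax(s / tau)."""
    grads = decompose(pixel_grad, n)
    s = {k: np.abs(g).mean() + lam * np.abs(g).std() for k, g in grads.items()}
    z = np.array(list(s.values())) / tau
    w = np.exp(z - z.max()); w /= w.sum()     # numerically stable softmax
    return dict(zip(s, w))

# Constructed inputs: a random 8x8 image and a +1/-1 checkerboard pixel gradient that excites only HH1.
IMG = np.random.default_rng(0).random((8, 8))
CHECKER_GRAD = np.where(np.indices((8, 8)).sum(0) % 2 == 0, 1.0, -1.0)
```

For the checkerboard gradient every band except HH1 is exactly zero, so HH1 receives the largest weight; this is the kind of per-band sensitivity profile a defender can compute for a deployed model to decide which bands a frequency-domain filter or detector should cover.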
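The claim-4 perceptual bound as an added example (not the patent's code): the Mannos-Sakrison contrast sensitivity function, a per-band visibility threshold and the resulting per-band perturbation ceiling. The band-to-frequency mapping, the assumed display Nyquist frequency of 16 cycles/degree, and the proportional-threshold and safety-factor formulas are assumptions, since the claim omits its expressions; only the CSF formula itself is the published Mannos-Sakrison model.

```python
import math

def csf_mannos_sakrison(f_cpd):
    """Mannos-Sakrison contrast sensitivity at spatial frequency f (cycles/degree):
    A(f) = 2.6 * (0.0192 + 0.114 f) * exp(-(0.114 f)^1.1), peaking near 8 cpd."""
    return 2.6 * (0.0192 + 0.114 * f_cpd) * math.exp(-((0.114 * f_cpd) ** 1.1))

def subband_frequency(level, nyquist_cpd):
    """Assumed band-to-frequency mapping (not given in the claim): a detail band at
    level j covers roughly (f_N / 2^j, f_N / 2^(j-1)); use its geometric centre."""
    return nyquist_cpd / 2 ** level * math.sqrt(2)

def perturbation_bounds(levels, nyquist_cpd=16.0, c=1.0, safety=0.5):
    """Claim 4, S4: visibility threshold T_k = c / CSF(f_k) for each sub-band k, then
    upper bound eps_k = safety * T_k. The proportional and safety-factor forms are
    assumed; the claim names the constants but its formulas are missing from the page.
    nyquist_cpd is the display's Nyquist frequency in cycles/degree (assumed 16)."""
    bounds = {}
    for j in range(1, levels + 1):
        t = c / csf_mannos_sakrison(subband_frequency(j, nyquist_cpd))
        for name in ("LH", "HL", "HH"):
            bounds[f"{name}{j}"] = safety * t
    # the final approximation band LL_n lies one octave below the coarsest detail band
    f_ll = subband_frequency(levels + 1, nyquist_cpd)
    bounds[f"LL{levels}"] = safety * c / csf_mannos_sakrison(f_ll)
    return bounds
```

With three levels and the assumed viewing geometry, level 2 (about 5.7 cpd) sits closest to the CSF peak and therefore gets the tightest ceiling, which is also where a frequency-domain detector should expect the least perturbation energy from a CSF-constrained attack.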
Description
Technical Field
The invention belongs to the field of artificial intelligence security, and in particular relates to a method and a system for generating adversarial samples based on multi-scale frequency domain decomposition.
Background
Deep neural networks (DNNs) have achieved remarkable success in computer vision tasks such as image classification, object detection and semantic segmentation, and are widely deployed in critical areas such as autonomous driving, medical diagnosis, face recognition and security monitoring. However, research has shown that deep neural networks are extremely sensitive to carefully designed small perturbations: an attacker can add perturbations to the original input image that are imperceptible to the human eye, producing so-called adversarial samples that cause an otherwise well-performing deep learning model to make false predictions. This hazard poses a serious threat to critical application systems that rely on deep learning; in an autonomous driving scenario, for example, an adversarial sample may cause the vehicle to misjudge traffic signs and lead to serious accidents. Research into the generation mechanism of adversarial samples and the corresponding defenses is therefore of theoretical and practical importance for improving the robustness and security of deep learning systems.
Current research into adversarial sample generation focuses mainly on the spatial domain; representative methods include the Fast Gradient Sign Method (FGSM), Projected Gradient Descent (PGD) attacks, the C&W attack and DeepFool. These methods compute the gradient of a loss function with respect to the input image and add the perturbation directly in the image's spatial domain. Specifically, FGSM generates an adversarial sample quickly through a single gradient-ascent step, which is computationally efficient but limited in attack success rate; PGD strengthens the attack through multi-step iteration and projection at a higher computational cost; and the C&W attack finds a minimal perturbation by optimizing an objective function, achieving a strong attack effect but with a complex and time-consuming optimization process.
Although these spatial domain methods work in certain scenarios, they share three limitations. First, the perturbations added by spatial domain methods are typically concentrated in the high-frequency components of the image and appear as noise-like texture. Such high-frequency perturbations satisfy the pixel-level imperceptibility constraint, but their frequency-domain distribution is clearly anomalous, so they are easily detected and filtered by defenses based on frequency-domain analysis. In recent years, defenses such as JPEG compression, Gaussian filtering and feature squeezing have been designed around the high-frequency character of adversarial perturbations, and they can effectively attenuate or even eliminate the adversarial effect of spatial domain attacks. Second, adversarial samples generated by spatial domain methods tend to transfer poorly: samples generated against a particular model rarely attack other models effectively. This arises mainly because spatial domain perturbations overfit the specific decision boundary of the target model and do not exploit vulnerabilities common to models in general. In a real black-box attack scenario the attacker typically cannot obtain details of the target model, so the transferability of adversarial samples is crucial for practical security assessment. Third, existing spatial domain methods give little consideration to the perceptual characteristics of the human visual system when designing perturbations, relying mainly on simple norm constraints (such as the L-infinity or L2 norm) to limit perturbation amplitude. The sensitivity of the human eye differs markedly across frequency components, however, and simple norm constraints do not exploit this characteristic to optimize the imperceptibility of the perturbation.
In view of these limitations of spatial domain approaches, some researchers have begun to explore frequency-domain adversarial approaches. These methods typically use a Discrete Cosine Transform (DCT) or a Fourier transform to convert the image to the frequency domain and then add the perturbation to the frequency-domain coefficients. However, the existing frequency domain methods have the following defects: firstly, most of the frequency domain methods