[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN112200380B - Method and device for optimizing risk detection model - Google Patents

Method and device for optimizing risk detection model Download PDF

Info

Publication number
CN112200380B
CN112200380B CN202011147798.4A CN202011147798A CN112200380B CN 112200380 B CN112200380 B CN 112200380B CN 202011147798 A CN202011147798 A CN 202011147798A CN 112200380 B CN112200380 B CN 112200380B
Authority
CN
China
Prior art keywords
sample
risk
loss
original
detection model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011147798.4A
Other languages
Chinese (zh)
Other versions
CN112200380A (en
Inventor
李辉
李勇锋
金宏
王维强
宋乐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd filed Critical Alipay Hangzhou Information Technology Co Ltd
Priority to CN202011147798.4A priority Critical patent/CN112200380B/en
Publication of CN112200380A publication Critical patent/CN112200380A/en
Application granted granted Critical
Publication of CN112200380B publication Critical patent/CN112200380B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/04Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • G06Q10/0635Risk analysis of enterprise or organisation activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/067Enterprise or organisation modelling
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02TCLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00Road transport of goods or passengers
    • Y02T10/10Internal combustion engine [ICE] based vehicles
    • Y02T10/40Engine management systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • Strategic Management (AREA)
  • Economics (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Marketing (AREA)
  • Operations Research (AREA)
  • Quality & Reliability (AREA)
  • Tourism & Hospitality (AREA)
  • Game Theory and Decision Science (AREA)
  • General Business, Economics & Management (AREA)
  • Development Economics (AREA)
  • Educational Administration (AREA)
  • Software Systems (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the specification provides a method and a device for optimizing a risk detection model, wherein the method comprises the steps of firstly acquiring a sample set, wherein the sample set comprises a normal sample with a first label value and an original risk sample with a second label value. And for each original risk sample, determining an antagonism risk sample obtained by carrying out potential attack transformation on the original risk sample by an attacker according to a loss function used for training the risk detection model and the current risk detection model. Then determining a first predicted loss of the risk detection model for each challenge risk sample and a second predicted loss for each normal sample based on the loss function; and determining a total predicted loss based at least on the first and second predicted losses. The model parameters of the risk detection model are then adjusted to optimize the risk detection model with the goal of minimizing the total predictive loss.

Description

Method and device for optimizing risk detection model
Technical Field
One or more embodiments of the present specification relate to the field of machine learning, and more particularly, to a method and apparatus for optimizing a risk detection model.
Background
The rapid development of machine learning has led to the application of various machine-learned models in a wide variety of business scenarios. For example, in a security and wind control scenario, some risk detection models have been trained by machine learning for identifying objects that are at risk or have potential safety hazards. For example, identifying spam accounts through risk detection models, identifying high risk transactions, identifying high risk operations, and so forth. Such risk objects are often intercepted after they are identified to ensure the security of the system and the user.
In view of the fact that the existing risk detection model is often insufficient in terms of robustness, an improved scheme is hoped to be provided, and the risk detection model can be optimized to improve the robustness, so that the method is better suitable for the attack and defense characteristics in a risk detection scene.
Disclosure of Invention
One or more embodiments of the present specification describe a method and apparatus for optimizing a risk detection model, which can optimize the risk detection model from the point of attack and defense countermeasure, and enhance the robustness and safety thereof.
According to a first aspect, there is provided a method of optimizing a risk detection model, comprising:
obtaining a sample set, wherein the sample set comprises a normal sample with a first label value and an original risk sample with a second label value;
for each original risk sample in the sample set, determining an antagonism risk sample obtained by potential attack transformation of an attacker on the original risk sample according to a loss function used for training the risk detection model and a current risk detection model;
determining a first predicted loss of the risk detection model for each challenge risk sample and a second predicted loss for each normal sample based on the loss function;
Determining a total predicted loss for the sample set based at least on the first predicted loss and a second predicted loss;
and adjusting model parameters of the risk detection model to optimize the risk detection model with the aim of minimizing the total prediction loss.
According to one embodiment, the loss value calculated for the first tag value using the loss function is reduced for the challenge risk sample relative to the corresponding original risk sample.
In one embodiment, determining an challenge risk sample obtained by performing potential attack transformation on the original risk sample by an attacker specifically includes: determining a transformation generating function for generating a transformation that minimizes a loss value calculated for the first tag value for the challenge risk sample after applying the transformation; and generating the attack transformation aiming at the original risk sample by utilizing the transformation generating function to obtain a corresponding countermeasure risk sample.
Further, in one example, determining the transform generation function may include: generating a first intermediate transformation by using a current generating function aiming at any first original risk sample in the sample set, and obtaining a first intermediate sample by superposing the first intermediate transformation on the first original risk sample; calculating a predicted value of a first intermediate sample by using a current risk detection model, and substituting the predicted value and the first label value into the loss function to obtain the countermeasures of the first intermediate sample against the first label value; determining an objective function comprising at least the sum of the countermeasures against losses of the intermediate samples corresponding to the respective original risk samples; and adjusting parameters in the current generation function with the aim of minimizing the target function, and determining the adjusted current generation function as the transformation generation function.
Further, in a specific example, the objective function further includes a sum or a square sum of absolute values of transformation amounts of the intermediate transformations corresponding to the respective original risk samples.
According to another embodiment, the challenge risk sample is increased relative to a corresponding original risk sample by a loss value calculated for a second tag value using the loss function.
In one embodiment, a corresponding challenge risk sample is determined based on a characteristic gradient of the loss function relative to the original risk sample such that a loss value between a predicted value of the current risk detection model for the challenge risk sample and the second label value is maximized.
Further, in one example, determining the corresponding challenge risk sample specifically includes: acquiring an original characteristic value of a sample characteristic of the original risk sample; determining a feature gradient of the loss function relative to the sample feature; determining the attack transformation according to the characteristic gradient and a preset transformation boundary by using a symbol function; and superposing the attack transformation on the original characteristic value to obtain a corresponding countermeasure risk sample.
In another example, determining the corresponding challenge risk sample may include performing a plurality of iterations, and obtaining a feature value from the plurality of iterations, where each iteration includes: acquiring a previous characteristic value of a sample characteristic of the original risk sample in a previous iteration; determining the current feature gradient of the loss function relative to the sample feature; and determining the updated characteristic value after the iteration according to the previous characteristic value, the characteristic gradient and a preset projection function.
In one embodiment, the method further comprises determining a third predicted loss of the risk detection model for each original risk sample based on the loss function; in such a case, the total predicted loss may be determined as a weighted sum of the first, second, and third predicted losses.
According to one embodiment, adjusting model parameters of the risk detection model specifically includes: determining a parameter gradient of the total predicted loss relative to the model parameter; and adjusting the parameter value of the model parameter along the direction of the decline of the parameter gradient.
In various embodiments, the sample may be one of the following: account number, transaction, text segment, user operation.
According to a second aspect, there is provided an apparatus for optimizing a risk detection model, comprising:
a sample set acquisition unit configured to acquire a sample set including a normal sample having a first tag value and an original risk sample having a second tag value;
the antagonism sample determining unit is configured to determine, for each original risk sample in the sample set, a antagonism risk sample obtained by performing potential attack transformation on the original risk sample by an attacker according to a loss function used for training the risk detection model and a current risk detection model;
A prediction unit configured to determine, based on the loss function, a first predicted loss of the risk detection model for each challenge risk sample and a second predicted loss for each normal sample;
a total loss determination unit configured to determine a total predicted loss for the sample set based at least on the first predicted loss and the second predicted loss;
and an adjustment unit configured to adjust model parameters of the risk detection model to optimize the risk detection model with the total prediction loss minimized as a target.
According to a third aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first aspect.
According to a fourth aspect, there is provided a computing device comprising a memory and a processor, characterised in that the memory has executable code stored therein, the processor implementing the method of the first aspect when executing the executable code.
According to the method and the device provided by the embodiment of the specification, in the countermeasure scene of risk detection, the corresponding countermeasure black sample is obtained by simulating attack transformation possibly performed on the black sample by an attacker, and then the risk detection model is optimized based on the countermeasure black sample. The risk detection model after optimization can improve the recognition efficiency on the anti-black sample, so that the anti-attack of the anti-black sample is well defended, and the robustness and the safety are enhanced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a schematic diagram of an optimized risk detection model according to one embodiment;
FIG. 2 illustrates a method flow diagram for optimizing a risk detection model, according to one embodiment;
FIG. 3 illustrates the steps of determining a transform generation function in one embodiment;
FIG. 4 illustrates a schematic diagram of an optimization apparatus according to one embodiment.
Detailed Description
The following describes the scheme provided in the present specification with reference to the drawings.
As previously mentioned, in security and wind-controlled scenarios, in order to identify high-risk business objects, some risk detection models have been trained by machine learning for detecting risk objects for interception or further security processing thereof.
Although various existing risk detection models have good effects in aspects of feature processing comprehensiveness, prediction accuracy and the like, the inventor realizes that a risk detection scene is actually a game scene of attack and defense countermeasure: on the one hand, the model algorithm tries to perform comprehensive analysis on the business object to identify the risk object, and on the other hand, tries to get around the analysis algorithm of the model by the partner of the risk object to make a profit, or attacks the model to try to break through the identification of the model. Therefore, the inventor proposes to optimize the risk detection model from the attack and defense angle so as to improve the robustness, better resist potential model attack and improve the attack and defense safety.
FIG. 1 illustrates a schematic diagram of an optimized risk detection model, according to one embodiment. As shown in fig. 1, the risk detection model is trained based on a training sample set. For better training, in general, the training sample set will include some normal samples, or white samples, and some risk samples, or black samples, to learn from different angles of the positive and negative samples. The sample may correspond to an object to be detected, such as an account number, a transaction, a user operation, text, and so forth. Based on such a sample set, a primarily trained risk detection model M0 may be obtained.
In the challenge scenario of risk detection, it is assumed that an attacker will typically transform a black sample in order for the risk detection model not to recognize it as a black sample. Thus, according to the embodiment of the present specification, the attack transformation that may be performed by an attacker can be simulated based on the current risk detection model, so as to obtain a corresponding anti-black sample. Such a challenge black sample is a challenge sample that an attacker may use, which reduces the detection efficacy of the risk detection model.
On the basis, the risk detection model is optimized based on the samples in the original sample set and the obtained anti-black samples, wherein the optimization goal comprises the reduction of the prediction loss of the anti-black samples, so that the identification efficiency of the anti-black samples is improved. Therefore, the robustness of the optimized risk detection model M1 is enhanced, and the attack of an attacker can be better resisted.
The implementation of the above inventive concept is described below.
It is to be understood that before optimizing the risk detection model, the model is first trained based on the sample set to obtain a preliminarily trained, current risk detection model.
Any ith sample in the set of samples can be denoted as (x i ,y i ) Wherein x is i Sample characteristics, y, representing the ith sample i Representing a corresponding tag value for showing whether the sample is a risk sample. Typically, the normal sample and the risk sample are represented by two different tag values, namely a first tag value and a second tag value, respectively. Typically, in the context of identifying risk samples, a white sample is usually represented by 0 and a black sample is represented by 1.
The sample may be various business objects to be detected, such as account numbers, transactions, text, user operations, and so on.
In one specific example, the sample is an account number. Accordingly, the risk sample may be a spam account, a water army account, a stolen account, or the like. For account number samples, sample characteristics may include, for example, a registration duration of the account number, registration information, a frequency of use for a recent period of time, a frequency of posting comments, and so forth.
In another example, the sample is a transaction. Accordingly, the risk sample may be a high risk transaction for fraud, cashing, etc. For a transaction sample, sample characteristics may include, for example, transaction amount, transaction time, payment channel, transaction party attribute information, and so forth.
In yet another example, the sample is text. Accordingly, the risk sample may be spam/text, advertising mail/text, illegal content text, etc. For text samples, sample characteristics mainly include characters in the text, text release time, source, and so on.
In other examples, the sample may also be other business objects. And not described in detail herein.
Based on the above sample set containing black and white samples, a risk detection model may be initially trained. The algorithmic process of the risk detection model may use a classification function f θ (x) The parameters of the classification function (i.e., model parameters) are denoted by θ, the input of the function is the sample feature x, and the output is the classification predicted value for the sample.
In the process of training the risk detection model, the current predicted loss condition of the model is measured by using a loss function L. Specifically, the input of the loss function L includes a predicted value of the model for a sample, and a label value y of the sample, the output of which has a loss value reflecting a difference between the predicted value and the label value. In different embodiments, the specific form of the loss function L may include, but is not limited to, a mean square error loss, a cross entropy loss, and the like.
In the model training process, the classification function f is continuously adjusted θ (x) The model parameter value theta in the model is calculated by using the loss function L, and the loss value of the batch samples tends to be the minimum value, and at the moment, the preliminary training of the model is finished, so that the current risk detection model is obtained.
On the basis, the risk detection model can be further optimized based on the thought of the attack and defense countermeasure game. FIG. 2 illustrates a method flow diagram for optimizing a risk detection model, according to one embodiment. It is understood that the method may be performed by any apparatus, device, platform, cluster of devices having computing, processing capabilities. As shown in fig. 2, the method includes the following steps.
First, in step 21, a sample set is obtained, which includes a normal sample having a first tag value and an original risk sample having a second tag value. As previously mentioned, any sample in the sample set can be denoted as (x) i ,y i ) When y is i At the first label value, the sample i is shown to be a normal sample or a white sample, when y i In the case of the second label value, this sample i is shown as a risk sample or a black sample. Typically, the first tag value may take a value of 0 and the second tag value may take a value of 1. In the following description, a set of normal samples is denoted as W (white samples), and a set of risk samples is denoted as B (black samples).
Next, in step 22, for each original risk sample, an opposing risk sample obtained by performing potential attack transformation on the original risk sample by an attacker is determined according to the loss function L used for training the risk detection model and the current risk detection model.
In this step, it is assumed that the purpose of the attacker's attack is to make the recognition ability of the risk detection model for the black sample lower. This may be embodied such that the generated challenge risk samples are reduced in loss value calculated for white sample label values or increased in loss value calculated for black sample label values using the loss function L relative to the corresponding original risk samples. Therefore, the method can be used for simulating the attack transformation of an attacker on the original risk sample, and obtaining the potential countermeasure risk sample.
Next, in step 23, a first predicted loss of the risk detection model for each challenge risk sample and a second predicted loss for each normal sample are determined using the loss function L.
Then, at step 24, a total predicted loss for the sample set is determined based at least on the first predicted loss and the second predicted loss.
Optionally, a third predicted loss of the risk detection model for each original risk sample may also be determined, and the total predicted loss may be obtained based on the first predicted loss, the second predicted loss, and the third predicted loss.
Then, in step 25, model parameters of the risk detection model are adjusted to optimize the risk detection model, targeting the minimization of the total predictive loss.
Specific implementations of the individual steps are described below in conjunction with specific examples.
According to one embodiment, in step 22, the objective of modeling the challenge risk samples is to reduce the loss value calculated for the white sample tag value using the loss function, such that the predicted value of the risk detection model for the challenge risk samples is closer to the white sample tag value, and thus easier to identify as a white sample.
In one embodiment, the behavior of an attacker is modeled under the above objectives, assuming that the attacker employs a transformation generation function to generate the transformation that minimizes the loss value calculated for the white sample tag value for the challenge risk sample after the transformation is applied. The transform generation function may be expressed as ρ s (x) Where s is a parameter of the transform generation function and x is a sample feature of the original black sample.
Thus, the step 22 of determining the challenge risk sample may include first determining the transformation generating function by simulating the behavior of an attacker; then, with this transformation generating function, an attack transformation is generated for each original risk sample, and then a corresponding challenge risk sample is obtained.
The transformation object of the transformation generating function can be used to determine the transformation generating function ρ in a variety of ways s (x) A. The invention relates to a method for producing a fibre-reinforced plastic composite Fig. 3 illustrates the steps of determining a transform generation function in one embodiment.
As shown in fig. 3, at step 31, for any original risk sample i (the sample feature is x i ) Generating an intermediate transformation ρ using a current generation function s (x i ) And by taking the original sample feature x i The intermediate transformation is superimposed to obtain an intermediate sample x is (x i )。
In step 32, the current risk detection model f is utilized θ Calculating the predicted value of the intermediate sample, i.e. f θ (x is (x i ) And substituting the predicted value and the white sample label value into a loss function L to obtain the counterloss of the intermediate sample for the white sample label value.
In step 33, an objective function J is determined on the basis of this, which comprises at least the sum of the challenge losses of the intermediate samples corresponding to the respective original risk samples.
Specifically, in one example, assuming that one of the white sample tag value and the black sample tag value is 0 and one is 1, the objective function J may be expressed as:
in the above formula (1), (x) i ,y i ) E B indicates that the operation is directed to black sample i in black sample set B, and therefore y i For black sample label value, 1-y i A white sample tag value; ρ s (x i ) For intermediate transformation, f θ (x is (x i ) A predicted value of the current risk detection model for the intermediate sample, and L is a loss function. Therefore, the objective function reflects the sum of the countermeasures against the loss of the white sample tag value for the intermediate samples corresponding to the respective black samples calculated using the loss function L.
Thus, in step 34, the generating function ρ may be continuously adjusted in the direction in which the objective function J decreases s So that the objective function J tends to reach a minimum. The thus adjusted generation function may be used as a desired transformation generation function.
In another example, the objective function J may be expressed as:
in the formula (2), c is a preset constant, and II is II 2 The magnitude of the vector can be indicated as the second-order norm, correspondingly, |ρ s (x i )‖ 2 The absolute value of the transform quantity of the intermediate transform may be indicated. It can be seen that in equation (2) the square of the norm of its intermediate transformation is calculated for each sample, in other examples only the second order norm itself (i.e. the first power) may be taken.
Inclusion of intermediate transformed normative terms in the objective function corresponds to the transform generation function ρ s Additional constraints are imposed. Such an objective function requires, in addition to the transformation generated by the transformation generating function, that the smaller the above-mentioned countermeasure loss is, the better the smaller the generated transformation amount is.
The desired transformation generating function can be obtained by continuously adjusting the parameter s of the transformation generating function in the direction in which the objective function decreases. In one example, the parameter s is graded by using the objective function J, and the parameter s is iteratively updated by means of gradient descent, so as to obtain a final transformation generating function.
In determining the transformation-generation function ρ employed by an attacker s On the basis of the above, a corresponding attack transformation can be generated for each original risk sample, so that a corresponding challenge risk sample is obtained.
Returning to fig. 2, in the next steps 23-24, the Loss function L may be utilized to determine the total predicted Loss of the risk detection model for the sample set containing the challenge risk samples.
In one specific example, the total predicted Loss may be expressed as:
the first term in the total loss of equation (3) is calculated for all samples in the original sample set (i.e., the union of white sample W and black sample B). In other embodiments, the first term may be simplified by performing an operation only on the white samples, so as to obtain the aforementioned second prediction loss.
The second term of equation (3) corresponds to the aforementioned first predictive loss, where λ is a preset weight coefficient, x is (x i ) I.e. the challenge risk samples obtained after applying the challenge transformation by means of the transformation generating function. Note that, equation (3) is a Loss used for optimizing the risk detection model, the label value of the Loss calculation for each sample is an original label value, and correspondingly, the label value in the second term is a black sample label value.
Then, next in step 25, the risk detection model f may be adjusted with the objective of minimizing the total predicted Loss shown in the above equation (3) θ To optimize the risk detection model. Specifically, in one example, the model parameter θ may be biased to obtain a gradient thereof, and the model parameter θ may be adjusted and updated in a gradient descent manner to optimize the model.
According to another embodiment, in step 22, the objective of simulating the challenge risk sample is to increase the loss value calculated for the black sample label value using the loss function, such that the risk detection model detects a decrease in efficacy for the predicted value of the challenge risk sample away from its true black sample label value.
In one embodiment, modeling the behavior of an attacker under the above objective, it is assumed that the attacker performs attack transformation δ for each black sample, and the attack transformation δ maximizes the loss value calculated for the black sample tag value for the anti-risk sample thus obtained. In other words, it is assumed that the attack transformation performed by the attacker for each black sample is the "worst case" attack transformation for the current risk detection model.
For the original black sample x i The "worst case" attack transformationCan be expressed as:
where S is a predefined transform space.
To determine the "worst case" attack transformation, in one embodiment, a corresponding challenge risk sample may be determined based on the aforementioned feature gradient of the loss function L relative to the original risk sample, such that a loss value between a predicted value for the challenge risk sample and a black sample label value for a current risk detection model calculated using the loss function is maximized.
More specifically, in one example, fast gradient symbology FGSM may be used to determine a worst case challenge risk sample for each black sample. Specifically, the process may include, for a certain risk sample, obtaining an original feature value of a sample feature x thereof; determining a feature gradient of a loss function L relative to the sample featureIn this step, the model parameter θ is set as a constant, and the sample feature x is set as a variable. Then using a sign function according to the characteristic gradient +.>And a preset transformation boundary E, determining attack transformation; and superposing the attack transformation on the original characteristic value to obtain a corresponding challenge risk sample.
In one specific example, the challenge risk sample may be expressed as:
wherein, E is a preset transformation boundary, which is used for defining the transformation space; all transforms δ in the transform space S need to be satisfied, the infinite order norm not being greater than the transform boundary, namely:sgn is a sign function, outputting either +1 or-1, depending on whether the input is greater than zero.
In another example, a projection gradient PGD may be used to determine a worst case challenge risk sample for each black sample. Gradient projection can be considered as performing FGSM iteratively in multiple steps. Specifically, any t+1st iteration of the multi-step iterations of the process may include, for a certain risk sample, obtaining a previous feature value xt of its sample feature x in a previous iteration (t-th iteration); determining the present feature gradient of the loss function L relative to the sample featureIn this step, the model parameter θ is used as a constant, the sample feature x is used as a variable, and the characteristic gradient value of this time is obtained by substituting the characteristic value xt of the previous time after solving the gradient representation. Then according to the previous characteristic value xt, the characteristic gradient of this time +.>And a preset projection function, determining an updated characteristic value x after the iteration t+1
In a specific example, the above t+1st iteration process may be expressed as:
Wherein, alpha is learning rate and is equivalent to a single-step transformation boundary; pi-shaped structure x+S (.) is a projection function for mapping the transformation to the transformation space S when the transformation is too large beyond the predetermined transformation space S.
In other examples, other formulas, algorithms may also be used to determine the challenge risk sample that maximizes the loss value based on the feature gradient of the loss function L to the sample feature x. For example, a momentum iteration MI-FGSM mode may be adopted, where a momentum value is introduced in each iteration step, and feature iteration is performed based on both the momentum value and the gradient value.
Thus, by the various means above, a "worst case" challenge risk sample may be determined.
Then in the next step 23-24, the Loss function L can be used to determine the total predicted Loss of the risk detection model for the sample set containing the challenge risk sample.
In one specific example, the total predicted Loss may be expressed as:
the first term in equation (7) is calculated for the white samples W in the original sample set, resulting in the aforementioned second prediction loss. In other embodiments, the first term may also be extended to operate on all samples in the original sample set, including white samples and black samples. That is, a third prediction loss for the original black sample is added on the basis of equation (7).
The second term of equation (7) corresponds to the aforementioned first predictive loss, in whichDefined by equation (4). In one embodiment, a weight factor may be set for the first and second terms of equation (7), so that the total prediction Loss is a weighted sum of the prediction losses.
Then, next in step 25, the risk detection model f may be adjusted with the objective of minimizing the total predicted Loss shown in the above equation (7) θ To optimize the risk detection model. In one embodiment, the overall predicted loss may be biased against the model parameter θ to yield a parameter gradient. Specifically, the parameter gradient based on equation (7)Can be expressed as:
thus, the model parameter θ can be adjusted and updated in a gradient descent manner based on the above-described parameter gradient to optimize the model.
From a review of the above process, it can be seen that in the challenge scenario of risk detection, by simulating the possible attack transformation of an attacker on a black sample, a corresponding challenge black sample is obtained, and then the risk detection model is optimized based on the challenge black sample. The risk detection model after optimization can improve the recognition efficiency on the anti-black sample, so that the anti-attack of the anti-black sample is well defended, and the robustness and the safety are enhanced.
According to an embodiment of another aspect, there is further provided an apparatus for optimizing a risk detection model, where the apparatus may be deployed on any device or platform having computing and processing capabilities. FIG. 4 illustrates a schematic diagram of an optimization apparatus according to one embodiment. As shown in fig. 4, the optimizing apparatus 400 includes:
a sample set acquisition unit 41 configured to acquire a sample set including a normal sample having a first tag value and an original risk sample having a second tag value;
an challenge sample determining unit 42 configured to determine, for each original risk sample in the sample set, a challenge risk sample obtained by performing potential attack transformation on the original risk sample by an attacker according to a loss function used for training the risk detection model and a current risk detection model;
a prediction unit 43 configured to determine a first predicted loss of the risk detection model for each challenge risk sample and a second predicted loss for each normal sample based on the loss function;
a total loss determination unit 44 configured to determine a total predicted loss for the sample set based at least on the first predicted loss and the second predicted loss;
An adjustment unit 45 configured to adjust model parameters of the risk detection model with the objective of minimizing the total predictive loss to optimize the risk detection model.
According to one embodiment, the challenge risk sample is reduced with respect to a corresponding original risk sample, a loss value calculated for a first tag value using the loss function.
In one embodiment, the challenge sample determining unit 42 includes (not shown):
a transformation function determination module configured to determine a transformation generation function for generating an attack transformation, the transformation generation function minimizing a loss value calculated for the first tag value for the challenge risk sample after applying the transformation;
and the challenge sample generation module is configured to generate the attack transformation aiming at the original risk sample by utilizing the transformation generation function so as to obtain a corresponding challenge risk sample.
Further, in one example, the transformation function determining module is specifically configured to:
generating a first intermediate transformation by using a current generating function aiming at any first original risk sample in the sample set, and obtaining a first intermediate sample by superposing the first intermediate transformation on the first original risk sample;
Calculating a predicted value of a first intermediate sample by using a current risk detection model, and substituting the predicted value and the first label value into the loss function to obtain the countermeasures of the first intermediate sample against the first label value;
determining an objective function comprising at least the sum of the countermeasures against losses of the intermediate samples corresponding to the respective original risk samples;
and adjusting parameters in the current generation function with the aim of minimizing the target function, and determining the adjusted current generation function as the transformation generation function.
Further, in a specific example, the objective function further includes a sum or a sum of squares of absolute values of transformation amounts of the intermediate transformations corresponding to the respective original risk samples.
According to another embodiment, the challenge risk sample is increased relative to a corresponding original risk sample by a loss value calculated for a second tag value using the loss function.
In one embodiment, the challenge sample determining unit 42 is configured to:
and determining a corresponding countermeasure risk sample based on the characteristic gradient of the loss function relative to the original risk sample, so that a loss value between a predicted value of the current risk detection model aiming at the countermeasure risk sample and the second label value reaches the maximum.
Further, in one example, the challenge sample determining unit 42 is specifically configured to:
acquiring an original characteristic value of a sample characteristic of the original risk sample;
determining a feature gradient of the loss function relative to the sample feature;
determining the attack transformation according to the characteristic gradient and a preset transformation boundary by using a symbol function;
and superposing the attack transformation on the original characteristic value to obtain a corresponding countermeasure risk sample.
In another example, the challenge sample determining unit 42 is specifically configured to: performing multiple iterations, and obtaining corresponding countermeasure risk samples according to feature values obtained after the multiple iterations, wherein each iteration comprises:
acquiring a previous characteristic value of a sample characteristic of the original risk sample in a previous iteration;
determining the current feature gradient of the loss function relative to the sample feature;
and determining the updated characteristic value after the iteration according to the previous characteristic value, the characteristic gradient and a preset projection function.
In an embodiment, the above-mentioned prediction unit 43 is further configured to determine a third predicted loss of the risk detection model for each original risk sample based on the loss function; the total loss determination unit 44 is configured to determine the total predicted loss as a weighted sum of the first, second, and third predicted losses.
According to one embodiment, the adjustment unit 45 is configured to:
determining a parameter gradient of the total predicted loss relative to the model parameter;
and adjusting the parameter value of the model parameter along the direction of the decline of the parameter gradient.
Through the device, the risk detection model can be optimized from the angle of attack and defense countermeasure, and the robustness and safety of the risk detection model are enhanced.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 2.
According to an embodiment of yet another aspect, there is also provided a computing device including a memory having executable code stored therein and a processor that, when executing the executable code, implements the method described in connection with fig. 2.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.

Claims (22)

1. A method of optimizing a risk detection model for identifying business objects that are at risk or have a potential safety hazard, comprising:
obtaining a sample set formed by service objects, wherein the sample set comprises a normal sample corresponding to a normal service object with a first label value and an original risk sample corresponding to a risk service object with a second label value, the service object is an account number, a transaction or a text, and when the service object is the account number, sample characteristics of the normal sample and the original risk sample comprise at least one of the following: the registration time of the account number, registration information, the use frequency of the last period and the frequency of comment posting; when the business object is a transaction, the sample characteristics of the normal sample and the original risk sample comprise at least one of the following: transaction amount, transaction time, payment channel and attribute information of both transaction sides; when the business object is text, the sample characteristics of the normal sample and the original risk sample comprise at least one of the following: characters in the text, text release time and sources;
For sample features of each original risk sample in the sample set corresponding to a risk business object, determining a transformation generating function for generating a transformation according to a loss function used for training the risk detection model and a current risk detection model, wherein the transformation generating function enables a loss value calculated by the countermeasure risk sample after the transformation is applied for a first label value to be minimum; generating attack transformation by using the transformation generating function according to the sample characteristics of the original risk sample to obtain sample characteristics of a corresponding countermeasure risk sample, wherein the countermeasure risk sample is reduced relative to the corresponding original risk sample by using the loss value calculated by using the loss function according to the first label value;
determining, based on the loss function, a first predicted loss corresponding to sample features of each challenge risk sample and a second predicted loss corresponding to sample features of each normal sample to be processed by the risk detection model;
determining a total predicted loss for the sample set based at least on the first predicted loss and a second predicted loss;
and adjusting model parameters of the risk detection model to optimize the risk detection model with the aim of minimizing the total prediction loss.
2. The method of claim 1, wherein determining a transform generation function for generating a transform comprises:
generating a first intermediate transformation by using a current generating function aiming at any first original risk sample in the sample set, and obtaining a first intermediate sample by superposing the first intermediate transformation on sample characteristics of the first original risk sample;
calculating a predicted value of a first intermediate sample by using a current risk detection model, and substituting the predicted value and the first label value into the loss function to obtain the countermeasures of the first intermediate sample against the first label value;
determining an objective function comprising at least the sum of the countermeasures against losses of the intermediate samples corresponding to the respective original risk samples;
and adjusting parameters in the current generation function with the aim of minimizing the target function, and determining the adjusted current generation function as the transformation generation function.
3. The method of claim 2, wherein the objective function further comprises a sum or a square sum of absolute values of transformation quantities of the intermediate transformations corresponding to the respective original risk samples.
4. The method of claim 1, further comprising determining a third predicted loss of the risk detection model for each original risk sample based on the loss function;
Determining a total predicted loss for the sample set includes determining the total predicted loss as a weighted sum of the first, second, and third predicted losses.
5. The method of claim 1, wherein adjusting model parameters of the risk detection model comprises:
determining a parameter gradient of the total predicted loss relative to the model parameter;
and adjusting the parameter value of the model parameter along the direction of the decline of the parameter gradient.
6. A method of optimizing a risk detection model for identifying business objects that are at risk or have a potential safety hazard, comprising:
obtaining a sample set formed by service objects, wherein the sample set comprises a normal sample corresponding to a normal service object with a first label value and an original risk sample corresponding to a risk service object with a second label value, the service object is an account number, a transaction or a text, and when the service object is the account number, sample characteristics of the normal sample and the original risk sample comprise at least one of the following: the registration time of the account number, registration information, the use frequency of the last period and the frequency of comment posting; when the business object is a transaction, the sample characteristics of the normal sample and the original risk sample comprise at least one of the following: transaction amount, transaction time, payment channel and attribute information of both transaction sides; when the business object is text, the sample characteristics of the normal sample and the original risk sample comprise at least one of the following: characters in the text, text release time and sources;
For sample characteristics of each original risk sample corresponding to a risk business object in the sample set, determining sample characteristics of a corresponding challenge risk sample based on a characteristic gradient of a loss function used for training the risk detection model relative to the sample characteristics of the original risk sample, so that a loss value between a predicted value of the current risk detection model for the challenge risk sample and the second label value reaches the maximum, and the loss value calculated by using the loss function for the second label value is increased relative to the corresponding original risk sample;
determining, based on the loss function, a first predicted loss corresponding to sample features of each challenge risk sample and a second predicted loss corresponding to sample features of each normal sample to be processed by the risk detection model;
determining a total predicted loss for the sample set based at least on the first predicted loss and a second predicted loss;
and adjusting model parameters of the risk detection model to optimize the risk detection model with the aim of minimizing the total prediction loss.
7. The method of claim 6, wherein determining sample characteristics of the corresponding challenge risk sample comprises:
Acquiring an original characteristic value of a sample characteristic of the original risk sample;
determining a feature gradient of the loss function relative to the sample feature;
determining attack transformation according to the characteristic gradient and a preset transformation boundary by using a symbol function;
and superposing the attack transformation on the original characteristic value to obtain the sample characteristics of the corresponding anti-risk sample.
8. The method of claim 6, wherein determining sample characteristics of the corresponding challenge risk sample comprises performing a plurality of iterations, deriving sample characteristics of the corresponding challenge risk sample from feature values derived after the plurality of iterations, wherein each iteration comprises:
acquiring a previous characteristic value of a sample characteristic of the original risk sample in a previous iteration;
determining the current feature gradient of the loss function relative to the sample feature;
and determining the updated characteristic value after the iteration according to the previous characteristic value, the characteristic gradient and a preset projection function.
9. The method of claim 6, further comprising, based on the loss function, determining a third predicted loss of the risk detection model for each original risk sample;
determining a total predicted loss for the sample set includes determining the total predicted loss as a weighted sum of the first, second, and third predicted losses.
10. The method of claim 6, wherein adjusting model parameters of the risk detection model comprises:
determining a parameter gradient of the total predicted loss relative to the model parameter;
and adjusting the parameter value of the model parameter along the direction of the decline of the parameter gradient.
11. An apparatus for optimizing a risk detection model for identifying a business object that is at risk or has a potential safety hazard, comprising:
the sample set obtaining unit is configured to obtain a sample set formed by service objects, wherein the sample set comprises a normal sample corresponding to a normal service object with a first label value and an original risk sample corresponding to a risk service object with a second label value, the service object is an account number, a transaction or a text, and when the service object is the account number, sample characteristics of the normal sample and the original risk sample comprise at least one of the following: the registration time of the account number, registration information, the use frequency of the last period and the frequency of comment posting; when the business object is a transaction, the sample characteristics of the normal sample and the original risk sample comprise at least one of the following: transaction amount, transaction time, payment channel and attribute information of both transaction sides; when the business object is text, the sample characteristics of the normal sample and the original risk sample comprise at least one of the following: characters in the text, text release time and sources;
The challenge sample determining unit comprises a transformation function determining module configured to determine, for sample features of each original risk sample in the sample set corresponding to a risk business object, a transformation generating function for generating a transformation in accordance with a loss function used for training the risk detection model and a current risk detection model, the transformation generating function minimizing a loss value calculated for a first tag value for a challenge risk sample after applying the transformation; the system further comprises a challenge sample generation module configured to generate an attack transformation for sample characteristics of the original risk samples using the transformation generation function, resulting in sample characteristics of corresponding challenge risk samples that are reduced relative to the corresponding original risk samples by loss values calculated for the first tag values using the loss function;
a prediction unit configured to determine, based on the loss function, a first predicted loss corresponding to sample features of each challenge risk sample and a second predicted loss corresponding to sample features of each normal sample to be processed by the risk detection model;
a total loss determination unit configured to determine a total predicted loss for the sample set based at least on the first predicted loss and the second predicted loss;
And an adjustment unit configured to adjust model parameters of the risk detection model to optimize the risk detection model with the total prediction loss minimized as a target.
12. The apparatus of claim 11, wherein the transformation function determination module is specifically configured to:
generating a first intermediate transformation by using a current generating function aiming at any first original risk sample in the sample set, and obtaining a first intermediate sample by superposing the first intermediate transformation on sample characteristics of the first original risk sample;
calculating a predicted value of a first intermediate sample by using a current risk detection model, and substituting the predicted value and the first label value into the loss function to obtain the countermeasures of the first intermediate sample against the first label value;
determining an objective function comprising at least the sum of the countermeasures against losses of the intermediate samples corresponding to the respective original risk samples;
and adjusting parameters in the current generation function with the aim of minimizing the target function, and determining the adjusted current generation function as the transformation generation function.
13. The apparatus of claim 12, wherein the objective function further comprises a sum or a square sum of absolute values of transform quantities of the intermediate transforms for each original risk sample.
14. The apparatus of claim 11, the prediction unit further configured to determine a third predicted loss of the risk detection model for each original risk sample based on the loss function;
the total loss determination unit is configured to determine the total predicted loss as a weighted sum of the first, second, and third predicted losses.
15. The apparatus of claim 11, wherein the adjustment unit is configured to:
determining a parameter gradient of the total predicted loss relative to the model parameter;
and adjusting the parameter value of the model parameter along the direction of the decline of the parameter gradient.
16. An apparatus for optimizing a risk detection model for identifying a business object that is at risk or has a potential safety hazard, comprising:
the sample set obtaining unit is configured to obtain a sample set formed by service objects, wherein the sample set comprises a normal sample corresponding to a normal service object with a first label value and an original risk sample corresponding to a risk service object with a second label value, the service object is an account number, a transaction or a text, and when the service object is the account number, sample characteristics of the normal sample and the original risk sample comprise at least one of the following: the registration time of the account number, registration information, the use frequency of the last period and the frequency of comment posting; when the business object is a transaction, the sample characteristics of the normal sample and the original risk sample comprise at least one of the following: transaction amount, transaction time, payment channel and attribute information of both transaction sides; when the business object is text, the sample characteristics of the normal sample and the original risk sample comprise at least one of the following: characters in the text, text release time and sources;
An countermeasure sample determination unit configured to determine, for sample features of each of the original risk samples in the sample set that correspond to the risk business object, sample features of a corresponding countermeasure risk sample based on feature gradients of a loss function used to train the risk detection model with respect to the sample features of the original risk sample such that a loss value between a predicted value of the current risk detection model for the countermeasure risk sample and the second tag value reaches a maximum, the countermeasure risk sample having an increased loss value calculated for the second tag value using the loss function with respect to the corresponding original risk sample;
a prediction unit configured to determine, based on the loss function, a first predicted loss corresponding to sample features of each challenge risk sample and a second predicted loss corresponding to sample features of each normal sample to be processed by the risk detection model;
a total loss determination unit configured to determine a total predicted loss for the sample set based at least on the first predicted loss and the second predicted loss;
and an adjustment unit configured to adjust model parameters of the risk detection model to optimize the risk detection model with the total prediction loss minimized as a target.
17. The apparatus of claim 16, wherein the challenge sample determination unit is specifically configured to:
acquiring an original characteristic value of a sample characteristic of the original risk sample;
determining a feature gradient of the loss function relative to the sample feature;
determining attack transformation according to the characteristic gradient and a preset transformation boundary by using a symbol function;
and superposing the attack transformation on the original characteristic value to obtain the sample characteristics of the corresponding anti-risk sample.
18. The apparatus of claim 16, wherein the challenge sample determination unit is specifically configured to: performing multiple iterations, and obtaining sample characteristics of the corresponding countermeasure risk sample according to the characteristic values obtained after the multiple iterations, wherein each iteration comprises:
acquiring a previous characteristic value of a sample characteristic of the original risk sample in a previous iteration;
determining the current feature gradient of the loss function relative to the sample feature;
and determining the updated characteristic value after the iteration according to the previous characteristic value, the characteristic gradient and a preset projection function.
19. The apparatus of claim 16, the prediction unit further configured to determine a third predicted loss of the risk detection model for each original risk sample based on the loss function;
The total loss determination unit is configured to determine the total predicted loss as a weighted sum of the first, second, and third predicted losses.
20. The apparatus of claim 16, wherein the adjustment unit is configured to:
determining a parameter gradient of the total predicted loss relative to the model parameter;
and adjusting the parameter value of the model parameter along the direction of the decline of the parameter gradient.
21. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-10.
22. A computing device comprising a memory and a processor, wherein the memory has executable code stored therein, which when executed by the processor, implements the method of any of claims 1-10.
CN202011147798.4A 2020-10-23 2020-10-23 Method and device for optimizing risk detection model Active CN112200380B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011147798.4A CN112200380B (en) 2020-10-23 2020-10-23 Method and device for optimizing risk detection model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011147798.4A CN112200380B (en) 2020-10-23 2020-10-23 Method and device for optimizing risk detection model

Publications (2)

Publication Number Publication Date
CN112200380A CN112200380A (en) 2021-01-08
CN112200380B true CN112200380B (en) 2023-07-25

Family

ID=74011238

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011147798.4A Active CN112200380B (en) 2020-10-23 2020-10-23 Method and device for optimizing risk detection model

Country Status (1)

Country Link
CN (1) CN112200380B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112884161B (en) * 2021-02-02 2021-11-02 山东省计算中心(国家超级计算济南中心) Cooperative learning method, device, equipment and medium for resisting label turning attack
CN113222480B (en) * 2021-06-11 2023-05-12 支付宝(杭州)信息技术有限公司 Training method and device for challenge sample generation model
CN113283804B (en) * 2021-06-18 2022-05-31 支付宝(杭州)信息技术有限公司 Training method and system of risk prediction model
CN114091902A (en) * 2021-11-22 2022-02-25 支付宝(杭州)信息技术有限公司 Risk prediction model training method and device, and risk prediction method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108932527A (en) * 2018-06-06 2018-12-04 上海交通大学 Using cross-training model inspection to the method for resisting sample
CN109034632A (en) * 2018-08-03 2018-12-18 哈尔滨工程大学 A kind of deep learning model safety methods of risk assessment based on to resisting sample
CN110334808A (en) * 2019-06-12 2019-10-15 武汉大学 A kind of confrontation attack defense method based on confrontation sample training
CN111046379A (en) * 2019-12-06 2020-04-21 支付宝(杭州)信息技术有限公司 Anti-attack monitoring method and device
CN111241287A (en) * 2020-01-16 2020-06-05 支付宝(杭州)信息技术有限公司 Training method and device for generating generation model of confrontation text
CN111340143A (en) * 2020-05-15 2020-06-26 支付宝(杭州)信息技术有限公司 Method and system for obtaining confrontation sample generation model
CN111353548A (en) * 2020-03-11 2020-06-30 中国人民解放军军事科学院国防科技创新研究院 Robust feature deep learning method based on confrontation space transformation network
CN111738374A (en) * 2020-08-28 2020-10-02 北京智源人工智能研究院 Multi-sample anti-disturbance generation method and device, storage medium and computing equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109934706B (en) * 2017-12-15 2021-10-29 创新先进技术有限公司 Transaction risk control method, device and equipment based on graph structure model

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108932527A (en) * 2018-06-06 2018-12-04 上海交通大学 Using cross-training model inspection to the method for resisting sample
CN109034632A (en) * 2018-08-03 2018-12-18 哈尔滨工程大学 A kind of deep learning model safety methods of risk assessment based on to resisting sample
CN110334808A (en) * 2019-06-12 2019-10-15 武汉大学 A kind of confrontation attack defense method based on confrontation sample training
CN111046379A (en) * 2019-12-06 2020-04-21 支付宝(杭州)信息技术有限公司 Anti-attack monitoring method and device
CN111241287A (en) * 2020-01-16 2020-06-05 支付宝(杭州)信息技术有限公司 Training method and device for generating generation model of confrontation text
CN111353548A (en) * 2020-03-11 2020-06-30 中国人民解放军军事科学院国防科技创新研究院 Robust feature deep learning method based on confrontation space transformation network
CN111340143A (en) * 2020-05-15 2020-06-26 支付宝(杭州)信息技术有限公司 Method and system for obtaining confrontation sample generation model
CN111738374A (en) * 2020-08-28 2020-10-02 北京智源人工智能研究院 Multi-sample anti-disturbance generation method and device, storage medium and computing equipment

Also Published As

Publication number Publication date
CN112200380A (en) 2021-01-08

Similar Documents

Publication Publication Date Title
CN112200380B (en) Method and device for optimizing risk detection model
CN109948658B (en) Feature diagram attention mechanism-oriented anti-attack defense method and application
CN111738374B (en) Multi-sample anti-disturbance generation method and device, storage medium and computing equipment
Wang et al. Amora: Black-box adversarial morphing attack
CN108427927B (en) Object re-recognition method and apparatus, electronic device, program, and storage medium
CN113435583A (en) Countermeasure generation network model training method based on federal learning and related equipment thereof
CN112231703B (en) Malicious software countermeasure sample generation method combined with API fuzzy processing technology
CN110969243B (en) Method and device for training countermeasure generation network for preventing privacy leakage
CN113792526B (en) Training method of character generation model, character generation method, device, equipment and medium
CN110795714A (en) Identity authentication method and device, computer equipment and storage medium
CN113808165B (en) Point disturbance anti-attack method for three-dimensional target tracking model
CN114565513A (en) Method and device for generating confrontation image, electronic equipment and storage medium
CN113222480B (en) Training method and device for challenge sample generation model
CN114220097A (en) Anti-attack-based image semantic information sensitive pixel domain screening method and application method and system
CN113935396A (en) Manifold theory-based method and related device for resisting sample attack
Kwon et al. Toward backdoor attacks for image captioning model in deep neural networks
CN114612688B (en) Countermeasure sample generation method, model training method, processing method and electronic equipment
CN112488225A (en) Learning countermeasure defense model method for quantum fuzzy machine
Choi et al. EEJE: Two-step input transformation for robust DNN against adversarial examples
CN116343301A (en) Personnel information intelligent verification system based on face recognition
CN112882382B (en) Geometric method for evaluating robustness of classified deep neural network
CN113159317B (en) Antagonistic sample generation method based on dynamic residual corrosion
CN116188439A (en) False face-changing image detection method and device based on identity recognition probability distribution
CN115880530A (en) Detection method and system for resisting attack
CN115410257A (en) Image protection method and related equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant