
CN113947704A - Confrontation sample defense system and method based on attention ranking - Google Patents

Confrontation sample defense system and method based on attention ranking

Info

Publication number
CN113947704A
CN113947704A
Authority
CN
China
Prior art keywords
attention
feature
sample
model
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111175218.7A
Other languages
Chinese (zh)
Inventor
王恒友
李文
吴佳薇
宋艳飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Civil Engineering and Architecture
Original Assignee
Beijing University of Civil Engineering and Architecture
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Civil Engineering and Architecture filed Critical Beijing University of Civil Engineering and Architecture
Priority to CN202111175218.7A
Publication of CN113947704A
Legal status: Pending

Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 - Pattern recognition
    • G06F 18/20 - Analysing
    • G06F 18/24 - Classification techniques
    • G06F 18/241 - Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06N - COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 - Computing arrangements based on biological models
    • G06N 3/02 - Neural networks
    • G06N 3/04 - Architecture, e.g. interconnection topology
    • G06N 3/045 - Combinations of networks
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06N - COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 - Computing arrangements based on biological models
    • G06N 3/02 - Neural networks
    • G06N 3/04 - Architecture, e.g. interconnection topology
    • G06N 3/048 - Activation functions
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06N - COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 - Computing arrangements based on biological models
    • G06N 3/02 - Neural networks
    • G06N 3/08 - Learning methods
    • G06N 3/084 - Backpropagation, e.g. using gradient descent

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Biophysics (AREA)
  • Biomedical Technology (AREA)
  • Mathematical Physics (AREA)
  • Computational Linguistics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a confrontation sample defense system and method based on attention ranking. The method comprises the following steps: S101, pre-training a classification model to obtain confrontation samples; S102, preprocessing the confrontation sample through the discrete cosine transform layer, the first module of the confrontation sample defense model, to eliminate part of the attack; S103, passing the feature map through an attention module to obtain attention weights; S104, recovering a feature vector with global features according to the attention weights; and S105, training the network according to the loss function and saving the model. By modifying the network, the defense method reduces the hardware resources and long training time that prior-art models require, and takes the influence of key points into account when the network is modified.

Description

Confrontation sample defense system and method based on attention ranking
Technical Field
The invention relates to the technical field of computer attack and defense, and in particular to a confrontation sample defense system and method based on attention ranking.
Background
In real life, images are often contaminated with noise from many sources, such as channel instability during image transmission and imperfect system equipment. Deep neural networks are vulnerable to adversarial noise: adding subtle, human-imperceptible perturbations to the inputs creates confrontation samples that fool the neural network into producing false outputs with high probability, threatening the security of deep learning applications.
There are two main approaches to generating adversarial attacks on deep neural networks: sign-gradient-based methods and optimization-based methods. In the face of these powerful attacks, an effective defense is crucial.
However, from the perspective of data preprocessing, existing defense methods require more hardware resources and longer training time, and also add considerable time to the testing stage.
Disclosure of Invention
The invention aims to provide a confrontation sample defense system and method based on attention ranking that address the heavy hardware-resource and time requirements of model training in the prior art, while taking the influence of key points on the attack characteristics into account.
In order to achieve the above purpose, the invention provides the following technical scheme:
an attention ranking-based confrontation sample defense method, which specifically comprises the following steps:
s101, pre-training a classification model to obtain a confrontation sample;
s102, preprocessing the confrontation sample through the discrete cosine transform layer, the first module of the confrontation sample defense model, to eliminate part of the attack;
s103, the feature map passes through an attention module to obtain attention weight;
and S104, according to the attention weight, recovering the feature vector with the global features.
And S105, training the network according to the loss function, and storing the model.
On the basis of the technical scheme, the invention can be further improved as follows:
further, the S101 specifically includes:
s1011, inputting original images of a training set, and obtaining weights through pre-training;
and S1012, generating a confrontation sample by using the weight.
Further, the S102 specifically includes:
s1021, after the confrontation sample passes through the first convolutional layer, a Discrete Cosine Transform (DCT) is applied;
s1022, the designed activation function η(x) is used in the frequency domain to eliminate part of the attack, where η(x) is as follows (reconstructed from the description; the original equation is rendered as an image):
η(x) = x if |x| ≥ T, otherwise 0, with T a small amplitude threshold;
s1023, the inverse discrete cosine transform restores the result to the spatial domain, yielding a feature map with part of the attack eliminated.
Further, the S103 specifically includes:
s1031, the feature map is passed through four residual blocks in turn to obtain the feature vector sets L^s = {l^s_1, …, l^s_n};
s1032, L^4 is average-pooled to obtain a global vector g, while L^s, s ∈ {1,2,3}, is mapped to the dimension n of g;
s1033, the local feature l^s_i is connected to the global feature g by element-wise addition, and the result is mapped to an attention weight through a learned FC mapping, computed and defined as Equation 2 (reconstructed from the description; the original equation is rendered as an image):
c^s_i = u^T(l^s_i + g) (Equation 2);
wherein L^s = {l^s_1, …, l^s_n} denotes the set of feature vectors extracted after each residual block, where s ∈ {1,2,3}; l^s_i denotes the i-th of the n feature vectors in L^s; g denotes the global feature vector output by the fully-connected layer in fig. 7; and l^s_i and g both have dimension n.
Further, the S104 specifically includes:
s1041, the feature map L^s and the predicted attention map C^s are reshaped into one-dimensional arrays {L^s(n)} and {C^s(n)}, where n = H × W and each L^s(n) is a feature vector with C channels;
s1042, the top K values {C^s(k)} are selected from the attention map {C^s(n)}, their positions are recorded, and the feature points {L^s(k)} at those positions are extracted from {L^s(n)};
s1043, the keypoint-based global vector g^s is computed by Equation 3:
g^s = C^s(k) ⊙ L^s(k) (Equation 3);
wherein ⊙ denotes the inner product between the keypoints {C^s(k)} and each channel of the feature map {L^s(k)}.
Further, the S105 specifically includes:
s1051, the loss is computed from the classification result, the model weights are updated by backpropagation, and the model is fine-tuned; the loss function is the cross-entropy loss of Equation 4, computed separately for the original image and the confrontation sample and then summed (reconstructed from the description; the original equation is rendered as an image):
L = L_CE(f(x), y) + L_CE(f(x*), y), with L_CE(f(x), y) = −Σ_c y_c log p_c (Equation 4);
and S1052, loading the test set to generate confrontation samples through the trained model, calculating the accuracy to judge and evaluate the performance of the model, and storing the optimal model weight.
An attention-ranking based confrontation sample defense system comprising:
the countermeasure sample defense system modifies the base model Resnet 18. The whole system is divided into three modules: the system comprises a discrete cosine transform activation module, an attention module and a key point sorting module. A Discrete Cosine Transform (DCT) active layer is introduced after the first layer convolutional layer to effectively suppress noise modes based on gradient attacks. And in the attention module and the key point sorting module, dynamically selecting key points on the feature map for classification based on an attention mechanism so as to reduce the influence of other attacked pixel points.
Further, the discrete cosine transform activation module is configured to:
after the challenge samples pass through the first convolutional layer, Discrete Cosine Transform (DCT) is used;
and eliminating part of the attack with the designed activation function η(x) in the frequency domain, where η(x) is as follows (reconstructed from the description; the original equation is rendered as an image):
η(x) = x if |x| ≥ T, otherwise 0, with T a small amplitude threshold;
and restoring to the spatial domain with the inverse discrete cosine transform, yielding a feature map with part of the attack eliminated.
Further, the attention module is configured to:
map L^s to the dimension n of g before computing the attention weight;
connect the local feature l^s_i to the global feature g by element-wise addition, map the result to an attention weight through a learned FC mapping, and compute the attention weight defined as Equation 2 (reconstructed from the description; the original equation is rendered as an image):
c^s_i = u^T(l^s_i + g) (Equation 2);
wherein L^s = {l^s_1, …, l^s_n} denotes the set of feature vectors extracted after each residual block, where s ∈ {1,2,3}; l^s_i denotes the i-th of the n feature vectors in L^s; g denotes the global feature vector output by the fully-connected layer in fig. 7; and l^s_i and g both have dimension n.
Further, the keypoint ranking module is further to:
reshape the feature map L^s and the predicted attention map C^s into one-dimensional arrays {L^s(n)} and {C^s(n)}, where n = H × W and each L^s(n) is a feature vector with C channels;
select the top K values {C^s(k)} from the attention map {C^s(n)}, record their positions, and extract the feature points {L^s(k)} at those positions from {L^s(n)};
compute the keypoint-based global vector g^s by Equation 3:
g^s = C^s(k) ⊙ L^s(k) (Equation 3);
wherein ⊙ denotes the inner product between the keypoints {C^s(k)} and each channel of the feature map {L^s(k)}.
The invention has the following advantages:
according to the defense method for the confrontation sample based on attention sequencing, the discrete cosine transform active layer is introduced, partial confrontation attack is eliminated to a certain extent, and meanwhile, the back propagation of the gradient is effectively inhibited in a white-box attacker. And the residual part of the antagonistic noise is eliminated by the dynamic key point selection of the attention mechanism, and a correct classification result is obtained. The new Resnet18 network architecture provided by the invention has a good defense effect against attacks, solves the problems that more hardware resources and longer time consumption are needed in the training process of the existing defense model, and considers the influence of key points when modifying the network.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flow chart of a defense method against a sample in an embodiment of the invention;
FIG. 2 is a flowchart illustrating an embodiment of S101;
FIG. 3 is a flowchart illustrating the detailed process of S102 according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating the detailed process of S103 according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating S104 according to an embodiment of the present invention;
FIG. 6 is a flowchart illustrating an embodiment of S105;
FIG. 7 is a block diagram of an attention-ranked defense network framework for confrontation samples in accordance with an embodiment of the invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the following embodiments, and it should be understood that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, the method for defending a confrontation sample based on attention ranking specifically comprises:
s101, obtaining a confrontation sample;
in the step, a classification model is pre-trained to obtain a confrontation sample;
s102, preprocessing a challenge sample;
in this step, the confrontation sample is preprocessed through the discrete cosine transform layer, the first module of the confrontation sample defense model, to eliminate part of the attack;
s103, obtaining attention weight;
in the step, the feature map passes through an attention module to obtain attention weight;
s104, obtaining a feature vector with global features;
in this step, a feature vector having global features is retrieved according to the attention weight.
And S105, training the network according to the loss function, and storing the model.
The discrete cosine transform activation layer introduced after the convolutional layer eliminates part of the adversarial attack and effectively suppresses gradient backpropagation to a white-box attacker. The remaining adversarial noise is eliminated by the attention mechanism's dynamic keypoint selection, yielding a correct classification result. The new Resnet18 network architecture provided by the invention defends well against attacks.
The adversarial attack referred to in the invention is: a method that exploits the weaknesses of deep learning to defeat a recognition system; the recognition target is deliberately modified so that no abnormality is visible to the human eye, yet the recognition model is made to fail.
The countermeasure sample mentioned in the present invention refers to: some perturbation imperceptible to the human eye is added to the original sample (such perturbation does not affect human recognition but easily fools the model), causing the machine to make an erroneous decision.
The confrontational defenses referred to herein refer to: a series of defense strategies are developed to defend against attacks.
The attention model referred to in the present invention refers to: the attention model in deep learning is similar to a selective visual attention mechanism of human beings in nature, and the core target is to select information which is more critical to the current task target from a plurality of information and inhibit other useless information, so that the efficiency and the accuracy of information processing are improved.
The Discrete Cosine Transform (DCT) mentioned in this invention refers to: the discrete cosine transform is a transform defined on a real signal, and a real signal is obtained in a frequency domain after the transform. DCT also has a very important property (energy concentration property): since most of natural signals (audio and video) have energy concentrated in a low-frequency portion after discrete cosine transform, DCT is widely used for (audio and video) data compression.
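The energy-concentration property described above can be illustrated numerically. The sketch below is illustrative only and is not from the patent: it builds an orthonormal DCT-II matrix in plain NumPy, transforms a smooth signal, and measures how much of the energy lands in the low-frequency coefficients.

```python
import numpy as np

def dct_matrix(N):
    # Orthonormal DCT-II transform matrix: row k holds the k-th cosine basis vector.
    n = np.arange(N)
    M = np.cos(np.pi * (2 * n[None, :] + 1) * n[:, None] / (2 * N)) * np.sqrt(2.0 / N)
    M[0] /= np.sqrt(2.0)
    return M

# A smooth, "natural"-looking 1-D signal (two low-frequency sinusoids).
t = np.linspace(0.0, 1.0, 64)
signal = np.sin(2 * np.pi * 2 * t) + 0.5 * np.sin(2 * np.pi * 5 * t)

coeffs = dct_matrix(64) @ signal
energy = coeffs ** 2
low_freq_share = energy[:16].sum() / energy.sum()  # energy in the lowest quarter
print(f"share of energy in the 16 lowest DCT coefficients: {low_freq_share:.3f}")
```

For a smooth signal like this, well over 90% of the energy sits in the lowest quarter of the coefficients, which is exactly the compaction property that makes DCT useful for compression and, here, for noise suppression.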
The ResNet18 mentioned in the present invention refers to: is a neural network structure in deep learning. Also called deep residual networks, can solve the degradation problem that occurs as the network depth increases. The network structure therein is called a residual block.
The invention provides a confrontation sample defense method based on attention keypoint ranking to defend against attacks and improve the robustness of deep neural networks. Existing methods add an external model to preprocess the input image, and these external models grow ever more complex in pursuit of better defense. The invention instead improves the robustness of the deep neural network by modifying the network itself and selecting key points on the attention map, and introduces a discrete cosine transform and an activation function into the network to effectively suppress gradient-attack noise patterns.
The present invention is motivated by the observation that humans classify images and recognize objects without analyzing the image pixel by pixel on a grid. Instead, they quickly detect discriminative keypoints (or object parts) in the image and extract features from those keypoints to reach a decision for image classification or object detection. The invention therefore extracts key points on the attention map and designs a new network architecture supporting the attention mechanism's dynamic keypoint selection, improving the robustness of the deep learning network. At the same time, a discrete cosine transform and an activation function are introduced into the network to effectively suppress gradient-attack noise patterns.
On the basis of the technical scheme, the invention can be further improved as follows:
as shown in fig. 2, further, the S101 specifically includes:
s1011, obtaining the weight;
in the step, an original image of a training set is input, and a weight is obtained through pre-training;
s1012, generating a confrontation sample;
in this step, the weights are used to generate confrontation samples for training the robustness network.
As shown in fig. 3, the S102 specifically includes:
s1021, after the confrontation sample passes through the first convolutional layer, a Discrete Cosine Transform (DCT) is applied;
s1022, the designed activation function η(x) is used in the frequency domain to eliminate part of the attack, where η(x) is as follows (reconstructed from the description; the original equation is rendered as an image):
η(x) = x if |x| ≥ T, otherwise 0, with T a small amplitude threshold;
s1023, the inverse discrete cosine transform restores the result to the spatial domain, yielding a feature map with part of the attack eliminated.
As shown in fig. 4, the S103 specifically includes:
s1031, the feature map is passed through four residual blocks in turn to obtain the feature vector sets L^s = {l^s_1, …, l^s_n};
s1032, L^4 is average-pooled to obtain a global vector g, while L^s, s ∈ {1,2,3}, is mapped to the dimension n of g;
s1033, the local feature l^s_i is connected to the global feature g by element-wise addition, and the result is mapped to an attention weight through a learned FC mapping, computed and defined as Equation 2 (reconstructed from the description; the original equation is rendered as an image):
c^s_i = u^T(l^s_i + g) (Equation 2);
wherein L^s = {l^s_1, …, l^s_n} denotes the set of feature vectors extracted after each residual block, where s ∈ {1,2,3}; l^s_i denotes the i-th of the n feature vectors in L^s; g denotes the global feature vector output by the fully-connected layer in fig. 7; and l^s_i and g both have dimension n.
As shown in fig. 5, further, the S104 specifically includes:
s1041, the feature map L^s and the predicted attention map C^s are reshaped into one-dimensional arrays {L^s(n)} and {C^s(n)}, where n = H × W and each L^s(n) is a feature vector with C channels;
s1042, the top K values {C^s(k)} are selected from the attention map {C^s(n)}, their positions are recorded, and the feature points {L^s(k)} at those positions are extracted from {L^s(n)};
s1043, the keypoint-based global vector g^s is computed by Equation 3:
g^s = C^s(k) ⊙ L^s(k) (Equation 3);
wherein ⊙ denotes the inner product between the keypoints {C^s(k)} and each channel of the feature map {L^s(k)}.
As shown in fig. 6, the S105 specifically includes:
S1051, the loss is computed from the classification result, the model weights are updated by backpropagation, and the model is fine-tuned; the loss function is the cross-entropy loss of Equation 4, computed separately for the original image and the confrontation sample and then summed (reconstructed from the description; the original equation is rendered as an image):
L = L_CE(f(x), y) + L_CE(f(x*), y), with L_CE(f(x), y) = −Σ_c y_c log p_c (Equation 4);
and S1052, the test set is loaded and confrontation samples are generated with the trained model; the accuracy is calculated to evaluate the performance of the model, and the optimal model weights are saved.
The invention provides a new model algorithm: a confrontation sample defense method based on attention ranking, shown in figure 7. Our proposed defense network, based on ranking key points in an attention map, has two main ideas: (1) a Discrete Cosine Transform (DCT) activation layer is introduced after the first convolutional layer to effectively suppress gradient-attack noise patterns. The motivation for this design is that adversarial noise is gradually amplified during convolution and leads to misclassification, the so-called error amplification effect; we therefore do not apply the DCT directly to the original image. (2) To eliminate the remaining interference of the adversarial noise, key points are dynamically selected on the feature map for classification based on the attention mechanism, reducing the influence of other attacked pixels.
The whole process is as follows: the image X* is first preprocessed by the convolutional layer and passed to the Discrete Cosine Transform (DCT) activation layer, where most of the adversarial noise is destroyed; the feature map X̃ is then recovered by the Inverse Discrete Cosine Transform (IDCT). X̃ continues into the backbone of Resnet18, shown as 4 residual layers whose outputs are L1, L2, L3, L4. After average pooling, L4 yields an n-dimensional feature vector g carrying global information about the entire image. Next, instead of following the Resnet18 network by fully connecting the global vector g to obtain its classification category, the global vector g is fused with L1, L2, L3 respectively to obtain the discriminative weights c1, c2, c3, i.e. the attention maps. Then c1, c2, c3 and L1, L2, L3 respectively undergo keypoint detection and ranking and are multiplied correspondingly, giving a new feature vector g1, g2, g3 for each layer at its own scale; g1, g2, g3 are spliced and fully connected to obtain the classification category.
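The data flow described above can be sketched structurally as follows. This is NOT the patented network: random linear maps stand in for the convolutional and residual layers, the DCT activation stage is assumed to have already produced the flattened features, and all shapes (n, HW, K, num_classes) are illustrative choices.

```python
import numpy as np

rng = np.random.default_rng(0)
n, HW, K, num_classes = 8, 16, 4, 10          # feature dim, spatial points, keypoints, classes
layers = [0.1 * rng.normal(size=(HW * n, HW * n)) for _ in range(3)]  # stand-ins for L1..L3
u = rng.normal(size=n)                        # attention FC weight (Equation 2)
W_fc = 0.1 * rng.normal(size=(3 * n, num_classes))                    # final FC

def forward(x_tilde):
    # x_tilde: flattened features after the DCT activation layer, shape (HW*n,)
    g = x_tilde.reshape(HW, n).mean(axis=0)   # stand-in for the pooled global vector g
    h, gs_list = x_tilde, []
    for layer in layers:                      # outputs play the roles of L1, L2, L3
        h = np.tanh(layer @ h)
        L = h.reshape(HW, n)
        c = (L + g) @ u                       # attention weights c_i = u^T(l_i + g)
        top = np.argsort(c)[::-1][:K]         # keypoint ranking: top-K attention
        gs_list.append(c[top] @ L[top])       # Equation 3: keypoint-weighted global vector
    return np.concatenate(gs_list) @ W_fc     # splice g1, g2, g3, then fully connect

logits = forward(rng.normal(size=HW * n))
print(logits.shape)                           # → (10,)
```

The point of the sketch is the wiring: each intermediate layer contributes its own keypoint-based global vector, and only the spliced vector reaches the classifier.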
An attention-ranking based confrontation sample defense system comprising:
the countermeasure sample defense system modifies the base model Resnet 18. The whole system is divided into three modules: the system comprises a discrete cosine transform activation module, an attention module and a key point sorting module. A Discrete Cosine Transform (DCT) active layer is introduced after the first layer convolutional layer to effectively suppress noise modes based on gradient attacks. And in the attention module and the key point sorting module, dynamically selecting key points on the feature map for classification based on an attention mechanism so as to reduce the influence of other attacked pixel points.
Further, the discrete cosine transform activation module is configured to:
after the challenge samples pass through the first convolutional layer, Discrete Cosine Transform (DCT) is used;
and eliminating part of the attack with the designed activation function η(x) in the frequency domain, where η(x) is as follows (reconstructed from the description; the original equation is rendered as an image):
η(x) = x if |x| ≥ T, otherwise 0, with T a small amplitude threshold;
and restoring to the space domain again by using the inverse discrete cosine transform to obtain a characteristic diagram for eliminating partial attacks.
Further, the attention module is to:
map L^s to the dimension n of g before computing the attention weight;
connect the local feature l^s_i to the global feature g by element-wise addition, map the result to an attention weight through a learned FC mapping, and compute the attention weight defined as Equation 2 (reconstructed from the description; the original equation is rendered as an image):
c^s_i = u^T(l^s_i + g) (Equation 2);
wherein L^s = {l^s_1, …, l^s_n} denotes the set of feature vectors extracted after each residual block, where s ∈ {1,2,3}; l^s_i denotes the i-th of the n feature vectors in L^s; g denotes the global feature vector output by the fully-connected layer in fig. 7; and l^s_i and g both have dimension n.
The keypoint ranking module is further to:
reshape the feature map L^s and the predicted attention map C^s into one-dimensional arrays {L^s(n)} and {C^s(n)}, where n = H × W and each L^s(n) is a feature vector with C channels;
select the top K values {C^s(k)} from the attention map {C^s(n)}, record their positions, and extract the feature points {L^s(k)} at those positions from {L^s(n)};
compute the keypoint-based global vector g^s by Equation 3:
g^s = C^s(k) ⊙ L^s(k) (Equation 3);
wherein ⊙ denotes the inner product between the keypoints {C^s(k)} and each channel of the feature map {L^s(k)}.
The Discrete Cosine Transform (DCT) activation layer, the attention module and the keypoint ranking are designed for and used in the invention.
1. Discrete Cosine Transform (DCT) active layer
In the spatial domain, the confrontation sample and the original image look very similar, so separating the adversarial noise from the original image is very difficult; conventional image denoising usually solves this by converting to the frequency domain. We therefore choose a block-wise two-dimensional Discrete Cosine Transform (DCT) [34], defined as follows:
F(u, v) = α(u) α(v) Σ_{x=0}^{N−1} Σ_{y=0}^{N−1} f(x, y) cos[(2x + 1)uπ / (2N)] cos[(2y + 1)vπ / (2N)], with α(0) = √(1/N) and α(u) = √(2/N) for u > 0 (the standard two-dimensional DCT-II; reconstructed here because the original equation is rendered as an image).
after this transformation, the noise of the image is in its high frequency part in the discrete cosine transform result, and the amplitude of the high frequency part is generally small. Therefore, the following activation function η (x) is designed:
η(x) = x if |x| ≥ T, otherwise 0, where T is a small amplitude threshold (reconstructed from the description; the original equation is rendered as an image).
after the image transfer activation function eta (x) of DCT transformation, on one hand, the antagonistic noise is partially removed; on the other hand, it is not easily attacked by the existing white-box attack methods. This is because most existing white-box attacks are based on gradient backpropagation, where gradients cannot easily propagate through the Discrete Cosine Transform (DCT) active layer.
2. Attention module
Denote by L^s = {l^s_1, …, l^s_n} the set of feature vectors extracted after each residual block, where s ∈ {1,2,3}. l^s_i denotes the i-th of the n feature vectors in L^s, and g denotes the global feature vector output by the fully-connected layer in fig. 7. The local feature l^s_i is connected to the global feature g by element-wise addition, and the result is mapped to an attention weight through a learned FC mapping (an FC layer with weight u). The attention weight is then computed and defined as (reconstructed from the description; the original equation is rendered as an image):
c^s_i = u^T(l^s_i + g) (Equation 2).
Here l^s_i and g both have dimension n; since the number of channels differs for the feature vectors of different s, L^s is mapped to the dimension n of g before the attention weight is computed.
The attention module thus yields the attention weights c^s = {c^s_1, …, c^s_n}. Attention weights identify salient image regions and amplify their influence while suppressing irrelevant and potentially confusing information in other regions. This score therefore plays the role of attention.
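A minimal numerical sketch of the attention score just described: the element-wise addition and the FC weight u follow the text, while the softmax normalization is an extra assumption of this sketch (the text does not state how the scores are normalized).

```python
import numpy as np

def attention_weights(L, g, u):
    # L: (n_points, n) local features already mapped to the dimension n of g.
    # g: (n,) global feature vector; u: (n,) learned FC weight.
    return (L + g) @ u          # c_i = u^T (l_i + g), Equation 2

def softmax(c):
    # Assumed normalization turning scores into weights that sum to 1.
    e = np.exp(c - c.max())
    return e / e.sum()

L = np.eye(3)                   # three toy local features of dimension 3
g = np.zeros(3)
u = np.array([1.0, 2.0, 3.0])
c = attention_weights(L, g, u)
print(c)                        # → [1. 2. 3.]
```

In the toy example the third local feature aligns best with u and therefore receives the highest attention, which is the amplify-salient / suppress-irrelevant behavior described above.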
3. Key point ranking
And dynamically selecting the most discriminating characteristic points from the generated characteristic map. The selection process is dynamic and is influenced by the input conditions. The selected feature points may differ for different images.
Attention weight learned via network attention module
Figure RE-RE-GDA0003372647460000142
Representing the discriminative weight of each feature point. Specifically, the secondary size is [ W, H, C]Input feature map L ofsIn this way, it predicts a same space size [ W, H ] by the attention module]Attention diagram CsIn which C iss(i, j) represents a feature Ls(i, j) point of attention. From the feature map LsIn (1), our goal is to select the C with the highest attentionsThe first K characteristic points of (i, j) are obtained again to obtain a new globalAnd (5) vector quantity.
This keypoint detection and ranking comprises the following main steps:
Reshape the feature map L_s and the predicted attention map C_s into one-dimensional arrays, denoted {L_s(n)} and {C_s(n)} respectively. Here n = H × W, and each L_s(n) is a feature vector with C channels.

From the attention map {C_s(n)}, select the first K values {C_s(k)} and record their positions; from the feature map {L_s(n)}, extract the feature points {L_s(k)} at these positions.

Compute the keypoint-based global vector g_s:

g_s = C_s(k) ⊙ L_s(k)    (Formula 3)

where ⊙ denotes the inner product between the keypoint attention values {C_s(k)} and each channel of the feature map {L_s(k)} (reshaped into a one-dimensional array).
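The keypoint detection and ranking steps above can be sketched as follows; the function name and the toy shapes are illustrative assumptions, with k playing the role of K.

```python
import numpy as np

def keypoint_global_vector(L_s, C_s, k):
    """Sketch of keypoint ranking: keep the k points with the highest
    attention and combine them into a keypoint-based global vector g_s.
    L_s: (H*W, C) reshaped feature map {L_s(n)}
    C_s: (H*W,)  reshaped attention map {C_s(n)}"""
    top = np.argsort(C_s)[::-1][:k]   # positions of the first k attention values
    # inner product of the selected attention values with each feature channel
    g_s = C_s[top] @ L_s[top]         # shape (C,)
    return g_s, top

C_s = np.array([0.1, 0.9, 0.3, 0.7])
L_s = np.eye(4)                       # 4 points, 4 channels, for illustration
g_s, top = keypoint_global_vector(L_s, C_s, k=2)
print(sorted(top.tolist()))           # [1, 3] -- the two highest-attention points
```

The selection is dynamic in exactly the sense the text describes: a different input produces a different C_s, hence a different set of top-k positions.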
Finally, we train the modified network with a cross-entropy loss function. The losses of the original image and of the adversarial sample are calculated separately and then summed:

Loss = L_CE(x, y) + L_CE(x', y)    (Formula 4)

where x is the original image, x' is the adversarial sample, and y is the true label.
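A minimal numerical sketch of this summed loss, under the assumption that both terms are standard cross-entropies computed on the clean and adversarial logits (variable names are ours):

```python
import numpy as np

def cross_entropy(logits, label):
    """Numerically stable cross-entropy for a single sample."""
    z = logits - logits.max()
    log_softmax = z - np.log(np.exp(z).sum())
    return -log_softmax[label]

def combined_loss(logits_clean, logits_adv, label):
    """The losses of the original image and the adversarial sample are
    computed separately and then summed, as in Formula 4."""
    return cross_entropy(logits_clean, label) + cross_entropy(logits_adv, label)

loss = combined_loss(np.array([2.0, 0.5]), np.array([1.0, 1.0]), label=0)
print(round(float(loss), 4))
```

Summing the two terms trains the network on both distributions at once, so lowering the adversarial loss cannot come at the price of forgetting the clean images.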
The invention designs a new network architecture that supports dynamic keypoint selection by the attention mechanism, so as to improve the robustness of the deep learning network. A discrete cosine transform and an activation function are introduced into the network to effectively suppress gradient-attack noise patterns.
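The DCT-plus-activation idea can be illustrated with an orthonormal DCT-II in plain numpy. A simple hard threshold stands in for the patent's activation function η(x), whose exact form is given only as a formula image, so this is a sketch of the principle rather than the claimed function.

```python
import numpy as np

def dct_matrix(n):
    """Orthonormal DCT-II transform matrix (D @ D.T == I)."""
    k = np.arange(n)[:, None]
    m = np.arange(n)[None, :]
    D = np.sqrt(2.0 / n) * np.cos(np.pi / n * k * (m + 0.5))
    D[0] /= np.sqrt(2.0)
    return D

def dct_denoise(x, tau):
    """Transform a 2-D feature map to the frequency domain, zero the
    coefficients smaller than tau (a stand-in for eta(x)), and
    transform back to the spatial domain."""
    D = dct_matrix(x.shape[0])
    E = dct_matrix(x.shape[1])
    freq = D @ x @ E.T                              # 2-D DCT
    freq = np.where(np.abs(freq) > tau, freq, 0.0)  # suppress small, noise-like coefficients
    return D.T @ freq @ E                           # inverse 2-D DCT

# A flat feature map with small additive "attack" noise is restored almost exactly.
x = np.ones((8, 8)) + 0.01 * np.random.default_rng(1).standard_normal((8, 8))
y = dct_denoise(x, tau=0.5)
print(np.allclose(y, np.ones((8, 8)), atol=0.1))  # True
```

The point of working in the frequency domain is that gradient-based perturbations spread into many small coefficients, so a thresholding activation removes them while the few large coefficients carrying the image content pass through.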
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element introduced by the phrase "comprising a(n) ..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
One or more embodiments of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of this document and is not intended to limit this document. Various modifications and changes may occur to those skilled in the art from this document. Any modifications, equivalents, improvements, etc. which come within the spirit and principle of the disclosure are intended to be included within the scope of the claims of this document.

Claims (10)

1. An attention-ranking-based adversarial sample defense method, characterized by comprising the following steps:
s101, pre-training a classification model and obtaining adversarial samples;
s102, preprocessing the adversarial samples through a discrete cosine transform layer, the first module of the adversarial sample defense model, to eliminate part of the attack;
s103, passing the feature map through an attention module to obtain attention weights;
s104, obtaining a new feature vector with global features according to the attention weights;
and s105, training the network according to the loss function and saving the model.
2. The attention-ranking-based adversarial sample defense method according to claim 1, wherein S101 specifically comprises:
s1011, inputting the original images of the training set and obtaining weights through pre-training;
and s1012, generating adversarial samples using the weights.
3. The attention-ranking-based adversarial sample defense method according to claim 1, wherein S102 specifically comprises:
s1021, applying a discrete cosine transform (DCT) after the adversarial sample passes through the first convolutional layer;
s1022, eliminating part of the attack in the frequency domain using the designed activation function η(x) (Formula 1);
s1023, restoring to the spatial domain using the inverse discrete cosine transform to obtain a feature map with part of the attack eliminated.
4. The attention-ranking-based adversarial sample defense method according to claim 1, wherein S103 specifically comprises:
s1031, passing the feature map sequentially through four residual blocks to obtain the feature vector sets L_s = {l_1^s, ..., l_n^s};
s1032, obtaining the global vector g from L_4 through average pooling, and at the same time mapping L_s, s ∈ {1, 2, 3}, to the dimension n of g;
s1033, combining the local feature l_i^s with the global feature g by item-by-item addition, and mapping the obtained feature to an attention weight c_i^s through a learned FC mapping, the attention weight being defined as Formula 2:

c_i^s = u^T (l_i^s + g)    (Formula 2)

wherein L_s = {l_1^s, ..., l_n^s} represents the set of feature vectors extracted after each residual block, with s ∈ {1, 2, 3}; l_i^s represents the i-th of the n feature vectors in the set L_s; g represents the global feature vector output by the fully connected layer in FIG. 7; and l_i^s and g both have dimension n.
5. The attention-ranking-based adversarial sample defense method according to claim 1, wherein S104 specifically comprises:
s1041, reshaping the feature map L_s and the predicted attention map C_s into one-dimensional arrays, denoted {L_s(n)} and {C_s(n)} respectively, wherein n = H × W and each L_s(n) is a feature vector with C channels;
s1042, selecting the first K values {C_s(k)} from the attention map {C_s(n)}, recording their positions, and extracting the feature points {L_s(k)} at these positions from the feature map {L_s(n)};
s1043, calculating the keypoint-based global vector g_s by Formula 3:

g_s = C_s(k) ⊙ L_s(k)    (Formula 3)

wherein ⊙ denotes the inner product between the keypoint attention values {C_s(k)} and each channel of the feature map {L_s(k)}.
6. The attention-ranking-based adversarial sample defense method according to claim 1, wherein S105 specifically comprises:
s1051, calculating the loss according to the classification result, back-propagating to update the model weights, and fine-tuning the model, the loss function being the cross-entropy loss of Formula 4:

Loss = L_CE(x, y) + L_CE(x', y)    (Formula 4)

wherein x is the original image, x' is the adversarial sample, and y is the true label;
and s1052, loading the test set, generating adversarial samples with the trained model, calculating the accuracy to evaluate the performance of the model, and saving the optimal model weights.
7. An attention-ranking-based adversarial sample defense system, characterized in that:
the adversarial sample defense system modifies the base model ResNet18 and is divided into three modules: a discrete cosine transform activation module, an attention module, and a keypoint ranking module; a discrete cosine transform (DCT) activation layer is introduced after the first convolutional layer to effectively suppress gradient-attack noise patterns; and in the attention module and the keypoint ranking module, keypoints on the feature map are dynamically selected for classification based on the attention mechanism, so as to reduce the influence of other attacked pixel points.
8. The attention-ranking-based adversarial sample defense system according to claim 7, wherein the discrete cosine transform activation module is configured to:
apply a discrete cosine transform (DCT) after the adversarial sample passes through the first convolutional layer;
eliminate part of the attack in the frequency domain using the designed activation function η(x) (Formula 1);
and restore to the spatial domain using the inverse discrete cosine transform to obtain a feature map with part of the attack eliminated.
9. The attention-ranking-based adversarial sample defense system according to claim 7, wherein the attention module is configured to:
map the feature vectors of L_s to the dimension n of g before calculating the attention weight;
and combine the local feature l_i^s with the global feature g by item-by-item addition, and map the obtained feature to an attention weight c_i^s through a learned FC mapping, the attention weight being defined as Formula 2:

c_i^s = u^T (l_i^s + g)    (Formula 2)

wherein L_s = {l_1^s, ..., l_n^s} represents the set of feature vectors extracted after each residual block, with s ∈ {1, 2, 3}; l_i^s represents the i-th of the n feature vectors in the set L_s; g represents the global feature vector output by the fully connected layer in FIG. 7; and l_i^s and g both have dimension n.
10. The attention-ranking-based adversarial sample defense system according to claim 7, wherein the keypoint ranking module is further configured to:
reshape the feature map L_s and the predicted attention map C_s into one-dimensional arrays, denoted {L_s(n)} and {C_s(n)} respectively, wherein n = H × W and each L_s(n) is a feature vector with C channels;
select the first K values {C_s(k)} from the attention map {C_s(n)}, record their positions, and extract the feature points {L_s(k)} at these positions from the feature map {L_s(n)};
and calculate the keypoint-based global vector g_s by Formula 3:

g_s = C_s(k) ⊙ L_s(k)    (Formula 3)

wherein ⊙ denotes the inner product between the keypoint attention values {C_s(k)} and each channel of the feature map {L_s(k)}.
CN202111175218.7A 2021-10-09 2021-10-09 Confrontation sample defense system and method based on attention ranking Pending CN113947704A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111175218.7A CN113947704A (en) 2021-10-09 2021-10-09 Confrontation sample defense system and method based on attention ranking


Publications (1)

Publication Number Publication Date
CN113947704A true CN113947704A (en) 2022-01-18

Family

ID=79329423

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111175218.7A Pending CN113947704A (en) 2021-10-09 2021-10-09 Confrontation sample defense system and method based on attention ranking

Country Status (1)

Country Link
CN (1) CN113947704A (en)



Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020263389A1 * 2019-06-26 2020-12-30 Hrl Laboratories, Llc System and method for detecting backdoor attacks in convolutional neural networks
US20210012188A1 (en) * 2019-07-09 2021-01-14 Baidu Usa Llc Systems and methods for defense against adversarial attacks using feature scattering-based adversarial training
WO2021051561A1 (en) * 2019-09-18 2021-03-25 平安科技(深圳)有限公司 Adversarial defense method and apparatus for image classification network, electronic device, and computer-readable storage medium
WO2021169292A1 (en) * 2020-02-24 2021-09-02 上海理工大学 Adversarial optimization method for training process of generative adversarial neural network
CN111598805A (en) * 2020-05-13 2020-08-28 华中科技大学 Confrontation sample defense method and system based on VAE-GAN
CN112560901A (en) * 2020-12-01 2021-03-26 南京航空航天大学 Method for defending and confronting sample based on combination of image preprocessing and confronting training
CN112949822A (en) * 2021-02-02 2021-06-11 中国人民解放军陆军工程大学 Low-perceptibility confrontation sample forming method based on double attention mechanism

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
THI THU THAO KHONG et al.: "Flexible Bayesian Inference by Weight Transfer for Robust Deep Neural Networks", IEICE Trans. Inf. & Syst., 28 July 2021 (2021-07-28) *
ZHIQUN ZHAO et al.: "Removing Adversarial Noise via Low-Rank Completion of High-Sensitivity Points", IEEE, 10 June 2021 (2021-06-10) *
LIU XIMENG; XIE LEHUI; WANG YAOPENG; LI XURU: "Adversarial Attacks and Defenses in Deep Learning", Chinese Journal of Network and Information Security, no. 05, 13 October 2020 (2020-10-13) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114596277A (en) * 2022-03-03 2022-06-07 北京百度网讯科技有限公司 Method, device, equipment and storage medium for detecting countermeasure sample
CN114742170A (en) * 2022-04-22 2022-07-12 马上消费金融股份有限公司 Countermeasure sample generation method, model training method, image recognition method and device
CN114742170B (en) * 2022-04-22 2023-07-25 马上消费金融股份有限公司 Countermeasure sample generation method, model training method, image recognition method and device
CN114912550A (en) * 2022-07-14 2022-08-16 南京理工大学 Countermeasure sample detection and identification method based on frequency domain transformation

Similar Documents

Publication Publication Date Title
CN113947704A (en) Confrontation sample defense system and method based on attention ranking
CN113554089B (en) Image classification countermeasure sample defense method and system and data processing terminal
CN111475797B (en) Method, device and equipment for generating countermeasure image and readable storage medium
CN113538202B (en) Image steganography method and system based on generation type steganography contrast
Rajaratnam et al. Noise flooding for detecting audio adversarial examples against automatic speech recognition
Zhang Machine learning with feature selection using principal component analysis for malware detection: a case study
CN109214973A (en) For the confrontation safety barrier generation method of steganalysis neural network
Dziedzic et al. On the difficulty of defending self-supervised learning against model extraction
Dziedzic et al. Dataset inference for self-supervised models
Laykaviriyakul et al. Collaborative Defense-GAN for protecting adversarial attacks on classification system
CN113627543B (en) Anti-attack detection method
CN116962047A (en) Interpretable threat information generation method, system and device
Nowroozi et al. Resisting deep learning models against adversarial attack transferability via feature randomization
CN113034332A (en) Invisible watermark image and backdoor attack model construction and classification method and system
Das et al. CNN based image resizing detection and resize factor classification for forensic applications
CN114745187A (en) Internal network anomaly detection method and system based on POP flow matrix
Liu et al. Defend Against Adversarial Samples by Using Perceptual Hash.
Sharma et al. Towards secured image steganography based on content-adaptive adversarial perturbation
CN112765606A (en) Malicious code homology analysis method, device and equipment
CN118038210A (en) Training sample selection method of DNN model based on semantic features
CN113591892A (en) Training data processing method and device
CN114638356B (en) Static weight guided deep neural network back door detection method and system
Mu et al. Enhancing robustness in video recognition models: Sparse adversarial attacks and beyond
CN115834251A (en) Hypergraph transform based threat hunting model establishing method
CN116662982A (en) Fraud detection method and device based on associated fraud perception

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination