Directed attack anti-patch generation method and device

An adversarial patch and adversarial example technique, applied in neural learning methods, biological neural network models, instruments, etc., that addresses the weak migration ability to the model's attention area and the low success rate, so as to improve the effect of targeted attacks, raise the success rate, and make implementation easier.

Active Publication Date: 2021-10-01
BEIJING UNIV OF POSTS & TELECOMM

AI Technical Summary

Problems solved by technology

[0005] Embodiments of the present invention provide a method and device for generating targeted attack adversarial patches. They address the problems in the prior art that the generated adversarial patches ignore the features of common concern between models, have weak migration capabilities for model attention areas, are not sensitive to structural differences, and have a low success rate in targeted attacks on the determined black-box model.

Examples

Embodiment 1

[0104] This embodiment provides a directed attack adversarial patch generation method, which is used to conduct directed attacks on black-box models that perform specific tasks. As shown in Figure 3 and Figure 4, the specific steps include:

[0105] 1. Obtain multiple white-box models with the same task as the black-box model to be attacked, and the model structure and parameters of each white-box model are different.

[0106] 2. Obtain a random initial adversarial patch and determine the target category of the targeted attack, then use each white-box model to iteratively update the initial adversarial patch over multiple consecutive iteration cycles to obtain the target general adversarial patch. Because the adversarial patch is continuously and iteratively updated through multiple white-box models with known structures and parameters, the final adversarial patch is universal to all the white-box models; that is, it can realize a directed attack on the black-box model to be attacked under this task.

[0107]...

Embodiment 2

[0114] On the basis of Embodiment 1, as shown in Figure 5 and Figure 6, in each iteration cycle the adversarial samples of each update iteration are input to the black-box model to be attacked, which outputs the first confidence degree for the target category, and the first confidence degree is used as the update stop condition. When the first confidence degree reaches the preset confidence, the update in the current iteration cycle is stopped, and the current first adversarial patch is output.

[0115] The advantage of the present invention is that most of the existing attack methods generate pixel-level micro-perturbations superimposed on the original image, which are difficult to realize in the physical world, whereas the adversarial patch generated by the present invention can be printed out and applied in the physical world, so it has certain practical significance. The existing methods ignore the features of common concern between models, and do not use the features of commo...

Abstract

The present invention provides a method and device for generating a directional attack adversarial patch. The method uses a plurality of white-box models with different structures, one after another, to iteratively update the adversarial patch, so that the resulting target general adversarial patch achieves a better attack effect on a black-box model with unknown structure. By introducing the triplet loss, the success rate of outputting the target category can be improved during the directed attack. By introducing the attention shift loss, the migration effect of the target general adversarial patch to the model attention area can be improved, which greatly improves the directional attack effect of the target general adversarial patch. By introducing a smoothing loss, the gap between the pixel points of the target general adversarial patch can be reduced, so that the patch is less likely to attract the attention of the human eye. Furthermore, by adding adversarial patches, targeted attacks can be carried out at the physical and digital levels at the same time, which is easier to implement.

Description

[0001] Directed attack anti-patch generation method and device

Technical field

[0002] The invention relates to the field of artificial intelligence security technology, in particular to a method and device for generating a directed attack adversarial patch.

Background

[0003] Deep neural networks (DNNs) have made great achievements in the fields of image classification, object detection, text classification and speech recognition, and have been widely used in production and life. However, research in recent years has shown that deep learning networks are fragile and susceptible to adversarial examples. Adversarial examples modify and perturb clean samples to make the trained neural network misclassify or misidentify, so that it cannot complete the target task.

[0004] The existence of adversarial samples has two sides. On the one hand, adversarial samples will attack or mislead applications based on deep learning, such as car driving and face recognition systems, the...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06K9/62, G06N3/04, G06N3/08
CPC: G06N3/084, G06N3/047, G06N3/045, G06F18/2415, G06F18/241
Inventor: 蒋玲玲, 罗娟娟
Owner: BEIJING UNIV OF POSTS & TELECOMM