39results about How to "Improve attack success rate" patented technology

The invention discloses a small adversarial patch generation method and device, and the method comprises the steps: carrying out the random initialization of an adversarial patch image, adding the initialized adversarial patch image to a selected pasting region on a target object in training data, and manufacturing an adversarial sample; transmitting the adversarial samples into a deep learning model for adversarial feature extraction, and transmitting benign samples without adversarial patch images into the deep learning model for benign feature extraction; jointly inputting the adversarial features and the benign features into a feature enhancement loss function for loss calculation to obtain a loss result; adding a loss result into a model loss function, and updating a pixel value of the adversarial patch through an optimizer after back propagation; and after preset times of iteration, enabling the adversarial patch to enable the deep learning model to output an error result, and ending the adversarial patch processing process. According to the method, the size of the anti-patch in the physical world can be smaller, the manufacturing cost is reduced, the identifiability of the anti-patch is reduced, and a defense method based on detection is broken through more easily.

Embodiments of the invention provide an adversarial sample generation method and device, electronic equipment and a storage medium. The method comprises the steps of obtaining an original text; determining a replacement word candidate set of each word in the original text; and based on a particle swarm optimization algorithm, searching a sample of the attack target model from a discrete space formed by the combination of the replacement word candidate sets, and generating an adversarial sample. According to the embodiment of the invention, the particle swarm optimization algorithm is used forsearching the adversarial sample, and the particle swarm optimization is more efficient than the genetic algorithm as a meta-heuristic group evolution calculation method, so that the search speed canbe increased when the algorithm is used for searching the adversarial sample, and the attack success rate can also be increased. For different natural language processing models, the embodiment of theinvention can quickly and efficiently generate a large number of high-quality confrontation samples, successfully cheat the target model and further expose the vulnerability of the target model, andhas good practicability.

The invention discloses a migratable adversarial sample attack method based on an attention mechanism, and the method comprises the steps of selecting a local replacement network model, constructing afeature library, and enabling an original image to be mapped into a feature space; adopting an iterative fast gradient symbol attack method based on momentum accumulation to enable the characteristics of the original picture to be far away from the original category area and to be close to the target category area; and inputting an adversarial sample obtained by attacks into a black box classification model, and outputting a target category by a misleading model. According to the invention, a triple loss function is used to destroy an area which is rich in information and is mainly concernedby the model in an attacked model characteristic space; the problems of low white-box target attack success rate and low black-box target mobility of an existing attack method in a classification taskof a complex data set are solved, and misleading of a classification model is effectively realized under the condition of considering a white-box scene and a black-box scene.

The invention relates to a black box adversarial sample attack method for a power quality signal neural network classification model, which is characterized by specifically comprising the following steps: a target model and a local substitution model of an attacker are subjected to training; the attacker generates general disturbance for the local training model; and the attacker attacks the target model by using the generated general disturbance. According to the method, the vulnerability of the neural network and the mobility of the adversarial sample are effectively utilized, the actual situation of attacks is met, and the attack success rate is high.

The invention belongs to the technical field of artificial intelligence model robustness judgment, and discloses a method for effectively attacking an unknown model under the condition of not knowing an artificial intelligence model and a training data set. The method comprises the following steps: capturing shallow shared features of an original data set, and generating a corresponding target sample according to an input condition, wherein the artificial intelligence model to be tested is used for predicting the output of the target sample, and the output is compared with the formal label to obtain the corresponding loss, and the generated target sample is used for training the substitution model and obtaining corresponding output; comparing the output of the same sample under the condition of two different models to obtain comparison loss so as to ensure that the substitution model well learns all functions of the artificial intelligence model to be tested; employing some mature attack algorithms for attacking the substitution model to obtain corresponding adversarial samples, and employing the adversarial samples for attacking an unknown artificial intelligence model so as to judge the robustness of the artificial intelligence model.

The invention provides a chosen plaintext side channel energy analysis method for an ECC algorithm of a P domain, and relates to the filed of cryptographic algorithm implementation, side channel energy analysis and the like. To carry out side channel energy analysis on implementation of non-defense methods and defense methods of the ECC algorithm, the novel side channel energy analysis method of an elliptic curve on a prime field on the basis of chosen plaintext is provided, so that an energy consumption difference of multiply operation of a scalar in the ECC algorithm is produced, and secret key information is obtained. According to the technical scheme, the method includes the following steps: (1) energy tracks of two sets of kP operations are collected; (2) side channel energy analysis is carried out based on the energy tracks obtained in the step (1) to recognize hidden point add operations; (3) different portions in the point add operations are mapped to the energy tracks to carry out side channel energy analysis, and a secret key sequence of k is concluded. The method provides a theoretical basis for implementation of chosen plaintext side channel energy analysis for the ECC algorithm of the P domain.

The invention belongs to the technical field of image recognition data processing, and particularly relates to an intelligent adversarial sample generation method and system based on an optimization algorithm and invariance. The method comprises the steps: collecting original image data with a correct label; constructing a neural network model for adversarial sample generation and a model loss function, and optimizing adversarial disturbance between an original input image and a corresponding output adversarial sample by maximizing the model loss function; based on original image data and a neural network model, an Adazief iterative quick gradient method and a cutting invariance method are used for iterative solution, and a finally generated adversarial sample is obtained according to an iteration termination condition. From the perspective that the generation process of the adversarial sample is similar to the neural network training process, the convergence process is optimized through the Adazief iteration quick gradient method, the over-fitting phenomenon in the adversarial attack is avoided by using the cutting invariance, the adversarial sample with better mobility can be generated, the robustness of the network model is improved, and the practical scene application is facilitated.

The invention discloses a method for modular multiplication remainder input side channel energy analysis attacks aiming at M-ary implementation of an RSA cryptographic algorithm. The core of the method is that when M-ary implementation is used by modular exponentiation, modular multiplication remainder input serves as an attack target to implement CPA (correlation power analysis) attacks. The method comprises the steps that (1) signals are acquired, and a sampling matrix is established; (2) the modular multiplication remainder input is selected to serve as the attack target; (3) a correlation model is determined; (4) cycle index values are guessed, and a median matrix is calculated; (5) a simulated energy consumption matrix is calculated; (6) linear correlation coefficients between corresponding measuring points in the step (1) and the matrix determined in the step (5) are calculated, correct modular multiplication remainder input values of all cycles are attacked, and all corresponding correct cycle indexes are found out, and are connected in series, so that a complete index is obtained. According to the method, a novel M-ary side channel attack method is provided, and the flexibility, the effectiveness and the success rate of RSA cryptographic algorithm analysis attacks are improved.

The invention discloses a voiceprint recognition confrontation sample generation method based on boundary attack. The method comprises the following steps: 1) performing data preprocessing on a used voice data set; 2) building a voiceprint recognition model; and 3) an algorithm for generating a confrontation sample through boundary attack, wherein the process comprises the following steps: selecting an initial point of a boundary attack algorithm, selecting a walking direction, and adjusting hyper-parameters. When the voiceprint identity is classified, traditional acoustic feature methods are not adopted, the voice is converted into the spectrogram for training, the advantage that the convolutional neural network extracts features on the image can be fully utilized, and the precision is greatly improved; and the method belongs to black box attacks, the structure and parameters of an original model do not need to be known, only classification labels of the model are needed, the application range is wider, and the practical significance is higher. The attack success rate is high, and generated confrontation samples cannot be perceived by naked eyes.

The invention discloses a gradient-based adversarial sample generation method and system. The method comprises the following steps: acquiring an original image sample and a neural network model to be attacked; inputting the original image sample into a neural network model, and obtaining loss information of the original image sample according to a cross entropy loss function; a corresponding gradient symbol matrix is obtained according to the loss information, disturbance information is generated, disturbance is added to the original image sample through the disturbance information, and a first noise image sample is obtained; performing filtering operation and cutting operation on the first noise image sample to obtain a second noise image sample; and judging whether the second noise image sample meets the requirements of the adversarial sample, if not, inputting the second noise image sample into the neural network model for next iteration, and otherwise, taking the second noise image sample as the adversarial sample and stopping iteration. According to the method, the adversarial sample with higher attack success rate and smaller noise visibility can be generated, so that the ability of the neural network model to resist adversarial attacks is enhanced.

The invention relates to an image confrontation sample generation method with rotation robustness in a physical world, and relates to the technical field of artificial intelligence security. The method mainly comprises the following steps: 1, initializing algorithm parameters and preprocessing an image to obtain a current confrontation sample; 2, rotating the current adversarial sample to obtain a rotated adversarial sample; 3, judging whether an iteration termination condition is met, if so, outputting a final confrontation sample and executing the step 7, otherwise, executing the step 4; 4, calculating a rotation invariant joint gradient matrix; 5, performing mean filtering on the rotation invariant joint gradient matrix; 6, updating the current confrontation sample, and returning to the step 23; and 7, testing by using the final confrontation sample in a real physical world, and observing confrontation attack effects at different rotation angles. The confrontation sample generated by the method has rotation robustness in the physical world, the problem that attack failure exists after the confrontation sample is rotated is solved, and the attack success rate is further improved.

The invention relates to the technical field of adversarial text generation, in particular to an adversarial text generation method and a system for a black box text classification model and a medium. The method comprises the following steps: collecting an original corpus and a classification label of a black box text classification model; performing word segmentation on the original corpus to obtain a word sequence corresponding to the original corpus; respectively obtaining a preset number of synonyms of each word in the word sequence; sequentially replacing the positions of the words in the candidate sentences with synonyms of the words to form new sentences, and forming a new candidate text set; and taking each sentence in the new candidate text set as the input of the black box text classification model in sequence to obtain a corresponding output result, and screening out K sentences with the lowest probability value of the original tag corresponding to the original corpus to form a confrontation text set. The invention has better performance in the aspects of confrontation sample quality and effectiveness control and attack success rate, and the generated confrontation sample has smoothness and fluency.

The invention discloses a multi-prior-based black box adversarial test sample generation method and device. The method comprises the steps of setting a plurality of hyper-parameters required for adversarial sample generation; initializing the adversarial sample and starting iteration; obtaining a plurality of different priors to obtain a group of orthogonal bases; estimating the similarity between the real gradient and each orthogonal vector; optimizing the objective function, and minimizing the expected difference between the estimated gradient and the real gradient; sampling a plurality of random vectors; estimating gradients according to a stochastic gradient estimation method. Therefore, the attack success rate of the neural network can be improved, or under the condition of the same attack success rate, the sampling frequency for estimating the gradient is reduced, and the generation of adversarial samples is accelerated.

The invention relates to a physical world confrontation sample generation method and device, electronic equipment and a storage medium, and is applied to the technical field of artificial intelligence. The method comprises the steps: obtaining a target disturbance image which is an image projected to a holographic film and generated based on an adversarial attack algorithm, and obtaining a target image, wherein the target image comprises a target disturbance image and a first face image of the first user, and determining the target image as a target confrontation sample. The anti-disturbance image of the digital world displayed in the electronic equipment can be converted into the real physical world in a holographic imaging mode, the anti-disturbance image does not need to be printed, so that unknown loss introduced in the printing process is avoided, the attack success rate of the physical world anti-disturbance sample is improved, and the global disturbance attack can be realized in the physical world.

The invention relates to the technical field of side channel attacks, and discloses a side channel attack method and system based on a convolutional neural network, and the attack method comprises the following steps: S1, collecting energy trace data; s2, extracting feature points; s3, constructing a data set; s4, constructing a convolutional neural network; s5, model training; s6, model evaluation; and S7, key recovery. The problems that in the prior art, template matching is difficult, and universality is low are solved.

The invention relates to an adversarial sample dynamic generation method and device, electronic equipment and a storage medium. The method comprises the following steps: acquiring a first face image of a first user in real time; performing target detection and tracking on the first face image, and generating a candidate frame for marking a face in the first face image; adjusting the target confrontation pattern projected on the holographic film based on the candidate frame to generate a target disturbance image; and obtaining a target confrontation sample, wherein the target confrontation sample comprises the first face image and the target disturbance image. According to the method and the device, the anti-disturbance image of the digital world displayed in the electronic equipment can be converted into the real physical world in a holographic imaging manner, and the anti-disturbance image does not need to be printed, so that the attack success rate of the physical world anti-disturbance sample can be improved; and the confrontation pattern can be correspondingly adjusted along with the adjustment of the face, so that the matching degree between the confrontation pattern and the face in the obtained target confrontation sample is improved.