Method for generating adversarial image

An adversarial image generation technology, applied in the field of generating adversarial images, that addresses the accuracy problems of deep neural networks and achieves the effects of reduced coupling, improved accuracy and good robustness.

Inactive Publication Date: 2018-07-06
TSINGHUA UNIV

AI Technical Summary

Problems solved by technology

With existing methods for generating adversarial images for deep neural network models, it is difficult for the generated images to achieve a high attack success rate against both white-box and black-box models, so the deep neural network cannot achieve a high accuracy rate under adversarial conditions.

Examples


Example 1

[0170] Example 1, based on the Inc-v3, Inc-v4, IncRes-v2 and Res-152 models, generate L∞-constrained adversarial images for untargeted attacks.

[0171] The method provided by the present invention may be called a momentum-based iterative fast gradient sign method (Momentum Iteration Fast Gradient Sign Method, MI-FGSM for short). In the process of generating images used in adversarial training, the noise threshold ε=16, the number of iterations T is 10, and the attenuation coefficient of the momentum term μ=1.0.

[0172] The Fast Gradient Sign Method (FGSM for short), which has no momentum term, and the Iteration Fast Gradient Sign Method (I-FGSM for short) are compared with the method provided by the present invention.

[0173] MI-FGSM, FGSM and I-FGSM can also be called attack methods of deep neural networks.

[0174] Using models based on Inc-v3, Inc-v4, IncRes-v2 and Res-152 to generate L∞-constrained images used in adversarial training for untargeted attacks, attacking Inc...

Example 2

[0178] Example 2, based on the Inc-v3, Inc-v4, IncRes-v2 and Res-152 models, generate L2-constrained adversarial images for untargeted attacks.

[0179] The method provided by the present invention may be called a momentum-based iterative fast gradient method (Momentum Iteration Fast Gradient Method, MI-FGM for short). In the process of generating an adversarial image, the noise threshold n is the dimension of the original image, the number of iterations T is 10, and the attenuation coefficient of the momentum term μ=1.0.

[0180] The Fast Gradient Method (FGM for short), which has no momentum term, and the Iteration Fast Gradient Method (I-FGM for short) are compared with the method provided by the present invention.

[0181] MI-FGM, FGM, and I-FGM can also be called attack methods of deep neural networks.

[0182] Using models based on Inc-v3, Inc-v4, IncRes-v2 and Res-152 to generate L2-constrained images used in adversarial training for untargeted attacks, attacking Inc-v3...

Example 3

[0186] Example 3: Integrate any three of the Inc-v3, Inc-v4, IncRes-v2 and Res-152 models with a neural network to obtain an integrated model. The weight of each model is equal, and the unintegrated model is used as the black-box model for the corresponding integrated model. Obtain the loss of the integrated model according to the unnormalized probability, predicted probability and loss respectively, and generate adversarial images satisfying the L∞ constraint for untargeted attacks. In the process of generating adversarial images, the noise threshold ε=16, the number of iterations T is 20, and the attenuation coefficient of the momentum term μ=1.0.

[0187] The Inc-v3, Inc-v4, IncRes-v2 and Res-152 models are respectively used as black box models, and the corresponding training samples are used to attack the integrated model and the black box model, and the attack success rate obtained is shown in Table 3.

[0188] Table 3 satisfies L∞-constrained Attack Success Rate of Ad...

Abstract

The invention provides a method for generating an adversarial image. The method comprises: on the basis of a gradient algorithm, a loss value of a first deep neural network model is obtained according to the image obtained by the previous iteration, and the momentum of the current iteration is generated based on the loss value; and on the basis of the momentum of the current iteration, the image of the current iteration is generated from the image obtained by the previous iteration, until the iteration reaches a preset number of iterations, and the image obtained by the final iteration is used as the adversarial image. According to the method provided by the invention, the original image is iterated using the momentum, and an adversarial image capable of attacking the deep neural network model is obtained, so that the coupling between white-box attack success rate and transferability is effectively reduced. High attack success rates are achieved against both the white-box model and the black-box model. The method can be used for adversarial training, thereby improving the accuracy of image classification by the deep neural network model, and can also be used for attacking the deep neural network model.
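The iteration summarised in the abstract, written out as an added example for robustness testing of a model you control (it is not code from the patent or its inventors). The two-layer toy model, its weights and the four-"pixel" input are constructed; ε=16, T=10 and μ=1.0 are the values of Example 1, while the L1 normalisation of the gradient and the step size ε/T follow the published MI-FGSM formulation and are assumptions with respect to this page.

```python
import math

# Constructed toy model (not from the patent): 4 "pixels" -> 2 tanh units -> sigmoid.
W1 = [[0.01, -0.02, 0.005, 0.01], [0.015, -0.01, 0.01, 0.005]]
B1 = [-0.5, -3.0]
W2 = [2.0, 1.5]
B2 = -0.5

def forward(x):
    """Return (hidden activations, probability of class 1)."""
    h = [math.tanh(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(W1, B1)]
    z = sum(w * hj for w, hj in zip(W2, h)) + B2
    return h, 1.0 / (1.0 + math.exp(-z))

def loss_gradient(x, y):
    """Gradient of the cross-entropy loss with respect to the input x."""
    h, p = forward(x)
    da = [(p - y) * w * (1.0 - hj * hj) for w, hj in zip(W2, h)]
    return [sum(da[j] * W1[j][i] for j in range(len(W1))) for i in range(len(x))]

def mi_fgsm(x0, y, eps=16.0, steps=10, mu=1.0):
    """Untargeted L-infinity momentum iteration; returns the perturbed input."""
    alpha = eps / steps              # assumed step size: eps spread over T steps
    g = [0.0] * len(x0)              # accumulated momentum
    x = list(x0)
    for _ in range(steps):
        grad = loss_gradient(x, y)
        l1 = max(sum(abs(v) for v in grad), 1e-12)   # avoid division by zero
        g = [mu * gi + v / l1 for gi, v in zip(g, grad)]   # momentum update
        x = [xi + alpha * ((gi > 0) - (gi < 0)) for xi, gi in zip(x, g)]
        # Project back into the eps-ball around x0 and the valid pixel range.
        x = [min(max(xi, oi - eps, 0.0), oi + eps, 255.0) for xi, oi in zip(x, x0)]
    return x

def robustness_report(x0, y):
    """Model confidence before and after the perturbation, plus its L-inf size."""
    adv = mi_fgsm(x0, y)
    return {
        "clean_p": forward(x0)[1],
        "adv_p": forward(adv)[1],
        "linf": max(abs(a - b) for a, b in zip(adv, x0)),
    }

if __name__ == "__main__":
    print(robustness_report([120.0, 60.0, 200.0, 30.0], 1))
```

A model hardened by adversarial training would be judged by how little `adv_p` moves away from `clean_p` for the same ε.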

Description

Technical field

[0001] The present invention relates to the technical field of machine learning, and more specifically, to a method for generating adversarial images.

Background technique

[0002] As a type of machine learning method, deep neural networks have gained widespread attention in recent years due to their remarkable results in many fields such as speech recognition, image classification, and object detection. However, deep neural network models that can achieve high accuracy on many tasks are vulnerable to attacks in adversarial environments. In an adversarial environment, the deep neural network is fed maliciously constructed adversarial samples based on normal samples, such as image or voice information. These adversarial examples are easily misclassified by deep learning models, but it is difficult for human observers to detect the difference between adversarial examples and normal examples. Since adversarial examples can measure the robustn...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06T7/00, G06N3/04, G06K9/62
CPC: G06T7/0002, G06T2207/20081, G06N3/045, G06F18/214, G06F18/24
Inventor: 朱军, 董胤蓬, 廖方舟, 庞天宇, 苏航, 胡晓林
Owner: TSINGHUA UNIV