Adversarial sample generation method based on Bayesian optimization

An adversarial-sample, iterative technique, applied to biological neural network models, instruments, platform integrity maintenance, etc., that addresses problems such as large query overhead and achieves the effect of reducing impact.

Active Publication Date: 2019-09-24
HANGZHOU DIANZI UNIV
9 Cites 16 Cited by

AI-Extracted Technical Summary

Problems solved by technology

[0005] The main purpose of the present invention is to propose a black-box attack method based on Bayesian optimization to g...

Abstract

The invention discloses an adversarial sample generation method based on Bayesian optimization. Existing black-box attack methods need to query the model a large number of times to obtain optimization information. The method takes an original picture as input and determines the position to be optimized by calculating the gradient of the structural similarity between the disturbed picture and the original picture. It then performs sampling optimization at the selected position using Bayesian optimization to obtain a disturbance value that increases the loss function at that position. Positions are selected and optimized iteratively in this way, and the process stops when the classification result of the disturbed image changes or the maximum number of iterations is reached. According to the invention, the number of queries to the target DNN model can be effectively reduced, and the number of disturbed pixels is small.

Technology Topic

Classification result, Bayesian optimization

Example Embodiment

[0027] The present invention takes an original image as input, calculates the structural similarity between the original image and a random Gaussian image, calculates its gradient, and selects the dimension corresponding to the smallest gradient value. Bayesian optimization is then applied dimension by dimension to obtain the best perturbation value. The disturbances obtained over multiple iterations are added together until the category prediction of the DNN classifier changes.
[0028] The following example illustrates the specific implementation of the entire process of the present invention (the effect of each step is shown in Figure 2):
[0029] Step 1: Obtain the true category y_c of the source image x and its probability M_c
[0030] x is the original image vector (as shown in Figure 1), Δx is an all-zero disturbance vector with the same dimension as x, and x_G is a random vector sampled from a Gaussian distribution with the same dimension as x (as shown in Figure 2). Take the original image x as the input of the target DNN classifier to obtain the probability output vector M(x; θ) of the original image; take the category corresponding to the maximum value in the probability output vector as the category prediction y_c of the original image, and the maximum value in the probability output vector as M_c.
[0031] Step 2: Determine the objective function to be optimized
[0032] Since the image vector x is high-dimensional, and generating adversarial samples does not require perturbing every dimension, this method perturbs only one dimension at a time and leaves the other dimensions unchanged to generate a trial perturbation Δx. Input x+Δx into the DNN classifier to obtain the predicted output vector M(x+Δx; θ). Let M_t be the maximum probability value in M(x+Δx; θ) over the categories other than y_c, and let y_t be the corresponding category. The objective function is defined as B(z) = log(M_c) - log(M_t). The goal of optimization is B(z) ≤ 0, which changes the target DNN classifier's classification of the disturbed image.
[0033] Step 3: Determine the coordinates and channels that need to be optimized in this iteration
[0034] In the T-th iteration, calculate the structural similarity SSIM(x′, x_G) between the current disturbed image x′ = x + Δx and the random image x_G:
[0035]
[0036] Here μ_{x′}, denote the means of x′ and x_G, the variances of x′ and x_G, denote the covariance of x′ and x_G, and ε_1 and ε_2 are small scalars that ensure the denominator is not zero. Then find the gradient of the structural similarity with respect to the image x′, obtaining a gradient vector with the same dimension as the original image:
[0037]
[0038] Select the coordinate s and channel c corresponding to the smallest gradient value as the next optimized coordinates:
[0039]
[0040] Step 4: Use Bayesian optimization for specific pixels
[0041] 1) Use a Gaussian process as a surrogate for the objective function to be optimized, and use the EI (expected improvement) strategy as the acquisition function. Set the maximum number of test points I and the current number of test points i = 0; first randomly select several disturbance values for testing to generate the initial observation data set D_{1:t}, which contains t observed data points.
[0042] 2) From the posterior distribution obtained from the observed data set D_{1:t}, construct the EI acquisition function α_t(z; D_{1:t}):
[0043]
[0044] where v* represents the current optimal function value, φ(·) is the probability density function of the standard normal distribution, and μ_t(z) and σ_t(z) respectively represent the mean and variance of the data points in D_{1:t}.
[0045] 3) Select the next evaluation point by maximizing the acquisition function, z_{t+1} = argmax_{z ∈ Z} α_t(z; D_{1:t}). Assign z_{t+1} to the corresponding dimension s of Δx and evaluate the objective function value B(z_{t+1}); after the evaluation, add the evaluated value to the observation data set D. Set i += 1; if i ≤ I, go to 2).
[0046] 4) Output the minimum function value B(z) in the observed data set and its corresponding disturbance value z.
[0047] Step 5: Assign the best disturbance value z obtained in Step 4 to the disturbance vector Δx (the final disturbance image is shown in Figure 3; a total of 36 pixels are disturbed, with 891 evaluations). If B(z) < 0, the attack is considered successful, and the disturbed picture x+Δx is output as the adversarial sample (the final adversarial image is shown in Figure 4). If B(z) ≥ 0, the attack is considered unsuccessful in this iteration; jump to Step 3 and continue to the next iteration based on the current disturbance vector Δx.
[0048] Experimental results: 100 pictures are randomly selected from CIFAR10 as experimental data. In the experimental results, the average number of disturbed pixels is 95.22, the median is 78.5, the average number of evaluations is 2364.85, and the median is 1944.5. The number of evaluations is significantly less than the One Pixel Attacks method and the Boundary Attacks method.
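Steps 2, 4 and 5 can be traced on a model you control with the following added example, which is not code from the patent: it builds B(z) for one perturbed dimension and minimises it with a Gaussian-process surrogate and EI while counting queries. The toy 3-class softmax model (`W`, `X`), the RBF kernel and its length scale, the fixed initial points (the method samples them randomly), the candidate grid and the standard closed-form EI for minimisation are all assumptions made here, since the page's own EI formula is not reproduced.

```python
import math

# Constructed toy 3-class softmax model standing in for the black-box classifier M(x; θ).
W = [[2.0, 0.0, 1.0, 0.0], [0.0, 2.0, -1.0, 0.0], [0.0, 0.0, 3.0, 1.0]]
X = [0.9, 0.1, 0.5, 0.3]  # constructed 4-pixel "image", values in [0, 1]

def predict(x):
    logits = [sum(w * v for w, v in zip(row, x)) for row in W]
    e = [math.exp(l - max(logits)) for l in logits]
    return [v / sum(e) for v in e]

def make_objective(x, s):  # Step 2: B(z) = log(M_c) - log(M_t), only dimension s perturbed
    c = max(range(len(W)), key=predict(x).__getitem__)  # y_c from Step 1
    def B(z):
        p = predict([v + z if j == s else v for j, v in enumerate(x)])
        return math.log(p[c]) - math.log(max(q for k, q in enumerate(p) if k != c))
    return B

def solve(A, b):  # Gaussian elimination for a small symmetric positive-definite system
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for i in range(n):
        for r in range(i + 1, n):
            f = M[r][i] / M[i][i]
            M[r] = [a - f * p for a, p in zip(M[r], M[i])]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x

def kern(a, b, ell=0.3):  # RBF kernel; the length scale is an assumption
    return math.exp(-((a - b) ** 2) / (2 * ell ** 2))

def expected_improvement(z, Z, Y, jitter=1e-6):  # standard EI for minimisation, zero-mean GP
    K = [[kern(a, b) + jitter * (i == j) for j, b in enumerate(Z)] for i, a in enumerate(Z)]
    ks = [kern(z, a) for a in Z]
    mu = sum(k * a for k, a in zip(ks, solve(K, Y)))
    sd = math.sqrt(max(1.0 - sum(k * v for k, v in zip(ks, solve(K, ks))), 1e-12))
    d = min(Y) - mu  # expected gain over the incumbent v*
    cdf = 0.5 * (1 + math.erf(d / sd / math.sqrt(2)))
    return d * cdf + sd * math.exp(-0.5 * (d / sd) ** 2) / math.sqrt(2 * math.pi)

def bayes_opt(B, init=(-0.5, 0.0), budget=6, lo=-0.5, hi=0.5, steps=41):
    # Step 4: returns (best z, best B(z), number of model queries)
    Z, Y = list(init), [B(z) for z in init]
    grid = [lo + (hi - lo) * i / (steps - 1) for i in range(steps)]
    for _ in range(budget):
        z = max(grid, key=lambda g: expected_improvement(g, Z, Y))
        Z.append(z); Y.append(B(z))
    i = min(range(len(Y)), key=Y.__getitem__)
    return Z[i], Y[i], len(Y)
```

Calling `bayes_opt(make_objective(X, 2))` applies the Step 5 test directly: a returned B(z) below zero means the single-dimension perturbation changed the toy model's prediction, and the third return value is the query count that the method aims to keep small.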