Adversarial sample defense method based on spoofing attacker

An adversarial-example defense technique, applied in the fields of instruments, computing, and character and pattern recognition, that addresses two problems: existing defense methods are poorly matched to the attack, and combining several of them does not significantly improve defense performance. Its effect is to improve the security of the classification system.

Active Publication Date: 2020-02-28
DALIAN UNIV OF TECH
Cites: 7 | Cited by: 19

AI Technical Summary

Problems solved by technology

We do not know whether the perturbation produced by this method is universal or specific to each classifier, but the method produces more perturbations than attacking a single classifier would.
By investigating several defense methods, He et al. show that using multiple defense methods simultaneously does not significantly improve defense performance.
However, this conclusion does not appear to apply to all defense methods.



Examples


Embodiment 1

[0050] Defense performance against non-targeted adversarial examples:

[0051] Assumption 1: We assume that the attacker uses an iterative method to generate adversarial examples, with misclassification as the iterative goal. Once the attacker achieves that goal for one image, it moves on to generating an adversarial example for the next image.

[0052] We first consider processing a single image. The buffer is initialised to a zero matrix of size image length × image width × 3. When the attacker uses TRCS as the original classifier, the input is stored in m1. Next, the image saved in m1 is transferred to m2, and the newly generated image is stored in m1 again. When the attacker performs t+1 iterations, the buffer overflows; we denote the overflow value as P. If P is not a zero matrix, we calculate the difference D between the current m1 and P. The L1 norm or MSE value is used to calculate the differe...
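The buffer of paragraph [0052], as an added worked example (this is not the patent's code): a fixed-depth shift register that stores each query, yields the overflowing image P once the attacker has made t+1 queries, and compares P with the current input m1 by L1 norm or MSE. The paragraph is truncated before it says how D is used, so the threshold on D, the decision to answer a suspected attack query from the deceptive classifier 2, and the two toy classifiers are assumptions made for illustration.

```python
"""Query buffer in parallel with the classifier (paragraph [0052]).

Added worked example, not the patent's own code. Images are flattened
lists of floats of length H*W*3. Assumptions: buffer depth t, L1 or MSE
as the distance between the current input m1 and the overflow P, a fixed
threshold on D, and answering a query judged to be one more step of an
iterative attack from the deceptive classifier 2. The two toy classifiers
and all numbers below are constructed stand-ins.
"""
from collections import deque
from typing import Callable, Deque, List, Tuple

Image = List[float]
Classifier = Callable[[Image], int]


def l1_distance(a: Image, b: Image) -> float:
    """L1 norm of the pixel-wise difference."""
    return sum(abs(x - y) for x, y in zip(a, b))


def mse_distance(a: Image, b: Image) -> float:
    """Mean squared error between two flattened images."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)


def is_zero(image: Image) -> bool:
    return all(x == 0.0 for x in image)


class QueryBuffer:
    """Shift register m1..mt, every slot initialised to a zero matrix.

    push() stores the newest query in m1 and shifts older ones down; on the
    (t+1)-th query the oldest image falls off the end and is returned as P.
    While the buffer is still filling, P is the zero matrix.
    """

    def __init__(self, depth: int, image_size: int) -> None:
        self.slots: Deque[Image] = deque(
            ([0.0] * image_size for _ in range(depth)), maxlen=depth)

    def push(self, image: Image) -> Image:
        overflow = self.slots[-1]           # m_t, about to be evicted
        self.slots.appendleft(list(image))  # becomes the new m1
        return overflow


class DeceptiveClassifier:
    """Original classifier with a query buffer attached in parallel.

    If the distance D between the new query and P is at most `threshold`,
    the query is treated as another iteration of an attack on the same
    image and answered by classifier 2, so the attacker optimises against
    the wrong model. Otherwise the original classifier answers.
    """

    def __init__(self, original: Classifier, classifier2: Classifier,
                 depth: int, image_size: int, threshold: float,
                 metric: Callable[[Image, Image], float] = l1_distance) -> None:
        self.original = original
        self.classifier2 = classifier2
        self.buffer = QueryBuffer(depth, image_size)
        self.threshold = threshold
        self.metric = metric

    def classify(self, image: Image) -> Tuple[int, str]:
        """Return (label, name of the classifier that produced it)."""
        p = self.buffer.push(image)
        if not is_zero(p) and self.metric(image, p) <= self.threshold:
            return self.classifier2(image), "classifier2"
        return self.original(image), "original"


# Toy stand-ins for the two networks (constructed, not from the patent).
def toy_original(image: Image) -> int:
    half = len(image) // 2
    return 0 if sum(image[:half]) >= sum(image[half:]) else 1


def toy_classifier2(image: Image) -> int:
    # A deliberately different decision rule, so gradients taken against
    # it do not transfer to toy_original.
    return 0 if image[0] >= image[-1] else 1


def simulate_iterative_attack(system: DeceptiveClassifier, image: Image,
                              step: float, iterations: int) -> List[str]:
    """Attacker nudges every pixel by `step` per query (a small fixed-step
    iterative attack); return which classifier answered each query."""
    routes, current = [], list(image)
    for _ in range(iterations):
        current = [x + step for x in current]
        routes.append(system.classify(current)[1])
    return routes


if __name__ == "__main__":
    size = 2 * 2 * 3  # a 2x2 RGB image, flattened
    system = DeceptiveClassifier(toy_original, toy_classifier2,
                                 depth=3, image_size=size, threshold=1.0)
    print(simulate_iterative_attack(system, [0.5] * size, step=0.01, iterations=6))
    print(system.classify([9.0] * size)[1])  # unrelated image: served normally
```

With depth 3, the first three queries are answered by the original classifier while the buffer fills; from the fourth query on, P is the image from three iterations earlier, D is small, and every further iteration is answered by classifier 2. A genuinely new image is far from P and is served normally, which is the property the abstract asks for: normal samples are classified as before.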

Embodiment 2

[0081] Defensive performance against targeted adversarial example attacks

[0082] The attacker's iterative process is not interrupted until the target label is achieved on the classifier or the number of iterations reaches the upper limit. While the buffer controls the generation process, classifier 2 outputs its classification results, and this result must meet the requirement for determining the target classification. An untrained network cannot achieve this, so another trained network is used: a network that generalizes poorly with respect to the original classifier is adopted as classifier 2. When the same images are fed to both, the original classifier and classifier 2 both classify them correctly, but their output labels differ.

[0083] As mentioned above, detectors cannot classify adversarial examples well. Low detection performance of the front detector greatly affects the normal classification of the system. At the same...

Embodiment 3

[0089] A defense method for adversarial samples based on deceiving attackers comprises the following steps:

[0090] S1. Train classifier 2 so that it generalizes poorly with respect to the original classifier; specifically, adversarial samples generated by attacking classifier 2 are still correctly identified by the original classifier.

[0091] S2. Construct a buffer and connect it in parallel with the classifier.

[0092] S3. Construct a detector for adversarial samples generated by single-step or few-step attacks; the detector is placed in front of the original classifier.

[0093] S4. Construct a standard library and a comparator, which can replace the detector. The comparator is a non-gradient defense method and can effectively defend against gradient-based attacks; it is placed after the original classifier.

[0094] Further, steps S1-S3 are carried out in detail as follows:

[0095] T1. Train classifier 2 so that both the ...
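The comparator of step S4, as an added worked example (not the patent's code). The page does not say how the standard library and comparator are built, so this is an assumed reading: the standard library is a set of labelled reference samples, and the comparator returns the label of the nearest reference if it lies within a hard distance threshold and rejects otherwise. The point the example makes is the "non-gradient return" property from the abstract: argmin plus a threshold is piecewise constant, so the finite-difference gradient an attacker estimates through it is zero almost everywhere and a sign-gradient step has nothing to follow, whereas a differentiable softmax scorer over the same library leaks a usable gradient. Library contents, the threshold and the L1 metric are constructed.

```python
"""Non-gradient comparator against a standard library (step S4).

Added worked example; not the patent's own code. Assumed reading of S4:
the 'standard library' is a set of labelled reference samples and the
'comparator' returns the label of the nearest reference if it lies within
a hard distance threshold, otherwise REJECT. Library contents, threshold
and the L1 metric are constructed for illustration.
"""
import math
from typing import Callable, Dict, List

Image = List[float]
Library = Dict[int, List[Image]]
REJECT = -1


def l1_distance(a: Image, b: Image) -> float:
    return sum(abs(x - y) for x, y in zip(a, b))


def build_standard_library() -> Library:
    """Constructed 1x2x3 reference 'images' (six values each) for two classes."""
    return {
        0: [[0.9, 0.9, 0.9, 0.1, 0.1, 0.1], [0.8, 0.9, 0.8, 0.2, 0.1, 0.2]],
        1: [[0.1, 0.1, 0.1, 0.9, 0.9, 0.9], [0.2, 0.1, 0.2, 0.8, 0.9, 0.8]],
    }


def comparator(image: Image, library: Library, threshold: float) -> int:
    """Label of the nearest standard sample, or REJECT if none is within threshold.

    argmin plus a hard threshold: there is no differentiable path from the
    input pixels to the output, which is the 'non-gradient return' property.
    """
    best_label, best_dist = REJECT, math.inf
    for label, refs in library.items():
        for ref in refs:
            d = l1_distance(image, ref)
            if d < best_dist:
                best_label, best_dist = label, d
    return best_label if best_dist <= threshold else REJECT


def soft_scorer(image: Image, library: Library, target: int) -> float:
    """Differentiable contrast: softmax over negated per-class nearest distances.
    This is the kind of smooth score a gradient attack needs."""
    scores = {lab: -min(l1_distance(image, r) for r in refs)
              for lab, refs in library.items()}
    z = sum(math.exp(s) for s in scores.values())
    return math.exp(scores[target]) / z


def numerical_gradient(f: Callable[[Image], float], image: Image,
                       eps: float = 1e-3) -> List[float]:
    """Central finite differences, as a black-box gradient estimator would compute."""
    grad = []
    for i in range(len(image)):
        plus, minus = list(image), list(image)
        plus[i] += eps
        minus[i] -= eps
        grad.append((f(plus) - f(minus)) / (2 * eps))
    return grad


def fgsm_step(image: Image, grad: List[float], eps: float) -> Image:
    """One FGSM-style step x + eps*sign(grad); sign(0) == 0 leaves a pixel unchanged."""
    return [x + eps * ((g > 0) - (g < 0)) for x, g in zip(image, grad)]


def comparator_gradient(image: Image, library: Library, threshold: float,
                        label: int) -> List[float]:
    """Gradient of the indicator 'comparator outputs `label`' w.r.t. the pixels."""
    def indicator(img: Image) -> float:
        return 1.0 if comparator(img, library, threshold) == label else 0.0
    return numerical_gradient(indicator, image)


def soft_gradient(image: Image, library: Library, target: int) -> List[float]:
    return numerical_gradient(lambda img: soft_scorer(img, library, target), image)


if __name__ == "__main__":
    lib = build_standard_library()
    clean = [0.85, 0.9, 0.9, 0.15, 0.1, 0.1]  # constructed class-0 input
    g_hard = comparator_gradient(clean, lib, threshold=1.0, label=0)
    g_soft = soft_gradient(clean, lib, target=0)
    print("comparator gradient:", g_hard)   # all zeros: nothing to follow
    print("soft scorer gradient:", g_soft)  # non-zero: attackable
    adv = fgsm_step(clean, g_hard, eps=0.1)
    print("label before/after:", comparator(clean, lib, 1.0), comparator(adv, lib, 1.0))
```

The caveat a practitioner should keep in mind: a zero gradient defeats gradient-based attacks such as FGSM, but it does not stop decision-based or transfer attacks that never differentiate through the comparator, so the comparator still relies on the buffer and classifier 2 described in the earlier steps.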


Abstract

The invention discloses an adversarial sample defense method based on spoofing the attacker, and belongs to the technical field of computer image processing. In the technical scheme, a classification system is constructed without changing the classification performance of the original classifier: a buffer is added to the classification system in parallel, and the attacker is deceived by constructing a classifier 2 that generalizes poorly with respect to the original classifier; an additional detector is placed in front of the original classifier to defend against single-step attacks and raise the difficulty of the attack process, and only images that the detector labels as normal are classified by the original classifier; a comparator or an ensemble learning block can replace the detector, giving better classification performance and a non-gradient return characteristic, and the comparator is not tied to any specific attack strategy or perturbation pattern. The method has the beneficial effect that the generation process of adversarial samples is obstructed by the buffer, the comparator and the like, so that the defensive performance of the classification network against adversarial samples is improved without affecting its classification performance on normal samples.

Description

Technical field [0001] The invention belongs to the technical field of computer image processing, and in particular relates to an adversarial sample defense method based on deceiving attackers. Background technique [0002] Recently, with the advent of deep learning and the establishment of large databases, deep neural networks have significantly improved the performance of image classification and similar tasks. Until now, however, deep neural networks still work like black boxes. Earlier work pointed out that small perturbations of the original image lead to misclassification by the classification network. Meanwhile, Goodfellow et al. show that it is the high linearity of deep learning models that leads to adversarial examples, and on this basis they propose the Fast Gradient Sign Method (FGSM). FGSM performs a single gradient step on the image pixels along the sign of the gradient. To improve the attack performance of FGSM, Dong et al. use moment...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06K9/62
CPC: G06F18/241, G06F18/214
Inventor: 王波 (Wang Bo), 赵梦楠 (Zhao Mengnan)
Owner: DALIAN UNIV OF TECH