Black box depth model adversarial sample generation method

Adversarial sample technology for deep models, applied in neural learning methods, biological neural network models, character and pattern recognition, etc. It addresses problems such as high overhead and achieves the effect of reducing the number of queries.

Active Publication Date: 2020-08-07
XIAMEN UNIV

AI Technical Summary

Problems solved by technology

This type of method can usually achieve a high attack success rate, but requires thousands of queries to the model. This is expensive in real scenarios and is easily defended against by the online system limiting the frequency.



Examples


Embodiment 1

[0048] In this embodiment, a black-box depth model adversarial sample generation method is as follows:

[0049] Step 1. Input the dimension d of the image x, set the number of frequencies m, the low frequency limit parameter r and the maximum number of queries max_iter;

[0050] Step 2. Construct a dimensionality reduction projection matrix W;

[0051] Step 2.1, initialize the dimensionality reduction projection matrix W with all zeros, and initialize the frequency j=0;

[0052] Step 2.2, if the frequency j is less than the number of frequencies m, randomly pick a base $v_j$ from the matrix $I_{r \times d}$, let $W[j,:] = \mathrm{DCT}(v_j)$, $j = j+1$;

[0053] Step 2.3, repeating step 2.2 until the frequency j is equal to the number of frequencies m; at this time, the dimensionality reduction projection matrix W is output;

[0054] Step 3, optimize the amplitude α;

[0055] Step 3.1, initializing the amplitude α=0, query times t=0;

[0056] Step 3.2. Randomly sample the vector Δα within a ce...
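Steps 2.1 to 2.3 carried through on constructed sizes, as an added example that is not code from the patent. It shows that only the m amplitudes are free and that the resulting noise has no energy above DCT index r, which is the spectral signature a defender can look for. Assumptions: the image is a flat vector of length d, $I_{r \times d}$ is read as the first r rows of the identity, bases are drawn without replacement, each row of W is the orthonormal DCT-II basis function at the picked frequency (the page writes only DCT(v_j)), and all function names are hypothetical.

```python
import math
import random

def dct_basis(k, d):
    """k-th orthonormal DCT-II basis function of length d (frequency k)."""
    scale = math.sqrt((1.0 if k == 0 else 2.0) / d)
    return [scale * math.cos(math.pi * (2 * n + 1) * k / (2 * d)) for n in range(d)]

def dct(x):
    """Orthonormal DCT-II of a vector: coefficient k is <x, basis_k>."""
    d = len(x)
    return [sum(a * b for a, b in zip(x, dct_basis(k, d))) for k in range(d)]

def build_projection(d, m, r, seed=0):
    """Steps 2.1-2.3: W is m x d, one low-frequency basis per row."""
    if not m <= r <= d:
        raise ValueError("need m <= r <= d")
    rng = random.Random(seed)
    # Rows of I_{r x d} to use; drawn without replacement (assumption).
    picked = rng.sample(range(r), m)
    W = [[0.0] * d for _ in range(m)]   # step 2.1: all zeros
    for j, k in enumerate(picked):      # step 2.2, repeated until j == m
        W[j] = dct_basis(k, d)
    return W, picked

def perturbation(alpha, W):
    """Pixel-space noise delta = alpha . W; only the m amplitudes are free."""
    d = len(W[0])
    return [sum(a * row[n] for a, row in zip(alpha, W)) for n in range(d)]

def high_freq_energy(delta, r):
    """Fraction of the noise energy at DCT indices >= r."""
    coeffs = dct(delta)
    total = sum(c * c for c in coeffs)
    return sum(c * c for c in coeffs[r:]) / total if total else 0.0

if __name__ == "__main__":
    d, m, r = 64, 8, 16                 # constructed sizes
    W, picked = build_projection(d, m, r)
    alpha = [1, -1, 0, 1, 0, -1, 1, 1]  # constructed amplitudes
    delta = perturbation(alpha, W)
    print("search dims:", m, "of", d, "picked:", sorted(picked))
    print("energy above r:", round(high_freq_energy(delta, r), 12))
```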

Embodiment 2

[0060] On the basis of the first embodiment, when optimizing the amplitude, the amplitude is constrained to a discrete three-valued space. In this embodiment, a black-box depth model adversarial sample generation method is as follows:

[0061] Step 1. Input the dimension d of the image x, set the number of frequencies m, the low frequency limit parameter r and the maximum number of queries max_iter;

[0062] Step 2. Construct a dimensionality reduction projection matrix W;

[0063] Step 2.1, initialize the dimensionality reduction projection matrix W with all zeros, and initialize the frequency j=0;

[0064] Step 2.2, if the frequency j is less than the number of frequencies m, randomly pick a base $v_j$ from $I_{r \times d}$, let $W[j,:] = \mathrm{DCT}(v_j)$, $j = j+1$;

[0065] Step 2.3, repeating step 2.2 until the frequency j is equal to the number of frequencies m; at this time, the dimensionality reduction projection matrix W is output;

[0066] Step 3, optimize the amplitude α;

[0067...

Embodiment 3

[0072] In this embodiment, on the basis of the first embodiment, when optimizing the amplitude, the amplitude is constrained to a discrete three-valued space, and a probability-driven optimal sampling method is adopted. A black-box depth model adversarial sample generation method in this embodiment is specifically as follows:

[0073] Step 1. Input the dimension d of the image x, set the number of frequencies m, the low frequency limit parameter r and the maximum number of queries max_iter;

[0074] Step 2. Construct a dimensionality reduction projection matrix W;

[0075] Step 2.1, initialize the dimensionality reduction projection matrix W with all zeros, and initialize the frequency j=0;

[0076] Step 2.2, if the frequency j is less than the number of frequencies m, randomly pick a base $v_j$ from $I_{r \times d}$, let $W[j,:] = \mathrm{DCT}(v_j)$, $j = j+1$;

[0077] Step 2.3, repeating step 2.2 until the frequency j is equal to the number of frequencies m; at this time, the dimensionality red...


Abstract

The invention relates to a black box depth model adversarial sample generation method, which can effectively reduce the query frequency of a model. The method aims at solving the problems that traditional black box attack methods have a large solution space, are difficult to optimize, and have a high query frequency. For an input picture, an adversarial-noise space based on low-frequency components is randomly selected, and the high-dimensional optimization problem of the adversarial noise is converted into a low-dimensional optimization problem of the corresponding amplitude, so that the purpose of effectively reducing the query frequency of the model is achieved.

Description

Technical field

[0001] The invention relates to the field of black-box attacks, in particular to a method for generating black-box depth model adversarial samples.

Background technique

[0002] In recent years, with the rapid development of GPU hardware and the advent of the era of big data, deep learning has developed rapidly and has swept all fields of artificial intelligence, including speech recognition, image recognition, video tracking, natural speech processing, and the video field. Deep learning technology breaks through traditional technical methods and greatly improves the recognition performance in various fields. However, deep neural networks have been proven to be vulnerable to small perturbations, which has raised security concerns in many fields such as autonomous driving and face verification.

[0003] Black-box attack refers to the attack scenario where the attacker does not know the internal information of the attacked model, such as the network architectu...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06K9/62, G06N3/08
CPC: G06N3/08, G06F18/214
Inventor: 纪荣嵘, 李杰
Owner: XIAMEN UNIV