Black box attack method based on migration model Jacobian matrix feature vector disturbance

A black-box attack technique based on disturbing the eigenvectors of the transfer model's Jacobian matrix. It solves the problem of low attack efficiency, achieving a small attack cost, saving time and cost, and optimizing attack efficiency.

Active Publication Date: 2020-12-15
TSINGHUA UNIV

AI Technical Summary

Problems solved by technology

In the former scheme, a white-box network is generally trained on some training samples, and the known white-box network parameters are then used to guide each iteration of the black-box attack. This scheme needs a large number of pre-training samples, and those samples should preferably be close to the classification task of the black-box network. In the latter scheme, the idea of zero-order gradient optimization is usually used to estimate the gradient of the black-box network at a certain input point by sampling, so that gradient descent iteratively finds an adversarial sample. This scheme needs no pre-training samples, but its attack efficiency is low.

Embodiment Construction

[0030] The black-box attack method based on the disturbance of the eigenvectors of the migration model's Jacobian matrix proposed by the present invention is described in detail below, in conjunction with the accompanying drawings and an embodiment:

[0031] The invention proposes a black-box attack method based on the disturbance of the eigenvectors of the migration model's Jacobian matrix, which is applicable to any general black-box attack model. This embodiment uses ResNet-50 to carry out black-box attacks on ImageNet image samples, and uses pre-trained ResNet-18 as the migration pre-training model (wherein the migration pre-training model and the black-box model belong to the same category of models; for example, if the black-box model is an image classification model, then the migration pre-training model is also an image classification model; and when the task correlation of these two models is stronger, the performance of the method of the present invention is...


Abstract

The invention provides a black-box attack method based on migration model Jacobian matrix feature vector disturbance, and belongs to the technical field of machine learning system security and black-box attack. The method comprises the following steps: first, determining the black-box model to be attacked and a migration pre-training model, and obtaining the original sample to be attacked and its label; then continuously applying a disturbance to the original sample, and continuously updating the disturbance through iterative computation using the singular value decomposition of a Jacobian matrix calculated by the migration pre-training model; finally, the disturbed sample is no longer assigned the correct label when classified by the black-box model. The method has the advantages that only one migratable pre-training network is needed, no training samples are needed, and the attack efficiency of a traditional black-box model can be greatly improved.

Description

Technical field

[0001] The invention belongs to the technical field of machine learning system security and black-box attack, and in particular proposes a black-box attack method based on disturbance of the Jacobian eigenvectors of a migration model.

Background technique

[0002] With the development of deep learning, the security issues of deep learning systems have gradually attracted the attention of the machine learning community. Since providers of general deep learning systems do not disclose the specific implementation of their systems, black-box attacks are often an effective means of attacking deep learning systems. Specifically, a black-box attack iteratively constructs a series of system input samples and gradually reduces the degree to which the deep learning system recognizes the samples, while ensuring that the difference between each input sample and the sample to be attacked is small, and finally, at a certain input, the output classification is complete...


Application Information

IPC(8): G06K9/62, G06N3/04, G06N3/08
CPC: G06N3/08, G06N3/045, G06F18/2415, G06F18/214
Inventor: 崔鹏, 周琳钧
Owner: TSINGHUA UNIV