Black box aggressive defense system and method based on neural network interlayer regularization

Abstract

The invention relates to the field of artificial intelligence security, in particular to a black box aggressive defense system based on neural network interlayer regularization, which comprises a first source model, a second source model and a third source model, a black box aggressive defense method based on neural network interlayer regularization comprises the steps of S1, inputting a picture into a first source model for white box attack and outputting a first adversarial sample sequence, S2, inputting the first adversarial sample sequence into a second source model, outputting a second adversarial sample sequence, and S3, outputting a second adversarial sample sequence. and S3, inputting the second adversarial sample sequence into a third source model for black box attack, and outputting a third identification sample sequence, S4, inputting the third identification sample sequence into the third source model for adversarial training, and updating the third source model. An adversarial sample generated by using the algorithm has the characteristic of high mobility to a target model, and the target model can also be effectively defended from being attacked through adversarial training.

Description

technical field [0001] The invention relates to the field of artificial intelligence security, in particular to a black-box attack defense system and method based on the regularization of the middle layer of a neural network. Background technique [0002] When a small perturbation is added to the image signal, and the perturbed image signal is input to the convolutional neural network for classification tasks, it will be misrecognized by the network. This technology is widely used in vehicle detection systems. Deceiving the vehicle detection system with a small disturbance will help to improve the robustness and robustness of the vehicle detection system; in the face recognition detection system, it will help to deceive the face recognition detection system It is used to test the robustness and security of the face recognition network; in the unmanned driving system, it is helpful to test the robustness of the object classification and target detection network in machine vis...

AI Technical Summary

Problems solved by technology

[0003] Now the more common attack methods are black-box attack and white-box attack. Black-box attack is divided into migration-based training replacement model attack method and decision-based multiple query estimation gradient attack method. The two methods are close to black-box After the model is substituted and estimated to be close to the gradient of the black-box model, the mainstream white-box attack method is used to attack. When training the substitute model, most of the former need to know the training data set of the attacked model, as well as the input and output of the model. There is a lot of information other than internal parameters, and this information, especially the training data set, is difficult to know in practical applications, or the number of acquisitions is limited, so the method of generating alternative models through the above methods is limited in many cases The latter is to query the input and output of the adversarial model multiple times and estimate the gradient. When the number of queries is large enough, the estimated gradient will be close to the real gradient of the adversarial model to obtain the decision boundary. However, the problem with this method is that when multiple queries bring At the same time, it cannot make progress in the black-box model that limits the number of queries, which seriously affects the efficiency of black-box attacks

Images