Black-box attack defense system and method based on neural network middle layer regularization

Abstract

The invention relates to the field of artificial intelligence security, in particular to a black-box attack defense system based on the regularization of the middle layer of the neural network, including a first source model, a second source model and a third source model; The box attack defense method includes S1, inputting pictures into the first source model for white-box attack, outputting the first adversarial sample sequence, S2, inputting the first adversarial sample sequence into the second source model, and outputting the second adversarial sample sequence , S3, inputting the second adversarial sample sequence into the third source model for black-box attack, outputting the third recognition sample sequence, S4, inputting the third recognition sample sequence into the third source model for adversarial training, updating the third source model ; The adversarial samples generated by this algorithm have the characteristics of high transferability to the target model, and can also effectively defend the target model from being attacked through confrontation training.

Description

technical field [0001] The invention relates to the field of artificial intelligence security, in particular to a black-box attack defense system and method based on the regularization of the middle layer of a neural network. Background technique [0002] When a small perturbation is added to the image signal, and the perturbed image signal is input to the convolutional neural network for classification tasks, it will be misrecognized by the network. This technology is widely used in vehicle detection systems. Deceiving the vehicle detection system with a small disturbance will help to improve the robustness and robustness of the vehicle detection system; in the face recognition detection system, it will help to deceive the face recognition detection system It is used to test the robustness and security of the face recognition network; in the unmanned driving system, it is helpful to test the robustness of the object classification and target detection network in machine vis...

AI Technical Summary

Problems solved by technology

[0003] Now the more common attack methods are black-box attack and white-box attack. Black-box attack is divided into migration-based training replacement model attack method and decision-based multiple query estimation gradient attack method. The two methods are close to black-box After the model is substituted and estimated to be close to the gradient of the black-box model, the mainstream white-box attack method is used to attack. When training the substitute model, most of the former need to know the training data set of the attacked model, as well as the input and output of the model. There is a lot of information other than internal parameters, and this information, especially the training data set, is difficult to know in practical applications, or the number of acquisitions is limited, so the method of generating alternative models through the above methods is limited in many cases The latter is to query the input and output of the adversarial model multiple times and estimate the gradient. When the number of queries is large enough, the estimated gradient will be close to the real gradient of the adversarial model to obtain the decision boundary. However, the problem with this method is that when multiple queries bring At the same time, it cannot make progress in the black-box model that limits the number of queries, which seriously affects the efficiency of black-box attacks

Images