Image confrontation sample generation method with rotation robustness in physical world

Abstract

The invention relates to an image confrontation sample generation method with rotation robustness in a physical world, and relates to the technical field of artificial intelligence security. The method mainly comprises the following steps: 1, initializing algorithm parameters and preprocessing an image to obtain a current confrontation sample; 2, rotating the current adversarial sample to obtain a rotated adversarial sample; 3, judging whether an iteration termination condition is met, if so, outputting a final confrontation sample and executing the step 7, otherwise, executing the step 4; 4, calculating a rotation invariant joint gradient matrix; 5, performing mean filtering on the rotation invariant joint gradient matrix; 6, updating the current confrontation sample, and returning to the step 23; and 7, testing by using the final confrontation sample in a real physical world, and observing confrontation attack effects at different rotation angles. The confrontation sample generated by the method has rotation robustness in the physical world, the problem that attack failure exists after the confrontation sample is rotated is solved, and the attack success rate is further improved.

Description

technical field [0001] The present invention relates to the technical field of artificial intelligence security, in particular to an image adversarial sample generation method with rotational robustness in the physical world. Background technique [0002] In the field of image recognition, the experimental results on some standard test sets show that the recognition ability of deep models has reached or even exceeded the level of human intelligence. While deep learning brings great convenience to people, it also has some security problems. For an abnormal input, whether the deep model can still obtain satisfactory results. The hidden security issues have gradually attracted attention, and many scholars have begun to pay attention to the anti-interference ability of the deep model. Among them, the adversarial sample refers to the sample that is misclassified and misidentified by the deep learning algorithm after the malicious attacker adds a small perturbation to the origina...

AI Technical Summary

Problems solved by technology

However, the disadvantage of this method is that this method can only process images in the digital world to generate image adversarial samples, and lacks the ability to generate image adversarial samples in the physical world

However, the disadvantage of this method is that the attack success rate of this method is relatively low after the image is added with the anti-perturbation after rotation.

Images