Model robustness detection method and device, equipment and medium
A detection method and robustness-related technology, applied in the computer field, which can solve problems such as defenses lacking pertinence against adversarial attacks and model judgments being interfered with by adversarial samples, and which achieves the effect of facilitating the assessment of a model's safety and reliability
Active Publication Date: 2022-04-29
BEIJING REALAI TECH CO LTD
AI-Extracted Technical Summary
Problems solved by technology
However, such a solution is not targeted against adversarial attacks, and the model's judgment will still be interfered with by ...
Abstract
The embodiment of the invention relates to the technical field of computers and provides a model robustness detection method, device, equipment and medium. The method comprises the steps of: obtaining a target image set which comprises at least one adversarial sample image; inputting at least one adversarial sample image into a target model to be attacked; obtaining an output result of the target model, wherein the output result comprises the similarity between the original sample image and each adversarial sample image of the input target image set; obtaining robustness detection data of the target model based on the output result and a preset similarity threshold of the target model; and determining a robustness diagnosis result of the target model according to the robustness detection data. The scheme can output an objective and accurate robustness diagnosis result for the target model, so that a user can quickly judge the security and reliability of the target model when facing an adversarial-sample attack.
Application Domain
Character and pattern recognition; Neural architectures
Technology Topic
Sample image; Engineering
Examples
- Experimental program(1)
Example Embodiment
[0029] In order to better understand the above purposes, features and advantages of the present application, the solution of the present application is further described below. It should be noted that, as long as there is no conflict, the embodiments of the present application and the features in the embodiments can be combined with each other.
[0030] Many specific details are set forth in the following description to facilitate a full understanding of the present application, but the present application can also be implemented in other ways different from those described herein; obviously, the embodiments in the specification are only a part of the embodiments of the present application, not all of them.
[0031] Deep neural networks are widely used in the field of computer vision to power deep learning models. Despite the continuous improvement of model performance, existing deep learning models are very unreliable when facing adversarial samples (i.e., inputs crafted with slight perturbations that mislead the neural network). This may seriously compromise system security. A growing body of research shows that adversarial attacks can have serious consequences in the physical world, and real-world scenarios may exceed laboratory expectations. For example, an adversarial facial patch generated with GenAP and then printed out can unlock a smartphone and cause a facial recognition system to err. Recognizing this increasingly serious security challenge, many regional, national and international institutions have issued guidelines to regulate the use of artificial intelligence technology and set standards for achieving technical robustness against security risks. This indicates that computer vision engineers, as users and builders of models, need to be made aware of the potential risks of adversarial attacks. However, in current practice, the detection and defense methods for reducing potential adversarial threats are mainly proposed by attack-and-defense algorithm engineers after the deep learning model has been deployed in a computer vision application, and computer vision engineers rarely participate in this process. Therefore, both enterprise departments and computer vision engineers have a need to evaluate the robustness of the models they use.
[0032] An evasion attack is the most common attack on the inference process of a machine learning model. It refers to designing or computing an input that would be correctly recognized by humans under normal conditions but is incorrectly classified by the model. A typical example is changing some pixels in a picture before uploading it so that the image recognition system can no longer classify it correctly. In practice, such an adversarial example remains recognizable to humans: noise is added to the original picture, yet the model outputs a recognition result quite different from that for the original picture; for example, an image of the Alps is recognized as an image of a dog, or, after an eyeglass frame is added to an image of user A, the image is recognized as another user B.
[0033] Against this background, in the security field, face recognition models are used to identify people. When facing the threat of adversarial samples, the mainstream solution is to increase the amount of collected data and expand the training set so as to improve the recognition accuracy of the model. However, such a solution is not targeted against adversarial attacks, and the model's judgment will still be disturbed by adversarial samples. The reason is that most CV engineers have no knowledge reserve or experience in the field of attack and defense, do not know how to deal with the threat of adversarial samples, and do not know from which aspects to evaluate the adversarial robustness of their own models. Therefore, CV engineers and relevant departments in the industry need a method to detect or evaluate the adversarial robustness of a model, to help them diagnose the robustness of the model, provide suggestions on model modification and improvement, and horizontally evaluate the security development of the industry.
[0034] Based on this, the embodiments of the present application provide a model robustness detection method, device, equipment and medium. The scheme inputs at least one adversarial sample image into a target model to be attacked, obtains and uses the output result of the target model, that is, the similarity between the original sample image and the adversarial sample image used to attack the target model, detects the robustness of the target model to obtain robustness detection data, and determines the robustness diagnosis result of the target model according to the robustness detection data of the attack behavior. The scheme can simulate and rehearse attacks against the target model, fill the gap in the detection and defense of adversarial attacks in the field of computer vision, and output objective and accurate robustness diagnosis results for the target model, making it convenient for users to quickly judge the security and reliability of the target model when facing adversarial-sample attacks. For ease of understanding, the embodiments of the present application are shown and described below.
[0035] The flow of the model robustness detection method provided by the embodiment of the present application is executed by an electronic device, such as a mobile phone, a computer, a server or another device. It should be noted that the embodiment of the present application only takes the model robustness detection method as an example to explain the application. In the embodiment of the present application, the electronic device can be connected with a projector and an image acquisition device respectively, and the picture of the electronic device is displayed on a holographic film through the projector. Figure 1 is a structural example diagram of attacking a target model with adversarial sample images based on holographic imaging, as provided by an embodiment of the present application. As shown in Figure 1, the electronic device 110 is connected with the projector 120 and the image acquisition device 130 respectively. Through the projector 120, the content displayed on the screen of the electronic device 110 can be displayed on the holographic film 140. After the electronic device 110 is connected with the projector 120, the focal length and distortion of the projector can be adjusted by staff so that the picture of the electronic device 110 is clearly displayed on the holographic film 140. When an adversarial perturbation is displayed on the screen of the electronic device 110 and a face appears on the other side of the holographic film 140, the image acquisition device 130 collects photos in the direction of the holographic film 140, and can capture the original image serving as the attack object and the adversarial image used to attack the original image, so as to carry out the attack behavior on the target model. The model robustness detection scenario shown in Figure 1 has the advantages of wide application range, easy convergence, easy debugging and easy detection. It can simulate and rehearse attacks on the target model, and output objective and accurate robustness diagnosis results for the target model.
[0036] It can be understood that the image acquisition device adopted in the embodiment of the present application can be an independent image acquisition device or a camera built into the electronic device. The present application only takes an image acquisition device independent of the electronic device as an example for explanation, and this is not a limitation of the present application.
[0037] In addition, the scheme provided by the embodiment of the present application relates to artificial intelligence (AI), natural language processing (NLP), machine learning (ML) and other technologies, which are described through the following embodiments:
[0038] Among them, AI is a theory, method, technology and application system that uses digital computers, or machines controlled by digital computers, to simulate, extend and expand human intelligence, perceive the environment, acquire knowledge and use knowledge to obtain optimal results. In other words, artificial intelligence is a comprehensive technology of computer science that attempts to understand the essence of intelligence and produce new intelligent machines that can respond in a way similar to human intelligence. Artificial intelligence studies the design principles and implementation methods of various intelligent machines, so that machines have the functions of perception, reasoning and decision-making.
[0039] AI technology is a comprehensive discipline involving a wide range of fields, including both hardware-level technology and software-level technology. Basic AI technologies generally include sensors, dedicated AI chips, cloud computing, distributed storage, big data processing technology, operation/interaction systems, mechatronics and other technologies. Artificial intelligence software technology mainly includes computer vision technology, speech processing technology, natural language processing technology and machine learning / deep learning.
[0040] NLP is an important direction in the fields of computer science and artificial intelligence. It studies the theories and methods that enable effective communication between humans and computers using natural language. Natural language processing is a science integrating linguistics, computer science and mathematics. Research in this field involves natural language, that is, the language people use every day, so it is closely related to the study of linguistics. Natural language processing technology usually includes text processing, semantic understanding, machine translation, question-answering robots, knowledge graphs and so on.
[0041] Figure 2 is a flow chart of the model robustness detection method provided by the embodiment of the present application, which is executed by an electronic device, such as a mobile phone, a computer, a server or another device. The method comprises the following steps:
[0042] In step S102, a target image set including at least one adversarial sample image is acquired.
[0043] In different tasks such as image recognition, image comparison and image tracking, the target image sets obtained are different. For example, in a face comparison task, the adversarial sample images in the target image set are images containing faces, and the faces contained usually belong to different objects. An adversarial sample image can be obtained by adding an imperceptible small perturbation to the original image, for example by adding masks, glasses or other occlusions to the face in the original image, or by adding a small noise perturbation invisible to the human eye to the original image. The adversarial sample image can cause the model to make a wrong judgment.
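For illustration only, the following is a minimal sketch of one common way such an imperceptible perturbation could be crafted (an FGSM-style signed-gradient step). The patent does not prescribe a specific generation algorithm; the model, loss, label tensor and epsilon below are assumptions.

```python
import torch

def make_adversarial_sample(model, original_image, true_label, epsilon=0.03):
    """Return a slightly perturbed copy of original_image intended to mislead model."""
    image = original_image.clone().detach().requires_grad_(True)
    logits = model(image.unsqueeze(0))                        # forward pass, batch of 1
    loss = torch.nn.functional.cross_entropy(logits, true_label.unsqueeze(0))
    loss.backward()                                           # gradient w.r.t. the input
    perturbation = epsilon * image.grad.sign()                # small signed step
    adversarial = (image + perturbation).clamp(0.0, 1.0)      # keep a valid pixel range
    return adversarial.detach()
```

In this sketch, epsilon bounds the perturbation so that it stays visually negligible while still being able to change the model's judgment.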
[0044] In step S104, at least one adversarial sample image is input into the target model to be attacked.
[0045] Taking the above face comparison task as an example, the target model can be a face comparison model. The input data of the target model includes the adversarial sample image, and the output data includes the similarity between the original sample image and the adversarial sample image; here, the original sample image is the image of the attack object, and the adversarial sample image is the image used to attack the original sample image.
[0046] In step S106, the output result of the target model is obtained.
[0047] The output result includes the similarity between the original sample image and each adversarial sample image input in the target image set.
[0048] In this embodiment, the similarity between the original sample image and each adversarial sample image of the target image set is calculated by the target model; that is, the adversarial sample image is used to attack the target model once, and the obtained similarity represents the matching degree, computed by the target model, between the original sample image and the adversarial sample image.
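As a minimal sketch of how a face comparison model might produce the similarity collected in this step, both images can be mapped to embeddings and scored with cosine similarity. The embedding network `embed` and the preprocessing are assumptions for illustration; the patent does not specify the internal scoring of the target model.

```python
import torch
import torch.nn.functional as F

def compare_faces(embed, original_image, adversarial_image):
    """Return the similarity the target model reports for the two input images."""
    with torch.no_grad():
        e_orig = embed(original_image.unsqueeze(0))            # embedding, shape (1, D)
        e_adv = embed(adversarial_image.unsqueeze(0))          # embedding, shape (1, D)
    return F.cosine_similarity(e_orig, e_adv, dim=1).item()    # scalar in [-1, 1]
```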
[0049] In step S108, the robustness detection data of the target model is obtained based on the output result and the preset similarity threshold of the target model.
[0050] This embodiment obtains the robustness detection data of the target model based on the similarity in the output result and the preset similarity threshold of the target model. The robustness detection data can include, but is not limited to: the actual similarity between the original sample image and the adversarial sample image, the recognition accuracy result, the attack success result and the time taken by the attack behavior. The similarity threshold is a characteristic value inherent to the target model.
[0051] In step S110, the robustness diagnosis result of the target model is determined according to the robustness detection data.
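The following is a minimal sketch that strings together steps S102 to S110. Only the step order follows the description above; `compare_faces` is the similarity sketch given earlier, and `record_detection_data` and `diagnose_robustness` are illustrative helpers, sketched after steps 1 to 3 and after paragraph [0069] below.

```python
def run_robustness_detection(target_model, original_image, adversarial_images,
                             similarity_threshold):
    # S102: the target image set contains at least one adversarial sample image
    detection_data = []
    for adversarial_image in adversarial_images:
        # S104/S106: input the adversarial sample and read back the output similarity
        similarity = compare_faces(target_model, original_image, adversarial_image)
        # S108: compare with the preset similarity threshold and record the outcome
        detection_data.append(record_detection_data(similarity, similarity_threshold))
    # S110: summarise the per-attack records into a robustness diagnosis result
    return diagnose_robustness(detection_data)
```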
[0052] The model robustness detection method provided by the embodiment of the present application uses the output result of the target model, that is, the similarity between the original sample image and the adversarial sample image used to attack the target model, to detect the robustness of the target model, obtains robustness detection data, and determines the robustness diagnosis result of the target model according to the robustness detection data of the attack behavior. The scheme can simulate and rehearse attacks against the target model, fill the gap in the detection and defense of adversarial attacks in the field of computer vision, and output objective and accurate robustness diagnosis results for the target model, making it convenient for users to quickly judge the security and reliability of the target model when facing adversarial-sample attacks.
[0053] For ease of understanding, the model robustness detection method provided by the embodiment of the present application is described in detail below.
[0054] In one embodiment, the target model to be attacked can be selected from a plurality of candidate models constructed in advance.
[0055] According to the target model and its task, such as face recognition, the original sample image serving as the attack object and the adversarial sample image used to attack the original sample image are obtained from the target image set. The original sample image and the adversarial sample image correspond to different user objects. As shown in Figure 3, the original sample image can be a female image with ID: 126457, and the adversarial sample image can be a male image with ID: 116822. The original sample image and the adversarial sample image can come from the same image set or from different image sets, which is not limited here.
[0056] Considering that the focus of model detection differs greatly across fields and users, in order to meet the personalized detection needs of different users and to broadly adapt to the robustness detection needs of models in more scenarios, another embodiment is provided here, which can offer users a customized diagnosis query to meet personalized diagnosis needs. It includes: in response to the user's upload operation for customized diagnosis, obtaining the target model to be attacked and the target image set uploaded by the user, and obtaining, from the target image set, the original sample image serving as the attack object and the adversarial sample image used to attack the original sample image.
[0057] In this embodiment, the target model, the original sample image and the adversarial sample image are obtained based on the user's upload operation, and the attack behavior based on them can meet the user's personalized diagnosis needs.
[0058] According to the above embodiment, after the original sample image and the adversarial sample image are obtained, the adversarial sample image is input into the target model to be attacked, and the output result of the target model is obtained. In one implementation of obtaining the output result of the target model, the calculation logic of the target model is first obtained; then a historical model matching the calculation logic of the target model is found from a preset historical diagnosis database; and then the output result of the target model is determined according to the historical output result of the historical model. The output result is the final diagnostic data of the target model; that is, the final diagnostic data of the target model is output in combination with the historical diagnostic data of the historical model (and a confidence is given).
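A minimal sketch of this historical-lookup implementation is given below: find a previously diagnosed model whose calculation logic matches the target model, and reuse its historical output together with a confidence. The record layout and the idea of matching on a stored description of the calculation logic are assumptions; the patent does not specify how the match is computed.

```python
def lookup_historical_output(target_model_logic, historical_diagnosis_db):
    """Return (historical_output, confidence), or (None, 0.0) when no match exists."""
    for record in historical_diagnosis_db:
        if record["calculation_logic"] == target_model_logic:   # match on stored logic
            return record["output_result"], record.get("confidence", 1.0)
    return None, 0.0
```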
[0059] In another implementation, referring to Figure 3, in the process of obtaining the output result of the target model, the attack area is first determined by selecting the region, the wearable items (such as glasses, masks and stickers) and the features (such as face, nose, mouth and eyes); then the target model calculates the similarity between the original sample image and the adversarial sample image at the attack area. This similarity, calculated after the target model is attacked, is used as the output result of the target model.
[0060] This embodiment provides a method for obtaining the robustness detection data of the target model based on the output result and the similarity threshold, which includes the following steps 1 to 3.
[0061] Step 1: if the similarity included in the output result is greater than the similarity threshold, first detection data is recorded. The first detection data includes at least one of the following: an erroneous recognition result, a recognition failure record, an attack success record and a first attack duration record.
[0062] Specifically, the similarity included in the output result is compared with the similarity threshold of the target model. The similarity threshold can be an inherent characteristic value of the target model, for example 0.28. If the similarity included in the output result is greater than the similarity threshold, it indicates that the adversarial sample image with which the product service party attacked the target model succeeded, so that when the target model recognizes the face corresponding to the original sample image, it recognizes the face as the adversarial sample image (i.e., the male with ID: 116822), whereas the female image with ID: 126457 should in fact have been output. The recognition is therefore erroneous, that is, the attack is successful. At this point, the first detection data corresponding to this attack can be recorded: the erroneous recognition result, the recognition failure record, the attack success record and the first attack duration record. It can be understood that the first detection data indicates that the robustness of the target model is mediocre, its security and reliability are poor, and it is easily attacked.
[0063] Step 2: if the similarity included in the output result is not greater than the similarity threshold, second detection data is recorded, which includes at least one of the following: a recognition success record, an attack failure record and a second attack duration record.
[0064] In contrast to step 1, if the similarity included in the output result is not greater than the similarity threshold, it indicates that the adversarial sample image with which the product service party attacked the target model failed, so that the target model resists the attack when recognizing the face corresponding to the original sample image and outputs an accurate recognition result. In this case the target model has good robustness and is not vulnerable to the attack.
[0065] Step 3: take the first detection data or the second detection data as the robustness detection data corresponding to the attack behavior.
[0066] Specifically, in a single attack, the first detection data or the second detection data is used as the robustness detection data of the attack according to the result of comparing the similarity included in the output result with the similarity threshold.
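A minimal sketch of steps 1 to 3 follows: compare the model's output similarity with its preset threshold and record either the first detection data (attack succeeded) or the second detection data (attack failed). The dictionary layout and the optional attack duration field are assumptions chosen for illustration.

```python
def record_detection_data(similarity, similarity_threshold, attack_duration=None):
    if similarity > similarity_threshold:
        # Step 1: first detection data -- the adversarial sample fooled the model
        return {
            "recognition_correct": False,         # erroneous recognition result
            "attack_succeeded": True,             # attack success record
            "attack_duration": attack_duration,   # first attack duration record
            "similarity": similarity,
        }
    # Step 2: second detection data -- the model resisted the attack
    return {
        "recognition_correct": True,              # recognition success record
        "attack_succeeded": False,                # attack failure record
        "attack_duration": attack_duration,       # second attack duration record
        "similarity": similarity,
    }
```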
[0067] By attacking the target model at least once in the above manner, at least one item of robustness detection data is obtained, and the robustness diagnosis result of the target model is determined. The implementation process is shown below.
[0068] (1) The robustness index of the target model is calculated according to the first detection data corresponding to at least one attack; the robustness index includes: recognition accuracy, attack success rate and/or attack success time information.
[0069] Specifically, the recognition accuracy is calculated from the proportion of the number of recognition failure records in the first detection data to the total number of attack behaviors, the attack success rate is calculated from the proportion of the number of attack success records to the total number of attack behaviors, and the attack success time information is obtained from the average duration of the first attack duration records across the plurality of items of first detection data.
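As a minimal sketch of these robustness indices, the per-attack records produced by `record_detection_data` above can be aggregated as follows. Treating the recognition accuracy as one minus the failure proportion is an interpretive assumption based on the description of this paragraph.

```python
def diagnose_robustness(detection_data):
    total_attacks = len(detection_data)
    if total_attacks == 0:
        return {}
    failures = sum(1 for r in detection_data if not r["recognition_correct"])
    successes = sum(1 for r in detection_data if r["attack_succeeded"])
    durations = [r["attack_duration"] for r in detection_data
                 if r["attack_succeeded"] and r["attack_duration"] is not None]
    return {
        "recognition_accuracy": 1.0 - failures / total_attacks,  # 1 - failure proportion
        "attack_success_rate": successes / total_attacks,
        "mean_attack_success_time": (sum(durations) / len(durations)
                                     if durations else None),
    }
```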
[0070] (2) According to the robustness index, the breakthrough difficulty coefficient of the target model is calculated.
[0071] (3) The first detection data, the second detection data, the robustness index and the breakthrough difficulty coefficient are processed and visually displayed to obtain the robustness diagnosis result.
[0072] The visually displayed robustness diagnosis results can refer to the examples provided in Figure 5, such as: the attack algorithm, the number of attacks and the attack task; the data involved in the attack behavior for different enterprise users: model name, data set name, model robustness, attack success rate and attack time; line charts for horizontal comparison of enterprise models in terms of adversarial robustness, recognition accuracy, breakthrough difficulty coefficient and data acquisition difficulty; and various radar charts of this product versus similar products, etc.
[0073] The model robustness detection method provided in the above embodiment can be applied to a variety of different scenarios, and robustness diagnosis can be carried out for a model with arbitrary requirements. On this basis, referring to Figure 6, the method provided in this embodiment can also include: in a preset simulated range environment, performing simulation diagnosis on the target model based on the model robustness detection method, to obtain a robustness diagnosis simulation result of the target model.
[0074] Specifically, when the model robustness detection method is implemented, in response to the user's upload operation for user-defined diagnosis, the target model to be attacked and the target image set uploaded by the user are obtained, and the original sample image serving as the attack object and the adversarial sample image used to attack the original sample image are obtained from the target image set; then at least one adversarial sample image is input into the target model to be attacked; the following output result of the target model is obtained: the similarity between the original sample image and the adversarial sample image input in the target image set; and the robustness detection data of the target model is obtained based on the output result and the preset similarity threshold of the target model.
[0075] For ease of understanding, examples of two possible range environments are provided below.
[0076] Example 1 simulates the range environment of a bank. Referring to Figure 7, in a bank identity recognition system, robustness detection of the face recognition model helps to prevent the model from being interfered with by adversarial samples, which would lead to recognition errors and financial risks. It can be used for the bank technical department's security self-improvement, analysis of the advantages of similar banking businesses, and so on. At present, some banking businesses operate through ID-card swiping plus face recognition, which means that if someone who is not the original owner of the ID card wears certain facial decorations or specially processed glasses, he may be recognized as the original owner of the ID card in front of the camera, resulting in a financial security incident. Therefore, simulation diagnosis of the robustness of the face recognition model through the method provided in this embodiment can prevent an attacker who launches an adversarial attack from being successfully matched as the original owner of an ID card that is not his own. In the process of use, the corresponding adversarial sample images are first generated according to the face data set and the target model provided by the bank under test; then the adversarial sample images and the original sample images in the face data set are used to detect the robustness of the target model; robustness detection data such as recognition accuracy, attack success rate and attack time are combined, and the robustness index and safety coefficient of the target model are calculated; finally, improvement directions and suggestions for the target model used by the bank under test are given, and several attack indicators before and after are compared.
[0077] Example 2 simulates the range environment of a taxi. Referring to Figure 8, detecting the robustness of the face recognition model used to identify the driver's identity helps to prevent the model from being interfered with by adversarial samples, which would lead to recognition errors and security risks caused by mistaken identification of the driver. It can be used for safety self-improvement of taxi enterprises, safety advantage analysis of competing products, and so on. The camera in the car recognizes the driver's face and detects whether it is the registered driver. Considering that the driver may upload an adversarial sample image in advance through gray-market means, or may wear facial decorations carrying another person's facial features during detection, a model that has not undergone robustness diagnosis will still conclude, after comparing the above input images, that the person is the registered driver even when he is not the one operating the vehicle. Therefore, the robustness of the face recognition model is simulation-diagnosed through the method provided in this embodiment to prevent an adversarial sample from being successfully matched with the registered driver's own photo; that is, after comparing the above input images, a target model that has undergone robustness diagnosis will conclude that the person is not the registered driver. In the process of use, the corresponding adversarial sample images are first generated according to the face data set and the model provided by the enterprise under test; then the adversarial sample images and the original sample images in the face data set are used to detect the robustness of the model; the robustness index of the model is calculated by integrating the recognition accuracy, the attack success rate and the time taken to break through; at the same time, according to historical analysis results, the strength of the adversarial robustness of similar taxi products is shown, and improvement directions and suggestions for the enterprise under test are given.
[0078] The user-oriented detection method of this example can be applied to both enterprises and individuals. Generally speaking, enterprise users develop their own solutions but do not understand the stability of the model and lack the ability to evaluate it. Individual users, for example an R&D engineer who has written a model, need a model diagnosis tool to continuously optimize the model, so as to deliver a more robust model.
[0079] The model robustness detection method provided by this embodiment does not require the person using the target model to be a technician; it can also serve an ordinary user without technical knowledge. Users usually only need to provide the target model to be detected, and they can then quickly and accurately obtain the robustness diagnosis result together with intuitive visual suggestions.
[0080] Referring to Figure 9, different implementation schemes of the model robustness detection method of the present application are provided here for enterprise users and individual users.
[0081] When facing individual users, first, according to the user's upload operation, the user-defined input data set and the user-uploaded target model are obtained, and the original sample image serving as the attack object and the adversarial sample image used to attack the original sample image are obtained from the data set. The target model is then attacked based on the adversarial sample image, that is, the similarity between the original sample image and the adversarial sample image is calculated by the target model to obtain the image similarity; based on the image similarity and the similarity threshold, the robustness detection data of the target model is obtained and the robustness of the above model is diagnosed. Finally, the robustness detection data such as key feature points, attack success time information and attack success rate are labeled, organized and visually displayed to obtain the robustness diagnosis result. Specifically, the robustness diagnosis result can refer to the example provided in Figure 4 and be displayed in the form of a report; it can include: the model name, the data set name, the model robustness before and after the attack, the key feature points, the confidence sequence and image similarity, the attack time and the attack success rate, etc.
[0082] When facing enterprise users, first, the robustness diagnosis result is obtained according to the model robustness detection method provided in the above embodiment. Then, the business models of different enterprise users can be compared horizontally, which is suitable for needs such as competing-product analysis and industry research reports. Specifically, based on the data of the current enterprise user, the attention given to each sample is adjusted, and targeted adversarial sample images are generated based on the different upload operations for user-defined diagnosis; a targeted attack on the target model is then carried out based on these adversarial sample images. The enterprise data can include the concerns, strengths, weaknesses and R&D direction distribution data of enterprise employees, professional data of R&D employees in their professional fields, historical data of the enterprise in its professional field, etc. The above enterprise data can be an enterprise portrait drawn in advance by the service party through crawling, or an enterprise portrait provided by the enterprise on its own initiative, which is not limited here.
[0083] In order to provide a better promotion effect for individual users and enterprise users, this embodiment provides several methods for horizontal comparison of robustness diagnosis results.
[0084] Referring to Figure 10, in one embodiment, first historical diagnosis data is obtained. The first historical diagnosis data includes the robustness diagnosis data of a plurality of reference models, where the robustness diagnosis data of each reference model is obtained by using the model robustness detection method or one of a plurality of model robustness diagnosis tools; the plurality of reference models (reference model 1, reference model 2, ..., reference model I) are models of the same type as, and of different sources from, the target model.
[0085] In the implementation process, the robustness diagnosis data of each reference model can be obtained by using the model robustness detection method provided in the present application, or by using a variety of model robustness diagnosis tools; for example, different reference models may use different model robustness diagnosis tools to obtain their respective robustness diagnosis data.
[0086] The robustness detection data of the target model is then compared horizontally with the first historical diagnosis data.
[0087] By horizontally comparing the robustness detection data of the target model with the first historical diagnosis data, this embodiment can display the differences between the diagnosis data produced by the model robustness detection method of the present application and that of other similar reference models.
[0088] Referring to Figure 11, in another embodiment, second historical diagnosis data is obtained, and the second historical diagnosis data includes the robustness diagnosis data of the target model diagnosed by a variety of model robustness diagnosis tools. The diagnosis methods adopted by these model robustness diagnosis tools are different from the model robustness detection method provided in the present application, and the tools are respectively: model robustness diagnosis tool 1, model robustness diagnosis tool 2, ..., model robustness diagnosis tool I.
[0089] The robustness detection data of the target model is then compared horizontally with the second historical diagnosis data.
[0090] For the same target model, this embodiment horizontally compares the diagnosis data obtained with different diagnosis methods, and can display the diagnosis differences between the model robustness detection method provided in this application and other similar diagnosis tools on the target model. On this basis, it can more intuitively reflect the advantages of the model robustness detection method of this application over other similar diagnosis tools. For example, referring to Figure 5, a multidimensional radar chart compares this product (i.e., the model robustness detection method of this application) with similar products (i.e., other similar diagnosis tools) in terms of data acquisition speed, richness of diagnostic information, algorithm running time and diagnosis cycle. The multidimensional radar chart intuitively shows that this product has obvious advantages in data acquisition speed and richness of diagnostic information, while remaining at the same level as similar products in algorithm running time and diagnosis cycle.
[0091] To sum up, the model robustness detection method provided by the embodiment of the present application can, on the one hand, fill the gap whereby the field of computer vision currently focuses on business indicators such as model accuracy and recall while lacking detection of and defense against adversarial attacks, thereby greatly improving the security of large-scale model applications and reducing incidents affecting personal safety, financial security and the like. On the other hand, the scheme can simulate and rehearse attacks on the target model and output objective and accurate robustness diagnosis results for the target model, making it convenient for users to quickly judge the security and reliability of the target model in the face of adversarial-sample attacks.
[0092] Referring to Figure 12, the embodiment of the present application also provides a model robustness detection device for implementing the above model robustness detection method, which comprises the following modules:
[0093] an input and output module 1202 for acquiring a target image set, the target image set including at least one adversarial sample image;
[0094] a processing module 1204 for inputting at least one of the adversarial sample images into the target model to be attacked; obtaining an output result of the target model, the output result including the similarity between the original sample image and each adversarial sample image input in the target image set; obtaining the robustness detection data of the target model based on the output result and the preset similarity threshold of the target model; and determining the robustness diagnosis result of the target model according to the robustness detection data.
[0095] In addition, the above model robustness detection device can also include a display module (not shown in the figure), which is used to display the robustness diagnosis result of the target model.
[0096] In some embodiments, the processing module 1204 is specifically used to:
[0097] if the similarity included in the output result is greater than the similarity threshold, record first detection data, the first detection data including at least one of the following: an erroneous recognition result, a recognition failure record, an attack success record and a first attack duration record; if the similarity included in the output result is not greater than the similarity threshold, record second detection data, the second detection data including at least one of the following: a recognition success record, an attack failure record and a second attack duration record; and take the first detection data or the second detection data as the robustness detection data corresponding to the attack behavior.
[0098] In some embodiments, the processing module 1204 is specifically used to:
[0099] calculate the robustness index of the target model according to the first detection data corresponding to at least one attack behavior, the robustness index including: recognition accuracy, attack success rate and/or attack success time information; calculate the breakthrough difficulty coefficient of the target model according to the robustness index; and perform data processing and visual display on multiple items among the first detection data, the second detection data, the robustness index and the breakthrough difficulty coefficient to obtain the robustness diagnosis result.
[0100] In some embodiments, the above processing module 1204 is also used to:
[0101] acquire first historical diagnosis data, the first historical diagnosis data including the robustness diagnosis data of a plurality of reference models, where the robustness diagnosis data of each reference model is obtained by using the model robustness detection method or one of a plurality of model robustness diagnosis tools, and the plurality of reference models are models of the same type as, and of different sources from, the target model; and horizontally compare the robustness detection data of the target model with the first historical diagnosis data.
[0102] In some embodiments, the above processing module 1204 is also used to:
[0103] acquire second historical diagnosis data, which includes the robustness diagnosis data of the target model diagnosed by a variety of model robustness diagnosis tools; and horizontally compare the robustness detection data of the target model with the second historical diagnosis data.
[0104] In some embodiments, the above processing module 1204 is also used to perform simulation diagnosis on the target model based on the model robustness detection method in a preset simulated range environment, and obtain the robustness diagnosis simulation result of the target model.
[0105] In some embodiments, the above processing module 1204 is specifically used for:
[0106] obtain the calculation logic of the target model; find a historical model matching the calculation logic of the target model from a preset historical diagnosis database; and determine the output result of the target model according to the historical output result of the historical model.
[0107] In some embodiments, the input and output module 1202 is also used to obtain the target model to be attacked and the target image set uploaded by the user in response to the user's upload operation for custom diagnosis, and to obtain, from the target image set, the original sample image serving as the attack object and the adversarial sample image used to attack the original sample image.
[0108] The implementation principle and technical effect of the device provided in this embodiment are the same as those of the above method embodiment. For brevity, anything not mentioned in the device embodiment may be found in the corresponding contents of the above method embodiment.
[0109] Figure 13 is a structural diagram of an electronic device provided by the embodiment of the present application. As shown in Figure 13, the electronic device 1300 includes one or more processors 1301 and a memory 1302.
[0110] The processor 1301 may be a central processing unit (CPU) or another form of processing unit with data processing capability and/or instruction execution capability, and may control other components in the electronic device 1300 to perform desired functions.
[0111] The memory 1302 may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or nonvolatile memory. The volatile memory may include, for example, random access memory (RAM) and/or cache memory (cache). The nonvolatile memory may include, for example, read-only memory (ROM), a hard disk, flash memory, and the like. One or more computer program instructions may be stored on the computer-readable storage medium, and the processor 1301 may run the program instructions to realize the model robustness detection method of the embodiment of the present application described above and/or other desired functions. Various contents such as input signals, signal components, noise components and the like can also be stored in the computer-readable storage medium.
[0112] In one example, the electronic device 1300 may also include an input device 1303 and an output device 1304, which are interconnected by a bus system and / or other forms of connection mechanism (not shown).
[0113] In addition, the input device 1303 may also include, for example, a keyboard, a mouse, and the like.
[0114] The output device 1304 can output various information to the outside, including determined distance information, direction information, etc. The output device 1304 may include, for example, a display, a speaker, a printer, and a communication network with the remote output devices connected to it, and the like.
[0115] Of course, for simplicity, only some of the components of the electronic device 1300 related to the present application are shown in Figure 13, and components such as the bus and the input/output interface are omitted. In addition, the electronic device 1300 may include any other appropriate components according to the specific application.
[0116] Further, this embodiment also provides a computer-readable storage medium which stores a computer program for executing the above model robustness detection method.
[0117] The computer program product of the model robustness detection method, device, electronic device and medium provided by the embodiment of the present application includes a computer-readable storage medium storing program code. The instructions included in the program code can be used to execute the method described in the foregoing method embodiment. For the specific implementation, please refer to the method embodiment, which will not be repeated here.
[0118] It should be noted that, in this document, relational terms such as "first" and "second" are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variation thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements, but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further restrictions, an element defined by the statement "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
[0119] The above are only specific embodiments of the present application, enabling those skilled in the art to understand or implement the present application. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not limited to the embodiments described herein, but conforms to the widest scope consistent with the principles and novel features disclosed herein.