Image class adversarial sample identification method and detector based on third-order cascade detector
By constructing an image-based adversarial example recognition method based on a three-level sequential detector, and utilizing the key path and statistical property differences of deep neural networks, the shortcomings of existing detectors in generalization and robustness are addressed, achieving high-precision recognition of adversarial examples and resistance to unknown attacks.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- ZHEJIANG UNIV OF TECH
- Filing Date
- 2022-11-27
- Publication Date
- 2026-06-12
Figure CN115830376B_ABST (abstract drawing)
Abstract
Description
Technical Field
[0001] This invention relates to the technical field of computation, calculation, or counting, and in particular to an image-based adversarial sample recognition method and detector based on a three-level sequential detector.
Background Technology
[0002] In recent years, deep neural networks have been widely and deeply applied in many challenging tasks such as face / object recognition, image classification, and autonomous driving, outperforming traditional machine learning methods and even human performance.
[0003] However, due to the lack of interpretability and the absence of clearly defined decision boundaries, deep neural networks are vulnerable to a wide range of attacks, including poisoning, evasion, backdoor, and model inversion attacks. Evasion attacks (also known as adversarial attacks), among the most damaging, involve an attacker adding subtle, imperceptible perturbations to the pixels of input samples to create adversarial examples for their own purposes. Compared with the original natural samples these alterations are often invisible to the naked eye, yet they can mislead the classifier into making highly confident but incorrect predictions. The existence of adversarial examples poses significant security risks to deep learning in fields such as finance and autonomous driving. Therefore, identifying and detecting such adversarial examples is a key issue of current industry focus.
[0004] To achieve these goals, researchers have made numerous attempts. A commonly used strategy is to construct detectors based on the inherent characteristics of the samples. This involves analyzing the differences in inherent statistical properties between normal and adversarial samples, including but not limited to differences in sample distance, kernel density, and local intrinsic dimension. While this strategy can effectively distinguish between normal and adversarial samples once a high-quality statistical metric is defined, the uncertainty of detection increases with the proliferation of adversarial attack methods: a detector performs well against some attacks but poorly against others. Furthermore, this strategy is highly sensitive to the confidence parameters used when the attack is deployed and is susceptible to the influence of unknown adversarial samples. Another detection method, based on model parameters, extracts important parameters of the samples within the model, such as neuron activation values or importance information, by training on a large number of normal and adversarial samples, and constructs a detector from them. However, existing methods are insufficient in terms of detector generalization and robustness, and struggle to balance accuracy and complexity during detection.
Summary of the Invention
[0005] To overcome the shortcomings of existing methods in terms of detector generalization and robustness, this invention proposes an image-based adversarial sample identification method and detector based on a three-stage cascaded detector. It achieves the identification of different image-based adversarial samples by extracting the key paths of corresponding input samples and constructing related three-stage cascaded detectors. Leveraging the strong aggregation ability of graph neural networks in graph feature extraction and the low false recognition rate and high robustness of cascaded detectors, the key paths in the deep neural network are constructed into a graph form as input for identification. By cascading multiple detectors, the detection effect against unknown attack methods is enhanced, and the problem of attackers simultaneously mastering the internal parameters of both the neural network classifier and the detector, thus attacking both the detector and the neural network classifier together and causing identification failure, is solved.
[0006] The technical solution adopted by this invention to solve its technical problem is an image adversarial sample recognition method based on a three-stage cascaded detector. The method reads and parses the parameters of a pre-trained deep neural network model, such as a convolutional neural network, extracts the key path of the deep neural network model, constructs a three-stage cascaded detector based on normal samples and adversarial samples, and combines the three-stage cascaded detector according to a cascaded strategy to complete the detection and recognition of adversarial samples.
[0007] Preferably, extracting the critical path of a deep neural network model includes the following steps:
[0008] Step 1.1: For k attack methods, randomly select a specified proportion of normal samples from the normal sample set and construct k sets of adversarial samples. Merge these into k normal sample sets and k corresponding adversarial sample sets. Divide each normal sample set and adversarial sample set into a training set and a test set according to a preset ratio, such as 8:2, and label them D_i and D′_i, where i is the group index, i = 1, 2, 3, ..., k, and k is a positive integer; D_ij and D′_ij denote the j-th sample drawn from the i-th training set and from the i-th set to be tested, respectively, where j = 1, 2, 3, ..., n and n is the number of samples in that set;
[0009] Step 1.2: For D_ij and D′_ij, quantify the importance of each neuron in M using the layer-wise relevance propagation algorithm, and extract the corresponding critical paths.
[0010] Preferably, step 1.2 includes the following steps:
[0011] Step 1.2.1: Feed D_ij and D′_ij into the deep neural network model M, and directly extract each neuron's activation level a and network weight w, together with the confidence cf of the predicted class; the network weights w are determined by the training of M.
[0012] Step 1.2.2: Based on a and w, starting from the output of the last fully connected layer before the softmax layer of M, importance backpropagation is performed using the layer importance conservation law shown in Equation (1) to obtain the importance information of each neuron.
[0013]
[0014] Here a_u represents the activation level of the u-th neuron, w_uv represents the weight connecting the u-th and v-th neurons, sR_u represents the importance value of the u-th neuron in the preceding layer of an adjacent layer pair, pR_v represents the importance value of the v-th neuron in the following layer of the pair, ε is used to enhance saliency, ε ∈ [0, 1], such as 0.5, U is the number of neurons in the preceding layer of the pair, and V is the number of neurons in the following layer of the pair.
[0015] Step 1.2.3: For each D_ij and D′_ij, select a certain percentage, such as 30%, of the most important nodes in each layer of M as the key nodes of that layer; in the last fully connected layer, only the most important neuron is selected as the key node of that layer. Then connect the key nodes that are connected between adjacent layers to form the key path in M for the current sample.
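The following is an added example, not code from the patent: it runs steps 1.2.1 to 1.2.3 on a constructed four-input, three-hidden, two-class fully connected network. Because equation (1) is not reproduced on the page, the importance rule used here is the standard LRP-epsilon rule written in the quantities the text names (a_u, w_uv, sR_u, pR_v, ε, U, V); that rule, the ReLU hidden layers, the 30% ratio and the toy weights are all assumptions of the example.

```python
# Added example (not the patent's own code): LRP-epsilon importance
# backpropagation on a tiny fully connected network, then key-node selection
# and key-path construction (steps 1.2.1 to 1.2.3).  Equation (1) is not
# reproduced on the page, so the epsilon rule below is an assumption that
# uses the quantities the text names: a_u, w_uv, sR_u, pR_v, eps, U, V.
from typing import List, Tuple

Matrix = List[List[float]]  # weights[l][u][v]: neuron u of layer l -> neuron v of layer l+1

# Constructed toy network: 4 inputs, 3 hidden neurons, 2 output classes.
SAMPLE_WEIGHTS: List[Matrix] = [
    [[1.0, 0.0, -1.0], [0.5, 1.0, 0.0], [0.0, 0.5, 1.0], [-1.0, 0.0, 0.5]],
    [[1.0, -1.0], [0.5, 0.5], [-1.0, 1.0]],
]
SAMPLE_X = [1.0, 2.0, 0.0, 0.5]  # constructed "pixel" vector


def forward(x: List[float], weights: List[Matrix]) -> List[List[float]]:
    """Activation level a of every neuron, layer by layer (input layer first).
    Hidden layers use ReLU; the last fully connected layer stays linear."""
    acts = [list(x)]
    for li, w in enumerate(weights):
        prev = acts[-1]
        out = [sum(prev[u] * w[u][v] for u in range(len(prev))) for v in range(len(w[0]))]
        if li < len(weights) - 1:
            out = [max(o, 0.0) for o in out]
        acts.append(out)
    return acts


def lrp_epsilon(acts: List[List[float]], weights: List[Matrix], eps: float = 0.5):
    """Step 1.2.2: start at the predicted class of the last fully connected layer
    and push importance back one layer pair at a time.  Assumed rule:
        sR_u = sum_v a_u * w_uv / (z_v + eps * sign(z_v)) * pR_v,  z_v = sum_u a_u * w_uv
    The eps term damps tiny denominators (the "saliency" control in the text);
    importance is conserved between layers up to the share absorbed by eps."""
    logits = acts[-1]
    pred = max(range(len(logits)), key=lambda c: logits[c])
    relevances = [[logits[c] if c == pred else 0.0 for c in range(len(logits))]]
    for li in range(len(weights) - 1, -1, -1):
        a, w, pr = acts[li], weights[li], relevances[0]
        U, V = len(a), len(pr)
        z = [sum(a[u] * w[u][v] for u in range(U)) for v in range(V)]
        sr = []
        for u in range(U):
            total = 0.0
            for v in range(V):
                denom = z[v] + eps * (1.0 if z[v] >= 0.0 else -1.0)
                total += a[u] * w[u][v] / denom * pr[v]
            sr.append(total)
        relevances.insert(0, sr)
    return pred, relevances  # relevances[l][u] = importance of neuron u in layer l


def key_nodes(relevances: List[List[float]], ratio: float = 0.3) -> List[List[int]]:
    """Step 1.2.3: top `ratio` of neurons per layer (at least one); in the last
    fully connected layer only the single most important neuron is kept."""
    nodes = []
    for li, r in enumerate(relevances):
        order = sorted(range(len(r)), key=lambda i: r[i], reverse=True)
        keep = 1 if li == len(relevances) - 1 else max(1, round(len(r) * ratio))
        nodes.append(sorted(order[:keep]))
    return nodes


def key_path(nodes: List[List[int]], weights: List[Matrix]) -> List[Tuple[int, int, int, int]]:
    """Connect key nodes of adjacent layers that share a non-zero weight.
    Each edge is (layer_u, u, layer_v, v)."""
    edges = []
    for li in range(len(weights)):
        for u in nodes[li]:
            for v in nodes[li + 1]:
                if weights[li][u][v] != 0.0:
                    edges.append((li, u, li + 1, v))
    return edges


def extract_key_path(x: List[float], weights: List[Matrix], eps: float = 0.5, ratio: float = 0.3):
    """Whole of step 1.2 for one sample: (predicted class, importances, key nodes, key path)."""
    acts = forward(x, weights)
    pred, rel = lrp_epsilon(acts, weights, eps)
    nodes = key_nodes(rel, ratio)
    return pred, rel, nodes, key_path(nodes, weights)


if __name__ == "__main__":
    pred, rel, nodes, edges = extract_key_path(SAMPLE_X, SAMPLE_WEIGHTS)
    print("predicted class:", pred)
    for li, r in enumerate(rel):
        print(f"layer {li} importance:", [round(v, 4) for v in r], "key nodes:", nodes[li])
    print("key path edges:", edges)
```

Layer 0 is the input (pixel) layer, so its key nodes are the pixels that carried the most importance; a practitioner comparing a clean sample with its perturbed counterpart would look first at whether the key path still reaches the same hidden and output neurons.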
[0016] Preferably, the three-stage sequential detector comprises:
[0017] The first detector is constructed based on the significant differences in the point distribution of normal samples and adversarial samples after dimensionality reduction by principal component analysis;
[0018] The second detector is constructed based on the significant difference in the dispersion of neuron importance between normal samples and adversarial samples in a deep neural network model;
[0019] The third detector is constructed based on the significant differences between normal samples and adversarial samples in the critical path of a deep neural network model.
[0020] Preferably, the construction of the first detector and the identification of adversarial examples include the following steps:
[0021] Step 2.1: Apply principal component analysis to the samples of training set D_i to flatten them and reduce their dimensionality, and label the result P_i; the j-th sample of training set D_i corresponds to the point P_ij after dimensionality reduction. Specifically, the j-th sample D_ij drawn from the training set, a multidimensional data matrix, is flattened into a 1×H matrix (where H is the total number of pixels in the sample) and then reduced to 2-D feature data, which is treated as a point P_ij in a Cartesian coordinate system;
[0022] Step 2.2: Initialize the distance threshold DS, which is obtained by iterative calculation over the training samples. Compute the Euclidean distance between every pair of elements in P_i. For P_ij, take the remaining points of P_i whose distance to P_ij is less than the threshold DS as the points within the neighborhood of P_ij, and count the number of points in that neighborhood that belong to the normal sample set and to the adversarial sample set, denoted a and b respectively.
[0023] Step 2.3: Initialize the proportional threshold PS and evaluate equations (2) and (3):
[0024] a>(a+b)×PS (2)
[0025] b>(a+b)×PS (3)
[0026] If a and b satisfy equation (2), D_ij is determined to be a normal sample; if they satisfy equation (3), D_ij is determined to be an adversarial example;
[0027] Step 2.4: Train and calculate the optimal DS and PS through steps 2.2 and 2.3. Here, optimal means a trade-off between accuracy and recognition rate. This is something that those skilled in the art can easily understand. Those skilled in the art can choose the optimal distance threshold and ratio threshold based on their needs.
[0028] Step 2.5: Using the methods of steps 2.1 to 2.3 and the trained DS and PS, detect the category of each sample D′_ij in the test sample set D′_i; if D′_ij satisfies neither equation (2) nor equation (3), it is denoted RM′_ij and passed to the subsequent detectors of the three-stage cascaded detector.
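An added example, not the patent's code, of steps 2.2 to 2.5: neighbourhood counting with DS, the two proportional tests of equations (2) and (3), a leave-one-out grid search standing in for the threshold training of step 2.4, and the hand-off of undecided test points. The input points are constructed and assumed to already be the 2-D PCA coordinates P_i of step 2.1; the grid-search policy (maximise the decided fraction subject to a minimum accuracy) is the example's own reading of the accuracy/recognition-rate trade-off.

```python
# Added example (not the patent's own code): the neighbourhood-voting detector
# of steps 2.2 to 2.5, on constructed points that are assumed to already be the
# 2-D PCA coordinates P_i of step 2.1.  Labels: 0 = normal, 1 = adversarial.
import math
from itertools import product
from typing import List, Optional, Tuple

Point = Tuple[float, float]
NORMAL, ADV = 0, 1

# Constructed training points P_i: a tight normal cluster and a tight adversarial cluster.
TRAIN_POINTS: List[Point] = [(0.0, 0.0), (0.2, 0.1), (-0.1, 0.3), (0.3, -0.2),
                             (3.0, 3.0), (3.2, 2.9), (2.8, 3.1), (3.1, 3.3)]
TRAIN_LABELS = [NORMAL] * 4 + [ADV] * 4


def neighbour_counts(p: Point, points: List[Point], labels: List[int], ds: float,
                     skip: Optional[int] = None) -> Tuple[int, int]:
    """Step 2.2: a = normal points and b = adversarial points closer than DS to p.
    `skip` excludes the point's own index when scoring the training set."""
    a = b = 0
    for j, (q, lab) in enumerate(zip(points, labels)):
        if j == skip:
            continue
        if math.hypot(p[0] - q[0], p[1] - q[1]) < ds:
            if lab == NORMAL:
                a += 1
            else:
                b += 1
    return a, b


def decide(a: int, b: int, ps: float) -> Optional[int]:
    """Step 2.3: equation (2) -> normal, equation (3) -> adversarial, else undecided.
    With PS > 0.5 the two conditions cannot both hold; with no neighbours at all
    (a = b = 0) neither holds, so an isolated point is always passed on."""
    if a > (a + b) * ps:
        return NORMAL
    if b > (a + b) * ps:
        return ADV
    return None


def score(points: List[Point], labels: List[int], ds: float, ps: float) -> Tuple[float, float]:
    """Leave-one-out accuracy on decided points and the decided fraction (coverage)."""
    decided = correct = 0
    for i, p in enumerate(points):
        verdict = decide(*neighbour_counts(p, points, labels, ds, skip=i), ps)
        if verdict is not None:
            decided += 1
            correct += int(verdict == labels[i])
    acc = correct / decided if decided else 0.0
    return acc, decided / len(points)


def fit_thresholds(points, labels, ds_grid, ps_grid, min_acc: float = 0.95):
    """Step 2.4 (assumed policy for the accuracy / recognition-rate trade-off):
    among (DS, PS) pairs whose accuracy on decided points is at least min_acc,
    take the pair that decides the most points; ties keep the earlier pair."""
    best = None
    for ds, ps in product(ds_grid, ps_grid):
        acc, cov = score(points, labels, ds, ps)
        if acc >= min_acc and (best is None or cov > best["coverage"]):
            best = {"ds": ds, "ps": ps, "accuracy": acc, "coverage": cov}
    return best


def first_detector(p: Point, train_points, train_labels, ds: float, ps: float) -> Optional[int]:
    """Step 2.5: classify a test point; None means RM'_ij, handed to detector two."""
    return decide(*neighbour_counts(p, train_points, train_labels, ds), ps)


if __name__ == "__main__":
    fitted = fit_thresholds(TRAIN_POINTS, TRAIN_LABELS, [0.5, 1.0, 2.0, 5.0], [0.6, 0.8])
    print("fitted thresholds:", fitted)
    for test in [(0.1, 0.1), (3.0, 3.1), (1.5, 1.5)]:
        print(test, "->", first_detector(test, TRAIN_POINTS, TRAIN_LABELS, fitted["ds"], fitted["ps"]))
```

A DS that is too large makes every point's neighbourhood contain both clusters, so no point passes either proportional test and the whole set falls through to the next detector; the grid search in the example rejects such settings because their coverage is zero.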
[0029] Preferably, the construction of the second detector and the identification of adversarial examples include the following steps:
[0030] Step 3.1: For RM′_ij, sort the importance of the neurons in each layer of the deep neural network model M from largest to smallest, and extract the lower quartile Q1 and the upper quartile Q3.
[0031] Step 3.2: Using equation (4), calculate the average interquartile range (IQR) of the normal sample set and of the adversarial sample set of D_i in the l-th layer of the deep neural network model M, respectively.
[0032] IQR = Q3 - Q1 (4)
[0033] Let the IQR of the normal sample set and of the adversarial sample set at layer l be denoted ... respectively, and let the IQR of the current sample RM′_ij at layer l be its dispersion at that layer, l = 1, 2, ..., L, where L is the total number of layers in the deep neural network model M;
[0034] Step 3.3: For RM′_ij, calculate the confidence with which each layer of M belongs to the normal samples and to the adversarial samples, using equations (5) to (8).
[0035]
[0036]
[0037]
[0038]
[0039] If layer l of M is a convolutional layer, the confidence of RM′_ij belonging to normal samples and to adversarial samples at this layer, c_n1(l) and c_a1(l), is calculated using equations (5) and (7) respectively;
[0040] If layer l of M is a linear layer, the confidence of RM′_ij belonging to normal samples and to adversarial samples at this layer, c_n2(l) and c_a2(l), is calculated using equations (6) and (8) respectively;
[0041] Step 3.4: Calculate the average layer confidence of RM′_ij belonging to normal samples and to adversarial samples, C_n and C_a, using equations (9) and (10) respectively,
[0042]
[0043]
[0044] Step 3.5: Set the layer average confidence threshold to QS;
[0045] If C_n is greater than or equal to QS, the sample is determined to be a normal sample.
[0046] If C_a is greater than or equal to QS, the sample is determined to be an adversarial sample.
[0047] If neither of the above two conditions is met, the sample is denoted RM″_ij and passed to the subsequent detector of the three-stage cascaded detector.
[0048] Preferably, Q1 is the 25th percentile and Q3 is the 75th percentile, that is, the values at the 75th and 25th positions respectively when the array is ranked in descending order.
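An added example, not the patent's code, of steps 3.1 to 3.5 on constructed per-layer neuron-importance values. Equations (5) to (10) are not reproduced on the page, so the per-layer confidence is an assumed rule of the example (each layer votes for whichever reference IQR, normal or adversarial, the sample's IQR lies closer to, and the confidences are averaged over layers); the separate convolutional and linear formulas of the text are collapsed into that single rule. The quartile computation and the three outcomes, including the undecided hand-off to the third detector, follow the text.

```python
# Added example (not the patent's own code): the neuron-importance dispersion
# detector of steps 3.1 to 3.5.  Equations (5) to (10) are not reproduced on
# the page, so the per-layer confidence below is an assumption: a layer votes
# for whichever reference IQR (normal or adversarial) the sample's IQR is
# closer to, and the page's separate convolutional/linear formulas are
# collapsed into this single rule.  All importance values are constructed.
from typing import List, Optional, Tuple

Layers = List[List[float]]  # per-layer neuron importance values of one sample

# Constructed training importances D_i: normals are tightly spread, adversarials widely.
NORMAL_TRAIN: List[Layers] = [
    [[1, 2, 3, 4, 5], [2, 3, 4, 5, 6], [0, 1, 2, 3, 4]],
    [[1, 2, 3, 4, 6], [2, 3, 4, 5, 7], [0, 1, 2, 3, 5]],
]
ADV_TRAIN: List[Layers] = [
    [[0, 2, 5, 8, 12], [0, 3, 6, 9, 12], [1, 2, 5, 9, 13]],
    [[0, 2, 5, 8, 11], [0, 3, 6, 9, 13], [1, 2, 5, 9, 14]],
]


def percentile(values: List[float], p: float) -> float:
    """Linearly interpolated percentile of an ascending sort.  The page sorts
    descending and reads Q1 at the 75% position; that yields the same number."""
    s = sorted(values)
    pos = p * (len(s) - 1)
    lo, hi = int(pos), min(int(pos) + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def iqr(values: List[float]) -> float:
    """Equation (4): IQR = Q3 - Q1 (step 3.1 applied to one layer)."""
    return percentile(values, 0.75) - percentile(values, 0.25)


def reference_iqrs(samples: List[Layers]) -> List[float]:
    """Step 3.2: average IQR per layer over a training sample set."""
    n_layers = len(samples[0])
    return [sum(iqr(s[l]) for s in samples) / len(samples) for l in range(n_layers)]


def layer_confidences(sample: Layers, ref_n: List[float], ref_a: List[float]) -> List[Tuple[float, float]]:
    """Step 3.3 (assumed form): (c_n(l), c_a(l)) from the distances of the
    sample's layer IQR to the normal and adversarial reference IQRs."""
    out = []
    for l, layer in enumerate(sample):
        q = iqr(layer)
        d_n, d_a = abs(q - ref_n[l]), abs(q - ref_a[l])
        if d_n + d_a == 0.0:
            out.append((0.5, 0.5))
        else:
            out.append((d_a / (d_n + d_a), d_n / (d_n + d_a)))
    return out


def second_detector(sample: Layers, ref_n: List[float], ref_a: List[float],
                    qs: float) -> Tuple[Optional[str], float, float]:
    """Steps 3.4 and 3.5: average the layer confidences into (C_n, C_a) and
    compare with QS.  None means the sample becomes RM''_ij for detector three."""
    confs = layer_confidences(sample, ref_n, ref_a)
    c_n = sum(c[0] for c in confs) / len(confs)
    c_a = sum(c[1] for c in confs) / len(confs)
    if c_n >= qs:
        return "normal", c_n, c_a
    if c_a >= qs:
        return "adversarial", c_n, c_a
    return None, c_n, c_a


# Constructed samples RM'_ij that reached this stage.
TEST_NORMAL: Layers = [[1, 2, 3, 4, 5], [2, 3, 4, 6, 6], [0, 1, 2, 3, 5]]
TEST_ADV: Layers = [[0, 2, 5, 8, 12], [0, 3, 6, 9, 12], [1, 2, 5, 9, 13]]
TEST_AMBIGUOUS: Layers = [[0, 2, 4, 6, 8], [1, 2, 4, 6, 10], [0, 2, 4, 6.5, 9]]

if __name__ == "__main__":
    ref_n, ref_a = reference_iqrs(NORMAL_TRAIN), reference_iqrs(ADV_TRAIN)
    print("reference IQRs  normal:", ref_n, " adversarial:", ref_a)
    for name, s in [("normal", TEST_NORMAL), ("adversarial", TEST_ADV), ("ambiguous", TEST_AMBIGUOUS)]:
        print(name, "->", second_detector(s, ref_n, ref_a, qs=0.8))
```

The ambiguous sample sits halfway between the two reference dispersions, so both average confidences stay at 0.5, below QS; that is exactly the case the cascade forwards to the graph-based third detector instead of forcing a verdict.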
[0049] Preferably, the construction of the third detector and the identification of adversarial examples include the following steps:
[0050] Step 4.1: Using D_ij and RM″_ij respectively, together with their corresponding critical paths, neuron information, and confidence information cf in M, construct graph data consisting of a graph node table, a graph edge table, and a graph category table, labeled Z and Z′ respectively. The graph node table consists of the graph number of each node, the importance information and activation level of the corresponding neuron, and its relative position within its layer of M. The graph edge table consists of all line segments that make up the critical path. The graph category table stores the confidence cf of every graph and its corresponding category, i.e. normal sample set or adversarial sample set.
[0051] Step 4.2: Transform Z and Z′ into feature embedding vectors and connection embedding vectors according to the correspondence between nodes and features and the connection relationship between nodes, denoted as X and A respectively. For example, T features of S nodes form an S×T matrix X, and the connection relationship between nodes also forms an S×S adjacency matrix A.
[0052] Step 4.3: Construct a graph convolutional neural network model G based on X and A, and propagate the features between its layers according to equation (11).
[0053]
[0054] where I is the identity matrix, D̃ is the degree matrix, H^(l) is the feature matrix of the l-th layer (H is X at the input layer), σ is a non-linear activation function, and W^(l) is the weight vector of the l-th layer;
[0055] Step 4.4: Train the graph convolutional neural network model G using equation (12) and Z until it converges.
[0056]
[0057] Where (z, y) represents a graph datum z consisting of a single sample and its corresponding true class y, (Z, Y) represents all graph data Z used for training and their corresponding true class set Y, A_z and X_z represent the connection embedding vector and the feature embedding vector of z, respectively, and ls is the loss value between the model output and the true class;
[0058] Step 4.5: Use G to determine the category of z′, z′∈Z′, and output the final detection result.
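An added example, not the patent's code, of steps 4.1 to 4.3: a graph node table and edge table built from a constructed key path, the S×T feature matrix X and S×S adjacency matrix A of step 4.2, and one propagation step of equation (11), taken here to be the normalized update H^(l+1) = σ(D̃^{-1/2}(A + I)D̃^{-1/2} H^(l) W^(l)) that the symbols in the text describe (an assumption, since the equation itself is not reproduced on the page). The weight matrix is constructed rather than trained, so the training of step 4.4 is not shown.

```python
# Added example (not the patent's own code): building the graph data of step
# 4.1 from a key path and running the layer propagation of equation (11),
# H^(l+1) = sigma(D^-1/2 (A + I) D^-1/2 H^(l) W^(l)), assumed here to be the
# normalized GCN update the symbols in the text describe.  Training with
# equation (12) is not shown; the weights are constructed.
import math
from typing import Dict, List, Tuple

Matrix = List[List[float]]

# Constructed graph node table: (graph node id, importance, activation, relative position in layer)
NODE_TABLE = [
    (0, 0.6, 1.0, 0.0),   # layer 0, key pixel 0
    (1, 1.3, 2.0, 0.25),  # layer 0, key pixel 1
    (2, 1.25, 1.5, 0.0),  # layer 1, key hidden neuron
    (3, 2.5, 2.5, 0.0),   # layer 2, predicted-class neuron
]
# Constructed graph edge table: the line segments of the key path.
EDGE_TABLE = [(0, 2), (1, 2), (2, 3)]
# Constructed weight W^(0): 3 input features -> 2 hidden features.
W0: Matrix = [[1.0, 0.0], [0.0, 1.0], [0.5, 0.5]]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def build_embeddings(node_table, edge_table) -> Tuple[Matrix, Matrix]:
    """Step 4.2: X is the S x T feature matrix, A the S x S symmetric adjacency."""
    X = [[imp, act, pos] for _, imp, act, pos in node_table]
    S = len(node_table)
    A = [[0.0] * S for _ in range(S)]
    for u, v in edge_table:
        A[u][v] = A[v][u] = 1.0
    return X, A


def normalized_adjacency(A: Matrix) -> Matrix:
    """D^-1/2 (A + I) D^-1/2, with D the degree matrix of A + I (self-loops added
    so that a node's own features survive the propagation)."""
    S = len(A)
    A_tilde = [[A[i][j] + (1.0 if i == j else 0.0) for j in range(S)] for i in range(S)]
    deg = [sum(row) for row in A_tilde]
    return [[A_tilde[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(S)] for i in range(S)]


def gcn_layer(A_hat: Matrix, H: Matrix, W: Matrix) -> Matrix:
    """Equation (11) with ReLU as the non-linearity sigma."""
    Z = matmul(matmul(A_hat, H), W)
    return [[max(z, 0.0) for z in row] for row in Z]


def readout(H: Matrix) -> List[float]:
    """Mean-pool node features into one graph-level vector for the graph's class score."""
    S = len(H)
    return [sum(H[i][j] for i in range(S)) / S for j in range(len(H[0]))]


def run_example() -> Dict[str, object]:
    """Steps 4.1 to 4.3 on the constructed key-path graph."""
    X, A = build_embeddings(NODE_TABLE, EDGE_TABLE)
    A_hat = normalized_adjacency(A)
    H1 = gcn_layer(A_hat, X, W0)
    return {"A_hat": A_hat, "H1": H1, "graph_vector": readout(H1)}


if __name__ == "__main__":
    out = run_example()
    print("hidden features per key node:", [[round(v, 3) for v in row] for row in out["H1"]])
    print("graph vector:", [round(v, 3) for v in out["graph_vector"]])
```

The hidden neuron (node 2) has degree four after self-loops, so its own features are scaled by 1/4 while each neighbour contributes with weight 1/√8; this is how the key path's shape, not only the per-neuron importances, reaches the classifier that decides z′.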
[0059] A detector, constructed using an image-based adversarial example recognition method based on a three-level sequential detector, includes:
[0060] The first detector is constructed based on the significant differences in the point distribution of normal samples and adversarial samples after dimensionality reduction by principal component analysis;
[0061] The second detector is constructed based on the significant difference in the dispersion of neuron importance between normal samples and adversarial samples in a deep neural network model;
[0062] The third detector is constructed based on the significant differences between normal samples and adversarial samples in the critical path of a deep neural network model.
[0063] Preferably, the first detector, the second detector, and the third detector are arranged in sequence. Once the category of any sample to be detected is determined by the first detector or the second detector, it will not be detected by the next level detector. The first detector, the second detector, or the third detector outputs the category of the sample to be detected.
[0064] This invention relates to an image adversarial sample recognition method and detector based on a three-level cascaded detector. The method reads and parses the parameters in a pre-trained deep neural network model, extracts the key path of the deep neural network model, constructs a three-level cascaded detector based on normal samples and adversarial samples, and combines the three-level cascaded detector according to a cascaded strategy to complete the detection and recognition of adversarial samples.
[0065] The technical concept of this invention is to construct a detector based on the characteristics of the samples themselves by analyzing the significant differences in the statistical attributes of normal samples and adversarial samples; and to construct a detector based on model parameters by analyzing the significant differences in the key paths and parameter values of normal samples and adversarial samples in a deep neural network model. By cascading these two detectors, the detector achieves high detection accuracy while possessing strong generalization and robustness.
[0066] The beneficial effects of this invention are mainly reflected in:
[0067] (1) The critical path of the deep neural network classifier is quickly calculated and located based on the layer-by-layer correlation propagation algorithm, which helps to extract and analyze the structural features of the samples;
[0068] (2) The image adversarial sample identification method based on the three-stage cascaded detector has good generalization and robustness as well as high adversarial sample detection accuracy. This not only helps to accurately identify adversarial samples formed by existing attack methods and to effectively resist adversarial samples formed by unknown attack methods, but also increases the difficulty of attacking the classifier and the detector at the same time.
Attached Figure Description
[0069] Figure 1 is a flowchart of the method of the present invention;
[0070] Figure 2 is a schematic diagram of the detector of the present invention.
Detailed Implementation
[0071] The present invention will be further described in detail below with reference to embodiments, but the scope of protection of the present invention is not limited thereto.
[0072] This invention relates to an image-based adversarial example recognition method based on a three-stage cascaded detector. The method reads and parses the parameters in a pre-trained deep neural network model, which is pre-trained using an image dataset, including but not limited to people, animals, scenery, or objects. The method extracts the key paths of the deep neural network model, constructs a three-stage cascaded detector based on normal and adversarial samples, and combines the three-stage cascaded detectors according to a cascaded strategy to complete the detection and recognition of adversarial samples.
[0073] The key path for extracting a deep neural network model includes the following steps:
[0074] Step 1.1: For k attack methods, randomly select a specified proportion of normal samples from the normal sample set and construct k sets of adversarial samples. These are then merged into k normal sample sets and k corresponding adversarial sample sets. These sets are then divided into a training set and a test set according to a preset ratio, such as 8:2, and labeled D_i and D′_i, where i is the group index, i = 1, 2, 3, ..., k, and k is a positive integer; D_ij and D′_ij denote the j-th sample drawn from the i-th training set and from the i-th set to be tested, respectively, where j = 1, 2, 3, ..., n and n is the number of samples in that set;
[0075] Step 1.2: For D_ij and D′_ij, quantify the importance of each neuron in M using the layer-wise relevance propagation algorithm, and extract the corresponding critical paths.
[0076] Step 1.2 includes the following steps:
[0077] Step 1.2.1: Feed D_ij and D′_ij into the deep neural network model M, and directly extract each neuron's activation level a and network weight w, together with the confidence cf of the predicted class.
[0078] Step 1.2.2: Based on a and w, starting from the output of the last fully connected layer before the softmax layer of M, importance backpropagation is performed using the layer importance conservation law shown in Equation (1) to obtain the importance information of each neuron.
[0079]
[0080] Here a_u represents the activation level of the u-th neuron, w_uv represents the weight connecting the u-th and v-th neurons, sR_u represents the importance value of the u-th neuron in the preceding layer of an adjacent layer pair, pR_v represents the importance value of the v-th neuron in the following layer of the pair, ε ∈ [0, 1] is used to enhance saliency and is set to 0.5 here, U represents the number of neurons in the preceding layer of the pair, and V represents the number of neurons in the following layer of the pair.
[0081] Step 1.2.3: For each D_ij and D′_ij, the top 30% most important nodes in each layer of M are selected as the key nodes of that layer; in the last fully connected layer, only the most important neuron is selected as the key node of that layer. Then the key nodes that are connected between adjacent layers are connected to form the key path in M for the current sample.
[0082] The three-stage coupled detector includes:
[0083] The first detector is constructed based on the significant differences in the point distribution of normal samples and adversarial samples after dimensionality reduction by principal component analysis;
[0084] The second detector is constructed based on the significant difference in the dispersion of neuron importance between normal samples and adversarial samples in a deep neural network model;
[0085] The third detector is constructed based on the significant differences between normal samples and adversarial samples in the critical path of a deep neural network model.
[0086] The construction of the first detector and its adversarial example identification include the following steps:
[0087] Step 2.1: Apply principal component analysis to the samples of training set D_i to flatten them and reduce their dimensionality, and label the result P_i. The j-th sample D_ij drawn from the training set, a multidimensional data matrix, is flattened into a 1×H matrix (where H is the total number of pixels in the sample) and then reduced to 2-D feature data, which are used as the x- and y-coordinates of a point in a Cartesian coordinate system, labeled P_ij;
[0088] Step 2.2: Initialize the distance threshold DS and compute the Euclidean distance between every pair of elements in P_i. For P_ij, take the remaining points of P_i whose distance to P_ij is less than the threshold DS as the points within the neighborhood of P_ij, and count the number of points in that neighborhood that belong to the normal sample set and to the adversarial sample set, denoted a and b respectively.
[0089] Step 2.3: Initialize the proportional threshold PS and evaluate equations (2) and (3):
[0090] a>(a+b)×PS (2)
[0091] b>(a+b)×PS (3)
[0092] If a and b satisfy equation (2), D_ij is determined to be a normal sample; if they satisfy equation (3), D_ij is determined to be an adversarial example;
[0093] Step 2.4: Train and compute the optimal DS and PS through steps 2.2 and 2.3. The most suitable DS and PS are a trade-off between accuracy and recognition rate.
[0094] Step 2.5: Using the methods of steps 2.1 to 2.3 and the trained DS and PS, detect the category of each sample D′_ij in the test sample set D′_i; if D′_ij satisfies neither equation (2) nor equation (3), it is denoted RM′_ij and passed to the subsequent detectors of the three-stage cascaded detector.
[0095] The construction of the second detector and its adversarial example identification include the following steps:
[0096] Step 3.1: For RM′_ij, sort the importance of the neurons in each layer of the deep neural network model M from largest to smallest, and extract the lower quartile Q1 and the upper quartile Q3 (i.e. the values at the 75th and 25th positions of the descending array).
[0097] Step 3.2: Using equation (4), calculate the average interquartile range (IQR) of the normal sample set and of the adversarial sample set of D_i in the l-th layer of the deep neural network model M, respectively.
[0098] IQR = Q3 - Q1 (4)
[0099] Let the IQR of the normal sample set and of the adversarial sample set at layer l be denoted ... respectively, and let the IQR of the current sample RM′_ij at layer l be its dispersion at that layer, l = 1, 2, ..., L, where L is the total number of layers in the deep neural network model M;
[0100] Step 3.3: For RM′_ij, calculate the confidence with which each layer of M belongs to the normal samples and to the adversarial samples, using equations (5) to (8).
[0101]
[0102]
[0103]
[0104]
[0105] If layer l of M is a convolutional layer, the confidence of RM′_ij belonging to normal samples and to adversarial samples at this layer, c_n1(l) and c_a1(l), is calculated using equations (5) and (7) respectively;
[0106] If layer l of M is a linear layer, the confidence of RM′_ij belonging to normal samples and to adversarial samples at this layer, c_n2(l) and c_a2(l), is calculated using equations (6) and (8) respectively;
[0107] Step 3.4: Calculate the average layer confidence of RM′_ij belonging to normal samples and to adversarial samples, C_n and C_a, using equations (9) and (10) respectively,
[0108]
[0109]
[0110] Where L is the total number of layers in the deep neural network model M;
[0111] Step 3.5: Set the layer average confidence threshold to QS;
[0112] If C_n is greater than or equal to QS, the sample is determined to be a normal sample.
[0113] If C_a is greater than or equal to QS, the sample is determined to be an adversarial sample.
[0114] If neither of the above two conditions is met, the sample is denoted RM″_ij and passed to the subsequent detector of the three-stage cascaded detector.
[0115] Q1 is the 25th percentile, and Q3 is the 75th percentile.
[0116] The construction of the third detector and its adversarial sample identification include the following steps:
[0117] Step 4.1: Using D_ij and RM″_ij respectively, together with their corresponding critical paths, neuron information, and confidence information cf in M, construct graph data consisting of a graph node table, a graph edge table, and a graph category table, labeled Z and Z′ respectively. The graph node table consists of the graph number of each node, the importance information and activation level of the corresponding neuron, and its relative position within its layer of M. The graph edge table consists of all line segments that make up the critical paths. The graph category table stores the confidence cf of every graph and its corresponding category, i.e. normal sample or adversarial sample.
[0118] Step 4.2: Transform Z and Z′ into feature embedding vectors and connection embedding vectors according to the correspondence between nodes and features and the connection relationship between nodes, and denote them as X and A respectively. For example, T features of S nodes form an S×T matrix X, and the relationship between each node will also form an S×S adjacency matrix A.
[0119] Step 4.3: Construct a graph convolutional neural network model G based on X and A, and propagate the features between its layers according to equation (11).
[0120]
[0121] where I is the identity matrix, D̃ is the degree matrix, H^(l) is the feature matrix of the l-th layer (H is X at the input layer), σ is a non-linear activation function, and W^(l) is the weight vector of the l-th layer;
[0122] Step 4.4: Train the graph convolutional neural network model G using equation (12) and Z until it converges.
[0123]
[0124] Where (z, y) represents the graph datum consisting of a single sample and its corresponding true class, (Z, Y) represents all the graph data used for training and their corresponding true class set, A_z and X_z represent the connection embedding vector and the feature embedding vector of z, respectively, and ls is the loss value between the model output and the true class;
[0125] Step 4.5: Use G to determine the category of z′, z′∈Z′, and output the final detection result.
[0126] This invention also relates to a detector constructed using an image-based adversarial example recognition method based on a three-level sequential detector, comprising:
[0127] The first detector is constructed based on the significant differences in the point distribution of normal samples and adversarial samples after dimensionality reduction by principal component analysis;
[0128] The second detector is constructed based on the significant difference in the dispersion of neuron importance between normal samples and adversarial samples in a deep neural network model;
[0129] The third detector is constructed based on the significant differences between normal samples and adversarial samples in the critical path of a deep neural network model.
[0130] The first detector, the second detector, and the third detector are set up in sequence. Once the category of any sample to be detected is determined by the first detector or the second detector, it will no longer be detected by the next level detector. The first detector, the second detector, or the third detector outputs the category of the sample to be detected.
[0131] In this invention, three detectors are combined according to a cascade strategy to complete the detection and identification of adversarial samples. Once the category of the sample to be detected is determined, the result is output and the sample does not continue to the next level of detector.
Claims
1. An image-based adversarial example recognition method based on a three-stage sequential detector, characterized in that: the method reads and parses the parameters in the pre-trained deep neural network model, extracts the key path of the deep neural network model, and constructs a three-stage cascaded detector based on normal samples and adversarial samples. The three-stage cascaded detector includes: the first detector, constructed based on the significant differences in the point distribution of normal samples and adversarial samples after dimensionality reduction by principal component analysis; the second detector, constructed based on the significant difference in the dispersion of neuron importance between normal samples and adversarial samples in a deep neural network model; and the third detector, constructed based on the significant differences between normal samples and adversarial samples in the critical paths of deep neural network models. The three-stage cascaded detectors are combined according to the cascade strategy: the first detector, the second detector, and the third detector are set in sequence; once the category of any sample to be detected is determined by the first detector or the second detector, it will no longer be detected by the next level detector; the first detector, the second detector, or the third detector outputs the category of the sample to be detected, completing the detection and identification of adversarial examples.
2. The image-based adversarial example recognition method based on a three-stage sequential detector according to claim 1, characterized in that: extracting the key path of the deep neural network model includes the following steps: Step 1.1: For k attack methods, randomly select a specified proportion of normal samples from the normal sample set and construct k sets of adversarial samples. These are then merged into k normal sample sets and k corresponding adversarial sample sets. These sets are further divided into training sets and test sets according to a preset ratio and labeled D_i and D′_i, where i represents the group, i = 1, 2, 3, …, k, and k is a positive integer; D_ij and D′_ij refer to the j-th sample drawn from the i-th training set and from the i-th sample set to be tested, respectively, where j = 1, 2, 3, …, n, and n is the number of samples in that set. Step 1.2: For D_ij and D′_ij, the importance of each neuron in M is quantified using the layer-wise relevance propagation algorithm, and the corresponding critical paths are extracted.
3. The image-based adversarial example recognition method based on a three-stage cascaded detector according to claim 2, characterized in that Step 1.2 comprises the following steps: Step 1.2.1: feed and into the deep neural network model M, and directly extract the activation level a of each neuron, the network weights w, and the confidence cf of the predicted class. Step 1.2.2: based on a and w, starting from the output of the last fully connected layer before the softmax layer of M, back-propagate importance according to the layer importance conservation law of Equation (1) to obtain the importance of each neuron: (1) where denotes the activation level of the u-th neuron, denotes the weight connecting the u-th and v-th neurons, denotes the importance of the u-th neuron in the preceding one of two adjacent layers, denotes the importance of the v-th neuron in the following one of the two adjacent layers, is a term used to enhance saliency, U is the number of neurons in the preceding layer, and V is the number of neurons in the following layer. Step 1.2.3: for each and , select a fixed proportion of the most important neurons in each layer of M as the key nodes of that layer; in the last fully connected layer, select only the single most important neuron as its key node. Then connect the key nodes that are linked between adjacent layers to form the key path of M for the current sample.
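The following is an added worked example of Steps 1.2.1 to 1.2.3 and is not code from the patent. Equation (1) is not reproduced in the source text, so the epsilon-stabilised relevance rule used here is an assumption (it conserves summed importance between adjacent layers, which is the property the claim names); the toy network, its weights and the input are constructed for illustration.

```python
"""Added example (not the patent's own code): key-path extraction for a toy
fully connected network via a layer-wise relevance propagation rule.
The patent's Equation (1) is not reproduced in the source text, so the
epsilon-stabilised rule used here is an assumption; the network weights
and the input are constructed for illustration."""
import math

# Constructed toy network: 3 inputs -> 2 hidden (ReLU) -> 2 logits.
# W[u][v] connects neuron u of one layer to neuron v of the next.
TOY_WEIGHTS = [
    [[1.0, 0.0], [0.5, 1.0], [0.0, -1.0]],
    [[1.0, 0.2], [0.0, 1.0]],
]
TOY_X = [1.0, 2.0, 1.0]


def forward(weights, x):
    """Forward pass returning every layer's activation level a (input first).
    The last entry is the pre-softmax output, where Step 1.2.2 starts."""
    acts = [list(x)]
    for li, W in enumerate(weights):
        prev = acts[-1]
        z = [sum(prev[u] * W[u][v] for u in range(len(prev))) for v in range(len(W[0]))]
        if li < len(weights) - 1:          # ReLU on hidden layers only
            z = [max(0.0, t) for t in z]
        acts.append(z)
    return acts


def relevance_backprop(weights, acts, eps=1e-6):
    """Importance R for every neuron, propagated backwards from the predicted
    class. Assumed rule (stabiliser eps stands in for the saliency-enhancing
    term the claim mentions):
        R_u = sum_v  a_u * w_uv / (sum_u' a_u' * w_u'v + eps) * R_v
    Summed importance is conserved between adjacent layers up to eps."""
    R = [None] * len(acts)
    out = acts[-1]
    pred = max(range(len(out)), key=lambda v: out[v])
    R[-1] = [out[v] if v == pred else 0.0 for v in range(len(out))]
    for li in range(len(acts) - 2, -1, -1):
        W, a, R_next = weights[li], acts[li], R[li + 1]
        R_cur = [0.0] * len(a)
        for v in range(len(R_next)):
            if R_next[v] == 0.0:
                continue
            z = sum(a[u] * W[u][v] for u in range(len(a)))
            denom = z + (eps if z >= 0 else -eps)
            for u in range(len(a)):
                R_cur[u] += a[u] * W[u][v] / denom * R_next[v]
        R[li] = R_cur
    return R


def key_path(weights, R, ratio=0.5):
    """Step 1.2.3: keep the top `ratio` of neurons per layer by importance,
    only the single most important neuron in the last layer, and the edges
    that join key nodes of adjacent layers (non-zero weight)."""
    nodes = []
    for li, R_l in enumerate(R):
        order = sorted(range(len(R_l)), key=lambda u: -R_l[u])
        k = 1 if li == len(R) - 1 else max(1, math.ceil(ratio * len(R_l)))
        nodes.append(sorted(order[:k]))
    edges = [(li, u, v)
             for li in range(len(nodes) - 1)
             for u in nodes[li] for v in nodes[li + 1]
             if weights[li][u][v] != 0.0]
    return nodes, edges


def extract_key_path(weights, x, ratio=0.5):
    """Steps 1.2.1-1.2.3 end to end for one sample."""
    acts = forward(weights, x)
    R = relevance_backprop(weights, acts)
    nodes, edges = key_path(weights, R, ratio)
    return acts, R, nodes, edges


if __name__ == "__main__":
    acts, R, nodes, edges = extract_key_path(TOY_WEIGHTS, TOY_X)
    print("logits:", acts[-1])
    print("importance per layer:", R)
    print("key nodes:", nodes, "key edges:", edges)
```

On this toy input the predicted class is logit 0, the whole of its importance flows back through hidden neuron 0, and input neuron 2 (which only feeds the inactive path) receives zero importance, so the key path is inputs {0, 1} to hidden 0 to output 0.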
4. The image-based adversarial example recognition method based on a three-stage cascaded detector according to claim 1, characterized in that the construction of the first detector and its adversarial example identification comprise the following steps: Step 2.1: for the training set, flatten each sample and reduce its dimensionality by principal component analysis, labeling the result as , where denotes the point corresponding to the j-th sample of the training set after dimensionality reduction; Step 2.2: initialize the distance threshold DS and compute the Euclidean distance between every pair of points in the matrix; for , select the other points whose distance to it is less than DS as its neighbourhood, and count the points in the neighbourhood that belong to the normal sample set and to the adversarial sample set, denoted a and b respectively; Step 2.3: initialize the proportion threshold PS and Equations (2) and (3): (2) (3) If a and b satisfy Equation (2), is determined to be a normal sample; if they satisfy Equation (3), is determined to be an adversarial sample; Step 2.4: train with Steps 2.2 and 2.3 to obtain the optimal DS and PS; Step 2.5: using the method of Steps 2.1 to 2.3 with the trained DS and PS, detect the category of each sample in the test sample set ; if neither Equation (2) nor Equation (3) is satisfied, the sample is recorded as and passed on to the subsequent detectors of the three-stage cascaded detector.
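The following is an added worked example of Steps 2.2 to 2.5 and is not code from the patent. Equations (2) and (3) are not reproduced in the source text, so the decision rule below (the share of normal, respectively adversarial, neighbours within DS must reach PS) is an assumption, as is the leave-one-out grid search used to fit DS and PS; the points are constructed and stand for samples that have already been reduced by PCA.

```python
"""Added example (not the patent's own code): the first detector's
neighbourhood vote on points that have already been reduced by PCA.
Equations (2) and (3) are not reproduced in the source; the fraction rule
below is an assumption, as is the leave-one-out grid search for DS and PS.
The 2-D points are constructed."""
import itertools
import math

# Constructed training points after dimensionality reduction: two clusters
# plus one point of each class in the overlap region between them.
TRAIN_PTS = [(0.0, 0.0), (0.2, 0.1), (-0.1, 0.3), (0.3, -0.2), (1.2, 1.2),
             (3.0, 3.0), (2.8, 3.1), (3.2, 2.9), (2.9, 2.7), (1.8, 1.8)]
TRAIN_LABELS = ["normal"] * 5 + ["adversarial"] * 5


def neighbour_counts(point, pts, labels, ds):
    """Step 2.2: a = normal and b = adversarial training points closer than DS."""
    a = b = 0
    for p, lab in zip(pts, labels):
        if math.dist(point, p) < ds:
            if lab == "normal":
                a += 1
            else:
                b += 1
    return a, b


def decide(a, b, ps):
    """Step 2.3 (assumed form of Eqs. (2) and (3)). None means 'undecided':
    the sample is handed to the next stage of the cascade (Step 2.5)."""
    total = a + b
    if total == 0:
        return None
    if a / total >= ps:
        return "normal"
    if b / total >= ps:
        return "adversarial"
    return None


def classify(point, pts, labels, ds, ps):
    return decide(*neighbour_counts(point, pts, labels, ds), ps)


def fit_thresholds(pts, labels, ds_grid, ps_grid):
    """Step 2.4: choose DS and PS by leave-one-out grid search. Score =
    correct verdicts minus wrong verdicts; abstentions count zero, so the
    search prefers thresholds that are decisive as well as accurate."""
    best = None
    for ds, ps in itertools.product(ds_grid, ps_grid):
        score = 0
        for i, (p, lab) in enumerate(zip(pts, labels)):
            others = pts[:i] + pts[i + 1:]
            olabs = labels[:i] + labels[i + 1:]
            verdict = classify(p, others, olabs, ds, ps)
            if verdict == lab:
                score += 1
            elif verdict is not None:
                score -= 1
        if best is None or score > best[0]:
            best = (score, ds, ps)
    return best[1], best[2]


if __name__ == "__main__":
    ds, ps = fit_thresholds(TRAIN_PTS, TRAIN_LABELS, [0.5, 1.0, 2.0], [0.6, 0.8, 1.0])
    print("fitted DS, PS:", ds, ps)
    for q in [(0.1, 0.1), (3.1, 3.0), (1.5, 1.5)]:
        print(q, classify(q, TRAIN_PTS, TRAIN_LABELS, ds, ps))
```

With DS = 1.0 and PS = 0.8 a query in the normal cluster is decided at this stage, a query in the adversarial cluster likewise, and a query midway between the two overlap points sees one neighbour of each class, fails both inequalities, and is forwarded; a strict inequality in Step 2.2 means a point exactly DS away is not a neighbour.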
5. The image-based adversarial example recognition method based on a three-stage cascaded detector according to claim 4, characterized in that the construction of the second detector and its adversarial example identification comprise the following steps: Step 3.1: for , rank the importance of the neurons in each layer of the deep neural network model M from highest to lowest and extract the lower quartile and the upper quartile ; Step 3.2: using Equation (4), compute the average interquartile range (IQR) of the normal sample set and of the adversarial sample set in the l-th layer of M: (4) Let the IQR of the normal sample set and of the adversarial sample set at layer l be denoted and respectively, and let denote the dispersion of the current sample at the l-th layer, l = 1, 2, …, L, where L is the total number of layers of M; Step 3.3: using Equations (5) to (8), compute the confidence with which each layer of M belongs to the normal samples and to the adversarial samples: (5) (6) (7) (8) If layer l of M is a convolutional layer, use Equations (5) and (7) to compute the confidences of normal and adversarial samples in that layer, and ; if layer l of M is a linear layer, use Equations (6) and (8) instead to compute and ; Step 3.4: using Equations (9) and (10), compute the layer-averaged confidences and of normal and adversarial samples: (9) (10) Step 3.5: set a layer-averaged confidence threshold QS. If is greater than or equal to QS, the sample is judged to be a normal sample; if is greater than or equal to QS, the sample is judged to be an adversarial sample. If neither condition holds, the sample is recorded as and passed on to the subsequent detector of the three-stage cascaded detector.
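The following is an added worked example of Steps 3.1 to 3.5 together with the cascade stop rule of claim 1, and is not code from the patent. Equations (4) to (10) are not reproduced in the source text, so the per-layer confidence used here (exp of minus the distance between the sample's layer IQR and the class's reference IQR, with a different scale for convolutional and linear layers) is an assumption; the per-layer importance vectors are constructed, the first stage is modelled as having abstained, and the third stage is a nearest-reference placeholder rather than the patent's graph-based detector.

```python
"""Added example (not the patent's own code): the second detector's
dispersion test and the cascade stop rule of claim 1. Importance vectors
per layer are constructed; Equations (4)-(10) are not reproduced in the
source, so the confidence formula (exp(-|IQR - reference IQR| / scale),
scale depending on conv vs linear layer) is an assumption."""
import math


def quartiles(vals):
    """Lower (25th) and upper (75th) percentile, linear interpolation (claim 6)."""
    s = sorted(vals)

    def pct(p):
        k = (len(s) - 1) * p
        f = int(k)
        c = min(f + 1, len(s) - 1)
        return s[f] + (s[c] - s[f]) * (k - f)

    return pct(0.25), pct(0.75)


def iqr(vals):
    lo, hi = quartiles(vals)
    return hi - lo


def mean_layer_iqr(sample_set):
    """Step 3.2: average IQR of a sample set, layer by layer."""
    n_layers = len(sample_set[0])
    return [sum(iqr(s[l]) for s in sample_set) / len(sample_set) for l in range(n_layers)]


SCALES = {"conv": 0.5, "linear": 0.2}   # assumed stand-ins for Eqs (5)/(7) vs (6)/(8)


def layer_confidence(d, ref, kind):
    return math.exp(-abs(d - ref) / SCALES[kind])


def second_detector(sample, ref_normal, ref_adv, layer_kinds, qs):
    """Steps 3.3-3.5: returns 'normal', 'adversarial' or None (undecided)."""
    n_layers = len(sample)
    conf_n = [layer_confidence(iqr(sample[l]), ref_normal[l], layer_kinds[l]) for l in range(n_layers)]
    conf_a = [layer_confidence(iqr(sample[l]), ref_adv[l], layer_kinds[l]) for l in range(n_layers)]
    avg_n = sum(conf_n) / n_layers      # stands in for Eq. (9)
    avg_a = sum(conf_a) / n_layers      # stands in for Eq. (10)
    if avg_n >= qs:
        return "normal"
    if avg_a >= qs:
        return "adversarial"
    return None


def run_cascade(stages, sample):
    """Claim 1: a stage may decide or abstain (None); the first verdict is
    final and later stages are skipped. Returns (verdict, deciding stage)."""
    for i, stage in enumerate(stages):
        verdict = stage(sample)
        if verdict is not None:
            return verdict, i
    raise ValueError("the last stage must always decide")


def make_sample(step4, span2, offset):
    """Constructed importance vectors for three layers (conv, conv, linear):
    IQR = 1.5*step4 for the 4-neuron layers, 0.5*span2 for the 2-neuron layer."""
    four = [offset + step4 * i for i in range(4)]
    return [four, [v + 0.1 for v in four], [offset, offset + span2]]


LAYER_KINDS = ["conv", "conv", "linear"]
NORMAL_SET = [make_sample(0.1, 0.1, 0.0), make_sample(0.1, 0.1, 0.3)]
ADV_SET = [make_sample(0.5, 1.0, 0.0), make_sample(0.5, 1.0, 0.2)]
REF_NORMAL = mean_layer_iqr(NORMAL_SET)
REF_ADV = mean_layer_iqr(ADV_SET)


def nearest_reference(sample):
    """Placeholder for the third (graph-based) detector, not the patent's
    method: the class whose reference IQR profile is nearer on average."""
    n = len(sample)
    d_n = sum(abs(iqr(sample[l]) - REF_NORMAL[l]) for l in range(n)) / n
    d_a = sum(abs(iqr(sample[l]) - REF_ADV[l]) for l in range(n)) / n
    return "normal" if d_n <= d_a else "adversarial"


def demo_cascade(sample, qs=0.7):
    first = lambda s: None    # models a first detector that abstained on s
    second = lambda s: second_detector(s, REF_NORMAL, REF_ADV, LAYER_KINDS, qs)
    return run_cascade([first, second, nearest_reference], sample)
```

A sample whose per-layer dispersion matches the normal reference is decided at stage 1 (the second detector) as normal, one matching the adversarial reference as adversarial, and a sample with intermediate dispersion fails both QS tests and is forwarded to stage 2.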
6. The image-based adversarial example recognition method based on a three-stage cascaded detector according to claim 5, characterized in that the lower quartile is the 25th percentile and the upper quartile is the 75th percentile.
7. The image-based adversarial example recognition method based on a three-stage cascaded detector according to claim 5, characterized in that the construction of the third detector and its adversarial example identification comprise the following steps: Step 4.1: using the key paths of and in M, together with their neuron information and confidence information cf, construct graph data consisting of a graph node table, a graph edge table and a graph category table, labeled Z and Z respectively. The graph node table records, for each node, its number within the graph, the importance and activation level of the corresponding neuron, and the relative position of the node within its layer of M. The graph edge table consists of all the line segments that make up the key path. The graph category table stores the confidence cf of every graph and its category, i.e. whether it belongs to the normal sample set or to the adversarial sample set. Step 4.2: for and , based on the correspondence between nodes and features and on the connections between nodes, transform the graph data into a feature embedding vector and a connection embedding vector, denoted X and A respectively. Step 4.3: construct a graph convolutional neural network model G from X and A, propagating features between its layers according to Equation (11): (11) where , is the identity matrix, is the degree matrix, denotes the features of the l-th layer, the input features of the first layer are X, is a non-linear activation function, and is the weight vector of the l-th layer; Step 4.4: train the graph convolutional neural network model G with Equation (12) and Z until it converges: (12) where z denotes the graph data of one sample together with its true class y, Z and Y denote all the graph data used for training and the corresponding set of true classes, and denote the connection embedding vector and the feature embedding vector of z respectively, and ls is the loss between the model output and the true class; Step 4.5: use G to determine the category of and output the final detection result.
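The following is an added worked example of Steps 4.1 to 4.3 and is not code from the patent. It builds the node and edge tables from a key path, derives X and A from them, and applies one propagation step in the form claim 7 describes for Equation (11) (adjacency augmented with the identity matrix, symmetric normalisation by the degree matrix, a layer weight, a non-linearity). Equation (11) itself is not reproduced in the source text, so that form is an assumption; the key path, per-neuron importance and activation values are constructed, and the mean-pool readout at the end is a placeholder for the classifier head that Step 4.4 would train with Equation (12).

```python
"""Added example (not the patent's own code): graph tables of Step 4.1,
X/A embeddings of Step 4.2 and one propagation step in the form claim 7
describes for Eq. (11). Eq. (11) is not reproduced in the source, so the
form H = ReLU(D^-1/2 (A + I) D^-1/2 X W) is an assumption; the key path and
per-neuron values below are constructed."""
import math

# Constructed key path of a 3-layer model with layer sizes 3, 2, 2:
# key nodes per layer and the edges (layer, u, v) that join them.
LAYER_SIZES = [3, 2, 2]
KEY_NODES = [[0, 1], [0], [0]]
KEY_EDGES = [(0, 0, 0), (0, 1, 0), (1, 0, 0)]
IMPORTANCE = [[1.0, 1.0, 0.0], [2.0, 0.0], [2.0, 0.0]]
ACTIVATION = [[1.0, 2.0, 1.0], [2.0, 1.0], [2.0, 1.4]]


def build_graph_tables(key_nodes, key_edges, importance, activation, layer_sizes):
    """Node table rows: (node id, importance, activation, relative position in
    its layer). Edge table rows: (node id, node id) per key-path segment."""
    ids = {}
    node_table = []
    for li, nodes in enumerate(key_nodes):
        for u in nodes:
            ids[(li, u)] = len(node_table)
            rel = u / (layer_sizes[li] - 1) if layer_sizes[li] > 1 else 0.0
            node_table.append((len(node_table), importance[li][u], activation[li][u], rel))
    edge_table = [(ids[(li, u)], ids[(li + 1, v)]) for li, u, v in key_edges]
    return node_table, edge_table


def embeddings(node_table, edge_table):
    """Step 4.2: feature matrix X (one row per node) and symmetric adjacency A."""
    X = [[imp, act, rel] for _, imp, act, rel in node_table]
    n = len(node_table)
    A = [[0.0] * n for _ in range(n)]
    for i, j in edge_table:
        A[i][j] = A[j][i] = 1.0
    return X, A


def gcn_layer(X, A, W):
    """One propagation step: H = ReLU(D^-1/2 (A + I) D^-1/2 X W)."""
    n = len(A)
    A_hat = [[A[i][j] + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    deg = [sum(row) for row in A_hat]                      # degree matrix diagonal
    A_norm = [[A_hat[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)] for i in range(n)]
    XW = [[sum(X[i][k] * W[k][c] for k in range(len(W))) for c in range(len(W[0]))]
          for i in range(n)]
    return [[max(0.0, sum(A_norm[i][j] * XW[j][c] for j in range(n))) for c in range(len(W[0]))]
            for i in range(n)]


def graph_readout(H):
    """Mean-pool node features into one graph vector; a classifier head trained
    with Eq. (12) would map this to the normal/adversarial category."""
    return [sum(row[c] for row in H) / len(H) for c in range(len(H[0]))]


def run_demo():
    node_table, edge_table = build_graph_tables(KEY_NODES, KEY_EDGES, IMPORTANCE,
                                                ACTIVATION, LAYER_SIZES)
    X, A = embeddings(node_table, edge_table)
    W = [[1.0 if r == c else 0.0 for c in range(3)] for r in range(3)]  # identity, for inspection
    H = gcn_layer(X, A, W)
    return node_table, edge_table, X, A, H, graph_readout(H)


if __name__ == "__main__":
    node_table, edge_table, X, A, H, g = run_demo()
    print("nodes:", node_table)
    print("edges:", edge_table)
    print("propagated features:", H)
    print("graph vector:", g)
```

With an identity weight the propagated feature of the output node is its own row scaled by 1/2 plus the hidden node's row scaled by 1/sqrt(8), which makes the degree normalisation visible: the hub node of the key path contributes less to each neighbour the more key nodes it connects.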
8. A detector, characterized in that it is constructed by the image-based adversarial example recognition method based on a three-stage cascaded detector according to any one of claims 1 to 7, and comprises: a first detector, constructed on the significant difference in the point distributions of normal samples and adversarial samples after dimensionality reduction by principal component analysis; a second detector, constructed on the significant difference in the dispersion of neuron importance between normal samples and adversarial samples in a deep neural network model; and a third detector, constructed on the significant difference between the key paths of normal samples and adversarial samples in a deep neural network model.
9. The detector according to claim 8, characterized in that the first detector, the second detector and the third detector are arranged in sequence; once the category of a sample to be detected has been determined by the first detector or the second detector, the sample is not passed to the next-stage detector; and the first detector, the second detector or the third detector outputs the category of the sample to be detected.