A method, apparatus and device for detecting an attack
By training and generating a lightweight model based on the interrelationships of facial features, and deploying it on both the client and server sides, the problem of accuracy in detecting adversarial attacks in face recognition is solved, and efficient detection is achieved through end-to-end cloud integration.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: ALIPAY (HANGZHOU) INFORMATION TECH CO LTD
- Filing Date: 2022-12-28
- Publication Date: 2026-06-26
AI Technical Summary
In existing technologies, facial recognition models fail to effectively utilize the interrelationships between facial features when detecting adversarial attacks, resulting in insufficient recognition accuracy.
A first model is trained and generated. Based on the facial features and the relationships between them, a lightweight second model with the same structure is generated. These two models are then deployed to the client and server respectively to jointly detect adversarial attacks.
This gives end-to-end (client plus cloud) adversarial attack detection that improves accuracy and user experience while balancing detection accuracy against on-device performance.
Figure CN115966007B_ABST (abstract drawing)
Abstract
Description
Technical Field
[0001] This specification relates to the field of Internet technology, and in particular to a method, apparatus, and device for detecting adversarial attacks.
Background Technology
[0002] With the development of internet technology, facial recognition has become increasingly widespread, and adversarial attacks have become one of the most significant threats to it in recent years. An adversarial attack typically attaches adversarial stickers to the face, particularly over the facial features (eyes, nose, lips, eyebrows, ears) or the areas close to them, so that the facial recognition system misidentifies the user. Conventional detection methods do not make use of the relationships between facial features, and their accuracy in detecting such attacks is therefore insufficient.
[0003] A solution is therefore needed that can accurately detect adversarial attacks based on the relationships between facial features.
Summary of the Invention
[0004] This specification provides embodiments of a method, apparatus, device, and storage medium for detecting adversarial attacks, in order to solve the following technical problem: the need for a solution that achieves accurate adversarial attack detection based on the relationships between facial features.
[0005] To solve the above-mentioned technical problems, one or more embodiments of this specification are implemented as follows:
[0006] In a first aspect, embodiments of this specification provide an adversarial attack detection method, comprising: training and generating a first model, wherein the first model is trained based on facial features and the relationships between facial features; training and generating a second model based on the first model, wherein the second model is a lightweight model with the same structure as the first model; deploying the second model to the client side and deploying the first model to the server side; receiving an image to be identified, and performing adversarial attack detection on the image to be identified by combining the second model and the first model.
[0007] In a second aspect, embodiments of this specification provide an adversarial attack detection device, comprising: a first model training module for training and generating a first model, wherein the first model is trained based on facial features and the relationships between facial features; a second model training module for training and generating a second model based on the first model, wherein the second model is a lightweight model with the same structure as the first model; a deployment module for deploying the second model to the client side and the first model to the server side; and an attack detection module for receiving an image to be identified and performing adversarial attack detection on the image to be identified by combining the second model and the first model.
[0008] In a third aspect, one or more embodiments of this specification provide an electronic device, comprising:
[0009] At least one processor; and,
[0010] A memory communicatively connected to the at least one processor; wherein,
[0011] The memory stores instructions that can be executed by the at least one processor to enable the at least one processor to perform the method as described in the first aspect.
[0012] In a fourth aspect, embodiments of this specification provide a non-volatile computer storage medium storing computer-executable instructions, which, when read by a computer from the storage medium, cause one or more processors to perform the method described in the first aspect.
[0013] The above-described at least one technical solution adopted in one or more embodiments of this specification can achieve the following beneficial effects: a first model is generated through training, wherein the first model is trained based on facial features and the interrelationships between facial features; a second model is generated based on the first model, wherein the second model is a lightweight model with the same structure as the first model; the second model is deployed to the client side, and the first model is deployed to the server side; an image to be identified is received, and the second model and the first model are combined to perform adversarial attack detection on the image to be identified, thereby realizing the training of two models that can be adapted to both the server and the client simultaneously based on the facial features and the interrelationships between facial features, and achieving accurate end-to-end cloud adversarial attack detection.
Attached Figure Description
[0014] To more clearly illustrate the technical solutions in the embodiments or prior art of this specification, the drawings used in the description of the embodiments or prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this specification. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0015] Figure 1 is a flowchart illustrating an adversarial attack detection method provided in an embodiment of this specification;
[0016] Figure 2 is a schematic diagram of the architecture of a first model provided in the embodiments of this specification;
[0017] Figure 3 is a schematic diagram of the training architecture of a second model provided in the embodiments of this specification;
[0018] Figure 4 is a schematic diagram of the structure of an adversarial attack detection device provided in the embodiments of this specification;
[0019] Figure 5 is a schematic diagram of the structure of an electronic device provided in an embodiment of this specification.
Detailed Implementation
[0020] This specification provides embodiments of a method, apparatus, device, and storage medium for detecting adversarial attacks.
[0021] To enable those skilled in the art to better understand the technical solutions in this specification, the technical solutions in the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this specification, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of this application.
[0022] In the first aspect, as shown in Figure 1, which is a flowchart of an adversarial attack detection method provided in an embodiment of this specification, the method includes:
[0023] S101, train and generate the first model, wherein the first model is trained based on facial features and the relationships between facial features.
[0024] In the embodiments of this specification, a face feature is a feature vector obtained by a deep learning model through hierarchical computation over the whole face region. Similarly, a facial-feature vector is the corresponding feature vector obtained by a deep learning model through hierarchical computation over the image of a single facial feature (an eye, the nose, the lips, and so on).
[0025] For example, a training sample might be a face image containing facial features. The model can extract the corresponding facial feature images (e.g., images of the left eye, right eye, lips, nose, ears, eyebrows, etc.). After feature extraction processing such as encoding, convolution, activation, and deconvolution, the model outputs a corresponding high-dimensional feature. For instance, inputting a left eye image might output a corresponding 128-dimensional feature.
[0026] Correspondingly, since several facial-feature images are extracted from each face (an image typically yields five or six of them), there are several corresponding facial-feature vectors, and hence interrelationships among those vectors.
[0027] These relationships tend to look very different in normal images and in adversarial attack images. In an adversarial attack the attacker typically covers a real facial feature with a printed texture of that feature (for example, a printed left eye). The textured facial-feature image then appears abnormal relative to the other facial-feature images of the same face, and this abnormality can be characterized by the relationships between the facial features.
[0028] Specifically, the relationship between facial features can be represented by the cosine similarity matrix of the feature vectors. For example, taking the facial-feature vectors together with the whole-face feature vector, six vectors in total, a 6×6 relationship matrix is formed, in which the element A_ij in the i-th row and j-th column reflects the relationship between the i-th feature and the j-th feature.
[0029] The first model can be trained from the first initial model. The first initial model may include the following modules: the first part is the face feature encoding module, the second part is the facial feature encoding module, and the third part is the feature relationship learning module.
[0030] The input to the face feature encoder is a complete face image (containing facial features) included in the training samples, and the output is the features obtained from the face image and the corresponding adversarial attack classification results.
[0031] The facial feature encoding module takes as input the facial feature images contained in the training samples. It encodes these images, generates facial feature characteristics, and then generates a facial feature classification result based on these characteristics. It should be noted that each facial feature image can be processed independently during this process. For example, assuming there are 5 facial feature images, 5 corresponding facial feature characteristics can be generated, and each characteristic will have a corresponding classification result. The classification result represents the probability of adversarial attacks within the facial feature. The facial feature images are images of a portion of the training samples, and each image contains only one facial feature within that region. For example, an image containing the left eye would generate a facial feature corresponding to the left eye. When there are multiple facial feature characteristics, these can be processed (overlayed, combined, or merged) into a single feature for further processing.
[0032] The feature relationship learning module generates a feature relationship matrix representing the relationships between the facial features, and then generates a feature relationship classification result from that matrix. In other words, the input of the feature relationship learning module is the face feature and the facial-feature vectors, and its output is the feature relationship matrix together with the adversarial attack classification result derived from it.
[0033] In one implementation, the representation of the relationship between facial features can be achieved by: determining two feature vectors corresponding to any two facial features; using the cosine similarity between the two feature vectors to represent the relationship between the two facial features, thereby generating a facial feature relationship matrix.
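The relation matrix of [0028] and [0033], as an added Python illustration that is not code from the patent: it builds the cosine-similarity matrix from six constructed feature vectors and shows how a facial feature whose real image has been replaced by a printed texture ([0027]) becomes the row that agrees least with the rest. The vector values, the feature names and the "least consistent feature" rule are assumptions for illustration; the patent feeds the matrix to a learned classification head rather than applying a fixed rule.

```python
import math

# Constructed toy feature vectors (the patent's encoders output e.g. 128-dimensional vectors;
# four dimensions are enough to show the effect). Five facial-feature vectors plus the whole-face
# vector give the six rows of the 6x6 relation matrix described in [0028].
FEATURE_NAMES = ["left_eye", "right_eye", "nose", "mouth", "eyebrows", "face"]

NORMAL_FEATURES = {
    "left_eye":  [0.90, 0.80, 0.30, 0.20],
    "right_eye": [0.85, 0.82, 0.28, 0.22],
    "nose":      [0.70, 0.90, 0.40, 0.10],
    "mouth":     [0.80, 0.70, 0.50, 0.30],
    "eyebrows":  [0.95, 0.75, 0.25, 0.15],
    "face":      [0.85, 0.80, 0.35, 0.20],
}

# Same face, but the left-eye region is covered by a printed eye texture (constructed): its
# encoding no longer resembles the other regions of the same face.
ATTACK_FEATURES = dict(NORMAL_FEATURES, left_eye=[-0.90, 0.10, -0.60, 0.30])


def cosine(u, v):
    """Cosine similarity of two equal-length vectors; 0.0 if either is the zero vector."""
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    if norm_u == 0.0 or norm_v == 0.0:
        return 0.0
    return dot / (norm_u * norm_v)


def relation_matrix(features):
    """Relation matrix A with A[i][j] = cosine(feature i, feature j), as in [0028]/[0033].

    `features` is an ordered list of vectors; the matrix is symmetric with ones on the diagonal.
    """
    n = len(features)
    return [[cosine(features[i], features[j]) for j in range(n)] for i in range(n)]


def mean_relation_to_others(matrix, i):
    """Average of row i excluding the diagonal: how much feature i agrees with the rest."""
    n = len(matrix)
    return sum(matrix[i][j] for j in range(n) if j != i) / (n - 1)


def least_consistent_feature(feature_dict, names=FEATURE_NAMES):
    """Return (name, mean similarity) of the feature that agrees least with the others.

    A low value is the 'abnormal relationship' signal of [0027]. This fixed rule is an
    illustration only; the patent passes the whole matrix to a learned classifier.
    """
    vectors = [feature_dict[name] for name in names]
    matrix = relation_matrix(vectors)
    scores = [mean_relation_to_others(matrix, i) for i in range(len(names))]
    i_min = min(range(len(scores)), key=scores.__getitem__)
    return names[i_min], scores[i_min]


if __name__ == "__main__":
    for label, feats in (("normal", NORMAL_FEATURES), ("attack", ATTACK_FEATURES)):
        name, score = least_consistent_feature(feats)
        print(f"{label}: least consistent feature = {name}, mean cosine to others = {score:.3f}")
```

On the normal sample every row agrees strongly with every other row; on the attack sample the replaced left eye is the only row whose similarity to the rest collapses, which is exactly the structure the relationship-learning module is trained to pick up.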
[0034] In this way, the initial model can obtain three loss values during the training process:
[0035] The first part of the loss is the conventional face classification loss: the training samples contain labels to characterize whether the entire face is an adversarial attack or a normal face, and the difference between the face classification result obtained by the model and the label is the face classification loss.
[0036] The second part of the loss is the facial feature classification loss: the training samples contain labels to characterize which facial features are adversarial attacks and which are normal images. The model classifies each facial feature separately, and the difference between the resulting facial feature classification and the label is the facial feature classification loss. When there are multiple loss values for facial features, the sum of the loss values for multiple facial features can be used as the facial feature classification loss.
[0037] The third part is the loss for classifying facial feature relationships: In the training samples, the facial feature relationship matrix has been given (the values of the facial feature relationship matrix in normal samples and adversarial attack samples will differ). During the training process, the facial feature relationship matrix calculated by the facial features will have a certain difference from the given facial feature relationships, which is the loss for classifying facial feature relationships.
[0038] During the training of the initial model, the aforementioned loss values are combined. For example, total loss = facial feature classification loss + facial feature relationship classification loss, or total loss = face classification loss + facial feature classification loss + facial feature relationship classification loss. Figure 2 is a schematic diagram of the architecture of a first model provided in the embodiments of this specification.
[0039] In the final trained first model, the values of the facial feature classification loss and the facial feature relationship classification loss are both relatively small, as expected. In other words, the final trained first model can accurately represent facial features and the relationships between them using vectors or matrices, and based on these vectors or matrices, it can accurately identify whether adversarial attacks exist.
[0040] S103, a second model is generated based on the first model, wherein the second model is a lightweight model with the same structure as the first model.
[0041] The second model has the same structure as the first model, but it is computationally more lightweight.
[0042] The identical structure means that the second model also includes the aforementioned face feature encoding module, facial feature encoding module, and feature relationship learning module. Furthermore, the input and output features of the face feature encoding module, facial feature encoding module, and feature relationship learning module are also the same as those described above.
[0043] Lightweight refers to being lightweight in several different ways: First, the same functional module contains fewer network layers and fewer channels. For example, in the first model, the face feature encoding module might contain 10 hidden layers, while in the second model it might only have 5. Second, the same functional module requires less computation. For example, in the first model, convolution on the input face might use a 9x9 convolution kernel, while in the second model it might use a 3x3 kernel. Third, the same functional module contains fewer parameters to be trained. For example, in the first model, a fully connected layer might contain 200 parameters to be trained, while in the second model, a fully connected layer might contain only 50.
[0044] In the embodiments of this specification, generating a second model based on the first model specifically refers to training a second model based on the information provided by the first model, using a second initial model (which is a lightweight version of the first initial model). For example, conventional methods such as knowledge distillation, pruning, quantization, weight sharing, low-rank decomposition, lightweight attention modules, dynamic network architectures / training methods, lighter network architecture designs, NAS (Neural Architecture Search), and hardware support can be used to achieve lightweighting of the first model.
[0045] S105, the second model is deployed to the client side, and the first model is deployed to the server side.
[0046] Traditional adversarial attack detection methods are purely client-side or purely cloud-based solutions, which cannot balance the accuracy of adversarial attack detection with the user experience. Therefore, this section aims to achieve a balance between the two by deploying the two models in different environments.
[0047] Lightweight model deployment: Deploy the second model to the client, directly receive data and provide judgment results, and filter data that needs to be judged again in the cloud based on the judgment results; High-performance model deployment: Deploy the "first model" to the cloud server, receive data returned from the client side, and return the corresponding judgment results.
[0048] S107, Receive the image to be identified, and perform adversarial attack detection on the image to be identified by combining the second model and the first model.
[0049] The image to be identified is an image containing both a face and facial features.
[0050] After obtaining the image to be identified, the client can first use the second model on the client side to perform adversarial attack detection on the image to be identified and generate a second detection result. When the second detection result indicates a high risk (for example, the probability of the image containing an adversarial attack exceeds the threshold T2 given by the second model), the client sends the image to be identified to the server so that the server can use the first model to perform adversarial attack detection on the image to be identified and generate a first detection result. The client receives the first detection result returned by the server and performs adversarial attack warning based on the first detection result.
[0051] During this process, when the client side uses the second model to detect adversarial attacks, it can identify three types of probabilities: face attack probability P1, facial feature attack probability P2, and facial feature relationship attack probability P3.
[0052] Specifically, the second model extracts the face image and facial feature image contained in the image to be identified; the second model determines the face classification result, facial feature classification result, and facial feature relationship classification result based on the face image and facial feature image, respectively; a face attack probability P1 is generated based on the face classification result, a facial feature attack probability P2 is generated based on the facial feature classification result, and a facial feature relationship attack probability P3 is generated based on the facial feature relationship classification result; P1, P2, and P3 are fused to generate a second detection result.
[0053] Among these, the face probability P1 represents the probability that the image as a whole contains adversarial attacks, the facial feature attack probability P2 represents the probability that there may be adversarial attacks among the facial features, and the facial feature relationship attack probability P3 represents the probability that there may be adversarial attacks due to abnormal relationships between facial features.
[0054] When fusing P1, P2, and P3 to generate the second detection result, one feasible fusion method is to set the client risk probability as P = (P1 + P2 + P3) / 3, which is the average of the three probability values. Another feasible fusion method can be to assign three different weight values to the probabilities. For example, the weights of P1, P2, and P3 can be W1, W2, and W3, respectively, resulting in a client risk probability of P = P1*W1 + P2*W2 + P3*W3.
[0055] In practical applications, to highlight the importance of facial features and their relationships on the client side, higher weight values can be assigned to W2 and W3. For example, W1=0.2 and W2=W3=0.4, allowing the second model to emphasize whether the detection of facial features and their corresponding relationships represents adversarial attacks. This approach can be applied to scenarios where adversarial attacks occur frequently.
[0056] When the client's second model indicates that the input image to be identified may have a high risk of adversarial attacks, the client can then transmit the image to the cloud server for re-detection by the high-performance first model on the server side.
[0057] The detection procedure of the first model can be the same as that of the second model; since the first model is much more capable than the second, its results are more accurate. For example, the first model also obtains the face attack probability P1, generates the facial feature attack probability P2 from the facial feature classification result and the facial feature relationship attack probability P3 from the facial feature relationship classification result, and fuses the three probabilities into a cloud risk probability P_cloud. If P_cloud exceeds a preset threshold T1, the image to be identified is determined to be an adversarial attack; otherwise, it is determined to be a normal sample.
[0058] In this process the client adopts the detection result returned by the first model in the cloud; the result previously given by the second model is superseded.
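The client/server cascade of [0050] to [0058], as an added Python example that is not the patent's code: the client fuses P1, P2 and P3 with the weights of [0055] and escalates when the result reaches T2; the server re-scores with the first model, decides against T1, and its verdict supersedes the client's. The numeric thresholds, the stand-in models and the sample head outputs are assumptions.

```python
# Hypothetical end-to-end cascade assembled from [0050]-[0058]. The patent gives the fusion rules
# and the example weights W1=0.2, W2=W3=0.4 but no threshold values; T1 and T2 below are assumed.
# Each "model" here is a stand-in callable returning the three head probabilities
# (P1: whole face, P2: facial features, P3: feature relations).

CLIENT_WEIGHTS = (0.2, 0.4, 0.4)   # W1, W2, W3 from [0055]
T2 = 0.5                            # client escalation threshold (assumed value)
T1 = 0.6                            # server decision threshold (assumed value)


def fuse(p1, p2, p3, weights=None):
    """Combine the three head probabilities ([0054]).

    weights=None gives the plain average P = (P1 + P2 + P3) / 3; otherwise the weighted sum
    P = P1*W1 + P2*W2 + P3*W3. Weights must sum to 1 so the result stays a probability.
    """
    for p in (p1, p2, p3):
        if not 0.0 <= p <= 1.0:
            raise ValueError("head outputs must be probabilities in [0, 1]")
    if weights is None:
        return (p1 + p2 + p3) / 3.0
    w1, w2, w3 = weights
    if abs(w1 + w2 + w3 - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return p1 * w1 + p2 * w2 + p3 * w3


def client_screen(second_model, image, t2=T2, weights=CLIENT_WEIGHTS):
    """Client step ([0050]/[0052]): run the lightweight model, fuse, decide whether to escalate."""
    p_client = fuse(*second_model(image), weights=weights)
    return p_client, p_client >= t2


def server_verify(first_model, image, t1=T1):
    """Server step ([0057]): run the full model, fuse with the plain average, compare with T1."""
    p_cloud = fuse(*first_model(image))
    return p_cloud, p_cloud >= t1


def detect(image, second_model, first_model, t2=T2, t1=T1, weights=CLIENT_WEIGHTS):
    """Combined detection of [0050]-[0058]. Returns who decided and the final verdict."""
    p_client, escalate = client_screen(second_model, image, t2, weights)
    if not escalate:
        return {"verdict": "normal", "decided_by": "client", "score": p_client}
    p_cloud, is_attack = server_verify(first_model, image, t1)
    # [0058]: once the server has answered, its verdict supersedes the client's.
    return {"verdict": "attack" if is_attack else "normal",
            "decided_by": "server", "score": p_cloud}


# Constructed sample "images": the head outputs the two stand-in models return for each one.
SAMPLES = {
    "clean":      {"client": (0.10, 0.05, 0.05), "server": (0.05, 0.05, 0.05)},
    "borderline": {"client": (0.30, 0.70, 0.60), "server": (0.20, 0.30, 0.25)},
    "sticker":    {"client": (0.60, 0.90, 0.95), "server": (0.80, 0.90, 0.95)},
}


def stub_second_model(image):
    """Stand-in for the lightweight client model (returns constructed head outputs)."""
    return SAMPLES[image]["client"]


def stub_first_model(image):
    """Stand-in for the full server model (returns constructed head outputs)."""
    return SAMPLES[image]["server"]


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, detect(name, stub_second_model, stub_first_model))
```

Two points a deployment should keep in mind. The second model, its weights and T2 all run on the user's device, so the escalation decision is taken in an environment the attacker controls; a tampered client can report a low score and never escalate, and the server should therefore not treat an un-escalated request as verified (for high-value operations it can require server-side scoring regardless of the client score). Because only the server's verdict is final, T2 is best tuned for recall: a false escalation costs one round trip, a missed one costs the detection.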
[0059] The first model is generated through training, wherein the first model is trained based on facial features and the relationships between facial features.
[0060] A second model is generated based on the first model, wherein the second model is a lightweight model with the same structure as the first model; the second model is deployed on the client side, and the first model is deployed on the server side; an image to be identified is received, and the second model and the first model are combined to perform adversarial attack detection on the image to be identified, thereby realizing the training of two models that can be adapted to both the server and the client simultaneously based on facial features and the relationships between them, and achieving accurate end-to-end cloud adversarial attack detection.
[0061] In one implementation, training a second model based on the first model specifically includes: determining a first classification result of the first model on the training samples, and determining a second classification result of the second model on the training samples; determining the classification distillation loss caused by the difference between the first classification result and the second classification result, and training a second model based on the classification distillation loss.
[0062] In other words, the training of the second model computes two networks side by side: the teacher network (the already trained first model) and the lightweight student network (the second model being trained). The student has the same components as the teacher, but each component is replaced by a lightweight counterpart.
[0063] In this process, the training objective also includes training the second model to approximate the first model. Therefore, it is also necessary to calculate whether the classification results produced by the second model are sufficiently consistent with those of the first model. This consistency can be evaluated using classification distillation loss.
[0064] That is, firstly, the first classification result of the first model on the training samples is determined, and secondly, the second classification result of the second model on the training samples is determined; the classification distillation loss caused by the difference between the first classification result and the second classification result is determined, and the second model is trained and generated based on the classification distillation loss.
[0065] The first classification result here includes three classification results given by the first model: face attack classification result, facial feature attack classification result, and facial feature relationship classification result. The second classification result also includes the corresponding three classification results given by the second model. In this way, three classification distillation losses are generated (i.e., the inconsistency loss between the first model and the second model in face attack classification, the inconsistency loss in facial feature attack classification result, and the inconsistency loss in facial feature relationship classification result). Summing these three classification distillation losses gives the classification distillation loss of the second model and the first model in classification.
[0066] At this point, in addition to the three basic classification losses required during the training of the second model, the aforementioned classification distillation loss can be added to generate a total loss value for calculation (i.e., the total loss value of the second model = classification distillation loss + face classification loss + facial feature classification loss + facial feature relationship classification loss). This allows the classification result of the second model to approximate the classification result of the first model, maintaining the accuracy of the second model.
[0067] In one implementation, when training and generating the second model based on the first model, in addition to considering that the classification results of the second model should be consistent with the classification results of the first model, it can also be considered that the second model should be as consistent as possible with the first model in terms of facial features and the relationship between facial features.
[0068] In other words, the second facial features generated by the second model during the calculation process should be as consistent as possible with the first facial features generated by the first model during the calculation process; the relationship matrix of the second facial features generated by the second model during the calculation process should also be as consistent as possible with the relationship matrix of the first facial features generated by the first model during the calculation process.
[0069] Therefore, this consistency can also be evaluated using corresponding facial feature distillation loss and feature relationship distillation loss. Specifically, the process involves acquiring facial feature images contained in the training samples, obtaining the first facial feature and the first facial feature relationship matrix generated by the first model based on the facial feature images, obtaining the second facial feature and the second facial feature relationship matrix generated by the second model based on the facial feature images, determining the facial feature distillation loss generated by the first and second facial feature features, and determining the feature relationship distillation loss generated by the first and second facial feature relationship matrices, and fusing the facial feature distillation loss and the feature relationship distillation loss to train and obtain the second model.
[0070] In this approach, the training of the second model also relies on both the facial feature distillation loss and the feature relation distillation loss. Therefore, the total loss of the second model is calculated as: classification distillation loss + face classification loss + facial feature classification loss + facial feature relation classification loss + facial feature distillation loss + feature relation distillation loss. Figure 3 is a schematic diagram illustrating the training architecture of a second model provided in an embodiment of this specification. The second model trained in this way approximates the trained first model in its representation of facial features and the relationships between them, yielding a second model that accurately identifies adversarial attacks.
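The loss composition of [0034] to [0038] for the first model and the distillation losses of [0061] to [0070] for the second model, as an added Python example that is not the patent's code. It uses binary cross-entropy for the classification terms, mean squared error for the relation-matrix and feature-vector terms, and BCE against the teacher's soft probabilities for the classification distillation term; these concrete loss functions, the two-feature toy outputs and the dictionary layout are assumptions, since the patent names the terms but not the formulas.

```python
import math


def bce(p, y, eps=1e-7):
    """Binary cross-entropy of a predicted probability p against a target y in [0, 1].

    y is a hard label (0/1) for the supervised losses and the teacher's soft probability
    for the classification distillation term (assumed choice; the patent says 'difference').
    """
    p = min(max(p, eps), 1.0 - eps)
    return -(y * math.log(p) + (1.0 - y) * math.log(1.0 - p))


def _flatten(x):
    """Flatten a vector, a list of vectors or a matrix into one list of floats."""
    return [v for row in x for v in (row if isinstance(row, list) else [row])]


def mse(a, b):
    """Mean squared error between two equally shaped vectors / matrices."""
    fa, fb = _flatten(a), _flatten(b)
    if len(fa) != len(fb):
        raise ValueError("shape mismatch")
    return sum((x - y) ** 2 for x, y in zip(fa, fb)) / len(fa)


def first_model_loss(out, labels, include_face=True):
    """Supervised loss of the first (server-side) model, [0034]-[0038].

    facial-feature classification loss: sum of per-feature BCE ([0036]);
    feature-relation loss: difference between the relation matrix the model computed and the
    matrix given with the sample ([0037]), measured here as MSE;
    face classification loss: BCE on the whole-face head ([0035]), optional as in [0038].
    """
    l_feat = sum(bce(p, y) for p, y in zip(out["p_features"], labels["features"]))
    l_rel = mse(out["relation"], labels["relation"])
    l_face = bce(out["p_face"], labels["face"]) if include_face else 0.0
    return {"face": l_face, "features": l_feat, "relation": l_rel,
            "total": l_face + l_feat + l_rel}


def distillation_losses(teacher, student):
    """Distillation terms of [0061]-[0069]: the three heads, the facial-feature vectors and the
    relation matrix of the student must track those of the trained teacher."""
    l_cls = bce(student["p_face"], teacher["p_face"])
    l_cls += sum(bce(ps, pt) for ps, pt in zip(student["p_features"], teacher["p_features"]))
    l_cls += bce(student["p_relation"], teacher["p_relation"])
    l_feat = mse(student["features"], teacher["features"])
    l_rel = mse(student["relation"], teacher["relation"])
    return {"classification": l_cls, "features": l_feat, "relation": l_rel}


def second_model_loss(student, labels, teacher):
    """Total loss of the second (client-side) model, [0066]/[0070]:
    supervised losses + classification, feature and relation distillation losses."""
    base = first_model_loss(student, labels)
    dist = distillation_losses(teacher, student)
    total = base["total"] + dist["classification"] + dist["features"] + dist["relation"]
    return {"supervised": base, "distillation": dist, "total": total}


# Constructed toy sample: a normal face with two facial features and 2-dimensional feature
# vectors. `relation` in LABELS is the given relation matrix of [0037].
LABELS = {"face": 0.0, "features": [0.0, 0.0],
          "relation": [[1.0, 0.90], [0.90, 1.0]]}
TEACHER_OUT = {"p_face": 0.10, "p_features": [0.15, 0.10], "p_relation": 0.10,
               "features": [[0.90, 0.10], [0.85, 0.15]],
               "relation": [[1.0, 0.95], [0.95, 1.0]]}
GOOD_STUDENT = {"p_face": 0.12, "p_features": [0.20, 0.15], "p_relation": 0.15,
                "features": [[0.85, 0.15], [0.80, 0.20]],
                "relation": [[1.0, 0.92], [0.92, 1.0]]}
UNTRAINED_STUDENT = {"p_face": 0.5, "p_features": [0.5, 0.5], "p_relation": 0.5,
                     "features": [[0.0, 0.0], [0.0, 0.0]],
                     "relation": [[1.0, 0.0], [0.0, 1.0]]}

if __name__ == "__main__":
    for name, student in (("good", GOOD_STUDENT), ("untrained", UNTRAINED_STUDENT)):
        print(name, round(second_model_loss(student, LABELS, TEACHER_OUT)["total"], 4))
```

The student that tracks the teacher in all three places (heads, feature vectors, relation matrix) ends up with a far smaller total loss than an untrained one, which is the signal the distillation terms add on top of the plain supervised losses.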
[0071] Based on the same idea, one or more embodiments of this specification also provide apparatus and devices corresponding to the above methods, as shown in Figures 4 and 5.
[0072] In the second aspect, as shown in Figure 4, which is a schematic diagram of an adversarial attack detection device provided in an embodiment of this specification, the device includes:
[0073] The first model training module 401 trains and generates a first model, wherein the first model is trained based on facial features and the relationships between facial features.
[0074] The second model training module 403 trains a second model based on the first model, wherein the second model is a lightweight model with the same structure as the first model.
[0075] Deployment module 405 deploys the second model to the client side and the first model to the server side;
[0076] The attack detection module 407 receives the image to be identified and performs adversarial attack detection on the image to be identified by combining the second model and the first model.
[0077] Optionally, the first model training module 401 acquires the facial feature images contained in the training samples, encodes them to generate facial-feature vectors, generates facial feature classification results from those vectors, and determines the facial feature classification loss; generates a facial feature relationship matrix representing the interrelationships between the facial-feature vectors, generates a feature relationship classification result from that matrix, and determines the facial feature relationship classification loss; and trains the model by fusing the facial feature classification loss and the facial feature relationship classification loss to generate the first model.
[0078] Optionally, the first model training module 401 determines two facial feature vectors corresponding to any two facial features; uses the cosine similarity between the two facial feature vectors to characterize the relationship between the two facial features, and generates a facial feature relationship matrix.
[0079] Optionally, the first model training module 401 acquires face images contained in the training samples, determines the face classification result corresponding to the face image, and determines the face classification loss; it trains the model by fusing the face classification loss, the facial feature classification loss, and the classification loss of the facial feature relationship to generate the first model.
[0080] Optionally, the second model training module 403 determines the first classification result of the first model on the training samples, and determines the second classification result of the second model on the training samples; determines the classification distillation loss caused by the difference between the first classification result and the second classification result, and trains and generates the second model based on the classification distillation loss.
[0081] Optionally, the second model training module 403 acquires facial feature images contained in the training samples, acquires the first facial feature and the first facial feature relationship matrix generated by the first model based on the facial feature images; acquires the second facial feature and the second facial feature relationship matrix generated by the second model based on the facial feature images; determines the facial feature distillation loss generated by the first facial feature and the second facial feature, and determines the feature relationship distillation loss generated by the first facial feature relationship matrix and the second facial feature relationship matrix; and fuses the facial feature distillation loss and the feature relationship distillation loss to train and obtain the second model.
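As an added illustration of the relationship matrix of [0078] and the distillation losses of [0080] and [0081] (example code, not the patent's own implementation), the following computes the cosine-similarity relationship matrix from facial feature vectors and fuses the classification, feature and feature-relationship distillation losses between a first (teacher) and second (student) model. The loss form (mean squared error), the equal-weight fusion and the sample vectors are assumptions.

```python
import math

# Added illustration (not from the patent): the facial feature relationship
# matrix of [0078] and the distillation losses of [0080]/[0081].
# Loss forms (mean squared error, weighted-sum fusion) are assumptions.

def cosine_similarity(u, v):
    """Cosine similarity between two feature vectors; 0.0 if either is all-zero."""
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    if norm_u == 0.0 or norm_v == 0.0:
        return 0.0
    return dot / (norm_u * norm_v)

def relationship_matrix(feature_vectors):
    """Entry (i, j) characterises the relationship between facial feature i
    and facial feature j by the cosine similarity of their vectors ([0078])."""
    n = len(feature_vectors)
    return [[cosine_similarity(feature_vectors[i], feature_vectors[j])
             for j in range(n)] for i in range(n)]

def mse(a, b):
    """Mean squared error over two equally shaped lists or nested lists (flattened)."""
    flat_a = [x for row in a for x in (row if isinstance(row, list) else [row])]
    flat_b = [x for row in b for x in (row if isinstance(row, list) else [row])]
    return sum((x - y) ** 2 for x, y in zip(flat_a, flat_b)) / len(flat_a)

def classification_distillation_loss(first_result, second_result):
    """Loss from the difference between the first model's and the second
    model's classification results on the same sample ([0080])."""
    return mse(first_result, second_result)

def feature_distillation_loss(first_features, second_features):
    """Facial feature distillation loss between teacher and student features ([0081])."""
    return mse(first_features, second_features)

def relation_distillation_loss(first_matrix, second_matrix):
    """Feature relationship distillation loss between the two relationship matrices ([0081])."""
    return mse(first_matrix, second_matrix)

def fused_distillation_loss(first_features, second_features, first_result, second_result,
                            weights=(1.0, 1.0, 1.0)):
    """Fuse the three distillation losses ([0080]/[0081]); the weighted sum is an assumption."""
    w_cls, w_feat, w_rel = weights
    first_matrix = relationship_matrix(first_features)
    second_matrix = relationship_matrix(second_features)
    return (w_cls * classification_distillation_loss(first_result, second_result)
            + w_feat * feature_distillation_loss(first_features, second_features)
            + w_rel * relation_distillation_loss(first_matrix, second_matrix))

# Constructed sample: four facial-feature vectors (e.g. left eye, right eye, nose, mouth)
# as produced by the first model, and a slightly perturbed copy from the second model.
FIRST_FEATURES = [[1.0, 0.0, 0.0], [0.9, 0.1, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
SECOND_FEATURES = [[1.0, 0.0, 0.1], [0.9, 0.1, 0.0], [0.0, 1.0, 0.0], [0.0, 0.1, 1.0]]
FIRST_RESULT = [0.9, 0.1]   # constructed soft classification output (attack, benign)
SECOND_RESULT = [0.8, 0.2]

if __name__ == "__main__":
    for row in relationship_matrix(FIRST_FEATURES):
        print(" ".join(f"{v:5.2f}" for v in row))
    print("fused distillation loss:", round(fused_distillation_loss(
        FIRST_FEATURES, SECOND_FEATURES, FIRST_RESULT, SECOND_RESULT), 6))
```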
[0082] Optionally, the attack detection module 407 uses the second model to perform adversarial attack detection on the image to be identified and generates a second detection result; when the second detection result indicates a high risk, it sends the image to be identified to the server so that the server uses the first model to perform adversarial attack detection on the image to be identified and generates a first detection result; it receives the first detection result returned by the server and performs adversarial attack warning based on the first detection result.
[0083] Optionally, the attack detection module 407 extracts the face image and facial feature image contained in the image to be identified; uses the second model to determine the face classification result, facial feature classification result, and facial feature relationship classification result based on the face image and facial feature image, respectively; generates a face attack probability P1 based on the face classification result, generates a facial feature attack probability P2 based on the facial feature classification result, and generates a facial feature relationship attack probability P3 based on the facial feature relationship classification result; and fuses P1, P2, and P3 to generate a second detection result.
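As an added illustration of the client-side detection of [0083] and the client/server cascade of [0082] (example code, not the patent's own implementation), the following fuses P1, P2 and P3 into a second detection result on the client, escalates only high-risk images to the server-side first model, and issues the warning from the first detection result. The weighted-mean fusion, the high-risk threshold of 0.5, the stub models and the sample inputs are assumptions.

```python
# Added illustration (not from the patent): client-side detection ([0083]) and the
# client/server cascade ([0082]). Fusion rule, threshold and model stubs are assumptions.
from dataclasses import dataclass, field
from typing import Callable, List

@dataclass
class DetectionResult:
    probability: float   # fused attack probability
    high_risk: bool
    source: str          # "second_model" (client) or "first_model" (server)

def fuse_attack_probabilities(p1, p2, p3, weights=(1.0, 1.0, 1.0)):
    """Fuse face (P1), facial feature (P2) and facial feature relationship (P3)
    attack probabilities into one score ([0083]); the weighted mean is an assumption."""
    w1, w2, w3 = weights
    return (w1 * p1 + w2 * p2 + w3 * p3) / (w1 + w2 + w3)

def client_detect(image, second_model, high_risk_threshold=0.5):
    """Run the lightweight second model on the client and build the second detection result."""
    p1, p2, p3 = second_model(image)
    fused = fuse_attack_probabilities(p1, p2, p3)
    return DetectionResult(fused, fused >= high_risk_threshold, "second_model")

@dataclass
class CascadeDetector:
    second_model: Callable          # deployed on the client
    first_model: Callable           # stands in for the server-side call
    high_risk_threshold: float = 0.5
    server_calls: int = 0
    warnings: List[str] = field(default_factory=list)

    def detect(self, image):
        second = client_detect(image, self.second_model, self.high_risk_threshold)
        if not second.high_risk:
            return second                       # low risk: no round trip to the server
        self.server_calls += 1                  # high risk: send the image to the server
        p1, p2, p3 = self.first_model(image)    # server applies the first model
        fused = fuse_attack_probabilities(p1, p2, p3)
        first = DetectionResult(fused, fused >= self.high_risk_threshold, "first_model")
        if first.high_risk:                     # warning is based on the first detection result
            self.warnings.append(f"adversarial attack warning for {image['id']}")
        return first

# Constructed stub models: each returns (P1, P2, P3) stored on the sample.
def stub_second_model(image):
    return image["client_probs"]

def stub_first_model(image):
    return image["server_probs"]

# Constructed sample inputs (not real images): a benign face, a sticker attack that
# both models flag, and a client-side false alarm that the server clears.
SAMPLES = [
    {"id": "benign", "client_probs": (0.05, 0.10, 0.08), "server_probs": (0.02, 0.03, 0.02)},
    {"id": "sticker", "client_probs": (0.40, 0.85, 0.90), "server_probs": (0.55, 0.92, 0.95)},
    {"id": "false_alarm", "client_probs": (0.60, 0.55, 0.50), "server_probs": (0.10, 0.15, 0.12)},
]

def run_samples(samples=SAMPLES):
    """Run the cascade over the samples; returns the detector (with counters) and results by id."""
    detector = CascadeDetector(stub_second_model, stub_first_model)
    results = {s["id"]: detector.detect(s) for s in samples}
    return detector, results

if __name__ == "__main__":
    det, res = run_samples()
    for sid, r in res.items():
        print(f"{sid:12s} p={r.probability:.3f} high_risk={r.high_risk} source={r.source}")
    print("server calls:", det.server_calls, "warnings:", det.warnings)
```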
[0084] In a third aspect, as shown in Figure 5, which is a schematic structural diagram of an electronic device provided in an embodiment of this specification, the device includes:
[0085] At least one processor; and,
[0086] A memory communicatively connected to the at least one processor; wherein,
[0087] The memory stores instructions that can be executed by the at least one processor to enable the at least one processor to perform the method as described in the first aspect.
[0088] In a fourth aspect, based on the same idea, embodiments of this specification also provide a non-volatile computer storage medium corresponding to the above method, storing computer-executable instructions, which, when read by a computer from the storage medium, cause one or more processors to execute the method described in the first aspect.
[0089] In the 1990s, improvements to a technology could be clearly distinguished as either hardware improvements (e.g., improvements to the circuit structure of diodes, transistors, switches, etc.) or software improvements (improvements to the methodology). However, with technological advancements, many methodological improvements today can be considered direct improvements to the hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming the improved methodology into the hardware circuit. Therefore, it cannot be said that a methodological improvement cannot be implemented using hardware physical modules. For example, a Programmable Logic Device (PLD) (such as a Field Programmable Gate Array (FPGA)) is such an integrated circuit whose logic function is determined by the user programming the device. Designers can program and "integrate" a digital system onto a PLD themselves, without needing chip manufacturers to design and manufacture dedicated integrated circuit chips. Furthermore, nowadays, instead of manually manufacturing integrated circuit chips, this programming is mostly implemented using "logic compiler" software. Similar to the software compiler used in program development, the original code before compilation must also be written in a specific programming language, called a Hardware Description Language (HDL). There are many HDLs, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language). Currently, the most commonly used are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. 
Those skilled in the art should also understand that by simply performing some logic programming on the method flow using one of these hardware description languages and programming it into an integrated circuit, the hardware circuit implementing the logical method flow can be easily obtained.
[0090] The controller can be implemented in any suitable manner. For example, it can take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, application-specific integrated circuits (ASICs), programmable logic controllers, and embedded microcontrollers. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller can also be implemented as part of the control logic of the memory. Those skilled in the art will also recognize that, in addition to implementing the controller in purely computer-readable program code form, the same functionality can be achieved by logically programming the method steps to make the controller take the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, and embedded microcontrollers. Therefore, such a controller can be considered a hardware component, and the means included therein for implementing various functions can also be considered as structures within the hardware component. Alternatively, the means for implementing various functions can be considered as both software modules implementing the method and structures within the hardware component.
[0091] The systems, devices, modules, or units described in the above embodiments can be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer. Specifically, a computer can be, for example, a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or any combination of these devices.
[0092] For ease of description, the above devices are described in terms of function, divided into various units. Of course, in implementing this specification, the functions of each unit can be implemented in one or more software and / or hardware components.
[0093] Those skilled in the art will understand that the embodiments of this specification can be provided as methods, systems, or computer program products. Therefore, the embodiments of this specification can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the embodiments of this specification can take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0094] This specification is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this specification. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, produce means for implementing the functions specified in one or more processes of the flowchart and / or one or more blocks of the block diagram.
[0095] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which implement the functions specified in one or more processes of the flowchart and / or one or more blocks of the block diagram.
[0096] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, such that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and / or one or more blocks of the block diagram.
[0097] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.
[0098] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.
[0099] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transitory computer-readable media, such as modulated data signals and carrier waves.
[0100] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0101] This specification can be described in the general context of computer-executable instructions that are executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform a specific task or implement a specific abstract data type. This specification can also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.
[0102] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to mutually. Each embodiment focuses on describing the differences from other embodiments. In particular, the embodiments of apparatus, devices, and non-volatile computer storage media are basically similar to the method embodiments, so the descriptions are relatively simple; relevant parts can be referred to the descriptions of the method embodiments.
[0103] The foregoing has described specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in a different order than that shown in the embodiments and may still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require the specific or sequential order shown to achieve the desired result. In some embodiments, multitasking and parallel processing are possible or may be advantageous.
[0104] The above description is merely one or more embodiments of this specification and is not intended to limit this specification. Various modifications and variations can be made to the one or more embodiments of this specification by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principle of one or more embodiments of this specification should be included within the scope of the claims of this specification.
Claims
1. A method for detecting adversarial attacks, comprising: The first model is trained and generated, wherein the first model is trained based on facial features and the relationships between facial features, including: training the model by fusing facial feature classification loss and facial feature relationship classification loss; A second model is generated based on the first model, wherein the second model is a lightweight model with the same structure as the first model; The second model is deployed on the client side, and the first model is deployed on the server side; Receive the image to be identified, and combine the second model and the first model to perform adversarial attack detection on the image to be identified.
2. The method as described in claim 1, wherein, The first model is trained based on facial features and the relationships between them, including: Acquire the facial feature images contained in the training samples, encode the facial feature images to generate facial feature features; based on the facial feature features, generate a facial feature classification result and determine the facial feature classification loss; Based on the facial feature features, generate a facial feature relationship matrix representing the interrelationships between the facial features; based on the facial feature relationship matrix, generate a feature relationship classification result and determine the classification loss of the facial feature relationship; The model is trained by fusing the classification loss of the facial features and the classification loss of the relationship between the facial features to generate the first model.
3. The method as described in claim 2, wherein, Based on the aforementioned facial feature features, a facial feature relationship matrix is generated, representing the interrelationships between the facial features, including: Determine the two facial feature vectors corresponding to any two facial features; The cosine similarity between the two facial feature vectors is used to characterize the relationship between the two facial features, and a facial feature relationship matrix is generated.
4. The method of claim 2, wherein, The model is trained by fusing the classification loss of the facial features and the classification loss of the relationship between the facial features to generate a first model, including: Obtain the face images contained in the training samples, determine the face classification result corresponding to the face images, and determine the face classification loss; The model is trained by fusing the face classification loss, the facial feature classification loss, and the classification loss of the relationship between facial features to generate the first model.
5. The method of claim 1, wherein, A second model is generated based on the first model, including: Determine the first classification result of the first model on the training samples, and determine the second classification result of the second model on the training samples; The classification distillation loss resulting from the difference between the first classification result and the second classification result is determined, and a second model is trained and generated based on the classification distillation loss.
6. The method of claim 5, wherein, A second model is generated based on the first model, including: Obtain facial feature images contained in the training samples, and obtain the first facial feature and the first facial feature relationship matrix generated by the first model based on the facial feature images; Obtain the second facial feature and the second facial feature relationship matrix generated by the second model based on the facial feature images; Determine the facial feature distillation loss generated by the first facial feature and the second facial feature, and determine the feature relationship distillation loss generated by the first facial feature relationship matrix and the second facial feature relationship matrix; The second model is obtained by training by fusing the facial feature distillation loss and the feature relationship distillation loss.
7. The method of claim 1, wherein, The adversarial attack detection of the image to be identified is performed by combining the second model and the first model, including: The second model is used to perform adversarial attack detection on the image to be identified, and a second detection result is generated; When the second detection result indicates a high risk, the image to be identified is sent to the server so that the server can use the first model to perform adversarial attack detection on the image to be identified and generate a first detection result; Receive the first detection result returned by the server, and issue an adversarial attack warning based on the first detection result.
8. The method of claim 7, wherein, The second model is used to perform adversarial attack detection on the image to be identified, generating a second detection result, including: Extract the face image and facial features image contained in the image to be identified; The second model is used to determine the face classification result, the facial feature classification result, and the facial feature relationship classification result based on the face image and the facial feature image, respectively. Based on the face classification result, a face attack probability P1 is generated; based on the facial feature classification result, a facial feature attack probability P2 is generated; based on the facial feature relationship classification result, a facial feature relationship attack probability P3 is generated. The second detection result is generated by fusing P1, P2 and P3.
9. An adversarial attack detection device, comprising: The first model training module trains and generates a first model, wherein the first model is trained based on facial features and the relationships between facial features, including: training the model by fusing facial feature classification loss and facial feature relationship classification loss; The second model training module generates a second model based on the first model, wherein the second model is a lightweight model with the same structure as the first model; The deployment module deploys the second model to the client side and the first model to the server side; The attack detection module receives the image to be identified and performs adversarial attack detection on the image to be identified by combining the second model and the first model.
10. An electronic device, comprising: At least one processor; and, A memory communicatively connected to the at least one processor; wherein, The memory stores instructions that can be executed by the at least one processor, such that the at least one processor can perform the method as described in any one of claims 1 to 8.