A highly covert method of adversarial attack

By introducing global low-frequency constraints and frequency domain transformations into the feature space, highly covert adversarial examples are generated, solving the problems of insufficient covertness and low generalization in existing technologies and improving the success rate of adversarial example attacks.

CN118865012B | Active | Publication Date: 2026-06-19 | UNIV OF ELECTRONICS SCI & TECH OF CHINA

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: UNIV OF ELECTRONICS SCI & TECH OF CHINA
Filing Date: 2024-06-21
Publication Date: 2026-06-19

AI Technical Summary

Technical Problem

Existing technologies lack sufficient concealment and have low generalization when generating adversarial examples, making them particularly difficult to apply in black-box scenarios and susceptible to image compression and filtering techniques.

Method used

By introducing global low-frequency constraints in the feature space, and utilizing frequency domain transformation and gradient optimization methods, highly concealed adversarial examples are generated, including discrete cosine transform, fast Fourier transform, and Gaussian kernel filtering. Combined with gradient averaging optimization, the perturbations are limited to the high-frequency range, thereby improving concealment and generalization.

Benefits of technology

It effectively reduces the noise ripple of adversarial examples, improves the randomness and diversity of inputs to classification models, and increases the success rate of adversarial examples on different models.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention discloses a highly covert adversarial attack method, comprising the following steps: acquiring T+1 input sample images x_r (r = 1, 2, 3, ..., T+1), where the input sample images x_r include the initial sample image x; optimizing the initial sample image x using a first perturbation gradient to obtain the intermediate adversarial sample x_d1; and optimizing the intermediate adversarial sample x_d1 using the second perturbation gradient to obtain the intermediate adversarial sample x_d2. The first perturbation gradient is calculated from the feature similarity of the input sample images x_r in the feature space; the second perturbation gradient is obtained by introducing a global low-frequency constraint into the first perturbation gradient, and the global low-frequency constraint is the global low-frequency constraint between the intermediate adversarial sample x_d1 and the initial sample image x. x_d denotes an intermediate adversarial sample, x_d1 the first intermediate adversarial sample, x_d2 the second intermediate adversarial sample, and so on. It addresses the issues of insufficient generalization and significant perturbation in adversarial examples.

Description

Technical Field

[0001] This invention belongs to the field of computer vision processing technology, and specifically relates to a highly covert adversarial attack method.

Background Technology

[0002] With the development of deep learning technology, computer vision has been widely applied in image recognition, object detection, and scene understanding. Deep learning models, especially convolutional neural networks, have become the main technical means to achieve these tasks. Although deep learning models have good performance on many tasks, they are exceptionally vulnerable to adversarial attacks. Adversarial examples, through carefully designed perturbations, can mislead deep learning models into making incorrect judgments. These examples are visually almost indistinguishable from the original examples and are difficult to detect. Their existence poses a potential threat to the security applications of deep learning models (such as facial recognition for payments and autonomous driving).

[0003] Current research on the robustness of neural networks is divided into two aspects: attack and defense. Research on adversarial attacks can reveal potential weaknesses in neural networks, improve model robustness, and promote the joint development of offensive and defensive techniques. Current attack methods are mainly divided into white-box attacks and black-box attacks. In white-box attack scenarios, attackers have knowledge of the target model and can directly create adversarial examples on it. In black-box scenarios, attackers can only generate adversarial examples based on query results. In practical applications, black-box scenarios are more valuable.

[0004] Most current adversarial example generation methods focus on the spatial domain, generating adversarial perturbations by directly modifying pixel values in an image. While this method can effectively mislead deep learning models, the generated adversarial examples often exhibit noticeable noise patterns, resulting in poor concealment and easy detection. Furthermore, spatial domain methods are susceptible to image compression and filtering techniques, reducing the effectiveness of the attack. To address this issue, existing techniques perform attacks in the feature space; however, it is difficult to determine the definite direction of the perturbation in the feature space, and the methods suffer from low generalization, making them unsuitable for black-box scenarios. Improving both the concealment and generalization capabilities of adversarial examples remains a worthwhile area of research.

Summary of the Invention

[0005] To address the aforementioned problems, this invention provides a highly covert adversarial attack method that solves the issues of insufficient generalization of adversarial samples and significant perturbations.

[0006] The technical solution adopted in this invention is as follows:

[0007] In the first aspect, this application discloses a highly covert adversarial attack method, comprising the following steps:

[0008] Get Input sample images The input sample image Includes initial sample images ;

[0009] The initial sample image is optimized using the first perturbation gradient. Obtain intermediate adversarial samples ;

[0010] The intermediate adversarial sample is optimized using the second perturbation gradient. Obtain intermediate adversarial samples ,

[0011] Wherein, the first perturbation gradient is based on the input sample image. The feature similarity is calculated in the feature space; the second perturbation gradient is obtained by introducing a global low-frequency constraint into the first perturbation gradient, and the global low-frequency constraint is the intermediate adversarial sample. Compared with the initial sample image Global low-frequency constraints; This represents an intermediate adversarial example. This represents the first intermediate adversarial sample. This indicates the second intermediate adversarial sample... and so on.

[0012] As an optional technical solution, the input sample image The acquisition includes: initial sample images Perform frequency domain transformation to obtain One copy of the image From the initial sample image With copy image The input sample image constitutes .

[0013] As an optional technical solution, the frequency domain transformation includes:

[0014] Use DCT transform to transform the initial sample image The formula for calculating the transformation from the spatial domain to the frequency domain is:

[0015]

[0016] The DCT transform is the discrete cosine transform. It is an orthogonal matrix. Equivalent to the identity matrix ;

[0017] Different spectrograms are generated through random spectral transformation to replace different attack models. Then, the inverse discrete cosine transform (IDCT) is used to transform the spectrograms back to the spatial domain. The calculation formula is as follows:

[0018]

[0019] where the operator is the Hadamard product, one variable is a random variable sampled from a Gaussian distribution, and the other is a random variable sampled from a uniform distribution.

[0020] As an optional technical solution, the calculation of the first perturbation gradient includes:

[0021] From the input sample image Select a sample ,Right now Input into the classification model In the process, the feature vector is obtained. ;

[0022] Calculate the selected sample Other samples The feature similarity between them is measured using the cosine similarity function, where... The specific calculation formula is as follows:

[0023]

[0024] The sample with the highest feature similarity is selected as the reference for the perturbation update direction. The formula for calculating the first perturbation gradient is:

[0025]

[0026] in To optimize the variables, their initial values are... , and It is its feature similarity score.

[0027] As an optional technical solution, the calculation of the second perturbation gradient includes:

[0028] The frequency values of all pixel information are obtained using Fast Fourier Transform, providing a global preview of the image's frequency distribution. Then, intermediate adversarial examples are constructed based on this frequency information. Compared with the initial sample image The low-frequency reconstruction loss, expressed by the Fast Fourier Transform, is:

[0029]

[0030] This formula can transform the image Mapping from pixel space to Fourier spectrum space, where... ;

[0031] Next, Fourier's calculation result is transformed from the complex field to the real field. The calculation formula is as follows:

[0032]

[0033] in, This is a term added for numerical stability. They are respectively The real and imaginary parts;

[0034] The Gaussian kernel is used to filter the image and preserve its local low-frequency features. The calculation is performed using a low-frequency mask. The formula for the Gaussian kernel is:

[0035]

[0036] in Indicates spatial location within the image. Represent the variance of the Gaussian function; utilize the Gaussian kernel in the image The convolution is performed on the top layer, and the calculation formula is:

[0037]

[0038] in for Gaussian kernel index, ;

[0039] Combining the low-frequency constraints of Fourier and Gaussian kernels yields intermediate adversarial examples. Compared with the initial sample image Global low-frequency constraints:

[0040]

[0041] By incorporating this global low-frequency constraint into the first perturbation gradient, the generation range of the perturbation is further narrowed, resulting in the second perturbation gradient:

[0042] .

[0043] in, This indicates the feature similarity between the selected sample and the target sample.

[0044] As an optional technical solution, the highly covert adversarial attack method further includes using the global low-frequency constraints between the copy images and the corresponding intermediate adversarial samples to narrow the range of perturbation gradient generation, including the following process:

[0045] Calculate the copy image Adversarial samples The global low-frequency constraint between the two is determined and incorporated into the second perturbation gradient to obtain the third perturbation gradient. The third perturbation gradient is then used to optimize the intermediate adversarial samples. Obtain intermediate adversarial samples ;

[0046] Calculate the copy image Adversarial samples The global low-frequency constraint between the two is determined and incorporated into the third perturbation gradient to obtain the fourth perturbation gradient. The fourth perturbation gradient is then used to optimize the intermediate adversarial samples. Obtain intermediate adversarial samples ;

[0047] ...;

[0048] And so on;

[0049] Calculate the copy image Adversarial samples Global low-frequency constraints between them, and introduce these global low-frequency constraints into the first In the perturbation gradient, the first... Perturb the gradient, using the first Perturbation gradient optimization of intermediate adversarial examples Obtain intermediate adversarial samples ;

[0050] Finally, the average of the perturbation gradients corresponding to all replica images is calculated, i.e., the second perturbation gradient, the third perturbation gradient, ..., the ... The average value of the perturbation gradient is added to the initial sample image. In the process, the final adversarial sample is obtained.

[0051] In a second aspect, this application also discloses a highly covert adversarial attack device, comprising:

[0052] The acquisition module is used to acquire... Input sample images The input sample image Includes initial sample images ;

[0053] The first perturbation gradient module is used to optimize the initial sample image using the first perturbation gradient. Obtain intermediate adversarial samples ;

[0054] The second perturbation gradient module is used to optimize the intermediate adversarial samples using the second perturbation gradient. Obtain intermediate adversarial samples ,

[0055] Wherein, the first perturbation gradient is based on the input sample image. The feature similarity is calculated in the feature space; the second perturbation gradient is obtained by introducing a global low-frequency constraint into the first perturbation gradient, and the global low-frequency constraint is the intermediate adversarial sample. Compared with the initial sample image Global low-frequency constraints; This represents an intermediate adversarial example. This represents the first intermediate adversarial sample. This indicates the second intermediate adversarial sample... and so on.

[0056] As an optional technical solution, the acquisition module is further configured to: process the initial sample image. Perform frequency domain transformation to obtain One copy of the image From the initial sample image With copy image The input sample image constitutes ;

[0057] The acquisition module is also used for:

[0058] Use DCT transform to transform the initial sample image The formula for calculating the transformation from the spatial domain to the frequency domain is:

[0059]

[0060] The DCT transform is the discrete cosine transform. It is an orthogonal matrix. Equivalent to the identity matrix ;

[0061] Different spectrograms are generated through random spectral transformation to replace different attack models. Then, the inverse discrete cosine transform (IDCT) is used to transform the spectrograms back to the spatial domain. The calculation formula is as follows:

[0062]

[0063] where the operator is the Hadamard product, one variable is a random variable sampled from a Gaussian distribution, and the other is a random variable sampled from a uniform distribution.

[0064] As an optional technical solution, the first perturbation gradient module is also used for:

[0065] From the input sample image Select a sample ,Right now Input into the classification model In the process, the feature vector is obtained. ;

[0066] Calculate the selected sample Other samples The feature similarity between them is measured using the cosine similarity function, where... The specific calculation formula is as follows:

[0067]

[0068] The sample with the highest feature similarity is selected as the reference for the perturbation update direction. The formula for calculating the first perturbation gradient is:

[0069]

[0070] in To optimize the variables, their initial values are... , and It is its feature similarity score.

[0071] As an optional technical solution, the second perturbation gradient module is also used for:

[0072] The frequency values of all pixel information are obtained using Fast Fourier Transform, providing a global preview of the image's frequency distribution. Then, intermediate adversarial examples are constructed based on this frequency information. Compared with the initial sample image The low-frequency reconstruction loss, expressed by the Fast Fourier Transform, is:

[0073]

[0074] This formula can transform the image Mapping from pixel space to Fourier spectrum space, where... ;

[0075] Next, Fourier's calculation result is transformed from the complex field to the real field. The calculation formula is as follows:

[0076]

[0077] in, This is a term added for numerical stability. They are respectively The real and imaginary parts;

[0078] The Gaussian kernel is used to filter the image and preserve its local low-frequency features. The calculation is performed using a low-frequency mask. The formula for the Gaussian kernel is:

[0079]

[0080] in Indicates spatial location within the image. Represent the variance of the Gaussian function; utilize the Gaussian kernel in the image The convolution is performed on the top layer, and the calculation formula is:

[0081]

[0082] in for Gaussian kernel index, ;

[0083] Combining the low-frequency constraints of Fourier and Gaussian kernels yields intermediate adversarial examples. Compared with the initial sample image Global low-frequency constraints:

[0084]

[0085] By incorporating this global low-frequency constraint into the first perturbation gradient, the generation range of the perturbation is further narrowed, resulting in the second perturbation gradient:

[0086] .

[0087] in, This indicates the feature similarity between the selected sample and the target sample.

[0088] As an optional technical solution, the device further includes a copy reduction gradient module, which uses the global low-frequency constraint between the copy image and the corresponding intermediate adversarial sample to narrow the range of perturbation gradient generation, and is also used for:

[0089] Calculate the copy image Adversarial samples The global low-frequency constraint between the two is determined and incorporated into the second perturbation gradient to obtain the third perturbation gradient. The third perturbation gradient is then used to optimize the intermediate adversarial samples. Obtain intermediate adversarial samples ;

[0090] Calculate the copy image Adversarial samples The global low-frequency constraint between the two is determined and incorporated into the third perturbation gradient to obtain the fourth perturbation gradient. The fourth perturbation gradient is then used to optimize the intermediate adversarial samples. Obtain intermediate adversarial samples ;

[0091] ...;

[0092] And so on;

[0093] Calculate the copy image Adversarial samples Global low-frequency constraints between them, and introduce these global low-frequency constraints into the first In the perturbation gradient, the first... Perturb the gradient, using the first Perturbation gradient optimization of intermediate adversarial examples Obtain intermediate adversarial samples ;

[0094] Finally, the average of the perturbation gradients corresponding to all replica images is calculated, i.e., the second perturbation gradient, the third perturbation gradient, ..., the ... The average value of the perturbation gradient is added to the initial sample image. In the process, the final adversarial sample is obtained.

[0095] The beneficial effects of this invention are as follows:

[0096] 1. This invention introduces global frequency domain constraints in the feature space to further limit the perturbation of adversarial examples to the high-frequency range of the image, making the perturbation difficult to be detected by the human eye and reducing the problem of obvious noise ripples generated by traditional sample generation methods.

[0097] 2. This invention introduces frequency domain transformation to process the input image, improving the randomness and diversity of the classification model's input. Furthermore, averaging the gradient further refines the perturbation, preserving its generalization ability and improving its success rate in attacking different models.

Attached Figure Description

[0098] Figure 1 is a flowchart illustrating a highly covert adversarial attack method in an exemplary embodiment.

[0099] Figure 2 is a schematic diagram of the data processing process of a highly covert adversarial attack method in an exemplary embodiment.

[0100] Figure 3 is a schematic diagram of a highly covert adversarial attack device in an exemplary embodiment.

Detailed Implementation

[0101] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. The components of the embodiments of the present invention described and shown in the accompanying drawings can generally be arranged and designed in various different configurations. Therefore, the following detailed description of the embodiments of the present invention provided in the accompanying drawings is not intended to limit the scope of the claimed invention, but merely to illustrate selected embodiments of the invention. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without inventive effort are within the scope of protection of the present invention.

[0102] The present invention will be further described below with reference to the accompanying drawings and specific embodiments.

[0103] Example

[0104] As shown in Figure 1 and Figure 2, this embodiment discloses a highly covert adversarial attack method, including the following steps:

[0105] Get Input sample images The input sample image Includes initial sample images ;

[0106] The initial sample image is optimized using the first perturbation gradient. Obtain intermediate adversarial samples ;

[0107] The intermediate adversarial sample is optimized using the second perturbation gradient. Obtain intermediate adversarial samples ,

[0108] Wherein, the first perturbation gradient is based on the input sample image. The feature similarity is calculated in the feature space; the second perturbation gradient is obtained by introducing a global low-frequency constraint into the first perturbation gradient, and the global low-frequency constraint is the intermediate adversarial sample. Compared with the initial sample image Global low-frequency constraints; This represents an intermediate adversarial example. This represents the first intermediate adversarial sample. This represents the second intermediate adversarial sample… and so on. In Figure 2, gradient formula 1 is the first perturbation gradient, and gradient formula 2 is the second perturbation gradient.

[0109] As an optional implementation, the input sample image The acquisition includes: initial sample images Perform frequency domain transformation to obtain One copy of the image From the initial sample image With copy image The input sample image constitutes .

[0110] As an optional implementation, the frequency domain transformation includes:

[0111] Use DCT transform to transform the initial sample image The formula for calculating the transformation from the spatial domain to the frequency domain is:

[0112]

[0113] The DCT transform is the discrete cosine transform. It is an orthogonal matrix. Equivalent to the identity matrix ;

[0114] Different spectrograms are generated through random spectral transformation to replace different attack models. Then, the inverse discrete cosine transform (IDCT) is used to transform the spectrograms back to the spatial domain. The calculation formula is as follows:

[0115]

[0116] where the operator is the Hadamard product, one variable is a random variable sampled from a Gaussian distribution, and the other is a random variable sampled from a uniform distribution.

[0117] As an optional implementation, the calculation of the first perturbation gradient includes:

[0118] From the input sample image Select a sample ,Right now Input into the classification model In the process, the feature vector is obtained. ;

[0119] Calculate the selected sample Other samples The feature similarity between them is measured using the cosine similarity function, where... The specific calculation formula is as follows:

[0120]

[0121] The sample with the highest feature similarity is selected as the reference for the perturbation update direction. The formula for calculating the first perturbation gradient is:

[0122]

[0123] in To optimize the variables, their initial values are... , and It is its feature similarity score.

[0124] As an optional implementation, the calculation of the second perturbation gradient includes:

[0125] The frequency values of all pixel information are obtained using Fast Fourier Transform, providing a global preview of the image's frequency distribution. Then, intermediate adversarial examples are constructed based on this frequency information. Compared with the initial sample image The low-frequency reconstruction loss, expressed by the Fast Fourier Transform, is:

[0126]

[0127] This formula can transform the image Mapping from pixel space to Fourier spectrum space, where... ;

[0128] Next, Fourier's calculation result is transformed from the complex field to the real field. The calculation formula is as follows:

[0129]

[0130] in, This is a term added for numerical stability. They are respectively The real and imaginary parts;

[0131] The Gaussian kernel is used to filter the image and preserve its local low-frequency features. The calculation is performed using a low-frequency mask. The formula for the Gaussian kernel is:

[0132]

[0133] in Indicates spatial location within the image. Represent the variance of the Gaussian function; utilize the Gaussian kernel in the image The convolution is performed on the top layer, and the calculation formula is:

[0134]

[0135] in for Gaussian kernel index, ;

[0136] Combining the low-frequency constraints of Fourier and Gaussian kernels yields intermediate adversarial examples. Compared with the initial sample image Global low-frequency constraints:

[0137]

[0138] By incorporating this global low-frequency constraint into the first perturbation gradient, the generation range of the perturbation is further narrowed, resulting in the second perturbation gradient:

[0139] .

[0140] in, This indicates the feature similarity between the selected sample and the target sample.

[0141] As an optional implementation, the highly covert adversarial attack method further includes using the global low-frequency constraints between the copy images and the corresponding intermediate adversarial samples to narrow the range of perturbation gradient generation. As shown in Figure 2, the process includes the following:

[0142] Calculate the copy image Adversarial samples The global low-frequency constraint between the two is determined and incorporated into the second perturbation gradient to obtain the third perturbation gradient. The third perturbation gradient is then used to optimize the intermediate adversarial samples. Obtain intermediate adversarial samples ;

[0143] Calculate the copy image Adversarial samples The global low-frequency constraint between the two is determined and incorporated into the third perturbation gradient to obtain the fourth perturbation gradient. The fourth perturbation gradient is then used to optimize the intermediate adversarial samples. Obtain intermediate adversarial samples ;

[0144] ...;

[0145] And so on;

[0146] Calculate the copy image Adversarial samples Global low-frequency constraints between them, and introduce these global low-frequency constraints into the first In the perturbation gradient, the first... Perturb the gradient, using the first Perturbation gradient optimization of intermediate adversarial examples Obtain intermediate adversarial samples ;

[0147] Finally, the average of the perturbation gradients corresponding to all replica images is calculated, i.e., the second perturbation gradient, the third perturbation gradient, ..., the ... The average value of the perturbation gradient is added to the initial sample image. In this process, the final adversarial sample is obtained. In Figure 2, gradient formula 3 is the third perturbation gradient, gradient formula 4 is the fourth perturbation gradient, and so on.

[0148] It should be noted that the third, fourth, ..., and The calculation process of the perturbation gradient involves introducing the global low-frequency constraints of the copy image and the corresponding intermediate adversarial sample into the previous perturbation gradient. This is an iterative process, and the calculation process of the second perturbation gradient can be referred to, so it will not be repeated here.

[0149] This embodiment proposes a highly covert adversarial attack method based on frequency domain transformation, which solves the problems of low covertness and low generalization of adversarial samples generated in existing adversarial sample generation schemes for black-box environments. The core technology lies in: using Fast Fourier Transform and Gaussian kernel to obtain the low-frequency difference between the original sample and the adversarial sample, introducing low-frequency constraints into the feature space attack, optimizing the generation range of perturbations, and improving the covertness of the adversarial samples. Discrete Cosine Transform / Inverse Discrete Cosine Transform is used to introduce frequency domain changes in the image, increasing the randomness and diversity of the input image, replacing different attack models. Gradient averaging optimization is combined to reduce the negative impact of subsamples, ultimately obtaining optimized generalized perturbations that are added to the original image.

[0150] To facilitate understanding, the method of this embodiment will be further explained below.

[0151] The overall design concept of the method in this embodiment is as follows: input an initial sample image. Then, a random frequency domain transformation of the image is performed using discrete cosine transform to obtain different duplicate images of the original image. These duplicate images are input into an image classification model to obtain feature vectors. The feature similarity values between the attack image and other samples can be calculated. During the process of reducing the feature similarity values, image perturbation is obtained. The resulting adversarial samples and the initial sample image are then passed through Fourier and Gaussian kernel filtering to obtain low-frequency constraints. These constraints are added to the perturbation update process to further optimize the range of the perturbation, limiting it to high-frequency components that are imperceptible to the human eye. Different copies generate different perturbation amounts. The perturbations generated from the same input sample are averaged and optimized to obtain the final perturbation, which is then added to the original image to obtain the final adversarial example.

[0152] The specific process can be divided into the following steps:

[0153] S1: Input the initial sample image For sample images A series of random frequency domain transformations are performed to obtain diverse input sample images.

[0154] Assume the original image is a sample image of length a and width b. First, random variables are sampled from a Gaussian distribution. The noise is then added to the original image at the same size to obtain a noisy image. Perform DCT transform on the noisy image to obtain the frequency domain of the noisy image. Random variables sampled from a uniform distribution Random transformation of the frequency domain of noisy images The perturbed frequency domain image is then converted to the spatial domain using an inverse transform. .

[0155] S2: The obtained series of samples are processed by a classification model to obtain feature space vectors, and the perturbation gradient is calculated based on feature similarity.

[0156] A series of diverse input samples can be obtained through S1, from which samples can be selected. The classification model is Different classification models can be set depending on the dataset. In this example, ResNet-20 is selected as the classification model, and the input samples are selected. The feature vector can then be obtained. By selecting other different types of samples to calculate feature vectors, we can obtain... The cosine similarity function is used to measure the similarity between two feature vectors:

[0157]

[0158] After calculating the feature similarity values of the original image and other types of images, the sample with the highest feature similarity is selected as the reference sample for perturbation optimization, which is used to determine the direction of perturbation generation and development.

[0159] After obtaining the reference sample, the original sample is made closer to the reference sample in the feature space by continuously adding perturbations. The optimization formula is as follows:

[0160]

[0161] in To optimize the variables, their initial values are... , and It is its feature similarity score.

[0162] This optimization can reduce the discrepancy in the feature space of an image, altering its informational features and achieving the purpose of the attack.

[0163] S3: Calculate the global low-frequency difference between the adversarial sample obtained through feature space optimization and the original image, add global low-frequency constraints, and further narrow the range of added perturbation.

[0164] For the original image and adversarial examples Its low-frequency reconstruction loss in Fourier space is: ,in Let be the real part of the Fourier transform space. The low-frequency reconstruction loss obtained using Gaussian kernel filtering is: ,in It is obtained by convolving the original image with a Gaussian kernel. Here, the Fourier transform represents the global low-frequency information difference of the image, and the Gaussian kernel represents the local low-frequency information difference of the image.

[0165] After obtaining the global and local low-frequency information differences between the adversarial sample and the original image, these differences are introduced into the optimization formula in S2. This further optimizes the range of perturbation addition, limiting it to a high-frequency range that is difficult to detect visually. The optimization formula is then:

[0166]

[0167] Introducing global frequency domain constraints can optimize the direction of the perturbation gradient, maintain the visual similarity of the image, and further enhance its concealment.

[0168] S4: The samples that have undergone different frequency domain changes will generate perturbations through optimization formulas. This series of gradient information needs to be optimized to obtain the final perturbation, which is then added to the original image.

[0169] The original input image is After a series of spectral transformations, a copy of the image is obtained. Calculate the difference in low frequencies between the copy and the adversarial sample (the original image is the initial adversarial sample). ,in, Indicates the first The first sample The result image of the iteration. Indicates the first The first sample The resulting image from the next iteration undergoes spectral transformation.

[0170] After obtaining the low-frequency difference, an optimization formula is introduced, and the update process of the adversarial example can then be described as follows:

[0171]

[0172] in To incorporate the feature space optimization formula with global low-frequency constraints, each input image copy can be used to obtain a perturbed gradient. To eliminate the adverse effects of random transformations, the different gradients are averaged.

[0173]

[0174] in, Indicates the first The perturbation gradient obtained from each sample.

[0175] The average gradients obtained are added to the original image to obtain the final adversarial sample. This process is repeated until the adversarial sample causes the classification network to misclassify.

[0176] As shown in Figure 3, in another embodiment, a highly covert anti-attack device is also disclosed, comprising:

[0177] The acquisition module is used to acquire... Input sample images The input sample image Includes initial sample images ;

[0178] The first perturbation gradient module is used to optimize the initial sample image using the first perturbation gradient. Obtain intermediate adversarial samples ;

[0179] The second perturbation gradient module is used to optimize the intermediate adversarial samples using the second perturbation gradient. Obtain intermediate adversarial samples ,

[0180] Wherein, the first perturbation gradient is based on the input sample image. The feature similarity is calculated in the feature space; the second perturbation gradient is obtained by introducing a global low-frequency constraint into the first perturbation gradient, and the global low-frequency constraint is the intermediate adversarial sample. Compared with the initial sample image Global low-frequency constraints; This represents an intermediate adversarial example. This represents the first intermediate adversarial sample. This indicates the second intermediate adversarial sample... and so on.

[0181] As an optional implementation, the acquisition module is further configured to: process the initial sample image. Perform frequency domain transformation to obtain One copy of the image From the initial sample image With copy image The input sample image constitutes ;

[0182] The acquisition module is also used for:

[0183] Use DCT transform to transform the initial sample image The formula for calculating the transformation from the spatial domain to the frequency domain is:

[0184]

[0185] The DCT transform is the discrete cosine transform. It is an orthogonal matrix. Equivalent to the identity matrix ;

[0186] Different spectrograms are generated through random spectral transformation to replace different attack models. Then, the inverse discrete cosine transform (IDCT) is used to transform the spectrograms back to the spatial domain. The calculation formula is as follows:

[0187]

[0188] in For the Hadamard product, It is a random variable sampled from a Gaussian distribution. It is a random variable sampled from a uniform distribution.

[0189] As an optional implementation, the first perturbation gradient module is further used for:

[0190] From the input sample image Select a sample ,Right now Input into the classification model In the process, the feature vector is obtained. ;

[0191] Calculate the selected sample Other samples The feature similarity between them is measured using the cosine similarity function, where... The specific calculation formula is as follows:

[0192]

[0193] The sample with the highest feature similarity is selected as the reference for the perturbation update direction. The formula for calculating the first perturbation gradient is:

[0194]

[0195] in To optimize the variables, their initial values are... , and It is its feature similarity score.

[0196] As an optional implementation, the second perturbation gradient module is further used for:

[0197] The frequency values of all pixel information are obtained using Fast Fourier Transform, providing a global preview of the image's frequency distribution. Then, intermediate adversarial examples are constructed based on this frequency information. Compared with the initial sample image The low-frequency reconstruction loss, expressed by the Fast Fourier Transform, is:

[0198]

[0199] This formula can transform the image Mapping from pixel space to Fourier spectrum space, where... ;

[0200] Next, the result of the Fourier transform is converted from the complex domain to the real domain. The calculation formula is as follows:

[0201]

[0202] in, This is a term added for numerical stability. They are respectively The real and imaginary parts;

[0203] The Gaussian kernel is used to filter the image and preserve its local low-frequency features. The calculation is performed using a low-frequency mask. The formula for the Gaussian kernel is:

[0204]

[0205] in Indicates spatial location within the image. Represent the variance of the Gaussian function; utilize the Gaussian kernel in the image The convolution is performed on the top layer, and the calculation formula is:

[0206]

[0207] in for Gaussian kernel index, ;

[0208] Combining the low-frequency constraints of Fourier and Gaussian kernels yields intermediate adversarial examples. Compared with the initial sample image Global low-frequency constraints:

[0209]

[0210] By incorporating this global low-frequency constraint into the first perturbation gradient, the generation range of the perturbation is further narrowed, resulting in the second perturbation gradient:

[0211] ,

[0212] in, This indicates the feature similarity between the selected sample and the target sample.
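The two low-frequency differences described in [0164] and in [0197] to [0209], computed on constructed images from an evaluator's side to show which band a perturbation occupies; this is an added example, not code from the patent. The disc-shaped mask and its radius, the mean absolute difference, the kernel size, sigma, the eps value and the `high_freq_fraction` measurement are all assumptions, because the patent's formulas are missing from this text.

```python
import numpy as np

EPS = 1e-8  # numerical-stability term inside the square root (value assumed)


def amplitude(img):
    """Complex spectrum -> real values: sqrt(Re^2 + Im^2 + eps), zero frequency centred."""
    f = np.fft.fftshift(np.fft.fft2(img))
    return np.sqrt(f.real ** 2 + f.imag ** 2 + EPS)


def low_freq_mask(shape, radius):
    """Disc of frequency bins around the centred zero frequency (shape and radius assumed)."""
    h, w = shape
    yy, xx = np.ogrid[:h, :w]
    return (yy - h // 2) ** 2 + (xx - w // 2) ** 2 <= radius ** 2


def fourier_low_freq_diff(x, x_adv, radius=4):
    """Global term: mean amplitude difference over the low-frequency bins."""
    diff = np.abs(amplitude(x) - amplitude(x_adv))
    return float(diff[low_freq_mask(x.shape, radius)].mean())


def gaussian_kernel(size=5, sigma=1.0):
    """Normalised 2-D Gaussian kernel."""
    ax = np.arange(size) - size // 2
    g = np.exp(-(ax[:, None] ** 2 + ax[None, :] ** 2) / (2.0 * sigma ** 2))
    return g / g.sum()


def gaussian_blur(img, size=5, sigma=1.0):
    """Convolve the image with the Gaussian kernel (reflect padding at the border)."""
    k = gaussian_kernel(size, sigma)
    p = np.pad(img, size // 2, mode="reflect")
    h, w = img.shape
    out = np.zeros((h, w))
    for i in range(size):
        for j in range(size):
            out += k[i, j] * p[i:i + h, j:j + w]
    return out


def gaussian_low_freq_diff(x, x_adv, size=5, sigma=1.0):
    """Local term: mean difference between the two Gaussian-filtered images."""
    return float(np.abs(gaussian_blur(x, size, sigma)
                        - gaussian_blur(x_adv, size, sigma)).mean())


def high_freq_fraction(delta, radius=4):
    """Share of the perturbation's spectral power outside the low-frequency disc."""
    power = np.abs(np.fft.fftshift(np.fft.fft2(delta))) ** 2
    total = power.sum()
    if total == 0:
        return 0.0
    return float(power[~low_freq_mask(delta.shape, radius)].sum() / total)


def profile(x, x_adv):
    """All three measurements for one (reference, candidate) image pair."""
    return {
        "fourier": fourier_low_freq_diff(x, x_adv),
        "gaussian": gaussian_low_freq_diff(x, x_adv),
        "high_freq_fraction": high_freq_fraction(x_adv - x),
    }


def constructed_images(n=32):
    """Constructed test data: a smooth image plus two perturbations of equal amplitude."""
    i = np.arange(n)
    x = 0.5 + 0.25 * np.cos(2 * np.pi * i / n)[None, :] * np.ones((n, 1))
    checker = 0.02 * ((-1.0) ** (i[:, None] + i[None, :]))  # highest spatial frequency
    smooth = 0.02 * np.cos(2 * np.pi * i / n)[:, None] * np.ones((1, n))  # lowest
    return x, x + checker, x + smooth


if __name__ == "__main__":
    x, x_checker, x_smooth = constructed_images()
    print("checkerboard perturbation:", profile(x, x_checker))
    print("smooth perturbation:      ", profile(x, x_smooth))
```

Both low-frequency terms come out near zero for the checkerboard perturbation and clearly non-zero for the smooth one of the same amplitude, which is the behaviour a penalty on these terms rewards.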

[0213] As an optional technical solution, the device further includes a copy reduction gradient module, used to utilize the copy image and the corresponding intermediate adversarial sample. The global low-frequency constraint between them narrows the range of perturbation gradient generation and is also used for:

[0214] Calculate the copy image Adversarial samples The global low-frequency constraint between the two is determined and incorporated into the second perturbation gradient to obtain the third perturbation gradient. The third perturbation gradient is then used to optimize the intermediate adversarial samples. Obtain intermediate adversarial samples ;

[0215] Calculate the copy image Adversarial samples The global low-frequency constraint between the two is determined and incorporated into the third perturbation gradient to obtain the fourth perturbation gradient. The fourth perturbation gradient is then used to optimize the intermediate adversarial samples. Obtain intermediate adversarial samples ;

[0216] ...;

[0217] And so on;

[0218] Calculate the copy image Adversarial samples Global low-frequency constraints between them, and introduce these global low-frequency constraints into the first In the perturbation gradient, the first... Perturb the gradient, using the first Perturbation gradient optimization of intermediate adversarial examples Obtain intermediate adversarial samples ;

[0219] Finally, the average of the perturbation gradients corresponding to all replica images is calculated, i.e., the second perturbation gradient, the third perturbation gradient, ..., the ... The average value of the perturbation gradient is added to the initial sample image. In the process, the final adversarial sample is obtained.

[0220] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working process of the device described in the above embodiments can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.

[0221] Those skilled in the art will understand that the above modules can be distributed in the device as described in the embodiments, or can, with corresponding changes, be located in one or more devices different from this embodiment. The modules of the above embodiments can be combined into one module, or can be further divided into multiple sub-modules (units).

[0222] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this application can be embodied in the form of a software product, which can be stored on a readable medium or on a network, including several instructions to cause an electronic device (which may be a personal computer, server, mobile terminal, or network device, etc.) to execute the methods according to the embodiments of this application.

[0223] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in this application should be included within the scope of protection of this application. All technical solutions that fall within the scope of the claims of this invention are within the scope of protection of this invention.

Claims

1. A method for high-concealment adversarial attack, characterized in that, Includes the following steps: acquiring a plurality of input sample images , wherein the input sample images contain initial sample images ; optimizing the initial sample image using a first perturbation gradient , obtaining an intermediate adversarial sample ; optimizing the intermediate adversarial sample using a second perturbation gradient obtaining an intermediate adversarial sample , Wherein, the first perturbation gradient is based on the input sample image. The feature similarity is calculated in the feature space; the second perturbation gradient is obtained by introducing a global low-frequency constraint into the first perturbation gradient, and the global low-frequency constraint is the intermediate adversarial sample. Compared with the initial sample image Global low-frequency constraints; This represents an intermediate adversarial example. This represents the first intermediate adversarial sample. This indicates the second intermediate adversarial sample... and so on; The calculation of the first perturbation gradient includes: From the input sample image Select a sample ,Right now Input into the classification model In the process, the feature vector is obtained. ; Calculate the selected sample Other samples The feature similarity between them is measured using the cosine similarity function, where... The specific calculation formula is as follows: The sample with the highest feature similarity is selected as the reference for the perturbation update direction. The formula for calculating the first perturbation gradient is: in To optimize the variables, their initial values ​​are... , and Its feature similarity score; The calculation of the second perturbation gradient includes: The frequency values ​​of all pixel information are obtained using Fast Fourier Transform, providing a global preview of the image's frequency distribution. 
Then, intermediate adversarial examples are constructed based on this frequency information. Compared with the initial sample image The low-frequency reconstruction loss, expressed by the Fast Fourier Transform, is: This formula can transform the image Mapping from pixel space to Fourier spectrum space, where... ; Next, Fourier's calculation result is transformed from the complex field to the real field. The calculation formula is as follows: , in, This is a term added for numerical stability. They are respectively The real and imaginary parts; The Gaussian kernel is used to filter the image and preserve its local low-frequency features. The calculation is performed using a low-frequency mask. The formula for the Gaussian kernel is: in Indicates spatial location within the image. Represent the variance of the Gaussian function; utilize the Gaussian kernel in the image Convolution is performed on the top layer, and the calculation formula is: in for Gaussian kernel index, ; Combining the low-frequency constraints of Fourier and Gaussian kernels yields intermediate adversarial examples. Compared with the initial sample image Global low-frequency constraints: By incorporating this global low-frequency constraint into the first perturbation gradient, the generation range of the perturbation is further narrowed, resulting in the second perturbation gradient: ; in, This indicates the feature similarity between the selected sample and the target sample; It also includes using duplicate images and corresponding intermediate adversarial examples. The global low-frequency constraints between the points narrow the range of perturbation gradient generation, including the following process: Calculate duplicate images Adversarial samples The global low-frequency constraint between the two is determined and incorporated into the second perturbation gradient to obtain the third perturbation gradient. 
The third perturbation gradient is then used to optimize the intermediate adversarial samples. Obtain intermediate adversarial samples ; Calculate duplicate images Adversarial samples The global low-frequency constraint between the two is determined and incorporated into the third perturbation gradient to obtain the fourth perturbation gradient. The fourth perturbation gradient is then used to optimize the intermediate adversarial samples. Obtain intermediate adversarial samples ; ……; And so on; Calculate duplicate images Adversarial samples Global low-frequency constraints between them, and introduce these global low-frequency constraints into the first In the perturbation gradient, the first... Perturb the gradient, using the first Perturbation gradient optimization of intermediate adversarial examples Obtain intermediate adversarial samples ; Finally, the average of the perturbation gradients corresponding to all replica images is calculated, i.e., the second perturbation gradient, the third perturbation gradient, ..., the ... The average value of the perturbation gradient is added to the initial sample image. In the process, the final adversarial sample is obtained.

2. The highly covert counter-attack method according to claim 1, characterized in that, The input sample image The acquisition includes: initial sample images Perform frequency domain transformation to obtain One copy of the image From the initial sample image With copy image The input sample image constitutes .

3. The highly covert counter-attack method according to claim 2, characterized in that, The frequency domain transformation includes: Use DCT transform to transform the initial sample image The formula for calculating the transformation from the spatial domain to the frequency domain is: The DCT transform is the discrete cosine transform. It is an orthogonal matrix. Equivalent to the identity matrix ; Different spectrograms are generated through random spectral transformation to replace different attack models. Then, the inverse discrete cosine transform (IDCT) is used to transform the spectrograms back to the spatial domain. The calculation formula is as follows: in For the Hadamard product, It is a random variable sampled from a Gaussian distribution. It is a random variable sampled from a uniform distribution.

4. A highly concealed anti-attack device, characterized in that, include: The acquisition module is used to acquire... Input sample images The input sample image Includes initial sample images ; The first perturbation gradient module is used to optimize the initial sample image using the first perturbation gradient. Obtain intermediate adversarial samples ; The second perturbation gradient module is used to optimize the intermediate adversarial samples using the second perturbation gradient. Obtain intermediate adversarial samples , Wherein, the first perturbation gradient is based on the input sample image. The feature similarity is calculated in the feature space; the second perturbation gradient is obtained by introducing a global low-frequency constraint into the first perturbation gradient, and the global low-frequency constraint is the intermediate adversarial sample. Compared with the initial sample image Global low-frequency constraints; This represents an intermediate adversarial example. This represents the first intermediate adversarial sample. This indicates the second intermediate adversarial sample... and so on; The first perturbation gradient module is also used for: From the input sample image Select a sample ,Right now Input into the classification model In the process, the feature vector is obtained. ; Calculate the selected sample Other samples The feature similarity between them is measured using the cosine similarity function, where... The specific calculation formula is as follows: The sample with the highest feature similarity is selected as the reference for the perturbation update direction, and the common formula for the first perturbation gradient is calculated. The formula is: in To optimize the variables, their initial values ​​are... 
, and Its feature similarity score; The second perturbation gradient module is also used for: The frequency values ​​of all pixel information are obtained using Fast Fourier Transform, providing a global preview of the image's frequency distribution. Then, intermediate adversarial examples are constructed based on this frequency information. Compared with the initial sample image The low-frequency reconstruction loss, expressed by the Fast Fourier Transform, is: This formula can transform the image Mapping from pixel space to Fourier spectrum space, where... ; Next, Fourier's calculation result is transformed from the complex field to the real field. The calculation formula is as follows: , in, This is a term added for numerical stability. They are respectively The real and imaginary parts; The Gaussian kernel is used to filter the image and preserve its local low-frequency features. The calculation is performed using a low-frequency mask. The formula for the Gaussian kernel is: in Indicates spatial location within the image. Represent the variance of the Gaussian function; utilize the Gaussian kernel in the image Convolution is performed on the top layer, and the calculation formula is: in for Gaussian kernel index, ; Combining the low-frequency constraints of Fourier and Gaussian kernels yields intermediate adversarial examples. Compared with the initial sample image Global low-frequency constraints: By incorporating this global low-frequency constraint into the first perturbation gradient, the generation range of the perturbation is further narrowed, resulting in the second perturbation gradient: , in, This indicates the feature similarity between the selected sample and the target sample; It also includes a copy-downgrading module for utilizing the copy image with the corresponding intermediate adversarial examples. 
The global low-frequency constraint between them narrows the range of perturbation gradient generation and is also used for: Calculate duplicate images Adversarial samples The global low-frequency constraint between the two is determined and incorporated into the second perturbation gradient to obtain the third perturbation gradient. The third perturbation gradient is then used to optimize the intermediate adversarial samples. Obtain intermediate adversarial samples ; Calculate duplicate images Adversarial samples The global low-frequency constraint between the two is determined and incorporated into the third perturbation gradient to obtain the fourth perturbation gradient. The fourth perturbation gradient is then used to optimize the intermediate adversarial samples. Obtain intermediate adversarial samples ; ……; And so on; Calculate duplicate images Adversarial samples Global low-frequency constraints between them, and introduce these global low-frequency constraints into the first In the perturbation gradient, the first... Perturb the gradient, using the first Perturbation gradient optimization of intermediate adversarial examples Obtain intermediate adversarial samples ; Finally, the average of the perturbation gradients corresponding to all replica images is calculated, i.e., the second perturbation gradient, the third perturbation gradient, ..., the ... The average value of the perturbation gradient is added to the initial sample image. In the process, the final adversarial sample is obtained.

5. The highly concealed anti-attack device according to claim 4, characterized in that: The acquisition module is also used for: processing the initial sample image. Perform frequency domain transformation to obtain One copy of the image From the initial sample image With copy image The input sample image constitutes ; The acquisition module is also used for: Use DCT transform to transform the initial sample image The formula for calculating the transformation from the spatial domain to the frequency domain is: The DCT transform is the discrete cosine transform. It is an orthogonal matrix. Equivalent to the identity matrix ; Different spectrograms are generated through random spectral transformation to replace different attack models. Then, the inverse discrete cosine transform (IDCT) is used to transform the spectrograms back to the spatial domain. The calculation formula is as follows: in For the Hadamard product, It is a random variable sampled from a Gaussian distribution. It is a random variable sampled from a uniform distribution.