Image interference method based on chaotic PGD algorithm
By introducing a chaotic system and a variable step size mechanism into the PGD algorithm, diverse adversarial images are generated, which solves the problem of poor performance of the PGD algorithm in complex scenes and improves the security and robustness of deep learning systems.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: NORTHWEST NORMAL UNIVERSITY
- Filing Date: 2025-01-20
- Publication Date: 2026-06-23
Figure CN120088115B_ABST
Description
Technical Field
[0001] This invention relates to the field of image interference technology, and in particular to an image interference method based on the chaotic PGD algorithm.
Background Technology
[0002] With the rapid development of artificial intelligence technology, deep learning has made significant progress in tasks such as image recognition, object detection, intelligent monitoring, and autonomous driving. However, deep learning faces various security threats throughout its lifecycle, including data poisoning, reverse engineering, information theft, and adversarial attacks. These security challenges are particularly prominent in fields such as autonomous driving, intelligent monitoring, and medical diagnosis, because once a deep learning model is attacked, it may lead to erroneous decisions, resulting in property damage or even personal injury. For example, attackers can fine-tune road sign images, causing autonomous driving systems to misidentify road sign information, leading to incorrect vehicle decisions and increasing the risk of traffic accidents. In facial recognition or voice recognition systems, attackers can introduce adversarial perturbations, making it impossible for authentication systems to correctly identify users, or even misidentifying legitimate users as others, thereby achieving illegal purposes. Furthermore, attackers may also perform adversarial modifications to images or videos to evade monitoring and detection. These attack methods seriously affect the security and reliability of deep learning systems in practical applications.
[0003] Among these security threats, adversarial attacks have become an important tool for exploring the vulnerabilities of deep learning due to their ease of operation and high degree of automation. Adversarial attacks cause deep learning models to misclassify or make incorrect decisions by applying subtle and often imperceptible perturbations to the original data. These perturbations may be so small as to be invisible to the naked eye, but are enough to introduce significant bias into the model. The original data with added perturbations is called adversarial examples.
[0004] In 2018, Madry et al. proposed the Projected Gradient Descent (PGD) algorithm. This method initializes adversarial examples in the constraint space with uniformly distributed perturbations during multiple restarts, allowing attacks to be launched from different starting points and achieving superior attack performance. However, the PGD algorithm still has two limitations. First, although random initialization helps avoid getting stuck in a fixed initial solution, it can still cause the optimization process to remain at a local optimum, especially when the original data has multiple local extrema. Second, the PGD algorithm uses a fixed step size, which is not always suitable for handling different types of problems. If the step size is too large, especially when approaching the optimal solution, gradient updates may be over-updated, causing the algorithm to skip the optimal solution or even diverge; conversely, if the step size is too small, the convergence speed may be too slow, or even fail to reach an effective solution within a finite number of iterations. When dealing with complex problems, the objective function may change drastically, and a fixed step size cannot be dynamically adjusted according to such changes, thus limiting the algorithm's performance in complex optimization scenarios.
[0005] Therefore, this invention proposes an image perturbation method based on the chaotic PGD algorithm. This algorithm is based on the PGD algorithm and incorporates the pseudo-randomness, bounded ergodicity, and complex dynamic characteristics of chaotic systems. By introducing chaotic initial perturbation and chaotic variable step size, and combining the characteristics of untargeted attacks with a PSNR mechanism, the chaotic PGD algorithm overcomes the parameter limitations of the traditional PGD algorithm, significantly improving its performance. Compared with the traditional PGD algorithm, the advantage of the chaotic PGD algorithm is that it can apply perturbation to the same input image, causing the classifier to produce the same misclassification result, but output different prediction probabilities, or even lead to completely different misclassification results. Furthermore, it requires no additional parameter settings, exhibiting greater versatility. This characteristic endows the chaotic PGD algorithm with higher diversity and unpredictability, thereby improving its stealth and effectiveness in adversarial attacks.
Summary of the Invention
[0006] The purpose of this invention is to solve the above-mentioned problems by providing an image interference method based on the chaotic PGD algorithm.
[0007] To achieve the above objectives, the technical solution adopted by this invention is as follows: It includes methods for interfering with target images, characterized by constructing a stable dual-vortex chaotic system based on a chaotic system that can generate up to four vortex attractors through equilibrium point migration, combined with the Julia fractal process. The stable dual-vortex chaotic system is then used to generate the initial chaotic perturbation and the chaotic variable step size. The specific steps are as follows:
[0008] S1: Establish a novel three-dimensional chaotic system, which includes one nonlinear term and six linear terms. Its mathematical equation form is shown below:
[0009]
[0010] in, For state variables, For system parameters;
[0011] S2: Through equilibrium point migration, the novel three-dimensional chaotic system can generate up to four vortex attractors;
[0012] S3: Then the capacitor voltage is used as the state variable in equation (1), and the resistance ratio is used as the system parameter in equation (1), and the mathematical expression is directly converted into an analog circuit.
[0013] make Equation (1) is transformed by time scale, where Given the time scale transformation factor, we can obtain equation (2):
[0014]
[0015] Pick and substitute the parameters Equation (3) can be obtained:
[0016]
[0017] Construct the analog circuit corresponding to equation (1) using equation (3);
[0018] S4: After establishing equation (1), Julia fractals are introduced into equation (1) to transform the equation (1) into... Replace with Equation (4) is obtained:
[0019]
[0020] After Julia fractal processing, the novel three-dimensional chaotic system becomes a stable double-vortex chaotic system.
[0021] S5: Then, generate the initial chaotic perturbation and the chaotic variable step size through the dual-vortex chaotic system;
[0022] S6: Substitute the obtained chaotic initial perturbation and chaotic variable step size into the improvement of the original classic PGD algorithm to obtain the chaotic PGD algorithm;
[0023] S7: Use the chaotic PGD algorithm to disturb the target image.
[0024] Furthermore, the Julia fractal process in S4 is described below:
[0025]
[0026] in
[0027]
[0028]
[0029]
[0030] in, It is a complex constant. Substituting equations (6) and (7) into equation (5), we obtain the relationship shown in equation (9):
[0031]
[0032] In part of equation (4), a Julia fractal process is applied to achieve variable substitution, as shown in equation 10:
[0033]
[0034] Differentiating both sides of equation (10) yields equation (11):
[0035]
[0036] in,
[0037]
[0038] From equation (11), we can obtain:
[0039]
[0040] in,
[0041]
[0042] Combining equations (4) and (10), we can obtain equation (15).
[0043]
[0044] Combining equations (13) and (15), we can obtain the chaotic system generated by the combination of Julia fractals and the novel three-dimensional chaotic system, as shown below:
[0045]
[0046] in, For state variables, For system parameters,
[0047] Furthermore, the steps for generating the initial chaotic perturbation are as follows:
[0048] Step 1: Use the ODE solver to solve equation (16) numerically.
[0049]
[0050] Step 2: Scalar normalization, for Perform min-max normalization;
[0051]
[0052] Step 3: Generate the initial chaotic perturbation, from 150,528 values are randomly selected from the data and rearranged into a tensor of shape (1,3,224,224).
[0053]
[0054] The steps for generating the chaotic variable step size are as follows:
[0055] Step 1: Use the ODE solver to solve the numerical solution of equation (16);
[0056]
[0057] Step 2: To Perform min-max normalization;
[0058]
[0059] Step 3: From We randomly select one value from the given values as the step size for this iteration:
[0060]
[0061] Furthermore, the core of the chaotic PGD algorithm is as follows:
[0062]
[0063]
[0064]
[0065]
[0066]
[0067] in, Represents the original sample. Indicates adversarial examples, This represents the adversarial example after t iterations. This represents the initial chaotic perturbation generated by equation (16). This indicates resistance to disturbances. This represents the chaotic variable step size generated by equation (16). Represents a symbolic function. express gradient, Represents the loss function. Indicates the parameters of the classifier model. Labels representing the original samples, The label represents the adversarial example, and PSNR represents the peak signal-to-noise ratio between the two examples.
[0068] Compared with the prior art, the present invention has the following beneficial effects:
[0069] 1. The adversarial images generated by the chaotic PGD algorithm can cause classifiers to misclassify into multiple categories, revealing the potential overlap and ambiguity of the classifier's decision boundary between different categories. This indicates that the perturbation of the chaotic PGD algorithm has a wider coverage in the search space, enabling it to explore more potential perturbation methods and thus reveal the potential characteristics and vulnerabilities of the classifier at the multi-class decision boundary. This diversity in perturbation distribution not only reveals the classifier's vulnerabilities but also identifies more potential weaknesses, rather than focusing on a single specific vulnerability. Introducing a chaotic mechanism makes the generation path of adversarial images more complex, prompting attack algorithms to avoid explicit gradient directions, thereby generating uninterpretable samples. This complexity provides new insights for designing stronger defense mechanisms.
[0070] 2. The adversarial images generated by the chaotic PGD algorithm not only cause the classifier to misclassify them into multiple categories but also exhibit low confidence, indicating that the classifier's classification results for these samples are unstable. Low confidence means that the adversarial images generated by the chaotic PGD algorithm can more effectively disrupt the classifier's discriminative ability, leading to confusion between multiple categories. In contrast, while the classic PGD algorithm can cause misclassification, the classifier still maintains high confidence, indicating a strong inertia in its misclassification of specific adversarial images. This inertia may make it easier for defense mechanisms to identify and counteract the errors. The low confidence is significant for defense mechanisms because low-confidence samples can prompt them to strengthen their learning or optimization near the classification boundary, thereby improving the overall robustness of the classifier. Furthermore, due to the high discreteness and diversity in the distribution of low-confidence samples, their detection difficulty is relatively high. Defense strategies against these samples need to be more refined and flexible to effectively address the challenges posed by chaotic perturbations.
[0071] 3. While the "single-class high-confidence errors" generated by the classic PGD algorithm may be suitable for evaluating specific defense mechanisms, the "multi-class low-confidence errors" generated by the chaotic PGD algorithm more closely resemble the complex adversarial attack scenarios in real-world situations. The chaotic PGD algorithm simulates a wider range of realistic attack scenarios, thus having greater practical significance in improving the robustness of classifiers in complex environments. In practical applications, the distribution of adversarial images is usually complex and diverse. Diverse adversarial attacks can more comprehensively reveal the potential weaknesses of a classifier, rather than focusing solely on a specific vulnerability. If a defense mechanism performs well on adversarial images generated by the classic PGD algorithm but poorly on those generated by the chaotic PGD algorithm, it indicates that the defense mechanism may be overfitting to only one type of attack. Therefore, the low-confidence samples generated by the chaotic PGD algorithm can serve as a new standard for robustness evaluation, providing guidance for developing more general and robust defense methods. By studying low-confidence, diverse adversarial samples, defense mechanisms can more effectively cope with complex and variable attack scenarios, thereby improving the classifier's resistance to interference in various real-world scenarios.
[0072] 4. Classical PGD algorithms can quickly generate high-confidence error samples, primarily suitable for assessing the vulnerability of classifiers to specific classes. Chaotic PGD algorithms, by introducing complex chaotic dynamics, generate adversarial images with diversity, low confidence, and cross-class errors, thus enabling a more comprehensive evaluation of classifier robustness. This comparison not only provides a deeper perspective on classifier robustness evaluation but also offers important insights for improving adversarial defense strategies and future algorithmic innovation. The diversity and unpredictability of chaotic PGD algorithms give them a unique advantage in simulating complex attack scenarios, providing richer evidence for the design and optimization of defense mechanisms.
Attached Figure Description
[0073] Figure 1 is the phase diagram of system equation (1) of this invention;
[0074] Figure 2 The periodically changing parameters of this invention and Schematic diagram of the generated four-vortex chaotic attractor;
[0075] Figure 3 is the analog circuit for system equation (1) of the present invention;
[0076] Figure 4 is the phase diagram of system equation (16) of this invention;
[0077] Figure 5 is a statistical characteristic diagram of the chaotic initial perturbation and chaotic variable step size generated using the chaotic system equation (16) of the present invention;
[0078] Figure 6 is a schematic diagram of the chaotic PGD algorithm of the present invention;
[0079] Figure 7 shows the misclassification results of the classifier caused by the adversarial images generated by the chaotic PGD algorithm and the classical PGD algorithm of this invention.
Detailed Implementation
[0080] To make the technical means, creative features, objectives and effects of this invention easier to understand, the invention will be further described below in conjunction with specific embodiments.
[0081] This invention first proposes a three-dimensional chaotic system, which contains only one nonlinear term and six linear terms, and its mathematical equation is very simple, as shown below:
[0082]
[0083] in, For state variables, These are system parameters. When system parameters... initial system value Phase diagram at time, such as Figure 1 As shown:
[0084] Figure 1 is a phase diagram of a single-vortex chaotic system, where (a) is the xy plane, (b) is the xz plane, and (c) is the yz plane.
[0085] When using a set of parameters that change periodically between positive and negative values and ,like Figure 2 As shown in (a)(b), replace the fixed parameter in equation (55). and You can get Figure 2 (c) shows the four-vortex attractor. In addition, we have listed six other methods for generating four-vortex attractors in Table 1. All six four-vortex attractors are generated by migrating the equilibrium point from a single-vortex attractor, and they have the same appearance, but the order of equilibrium point migration is completely different, greatly increasing the complexity of the four-vortex system.
[0086] Table 1. Six ways to generate four-vortex chaotic attractors
[0087]
[0088] By using the capacitor voltage as the state variable in equation (55) and the resistance ratio to describe the system parameters, the mathematical expression can be directly converted into an analog circuit.
[0089] make Equation (55) is transformed by time scale, where It is the time scale transformation factor, from which equation (56) can be obtained.
[0090]
[0091] Pick and substitute the parameters Equation (57) can be obtained.
[0092]
[0093] Based on equation (57), the circuit design of equation (55) can be obtained, as shown in Figure 3. The operational amplifier is TL082CP, the multiplier is AD633, the positive power supply voltage VDD is 15V, and the negative power supply voltage VEE is -15V.
[0094] (1) Design of multi-vortex chaotic attractors based on Julia fractals
[0095] Equation (55) has the advantages of concise mathematical expression and simple circuit structure, but the control of the number of vortices depends on the switching of control switches, which makes the adjustment process relatively cumbersome. Therefore, Julia fractals are introduced into single-vortex chaotic systems.
[0096] For ease of subsequent analysis, the equation (55) will be modified. Replace with , thus obtaining system (58)
[0097]
[0098] Julia's fractal process can be expressed as follows:
[0099]
[0100] in
[0101]
[0102]
[0103]
[0104] in, As a complex constant, it is uniformly set in this invention as follows: Substituting equations (60) and (61) into equation (59), we obtain the relationship shown in equation (63).
[0105]
[0106] In equation (58), a Julia fractal process is applied to achieve variable substitution, as shown in equation (64):
[0107]
[0108] Differentiating both sides of equation (58) yields equation (65).
[0109]
[0110] in
[0111]
[0112] From equation (65), we can obtain
[0113]
[0114] in
[0115]
[0116] Combining equations (68) and (64), we can obtain equation (69).
[0117]
[0118] Combining equations (67) and (69), we can obtain the chaotic system generated by the combination of Julia fractal and single-vortex chaotic system, as shown below:
[0119]
[0120] in, For state variables, These are system parameters. When system parameters... System initial value The phase diagram of equation (70) is as follows Figure 4 As shown, it is not difficult to see that after Julia fractal processing, the single-vortex chaotic system becomes a stable double-vortex chaotic system.
[0121] In Figure 4, (a) is the xy plane and (b) is the xz plane.
[0122] (2) Chaotic PGD Algorithm
[0123] The core of the chaotic PGD algorithm can be described as follows:
[0124]
[0125]
[0126]
[0127]
[0128]
[0129] in, Represents the original sample. Indicates adversarial examples, This represents the adversarial example after t iterations. This represents the initial chaotic perturbation generated by equation (70). This indicates resistance to disturbances. This represents the chaotic variable step size generated by equation (70). Represents a symbolic function. express gradient, Represents the loss function. Indicates the parameters of the classifier model. Labels representing the original samples, The label represents the adversarial example, and PSNR represents the peak signal-to-noise ratio between the two examples.
[0130] Among them, the initial chaotic perturbation and the chaotic step size are generated by the double-vortex chaotic system.
[0131] The steps for generating the initial chaotic perturbation are as follows:
[0132] Step 1: Solve the chaotic equation. Use the ODE solver to solve the numerical solution of equation (70).
[0133]
[0134] Step 2: Scalar normalization. For Perform min-max normalization.
[0135]
[0136] Step 3: Generate the initial chaotic perturbation. From 150,528 values are randomly selected (with replacement) and rearranged into a tensor of shape (1,3,224,224).
[0137]
[0138] from The frequency distribution of 150,528 randomly selected values (with replacement) is as follows: Figure 5 As shown in (a).
[0139] The steps for generating the chaotic variable step size are as follows:
[0140] Step 1: Solve the chaotic equation. Use the ODE solver to solve the numerical solution of equation (70).
[0141]
[0142] Step 2: Scalar normalization. For Perform min-max normalization.
[0143]
[0144] Step 3: Generate chaotic variable step size. From One value is randomly selected (with replacement) as the step size in this iteration.
[0145]
[0146] from The frequency distribution of 150,528 randomly selected values (with replacement) is as follows: Figure 5 As shown in (b).
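An added sketch of the three generation steps above (solve the system, min-max normalize, sample with replacement), which the page uses for both the initial perturbation and the per-iteration step size; it is not the patent's code. The Lorenz system stands in for the page's system (70), whose equation is not reproduced here, and the use of the x component, the seed, the `eps` scaling and the flat grey test image are assumptions made for illustration.

```python
import math
import random

N_VALUES = 3 * 224 * 224  # 150,528 values, the count stated on the page


def lorenz_series(steps=20000, dt=0.01, burn_in=1000, state=(1.0, 1.0, 1.0)):
    """Step 1 (stand-in): integrate a chaotic ODE with RK4, return the x series.

    Assumption: the Lorenz system replaces the page's system (70).
    """
    sigma, rho, beta = 10.0, 28.0, 8.0 / 3.0

    def f(s):
        x, y, z = s
        return (sigma * (y - x), x * (rho - z) - y, x * y - beta * z)

    def shift(s, k, h):
        return tuple(si + h * ki for si, ki in zip(s, k))

    xs = []
    for i in range(steps + burn_in):
        k1 = f(state)
        k2 = f(shift(state, k1, dt / 2))
        k3 = f(shift(state, k2, dt / 2))
        k4 = f(shift(state, k3, dt))
        state = tuple(s + dt / 6 * (a + 2 * b + 2 * c + d)
                      for s, a, b, c, d in zip(state, k1, k2, k3, k4))
        if i >= burn_in:  # drop the transient before the attractor is reached
            xs.append(state[0])
    return xs


def min_max(values):
    """Step 2: min-max normalization into [0, 1]."""
    lo, hi = min(values), max(values)
    if hi == lo:
        raise ValueError("constant series cannot be min-max normalized")
    return [(v - lo) / (hi - lo) for v in values]


def reshape(flat, shape):
    """Nest a flat list into the given shape (row-major order)."""
    if len(shape) == 1:
        return list(flat)
    stride = len(flat) // shape[0]
    return [reshape(flat[i * stride:(i + 1) * stride], shape[1:])
            for i in range(shape[0])]


def initial_perturbation(norm, rng):
    """Step 3a: 150,528 draws with replacement, shaped (1, 3, 224, 224)."""
    return reshape(rng.choices(norm, k=N_VALUES), (1, 3, 224, 224))


def step_sizes(norm, rng, iterations):
    """Step 3b: one draw with replacement per iteration."""
    return [rng.choice(norm) for _ in range(iterations)]


def flatten(tensor):
    return [v for img in tensor for ch in img for row in ch for v in row]


def psnr(a, b, peak=1.0):
    """Peak signal-to-noise ratio in dB between two flat images."""
    mse = sum((p - q) ** 2 for p, q in zip(a, b)) / len(a)
    return math.inf if mse == 0 else 10 * math.log10(peak ** 2 / mse)


def demo(seed=0, eps=8 / 255, iterations=10):
    rng = random.Random(seed)  # fixed seed so an evaluation run is repeatable
    norm = min_max(lorenz_series())
    delta0 = initial_perturbation(norm, rng)
    alphas = step_sizes(norm, rng, iterations)
    clean = [0.5] * N_VALUES  # constructed flat grey image in [0, 1]
    # Assumption: the page does not say how the [0, 1] values map into a
    # perturbation budget, so they are scaled by eps here.
    start = [min(1.0, max(0.0, c + eps * d))
             for c, d in zip(clean, flatten(delta0))]
    return delta0, alphas, psnr(clean, start)


if __name__ == "__main__":
    _, alphas, quality = demo()
    print("step sizes:", [round(a, 3) for a in alphas])
    print("PSNR of starting point vs clean image: %.2f dB" % quality)
```

Because every value lies in [0, 1], the starting point under the assumed `eps` scaling cannot fall below 20·log10(1/eps) dB, which gives an evaluator a fixed lower bound on image quality to check before any iteration runs.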
[0147] The overall process of the chaotic PGD algorithm is shown in Figure 6, where the dashed line indicates that this process is executed only once when the algorithm begins its iteration.
[0148] Figure 7 shows the adversarial image results generated using the chaotic PGD algorithm and the classic PGD algorithm, respectively. It is worth noting that the adversarial images generated by the classic PGD algorithm typically cause the classifier to misidentify a fixed category with extremely high confidence, while the adversarial images generated by the chaotic PGD algorithm can cause the classifier to misidentify multiple categories with lower confidence, and the generated adversarial images are of higher quality. Figure 7 showcases three adversarial image results generated by the chaotic PGD algorithm; due to space limitations, only a portion of the results is presented. In reality, the chaotic PGD algorithm can generate more adversarial images, and the misclassification categories and confidence distributions of each image are more diverse.
[0149] In Figure 7, a1, b1, c1, d1, e1 represent the classifier misclassification results caused by the adversarial images generated by the classic PGD algorithm, while a2, a3, a4, b2, b3, b4, c2, c3, c4, d2, d3, d4, e2, e3, e4 represent the classifier misclassification results caused by the adversarial images generated by the chaotic PGD algorithm.
[0150] In addition, in a large number of experiments, we also discovered a special set of experimental results, as shown in Figure 7 (c1)-(c4). In this set of experiments, adversarial images generated using both the chaotic PGD algorithm and the classic PGD algorithm caused the classifier to misclassify them as fixed categories with extremely high confidence. This phenomenon indicates that, under certain conditions, the perturbations generated by the two algorithms can produce similar attack effects, although in most cases, the chaotic PGD algorithm exhibits more diverse misclassification results.
[0151] The environment configuration for implementing this invention is shown in Table 2. The dataset used is a mixture of ImageNet ILSVRC2012 and the Animal Image Dataset (90 Different Animals) provided by Sourav Banerjee on the Kaggle platform [2]. The image classification models employed included classic models such as VGG16, VGG19, ResNet18, and ResNet50. During the experiments, all image classification models used pre-trained versions without any modifications or improvements. The image data in the experiments were randomly selected from the dataset and underwent no preprocessing (such as data augmentation, illumination correction, denoising, or smoothing) to ensure the objectivity and validity of the results.
[0152] Table 2. Equipment environment and related configurations.
[0153]
[0154] It will be apparent to those skilled in the art that the present invention is not limited to the details of the exemplary embodiments described above, and that the invention can be implemented in other specific forms without departing from its spirit or essential characteristics. Therefore, the embodiments should be considered in all respects as exemplary and non-limiting, and the scope of the invention is defined by the appended claims rather than the foregoing description. Thus, all variations falling within the meaning and scope of equivalents of the claims are intended to be included within the present invention. No reference numerals in the claims should be construed as limiting the scope of the claims.
[0155] Furthermore, it should be understood that although this specification describes embodiments, not every embodiment contains only one independent technical solution. This narrative style is merely for clarity. Those skilled in the art should consider the specification as a whole, and the technical solutions in each embodiment can also be appropriately combined to form other embodiments that can be understood by those skilled in the art.
Claims
1. An image interference method based on a chaotic PGD algorithm, comprising methods for interfering with a target image, characterized in that, Based on a chaotic system that can generate up to four vortex attractors through equilibrium point migration, a stable double-vortex chaotic system was constructed by combining the Julia fractal process. The stable double-vortex chaotic system was then used to generate the initial chaotic perturbation and the chaotic variable step size. The specific steps are as follows: S1: Establish a novel three-dimensional chaotic system, which includes one nonlinear term and six linear terms. Its mathematical equation form is shown below: in, For state variables, For system parameters; S2: Through equilibrium point migration, the novel three-dimensional chaotic system can generate up to four vortex attractors; S3: Then the capacitor voltage is used as the state variable in equation (1), and the resistance ratio is used as the system parameter in equation (1), and the mathematical expression is directly converted into an analog circuit. make Equation (1) is transformed by time scale, where Given the time scale transformation factor, we can obtain equation (2): Pick and substitute the parameters Equation (3) can be obtained: Construct the analog circuit corresponding to equation (1) using equation (3); S4: After establishing equation (1), Julia fractals are introduced into equation (1) to transform the equation (1) into... Replace with Equation (4) is obtained: After Julia fractal processing, the novel three-dimensional chaotic system becomes a stable double-vortex chaotic system. 
S5: Then, generate the initial chaotic perturbation and the chaotic variable step size through the dual-vortex chaotic system; S6: Substitute the obtained chaotic initial perturbation and chaotic variable step size into the improvement of the original classic PGD algorithm to obtain the chaotic PGD algorithm; S7: Use the chaotic PGD algorithm to disturb the target image.
2. The image interference method based on the chaotic PGD algorithm according to claim 1, characterized in that: The Julia fractal process in S4 is described below: in in, It is a complex constant. Substituting equations (6) and (7) into equation (5), we obtain the relationship shown in equation (9): In part of equation (4), a Julia fractal process is applied to achieve variable substitution, as shown in equation 10: Differentiating both sides of equation (10) yields equation (11): in, From equation (11), we can obtain: in, Combining equations (4) and (10), we can obtain equation (15). Combining equations (13) and (15), we can obtain the chaotic system generated by the combination of Julia fractals and the novel three-dimensional chaotic system, as shown below: in, For state variables, These are system parameters.
3. The image interference method based on the chaotic PGD algorithm according to claim 2, characterized in that: In S5, the steps for generating the initial chaotic perturbation are as follows: Step 1: Use the ODE solver to solve equation (16) numerically. Step 2: Scalar normalization, for Perform min-max normalization; Step 3: Generate the initial chaotic perturbation, from 150,528 values are randomly selected from the data and rearranged into a tensor of shape (1,3,224,224). The steps for generating the chaotic variable step size are as follows: Step 1: Use the ODE solver to solve the numerical solution of equation (16); Step 2: To Perform min-max normalization; Step 3: From We randomly select one value from the given values as the step size for this iteration:
4. The image interference method based on the chaotic PGD algorithm according to claim 3, characterized in that: The core of the chaotic PGD algorithm is as follows: in, Represents the original sample. Indicates adversarial examples, This represents the adversarial example after t iterations. This represents the initial chaotic perturbation generated by equation (16). This indicates resistance to disturbances. This represents the chaotic variable step size generated by equation (16). Represents a symbolic function. express gradient, Represents the loss function. Indicates the parameters of the classifier model. Labels representing the original samples, The label represents the adversarial example, and PSNR represents the peak signal-to-noise ratio between the two examples.