CN116523000A - A neural network adversarial example defense method, electronic device and storage medium

Publication number: CN116523000A
Authority: CN (China)
Prior art keywords: image set, frequency image, target, frequency, low
Legal status: Pending
Application number: CN202310362917.5A
Other languages: Chinese (zh)
Inventors: 王玉龙, 谢宏港, 王红熳, 苏森
Current Assignee: Beijing University of Posts and Telecommunications
Original Assignee: Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications
Priority to CN202310362917.5A
Publication of CN116523000A

Classifications

    • G06N3/0475 Generative networks
    • G06N3/094 Adversarial learning
    • G06V10/26 Segmentation of patterns in the image field; Cutting or merging of image elements to establish the pattern region, e.g. clustering-based techniques; Detection of occlusion
    • G06V10/30 Noise filtering
    • G06V10/774 Generating sets of training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06V10/80 Fusion, i.e. combining data from various sources at the sensor level, preprocessing level, feature extraction level or classification level
    • G06V10/82 Arrangements for image or video recognition or understanding using pattern recognition or machine learning using neural networks

Abstract

The application provides a neural network adversarial example defense method, an electronic device and a storage medium. The method comprises the following steps: acquiring an adversarial data set; segmenting each image in the adversarial data set by color channel to obtain a segmented image set; processing the segmented image set with a preset mask to obtain a target low-frequency image set and a target high-frequency image set; denoising the target high-frequency image set with a preset noise reduction method to obtain a target noise-reduced high-frequency image set; and inputting the target low-frequency image set and the target noise-reduced high-frequency image set into a preset target generator for fusion, generating a defended adversarial sample set. The defended adversarial samples generated by the method have the noise in the high-frequency image removed, that is, the adversarial perturbation distributed in the high-frequency component image is removed, which brings the adversarial sample closer to the original image so that it can be correctly classified.

Description

A neural network adversarial example defense method, electronic device and storage medium

Technical field

The present application relates to the technical field of deep learning, and in particular to a neural network adversarial example defense method, an electronic device and a storage medium.

Background

In recent years, deep learning has become one of the most active fields of computer research. Studies have found that deep neural networks are easily disturbed by small input perturbations that humans cannot perceive but that cause the machine to make errors; the data that causes such errors is called an adversarial example. An adversarial example adds a subtle perturbation to the data, which causes the model to give a wrong output with high confidence, and this is a blind spot in research on machine learning algorithms. The existence of adversarial examples has drawn attention to the vulnerability of neural networks. For example, in fields such as autonomous driving and face recognition, misclassification caused by adversarial examples can lead to extremely serious consequences, such as traffic accidents or unauthorized persons passing through access control. Existing adversarial examples are therefore not defended against, which leads to serious consequences.

Summary of the invention

In view of this, the purpose of the present application is to propose a neural network adversarial example defense method, an electronic device and a storage medium, to solve the problem that existing adversarial examples are not defended against and lead to serious consequences.

Based on the above purpose, a first aspect of the present application provides a neural network adversarial example defense method, including:

acquiring an adversarial data set;

segmenting each image in the adversarial data set by color channel to obtain a segmented image set;

processing the segmented image set according to a preset mask to obtain a target low-frequency image set and a target high-frequency image set;

denoising the target high-frequency image set according to a preset noise reduction method to obtain a target noise-reduced high-frequency image set;

inputting the target low-frequency image set and the target noise-reduced high-frequency image set into a preset target generator for fusion to generate a defended adversarial sample set.

Further, the color channels include a first color channel, a second color channel and a third color channel; the first color channel is the red channel, the second color channel is the green channel, and the third color channel is the blue channel;

segmenting each image in the adversarial data set by color channel to obtain a segmented image set includes:

segmenting each image in the adversarial data set according to the first color channel to obtain a first segmented image set;

segmenting each image in the adversarial data set according to the second color channel to obtain a second segmented image set;

segmenting each image in the adversarial data set according to the third color channel to obtain a third segmented image set;

combining the first segmented image set, the second segmented image set and the third segmented image set into one set, which is used as the segmented image set.

Further, the preset mask includes a first preset mask, and the first preset mask is a low-frequency image mask;

processing the segmented image set according to the preset mask to obtain the target low-frequency image set includes:

superimposing the first preset mask on the first segmented images in the first segmented image set to obtain a first low-frequency image set;

superimposing the first preset mask on the second segmented images in the second segmented image set to obtain a second low-frequency image set;

superimposing the first preset mask on the third segmented images in the third segmented image set to obtain a third low-frequency image set;

merging the first low-frequency image set, the second low-frequency image set and the third low-frequency image set to obtain the target low-frequency image set.

Further, the preset mask includes a second preset mask, and the second preset mask is a high-frequency image mask;

processing the segmented image set according to the preset mask to obtain the target high-frequency image set includes:

superimposing the second preset mask on the first segmented images in the first segmented image set to obtain a first high-frequency image set;

superimposing the second preset mask on the second segmented images in the second segmented image set to obtain a second high-frequency image set;

superimposing the second preset mask on the third segmented images in the third segmented image set to obtain a third high-frequency image set;

merging the first high-frequency image set, the second high-frequency image set and the third high-frequency image set to obtain the target high-frequency image set.

Further, inputting the target low-frequency image set and the target noise-reduced high-frequency image set into the preset target generator for fusion to generate the defended adversarial sample set includes:

inputting each low-frequency image in the target low-frequency image set, together with the noise-reduced high-frequency image corresponding to that low-frequency image, into the preset target generator for fusion to generate the defended adversarial sample set.

Further, the training process of the preset target generator includes:

iteratively training a generator and a discriminator on the target low-frequency image set and the target noise-reduced high-frequency image set;

in response to determining that the loss of the discriminator after an iteration reaches a preset threshold, using the generator after that iteration as the target generator.

Further, the training process of the preset target generator includes:

iteratively training a generator and a discriminator on the target low-frequency image set and the target noise-reduced high-frequency image set;

in response to the number of iterations reaching an iteration-count threshold, stopping the iterative training and outputting the generator trained in that iteration as the target generator.

Further, iteratively training the generator and the discriminator on the target low-frequency image set and the target noise-reduced high-frequency image set includes:

performing the following operations in each training iteration:

concatenating the low-frequency image with the corresponding noise-reduced high-frequency image and inputting the result into the generator to obtain a fused image;

inputting the fused image and the original sample corresponding to that image into the discriminator to obtain the loss of the discriminator;

updating the discriminator according to the loss of the discriminator to obtain the discriminator for the next iteration;

updating the generator according to the discriminator for the next iteration to obtain the generator for the next iteration.

Based on the above purpose, a second aspect of the present application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, it implements the method described in any one of the above.

Based on the above purpose, a third aspect of the present application provides a non-transitory computer-readable storage medium that stores computer instructions, the computer instructions being used to make a computer execute the method described in any one of the above.

As can be seen from the above, the neural network adversarial example defense method provided by the present application first acquires an adversarial data set and then segments each image in the adversarial data set to obtain a segmented image set; processes the segmented image set according to a preset mask to obtain a target low-frequency image set and a target high-frequency image set; denoises the target high-frequency image set according to a preset noise reduction method to obtain a target noise-reduced high-frequency image set; and inputs the target low-frequency image set and the target noise-reduced high-frequency image set into a preset target generator for fusion to generate a defended adversarial sample set. The defended adversarial samples generated by this method have the noise in the high-frequency image removed, that is, the adversarial perturbation distributed in the high-frequency component image is removed, which brings the adversarial sample closer to the original image so that it can be correctly classified.

Brief description of the drawings

In order to explain the technical solutions of the present application or the related art more clearly, the drawings needed in the description of the embodiments or the related art are briefly introduced below. Obviously, the drawings described below are merely embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic flow diagram of a neural network adversarial example defense method according to an embodiment of the present application;

FIG. 2 is a schematic diagram of the structural framework of a neural network adversarial example defense apparatus according to an embodiment of the present application;

FIG. 3 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present application.

Detailed description

To make the purpose, technical solutions and advantages of the present application clearer, the present application is described in further detail below in conjunction with specific embodiments and with reference to the accompanying drawings.

It should be noted that, unless otherwise defined, the technical or scientific terms used in the embodiments of the present application have the ordinary meanings understood by persons of ordinary skill in the field to which the present application belongs. "First", "second" and similar words used in the embodiments of the present application do not indicate any order, quantity or importance, but are only used to distinguish different components. "Comprising", "including" and similar words mean that the element or item preceding the word covers the elements or items listed after the word and their equivalents, without excluding other elements or items. "Connected", "coupled" and similar words are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "Up", "down", "left", "right" and the like are only used to indicate relative positional relationships; when the absolute position of the described object changes, the relative positional relationship may change accordingly.

Embodiments of the present application are described in detail below with reference to the accompanying drawings.

Referring to FIG. 1, a neural network adversarial example defense method includes:

Step S100: acquire an adversarial data set.

In this step, the adversarial data set is adversarial data generated from an original data set using an attack method, where the attack method is any one of FGSM, PGD, CW, DeepFool, or a custom attack method.

The original data set is a public data set, for example CIFAR-10, MNIST, or a custom data set.

Step S200: segment each image in the adversarial data set by color channel to obtain a segmented image set.

In this step, the color channels are the RGB color channels. The images in the adversarial data set are segmented according to the RGB color channels to obtain the image sets corresponding to the RGB color channels, that is, the segmented image set.

Step S300: process the segmented image set according to a preset mask to obtain a target low-frequency image set and a target high-frequency image set.

In this step, the preset mask is a pre-constructed mask (an image mask) of the same size as the images in the segmented image set. The preset mask includes a low-frequency image mask and a high-frequency image mask. The low-frequency image mask is superimposed on the low-frequency images in the segmented image set so that only the low-frequency component of each image is retained, giving the target low-frequency image set; the high-frequency image mask is superimposed on the high-frequency images in the segmented image set so that only the high-frequency component of each image is retained, giving the target high-frequency image set.

Step S400: denoise the target high-frequency image set according to a preset noise reduction method to obtain a target noise-reduced high-frequency image set.

In this step, the preset noise reduction method is as follows: each pixel in the image is computed with the noise reduction formula to obtain the target noise-reduced pixels; the target noise-reduced high-frequency image is generated from the target noise-reduced pixels; and all images in the target high-frequency image set are denoised in this way to obtain the target noise-reduced high-frequency image set.

The noise reduction formula is:

where x denotes the pixel currently being processed; v′(x) denotes the value of pixel x after noise reduction; Ωx denotes the set of pixels in the neighborhood of x, the extent of which must be chosen according to the actual situation; y denotes a pixel in Ωx; v(y) denotes the value of pixel y before noise reduction; w(x, y) denotes the weight, computed from the degree of similarity between x and y; and n denotes the sum of all weights.

Further, w(x, y) is calculated as follows:

where w′(x, y) denotes the temporary weight; k denotes the preset similarity threshold, whose value must be chosen according to the actual situation; v(x) denotes the value of pixel x before noise reduction; and v(y) denotes the value of pixel y before noise reduction.

Step S500: input the target low-frequency image set and the target noise-reduced high-frequency image set into a preset target generator for fusion to generate a defended adversarial sample set.

In this step, the low-frequency images in the low-frequency image set correspond to the noise-reduced high-frequency images in the target noise-reduced high-frequency image set. The preset target generator is obtained by iterative training on low-frequency images and their corresponding noise-reduced high-frequency images. Each low-frequency image and its corresponding noise-reduced high-frequency image are input into the preset target generator for fusion, generating the defended adversarial sample set.

Specifically, the defended adversarial samples generated through steps S100-S500 have the noise in the high-frequency image removed, that is, the adversarial perturbation distributed in the high-frequency component image is removed, which brings the adversarial sample closer to the original image so that it can be correctly classified.

In some embodiments, in step S200, the color channels include a first color channel, a second color channel and a third color channel; the first color channel is the red channel (the R color channel), the second color channel is the green channel (the G color channel), and the third color channel is the blue channel (the B color channel);

segmenting each image in the adversarial data set by color channel to obtain a segmented image set includes:

segmenting each image in the adversarial data set according to the first color channel to obtain a first segmented image set;

segmenting each image in the adversarial data set according to the second color channel to obtain a second segmented image set;

segmenting each image in the adversarial data set according to the third color channel to obtain a third segmented image set;

combining the first segmented image set, the second segmented image set and the third segmented image set into one set, which is used as the segmented image set.

Specifically, to extract the low-frequency image and the high-frequency image from an image, the image must be converted into a frequency spectrum by a Fourier transform, and the spectrum is then processed with a mask to obtain the low-frequency image and the high-frequency image respectively. Because the Fourier transform can only process a single color channel, each image in the adversarial data set is segmented into images of the three color channels, that is, each image is split into three images, and all of the split images are combined into one set, which is used as the segmented image set.

In some embodiments, in step S300, the preset mask includes a first preset mask, and the first preset mask is a low-frequency image mask;

processing the segmented image set according to the preset mask to obtain the target low-frequency image set includes:

superimposing the first preset mask on the first segmented images in the first segmented image set to obtain a first low-frequency image set;

superimposing the first preset mask on the second segmented images in the second segmented image set to obtain a second low-frequency image set;

superimposing the first preset mask on the third segmented images in the third segmented image set to obtain a third low-frequency image set;

merging the first low-frequency image set, the second low-frequency image set and the third low-frequency image set to obtain the target low-frequency image set.

Specifically, the low-frequency image mask is constructed in advance, and its size matches the size of the images in the segmented image set. All pixel values of the low-frequency image mask are set to 0, a square sub-region is placed in the central area of the mask (this sub-region is the preset low-frequency region of the image), and all pixel values inside the square sub-region are set to 1.

The images in the segmented image set are converted into frequency spectra by a Fourier transform.

The first segmented image is superimposed with the low-frequency image mask (that is, the pixels of the low-frequency image mask are multiplied by the pixels of the first segmented image (its frequency spectrum), giving a spectrum that retains only the low frequencies). The pixels of the first segmented image that lie inside the square sub-region are unchanged, while the pixel values outside the square sub-region all become 0; that is, the high-frequency component of the first segmented image is removed and only the low-frequency component is retained. An inverse Fourier transform is then applied to obtain the first low-frequency image.

The second segmented image is superimposed with the low-frequency image mask (that is, the pixels of the low-frequency image mask are multiplied by the pixels of the second segmented image, giving a spectrum that retains only the low frequencies). The pixels of the second segmented image that lie inside the square sub-region are unchanged, while the pixel values outside the square sub-region all become 0; that is, the high-frequency component of the second segmented image is removed and only the low-frequency component is retained. An inverse Fourier transform is then applied to obtain the second low-frequency image.

The third segmented image is superimposed with the low-frequency image mask (that is, the pixels of the low-frequency image mask are multiplied by the pixels of the third segmented image, giving a spectrum that retains only the low frequencies). The pixels of the third segmented image that lie inside the square sub-region are unchanged, while the pixel values outside the square sub-region all become 0; that is, the high-frequency component of the third segmented image is removed and only the low-frequency component is retained. An inverse Fourier transform is then applied to obtain the third low-frequency image.

The first low-frequency image (the low-frequency image of the R color channel), the second low-frequency image (the low-frequency image of the G color channel) and the third low-frequency image (the low-frequency image of the B color channel) correspond to one another: they are the low-frequency images of the three color channels of one image. The first, second and third low-frequency images are merged to obtain a low-frequency image with all color channels, which is the target low-frequency image. All images in the segmented image set are processed in this way in turn, and all of the target low-frequency images are combined to obtain the target low-frequency image set.

In some embodiments, in step S300, the preset mask includes a second preset mask, and the second preset mask is a high-frequency image mask;

Processing the segmented image set according to the preset mask to obtain the target high-frequency image set includes:

superimposing the second preset mask on the first segmented images in the first segmented image set to obtain a first high-frequency image set;

superimposing the second preset mask on the second segmented images in the second segmented image set to obtain a second high-frequency image set;

superimposing the second preset mask on the third segmented images in the third segmented image set to obtain a third high-frequency image set;

merging the first high-frequency image set, the second high-frequency image set and the third high-frequency image set to obtain the target high-frequency image set.

Specifically, the high-frequency image mask is constructed in advance and has the same size as the images in the segmented image set. All pixel values of the high-frequency image mask are set to 1, a square sub-region is placed in the central area of the mask (this sub-region is the preset low-frequency region of the image), and all pixel values inside the square sub-region are set to 0.

The first segmented image is superimposed with the high-frequency image mask, that is, the pixels of the high-frequency image mask are multiplied point-wise by the pixels of the first segmented image, which yields a spectrogram that retains only the high frequencies. Pixels of the first segmented image inside the square sub-region all become 0, while pixel values outside the square sub-region are unchanged; in other words, the low-frequency components of the first segmented image are removed and only the high-frequency components are retained. An inverse Fourier transform is then performed to obtain the first high-frequency image.

The second segmented image is superimposed with the high-frequency image mask, that is, the pixels of the high-frequency image mask are multiplied point-wise by the pixels of the second segmented image, which yields a spectrogram that retains only the high frequencies. Pixels of the second segmented image inside the square sub-region all become 0, while pixel values outside the square sub-region are unchanged; in other words, the low-frequency components of the second segmented image are removed and only the high-frequency components are retained. An inverse Fourier transform is then performed to obtain the second high-frequency image.

The third segmented image is superimposed with the high-frequency image mask, that is, the pixels of the high-frequency image mask are multiplied point-wise by the pixels of the third segmented image, which yields a spectrogram that retains only the high frequencies. Pixels of the third segmented image inside the square sub-region all become 0, while pixel values outside the square sub-region are unchanged; in other words, the low-frequency components of the third segmented image are removed and only the high-frequency components are retained. An inverse Fourier transform is then performed to obtain the third high-frequency image.

The first high-frequency image (the high-frequency image of the R color channel), the second high-frequency image (the high-frequency image of the G color channel) and the third high-frequency image (the high-frequency image of the B color channel) correspond to one another: they are the high-frequency images of the three color channels of a single image. The first, second and third high-frequency images are merged to obtain a high-frequency image with the complete set of color channels, which is the target high-frequency image. All images in the segmented image set are processed in turn in this way, and all target high-frequency images are combined to obtain the target high-frequency image set.
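The low- and high-frequency masking steps described above, written out with NumPy as an added example (not code from the patent): each color channel is transformed to a centred spectrum, multiplied by the mask, and inverse-transformed. Assumptions: the spectrum is centred with `fftshift`, the square has half-width `r` (a hypothetical parameter), and the sample image is constructed.

```python
import numpy as np


def square_masks(h, w, r):
    """Return (low_mask, high_mask) for an h x w centred spectrum.

    low_mask is 1 inside a centred (2r+1) x (2r+1) square and 0 elsewhere;
    high_mask is the complement (1 everywhere, 0 inside the square).
    The square is symmetric about the zero frequency, so each masked
    spectrum still inverts to a real-valued image.
    """
    if not 0 <= r < min(h, w) // 2:
        raise ValueError("r must keep the square inside the spectrum")
    low = np.zeros((h, w))
    cy, cx = h // 2, w // 2  # where fftshift places the zero frequency
    low[cy - r:cy + r + 1, cx - r:cx + r + 1] = 1.0
    return low, 1.0 - low


def split_channel(channel, low_mask, high_mask):
    """Split one color channel into its low- and high-frequency images."""
    spectrum = np.fft.fftshift(np.fft.fft2(channel))

    def back(masked):
        # Undo the centring, then inverse Fourier transform.
        return np.fft.ifft2(np.fft.ifftshift(masked)).real

    return back(spectrum * low_mask), back(spectrum * high_mask)


def split_image(img, r):
    """img: H x W x 3 float array (R, G, B). Returns (low, high), same shape."""
    h, w, channels = img.shape
    low_mask, high_mask = square_masks(h, w, r)
    parts = [split_channel(img[:, :, c], low_mask, high_mask)
             for c in range(channels)]
    low = np.stack([p[0] for p in parts], axis=2)   # merge R, G, B again
    high = np.stack([p[1] for p in parts], axis=2)
    return low, high


def make_sample(size=32, eps=0.03):
    """Constructed input: smooth image plus a checkerboard perturbation."""
    y, x = np.mgrid[0:size, 0:size]
    clean = np.stack(
        [0.5 + 0.2 * np.cos(2 * np.pi * (c + 1) * x / size)
         + 0.1 * np.sin(2 * np.pi * y / size) for c in range(3)],
        axis=2,
    )
    checker = np.where((x + y) % 2 == 0, 1.0, -1.0)
    perturbation = eps * checker[:, :, None] * np.ones(3)
    return clean, perturbation


if __name__ == "__main__":
    clean, perturbation = make_sample()
    low, high = split_image(clean + perturbation, r=4)
    print("max |low - clean|        :", np.abs(low - clean).max())
    print("max |high - perturbation|:", np.abs(high - perturbation).max())
    print("max |low + high - input| :",
          np.abs(low + high - clean - perturbation).max())
```

Because the two masks are complementary, the low- and high-frequency images always sum back to the input; in this constructed case the checkerboard perturbation lands entirely in the high-frequency image, which is the part the method then denoises.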

In some embodiments, in step S500, inputting the target low-frequency image set and the target noise-reduced high-frequency image set to the preset target generator for fusion to generate the defensive adversarial sample set includes:

inputting each low-frequency image in the target low-frequency image set, together with the noise-reduced high-frequency image corresponding to that low-frequency image, to the preset target generator for fusion to generate the defensive adversarial sample set.

Specifically, the low-frequency images in the target low-frequency image set and the noise-reduced high-frequency images in the target noise-reduced high-frequency image set correspond to each other in order, so each low-frequency image has one corresponding noise-reduced high-frequency image. Each low-frequency image and its corresponding noise-reduced high-frequency image are input to the preset target generator for fusion to generate a defensive adversarial sample, and all defensive adversarial samples are combined to obtain the defensive adversarial sample set. Removing the noise from the high-frequency image removes the adversarial perturbation distributed in the high-frequency component image, which brings the adversarial sample closer to the original image so that it can be classified correctly.

In some embodiments, the training process of the preset target generator includes:

iteratively training a generator and a discriminator according to the target low-frequency image set and the target noise-reduced high-frequency image set;

in response to determining that the loss of the discriminator after iteration reaches a preset threshold, taking the generator after iteration as the target generator.

Specifically, the generator and the discriminator form an adversarial network. The discriminator's role is to distinguish samples produced by the generator from real samples, while the generator's role is to produce samples as close as possible to real samples, thereby effectively capturing the distribution of the real data. After training, the generator can be used to generate defensive adversarial samples. The generator and the discriminator are trained iteratively on the low-frequency images in the target low-frequency image set and their corresponding noise-reduced high-frequency images until a preset termination condition is met: when the discriminator loss reaches the specified threshold, the algorithm stops and the resulting generator is the required target generator.

In some embodiments, the training process of the preset target generator includes:

iteratively training a generator and a discriminator according to the target low-frequency image set and the target noise-reduced high-frequency image set;

in response to the number of iteration rounds reaching the iteration-round threshold, stopping the iterative training and outputting the generator trained in that round as the target generator.

Specifically, the generator and the discriminator form an adversarial network. The discriminator's role is to distinguish samples produced by the generator from real samples, while the generator's role is to produce samples as close as possible to real samples, thereby effectively capturing the distribution of the real data. After training, the generator can be used to generate defensive adversarial samples. The generator and the discriminator are trained iteratively on the low-frequency images in the target low-frequency image set and their corresponding noise-reduced high-frequency images until a preset termination condition is met: when the number of iteration rounds reaches the specified threshold, the algorithm stops and the resulting generator is the required target generator.

In some embodiments, iteratively training the generator and the discriminator according to the target low-frequency image set and the target noise-reduced high-frequency image set includes:

performing the following operations for each round of iterative training:

concatenating the low-frequency image with its corresponding noise-reduced high-frequency image and inputting the result to the generator to obtain a fused image;

inputting the fused image and the original sample corresponding to that image to the discriminator to obtain the loss of the discriminator;

updating the discriminator according to the loss of the discriminator to obtain the discriminator for the next iteration;

updating the generator according to the discriminator for the next iteration to obtain the generator for the next iteration.

Specifically, the low-frequency image is concatenated with its corresponding noise-reduced high-frequency image and input to the generator to obtain a defensive adversarial sample. The defensive adversarial sample and the original sample are input to the discriminator to determine whether the perturbation in the generator can cause the discriminator to misclassify, that is, whether it can fool the discriminator. The discriminator then outputs a loss; the discriminator is updated according to this loss to obtain the discriminator for the next iteration, and the generator is updated according to the discriminator for the next iteration to obtain the generator for the next iteration.

It should be noted that the embodiments of the present application can also be described as follows:

Initialize the model parameters of the generator G and the discriminator D.

Draw n samples from the original data set and obtain their corresponding low-frequency images and noise-reduced high-frequency images.

Train the discriminator and the generator alternately, performing the following operations in each round of iteration:

First, fix the model parameters of the generator G and train the discriminator D. The low-frequency image and the noise-reduced high-frequency image are concatenated along dimension 0, and the concatenated image is input to the generator to obtain a fused image. The fused image is input to the discriminator to obtain the discriminator's loss, and the discriminator is updated using this loss.

After the discriminator D has been trained k times, fix the model parameters of D and train the generator G. The low-frequency adversarial sample and the noise-reduced high-frequency adversarial sample are concatenated along dimension 0, and the concatenated image is input to the generator to obtain a fused image. The fused image is input to the discriminator to obtain the discriminator's loss, and the generator is updated using this loss. The goal of training is to make the samples produced by the generator hard for the discriminator to distinguish.

At the end of the iterations, the discriminator D can no longer tell whether a sample produced by the generator G is a real original sample or a sample generated by G. At this point the confidence with which a generated sample is judged to be generated equals the confidence with which it is judged to be real, both being 0.5.

The number of samples n and the number of discriminator training steps k in each round of iteration can be chosen according to the actual situation.
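The alternating schedule and the two stopping rules described above (discriminator-loss threshold, or a cap on the number of rounds), as an added example that is not code from the patent. Assumptions: the generator is a stand-in affine fusion and the discriminator a stand-in logistic regression with hand-written gradients, the data are constructed, and "reaches the threshold" is taken to mean the discriminator's loss has risen to at least `loss_threshold`.

```python
import numpy as np


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def make_toy_batch(n=16, d=64, seed=0):
    """Constructed data: flattened originals with their low / denoised-high parts."""
    rng = np.random.default_rng(seed)
    low = rng.uniform(0.2, 0.8, size=(n, d))
    high = rng.normal(0.0, 0.05, size=(n, d))
    return low, high, low + high  # in this toy set, original = low + high


def generator(theta, pair):
    """Stand-in G: affine fusion of the two halves of the concatenated input."""
    d = pair.shape[1] // 2
    a, b, c = theta
    return a * pair[:, :d] + b * pair[:, d:] + c


def d_loss(w, bias, real, fused):
    """Stand-in D (logistic regression): originals -> 1, fused images -> 0."""
    p_real = sigmoid(real @ w + bias)
    p_fused = sigmoid(fused @ w + bias)
    loss = (-np.mean(np.log(p_real + 1e-12))
            - np.mean(np.log(1.0 - p_fused + 1e-12)))
    return loss, p_real, p_fused


def train(low, high, real, k=2, max_rounds=50, loss_threshold=None, lr=0.1):
    """Alternate k discriminator steps with one generator step per round.

    Returns (theta, rounds_run, stop_reason, last_discriminator_loss).
    """
    if max_rounds < 1:
        raise ValueError("max_rounds must be at least 1")
    # Each row is one sample, so axis=1 here is the per-sample
    # concatenation of the low and denoised high images.
    pair = np.concatenate([low, high], axis=1)
    d = real.shape[1]
    theta = np.array([0.5, 0.5, 0.0])  # generator parameters (a, b, c)
    w, bias = np.zeros(d), 0.0         # discriminator parameters

    for rnd in range(1, max_rounds + 1):
        # Phase 1: G fixed, train D for k steps on (original, fused) pairs.
        fused = generator(theta, pair)
        for _ in range(k):
            _, p_real, p_fused = d_loss(w, bias, real, fused)
            grad_w = (((p_real - 1.0)[:, None] * real).mean(0)
                      + (p_fused[:, None] * fused).mean(0))
            grad_b = (p_real - 1.0).mean() + p_fused.mean()
            w = w - lr * grad_w
            bias = bias - lr * grad_b

        # Phase 2: D fixed, update G so that D's loss goes up.
        _, _, p_fused = d_loss(w, bias, real, fused)
        grad_theta = np.array([
            np.mean(p_fused * (pair[:, :d] @ w)),   # d loss / d a
            np.mean(p_fused * (pair[:, d:] @ w)),   # d loss / d b
            np.mean(p_fused) * w.sum(),             # d loss / d c
        ])
        theta = theta + lr * grad_theta

        # Stopping rule 1 (assumed direction): D's loss reached the threshold.
        loss = d_loss(w, bias, real, generator(theta, pair))[0]
        if loss_threshold is not None and loss >= loss_threshold:
            return theta, rnd, "loss_threshold", loss

    # Stopping rule 2: the round limit was reached.
    return theta, max_rounds, "max_rounds", loss


if __name__ == "__main__":
    low, high, real = make_toy_batch()
    theta, rounds, reason, loss = train(low, high, real, k=3, max_rounds=200,
                                        loss_threshold=1.38)
    print(f"stopped after {rounds} rounds ({reason}), D loss {loss:.4f}")
```

With a binary cross-entropy loss, a discriminator that outputs 0.5 for every input has loss 2·ln 2 ≈ 1.386, which is why the usage line picks a threshold just below that value.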

It should be noted that the method of the embodiments of the present application may be executed by a single device, such as a computer or a server. The method of this embodiment can also be applied in a distributed scenario and carried out by multiple devices cooperating with one another. In such a distributed scenario, one of the devices may execute only one or more steps of the method of the embodiments of the present application, and the devices interact with one another to complete the method.

It should be noted that some embodiments of the present application have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims can be performed in an order different from that in the above embodiments and still achieve the desired results. In addition, the processes depicted in the accompanying drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired results. In certain implementations, multitasking and parallel processing are also possible or may be advantageous.

Based on the same inventive concept, and corresponding to the method of any of the above embodiments, the present application also provides a neural network adversarial example defense device.

Referring to FIG. 2, the neural network adversarial example defense device includes:

an acquisition module 201, configured to acquire an adversarial data set;

a segmentation module 202, configured to segment each image in the adversarial data set according to color channel to obtain a segmented image set;

a first processing module 203, configured to process the segmented image set according to a preset mask to obtain a target low-frequency image set and a target high-frequency image set;

a second processing module 204, configured to perform noise reduction on the target high-frequency image set according to a preset noise reduction method to obtain a target noise-reduced high-frequency image set;

a generation module 205, configured to input the target low-frequency image set and the target noise-reduced high-frequency image set to a preset target generator for fusion to generate a defensive adversarial sample set.

For convenience of description, the above device is described with its functions divided into separate modules. Of course, when implementing the present application, the functions of the modules may be realized in one or more pieces of software and/or hardware.

The device of the above embodiment is used to implement the corresponding neural network adversarial example defense method of any of the foregoing embodiments and has the beneficial effects of the corresponding method embodiment, which are not repeated here.

Based on the same inventive concept, and corresponding to the method of any of the above embodiments, the present application also provides an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, it implements the neural network adversarial example defense method of any of the above embodiments.

FIG. 3 shows a more specific schematic diagram of the hardware structure of an electronic device provided by this embodiment. The device may include a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040 and a bus 1050. The processor 1010, the memory 1020, the input/output interface 1030 and the communication interface 1040 are communicatively connected to one another inside the device through the bus 1050.

The processor 1010 may be implemented as a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is used to execute the relevant programs so as to implement the technical solutions provided by the embodiments of this specification.

The memory 1020 may be implemented as ROM (Read Only Memory), RAM (Random Access Memory), a static storage device, a dynamic storage device, and the like. The memory 1020 can store an operating system and other application programs. When the technical solutions provided by the embodiments of this specification are implemented in software or firmware, the relevant program code is stored in the memory 1020 and is called and executed by the processor 1010.

The input/output interface 1030 is used to connect an input/output module for information input and output. The input/output module may be configured in the device as a component (not shown in the figure) or may be externally connected to the device to provide the corresponding functions. Input devices may include a keyboard, mouse, touch screen, microphone, various sensors and the like, and output devices may include a display, speaker, vibrator, indicator light and the like.

The communication interface 1040 is used to connect a communication module (not shown in the figure) so that this device can communicate with other devices. The communication module may communicate by wired means (for example USB or a network cable) or by wireless means (for example a mobile network, WIFI or Bluetooth).

The bus 1050 includes a path that carries information between the components of the device (for example the processor 1010, the memory 1020, the input/output interface 1030 and the communication interface 1040).

It should be noted that although only the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050 are shown for the above device, in a specific implementation the device may also include other components necessary for normal operation. In addition, those skilled in the art will understand that the above device may include only the components necessary to implement the solutions of the embodiments of this specification and need not include all the components shown in the figure.

The electronic device of the above embodiment is used to implement the corresponding neural network adversarial example defense method of any of the foregoing embodiments and has the beneficial effects of the corresponding method embodiment, which are not repeated here.

Based on the same inventive concept, and corresponding to the method of any of the above embodiments, the present application also provides a non-transitory computer-readable storage medium that stores computer instructions, the computer instructions being used to cause the computer to execute the neural network adversarial example defense method of any of the above embodiments.

The computer-readable media of this embodiment include permanent and non-permanent, removable and non-removable media, which may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device.

The computer instructions stored in the storage medium of the above embodiment are used to cause the computer to execute the neural network adversarial example defense method of any of the above embodiments and have the beneficial effects of the corresponding method embodiment, which are not repeated here.

Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is exemplary only and is not intended to imply that the scope of the present application (including the claims) is limited to these examples. Within the spirit of the present application, technical features of the above embodiments or of different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present application as described above, which are not provided in detail for the sake of brevity.

In addition, to simplify the description and discussion, and so as not to obscure the embodiments of the present application, well-known power/ground connections to integrated circuit (IC) chips and other components may or may not be shown in the provided drawings. Furthermore, devices may be shown in block-diagram form to avoid obscuring the embodiments of the present application, which also reflects the fact that details of the implementation of these block-diagram devices depend heavily on the platform on which the embodiments are to be implemented (that is, these details should be well within the understanding of those skilled in the art). Where specific details (for example, circuits) are set forth to describe exemplary embodiments of the present application, it will be apparent to those skilled in the art that the embodiments can be implemented without these specific details or with variations of them. Accordingly, these descriptions should be regarded as illustrative rather than restrictive.

Although the present application has been described in conjunction with specific embodiments, many alternatives, modifications and variations of these embodiments will be apparent to those of ordinary skill in the art from the foregoing description. For example, other memory architectures (for example, dynamic RAM (DRAM)) may use the embodiments discussed.

The embodiments of the present application are intended to cover all such alternatives, modifications and variations that fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent replacement, improvement and the like made within the spirit and principles of the embodiments of the present application shall fall within the scope of protection of the present application.

Claims (10)

1. A method of neural network challenge sample defense, comprising:
acquiring a countermeasure data set;
dividing each image in the countermeasure data set according to a color channel to obtain a divided image set;
processing the segmented image set according to a preset mask to obtain a target low-frequency image set and a target high-frequency image set;
carrying out noise reduction treatment on the target high-frequency image set according to a preset noise reduction method to obtain a target noise reduction high-frequency image set;
inputting the target low-frequency image set and the target noise reduction high-frequency image set into a preset target generator for fusion, and generating a defense countermeasure sample set.
2. The method of claim 1, wherein the color channels comprise a first color channel, a second color channel, and a third color channel, the first color channel being a red color channel, the second color channel being a green color channel, and the third color channel being a blue color channel;
dividing each image in the countermeasure data set according to the color channel to obtain a divided image set, including:
dividing each image in the countermeasure data set according to a first color channel to obtain a first divided image set;
dividing each image in the countermeasure data set according to a second color channel to obtain a second divided image set;
dividing each image in the countermeasure data set according to a third color channel to obtain a third divided image set;
and combining the first divided image set, the second divided image set and the third divided image set into a set, and taking the set as the divided image set.
3. The method of claim 2, wherein the pre-set mask comprises a first pre-set mask, the first pre-set mask being a low frequency image mask;
the processing the segmented image set according to a preset mask to obtain a target low-frequency image set comprises the following steps:
superposing the first preset mask and a first segmentation image in the first segmentation image set to obtain a first low-frequency image set;
superposing the first preset mask and a second segmentation image in the second segmentation image set to obtain a second low-frequency image set;
superposing the first preset mask and a third segmentation image in the third segmentation image set to obtain a third low-frequency image set;
and merging the first low-frequency image set, the second low-frequency image set and the third low-frequency image set to obtain a target low-frequency image set.
4. The method of claim 2, wherein the pre-set mask comprises a second pre-set mask, the second pre-set mask being a high frequency image mask;
the processing the segmented image set according to a preset mask to obtain a target frequency image set comprises the following steps:
superposing the second preset mask and a first segmentation image in the first segmentation image set to obtain a first high-frequency image set;
superposing the second preset mask and a second segmentation image in the second segmentation image set to obtain a second high-frequency image set;
superposing the second preset mask and a third segmentation image in the third segmentation image set to obtain a third high-frequency image set;
and merging the first high-frequency image set, the second high-frequency image set and the third high-frequency image set to obtain a target frequency image set.
5. The method of claim 1, wherein inputting the target low-frequency image set and the target noise-reduction high-frequency image set into a preset target generator for fusion, generating a defense countermeasure sample set, comprises:
and inputting the low-frequency image in the target low-frequency image set and the noise reduction high-frequency image corresponding to the low-frequency image into a preset target generator for fusion, and generating the defense countermeasure sample set.
6. The method of claim 1, wherein the training process of the preset target generator comprises:
performing iterative training on a generator and a discriminator according to the target low-frequency image set and the target noise reduction high-frequency image set;
and in response to the loss of the discriminator after iteration reaching a preset threshold value, taking the generator after iteration as the target generator.
7. The method of claim 1, wherein the training process of the preset target generator comprises:
performing iterative training on a generator and a discriminator according to the target low-frequency image set and the target noise reduction high-frequency image set;
and stopping iterative training in response to the iteration round number reaching the iteration round number threshold value, and outputting the generator trained for that number of iteration rounds as the target generator.
8. The method according to claim 6 or 7, wherein iteratively training a generator and a discriminator according to the target low-frequency image set and the target noise-reduction high-frequency image set comprises:
for each round of iterative training, the following operations are performed:
splicing the low-frequency image and the corresponding noise-reduction high-frequency image, and inputting the spliced low-frequency image and the corresponding noise-reduction high-frequency image into the generator to obtain a fusion image;
inputting the fusion image and an original sample corresponding to the image into the discriminator to obtain the loss of the discriminator;
updating the discriminator according to the loss of the discriminator to obtain the discriminator in the next iteration;
updating the generator according to the discriminator in the next iteration to obtain the generator in the next iteration.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of claims 1 to 8 when the program is executed by the processor.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 8.
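The per-channel split, masking and merge of claims 2 to 4, as an added example that is not part of the patent text. It assumes the preset masks are a circular low-pass mask and its complement applied to the centred 2-D FFT of each colour channel; the function names, the radius and the sample data are hypothetical.

```python
import numpy as np

def low_pass_mask(h, w, radius):
    """1 within `radius` bins of the DC term of a centred spectrum, 0 elsewhere."""
    yy, xx = np.ogrid[:h, :w]
    return ((yy - h // 2) ** 2 + (xx - w // 2) ** 2 <= radius ** 2).astype(float)

def apply_mask(channel, mask):
    """Mask one colour channel in the frequency domain; return the spatial image."""
    spectrum = np.fft.fftshift(np.fft.fft2(channel))
    return np.real(np.fft.ifft2(np.fft.ifftshift(spectrum * mask)))

def split_frequencies(images, radius=8):
    """images: (N, H, W, 3). Returns the merged low- and high-frequency sets."""
    n, h, w, c = images.shape
    lp = low_pass_mask(h, w, radius)   # assumed form of the first preset mask
    hp = 1.0 - lp                      # assumed form of the second preset mask
    low, high = np.empty_like(images), np.empty_like(images)
    for ch in range(c):                # one divided image set per colour channel
        for i in range(n):
            low[i, :, :, ch] = apply_mask(images[i, :, :, ch], lp)
            high[i, :, :, ch] = apply_mask(images[i, :, :, ch], hp)
    return low, high                   # channels merged back into one set each

def high_band_share(clean, perturbed, radius=8):
    """Fraction of the perturbation's energy that lands in the high-frequency set."""
    low_c, high_c = split_frequencies(clean, radius)
    low_p, high_p = split_frequencies(perturbed, radius)
    e_low = np.sum((low_p - low_c) ** 2)
    e_high = np.sum((high_p - high_c) ** 2)
    return e_high / (e_low + e_high)

def make_constructed_batch(n=2, size=32, eps=8 / 255, seed=0):
    """Constructed data: smooth images plus random-sign noise (not a real attack)."""
    rng = np.random.default_rng(seed)
    y, x = np.mgrid[:size, :size] / size
    base = 0.5 + 0.2 * np.cos(2 * np.pi * x) + 0.2 * np.cos(4 * np.pi * y)
    clean = np.repeat(base[None, :, :, None], 3, axis=3).repeat(n, axis=0)
    noise = eps * rng.choice([-1.0, 1.0], size=clean.shape)
    return clean, clean + noise

if __name__ == "__main__":
    clean, perturbed = make_constructed_batch()
    low, high = split_frequencies(perturbed)
    print("reconstruction error:", np.abs(low + high - perturbed).max())
    print("share of perturbation in high band:", high_band_share(clean, perturbed))
```

Because the two masks are complementary, the low- and high-frequency sets sum back to the input, so any information lost by the defense comes from the later noise-reduction and fusion steps rather than from the split itself.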
CN202310362917.5A 2023-04-06 2023-04-06 A neural network anti-sample defense method, electronic equipment and storage medium Pending CN116523000A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310362917.5A CN116523000A (en) 2023-04-06 2023-04-06 A neural network anti-sample defense method, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310362917.5A CN116523000A (en) 2023-04-06 2023-04-06 A neural network anti-sample defense method, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116523000A true CN116523000A (en) 2023-08-01

Family

ID=87402094

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310362917.5A Pending CN116523000A (en) 2023-04-06 2023-04-06 A neural network anti-sample defense method, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116523000A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117173508A (en) * 2023-09-05 2023-12-05 贵州大学 Anti-attack image generation method, device, equipment and storage medium
CN119380132A (en) * 2024-09-19 2025-01-28 华南理工大学 Image classification adversarial sample defense method, device, electronic device and medium

Similar Documents

Publication Publication Date Title
US12387527B2 (en) Detecting forged facial images using frequency domain information and local correlation
CN111368685B (en) Method and device for identifying key points, readable medium and electronic equipment
US10740912B2 (en) Detection of humans in images using depth information
CN109416727B (en) Method and device for removing glasses from face image
CN118097157B (en) Image segmentation method and system based on fuzzy clustering algorithm
CN114511041B (en) Model training method, image processing method, apparatus, equipment and storage medium
CN108229344A (en) Image processing method and device, electronic equipment, computer program and storage medium
CN111368668B (en) Three-dimensional hand recognition method and device, electronic equipment and storage medium
CN108734052A (en) Text detection method, device and system
CN106068537A (en) For the method and apparatus processing image
CN110070499A (en) Image processing method, device and computer readable storage medium
US9659234B1 (en) Adaptive selection of scale invariant image feature keypoints
CN111783777B (en) Image processing method, apparatus, electronic device, and computer readable medium
WO2020155984A1 (en) Facial expression image processing method and apparatus, and electronic device
CN116523000A (en) A neural network anti-sample defense method, electronic equipment and storage medium
CN111353325A (en) Key point detection model training method and device
CN114626118A (en) Building indoor model generation method and device
US20230351163A1 (en) Method and device for processing data based on multi-layer perceptrons
CN112070022A (en) Face image recognition method and device, electronic equipment and computer readable medium
CN111126248A (en) Method and device for identifying shielded vehicle
CN112950516B (en) Method and device for enhancing local contrast of image, storage medium and electronic equipment
CN111815656B (en) Video processing method, apparatus, electronic device and computer readable medium
WO2025021169A1 (en) Image processing method and device, and storage medium and program product
CN110070482A (en) Image processing method, device and computer readable storage medium
CN116778015A (en) Model edge tracing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination