CN111488898A - Countermeasure data acquisition method, device, equipment and storage medium - Google Patents


Info

Publication number
CN111488898A
Authority
CN
China
Prior art keywords
data
feature
target data
target
countermeasure
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910081343.8A
Other languages
Chinese (zh)
Other versions
CN111488898B (en)
Inventor
申世伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Dajia Internet Information Technology Co Ltd
Original Assignee
Beijing Dajia Internet Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Dajia Internet Information Technology Co Ltd
Priority to CN201910081343.8A
Publication of CN111488898A
Application granted
Publication of CN111488898B
Active
Anticipated expiration

Abstract

The disclosure relates to a countermeasure data acquisition method, a countermeasure data acquisition device, equipment and a storage medium, and belongs to the technical field of computers. The method comprises the following steps: acquiring first target data and second target data, wherein the category of the first target data is different from that of the second target data; acquiring a first feature of the first target data and a second feature of the second target data based on the feature extraction model; acquiring interference data according to the first characteristic and the second characteristic, wherein the interference data is used for describing the difference between the second characteristic and the first characteristic; and acquiring first countermeasure data corresponding to the first target data according to the first target data and the interference data, wherein the first countermeasure data and the second target data are divided into the same category. Because the acquisition process of the countermeasure data is irrelevant to the classification models, the countermeasure data acquired by the method provided by the embodiment of the disclosure can be applied to the training process of a plurality of classification models, so that the accuracy of the plurality of classification models is improved, and the applicability is improved.

Description

Countermeasure data acquisition method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a countermeasure data acquisition method, apparatus, device, and storage medium.
Background
Classification models based on machine learning algorithms are widely used because of their good learning performance and classification accuracy. However, under the influence of various factors, data can be perturbed into countermeasure data, which reduces classification accuracy. It is therefore necessary to acquire countermeasure data and train the classification model on it to obtain a classification model with higher accuracy.
In the related art, after the original data is obtained, the original data is modified by using a preset algorithm to obtain first data. And classifying the original data and the first data respectively based on the trained classification model to obtain the category of the original data and the category of the first data. And if the type of the first data is different from that of the original data, determining the first data as countermeasure data corresponding to the original data. And if the type of the first data is the same as that of the original data, continuously modifying the first data by adopting a preset algorithm until the type of the modified data is different from that of the original data.
The countermeasure data acquired in this scheme is determined based on a specific classification model, so it is suitable only for that classification model and not for other classification models: it is highly model-specific and transfers poorly.
Disclosure of Invention
The present disclosure provides a countermeasure data acquisition method, apparatus, device, and computer-readable storage medium, which can overcome the problem in the related art that acquired countermeasure data is only applicable to a specific classification model and not applicable to other classification models.
According to a first aspect of embodiments of the present disclosure, there is provided a countermeasure data acquisition method, the method including:
acquiring first target data and second target data, wherein the category of the first target data is different from that of the second target data;
acquiring a first feature of the first target data and a second feature of the second target data based on a feature extraction model, wherein the first feature is used for describing the first target data, and the second feature is used for describing the second target data;
acquiring interference data according to the first characteristic and the second characteristic, wherein the interference data is used for describing the difference between the second characteristic and the first characteristic;
and acquiring first countermeasure data corresponding to the first target data according to the first target data and the interference data, wherein the first countermeasure data and the second target data are divided into the same category.
In a possible implementation manner, the obtaining interference data according to the first feature and the second feature includes:
acquiring the distance between the second feature and the first feature according to the first feature and the second feature;
and acquiring the interference data by adopting the following functions according to the distance and the first target data:
Figure BDA0001960471150000021
where $J(\theta, x, x_{target})$ is the interference data, $\theta$ is a parameter of the function, $x$ is the first target data, $x_{target}$ is the second target data, $\mathrm{Distance}(F_{target} - F_{origin})$ is the distance between the second feature and the first feature, and
Figure BDA0001960471150000022
is the gradient obtained by taking the partial derivative with respect to the first target data.
In another possible implementation manner, the obtaining, according to the first target data and the interference data, first countermeasure data corresponding to the first target data includes:
calculating the first countermeasure data from the first target data and the interference data using the following function:
$x_{adv} = x + \epsilon \cdot \mathrm{sign} \cdot J(\theta, x, x_{target})$
where $x_{adv}$ is the first countermeasure data, $x$ is the first target data, $J(\theta, x, x_{target})$ is the interference data, $\epsilon$ is a superposition coefficient and sign is a sign function.
In another possible implementation manner, the method further includes:
acquiring first original data;
acquiring a third feature of the first original data based on the feature extraction model, wherein the third feature is used for describing the first original data;
decoding the third characteristic based on a decoding model to obtain first data;
and training the feature extraction model and the decoding model according to the first data so as to lead the difference between the data processed based on the feature extraction model and the decoding model and the corresponding original data to tend to be minimum.
In another possible implementation manner, the training the feature extraction model and the decoding model according to the first data so that a difference between data processed based on the feature extraction model and the decoding model and corresponding original data tends to be minimum includes:
training the feature extraction model and the decoding model according to the first data and a preset loss function so as to lead the output value of the preset loss function to tend to be minimum;
and the difference between the data processed by the characteristic extraction model and the decoding model and the corresponding original data is positively correlated with the output value of the preset loss function.
In another possible implementation manner, the preset loss function is:
Figure BDA0001960471150000031
where $loss(\theta, x_{rec})$ is the preset loss function, $\theta$ is a parameter of the preset loss function, $x_{rec}$ is the second data, $W$ is the pixel width of the first original data, $H$ is the pixel height of the first original data, $x_{w,h}$ is the pixel point at width $w$ and height $h$ in the first original data, and
Figure BDA0001960471150000032
is the pixel point at width $w$ and height $h$ in the second data.
According to a second aspect of the embodiments of the present disclosure, there is provided a countermeasure data acquisition apparatus, the apparatus including:
a data acquisition unit configured to acquire first target data and second target data, the first target data having a category different from a category of the second target data;
a first feature obtaining unit configured to obtain a first feature of the first target data and a second feature of the second target data based on a feature extraction model, the first feature being used for describing the first target data, the second feature being used for describing the second target data;
an interference obtaining unit configured to obtain interference data describing a difference between the second feature and the first feature according to the first feature and the second feature;
the countermeasure acquisition unit is configured to acquire first countermeasure data corresponding to the first target data according to the first target data and the interference data, and the first countermeasure data and the second target data are classified into the same category.
In one possible implementation manner, the interference obtaining unit includes:
a distance acquisition subunit configured to acquire a distance between the first feature and the second feature according to the first feature and the second feature;
an interference obtaining subunit, configured to obtain, according to the distance and the first target data, the interference data by using the following function:
Figure BDA0001960471150000033
where $J(\theta, x, x_{target})$ is the interference data, $\theta$ is a parameter of the function, $x$ is the first target data, $x_{target}$ is the second target data, $\mathrm{Distance}(F_{target} - F_{origin})$ is the distance between the second feature and the first feature, and
Figure BDA0001960471150000041
is the gradient obtained by taking the partial derivative with respect to the first target data.
In another possible implementation manner, the countermeasure acquisition unit includes:
a countermeasure acquisition subunit configured to acquire the first countermeasure data by performing a calculation using the following function according to the first target data and the interference data:
$x_{adv} = x + \epsilon \cdot \mathrm{sign} \cdot J(\theta, x, x_{target})$
where $x_{adv}$ is the first countermeasure data, $x$ is the first target data, $J(\theta, x, x_{target})$ is the interference data, $\epsilon$ is a superposition coefficient and sign is a sign function.
In another possible implementation manner, the apparatus further includes:
a raw acquisition unit configured to acquire first raw data;
a second feature obtaining unit configured to obtain a third feature of the first raw data based on the feature extraction model, the third feature being used for describing the first raw data;
a decoding unit configured to perform decoding processing on the third feature based on a decoding model to obtain first data;
a training unit configured to train the feature extraction model and the decoding model according to the first data so that a difference between data processed based on the feature extraction model and the decoding model and corresponding original data tends to be minimum.
In another possible implementation manner, the training unit includes:
a training subunit configured to train the feature extraction model and the decoding model according to the first data and a preset loss function so that an output value of the preset loss function tends to be minimum;
and the difference between the data processed by the characteristic extraction model and the decoding model and the corresponding original data is positively correlated with the output value of the preset loss function.
In another possible implementation manner, the preset loss function is:
Figure BDA0001960471150000042
where $loss(\theta, x_{rec})$ is the preset loss function, $\theta$ is a parameter of the preset loss function, $x_{rec}$ is the second data, $W$ is the pixel width of the first original data, $H$ is the pixel height of the first original data, $x_{w,h}$ is the pixel point at width $w$ and height $h$ in the first original data, and
Figure BDA0001960471150000043
is the pixel point at width $w$ and height $h$ in the second data.
According to a third aspect of the embodiments of the present disclosure, there is provided a processing apparatus that acquires countermeasure data, the processing apparatus including:
one or more processors;
volatile or non-volatile memory for storing commands executable by the one or more processors;
wherein the one or more processors are configured to perform the countermeasure data acquisition method as described in the first aspect.
According to a fourth aspect of embodiments of the present disclosure, there is provided a non-transitory computer-readable storage medium having instructions therein, which when executed by a processor of a processing device, enable the processing device to perform the countermeasure data acquisition method as described in the first aspect.
According to a fifth aspect of embodiments of the present disclosure, there is provided a computer program product, wherein instructions of the computer program product, when executed by a processor of a processing device, enable the processing device to perform the countermeasure data acquisition method according to the first aspect.
According to the method, apparatus, device and storage medium provided by the embodiments of the present disclosure, features are extracted from first target data and second target data of different categories using a trained feature extraction model; interference data is obtained from the difference between the extracted features of the first target data and those of the second target data; and first countermeasure data corresponding to the first target data is obtained from the interference data and the first target data, the first countermeasure data and the first target data being classified into different categories. Because the acquisition of the countermeasure data is independent of any classification model, the countermeasure data obtained by this method can be used in the training of multiple classification models, which improves the accuracy of those models and the applicability of the data.
In addition, feature extraction is performed on the first original data based on the feature extraction model to obtain a third feature, the third feature is decoded based on the decoding model to obtain first data, and the feature extraction model and the decoding model are trained together according to the first data, so that the difference between data processed by the feature extraction model and the decoding model and the corresponding original data tends to a minimum. Training the feature extraction model and the decoding model on original data improves the accuracy of the feature extraction model, so that the features it produces describe the data accurately.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a flow diagram illustrating a countermeasure data acquisition method in accordance with an exemplary embodiment.
FIG. 2 is a flow diagram illustrating a countermeasure data acquisition method in accordance with an exemplary embodiment.
FIG. 3 is a schematic diagram illustrating a training flow of a feature extraction model and a decoding model according to an exemplary embodiment.
FIG. 4 is a schematic diagram illustrating a process for acquiring first countermeasure data according to an example embodiment.
Fig. 5 is a block diagram illustrating a countermeasure data acquisition device in accordance with an exemplary embodiment.
Fig. 6 is a block diagram illustrating a terminal for acquiring countermeasure data according to an example embodiment.
Fig. 7 is a schematic diagram illustrating a configuration of a server according to an example embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
Fig. 1 is a flowchart illustrating a countermeasure data acquisition method according to an exemplary embodiment, where as shown in fig. 1, the countermeasure data acquisition method is used in a processing device, where the processing device may be a terminal such as a mobile phone, a computer, a tablet computer, a smart television, or the processing device may also be a server, and includes the following steps:
In step 101, the processing device acquires first target data and second target data, the category of the first target data being different from the category of the second target data.
In step 102, the processing device obtains a first feature of the first target data and a second feature of the second target data based on the feature extraction model, wherein the first feature is used for describing the first target data, and the second feature is used for describing the second target data.
In step 103, the processing device obtains interference data according to the first feature and the second feature, and the interference data is used for describing the difference between the second feature and the first feature.
In step 104, the processing device obtains first countermeasure data corresponding to the first target data according to the first target data and the interference data, and the first countermeasure data and the second target data are classified into the same category.
According to the method provided by the embodiments of the present disclosure, features are extracted from first target data and second target data of different categories using a trained feature extraction model; interference data is obtained from the difference between the extracted features of the first target data and those of the second target data; and first countermeasure data corresponding to the first target data is obtained from the interference data and the first target data, the first countermeasure data and the first target data being classified into different categories. Because the acquisition of the countermeasure data is independent of any classification model, the countermeasure data obtained by this method can be used in the training of multiple classification models, which improves the accuracy of those models and the applicability of the data.
In one possible implementation manner, acquiring the interference data according to the first feature and the second feature includes:
acquiring the distance between the second feature and the first feature according to the first feature and the second feature;
and acquiring interference data by adopting the following functions according to the distance and the first target data:
Figure BDA0001960471150000071
where $J(\theta, x, x_{target})$ is the interference data, $\theta$ is a parameter of the function, $x$ is the first target data, $x_{target}$ is the second target data, $\mathrm{Distance}(F_{target} - F_{origin})$ is the distance between the second feature and the first feature, and
Figure BDA0001960471150000072
is the gradient obtained by taking the partial derivative with respect to the first target data.
In another possible implementation manner, acquiring first countermeasure data corresponding to the first target data according to the first target data and the interference data includes:
calculating the first countermeasure data from the first target data and the interference data using the following function:
$x_{adv} = x + \epsilon \cdot \mathrm{sign} \cdot J(\theta, x, x_{target})$
where $x_{adv}$ is the first countermeasure data, $x$ is the first target data, $J(\theta, x, x_{target})$ is the interference data, $\epsilon$ is the superposition coefficient and sign is the sign function.
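The perturbation step of steps 101 to 104, as an added example that is not part of the patent text, for checking generated countermeasure data before it is used in training. Assumptions, since the page does not give them: the feature extraction model is a constructed linear map `W`, Distance is the squared Euclidean norm, J is taken as the negative gradient of that distance with respect to x, sign is applied element-wise to J, and data values are clipped to [0, 1]; all function names are hypothetical.

```python
"""Toy walk-through of steps 101-104: perturb x toward x_target in feature space."""

# Constructed stand-in for a trained feature extraction model: a fixed linear
# map F(x) = W x from 4 input values ("pixels") to 2 features. Values are made up.
W = [
    [1.0, 0.5, -0.5, 0.0],
    [0.0, 1.0, 0.5, -1.0],
]


def extract_features(x, weights=W):
    """F(x): feature vector describing the input."""
    if any(len(row) != len(x) for row in weights):
        raise ValueError("input length does not match the feature extractor")
    return [sum(w * v for w, v in zip(row, x)) for row in weights]


def feature_difference(x, x_target, weights=W):
    """F_target - F_origin, component by component."""
    if len(x) != len(x_target):
        raise ValueError("x and x_target must have the same shape")
    f_origin = extract_features(x, weights)
    f_target = extract_features(x_target, weights)
    return [t - o for t, o in zip(f_target, f_origin)]


def feature_distance(x, x_target, weights=W):
    """Assumed Distance(F_target - F_origin): squared Euclidean norm."""
    return sum(d * d for d in feature_difference(x, x_target, weights))


def interference(x, x_target, weights=W):
    """Interference data J(theta, x, x_target), one value per input element.

    Assumption: J is the negative gradient of the distance with respect to x,
    i.e. the direction in input space that pulls F(x) toward F(x_target).
    For a linear extractor this is 2 * W^T (F_target - F_origin).
    """
    diff = feature_difference(x, x_target, weights)
    return [
        2.0 * sum(weights[k][i] * diff[k] for k in range(len(weights)))
        for i in range(len(x))
    ]


def sign(v):
    """Sign function: -1, 0 or 1."""
    return (v > 0) - (v < 0)


def countermeasure(x, x_target, epsilon, weights=W, lo=0.0, hi=1.0):
    """x_adv = x + epsilon * sign(J), clipped to the assumed data range [lo, hi]."""
    if epsilon < 0:
        raise ValueError("epsilon must be non-negative")
    j = interference(x, x_target, weights)
    return [min(hi, max(lo, xi + epsilon * sign(ji))) for xi, ji in zip(x, j)]


def summarize(x, x_target, epsilon, weights=W):
    """Return x_adv plus the numbers worth checking before using it for training."""
    x_adv = countermeasure(x, x_target, epsilon, weights)
    return {
        "x_adv": x_adv,
        "distance_before": feature_distance(x, x_target, weights),
        "distance_after": feature_distance(x_adv, x_target, weights),
        "linf_change": max(abs(a - b) for a, b in zip(x_adv, x)),
    }


# Constructed inputs: X plays the first target data, X_TARGET the second.
X = [0.2, 0.4, 0.6, 0.8]
X_TARGET = [0.9, 0.1, 0.3, 0.2]

if __name__ == "__main__":
    for key, value in summarize(X, X_TARGET, epsilon=0.1).items():
        print(key, value)
```

No classification model appears anywhere in the computation, which is the property the description relies on; `linf_change` confirms the change to each input value stays within the superposition coefficient.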
In another possible implementation manner, the method further includes:
acquiring first original data;
acquiring a third feature of the first original data based on the feature extraction model, wherein the third feature is used for describing the first original data;
decoding the third feature based on the decoding model to obtain first data;
the feature extraction model and the decoding model are trained on the first data such that differences between the data processed based on the feature extraction model and the decoding model and the corresponding original data tend to be minimized.
In another possible implementation manner, training the feature extraction model and the decoding model according to the first data so that the difference between the data processed based on the feature extraction model and the decoding model and the corresponding original data tends to be minimum includes:
training the feature extraction model and the decoding model according to the first data and the preset loss function so as to enable the output value of the preset loss function to tend to be minimum;
wherein the difference between the data processed by the feature extraction model and the decoding model and the corresponding original data is positively correlated with the output value of the preset loss function.
In another possible implementation, the predetermined loss function is:
Figure BDA0001960471150000081
where $loss(\theta, x_{rec})$ is the preset loss function, $\theta$ is a parameter of the preset loss function, $x_{rec}$ is the second data, $W$ is the pixel width of the first original data, $H$ is the pixel height of the first original data, $x_{w,h}$ is the pixel point at width $w$ and height $h$ in the first original data, and
Figure BDA0001960471150000082
is the pixel point at width $w$ and height $h$ in the second data.
FIG. 2 is a flow diagram illustrating a countermeasure data acquisition method, as shown in FIG. 2, for use in the processing device of the embodiment shown in FIG. 1, according to an exemplary embodiment, the method including the steps of:
In step 201, the processing device acquires first raw data.
When data to be classified is acquired, it can be classified based on the classification model to obtain its category. However, when original data is perturbed under the influence of various factors and becomes countermeasure data, the classification model is likely to misclassify that countermeasure data with high confidence, assigning it to a category different from that of the original data.
To avoid this problem, at least one piece of original data and its corresponding countermeasure data may be obtained as sample data. The original data may be an image, audio, video, or the like; the countermeasure data is obtained by adding interference to the original data and can mislead the classification model so that it assigns the original data and the countermeasure data to different categories. A classification model is then trained on the obtained sample data, so that data to be classified can be classified correctly regardless of whether it is original data or countermeasure data.
To this end, the embodiment of the present disclosure first trains a feature extraction model according to at least one piece of raw data, and acquires countermeasure data having a content similar to that of the target data and a category different from that of the target data based on the feature extraction model, the target data, and another target data having a category different from that of the target data.
The processing device may be a terminal or a server, and if the processing device is a terminal, the raw data may be obtained by shooting by the terminal, or may be obtained by recording by the terminal, or may be downloaded from the internet by the terminal, or may be sent to the terminal by another device. If the processing device is a server, the raw data can be uploaded to the server by the terminal or uploaded to the server by other devices.
In the embodiment of the present disclosure, only the first original data is used as sample data to describe a process of training the feature extraction model, and therefore, the processing device first acquires the first original data. The process of training the feature extraction model according to other sample data is similar to the process of training the feature extraction model according to the first original data, and is not repeated here.
In step 202, the processing device obtains a third feature of the first raw data based on the feature extraction model.
The feature extraction model is used for extracting features of the original data to obtain features of the original data.
In a possible implementation manner, when the data is subjected to feature extraction based on the feature extraction model, the obtained features may be high-dimensional expression features, the high-dimensional expression features include features of multiple dimensions of the data, and the data can be described from the multiple dimensions by extracting the features of the multiple dimensions, so that the data can be described as accurately as possible.
The processing equipment acquires a current feature extraction model, wherein the feature extraction model can be an initialized feature extraction model or a feature extraction model obtained after one or more times of training, and performs feature extraction on first original data based on the feature extraction model to obtain features of the first original data as third features, wherein the third features are used for describing the first original data.
In a possible implementation manner, the third feature may be a high-dimensional expression feature obtained by performing feature extraction on the first original data along multiple dimensions, so that the first original data can be described from multiple dimensions and therefore accurately.
For example, the first original data is an image, feature extraction is performed on the first original data according to two dimensions of color and shape to obtain a two-dimensional expression feature of the first original data, wherein the feature in the color dimension is a feature obtained based on pixel points and is determined according to a pixel value of each pixel point, the feature in the shape dimension may include a contour feature or a region feature, the contour feature is used for describing a contour of an object in the image, and the region feature is used for describing a shape of the object. The two-dimensional expression characteristic can describe the color and the shape of an object contained in the image more accurately, namely the first original data more accurately.
In step 203, the processing device performs decoding processing on the third feature based on the decoding model to obtain first data.
The processing device obtains a current decoding model, which may be an initialized decoding model or a decoding model obtained after one or more training, and performs decoding processing on the third feature based on the decoding model to obtain first data.
When feature extraction is performed based on the feature extraction model in step 202, the data format changes, so the data format of the third feature differs from that of the first original data. When decoding is performed based on the decoding model in step 203, format conversion can be carried out to convert the third feature into the first data, so that the first data has the same data format as the first original data and the two can be compared to measure the difference between them.
For example, the first original data is an m × n matrix. After feature extraction based on the feature extraction model, a third feature is obtained, where the third feature is an m1 × 1 matrix. Decoding the third feature based on the decoding model yields first data in the form of another m × n matrix. Also, there may be differences in content.
In step 204, the processing device trains the feature extraction model and the decoding model according to the first data, so that the difference between the data processed based on the feature extraction model and the decoding model and the corresponding original data tends to be minimum.
When the feature extraction model and the decoding model are trained, the training targets are as follows: the difference between the data processed based on the feature extraction model and the decoding model and the corresponding original data tends to be minimal. Since the smaller the difference between the processed data and the original data is, the more similar the content of the processed data and the original data is, when the difference between the processed data and the original data tends to be the smallest, the more similar the content of the processed data and the original data is, that is, the features obtained based on the current feature extraction model can accurately describe the original data.
Therefore, after the processing device acquires the first data, the processing device trains the feature extraction model and the decoding model according to the first data according to the training target, and then trains the feature extraction model and the decoding model one or more times in a similar manner, so that the difference between the data processed based on the feature extraction model and the decoding model and the corresponding original data tends to be minimum.
In a possible implementation manner, the processing device sets a preset loss function for the feature extraction model and the decoding model, and the difference between the data processed by the feature extraction model and the decoding model and the corresponding original data is positively correlated with the output value of the preset loss function, so that when the feature extraction model and the decoding model are trained according to the first data and the preset loss function, the training target is to make the output value of the preset loss function tend to be minimum, so as to ensure that the difference between the data processed by the feature extraction model and the decoding model and the original data tends to be minimum, that is, the contents of the two are relatively similar.
Therefore, the processing device obtains the first data and the preset loss function, calculates according to the first data and the preset loss function to obtain the output value of the preset loss function, trains the feature extraction model and the decoding model according to the output value of the preset loss function according to the training target, and trains the feature extraction model and the decoding model in a similar manner for one or more times to make the output value of the preset loss function tend to be minimum.
In one possible implementation, the predetermined loss function is:
Figure BDA0001960471150000101
wherein, loss (theta, x)rec) Is a predetermined loss function, theta is a parameter of the predetermined loss function, xrecW is the width of the pixel in the first original data, H is the height of the pixel in the first original data, xw,hThe pixel points with width w and height h in the first original data,
Figure BDA0001960471150000102
the pixel points with width w and height h are located in the second data.
With this training mode, training is performed one or more times according to the training target. Each time the trained feature extraction model and decoding model obtain processed data from another piece of original data, the calculated output value of the preset loss function is smaller than the value calculated the previous time. After one or more rounds of training, the calculated output value of the preset loss function tends to be minimum, that is, the difference between the data processed based on the feature extraction model and the decoding model and the corresponding original data is smallest and the content is most similar.
Steps 201-204 above describe, only as an example, training the feature extraction model together with the decoding model so that the feature extraction model can accurately describe the original data. In another embodiment, the feature extraction model may be trained in other ways, provided that it can accurately describe the original data; the specific training process is not repeated here.
In step 205, the processing device obtains first target data and second target data.
In the embodiment of the present disclosure, taking the first target data as an example to describe a process of obtaining countermeasure data, the processing device may obtain the first target data and the second target data, where a category of the first target data is different from a category of the second target data, so that the processing device may obtain the first countermeasure data, which has a content similar to that of the first target data but a category different from that of the first target data, based on the first target data and guided by the category of the second target data according to a difference between the first target data and the second target data.
For example, the first target data is classified as a sofa, and the second target data is classified as a fan. Or the category of the first target data is cats, and the category of the second target data is dogs.
The first target data and the second target data may be obtained by shooting or recording by a processing device, or may be obtained by downloading from the internet, or may be obtained by transmitting to the processing device by another device. The first target data and the second target data may be data in various formats such as pictures, audio or video, and the formats of the first target data and the second target data are the same.
In one possible implementation manner, a plurality of target data may be acquired, each labeled with the category to which it belongs, and target data whose category differs from that of the first target data is randomly selected from the plurality of target data as the second target data. Alternatively, the similarity between any two categories is obtained, and target data whose category differs from that of the first target data, and whose category similarity to the category of the first target data meets a requirement, is randomly selected from the plurality of target data as the second target data. The similarity meeting the requirement includes: the similarity is greater than a preset threshold, that is, the difference between the second target data and the first target data is required to be small. Or, the similarity meeting the requirement includes: the similarity is smaller than a preset threshold, that is, the second target data and the first target data are required to have a larger category difference.
In step 206, the processing device obtains a first feature of the first target data and a second feature of the second target data based on the feature extraction model.
The processing equipment performs feature extraction on the first target data based on the feature extraction model to obtain features of the first target data as first features, and performs feature extraction on the second target data based on the feature extraction model to obtain features of the second target data as second features. Wherein the first characteristic is used for describing first target data, and the second characteristic is used for describing second target data.
In one possible implementation, the first feature and the second feature may be high-dimensional expression features. The first feature is obtained by feature extraction of the first target data according to multiple dimensions, and the first target data can be described from multiple dimensions, so that the first target data can be accurately described. The second feature is obtained by feature extraction of the second target data according to a plurality of dimensions, and the second target data can be described from the plurality of dimensions, so that the second target data can be described as accurately as possible.
For example, the target data is an image, feature extraction is performed on the target data according to two dimensions of color and shape to obtain a two-dimensional expression feature of the target data, wherein the feature in the color dimension is a feature obtained based on pixel points and is determined according to a pixel value of each pixel point, the feature in the shape dimension may include a contour feature or a region feature, the contour feature is used for describing a contour of an object in the image, and the region feature is used for describing a shape of the object. The two-dimensional expression characteristic can describe the color and the shape of an object contained in the image more accurately, namely the target data more accurately.
In step 207, the processing device obtains interference data based on the first feature and the second feature.
The interference data is used to describe the difference between the second feature and the first feature, thereby describing the difference between the second target data and the first target data. The processing device may calculate a difference feature between the first feature and the second feature, perform format conversion on the difference feature to obtain interference data corresponding to the difference feature, where a data format of the interference data is the same as a data format of the first target data, and then may process the first target data according to the interference data.
In a possible implementation manner, the difference between the second feature and the first feature may be positively correlated with the interference data, which means that the larger the interference data is, the larger the difference between the second feature and the first feature is, and the larger the difference between the second target data and the first target data is. Alternatively, the difference between the second feature and the first feature may be inversely related to the disturbance data, meaning that the larger the disturbance data, the smaller the difference between the second feature and the first feature, and the smaller the difference between the second target data and the first target data.
In one possible implementation manner, the processing device may obtain, according to the first feature and the second feature, a distance between the second feature and the first feature, and obtain, according to the distance and the first target data, interference data by using the following function:
Figure BDA0001960471150000121
where $J(\theta, x, x_{target})$ is the interference data, $\theta$ is a parameter of the function, $x$ is the first target data, $x_{target}$ is the second target data, $distance(F_{target} - F_{origin})$ is the distance between the second feature and the first feature, and
Figure BDA0001960471150000122
is the gradient obtained by taking the partial derivative with respect to the first target data.
In another possible implementation manner, the processing device may perform statistical processing according to the first characteristic and the second characteristic to obtain a statistical value, and obtain the interference data according to the statistical value and the first target data. The statistical processing method may be a method of obtaining a mean square error, or other statistical processing methods.
In step 208, the processing device obtains first countermeasure data corresponding to the first target data according to the first target data and the interference data.
Since the interference data is used for describing the difference between the second characteristic and the first characteristic, after the interference data is obtained, the first countermeasure data corresponding to the first target data can be obtained according to the first target data and the interference data, and the first countermeasure data and the second target data are classified into the same category.
A classification model classifies data based on the features of the data: when classifying, it first extracts the features of the data and then classifies according to them. In the embodiment of the present disclosure, for the same data, the features extracted by the classification model have their own emphasis but are consistent with the features extracted by the feature extraction model; the two may differ but are similar to each other. By superimposing the interference data on the first target data, the content of the first countermeasure data can be kept similar to that of the first target data while its features are closer to those of the second target data. The first countermeasure data therefore misleads the classification model, which, according to the features of the first countermeasure data, classifies it into the same category as the second target data. That is, the first countermeasure data and the second target data are classified into the same category, while the first countermeasure data and the first target data are classified into different categories, so the classification model classifies incorrectly. Training the classification model according to the first target data and the first countermeasure data then enables the classification model to learn to classify countermeasure data, yielding a classification model that classifies correctly.
In a possible implementation manner, the first target data and the interference data are superimposed, and first countermeasure data corresponding to the first target data is obtained, so that the first countermeasure data includes the interference data. For example, according to the first target data and the interference data, the following function is adopted to perform calculation, and the first countermeasure data is obtained:
$x_{adv} = x + \epsilon \cdot \mathrm{sign}(J(\theta, x, x_{target}))$
where $x_{adv}$ is the first countermeasure data, $x$ is the first target data, $J(\theta, x, x_{target})$ is the interference data, $\epsilon$ is a superposition coefficient that determines the amplitude of the data superimposed on the first target data, and sign is a sign function that determines the sign of the interference data superimposed on the first target data.
Taking a as the argument, the sign function is described using the following function as an example:
Figure BDA0001960471150000131
The interference data is processed with the sign function so that each value of the processed data is 0, 1 or -1, and the amplitude of the data is controlled by the superposition coefficient; together these determine the data superimposed on the first target data. This simplifies the data form and reduces the amount of calculation, and setting the superposition coefficient keeps the data superimposed on the first target data within a certain range.
Because the distance between the second feature and the first feature generally lies in (-1, 1), after processing with the sign function the values of the processed data are limited to {0, 1, -1}, and the difference between the processed values and the original distance is not large, so the interference result is not greatly affected.
In one possible implementation, the superposition coefficient may be a value smaller than 1, by which the data superimposed on the first target data may be controlled to be in the range of [0, 1). For example, if the superposition coefficient is 0.1, the first countermeasure data is obtained by using the following formula:
$x_{adv} = x + 0.1 \times \mathrm{sign}(J(\theta, x, x_{target}))$.
It should be noted that, for the first target data, one or more second target data may be obtained, one or more first countermeasure data may be generated according to the one or more second target data, and the first target data and the corresponding first countermeasure data are all applied to the training process of the classification model.
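The superposition step described above, as an added example that is not code from the patent: it computes interference data from a feature-space distance, applies the sign function and the superposition coefficient, and checks that the result stays within the coefficient's bound while its feature moves toward the second target data. Assumptions: the linear map `W` stands in for a trained feature extraction model, the distance is the squared L2 norm, J is taken as the negative gradient of that distance with respect to x (the page's own formula for J is not reproduced here), values are clipped to an assumed pixel range [0, 1], and all sample data is constructed.

```python
# Added illustration. W, X_ORIGIN, X_TARGET and all function names are
# constructed for this example; they do not come from the patent.

# Assumed stand-in for a trained feature extraction model: F(x) = W x.
W = [[0.5, -0.25, 0.0, 0.25],
     [0.0, 0.5, 0.5, -0.5]]
X_ORIGIN = [0.2, 0.8, 0.4, 0.6]  # first target data (flattened 2x2 image)
X_TARGET = [0.9, 0.1, 0.7, 0.3]  # second target data (different category)


def extract(x, w=W):
    """Feature extraction: returns F(x) = W x."""
    return [sum(wi * xi for wi, xi in zip(row, x)) for row in w]


def feature_distance(x, x_target, w=W):
    """Assumed distance: squared L2 norm of F_target - F(x)."""
    f_t, f_o = extract(x_target, w), extract(x, w)
    return sum((t - o) ** 2 for t, o in zip(f_t, f_o))


def interference(x, x_target, w=W):
    """Interference data J, same shape as x.

    Assumption: J = -d(distance)/dx = 2 W^T (F_target - F_origin), so that
    adding J to x reduces the feature distance to the second target data.
    """
    f_t, f_o = extract(x_target, w), extract(x, w)
    r = [t - o for t, o in zip(f_t, f_o)]
    return [2.0 * sum(w[k][i] * r[k] for k in range(len(w)))
            for i in range(len(x))]


def numeric_interference(x, x_target, w=W, h=1e-6):
    """Central-difference estimate of J, used to validate the analytic form."""
    out = []
    for i in range(len(x)):
        up, dn = list(x), list(x)
        up[i] += h
        dn[i] -= h
        diff = feature_distance(up, x_target, w) - feature_distance(dn, x_target, w)
        out.append(-diff / (2 * h))
    return out


def sign(a):
    """Sign function with values in {-1, 0, 1}, as described in the text."""
    return (a > 0) - (a < 0)


def countermeasure(x, x_target, eps=0.1, w=W, lo=0.0, hi=1.0):
    """x_adv = x + eps * sign(J), clipped to the assumed valid range [lo, hi]."""
    j = interference(x, x_target, w)
    return [min(hi, max(lo, xi + eps * sign(ji))) for xi, ji in zip(x, j)]


def summarize(x, x_target, eps=0.1):
    """Values worth checking before a sample enters a training set."""
    x_adv = countermeasure(x, x_target, eps)
    return {
        "x_adv": x_adv,
        "linf_change": max(abs(a - b) for a, b in zip(x_adv, x)),
        "distance_before": feature_distance(x, x_target),
        "distance_after": feature_distance(x_adv, x_target),
    }


if __name__ == "__main__":
    for key, value in summarize(X_ORIGIN, X_TARGET).items():
        print(key, value)
```

With a large superposition coefficient a single sign step can overshoot and increase the feature distance, so `distance_after` should be compared with `distance_before` for each generated sample.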
It should be noted that, in the embodiments of the present disclosure, the first countermeasure data corresponding to the first target data is obtained as an example only. In another embodiment, on the basis that the first target data and the second target data are acquired, second countermeasure data corresponding to the second target data can be acquired in a similar manner.
Compared with the method for acquiring the first countermeasure data only according to the first target data and the second target data, the method for acquiring the first countermeasure data and the second countermeasure data according to the first target data and the second target data can avoid wasting the second target data, increase the number of the countermeasure data, and improve the data utilization rate, so that more countermeasure data can be acquired by less target data and applied to the training process of the classification model. Under the condition that the classification model requires a certain amount of countermeasure data, the number of required target data can be reduced, the calculation amount is reduced, and the training efficiency is improved.
Fig. 3 is a schematic diagram illustrating a training flow of a feature extraction model and a decoding model according to an exemplary embodiment. As shown in fig. 3, when the feature extraction model is trained together with the decoding model in step 201 and step 204, feature extraction is performed on first original data based on the feature extraction model to obtain a third feature, the third feature is decoded based on the decoding model to obtain first data, and the feature extraction model and the decoding model are trained according to the first data and a preset loss function, so that the output value of the preset loss function tends to be minimum.
Fig. 4 is a schematic flowchart of a process for acquiring first countermeasure data according to an exemplary embodiment, and as shown in fig. 4, first target data and second target data of different categories are acquired, feature extraction is performed on the first target data and the second target data respectively based on a trained feature extraction model to obtain first features and second features, a distance is calculated according to the second features and the first features to obtain interference data, and the first target data and the interference data are superimposed to obtain first countermeasure data corresponding to the first target data.
According to the method provided by the embodiment of the disclosure, feature extraction is performed on first original data based on a feature extraction model to obtain third features, decoding processing is performed on the third features based on a decoding model to obtain first data, and the feature extraction model and the decoding model are trained in cooperation according to the first data, so that the difference between the data processed by the feature extraction model and the decoding model and the corresponding original data tends to be minimum. The feature extraction model and the decoding model are trained according to the original data, so that the accuracy of the feature extraction model can be improved, and the data can be accurately described based on the features obtained after the feature extraction model is processed.
When first target data and second target data of different categories are acquired, feature extraction is performed on each of them based on the trained feature extraction model, interference data is acquired according to the difference between the extracted features of the first target data and of the second target data, and first countermeasure data corresponding to the first target data is acquired according to the interference data and the first target data; the first countermeasure data and the first target data are classified into different categories. Because the acquisition process of the countermeasure data is independent of the classification models in the embodiment of the disclosure, the countermeasure data acquired by the method provided by the embodiment of the disclosure can be used in the training process of a plurality of classification models, so that the accuracy of the plurality of classification models is improved, and the applicability is improved.
The embodiment of the disclosure can be applied to a scene of acquiring corresponding countermeasure data according to original data, and the original data can be data in various formats such as pictures, audio or video. For example, a user takes a first photo and a second photo, where the category of the first photo is cat and the category of the second photo is dog. Feature extraction is performed on the first photo and the second photo, interference data is obtained, and the interference data is superimposed on the first photo to obtain a third photo. The third photo serves as the countermeasure photo of the first photo: it is similar in content to the first photo and is classified into the same category as the second photo. Subsequently, the classification model can be trained according to the first photo and the third photo, and the classification accuracy of the classification model is improved.
Fig. 5 is a block diagram illustrating a countermeasure data acquisition device in accordance with an exemplary embodiment. Referring to fig. 5, the apparatus includes a data acquisition unit 501, a first feature acquisition unit 502, an interference acquisition unit 503, and a countermeasure acquisition unit 504.
a data acquisition unit 501 configured to acquire first target data and second target data, the category of the first target data being different from the category of the second target data;
a first feature acquisition unit 502 configured to obtain a first feature of the first target data and a second feature of the second target data based on the feature extraction model, the first feature being used for describing the first target data, the second feature being used for describing the second target data;
an interference acquisition unit 503 configured to obtain interference data according to the first feature and the second feature, the interference data describing a difference between the second feature and the first feature;
a countermeasure acquisition unit 504 configured to acquire first countermeasure data corresponding to the first target data according to the first target data and the interference data, the first countermeasure data and the second target data being classified into the same category.
In a possible implementation manner, the interference acquisition unit 503 includes:
a distance acquisition subunit configured to acquire, according to the first feature and the second feature, a distance between the second feature and the first feature;
an interference obtaining subunit, configured to obtain interference data according to the distance and the first target data by using the following function:
Figure BDA0001960471150000161
where $J(\theta, x, x_{target})$ is the interference data, $\theta$ is a parameter of the function, $x$ is the first target data, $x_{target}$ is the second target data, $distance(F_{target} - F_{origin})$ is the distance between the second feature and the first feature, and
Figure BDA0001960471150000162
is the gradient obtained by taking the partial derivative with respect to the first target data.
In another possible implementation manner, the countermeasure acquisition unit 504 includes:
a countermeasure acquisition subunit configured to acquire first countermeasure data by performing a calculation using the following function based on the first target data and the interference data:
$x_{adv} = x + \epsilon \cdot \mathrm{sign}(J(\theta, x, x_{target}))$
where $x_{adv}$ is the first countermeasure data, $x$ is the first target data, $J(\theta, x, x_{target})$ is the interference data, $\epsilon$ is the superposition coefficient, and sign is the sign function.
In another possible implementation manner, the apparatus further includes:
a raw acquisition unit configured to acquire first raw data;
a second feature obtaining unit configured to obtain a third feature of the first raw data based on the feature extraction model, the third feature being used for describing the first raw data;
a decoding unit configured to perform decoding processing on the third feature based on a decoding model to obtain first data;
and the training unit is configured to train the feature extraction model and the decoding model according to the first data, so that the difference between the data processed based on the feature extraction model and the decoding model and the corresponding original data tends to be minimum.
In another possible implementation manner, the training unit includes:
a training subunit configured to train the feature extraction model and the decoding model so that an output value of the preset loss function tends to be minimum, based on the first data and the preset loss function;
and the difference between the data processed by the characteristic extraction model and the decoding model and the corresponding original data is positively correlated with the output value of the preset loss function.
In another possible implementation, the predetermined loss function is:
Figure BDA0001960471150000171
wherein, loss (theta, x)rec) Is a predetermined loss function, theta is a parameter of the predetermined loss function, xrecW is the width of the pixel in the first original data, H is the height of the pixel in the first original data, xw,hThe pixel points with width w and height h in the first original data,
Figure BDA0001960471150000172
the pixel points with width w and height h are located in the second data.
With regard to the apparatus in the above-described embodiment, the specific manner in which each unit performs the operation has been described in detail in the embodiment related to the method, and will not be described in detail here.
Fig. 6 is a block diagram illustrating a terminal 600 for obtaining countermeasure data according to an exemplary embodiment, where the terminal 600 is configured to perform the steps performed by a processing device in the countermeasure data obtaining method, and may be a portable mobile terminal, such as a smart phone, a tablet computer, an MP3 player (Moving Picture Experts Group Audio L layer iii, motion Picture Experts compression standard Audio layer 3), an MP4 player (Moving Picture Experts Group Audio L layer IV, motion Picture Experts compression standard Audio layer 4), a notebook computer, or a desktop computer, and the terminal 600 may also be referred to as a user equipment, a portable terminal, a laptop terminal, a desktop terminal, or other names.
In general, the terminal 600 includes: one ormore processors 601 and one ormore memories 602.
Processor 601 may include one or more Processing cores, such as a 4-core processor, an 8-core processor, etc.processor 601 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), a P L a (Programmable logic Array),processor 601 may also include a main processor and a coprocessor, the main processor being a processor for Processing data in a wake-up state, also known as a CPU (Central Processing Unit), the coprocessor being a low-power processor for Processing data in a standby state, in some embodiments,processor 601 may be integrated with a GPU (Graphics Processing Unit) for rendering and rendering content for display, in some embodiments,processor 601 may also include an intelligent processor for learning about AI operations of the AI processor.
Thememory 602 may include one or more computer-readable storage media, which may be non-transitory. Thememory 602 may also include volatile memory or non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in thememory 602 is used to store at least one instruction for theprocessor 601 to have to implement the countermeasure data acquisition method provided by the method embodiments herein.
In some embodiments, the terminal 600 may further optionally include: aperipheral interface 603 and at least one peripheral. Theprocessor 601,memory 602, andperipheral interface 603 may be connected by buses or signal lines. Various peripheral devices may be connected to theperipheral interface 603 via a bus, signal line, or circuit board. Specifically, the peripheral device includes: at least one of aradio frequency circuit 604, atouch screen display 605, acamera 606, anaudio circuit 607, apositioning component 608, and apower supply 609.
Theperipheral interface 603 may be used to connect at least one peripheral related to I/O (Input/Output) to theprocessor 601 and thememory 602. In some embodiments, theprocessor 601,memory 602, andperipheral interface 603 are integrated on the same chip or circuit board; in some other embodiments, any one or two of theprocessor 601, thememory 602, and theperipheral interface 603 may be implemented on a separate chip or circuit board, which is not limited in this embodiment.
TheRadio Frequency circuit 604 is used for receiving and transmitting RF (Radio Frequency) signals, also called electromagnetic signals. Theradio frequency circuitry 604 communicates with communication networks and other communication devices via electromagnetic signals. Therf circuit 604 converts an electrical signal into an electromagnetic signal to transmit, or converts a received electromagnetic signal into an electrical signal. Optionally, theradio frequency circuit 604 comprises: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. Theradio frequency circuitry 604 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: metropolitan area networks, various generation mobile communication networks (2G, 3G, 4G, and 13G), Wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, therf circuit 604 may further include NFC (Near Field Communication) related circuits, which are not limited in this application.
TheDisplay 605 is used to Display a UI (User Interface) which may include graphics, text, icons, video and any combination thereof, when theDisplay 605 is a touch Display, theDisplay 605 also has the ability to capture touch signals on or over the surface of theDisplay 605. the touch signals may be input to theprocessor 601 for processing as control signals, at which time theDisplay 605 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard.
The camera assembly 606 is used to capture images or video. Optionally, the camera assembly 606 includes a front camera and a rear camera. Generally, the front camera is disposed on the front panel of the terminal, and the rear camera is disposed on the rear surface of the terminal. In some embodiments, there are at least two rear cameras, each being any one of a main camera, a depth-of-field camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth-of-field camera can be fused to realize a background blurring function, and the main camera and the wide-angle camera can be fused to realize panoramic shooting and VR (Virtual Reality) shooting functions or other fusion shooting functions. In some embodiments, the camera assembly 606 may also include a flash. The flash may be a single-color-temperature flash or a dual-color-temperature flash. A dual-color-temperature flash is a combination of a warm-light flash and a cold-light flash, and can be used for light compensation at different color temperatures.
The audio circuitry 607 may include a microphone and a speaker. The microphone is used to collect sound waves from the user and the environment, convert them into electrical signals, and input the signals to the processor 601 for processing or to the radio frequency circuit 604 to realize voice communication. For stereo sound collection or noise reduction, a plurality of microphones may be provided at different portions of the terminal 600. The microphone may also be an array microphone or an omnidirectional pickup microphone. The speaker is used to convert electrical signals from the processor 601 or the radio frequency circuit 604 into sound waves. The speaker may be a traditional film speaker or a piezoelectric ceramic speaker. A piezoelectric ceramic speaker can convert an electrical signal not only into a sound wave audible to humans, but also into a sound wave inaudible to humans for purposes such as distance measurement. In some embodiments, the audio circuitry 607 may also include a headphone jack.
The positioning component 608 is used to locate the current geographic location of the terminal 600 to implement navigation or LBS (Location Based Service). The positioning component 608 may be a positioning component based on the GPS (Global Positioning System) of the United States, the BeiDou system of China, the GLONASS system of Russia, or the Galileo system of the European Union.
The power supply 609 is used to supply power to the various components in the terminal 600. The power supply 609 may be alternating current, direct current, a disposable battery, or a rechargeable battery. When the power supply 609 includes a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also support fast-charge technology.
In some embodiments, the terminal 600 also includes one or more sensors 610. The one or more sensors 610 include, but are not limited to: an acceleration sensor 611, a gyro sensor 612, a pressure sensor 613, a fingerprint sensor 614, an optical sensor 615, and a proximity sensor 616.
The acceleration sensor 611 may detect the magnitude of acceleration on the three coordinate axes of the coordinate system established with the terminal 600. For example, the acceleration sensor 611 may be used to detect the components of gravitational acceleration on the three coordinate axes. The processor 601 may control the touch display screen 605 to display the user interface in a landscape view or a portrait view according to the gravitational acceleration signal collected by the acceleration sensor 611. The acceleration sensor 611 may also be used to collect motion data of a game or a user.
The gyro sensor 612 may detect the body direction and rotation angle of the terminal 600, and may cooperate with the acceleration sensor 611 to capture the user's 3D motion on the terminal 600. Based on the data collected by the gyro sensor 612, the processor 601 may implement the following functions: motion sensing (such as changing the UI according to a user's tilting operation), image stabilization during shooting, game control, and inertial navigation.
The pressure sensor 613 may be disposed on a side frame of the terminal 600 and/or on a lower layer of the touch display screen 605. When the pressure sensor 613 is disposed on the side frame of the terminal 600, it can detect the user's grip signal on the terminal 600, and the processor 601 performs left/right hand recognition or shortcut operations according to the grip signal collected by the pressure sensor 613. When the pressure sensor 613 is disposed on the lower layer of the touch display screen 605, the processor 601 controls the operable controls on the UI according to the user's pressure operation on the touch display screen 605. The operable controls include at least one of a button control, a scroll bar control, an icon control and a menu control.
The fingerprint sensor 614 is used to collect a user's fingerprint. Either the processor 601 identifies the user according to the fingerprint collected by the fingerprint sensor 614, or the fingerprint sensor 614 itself identifies the user according to the collected fingerprint. When the user's identity is identified as trusted, the processor 601 authorizes the user to perform relevant sensitive operations, including unlocking the screen, viewing encrypted information, downloading software, making payments, changing settings and the like.
The optical sensor 615 is used to collect the ambient light intensity. In one embodiment, the processor 601 may control the display brightness of the touch display screen 605 based on the ambient light intensity collected by the optical sensor 615. Specifically, when the ambient light intensity is high, the display brightness of the touch display screen 605 is increased; when the ambient light intensity is low, the display brightness of the touch display screen 605 is decreased. In another embodiment, the processor 601 may also dynamically adjust the shooting parameters of the camera assembly 606 according to the ambient light intensity collected by the optical sensor 615.
The proximity sensor 616, also known as a distance sensor, is typically disposed on the front panel of the terminal 600. The proximity sensor 616 is used to collect the distance between the user and the front surface of the terminal 600. In one embodiment, when the proximity sensor 616 detects that the distance between the user and the front surface of the terminal 600 is gradually decreasing, the processor 601 controls the touch display screen 605 to switch from the bright screen state to the dark screen state; when the proximity sensor 616 detects that the distance between the user and the front surface of the terminal 600 is gradually increasing, the processor 601 controls the touch display screen 605 to switch from the dark screen state to the bright screen state.
Those skilled in the art will appreciate that the configuration shown in Fig. 6 does not limit the terminal 600, which may include more or fewer components than those shown, combine some components, or use a different arrangement of components.
Fig. 7 is a schematic structural diagram of a server 700 according to an exemplary embodiment. The server 700 may vary considerably depending on its configuration or performance, and may include one or more processors (CPUs) 701 and one or more memories 702, where the memory 702 stores at least one instruction, and the at least one instruction is loaded and executed by the processor 701 to implement the methods provided by the above method embodiments. Of course, the server may also have components such as a wired or wireless network interface, a keyboard, and an input/output interface for input and output, and may include other components for implementing the functions of the device, which are not described again here.
The server 700 may be configured to perform the steps performed by the processing device in the countermeasure data acquisition method described above.
In an exemplary embodiment, there is also provided a non-transitory computer readable storage medium having instructions therein, which when executed by a processor of a processing device, enable the processing device to perform a countermeasure data acquisition method, the method comprising:
acquiring first target data and second target data, wherein the category of the first target data is different from that of the second target data;
acquiring a first feature of the first target data and a second feature of the second target data based on the feature extraction model;
acquiring interference data according to the first characteristic and the second characteristic, wherein the interference data is used for describing the difference between the second characteristic and the first characteristic;
and superimposing the first target data and the interference data to acquire first countermeasure data corresponding to the first target data, wherein the first countermeasure data and the second target data are divided into the same category.
In one possible implementation manner, acquiring the interference data according to the first feature and the second feature includes:
acquiring the distance between the second feature and the first feature according to the first feature and the second feature;
and acquiring interference data by adopting the following functions according to the distance and the first target data:
Figure BDA0001960471150000211
wherein $J(\theta, x, x_{target})$ is the interference data, $\theta$ is a parameter of the function, $x$ is the first target data, $x_{target}$ is the second target data, $Distance(F_{target} - F_{origin})$ is the distance between the second feature and the first feature, and
Figure BDA0001960471150000212
is the gradient obtained by taking the partial derivative with respect to the first target data.
In another possible implementation manner, acquiring first countermeasure data corresponding to the first target data according to the first target data and the interference data includes:
calculating the first countermeasure data from the first target data and the interference data by using the following function:
$$x_{adv} = x + \epsilon \cdot \mathrm{sign} \cdot J(\theta, x, x_{target})$$
wherein $x_{adv}$ is the first countermeasure data, $x$ is the first target data, $J(\theta, x, x_{target})$ is the interference data, $\epsilon$ is the superposition coefficient, and sign is the sign function.
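The interference and superposition steps above, worked through on constructed data as an added example (not code from the patent). Assumptions: a fixed linear map `ENCODER` stands in for the trained feature extraction model, the distance is squared Euclidean, J is taken as the gradient of the negative feature distance with respect to x (the page's formula image is not available), sign is applied element-wise to J, and the result is clipped to an assumed [0, 1] input range.

```python
"""Added example: one-step feature-space perturbation on constructed data."""
from typing import List

Vector = List[float]

# Constructed 2x4 linear map standing in for the trained feature extraction
# model (assumption: the page does not specify the model's form).
ENCODER: List[Vector] = [
    [0.5, -0.2, 0.1, 0.7],
    [-0.3, 0.8, 0.4, -0.1],
]

# Constructed inputs standing in for two samples of different categories.
X_ORIGIN: Vector = [0.2, 0.9, 0.4, 0.1]
X_TARGET: Vector = [0.8, 0.1, 0.6, 0.7]
EPS = 0.05  # superposition coefficient


def extract_features(x: Vector) -> Vector:
    """F(x) = ENCODER @ x."""
    return [sum(w * v for w, v in zip(row, x)) for row in ENCODER]


def feature_distance(x: Vector, x_target: Vector) -> float:
    """Assumed distance: squared Euclidean norm of F_target - F_origin."""
    f_origin, f_target = extract_features(x), extract_features(x_target)
    return sum((t - o) ** 2 for t, o in zip(f_target, f_origin))


def interference(x: Vector, x_target: Vector) -> Vector:
    """J(theta, x, x_target), assumed to be the gradient of the negative
    distance with respect to x: 2 * ENCODER^T (F_target - F_origin)."""
    f_origin, f_target = extract_features(x), extract_features(x_target)
    diff = [t - o for t, o in zip(f_target, f_origin)]
    return [2.0 * sum(ENCODER[i][j] * diff[i] for i in range(len(ENCODER)))
            for j in range(len(x))]


def numeric_interference(x: Vector, x_target: Vector, h: float = 1e-5) -> Vector:
    """Central-difference estimate of the same gradient, to validate
    interference() before trusting the generated samples."""
    grad = []
    for j in range(len(x)):
        up = x[:j] + [x[j] + h] + x[j + 1:]
        down = x[:j] + [x[j] - h] + x[j + 1:]
        slope = (feature_distance(up, x_target)
                 - feature_distance(down, x_target)) / (2 * h)
        grad.append(-slope)  # negative distance, matching interference()
    return grad


def sign(v: float) -> int:
    """Sign function: -1, 0 or 1."""
    return (v > 0) - (v < 0)


def countermeasure(x: Vector, x_target: Vector, eps: float) -> Vector:
    """x_adv = x + eps * sign(J), clipped to the assumed range [0, 1]."""
    j = interference(x, x_target)
    return [min(1.0, max(0.0, xi + eps * sign(ji))) for xi, ji in zip(x, j)]


def linf(a: Vector, b: Vector) -> float:
    """Largest per-element change, i.e. the size of the perturbation."""
    return max(abs(p - q) for p, q in zip(a, b))


if __name__ == "__main__":
    x_adv = countermeasure(X_ORIGIN, X_TARGET, EPS)
    print("x_adv          :", x_adv)
    print("distance before:", feature_distance(X_ORIGIN, X_TARGET))
    print("distance after :", feature_distance(x_adv, X_TARGET))
    print("L-inf change   :", linf(x_adv, X_ORIGIN))
```

The perturbation is computed from the feature extractor alone, so the resulting sample can be fed into the training of several classification models, which is the use the disclosure describes.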
In another possible implementation manner, the method further includes:
acquiring first original data;
acquiring a third feature of the first original data based on the feature extraction model, wherein the third feature is used for describing the first original data;
decoding the third characteristic based on the decoding model to obtain first data;
and training the feature extraction model and the decoding model according to the first data, so that the difference between data processed by the feature extraction model and the decoding model and the corresponding original data tends to a minimum.
In another possible implementation manner, training the feature extraction model and the decoding model according to the first data so that the difference between the data processed based on the feature extraction model and the decoding model and the corresponding original data tends to be minimum includes:
training the feature extraction model and the decoding model according to the first data and the preset loss function, so that the output value of the preset loss function tends to a minimum;
wherein the difference between data processed by the feature extraction model and the decoding model and the corresponding original data is positively correlated with the output value of the preset loss function.
In another possible implementation, the predetermined loss function is:
Figure BDA0001960471150000221
wherein $loss(\theta, x_{rec})$ is the predetermined loss function, $\theta$ is a parameter of the predetermined loss function, $x_{rec}$ is the second data, $W$ is the width of the pixel in the first original data, $H$ is the height of the pixel in the first original data, $x_{w,h}$ is the pixel point with width $w$ and height $h$ in the first original data, and
Figure BDA0001960471150000222
is the pixel point with width $w$ and height $h$ in the second data.
In an exemplary embodiment, there is also provided a computer program product, instructions of which, when executed by a processor of a processing device, enable the processing device to perform a countermeasure data acquisition method, the method comprising:
acquiring first target data and second target data, wherein the category of the first target data is different from that of the second target data;
acquiring a first feature of the first target data and a second feature of the second target data based on the feature extraction model;
acquiring interference data according to the first characteristic and the second characteristic, wherein the interference data is used for describing the difference between the second characteristic and the first characteristic;
and superimposing the first target data and the interference data to acquire first countermeasure data corresponding to the first target data, wherein the first countermeasure data and the second target data are divided into the same category.
In one possible implementation manner, acquiring the interference data according to the first feature and the second feature includes:
acquiring the distance between the second feature and the first feature according to the first feature and the second feature;
and acquiring interference data by adopting the following functions according to the distance and the first target data:
Figure BDA0001960471150000231
wherein $J(\theta, x, x_{target})$ is the interference data, $\theta$ is a parameter of the function, $x$ is the first target data, $x_{target}$ is the second target data, $Distance(F_{target} - F_{origin})$ is the distance between the second feature and the first feature, and
Figure BDA0001960471150000232
is the gradient obtained by taking the partial derivative with respect to the first target data.
In another possible implementation manner, acquiring first countermeasure data corresponding to the first target data according to the first target data and the interference data includes:
calculating the first countermeasure data from the first target data and the interference data by using the following function:
$$x_{adv} = x + \epsilon \cdot \mathrm{sign} \cdot J(\theta, x, x_{target})$$
wherein $x_{adv}$ is the first countermeasure data, $x$ is the first target data, $J(\theta, x, x_{target})$ is the interference data, $\epsilon$ is the superposition coefficient, and sign is the sign function.
In another possible implementation manner, the method further includes:
acquiring first original data;
acquiring a third feature of the first original data based on the feature extraction model, wherein the third feature is used for describing the first original data;
decoding the third characteristic based on the decoding model to obtain first data;
and training the feature extraction model and the decoding model according to the first data, so that the difference between data processed by the feature extraction model and the decoding model and the corresponding original data tends to a minimum.
In another possible implementation manner, training the feature extraction model and the decoding model according to the first data so that the difference between the data processed based on the feature extraction model and the decoding model and the corresponding original data tends to be minimum includes:
training the feature extraction model and the decoding model according to the first data and the preset loss function, so that the output value of the preset loss function tends to a minimum;
wherein the difference between data processed by the feature extraction model and the decoding model and the corresponding original data is positively correlated with the output value of the preset loss function.
In another possible implementation, the predetermined loss function is:
Figure BDA0001960471150000233
wherein $loss(\theta, x_{rec})$ is the predetermined loss function, $\theta$ is a parameter of the predetermined loss function, $x_{rec}$ is the second data, $W$ is the width of the pixel in the first original data, $H$ is the height of the pixel in the first original data, $x_{w,h}$ is the pixel point with width $w$ and height $h$ in the first original data, and
Figure BDA0001960471150000241
is the pixel point with width $w$ and height $h$ in the second data.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. A countermeasure data acquisition method, the method comprising:
acquiring first target data and second target data, wherein the category of the first target data is different from that of the second target data;
acquiring a first feature of the first target data and a second feature of the second target data based on a feature extraction model, wherein the first feature is used for describing the first target data, and the second feature is used for describing the second target data;
acquiring interference data according to the first characteristic and the second characteristic, wherein the interference data is used for describing the difference between the second characteristic and the first characteristic;
and acquiring first countermeasure data corresponding to the first target data according to the first target data and the interference data, wherein the first countermeasure data and the second target data are divided into the same category.
2. The method of claim 1, wherein obtaining interference data based on the first characteristic and the second characteristic comprises:
acquiring the distance between the second feature and the first feature according to the first feature and the second feature;
and acquiring the interference data by adopting the following functions according to the distance and the first target data:
Figure FDA0001960471140000011
wherein $J(\theta, x, x_{target})$ is the interference data, $\theta$ is a parameter of the function, $x$ is the first target data, $x_{target}$ is the second target data, $Distance(F_{target} - F_{origin})$ is the distance between the second feature and the first feature, and
Figure FDA0001960471140000012
is the gradient obtained by taking the partial derivative with respect to the first target data.
3. The method of claim 2, wherein the obtaining first countermeasure data corresponding to the first target data according to the first target data and the interference data comprises:
calculating the first countermeasure data from the first target data and the interference data by using the following function:
$$x_{adv} = x + \epsilon \cdot \mathrm{sign} \cdot J(\theta, x, x_{target})$$
wherein $x_{adv}$ is the first countermeasure data, $x$ is the first target data, $J(\theta, x, x_{target})$ is the interference data, $\epsilon$ is a superposition coefficient, and sign is a sign function.
4. The method of claim 1, further comprising:
acquiring first original data;
acquiring a third feature of the first original data based on the feature extraction model, wherein the third feature is used for describing the first original data;
decoding the third characteristic based on a decoding model to obtain first data;
and training the feature extraction model and the decoding model according to the first data, so that the difference between data processed by the feature extraction model and the decoding model and the corresponding original data tends to a minimum.
5. The method of claim 4, wherein training the feature extraction model and the decoding model according to the first data to minimize a difference between data processed based on the feature extraction model and the decoding model and corresponding original data comprises:
training the feature extraction model and the decoding model according to the first data and a preset loss function, so that the output value of the preset loss function tends to a minimum;
wherein the difference between data processed by the feature extraction model and the decoding model and the corresponding original data is positively correlated with the output value of the preset loss function.
6. The method of claim 5, wherein the predetermined loss function is:
Figure FDA0001960471140000021
wherein $loss(\theta, x_{rec})$ is the predetermined loss function, $\theta$ is a parameter of the predetermined loss function, $x_{rec}$ is the second data, $W$ is the width of the pixel in the first original data, $H$ is the height of the pixel in the first original data, $x_{w,h}$ is the pixel point with width $w$ and height $h$ in the first original data, and
Figure FDA0001960471140000022
is the pixel point with width $w$ and height $h$ in the second data.
7. A countermeasure data acquisition apparatus, the apparatus comprising:
a data acquisition unit configured to acquire first target data and second target data, the first target data having a category different from a category of the second target data;
a first feature obtaining unit configured to obtain a first feature of the first target data and a second feature of the second target data based on a feature extraction model, the first feature being used for describing the first target data, the second feature being used for describing the second target data;
an interference obtaining unit configured to obtain interference data describing a difference between the second feature and the first feature according to the first feature and the second feature;
a countermeasure acquisition unit configured to acquire first countermeasure data corresponding to the first target data according to the first target data and the interference data, the first countermeasure data and the second target data being classified into the same category.
8. The apparatus of claim 7, further comprising:
a raw acquisition unit configured to acquire first raw data;
a second feature obtaining unit configured to obtain a third feature of the first raw data based on the feature extraction model, the third feature being used for describing the first raw data;
a decoding unit configured to perform decoding processing on the third feature based on a decoding model to obtain first data;
a training unit configured to train the feature extraction model and the decoding model according to the first data so that a difference between data processed based on the feature extraction model and the decoding model and corresponding original data tends to be minimum.
9. A processing device for obtaining countermeasure data, the processing device comprising:
one or more processors;
one or more volatile or non-volatile memories for storing processor-executable commands;
wherein the one or more processors are configured to perform the countermeasure data acquisition method of any of claims 1-6.
10. A non-transitory computer readable storage medium having instructions therein which, when executed by a processor of a processing device, enable the processing device to perform the countermeasure data acquisition method of any of claims 1 to 6.
CN201910081343.8A (priority date 2019-01-28, filing date 2019-01-28): Countermeasure data acquisition method, device, equipment and storage medium. Status: Active. Granted as CN111488898B (en).

Priority Applications (1)

Application Number: CN201910081343.8A
Priority Date: 2019-01-28
Filing Date: 2019-01-28
Title: Countermeasure data acquisition method, device, equipment and storage medium

Publications (2)

CN111488898A (en), published 2020-08-04
CN111488898B (en), published 2023-09-19

Family

ID=71794316

Country Status (1)

CN (1): CN111488898B (en)


Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination
GR01: Patent grant
