阅读说明：本技术 一种基于高隐蔽性通用扰动的对抗样本生成方法 (Confrontation sample generation method based on high-concealment universal disturbance ) 是由 郭敏 曾颖明 赵晓燕 韩磊 方永强 于 2020-06-10 设计创作，主要内容包括：本发明涉及一种基于高隐蔽性通用扰动的对抗样本生成方法,涉及人工智能安全技术领域。本发明首先将攻击目标函数优化问题,由最大化单一图像的损失,调整为最大化某特定类别图像的期望损失,以实现扰动的通用性；其次,为提高对抗样本的不易察觉性,本发明设置多目标优化函数,使特定类别的图像被错误识别的同时,保证其他类别的图像不受干扰影响,仍能被正确决策；最后,在隐蔽性方面,经前期实验发现,传统的梯度方法能够较快地产生具有对抗效果的扰动,而低频噪声往往更隐蔽更稳定,因此,本发明在使用传统梯度方法生成初步的对抗扰动后,进一步采用低通滤波器来消除通用扰动中的高频尖锐噪音,在实现通用攻击的同时保证对抗样本的隐蔽性。(The invention relates to a confrontation sample generation method based on high-concealment universal disturbance, and relates to the technical field of artificial intelligence safety. Firstly, adjusting the attack objective function optimization problem from the loss of a maximized single image to the expected loss of a maximized specific image so as to realize the universality of disturbance; secondly, in order to improve the imperceptibility of the confrontation sample, the multi-objective optimization function is set, so that the images of specific categories are mistakenly identified, and meanwhile, the images of other categories are ensured not to be influenced by interference and can still be correctly decided; finally, in the aspect of concealment, early experiments show that the traditional gradient method can quickly generate disturbance with a countermeasure effect, and low-frequency noise is often more concealed and more stable, so that after the traditional gradient method is used for generating preliminary countermeasure disturbance, a low-pass filter is further adopted to eliminate high-frequency sharp noise in general disturbance, and concealment of the countermeasure sample is ensured while general attack is realized.)

1. A confrontation sample generation method based on high-concealment universal disturbance is characterized by comprising the following steps:

step1, maximizing expected loss of a specific category to obtain a universal loss function so as to realize basic universal disturbance generation;

step2, realizing high-concealment universal disturbance generation based on the step 1: firstly, adding correction to samples except for a target attack class into the general loss function, and constructing a loss function generated by a target-free general countermeasure sample with a target; secondly, performing optimization training on the loss function in a gradient descending manner to obtain primary universality disturbance; and finally, filtering the preliminary universal disturbance by adopting low-pass filtering to remove noise.

2. The method of claim 1, wherein in step 1: setting X belongs to X as an input sample, Y belongs to Y as a sample label, (X, Y) is a set to which data belongs, C (-) is a classifier, and C (X) represents a classification result of the sample X;

then no-target-confrontation-sample generation means that given a legal input sample x, C (x) ═ a, a confrontation sample x 'is sought, so that C (x') ≠ a; generating a target countermeasure sample means that a legal input sample x and a classification target t are given, t belongs to Y, C (x) ≠ t, and a countermeasure sample x 'is searched, so that C (x') ═ t;

in the generation process of the confrontation sample, determining a disturbance function rho: x → X, such that:

x'＝ρ(x)＝x+ (1)

wherein, for added counterdisturbance, the disturbance magnitude is limited: | | non-woven hair_p≤，||·||_pIs L_pThe distance is a preset constant value;

setting a specific category as D ∈ Y, the category dataset as D ((x, Y) | c (x) ═ D, Y ═ D),

the loss function without the target general disturbance is set as:

maxE_(x，y)～D[L(C(ρ(x))，y)]s.t.||||_p≤(4)

the loss function with the target general disturbance is set as:

maxE_(x，y)～D[L(C(ρ(x))，y)-L(C(ρ(x))，y_targ)]s.t.||||_p≤(5)

wherein L (-) is Euclidean distance E_(x，y)～D[·]And expressing the expectation of the loss function on the data set D, wherein the loss function without the target general disturbance and the loss function with the target general disturbance form the general loss function.

3. The method as claimed in claim 2, wherein in step2, when constructing the Loss function for the target-free and target-universal antagonistic sample generation, the target-free and target-attack Loss functions Loss and less of universal disturbance are first performed_targAre respectively defined as follows:

Loss＝max[(E_(x，y)～D[L(C(ρ(x))，y)]-E_(x，y)～F[L(C(ρ(x))，y)])]s.t.||||_p≤ (6)

Loss_targ＝max[(E_(x，y)～D[L(C(ρ(x))，y)-L(C(ρ(x))，y_targ)]-E_(x，y)～F[L(C(ρ(x))，y)])]s.t.||||_p≤(7)

where F ═ X, Y — D is the complement of D.

4. The method as claimed in claim 3, wherein in step2, when constructing the loss function generated by the confrontation sample without target and with target universality, SSIM index is introduced to measure the similarity between the confrontation sample and the original clean sample, the confrontation sample is further optimized by limiting the similarity, and the loss functions of the formulas (6) and (7) are respectively adjusted as follows:

Loss＝max[(E_(x，y)～D[L(C(ρ(x))，y)]-E_(x，y)～F[L(C(ρ(x))，y)])]s.t.||||_p≤₁，SSIM(x，ρ(x))≤₂，(8)

Loss_targ＝max[(E_(x，y)～D[L(C(ρ(x))，y)-L(C(ρ(x))，y_targ)]-E_(x，y)～_F[L(C(ρ(x))，y)])]s.t.||||_p≤₁，SSIM(x，ρ(x))≤₂(9)

wherein the content of the first and second substances,₁、₂are all preset constants, and SSIM represents structural similarity.

5. The method according to claim 4, wherein in step2, the loss function is optimally trained in a gradient descent manner, and the preliminary commonality disturbance is obtained specifically as follows:

firstly, optimizing a loss function by adopting an iterative gradient method to obtain general disturbance rho (x), gradually establishing general disturbance by continuously iterating data points in each iteration data set,

in each iteration, if the classifier can identify the target as the attack target specified by the attacker, skipping the current point, and calculating the Loss and the Loss of the target which cannot reach the target set by the attacker after adding the general disturbance, wherein the data points comprise the data points which identify the specific target as the attack target and the normal target and are wrongly classified_targThe direction gradient of the loss maximization is multiplied by a preset learning rate α, and the score is added into the current general disturbance;

after each iteration, judging the identification accuracy of the data set used by the iteration, wherein the accuracy of the target-free attack is the weighted sum of the probability of classifying a specific class into errors and the probability of correctly identifying other classes; the accuracy of the target attack is the sum of the probability of identifying a certain specific class of data as a certain other specific class and the weighted probability of correctly identifying other classes of data, if the accuracy reaches a preset threshold value, iteration is stopped, a next data subset is randomly initialized, iteration of a next batch is carried out, and finally preliminary universal disturbance is output and is called as a universal disturbance matrix.

6. The method of claim 5, wherein in step2, the preliminary generalized perturbation is filtered by low-pass filtering, and the high-frequency noise in the preliminary generalized perturbation is removed by convolution when removing the noise.

7. The method of claim 6, wherein convolving to remove the high frequency noise in the preliminary general perturbation is performed by sweeping a matrix completely through a general perturbation matrix to obtain a new general perturbation.

8. The method of claim 7, wherein the removing the high frequency noise in the preliminary generalized perturbation by convolution is specifically: the convolution puts the anchor point of the kernel on the specific position element of the general disturbance matrix generated in the previous step, and meanwhile, other values in the kernel are superposed with each element in the neighborhood of the element; multiplying each value in the kernel by the corresponding element value and adding the products; putting the obtained result on an element corresponding to the anchor point; and repeating the process for all element values of the general disturbance matrix, and finally, replacing the value of the central element point of the template by the weighted average gray value of the elements in the neighborhood.

9. Use of a method according to any one of claims 1 to 8 for combating an attack.

10. Use of the method of any one of claims 1 to 8 in the field of artificial intelligence security.

Technical Field

The invention relates to the technical field of artificial intelligence safety, in particular to a confrontation sample generation method based on high-concealment universal disturbance.

Background

In recent years, attack resistance becomes a new research hotspot in the field of artificial intelligence, and attack methods such as data pollution, escape, simulation and the like are continuously emerged. At present, domestic and foreign research institutions mainly aim at resisting sample attacks aiming at the attack technology research of artificial intelligence algorithms. The challenge sample is a sample with a resistance attack effect formed by adding specific interference to the original sample. I.e. to make the intelligent algorithm identify errors to the sample.

Currently, various countermeasure sample generation algorithms are proposed in succession, and typical countermeasure sample generation algorithms include a fast gradient attack, a jacobian attack, a deep spoofing attack, and the like. However, most of the existing countermeasures sample generation methods add targeted disturbance to each sample. In a real application scenario, due to the requirements of data acquisition capability and real-time performance, it is often difficult to add targeted interference to each sample one by one. Recent studies have shown that versatility perturbation can effectively solve this problem, and by adding a kind of interference, an attack effect can be generated on a class of samples. However, the existing general perturbation technology achieves generality at the expense of the concealment of the countercheck samples, for example, in image data, general perturbation is mostly obvious spots or color blocks. Meanwhile, for the universal interference of a certain type of samples, the method often generates an antagonistic effect on other types of samples, and is easy to find in advance when the attack target is not reached.

Disclosure of Invention

Technical problem to be solved

The technical problem to be solved by the invention is as follows: how to design a confrontation sample generation method based on high-concealment universal disturbance, so that the confrontation disturbance has universality and can also have concealment and imperceptibility.

(II) technical scheme

In order to solve the technical problem, the invention provides a confrontation sample generation method based on high-concealment universal disturbance, which comprises the following steps:

step1, maximizing expected loss of a specific category to obtain a universal loss function so as to realize basic universal disturbance generation;

step2, realizing high-concealment universal disturbance generation based on the step 1: firstly, adding correction to samples except for a target attack class into the general loss function, and constructing a loss function generated by a target-free general countermeasure sample with a target; secondly, performing optimization training on the loss function in a gradient descending manner to obtain primary universality disturbance; and finally, filtering the preliminary universal disturbance by adopting low-pass filtering to remove noise.

Preferably, in step 1: setting X belongs to X as an input sample, Y belongs to Y as a sample label, (X, Y) is a set to which data belongs, C (-) is a classifier, and C (X) represents a classification result of the sample X;

then the generation of the no-target countermeasure sample means that given a legal input sample x, c (x) ≠ a, a countermeasure sample x' is found, so that c (x) ≠ a; generating a target countermeasure sample means that a legal input sample x and a classification target t are given, t belongs to Y, C (x) ≠ t, and a countermeasure sample x' is searched, so that C (x) ═ t;

in the generation process of the confrontation sample, determining a disturbance function rho: x → X, such that:

x′＝ρ(x)＝x+ (1)

wherein, for added counterdisturbance, the disturbance magnitude is limited: | | non-woven hair_p≤，||·||_pIs L_pThe distance is a preset constant value;

setting a specific category as D ∈ Y, the category dataset as D ((x, Y) | c (x) ═ D, Y ═ D),

the loss function without the target general disturbance is set as:

maxE_(x，y)～D[L(C(ρ(x))，y)]s.t.||||_p≤(4)

the loss function with the target general disturbance is set as:

maxE_(x，y)～D[L(C(ρ(x))，y)-L(C(ρ(x))，y_targ)]s.t.||||_p≤ (5)

wherein L (-) is Euclidean distance E_(x，y)～D[·]Representing the expectation of a loss function on the data set D, said target-free general perturbed lossAnd the loss function with the target general disturbance form the general loss function.

Preferably, in step2, when constructing the Loss function generated by the target-free and target-universal countermeasure sample, the commonly disturbed target-free Loss function Loss and the target attack Loss function Loss are performed first_targAre respectively defined as follows:

Loss＝max[(E_(x，y)～D[L(C(ρ(x))，y)]-E_(x，y)～F[L(C(ρ(x))，y)])]s.t.||||_p≤(6)

Loss_targ＝max[(E_(x，y)～D[L(C(ρ(x))，y)-L(C(ρ(x))，y_targ)]-E_(x，y)～F[L(C(ρ(x))，y)])]s.t.||||_p≤ (7)

where F ═ X, Y — D is the complement of D.

Preferably, in step2, when a loss function generated by a non-target and target-universal confrontation sample is constructed, an SSIM index is introduced to measure the similarity between the confrontation sample and the original clean sample, the confrontation sample is further optimized by limiting the similarity, and the loss functions of formulas (6) and (7) are respectively adjusted to:

Loss＝max[(E_(x，y)～D[L(C(ρ(x))，y)]-E_(x，y)～F[L(C(ρ(x))，y)])]s.t.||||_p≤₁，SSIM(x，ρ(x))≤₂， (8)

Loss_targ＝max[(E_(x，y)～D[L(C(ρ(x))，y)-L(C(ρ(x))，y_targ)]-E_(x，y)～F[L(C(ρ(x))，y)])]s.t.||||_p≤₁，SSIM(x，ρ(x))≤₂(9)

wherein the content of the first and second substances,₁、₂are all preset constants, and SSIM represents structural similarity.

Preferably, in step2, the loss function is optimally trained in a gradient descent manner, and the preliminary universality disturbance is obtained specifically as follows:

firstly, optimizing a loss function by adopting an iterative gradient method to obtain a general disturbance rho (x), and gradually establishing a channel by continuously iterating data points in each iteration data setWith disturbance, in each iteration, if the classifier can identify the target as the attack target specified by the attacker, the current point is skipped, and for the target which cannot reach the setting of the attacker after the general disturbance is added, the method comprises the steps of identifying the specific target as the data points of the attack target and the normal target which are wrongly classified, and calculating the Loss and the Loss of the specific target_targThe direction gradient of the loss maximization is multiplied by a preset learning rate α, and the score is added into the current general disturbance;

after each iteration, judging the identification accuracy of the data set used by the iteration, wherein the accuracy of the target-free attack is the weighted sum of the probability of classifying a specific class into errors and the probability of correctly identifying other classes; the accuracy of the target attack is the sum of the probability of identifying a certain specific class of data as a certain other specific class and the weighted probability of correctly identifying other classes of data, if the accuracy reaches a preset threshold value, iteration is stopped, a next data subset is randomly initialized, iteration of a next batch is carried out, and finally preliminary universal disturbance is output and is called as a universal disturbance matrix.

Preferably, in step2, low-pass filtering is adopted to filter the preliminary general disturbance, and when noise is removed, high-frequency noise in the preliminary general disturbance is eliminated through convolution.

Preferably, the convolution is used to eliminate the high-frequency noise in the preliminary general disturbance by completely sweeping a matrix through the general disturbance matrix to obtain a new general disturbance.

Preferably, the removing the high-frequency noise in the preliminary general disturbance by convolution is specifically: the convolution puts the anchor point of the kernel on the specific position element of the general disturbance matrix generated in the previous step, and meanwhile, other values in the kernel are superposed with each element in the neighborhood of the element; multiplying each value in the kernel by the corresponding element value and adding the products; putting the obtained result on an element corresponding to the anchor point; and repeating the process for all element values of the general disturbance matrix, and finally, replacing the value of the central element point of the template by the weighted average gray value of the elements in the neighborhood.

The invention also provides the application of the method in resisting the attack.

The invention also provides application of the method in the field of artificial intelligence safety.

(III) advantageous effects

Firstly, adjusting the attack objective function optimization problem from the loss of a maximized single image to the expected loss of a maximized specific image so as to realize the universality of disturbance; secondly, in order to improve the imperceptibility of the confrontation sample, the multi-objective optimization function is set, so that the images of specific categories are mistakenly identified, and meanwhile, the images of other categories are ensured not to be influenced by interference and can still be correctly decided; finally, in the aspect of concealment, early experiments show that the traditional gradient method can quickly generate disturbance with a countermeasure effect, and low-frequency noise is often more concealed and more stable, so that after the traditional gradient method is used for generating preliminary countermeasure disturbance, a low-pass filter is further adopted to eliminate high-frequency sharp noise in general disturbance, and concealment of the countermeasure sample is ensured while general attack is realized.

Detailed Description

In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be given in conjunction with examples.

The invention provides a confrontation sample generation method based on high-concealment universal disturbance, which enables the confrontation disturbance to have universality and simultaneously to have concealment and imperceptibility. The method specifically comprises the following steps:

step1 basic generic perturbation generation

The conventional countermeasure sample generation method can be divided into targeted countermeasure sample generation and non-targeted countermeasure sample generation according to an attack target. Setting X belongs to X as an input sample, Y belongs to Y as a sample label, (X, Y) is a set to which data belongs, C (-) is a classifier, and C (X) represents a classification result of the sample X;

then the generation of the no-target countermeasure sample means that given a legal input sample x, c (x) ≠ a, a countermeasure sample x' is found, so that c (x) ≠ a; generating a target countermeasure sample means that a legal input sample x and a classification target t (t epsilon Y, C (x) ≠ t) are given, and a countermeasure sample x' is searched, so that C (x) ═ t;

in the generation process of the countermeasure sample, a disturbance function ρ needs to be determined: x → X, such that:

x′＝ρ(x)＝x+ (1)

wherein, for the added countermeasure disturbance, for ensuring the concealment of the countermeasure sample, the disturbance size is limited: | | non-woven hair_p≤，||·||_pIs L_pThe distance is a constant value set artificially;

the conventional targetless confrontation sample generation process is to find a disturbance ρ that satisfies the noise constraint to maximize the loss of the classifier C (-) for a given input sample pair (x, y):

max L(C(ρ(x))，y)s.t.||||_p≤ (2)

wherein L (-) is Euclidean distance and comprises L₁、L₂、L_∞And the like calculation modes;

conventional targeted countermeasure sample generation, i.e., a countermeasure sample that can be recognized by a classifier as an aggressor-specified category y_targThe loss function can be expressed as follows:

max(L(C(ρ(x))，y)-L(C(ρ(x))，y_targ))s.t.||||_p≤ (3)

in general, the conventional method of generating the confrontational samples is to add a targeted confrontational disturbance to each sample by maximizing the loss of a single data. The invention aims to provide a general disturbance generation method, which can have an anti-attack effect on a certain type of samples by generating a disturbance. Therefore, the present invention first adjusts the maximum single image loss to maximize the expected loss for a particular class to achieve the versatility of the perturbation.

Based on the general requirement, a specific category is set as D ∈ Y, the data set of the category is D ((x, Y) | c (x) ═ D, Y ═ D),the invention firstly sets the loss function of the non-target general disturbance as:

maxE_(x，y)～D[L(C(ρ(x))，y)]s.t.||||_p≤ (4)

the loss function with the target general disturbance is set as:

maxE_(x，y)～D[L(C(ρ(x))，y)-L(C(ρ(x))，y_targ)]s.t.||||_p≤ (5)

wherein E is_(x，y)～D[·]Representing the expectation of the loss function on the data set D.

Step2, generating high-concealment universal disturbance

(1) Non-class specific recognition restriction

In practical use, the general disturbance is generally added to all samples, and the attack goal planned to be realized by the invention is to generate attack effect on a certain type of samples and not to influence the decision results of other types of samples. The general disturbance generated under the above loss function has a problem of being easily perceived, and in particular, the decision accuracy of the "other" category samples may be affected after adding interference to all samples. For example, the attacker's goal is to recognize only the "stop" sign on the guideboard as "proceed", but after adding the versatility countermeasure disturbance, the sign of "speed limit 60 km" may be mistakenly recognized as "speed limit 40 km" as well. Attacks outside this setting are not needed by the attacker, but are easily alert by the defender to discover the system itself through these anomalies.

Therefore, further processing is required for the loss function to mask the attack intention of the attacker, prevent the defended party from easily discovering the loss function, and achieve the imperceptibility of the general disturbance. The invention adds the correction of the samples except the target attack class into the general loss function, and achieves the imperceptibility of the general disturbance by inhibiting the attack effect of the general disturbance on the samples of other classes.

The invention uses general disturbance non-target Loss function Loss and target attack Loss function Loss_targThe definition is as follows:

Loss＝max[(E_(x，y)～D[L(C(ρ(x))，y)]-E_(x，y)～F[L(C(ρ(x))，y)])]s.t.|||||_p≤(6)

Loss_targ＝max[(E_(x，y)～D[L(C(ρ(x))，y)-L(C(ρ(x))，y_targ)]-E_(x，y)～F[L(C(ρ(x))，y)])]s.t.||||_p≤ (7)

where F ═ X, Y — D is the complement of D.

In the step, in order to improve the imperceptibility of the confrontation sample, a multi-objective optimization function is set, so that the images of specific categories are wrongly identified, and meanwhile, the images of other categories are ensured not to be influenced by interference and can still be correctly decided.

(2) Introduction of structural similarity index to enhance anti-disturbance concealment under human vision

By optimally training the objective function, the general anti-disturbance with certain imperceptibility can be obtained, but some problems still exist. In the traditional generation of countermeasure samples, Euclidean distance is generally adopted to measure the difference between the classifier identification result and the true result, but the Euclidean distance has difference with the human vision and auditory identification effect.

Taking an image as an example, human beings have different degrees of sensitivity to three channels of an RGB image. In general, humans are less sensitive to perturbations added by the blue channel and more sensitive to perturbations added by the red channel. The same magnitude of perturbation is added to the three channels at euclidean distances, and the perturbation added by the red channel is more easily detected.

The sensitivity of the Human Visual System (HVS) to noise depends on the local brightness, contrast and structure, and another index is needed by the attacker to assess the concealment of the communication with the addition of general noise. Structural Similarity (SSIM) is an index that measures the similarity between two images under HVS. SSIM defines structural information from an image composition perspective as being independent of brightness, contrast, reflecting attributes of object structures in a scene, and models distortion as a combination of three different factors, brightness, contrast, and structure. The mean is used as an estimate of the luminance, the standard deviation as an estimate of the contrast, and the covariance as a measure of the degree of structural similarity. SSIM is widely used to measure image and video quality.

The invention introduces SSIM index to measure the similarity between the antagonistic sample and the original clean sample, and further optimizes the antagonistic sample by limiting the similarity. The loss function is adjusted to:

Loss＝max[(E_(x，y)～D[L(C(ρ(x))，y)]-E_(x，y)～F[L(C(ρ(x))，y)])]s.t.||||_p≤₁，SSIM(x，ρ(x))≤₂， (8)

Loss_targ＝max[(E_(x，y)～D[L(C(p(x))，y)-L(C(ρ(x))，y_targ)]-E_(x，y)～F[L(C(ρ(x))，y)])]s.t.||||_p≤₁，SSIM(x，ρ(x))≤₂(9)

₁、₂the values are all preset constants, and SSIM represents structural similarity;

(3) optimizing training

1) Optimization training based on gradient descent method

The existing mainstream anti-attack technology optimizes disturbance noise by calculating sample gradient information. Based on the inspiration, the invention firstly adopts an iterative gradient method to optimize the loss function to obtain the general disturbance rho (x). The general perturbation is built step by iterating the data points in each iteration data set.

In each iteration, if the classifier can identify the target as an aggressor-specified target, the current point is skipped. For the targets which cannot reach the settings of the attacker after the general disturbance is added, the method comprises the steps of identifying the specific targets as the data points of the attack targets and the normal targets which are wrongly classified, and calculating the Loss and the Loss of the specific targets_targThe loss-maximized directional gradient, multiplied by the originally set learning rate α, adds performance to the current general disturbance.

And after each iteration, judging the identification accuracy of the data set used by the iteration. The accuracy rate of the target-free attack is the weighted sum of the probability of classifying a specific class by mistake and the probability of correctly identifying other classes; the accuracy of a targeted attack is the weighted sum of the probability of identifying a particular class of data as another particular class and the probability of correctly identifying other classes of data. And if the accuracy reaches a preset threshold value, stopping iteration, randomly initializing the next data subset, performing iteration of the next batch, and finally outputting the general disturbance as a matrix, namely a general disturbance matrix.

2) Enhancing general interference concealment based on low-pass filtering

In the existing typical classifier, such as convolutional neural network, too many convolutional layers are provided, which results in sharp noise being amplified to a high factor in the deep network. The high-frequency noise is easily identified and found by human eyes, and the defense can also identify the confrontation sample by searching for the high-frequency noise. Therefore, after each iteration of the general perturbation, a low-pass filter is added. The low-pass filtering can make the sample data smooth and filter sharp points in the general noise, so that the general disturbance is more universal and invisible.

The invention adopts Gaussian filtering and eliminates high-frequency noise in general disturbance through convolution. Specifically, the original general disturbance is completely swept by a matrix to obtain a new general disturbance. The elimination of the high-frequency noise in the general disturbance by convolution is specifically: the convolution puts the anchor point of the kernel on the specific position element of the general disturbance matrix generated in the previous step, and meanwhile, other values in the kernel are superposed with each element in the neighborhood of the element; multiplying each value in the kernel by the corresponding element value and adding the products; putting the obtained result on an element corresponding to the anchor point; the above process is repeated for all element values of the generic perturbation matrix. And finally, replacing the value of the element point in the center of the template by the weighted average gray value of the elements in the neighborhood.

In summary, the process of generating the high-concealment general disturbance in this step is summarized as follows:

step 1: and setting a universal disturbance loss function. Constructing a loss function for resisting sample generation with no target and target universality by considering the general attack effect of disturbance, the minimized influence on non-specific categories and the imperceptibility in the real physical sense, wherein the loss function is expressed by the formulas (8) and (9);

step 2: performing optimization training on the loss function in a gradient descending manner to obtain primary universality disturbance;

step 3: and filtering the disturbance generated in the previous step by adopting low-pass filtering to remove sharp noise and enhance the concealment of the confrontation sample.

The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.