Self-adaptive denoising machine learning application method for defending against adversarial attacks

Document number: 1953721  Publication date: 2021-12-10

Reading note: this technology, "Self-adaptive denoising machine learning application method for defending against adversarial attacks", was designed by 韩正博, 许光全, 冯美琪 and 杨张妍 on 2021-07-26. Main content: The invention belongs to the technical field of machine learning and image recognition. To eliminate most adversarial perturbations in grayscale images and so ensure the quality of machine learning image recognition, it discloses an adaptive denoising method for defending against adversarial attacks in a machine learning system, comprising the following steps: calculating the image entropy: converting the picture into a grayscale image and calculating its entropy value; if the entropy value is greater than a set threshold, the picture may contain an adversarial perturbation, and if the entropy value is less than the set threshold, the picture is not processed; processing the perturbed picture with an adaptive scalar quantization algorithm, selecting a filter and a filter function to denoise the image; optimizing the image quality with the fast three-dimensional block matching algorithm FastBM3D; and inputting the picture into a neural network for processing. The invention is mainly applied to automatic target and image recognition.

1. A self-adaptive denoising method for defending against attacks in a machine learning system is characterized by comprising the following steps:

calculating the image entropy: converting the picture into a grayscale image and calculating its entropy value; if the entropy value is greater than a set threshold, the picture may contain an adversarial perturbation, and if the entropy value is less than the set threshold, the picture is not processed;

processing the perturbed picture with an adaptive scalar quantization algorithm, selecting a filter and a filter function to denoise the image;

optimizing the image quality with the fast three-dimensional block matching algorithm FastBM3D;

and inputting the picture into a neural network for processing.

2. The adaptive denoising method for defending against attacks in a machine learning system as claimed in claim 1, wherein the specific step of calculating the entropy of the image is:

for an 8-bit grayscale image, the image entropy is defined as the equation:

p_i represents the proportion of pixels in the image whose value is i. A threshold T_e is set, and an image whose entropy value is higher than T_e is denoised.

Processing the perturbed picture with the adaptive scalar quantization algorithm:

the principle of adaptive scalar quantization is to set a convolution filter and a threshold T_e. Each pixel in the image is then scanned using the convolution filter. For each pixel value x in the convolution filter, if x is less than the threshold T_e, it is directly set to 0; if x is greater than the threshold T_e, it is calculated by the filter function f(x).

For the filter function f(x), one of three functions may be employed:

(1) mean function: take the average of all pixel values greater than T_e in the convolution filter and replace them with the average:

(2) median function: take the median of all pixel values greater than T_e in the convolution filter and replace them with the median:

f(x)=mid(x)

where the input x is an ordered array of all pixel values and the mid() function is used to find the median;

(3) maximum function: take the maximum of all pixel values greater than T_e in the convolution filter and replace them with the maximum:

f(x)=max(x)

where the input x is an ordered array of all pixel values;

a threshold T_e and a filter function f(x) are used to ensure that the perturbations are removed while preserving most of the image features.

3. The adaptive denoising method for defending against attacks in a machine learning system as claimed in claim 1, wherein the image quality is optimized by using FastBM3D, comprising the following steps:

(1) reducing the number of similar blocks in the grouped portion and increasing the step size of the selected reference block;

(2) the final estimate is removed from the original BM3D algorithm and the quantized image is only subject to the basic estimate of the BM3D algorithm.

4. The adaptive denoising method for defending against attacks in a machine learning system as claimed in claim 1, wherein the image is inputted into a neural network for processing, the image with entropy smaller than threshold or the image denoised by ASQ-FastBM3D is inputted into the neural network, and the result is compared and analyzed.

Technical Field

The invention belongs to the field of machine learning and relates to a method for restoring and removing adversarial sample data in attacks on neural networks, and in particular to an adaptive denoising method for defending against adversarial attacks in a machine learning system.

Background

In recent years, machine learning has made great contributions in many fields such as image recognition, speech recognition, object detection, malware detection and natural language processing. In 2014, Ian Goodfellow et al. proposed the Generative Adversarial Network (GAN), which brought machine learning systems a further breakthrough in image generation and speech generation. Based on the concept of GAN, Mehdi Mirza et al. proposed CGAN (Conditional Generative Adversarial Networks), which provides conditions for generating specific images. Alec Radford et al. proposed DCGAN (Deep Convolutional Generative Adversarial Networks), which combines GAN and convolutional neural networks. DCGAN allows one to generate instances that can be used as raw data for training the model.

However, in 2013, Christian Szegedy et al. proposed the concept of adversarial examples. They found that deliberately adding a small perturbation to an original sample can fool the model into giving a false output with high confidence. Furthermore, one cannot recognize the difference between the two examples. As shown in Fig. 1, the original image is a Labrador retriever. After a small adversarial perturbation is added to the original image, the neural network classifies it as a beagle. The two pictures look the same, but the neural network can be tricked once the adversarial perturbation is added, and the model gives an erroneous result. In real life, an autonomous vehicle needs to constantly recognize the surrounding environment and traffic conditions. Suppose there is a stop sign along the road that for some reason has some dirt on it, and the vehicle recognizes the stop sign as a right-turn sign; the vehicle will then turn right according to the sign, which may cause a serious traffic accident.

Scalar quantization was first applied in the signal processing domain. The principle of scalar quantization is to divide the entire dynamic range into several small intervals. As shown in Fig. 2, each interval has a representative value. During quantization, the signal values falling within an interval are replaced by its representative value. For example, if the signal value is -0.3, the representative value is -0.5. If the signal value is 0.8, the representative value is 1. Since the signal quantity is one-dimensional, this method is called scalar quantization. Suppose we split the input into M intervals, b_i denotes the i-th breakpoint value, y_i denotes the representative value of the i-th interval, and Q(x) denotes the quantization function; then

Q(x) = y_i,  b_i < x < b_{i+1}

The three-dimensional block matching algorithm (BM3D) is an effective method for denoising grayscale images. It is mainly divided into two parts, the basic estimate and the final estimate. Each part is divided into three sub-parts: grouping, collaborative filtering, and aggregation. The grouping part finds the blocks with the smallest difference and integrates them into a three-dimensional matrix. Collaborative filtering is the two-dimensional transformation of the blocks in each three-dimensional matrix. The aggregation performs a one-dimensional transformation on the three-dimensional matrix and then sets components smaller than the parameter λ to zero using a hard threshold. Although the denoising effect of BM3D is better than that of other methods, the running cost of the BM3D algorithm is quite high. If the BM3D algorithm is applied to the field of automatic driving, a serious accident may be caused.

Disclosure of Invention

To overcome the defects of the prior art, the invention aims to provide an adaptive denoising framework, ASQ-FastBM3D, which combines an Adaptive Scalar Quantization (ASQ) algorithm with a fast three-dimensional block matching algorithm (Fast Block Matching and 3D Filtering, FastBM3D for short). The ASQ algorithm and the FastBM3D algorithm can eliminate most adversarial perturbations in grayscale images to ensure the quality of the machine learning system. To this end, the technical scheme adopted by the invention is an adaptive denoising method for defending against adversarial attacks in a machine learning system, comprising the following steps:

calculating the image entropy: converting the picture into a grayscale image and calculating its entropy value; if the entropy value is greater than a set threshold, the picture may contain an adversarial perturbation, and if the entropy value is less than the set threshold, the picture is not processed;

processing the perturbed picture with an adaptive scalar quantization algorithm, selecting a filter and a filter function to denoise the image;

optimizing the image quality with the fast three-dimensional block matching algorithm FastBM3D;

and inputting the picture into a neural network for processing.

The specific step of calculating the image entropy comprises the following steps:

for an 8-bit grayscale image, the image entropy is defined as the equation

p_i represents the proportion of pixels in the image whose value is i. A threshold T_e is set, and an image whose entropy value is higher than T_e is denoised.

Processing the perturbed picture with the adaptive scalar quantization algorithm:

the principle of adaptive scalar quantization is to set a convolution filter and a threshold T_e. Each pixel in the image is then scanned using the convolution filter. For each pixel value x in the convolution filter, if x is less than the threshold T_e, it is directly set to 0; if x is greater than the threshold T_e, it is calculated by the filter function f(x).

For the filter function f(x), one of three functions may be employed:

(1) mean function: take the average of all pixel values greater than T_e in the convolution filter and replace them with the average:

(2) median function: take the median of all pixel values greater than T_e in the convolution filter and replace them with the median:

f(x)=mid(x)

where the input x is an ordered array of all pixel values and the mid() function is used to find the median;

(3) maximum function: take the maximum of all pixel values greater than T_e in the convolution filter and replace them with the maximum:

f(x)=max(x)

where the input x is an ordered array of all pixel values;

a threshold T_e and a filter function f(x) are used to ensure that the perturbations are removed while preserving most of the image features.

Optimization of image quality using FastBM3D

(1) Reducing the number of similar blocks in the grouped portion and increasing the step size of the selected reference block;

(2) the final estimate is removed from the original BM3D algorithm and the quantized image is only subject to the basic estimate of the BM3D algorithm.

Inputting the picture into a neural network for processing

The picture whose entropy value is smaller than the threshold, or the picture denoised with ASQ-FastBM3D, is input into the neural network, and the result is obtained for comparative analysis.

The invention has the characteristics and beneficial effects that:

Adversarial perturbations are treated as noise, and a method combining adaptive scalar quantization with the FastBM3D algorithm is proposed. It is a lightweight framework that can recover adversarial examples without the use of neural networks. The method is efficient, has high recovery precision, and can be combined with any machine learning system to improve robustness. Experimental results show that the method has a higher recovery rate and efficiency than traditional image denoising methods and existing neural network denoising methods. A real license plate recognition environment was simulated in experiments. The results show that the method achieves 99.73% accuracy when combined with a license plate recognition system. Generally speaking, the method of the invention can resist adversarial attacks and ensure the quality of a machine learning system.

Description of the drawings:

Fig. 1 adversarial example.

Fig. 2 scalar quantization function.

Fig. 3 system framework.

Fig. 4 is a flow chart.

Detailed Description

The invention regards adversarial perturbations as noise and provides an adaptive denoising framework, ASQ-FastBM3D, which combines an Adaptive Scalar Quantization (ASQ) algorithm with a Fast three-dimensional Block Matching (Fast Block Matching and 3D Filtering, FastBM3D) algorithm. The ASQ and FastBM3D algorithms are upgraded versions of the scalar quantization and BM3D algorithms. The method can eliminate most adversarial perturbations in grayscale images. In real-life tasks such as license plate detection and road sign detection, the input picture is very noisy, and the neural network treats this noise as an adversarial perturbation, which leads to an erroneous recognition result. With this algorithm, the input picture can be denoised to eliminate the adversarial perturbation in it before it is input into the machine learning model for recognition, which improves the accuracy of machine learning model recognition in real life and guarantees the quality of the machine learning system.

1. Integrated framework

The system is divided into four modules as shown in fig. 3:

Computing the image entropy. The picture is converted into a grayscale image and its entropy value is calculated; if the entropy value is greater than a set threshold, the picture may contain an adversarial perturbation, and if the entropy value is less than the set threshold, the picture is not processed.

Processing the perturbed picture with the adaptive scalar quantization algorithm. A suitable filter and filter function are selected to denoise the image.

Optimizing the image quality with FastBM3D.

Inputting the picture into the neural network for processing.

2. Computing image entropy

The image entropy is an information entropy that reflects the average amount of information in an image. For an 8-bit grayscale image, the image entropy is defined as the equation

p_i represents the proportion of pixels in the image whose value is i. Since an adversarial perturbation is by nature noise, the entropy of an adversarial example with a perturbation added is generally greater than the entropy of the original example. Thus, we can set a threshold T_e and denoise only the images whose entropy value is higher than T_e. This makes the program run more efficiently.
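The entropy gate described above, as an added example that is not part of the patent text: it measures a constructed two-level image before and after bounded uniform noise is added, and takes the threshold from the gap between clean and adversarial entropies in the page's Table 1. The page's entropy equation is missing, so the standard Shannon entropy with a base-2 logarithm is assumed; the function names, the midpoint threshold and the sample image are assumptions of this example.

```python
import math
import random
from collections import Counter

# Table 1 from this page: (mean, maximum, minimum) image entropy in bits.
TABLE1 = {
    "Original picture": (4.71, 5.05, 4.14),
    "FGSM": (6.72, 6.89, 6.53),
    "DeepFool": (5.92, 6.31, 5.33),
    "JSMA": (5.88, 6.14, 5.38),
    "BIM": (6.97, 7.10, 6.80),
    "PGD": (6.88, 7.02, 6.69),
    "C&W": (7.07, 7.30, 6.26),
}

def image_entropy(pixels):
    """Entropy in bits of an 8-bit grayscale image given as rows of ints."""
    flat = [v for row in pixels for v in row]
    if not flat or any(not 0 <= v <= 255 for v in flat):
        raise ValueError("expected a non-empty image with values in 0..255")
    n = len(flat)
    # Assumed definition (standard Shannon entropy): H = -sum(p_i * log2(p_i)).
    return -sum(c / n * math.log2(c / n) for c in Counter(flat).values())

def separating_interval(table, clean="Original picture"):
    """Return (highest clean entropy, lowest adversarial entropy, that attack)."""
    attack = min((k for k in table if k != clean), key=lambda k: table[k][2])
    return table[clean][1], table[attack][2], attack

def needs_denoising(pixels, t_e):
    """Entropy gate: only images above T_e go on to ASQ and FastBM3D."""
    return image_entropy(pixels) > t_e

def constructed_plate(width=64, height=32):
    """Constructed sample: dark bars (30) on a light background (200)."""
    return [[30 if (x // 8) % 2 == 1 and 8 <= y < 24 else 200
             for x in range(width)] for y in range(height)]

def add_bounded_noise(pixels, budget=16, seed=0):
    """Constructed stand-in for a perturbation: uniform noise in +/- budget."""
    rng = random.Random(seed)
    return [[min(255, max(0, v + rng.randint(-budget, budget))) for v in row]
            for row in pixels]

if __name__ == "__main__":
    low, high, attack = separating_interval(TABLE1)
    t_e = (low + high) / 2  # assumed choice: midpoint of the gap
    print(f"T_e = {t_e:.2f} (gap {low}..{high}, tightest attack: {attack})")
    for name, img in (("clean", constructed_plate()),
                      ("noisy", add_bounded_noise(constructed_plate()))):
        h = image_entropy(img)
        print(f"{name}: H = {h:.2f} bits, denoise = {needs_denoising(img, t_e)}")
```

In Table 1 the gap between the clean and adversarial ranges is 0.28 bits and is set by DeepFool, so a threshold should be derived from the entropy distribution of the deployment's own clean images rather than copied from another data set.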

3. Processing perturbed pictures using an adaptive scalar quantization Algorithm (ASQ)

The principle of adaptive scalar quantization is to set a convolution filter and a threshold T_e. Each pixel in the image is then scanned using the convolution filter. For each pixel value x in the convolution filter, if x is less than the threshold T_e, it is directly set to 0; if x is greater than the threshold T_e, it is calculated by the filter function f(x).

For the filter function f(x), we propose three methods:

(1) Mean function: take the average of all pixel values greater than T_e in the convolution filter and replace them with the average.

(2) Median function: take the median of all pixel values greater than T_e in the convolution filter and replace them with the median.

f(x)=mid(x)

Where the input x is an ordered array of all pixel values. The mid() function is used to find the median.

(3) Maximum function: take the maximum of all pixel values greater than T_e in the convolution filter and replace them with the maximum.

f(x)=max(x)

The input x is an ordered array of all pixel values. The max() function is used to find the maximum value.

The threshold T_e and the filter function f(x) are important both for eliminating adversarial perturbations and for preserving the original characteristics of the image. If the threshold is too low, most adversarial perturbations may not be eliminated. If the threshold T_e is too high, most of the key image information may be deleted, resulting in a classification error. In summary, for images with significant features, we use a threshold T_e and a filter function f(x) to ensure that some perturbations are removed while most of the image features are preserved.
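One way to implement the quantization step described above, as an added example that is not the patent's own code, run on a constructed 4x4 image at three thresholds to show the too-low and too-high cases. Assumptions of this example: windows do not overlap, a value equal to the threshold is zeroed, f(x) is rounded to an integer, and the names `asq`, `distinct_levels` and `nonzero` are illustrative.

```python
from statistics import mean, median

# The three filter functions f(x) listed on the page.
FILTER_FUNCTIONS = {"mean": mean, "median": median, "max": max}

def asq(pixels, threshold, size=2, func="median"):
    """Adaptive scalar quantization of an 8-bit grayscale image (rows of ints).

    Assumed details: windows do not overlap (stride == size), a value equal
    to the threshold is zeroed, and f(x) is rounded to the nearest integer.
    """
    f = FILTER_FUNCTIONS[func]
    height, width = len(pixels), len(pixels[0])
    out = [[0] * width for _ in range(height)]
    for top in range(0, height, size):
        for left in range(0, width, size):
            cells = [(y, x)
                     for y in range(top, min(top + size, height))
                     for x in range(left, min(left + size, width))]
            kept = [pixels[y][x] for y, x in cells if pixels[y][x] > threshold]
            if not kept:
                continue  # the whole window is below the threshold: stays 0
            representative = int(round(f(kept)))
            for y, x in cells:
                if pixels[y][x] > threshold:
                    out[y][x] = representative
    return out

def distinct_levels(pixels):
    """Number of different gray levels present in the image."""
    return len({v for row in pixels for v in row})

def nonzero(pixels):
    """Number of pixels that survive quantization (are not set to 0)."""
    return sum(1 for row in pixels for v in row if v)

# Constructed sample: a bright 2x2 feature and one bright pixel on a dark,
# slightly noisy background. Every pixel has a different value.
SAMPLE = [
    [12, 5, 190, 216],
    [3, 9, 200, 210],
    [14, 2, 7, 11],
    [6, 180, 0, 13],
]

if __name__ == "__main__":
    print("levels before:", distinct_levels(SAMPLE))
    for t in (4, 100, 210):  # too low, reasonable, too high
        out = asq(SAMPLE, t)
        print(f"threshold={t}: kept={nonzero(out)} levels={distinct_levels(out)}")
        for row in out:
            print("   ", row)
```

At threshold 4 the background noise survives quantization, and at 210 only one pixel of the bright feature remains, which are the two failure cases the paragraph above describes.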

4. Optimization of image quality using FastBM3D

BM3D has a good denoising effect on grayscale images, but its grouping part and final estimate take a long time and its computational efficiency is low. Therefore, the conventional BM3D algorithm is not suitable for real-time systems such as license plate recognition and traffic signal recognition in automatic driving. For these two reasons, the present invention makes two improvements to the BM3D algorithm.

(1) Since the features of a given image are apparent and the grouping operation in BM3D takes the longest time, the number of similar blocks in the grouping part can be reduced and the step size for selecting reference blocks can be increased. After the number of similar blocks is reduced and the step size is increased, the denoising effect is not much different from that of the original algorithm, but the denoising efficiency is greatly improved.

(2) The present invention implicitly removes the final estimate from the original BM3D algorithm. Since the image features are obvious, the invention holds that the quantized image need only undergo the basic estimate of the BM3D algorithm.

5. Inputting the picture into a neural network for processing

The picture whose entropy value is smaller than the threshold, or the picture denoised with ASQ-FastBM3D, is input into the neural network, and the result is obtained for comparative analysis.

| Attack method | Mean entropy value | Maximum entropy value | Minimum entropy value |
|---|---|---|---|
| Original picture | 4.71 | 5.05 | 4.14 |
| FGSM | 6.72 | 6.89 | 6.53 |
| DeepFool | 5.92 | 6.31 | 5.33 |
| JSMA | 5.88 | 6.14 | 5.38 |
| BIM | 6.97 | 7.10 | 6.80 |
| PGD | 6.88 | 7.02 | 6.69 |
| C&W | 7.07 | 7.30 | 6.26 |

Table 1. Entropy comparison of normal and adversarial sample pictures

Table 2. Recovery rates for different kinds of adversarial samples

Table 3. Comparison of the effect of ASQ-FastBM3D with other existing methods

The invention finally realizes an adaptive denoising framework for defending against adversarial attacks in a machine learning system. The system mainly uses the adaptive scalar quantization method to eliminate the adversarial perturbation in the picture and uses the FastBM3D algorithm to improve the picture quality. The flow chart of the invention is shown in Fig. 4, and the specific implementation is as follows:

Step one: initialize the system and set the corresponding threshold, filter function, filter size and so on;

Step two: calculate the image entropy of the input picture; if the image entropy is larger than the threshold, proceed to the next step, otherwise go to step five;

Step three: denoise the input picture with the scalar quantization algorithm as configured;

Step four: improve the image quality with the FastBM3D algorithm;

Step five: input the image into the neural network for recognition.

The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention.
