针对深度神经网络模型指纹检测的逃避算法

随着深度神经网络在不同领域的成功应用,模型的知识产权保护成为了一个备受关注的问题.由于深度神经网络的训练需要大量计算资源、人力成本和时间成本,攻击者通过窃取目标模型参数,可低成本地构建本地替代模型.为保护模型所有者的知识产权,最近提出的模型指纹比对方法,利用模型决策边界附近的指纹样本及其指纹查验模型是否被窃取,具有不影响模型自身性能的优点.针对这类基于模型指纹的保护策略,提出了一种逃避算法,可以成功绕开这类保护策略,揭示了模型指纹保护的脆弱性.该逃避算法的核心是设计了一个指纹样本检测器——Fingerprint-GAN.利用生成对抗网络(generative adversarial network,GAN)原理,学习正常样本在隐空间的特征表示及其分布,根据指纹样本与正常样本在隐空间中特征表示的差异性,检测到指纹样本,并向目标模型所有者返回有别于预测的标签,使模型所有者的指纹比对方法失效.最后通过CIFAR-10,CIFAR-100数据集评估了逃避算法的性能,实验结果表明:算法对指纹样本的检测率分别可达95%和94%,而模型所有者的指纹比对成功率最高仅为19%,证明了模型指纹比对保护方法的不可靠性.     

基于小样本学习的图像分类技术综述

图像分类的应用场景非常广泛, 很多场景下难以收集到足够多的数据来训练模型, 利用小样本学习进行图像分类可解决训练数据量小的问题. 本文对近年来的小样本图像分类算法进行了详细综述, 根据不同的建模方式, 将现有算法分为卷积神经网络模型和图神经网络模型两大类, 其中基于卷积神经网络模型的算法包括四种学习范式: 迁移学习、元学习、对偶学习和贝叶斯学习; 基于图神经网络模型的算法原本适用于非欧几里得结构数据, 但有部分学者将其应用于解决小样本下欧几里得数据的图像分类任务, 有关的研究成果目前相对较少. 此外, 本文汇总了现有文献中出现的数据集并通过实验结果对现有算法的性能进行了比较. 最后, 讨论了小样本图像分类技术的难点及未来研究趋势.     

基于可解释基拆解和知识图谱的深度神经网络可视化

近年来,以卷积神经网络(CNN)等为代表的深度学习模型,以其深度分层学习,无标签化学习等优势,已在图像识别为代表的各个领域得到日益广泛的应用.然而,深度神经网络模型由于其内在的黑盒原理,对其内部工作机制的解释仍然面临巨大挑战,其可解释性问题已成为了研究界和工业界的前沿性热点研究课题.针对现有研究存在的缺乏基于图谱的可解释性方法的问题,以及可解释基模型的图谱构建优势,本文提出了一种基于可解释基拆解和知识图谱的深度神经网络可视化方法.首先采用一种面向可解释基模型特征拆解结构的知识图谱构建方法,构建了场景和解释特征之间的解释关系和并列关系等图谱信息;利用场景-特征的解释关系网络,提出了一种基于Jaccard系数的场景间相似度聚类方法;针对现有可解释基模型对相似的场景,其解释特征重合率可能很高的问题,提出了一种基于场景的判别性特征提取方法,在特征拆解结果中能对每一类样本分别提取出能够区别此类和其他类并且拥有同等重要性的拆解特征(即判别性特征);针对现有可解释基的深度网络可视化测试缺乏保真度测试的问题,提出了一种适于深度神经网络的保真度测试方法.保真度测试和人类置信度测试,均表明本文所提方法可取得优异效果.     

一种基于进化策略和注意力机制的黑盒对抗攻击算法

深度神经网络在许多计算机视觉任务中都取得了优异的结果,并在不同领域中得到了广泛应用.然而研究发现,在面临对抗样本攻击时,深度神经网络表现得较为脆弱,严重威胁着各类系统的安全性.在现有的对抗样本攻击中,由于黑盒攻击具有模型不可知性质和查询限制等约束,更接近实际的攻击场景.但现有的黑盒攻击方法存在攻击效率较低与隐蔽性弱的缺陷,因此提出了一种基于进化策略的黑盒对抗攻击方法.该方法充分考虑了攻击过程中梯度更新方向的分布关系,自适应学习较优的搜索路径,提升攻击的效率.在成功攻击的基础上,结合注意力机制,基于类间激活热力图将扰动向量分组和压缩优化,减少在黑盒攻击过程中积累的冗余扰动,增强优化后的对抗样本的不可感知性.通过与其他4种最新的黑盒对抗攻击方法（AutoZOOM、QL-attack、FD-attak、D-based attack）在7种深度神经网络上进行对比,验证了该方法的有效性与鲁棒性.     

基于对抗式数据增强的深度文本检索重排序

在信息检索领域的排序任务中, 神经网络排序模型已经得到广泛使用. 神经网络排序模型对于数据的质量要求极高, 但是, 信息检索数据集通常含有较多噪音, 不能精确得到与查询不相关的文档. 为了训练一个高性能的神经网络排序模型, 获得高质量的负样本, 则至关重要. 借鉴现有方法doc2query的思想, 本文提出了深度、端到端的模型AQGM, 通过学习不匹配查询文档对, 生成与文档不相关、原始查询相似的对抗查询, 增加了查询的多样性,增强了负样本的质量. 本文利用真实样本和AQGM模型生成的样本, 训练基于BERT的深度排序模型, 实验表明,与基线模型BERT-base对比, 本文的方法在MSMARCO和TrecQA数据集上, MRR指标分别提升了0.3％和3.2％.     

面向知识图谱链接预测任务的解释子图生成模型

近年来图神经网络（GNN）发展迅速,相关模型在知识图谱链接预测任务上的性能显著提升。为解释性能提升的原因,研究人员需要提取GNN学习到的子图模式。然而现有GNN解释器在知识图谱这类典型多关系（multi-relation）图数据场景下的解释准确性尚未被验证,且相关工具尚未实现,导致解释子图提取困难。针对该问题,提出一种将多关系的知识图谱转换为单关系（uni-relational）图的知识图谱链接预测模型,该模型通过将知识图谱中的实体组合为新的节点,并将关系作为新节点的特征,生成只有单一关系的新图,并在新图上训练去噪自编码器使其获得链接预测能力,最后使用GNN解释器生成子图解释。在三个基准数据集上的实验表明,与不进行转换的GraIL相比,所提基于单关系转换的链接预测模型的相对AUC指标提升显著。最后,该模型选取FB15K-237数据集进行解释子图提取实验,验证了模型在直接提取链接预测解释方面的有效性。     

基于深度学习的铁路图像场景分类优化研究

铁路检测、监测领域产生海量的图像数据,基于图像场景进行分类对图像后续分析、管理具有重要价值.本文提出一种结合深度卷积神经神经网络DCNN （Deep Convolutional Neural Networks）与梯度类激活映射Grad-CAM （Grad Class Activation Mapping）的可视化场景分类模型,DCNN在铁路场景分类图像数据集进行迁移学习,实现特征提取,Grad-CAM根据梯度全局平均计算权重实现对类别的加权热力图及激活分数计算,提升分类模型可解释性.实验中对比了不同的DCNN网络结构对铁路图像场景分类任务性能影响,对场景分类模型实现可视化解释,基于可视化模型提出了通过降低数据集内部偏差提升模型分类能力的优化流程,验证了深度学习技术对于图像场景分类任务的有效性.     

基于PGAT模型的氧气顶吹转炉小样本故障诊断

针对现有的深度学习方法对小样本情况下的故障诊断精度不佳和图神经网络构造图的方式依赖其他算法的问题,提出一种图的构造方法,并基于该方法提出一种基于图注意力机制与先验知识库的PGAT(prior knowledge-graph attention network)模型.将有标签样本和无标签样本按照固定的方式连接在一起,通过引入图注意力机制计算出样本之间的相似程度,使得新加入的样本不依赖于图的拓扑结构,解决图卷积神经网络不易于扩展的问题.在基准数据集和氧气顶吹转炉数据集上的实验表明,在只有少量有效数据的条件下,所提模型相较于其他模型具有更好的故障诊断精度.     

基于图表征和双重注意力机制的跨被试ERP检测

针对事件相关电位（event-related potential,ERP）在跨被试场景下检测精度不高的问题,提出了一种基于图表征和双重注意力机制的卷积循环神经网络模型。该模型采用不依赖于被试和任务的图来表征脑电信号中的空间信息,并级联卷积神经网络（convolutional neural network,CNN）和长短期记忆网络（long short-term memory network,LSTM）形成CNN-LSTM基础框架,同时嵌入双重注意力机制（即选择性内核卷积和自注意力机制）以充分提取不同被试脑电信号的时空特征,从而提高跨被试场景下的ERP检测精度。在基于快速序列视觉呈现范式的大规模基准数据集上的实验结果表明,与现有的7种ERP检测方法相比,所提方法在跨被试场景下具有显著的优越性。     

基于压缩感知的神经网络实时综合防御策略

近年来,基于深度神经网络的视觉识别模型因其在准确率、成本及效率等方面的优势而广泛应用于自动驾驶、工业检测及无人机导航等领域.而深度神经网络自身易受数字域或物理域对抗样本攻击导致模型误判,因此其在无人驾驶等具有强鲁棒性、高实时性要求的场景中部署和应用可能为系统引入新的风险.现有的防御方案在增强模型鲁棒性的同时往往造成准确率明显下降,且往往不能对像素攻击和补丁攻击均提供较强防御能力.因此,设计一种精度高且对多类对抗攻击均具有强鲁棒性的实时综合防御策略成为深度神经网络视觉方案落地应用的关键.本文提出一种基于压缩感知的神经网络实时综合防御策略ComDCT,首先构建图像压缩感知压缩域与其稀疏离散余弦系数之间的映射神经网络,并将网络输出的离散余弦系数通过离散余弦逆变换恢复为去除对抗性扰动的图像作为分类器输入,以降低对抗样本攻击成功率.其次,本文提出通过引入分类损失进一步提升防御策略的综合性能,并根据防御者是否掌握分类模型参数结构等信息分析讨论并验证了黑盒、白盒两种防御模式下引入分类损失的有效性.相比于ComDefend、MF、TVD、LRR等多种防御方法,本文提出的基于压缩感知的神经网络实时综合防...     

一种基于环签名的匿名数字指纹方案

分析了现有数字指纹技术，将环签名与数字指纹相结合，基于椭圆曲线密码提出了一类非对称的匿名数字指纹方案。该方案实现了购买者的匿名性与指纹信息的非对称性，有效地保护了用户与商家的隐私信息，必要时又可对匿名身份实施追踪，避免了可信第三方的安全假设及指纹信息前后关联的缺陷，防止了对数字指纹进行联合攻击和广义伪造攻击的安全隐患。     

Optimal fingerprint scheme for video on demand using block designs

Video fingerprint is a mechanism to protect movie from the traitors and also have the capability to identify the traitors. The problem arises in video fingerprint when several traitors having the same copies of a movie with different fingerprints collude together. During the collusion the original fingerprints in the movie will be removed or attenuated. Due to this the traitors can illegally copy, duplicate, record or redistribute the movie without having legitimate permissions. To avoid illegitimate acts of the traitors, a new Video on Demand architecture is proposed in this paper. This new architecture combines the proxy caching mechanisms in the peer to peer network to support larger users group. A new video fingerprinting scheme is proposed for this architecture, which can strongly resist against collusion attacks from the traitors. To check the appropriateness of our scheme, we have analyzed some of the existing schemes. The appropriateness is analyzed in terms of efficiency, effectivity and performance. To evaluate the optimality of these schemes, we have carried out simulation for our architecture. The results from the simulation show the optimal outcome for our scheme than any existing schemes.     

A collusion attack optimization framework toward spread-spectrum fingerprinting

Understanding the weaknesses and the limitations of existing digital fingerprinting schemes and designing effective collusion attacks play an important role in the development of digital fingerprinting. In this paper, we propose a collusion attack optimization framework for spread-spectrum (SS) fingerprinting. Our framework is based upon the closed-loop feedback control theory. In the framework, we at first define a measure function to test whether the fingerprint presents in the attacked signal after collusion. Then, an optimization mechanism is introduced to attenuate the fingerprints from the forgery. We evaluate the performance of the proposed framework for three different SS-based embedding methods. The experimental results show that the proposed framework is more effective than the other examined collusion attacks. About three pieces of fingerprinted content are able to interrupt the fingerprinting system which accommodates about 1000 users, if we require the detection probability to be less than 0.9. Meanwhile, a high fidelity of the attacked content is retained.     

Predicting fingerprint biometrics performance from a small gallery

Predicting the performance of a biometrics is an important problem in a real-world application. In this paper, we present a binomial model to predict both the fingerprint verification and identification performance. The match and non-match scores are computed, using the number of corresponding triangles as the match metric, between the query and gallery fingerprints. The triangles are formed using the minutiae features. The match score and non-match score in a binomial prediction model are used to predict the performance on large (relative to the size of the gallery) populations from a small gallery. We apply the model to the entire NIST-4 database and show the results for both the fingerprint verification and the identification.     

一种二进制数字指纹编码算法

抗合谋攻击是数字指纹技术中需要解决的关键问题之一.基于二进制随机编码,通过使用伪随机序列对指纹比特的重复嵌入进行控制,提出了一种有效的抗合谋攻击的数字指纹编码算法及其相应的跟踪算法.理论分析和实验结果表明,在适当的合谋尺寸下,该算法能够对非法分发者进行有效跟踪,同时无辜用户被诬陷的概率可以根据要求接近于0.由于在该算法中发行商无须知道用户原来的码字,因此可以说该算法是设计非对称指纹的一个很好的备选算法.     

基于视觉模型的抗共谋指纹方案

在传统的基于QIM（Quantization Index Modulation）嵌入的数字指纹系统中,由于量化步长固定,指纹系统的抗共谋性能和图像保真度较差。针对这些问题,提出一种抗共谋指纹方案,在嵌入指纹时添加随机信号到宿主信号的DCT域,根据Watson视觉模型选择量化步长。实验结果表明,与原始的QIM指纹方案相比,采用提出方案的QIM指纹系统在抗共谋能力和视觉失真度方面都具有较好的性能。     

Distortion Estimation in Compressed Music Using Only Audio Fingerprints

An audio fingerprint is a compact yet very robust representation of the perceptually relevant parts of an audio signal. It can be used for content-based audio identification, even when the audio is severely distorted. Audio compression changes the fingerprint slightly. We show that these small fingerprint differences due to compression can be used to estimate the signal-to-noise ratio (SNR) of the compressed audio file compared to the original. This is a useful content-based distortion estimate, when the original, uncompressed audio file is unavailable. The method uses the audio fingerprints only. For stochastic signals distorted by additive noise, an analytical expression is obtained for the average fingerprint difference as function of the SNR level. This model is based on an analysis of the Philips robust hash (PRH) algorithm. We show that for uncorrelated signals, the bit error rate (BER) is approximately inversely proportional to the square root of the SNR of the signal. This model is extended to correlated signals and music. For an experimental verification of our proposed model, we divide the field of audio fingerprinting algorithms into three categories. From each category, we select an algorithm that is representative for that category. Experiments show that the behavior predicted by the stochastic model for the PRH also holds for the two other algorithms.     

Decision-level fusion in fingerprint verification

A scheme is proposed for classifier combination at decision level which stresses the importance of classifier selection during combination. The proposed scheme is optimal (in the Neyman-Pearson sense) when sufficient data are available to obtain reasonable estimates of the join densities of classifier outputs. Four different fingerprint matching algorithms are combined using the proposed scheme to improve the accuracy of a fingerprint verification system. Experiments conducted on a large fingerprint database (∼2700 fingerprints) confirm the effectiveness of the proposed integration scheme. An overall matching performance increase of ∼3% is achieved. We further show that a combination of multiple impressions or multiple fingers improves the verification performance by more than 4% and 5%, respectively. Analysis of the results provide some insight into the various decision-level classifier combination strategies.     

基于代码的软件指纹技术及实现方案研究*

在全面分析软件标志和软件安全技术理论的基础上,创造性地提出新的软件指纹技术及基本实现方案,并对基于代码的静态软件指纹技术的嵌入、检测、攻击以及安全性等方面进行了深入探讨,从而形成了系统的软件安全保护应用模式.     

Digital Image Source Coder Forensics Via Intrinsic Fingerprints

Recent development in multimedia processing and network technologies has facilitated the distribution and sharing of multimedia through networks, and increased the security demands of multimedia contents. Traditional image content protection schemes use extrinsic approaches, such as watermarking or fingerprinting. However, under many circumstances, extrinsic content protection is not possible. Therefore, there is great interest in developing forensic tools via intrinsic fingerprints to solve these problems. Source coding is a common step of natural image acquisition, so in this paper, we focus on the fundamental research on digital image source coder forensics via intrinsic fingerprints. First, we investigate the unique intrinsic fingerprint of many popular image source encoders, including transform-based coding (both discrete cosine transform and discrete wavelet transform based), subband coding, differential image coding, and also block processing as the traces of evidence. Based on the intrinsic fingerprint of image source encoders, we construct an image source coding forensic detector that identifies which source encoder is applied, what the coding parameters are along with confidence measures of the result. Our simulation results show that the proposed system provides trustworthy performance: for most test cases, the probability of detecting the correct source encoder is over 90%.