CN117576522B - A model training method and device based on dynamic defense of mimicry structure - Google Patents

Abstract

This specification discloses a model training method and device based on dynamic defense of mimicry structure. The task execution method includes: obtaining a pre-trained model, inputting the first image used to train the pre-trained model into the pre-trained model, and obtaining the recognition result corresponding to the first image. According to the recognition result corresponding to the first image and the actual label corresponding to the first image, the second image is determined. The second image is input into the pre-trained model to determine the weights corresponding to each sub-recognition network set in the pre-trained model through the weight network layer in the pre-trained model, and the second image is recognized by each sub-recognition network to obtain each recognition result, and each recognition result is weighted according to the weights corresponding to each sub-recognition network determined to obtain the final recognition result, and the pre-trained model is trained with the optimization goal of minimizing the deviation between the final recognition result and the actual label.

Description

A model training method and device based on dynamic defense of mimicry structure

Technical Field

This specification relates to the field of artificial intelligence, and in particular to a model training method and device based on dynamic defense of mimicry structure.

Background technique

With the rapid development of artificial intelligence, deep learning has achieved remarkable results in many fields such as image recognition, natural language processing, speech recognition, etc. However, the performance of neural network models in complex environments such as noise, disturbance, and adversarial attacks is often unstable and lacks robustness.

Currently, when a neural network model is used to recognize images, the image samples input into the neural network model may include adversarial samples. When the neural network model is faced with adversarial samples for recognition, the accuracy of the output results may decrease. Moreover, as time goes by, the types of adversarial samples continue to increase. The current training method is not sufficient to obtain a neural network model with higher accuracy.

Based on this, how to improve the accuracy of neural network model training is an urgent problem to be solved.

Summary of the invention

This specification provides a model training method and device based on dynamic defense of mimicry structure to partially solve the above-mentioned problems existing in the prior art.

This manual adopts the following technical solutions:

This specification provides a model training method based on dynamic defense of mimicry structure, including:

Get the pre-trained model;

Inputting a first image used to train the pre-trained model into the pre-trained model to obtain a recognition result corresponding to the first image;

Determining gradient information corresponding to the first image according to a recognition result corresponding to the first image and an actual label corresponding to the first image;

Generate interference data according to a reverse gradient direction of a gradient direction corresponding to the gradient information;

Adding the interference data to the first image to obtain a second image;

Inputting the second image into the pre-trained model, determining the weights corresponding to the sub-recognition networks set in the pre-trained model through the weight network layer in the pre-trained model, and respectively recognizing the second image through each sub-recognition network to obtain each recognition result, and weighting each recognition result according to the determined weights corresponding to each sub-recognition network to obtain a final recognition result;

The pre-training model is trained with the optimization goal of minimizing the deviation between the final recognition result and the actual label.

Optionally, each of the sub-recognition networks includes a first sub-recognition network and a second sub-recognition network, the first sub-recognition network is used to recognize an image input into the first sub-recognition network by using a learned recognition rule for recognizing a first image, and the second sub-recognition network is used to recognize an image input into the second sub-recognition network by using a learned recognition rule for recognizing a second image;

The pre-training model is trained with minimizing the deviation between the final recognition result and the actual label as the optimization goal, specifically including:

The network parameters of the first sub-recognition network in the pre-trained model are fixed, and the network parameters in the second sub-recognition network and the network parameters in the weight network layer are adjusted with the optimization goal of minimizing the deviation between the final recognition result and the actual label.

Optionally, the method further comprises:

When it is monitored that image data that does not match the type of image data used to train the pre-trained model is obtained, a number of new sub-recognition networks are generated, and the new sub-recognition networks are deployed to the pre-trained model, and the weight network layer is dimensionally expanded according to the new sub-recognition networks to obtain an updated pre-trained model;

Inputting the acquired image data that does not conform to the type of image data used to train the pre-trained model and the original image data as expanded image data into the updated pre-trained model, so as to determine the weights corresponding to the original sub-recognition networks and the weights corresponding to the new sub-recognition networks through the weight network layer in the updated pre-trained model, and respectively recognize the expanded image data through each original sub-recognition network and each new sub-recognition network to obtain each recognition result, and weighting the recognition results according to the determined weights corresponding to the original sub-recognition networks and the weights corresponding to the new sub-recognition networks to obtain the recognition result corresponding to the expanded image data;

The updated pre-trained model is trained with the optimization goal of minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data.

Optionally, the updated pre-trained model is trained with minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data as an optimization goal, specifically comprising:

Fixing the network parameters of the original sub-recognition networks in the pre-trained model and the network parameters corresponding to the dimensions of the original sub-recognition networks in the weight network layer;

With minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data as the optimization goal, the network parameters in each new sub-recognition network and the network parameters corresponding to the expanded dimension of each new sub-recognition network in the weight network layer are adjusted.

Optionally, the updated pre-trained model is trained with minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data as an optimization goal, specifically including:

For the Nth round of training, a first loss value is obtained according to a deviation between a recognition result corresponding to the expanded image data obtained in the Nth round of training and an actual label corresponding to the expanded image data;

For each original sub-recognition network, determine a second loss value corresponding to the original sub-recognition network according to a deviation between a recognition result obtained by the original sub-recognition network in the pre-training model for the expanded image data before training and a recognition result obtained by the original sub-recognition network in the pre-training model for the expanded image data after the N-1th round of training;

A total loss value is obtained according to the first loss value and the second loss value, and the pre-trained model is trained for an Nth round by minimizing the total loss value as an optimization target.

This specification provides a model training device based on dynamic defense of mimicry structure, including:

Acquisition module, used to obtain pre-trained models;

A generation module, used to input the first image used to train the pre-trained model into the pre-trained model to obtain a recognition result corresponding to the first image; determine the gradient information corresponding to the first image according to the recognition result corresponding to the first image and the actual label corresponding to the first image; generate interference data according to the reverse gradient direction of the gradient direction corresponding to the gradient information; add the interference data to the first image to obtain a second image;

A weighting module, used for inputting the second image into the pre-trained model, determining the weights corresponding to the sub-recognition networks set in the pre-trained model through the weight network layer in the pre-trained model, and respectively recognizing the second image through each sub-recognition network to obtain each recognition result, and weighting each recognition result according to the determined weights corresponding to each sub-recognition network to obtain a final recognition result;

The training module is used to train the pre-training model with the optimization goal of minimizing the deviation between the final recognition result and the actual label.

Optionally, each of the sub-recognition networks includes a first sub-recognition network and a second sub-recognition network, the first sub-recognition network is used to recognize an image input into the first sub-recognition network by using a learned recognition rule for recognizing a first image, and the second sub-recognition network is used to recognize an image input into the second sub-recognition network by using a learned recognition rule for recognizing a second image;

The training module is specifically used to fix the network parameters of the first sub-recognition network in the pre-trained model, and adjust the network parameters in the second sub-recognition network and the network parameters in the weight network layer with the optimization goal of minimizing the deviation between the final recognition result and the actual label.

Optionally, the training module is also used to, when it is monitored that image data of a type inconsistent with the image data used to train the pre-trained model is obtained, generate several new sub-recognition networks, deploy the new sub-recognition networks into the pre-trained model, and according to the new sub-recognition networks, dimensionally expand the weight network layer to obtain an updated pre-trained model; input the image data that is inconsistent with the type of image data used to train the pre-trained model and the original image data as expanded image data into the updated pre-trained model, so as to confirm through the weight network layer in the updated pre-trained model. Determine the weights corresponding to the original sub-recognition networks and the weights corresponding to the new sub-recognition networks, and respectively recognize the expanded image data through each original sub-recognition network and each new sub-recognition network to obtain each recognition result, and weight the each recognition result according to the determined weights corresponding to the original sub-recognition networks and the weights corresponding to the new sub-recognition networks to obtain the recognition result corresponding to the expanded image data; and train the updated pre-trained model with the optimization goal of minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data.

This specification provides a computer-readable storage medium, which stores a computer program. When the computer program is executed by a processor, it implements the above-mentioned model training method based on dynamic defense of mimetic structure.

This specification provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the above-mentioned model training method based on dynamic defense of mimetic structure when executing the program.

At least one of the above technical solutions adopted in this specification can achieve the following beneficial effects:

In the model training method based on dynamic defense of mimetic structure provided in this specification, a pre-trained model is obtained, and the first image used to train the pre-trained model is input into the pre-trained model to obtain the recognition result corresponding to the first image. According to the recognition result corresponding to the first image and the actual label corresponding to the first image, the second image is determined. The second image is input into the pre-trained model to determine the weights corresponding to each sub-recognition network set in the pre-trained model through the weight network layer in the pre-trained model, and the second image is recognized by each sub-recognition network to obtain each recognition result, and each recognition result is weighted according to the weights corresponding to each sub-recognition network determined to obtain the final recognition result, and the pre-trained model is trained with the optimization goal of minimizing the deviation between the final recognition result and the actual label.

It can be seen from the above method that in the model training method based on dynamic defense of mimetic structure provided in this specification, there are multiple sub-recognition networks in the pre-trained model, each sub-recognition network will give different recognition results for the input image data, and the weight network layer will determine which sub-recognition model outputs a more convincing recognition result based on the sample characteristics of the image data, thereby obtaining a more accurate recognition result for the image data input into the pre-trained model. In practical applications, as time goes by, the types of adversarial samples input into the pre-trained model continue to increase, and in this specification, as a large number of samples are input into the model, the model will generate several new sub-recognition networks based on the input samples, and by continuously adding sub-recognition networks and training the pre-trained model, the pre-trained model after training will be more defensive in the field of risk identification.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings described herein are used to provide a further understanding of this specification and constitute a part of this specification. The illustrative embodiments and descriptions of this specification are used to explain this specification and do not constitute an improper limitation on this specification. In the drawings:

FIG1 is a flow chart of a model training method based on dynamic defense of mimicry structure provided in this specification;

FIG2 is a schematic diagram of a training process of a pre-training model provided in this specification;

FIG3 is a schematic diagram of a training process of a pre-training model provided in this specification;

FIG4 is a schematic diagram of a model training device based on dynamic defense of mimicry structure provided in this specification;

FIG. 5 is a schematic diagram of an electronic device provided in this specification corresponding to FIG. 1 .

Detailed ways

In order to make the purpose, technical solutions and advantages of this specification clearer, the technical solutions of this specification will be clearly and completely described below in combination with the specific embodiments of this specification and the corresponding drawings. Obviously, the described embodiments are only part of the embodiments of this specification, not all of the embodiments. Based on the embodiments in this specification, all other embodiments obtained by ordinary technicians in this field without creative work are within the scope of protection of this specification.

The technical solutions provided by the embodiments of this specification are described in detail below in conjunction with the accompanying drawings.

FIG1 is a flow chart of a model training method based on dynamic defense of mimicry structure provided in this specification, which includes the following steps:

S101: Obtain a pre-trained model.

As an important branch of artificial intelligence, deep learning has achieved remarkable results in image recognition, natural language processing, speech recognition and many other fields. At present, when using neural network models to recognize images, their performance in complex environments such as noise, disturbance, and adversarial attacks is often unstable and lacks robustness. In particular, when adversarial samples appear, neural network models cannot accurately recognize images.

Among them, adversarial samples refer to a special type of sample in a machine learning model that makes the model make an error in its judgment of the adversarial sample by adding carefully designed perturbations or interferences to the input data. These samples are usually slightly modified based on the training data so that the modified samples produce the expected wrong judgment in the model. The existence of adversarial samples may have a serious impact on the performance of machine learning models, causing the model to be unable to correctly classify or identify data in some cases. Therefore, under adversarial attacks, the accuracy and stability of the model may be seriously affected. The creation of adversarial samples usually requires certain skills and knowledge in order to correctly design and create perturbations or interferences that can deceive the model. Methods for creating adversarial samples include but are not limited to adding noise, changing the color or brightness of an image, and modifying the grammar or semantics of a text.

In addition, as time goes by, more and more adversarial samples appear, and their types vary infinitely. When using traditional training methods to train neural network models, the neural network models may cause catastrophic forgetting problems, resulting in inaccurate image recognition results.

Based on this, the present specification provides a model training method based on dynamic defense of mimetic structure, obtains a pre-trained model, inputs the first image used to train the pre-trained model into the pre-trained model, and obtains the recognition result corresponding to the first image. According to the recognition result corresponding to the first image and the actual label corresponding to the first image, the gradient information corresponding to the first image is determined, and interference data is generated according to the reverse gradient direction of the gradient direction corresponding to the gradient information, and then the interference data is added to the first image to obtain the second image. The second image is input into the pre-trained model to determine the weights corresponding to each sub-recognition network set in the pre-trained model through the weight network layer in the pre-trained model, and the second image is recognized by each sub-recognition network to obtain each recognition result, and each recognition result is weighted according to the weights corresponding to each sub-recognition network determined to obtain the final recognition result, and the pre-trained model is trained with the optimization goal of minimizing the deviation between the final recognition result and the actual label.

This training method can improve the robustness of the neural network model and make the neural network model more secure and reliable when facing adversarial samples. Compared with traditional training methods, it improves the accuracy of the neural network model to obtain recognition results that are closer to the real label.

In this specification, the execution entity for implementing a model training method based on dynamic defense of mimetic structure can be a terminal device such as a laptop computer, a tablet computer, or, of course, a server. For the sake of ease of description, this specification only takes the server as an execution entity as an example to illustrate a model training method based on dynamic defense of mimetic structure provided in this specification.

In this specification, the server first obtains a pre-trained model, where the pre-trained model includes a weight network layer and one or more sub-recognition networks, wherein the weight network layer gives corresponding weights for each sub-recognition network, and the sub-recognition network gives recognition results for the input image data respectively.

S102: Inputting a first image used for training the pre-training model into the pre-training model to obtain a recognition result corresponding to the first image.

The server can input the first image into the sub-recognition network corresponding to the first image in the pre-trained model to train the sub-recognition network corresponding to the first image in the pre-trained model, wherein the first image can be of multiple types, for example, ordinary image data and difficult image data.

Among them, ordinary images refer to normal images with higher clarity, and difficult images include various situations, such as blurred images, incomplete image subjects, unclear image subjects, tilted and flipped images, etc.

Difficult image data can be generated by damaging ordinary image data through an algorithm. For example, performing noise processing on the image, such as Gaussian noise, shot noise, impulse noise, etc.; performing blur processing on the image, such as defocus blur, frosted glass blur, motion blur, zoom blur, etc.; adding weather factors to the image, such as snow, frost, fog, etc.; adjusting the digital category of the image, such as brightness, contrast, plasticity, pixelation, and JPEG.

Furthermore, the first image is input into the pre-trained model to obtain a recognition result corresponding to the first image.

S103: Determine gradient information corresponding to the first image according to a recognition result corresponding to the first image and an actual label corresponding to the first image.

The server inputs the first image into the pre-trained model, obtains the recognition result corresponding to the first image, and then calculates the loss function. Here, the cross entropy loss is used to calculate the loss value, which can be expressed as:

Among them, the input of the pre-trained model is , the output is a pair/> The image recognition result is denoted as /> ,/> represents the i-th category of the true label,/> is the probability of the i-th category in the image recognition results output by the pre-trained model.

Furthermore, the loss function with respect to the input The gradient of is calculated, and the formula can be expressed as:

in, For/> The corresponding gradient information, /> For/> The corresponding recognition result, /> Yes/> The corresponding true label.

S104: Generate interference data according to a reverse gradient direction of a gradient direction corresponding to the gradient information.

In this specification, the server is based on The gradient information corresponds to the reverse gradient direction of the gradient direction, generating interference data for the input / > Generate disturbance, which can be expressed as:

in, is the generated interference data, /> is the disturbance coefficient, /> The larger the value, the higher the disturbance level. is a symbolic function, by calculating the loss function with respect to the input/> Gradient information, use /> The sign function converts it into the direction of the reverse gradient, which can generate interference data pointing in the direction of increasing loss, thereby achieving the purpose of adversarial attack.

S105: Add the interference data to the first image to obtain a second image.

The server adds the generated interference data to the first image to obtain the second image, which can be expressed as:

in, Add the perturbed image data to x input into the pre-trained model, that is, The second image is obtained by adding interference data to the first image.

S106: Input the second image into the pre-trained model to determine the weights corresponding to each sub-recognition network set in the pre-trained model through the weight network layer in the pre-trained model, and recognize the second image through each sub-recognition network to obtain each recognition result, and weight the each recognition result according to the determined weights corresponding to each sub-recognition network to obtain the final recognition result.

The pre-trained model includes a weighted network layer and sub-recognition networks, wherein each sub-recognition network includes a first sub-recognition network and a second sub-recognition network. The first sub-recognition network is used to recognize the image input into the first sub-recognition network by using the learned recognition rules for recognizing the first image, and the second sub-recognition network is used to recognize the image input into the second sub-recognition network by using the learned recognition rules for recognizing the second image.

The server inputs the second image into the pre-trained model. At this time, the second image passes through the weight network layer in the pre-trained model to obtain the weights corresponding to each sub-recognition network set in the pre-trained model. The second image is input into each sub-recognition network in the pre-trained model respectively, so that each sub-recognition network recognizes the second image respectively to obtain each recognition result, and each recognition result is weighted according to the weights corresponding to each sub-recognition network determined to obtain the final recognition result.

It should be noted that the second sub-recognition network in the pre-trained model may be a fully initialized sub-recognition network, which is subsequently trained by the model training method mentioned in S107. Alternatively, the server inputs the second image into the second sub-recognition network of the pre-trained model, trains the second sub-recognition network, so that the second sub-recognition network can recognize the image input into the second sub-recognition network through the learned recognition rules for recognizing the second image, and then deploys the trained second sub-recognition network into the pre-trained model, and further trains it by the model training method mentioned in S107.

In this specification, when the server uses the first image to train the first sub-recognition network and uses the second image to train the second sub-recognition network, a small amount of the second image can also be added to the first image. Similarly, a small amount of the first image can be added to the second image. This can enhance the generalization ability of each sub-recognition network itself and reduce overfitting.

S107: The pre-training model is trained with the optimization goal of minimizing the deviation between the final recognition result and the actual label.

In this specification, when the server inputs the second image into the pre-trained model and trains the pre-trained model, two training methods are provided. One method is to train the pre-trained model with minimizing the deviation between the final recognition result and the actual label as the optimization goal, and update the parameters of the weight network layer and the first sub-recognition network and the second sub-recognition network in the pre-trained model, that is, this method emphasizes that during the training process, the parameters of all network layers must be adjusted;

Another way is to fix the network parameters of the first sub-recognition network in the pre-trained model, and adjust the network parameters in the second sub-recognition network and the network parameters in the weight network layer with the optimization goal of minimizing the deviation between the final recognition result and the actual label. That is, the network parameters of the trained first sub-recognition network do not need to be adjusted, and only the parameters in the second sub-recognition network and the weight network layer are adjusted. The first sub-recognition network in the pre-trained model has already learned the recognition rules for the first image in advance, that is, the server uses the first image to train the first sub-recognition network separately in advance, and adjusts its network parameters according to the recognition result of the first sub-recognition network so that it has the recognition ability for the first image. Therefore, during the training process of the pre-trained model, the network parameters of the first sub-recognition network can be fixed, and only the network parameters in the second sub-recognition network and the network parameters in the weight network layer are adjusted.

In addition, when the server monitors that the pre-trained model obtains image data that does not match the type of image data used to train the pre-trained model, specifically, during a certain period of time, the server monitors that the accuracy of the recognition results corresponding to the image data input into the pre-trained model during this period is significantly reduced, then, it can be considered that the type of image data input into the pre-trained model during this period is different from the type of image data previously input into the pre-trained model, so it is necessary to train the pre-trained model based on the image data input into the pre-trained model during this period. Furthermore, the server generates several new sub-recognition networks, deploys the new sub-recognition networks into the pre-trained model, and according to the new sub-recognition networks, dimensionally expands the weight network layer to obtain an updated pre-trained model.

The server will obtain image data that does not match the type of image data used to train the pre-trained model and the original image data as expanded image data and input them into the updated pre-trained model. That is to say, after the server obtains image data that does not match the type of image data used to train the pre-trained model, it needs to fuse the image data that does not match the type of image data used to train the pre-trained model and the original image data to form a sample set. The image data in this sample set is the expanded image data, and the expanded image data is input into the updated pre-trained model, wherein the original image data may include a first image and a second image. The image data that does not match the type of image data used to train the pre-trained model and the original image data are input into the updated pre-trained model together, and then the pre-trained model is trained. This method can prevent the new sub-recognition network in the pre-trained model from overfitting, and can also prevent the original sub-recognition network in the pre-trained model from shifting too much when updating the network parameters to a certain extent.

Furthermore, the weights corresponding to the original sub-recognition networks and the weights corresponding to the new sub-recognition networks are determined through the weight network layer in the updated pre-trained model, and the expanded image data is recognized through each original sub-recognition network and each new sub-recognition network to obtain each recognition result, and each recognition result is weighted according to the determined weights corresponding to the original sub-recognition networks and the weights corresponding to the new sub-recognition networks to obtain the recognition result corresponding to the expanded image data. Then, the server trains the updated pre-trained model with the optimization goal of minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data.

There are also two training methods for the pre-trained model here. One is to minimize the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data as the optimization goal, train the updated pre-trained model, and update all network parameters of the weight network layer in the pre-trained model and the network parameters of each sub-recognition network, as shown in Figure 2.

FIG2 is a schematic diagram of a training process of a pre-training model provided in this specification.

The shaded part in Figure 2 represents the part involved in the training, that is, in the first training method provided in this specification, all network parameters of the weight network layer in the pre-trained model and the network parameters of each sub-recognition network can be updated to obtain a more integrated weight network layer and each sub-recognition network, thereby making the pre-trained model more accurate.

The other is to fix the network parameters of the original sub-recognition networks in the pre-trained model and the network parameters corresponding to the dimensions of the original sub-recognition networks in the weight network layer, and take minimizing the deviation between the recognition results corresponding to the expanded image data and the actual labels corresponding to the expanded image data as the optimization goal, and adjust the network parameters in each new sub-recognition network and the network parameters corresponding to the expanded dimensions of each new sub-recognition network in the weight network layer, as shown in Figure 3.

FIG3 is a schematic diagram of a training process of a pre-training model provided in this specification.

The shaded part in Figure 3 represents the part involved in the training, that is, in the second training method provided in this specification, the network parameters involved in the training process include the network parameters in each new sub-recognition network and the network parameters corresponding to the extended dimensions of each new sub-recognition network in the weight network layer. This method can reduce the training pressure of the model, only adjust a part of the parameters in the pre-trained model, and reduce the problem of catastrophic forgetting in the pre-trained model.

In the first training method, because the network parameters in each sub-recognition network and all network parameters in the weight network layer are adjusted, in order to make the model training effect better, the server can calculate the loss function of the two parts to obtain two loss values, and then obtain the total loss value based on these two loss values.

Specifically, for the Nth round of training, the server obtains a first loss value according to the deviation between the recognition result corresponding to the expanded image data obtained in the Nth round of training and the actual label corresponding to the expanded image data, which can be specifically expressed as:

in, is the first loss value, n represents the number of sub-recognition networks, /> Represents the weight value output by the weight network layer for the i-th sub-recognition network, where,/> It is through/> The value after the function is processed, thus ensuring/> . /> The function processing process can be specifically expressed as:

Furthermore, since the original sub-recognition network in the pre-trained model may be a sub-recognition network that has been trained, in order to prevent the pre-trained model trained in the Nth round from deviating too far from the network parameters in the pre-trained model before training, causing catastrophic forgetting, the second loss value is calculated.

Specifically, for each original sub-recognition network, the server determines the second loss value corresponding to the original sub-recognition network according to the deviation between the recognition result obtained by the original sub-recognition network in the pre-training model for the expanded image data before training and the recognition result obtained by the original sub-recognition network in the pre-training model after the N-1th round of training for the expanded image data. The second loss value can be specifically expressed as:

in, It indicates the recognition results obtained by each original sub-recognition network in the pre-training model for the expanded image data. It represents the recognition results obtained by each original sub-recognition network in the pre-training model for the expanded image data after the N-1th round of training. Specifically, the specific calculation formula of JS divergence is:

Among them, M represents the average distribution of P and Q, and the specific calculation formula is:

and Represents KL divergence, which is calculated as:

Furthermore, the server can obtain the second loss value through the above formula, and then obtain the total loss value according to the first loss value and the second loss value, which can be specifically expressed as:

in, Represents the tempering factor, which is used to control the forgetting ratio of the sub-recognition network. The server trains the pre-trained model for the Nth round with the optimization goal of minimizing the total loss value.

It should be noted that when the server detects that the image data obtained does not match the type of image data used to train the pre-trained model, it generates several new sub-recognition networks. However, when a large number of new sub-recognition networks are generated, the image data that does not match the type of image data used to train the pre-trained model and the original image data are input into all sub-recognition networks as expanded image data, which will increase the amount of calculation of the pre-trained model. Therefore, when the number of sub-recognition networks is large, The weights of each sub-recognition network processed by the function are carried out/> Sampling, if the weight of the sub-recognition network is within the first k, it is retained, otherwise, the weight of the sub-recognition network is directly set to negative infinity.

The above formula also needs to be Function processing, for non/> Part, because the weight corresponding to the sub-recognition network is negative infinity, so after /> After the function is processed, the weight corresponding to the sub-recognition network will be set to 0, which can effectively reduce the amount of calculation. For example, in /> Sampling /> , only the sub-recognition networks whose weight values are in the top 3 are retained. The server inputs the expanded image data into the three retained sub-recognition networks respectively, and weights the three recognition results according to the weights corresponding to the three sub-recognition networks to obtain the recognition result corresponding to the expanded image data.

In this specification, a second image is obtained through the recognition result corresponding to the first image and the actual label corresponding to the first image, and then the second image is input into a pre-trained model, and the network parameters in the pre-trained model are adjusted and updated to obtain a more accurate recognition result.

When the server detects that the type of image data input into the pre-trained model does not match the type of image data used by the pre-trained model, it can generate several new sub-recognition networks to increase the adaptability of the pre-trained model to the environment, thereby achieving good recognition results for a variety of image data.

In addition, during the training process of the pre-trained model, two training methods are also provided. One is to adjust the network parameters of the weight network layer and each sub-recognition network in the pre-trained model. This method can achieve a deep fusion of the weight network layer and each sub-recognition network in the pre-trained model to obtain a pre-trained model with higher accuracy.

The other is to fix the network parameters of the original sub-recognition networks in the pre-trained model and the network parameters corresponding to the dimensions of the original sub-recognition networks in the weight network layer, and only adjust the network parameters in each new sub-recognition network and the network parameters corresponding to the extended dimensions of each new sub-recognition network in the weight network layer. This method can retain the previous training effects and prevent catastrophic forgetting.

These two methods are suitable for different scenarios. In practical applications, the pre-trained model needs to be trained according to different situations. You can also choose the correct training method according to the input image data to obtain a more accurate pre-trained model.

The method provided in this specification can be applied to a variety of image recognition scenarios, especially in the field of risk identification. For example, in the field of face recognition, the collected face images can be used to determine whether the user has business risks. The method provided in this specification can be applied in the above-mentioned fields. It can be seen from this specification that as the types of adversarial samples increase, sub-recognition networks are automatically added, and the network parameters of each sub-recognition network and weight network layer are adjusted through the above-mentioned training method, so that accurate recognition results can be obtained. Therefore, although the types of risks gradually increase over time, the method provided in this specification can train the pre-trained model according to the sample characteristics of the image data, so that the pre-trained model can learn sub-recognition networks for new risks, realizing the process of dynamic defense of the model.

In order to further describe the method provided in this specification, a network structure of a pre-trained model is provided here, which includes three sub-recognition networks: A, B and C. A or B can be a first sub-recognition network obtained through a first image, and C can be a second sub-recognition network obtained through a second image. Among them, A is mainly used to identify ordinary image data, B is mainly used to identify difficult image data, and C is mainly used to identify adversarial image data. A, B and C can all identify three different image data and obtain corresponding results. In the pre-training process of the pre-trained model, ordinary image data, difficult image data and adversarial image data are used to train A, B and C separately, and the trained A, B and C are deployed to the pre-trained model, and a weight network layer is set in the pre-trained model, and then the pre-trained model is trained so that the weight network layer and the three sub-recognition networks can learn each other's learning characteristics, so that the pre-trained model can obtain more reasonable recognition results according to the input of different image data. At the same time, under the action of the weight network layer, the recognition results of the three sub-recognition networks are fused, so that the final recognition result obtained is more accurate, and the dynamic defense process is realized.

The above is one or more implementations of the model training method based on dynamic defense of mimetic structure in this specification. Based on the same idea, this specification also provides a corresponding model training device based on dynamic defense of mimetic structure, as shown in FIG4 .

FIG4 is a schematic diagram of a model training device based on dynamic defense of mimicry structure provided in this specification, including:

An acquisition module 401 is used to acquire a pre-trained model;

A generating module 402 is used to input the first image used for training the pre-trained model into the pre-trained model to obtain a recognition result corresponding to the first image; determine the gradient information corresponding to the first image according to the recognition result corresponding to the first image and the actual label corresponding to the first image; generate interference data according to the reverse gradient direction of the gradient direction corresponding to the gradient information; and add the interference data to the first image to obtain a second image;

A weighting module 403 is used to input the second image into the pre-trained model, determine the weights corresponding to the sub-recognition networks set in the pre-trained model through the weight network layer in the pre-trained model, and recognize the second image through each sub-recognition network to obtain each recognition result, and weight the recognition results according to the determined weights corresponding to the sub-recognition networks to obtain a final recognition result;

The training module 404 is used to train the pre-training model with minimizing the deviation between the final recognition result and the actual label as the optimization goal.

Optionally, each of the sub-recognition networks includes a first sub-recognition network and a second sub-recognition network, the first sub-recognition network is used to recognize an image input into the first sub-recognition network by using a learned recognition rule for recognizing a first image, and the second sub-recognition network is used to recognize an image input into the second sub-recognition network by using a learned recognition rule for recognizing a second image;

The training module 404 is specifically used to fix the network parameters of the first sub-recognition network in the pre-trained model, and adjust the network parameters in the second sub-recognition network and the network parameters in the weight network layer with the optimization goal of minimizing the deviation between the final recognition result and the actual label.

Optionally, the training module 404 is also used to, when it is monitored that image data of a type inconsistent with the image data used for training the pre-trained model is obtained, generate several new sub-recognition networks, deploy the new sub-recognition networks into the pre-trained model, and according to the new sub-recognition networks, dimensionally expand the weight network layer to obtain an updated pre-trained model; input the image data of a type inconsistent with the image data used for training the pre-trained model and the original image data as expanded image data into the updated pre-trained model, so as to pass through the weight network layer in the updated pre-trained model, Determine the weights corresponding to the original sub-recognition networks and the weights corresponding to the new sub-recognition networks, and respectively recognize the expanded image data through each original sub-recognition network and each new sub-recognition network to obtain each recognition result, and weight the recognition results according to the determined weights corresponding to the original sub-recognition networks and the weights corresponding to the new sub-recognition networks to obtain the recognition result corresponding to the expanded image data; train the updated pre-trained model with the optimization goal of minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data.

Optionally, the training module 404 is specifically used to fix the network parameters of the original sub-recognition networks in the pre-trained model and the network parameters corresponding to the dimensions of the original sub-recognition networks in the weight network layer; and adjust the network parameters in the new sub-recognition networks and the network parameters corresponding to the expanded dimensions of the new sub-recognition networks in the weight network layer with the optimization goal of minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data.

Optionally, the training module 404 is specifically used to obtain a first loss value for the Nth round of training based on the deviation between the recognition result corresponding to the expanded image data obtained in the Nth round of training and the actual label corresponding to the expanded image data; for each original sub-recognition network, determine a second loss value corresponding to the original sub-recognition network based on the deviation between the recognition result obtained by the original sub-recognition network in the pre-training model for the expanded image data before training and the recognition result obtained by the original sub-recognition network in the pre-training model for the expanded image data after the N-1th round of training; obtain a total loss value based on the first loss value and the second loss value, and perform the Nth round of training on the pre-trained model by minimizing the total loss value as the optimization target.

This specification also provides a computer-readable storage medium, which stores a computer program. The computer program can be used to execute a model training method based on dynamic defense of mimicry structure provided in FIG. 1 above.

This specification also provides a schematic structural diagram of an electronic device corresponding to Figure 1, as shown in Figure 5. As shown in Figure 5, at the hardware level, the electronic device includes a processor, an internal bus, a network interface, a memory, and a non-volatile memory, and of course may also include hardware required for other services. The processor reads the corresponding computer program from the non-volatile memory into the memory and then runs it to implement the model training method based on dynamic defense of mimetic structure described in Figure 1 above. Of course, in addition to software implementation methods, this specification does not exclude other implementation methods, such as logic devices or a combination of software and hardware, etc., that is to say, the execution subject of the following processing flow is not limited to each logic unit, but can also be hardware or logic devices.

For the improvement of a technology, it can be clearly distinguished whether it is a hardware improvement (for example, improvement of the circuit structure of diodes, transistors, switches, etc.) or a software improvement (improvement of the method flow). However, with the development of technology, many improvements of the method flow today can be regarded as direct improvements of the hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into the hardware circuit. Therefore, it cannot be said that the improvement of a method flow cannot be implemented with a hardware entity module. For example, a programmable logic device (PLD) (such as a field programmable gate array (FPGA)) is such an integrated circuit whose logical function is determined by the user's programming of the device. Designers can "integrate" a digital system on a PLD by programming themselves, without having to ask chip manufacturers to design and make dedicated integrated circuit chips. Moreover, nowadays, instead of manually making integrated circuit chips, this kind of programming is mostly implemented by "logic compiler" software, which is similar to the software compiler used when developing and writing programs, and the original code before compilation must also be written in a specific programming language, which is called hardware description language (HDL). There is not only one kind of HDL, but many kinds, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, RHDL (Ruby Hardware Description Language), etc. The most commonly used ones are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art should also know that it is only necessary to program the method flow slightly in the above-mentioned hardware description languages and program it into the integrated circuit, and then it is easy to obtain the hardware circuit that implements the logic method flow.

The controller may be implemented in any suitable manner, for example, the controller may take the form of a microprocessor or processor and a computer-readable medium storing a computer-readable program code (e.g., software or firmware) executable by the (micro)processor, a logic gate, a switch, an application-specific integrated circuit (ASIC), a programmable logic controller, and an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicone Labs C8051F320. The memory controller may also be implemented as part of the control logic of the memory. It is also known to those skilled in the art that, in addition to implementing the controller in a purely computer-readable program code manner, the controller may be implemented in the form of a logic gate, a switch, an application-specific integrated circuit, a programmable logic controller, and an embedded microcontroller by logically programming the method steps. Therefore, such a controller may be considered as a hardware component, and the devices for implementing various functions included therein may also be considered as structures within the hardware component. Or even, the devices for implementing various functions may be considered as both software modules for implementing the method and structures within the hardware component.

The systems, devices, modules or units described in the above embodiments may be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer. Specifically, the computer may be, for example, a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.

For the convenience of description, the above device is described in various units according to their functions. Of course, when implementing this specification, the functions of each unit can be implemented in the same or multiple software and/or hardware.

Those skilled in the art will appreciate that the embodiments of this specification may be provided as methods, systems, or computer program products. Therefore, this specification may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

This specification is described with reference to the flowcharts and/or block diagrams of the methods, devices (systems), and computer program products according to the embodiments of this specification. It should be understood that each process and/or box in the flowchart and/or block diagram, as well as the combination of the processes and/or boxes in the flowchart and/or block diagram, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce a manufactured product including an instruction device that implements the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.

In a typical configuration, a computing device includes one or more processors (CPU), input/output interfaces, network interfaces, and memory.

The memory may include non-permanent storage in a computer-readable medium, random access memory (RAM) and/or non-volatile memory in the form of read-only memory (ROM) or flash RAM. The memory is an example of a computer-readable medium.

Computer readable media include permanent and non-permanent, removable and non-removable media that can be implemented by any method or technology to store information. Information can be computer readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disk read-only memory (CD-ROM), digital versatile disk (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices or any other non-transmission media that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include temporary computer readable media (transitory media), such as modulated data signals and carrier waves.

It should also be noted that the terms "include", "comprises" or any other variations thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or device including a series of elements includes not only those elements, but also other elements not explicitly listed, or also includes elements inherent to such process, method, commodity or device. In the absence of more restrictions, the elements defined by the sentence "comprises a ..." do not exclude the existence of other identical elements in the process, method, commodity or device including the elements.

Those skilled in the art will appreciate that the embodiments of this specification may be provided as methods, systems or computer program products. Therefore, this specification may take the form of a complete hardware embodiment, a complete software embodiment or an embodiment combining software and hardware. Moreover, this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

This specification may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types. This specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in local and remote computer storage media, including storage devices.

Each embodiment in this specification is described in a progressive manner, and the same or similar parts between the embodiments can be referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, for the system embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant parts can be referred to the partial description of the method embodiment.

The above description is only an embodiment of the present specification and is not intended to limit the present specification. For those skilled in the art, the present specification may have various changes and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present specification shall be included in the scope of the claims of the present specification.

Claims (10)

1. A model training method based on dynamic defense of mimicry structure, characterized by comprising: Get the pre-trained model; Inputting a first image used to train the pre-trained model into the pre-trained model to obtain a recognition result corresponding to the first image; Determining gradient information corresponding to the first image according to a recognition result corresponding to the first image and an actual label corresponding to the first image; Generate interference data according to the reverse gradient direction of the gradient direction corresponding to the gradient information, wherein the direction of the gradient information is converted into the reverse gradient direction by a preset function, and the interference data is generated according to the converted gradient information and a preset perturbation coefficient, wherein the larger the perturbation coefficient, the higher the degree of perturbation to the converted gradient information; adding the interference data to the first image to obtain a second image; Inputting the second image into the pre-trained model, determining the weights corresponding to the sub-recognition networks set in the pre-trained model through the weight network layer in the pre-trained model, and respectively recognizing the second image through each sub-recognition network to obtain each recognition result, and weighting each recognition result according to the determined weights corresponding to each sub-recognition network to obtain a final recognition result; The pre-training model is trained with the optimization goal of minimizing the deviation between the final recognition result and the actual label. 2. The method according to claim 1, wherein each of the sub-recognition networks comprises a first sub-recognition network and a second sub-recognition network, wherein the first sub-recognition network is used to recognize an image input into the first sub-recognition network by using a learned recognition rule for recognizing a first image, and the second sub-recognition network is used to recognize an image input into the second sub-recognition network by using a learned recognition rule for recognizing a second image; The pre-training model is trained with minimizing the deviation between the final recognition result and the actual label as the optimization goal, specifically including: The network parameters of the first sub-recognition network in the pre-trained model are fixed, and the network parameters in the second sub-recognition network and the network parameters in the weight network layer are adjusted with the optimization goal of minimizing the deviation between the final recognition result and the actual label. 3. The method according to claim 1, characterized in that the method further comprises: When it is monitored that image data that does not match the type of image data used to train the pre-trained model is obtained, a number of new sub-recognition networks are generated, and the new sub-recognition networks are deployed to the pre-trained model, and the weight network layer is dimensionally expanded according to the new sub-recognition networks to obtain an updated pre-trained model; Inputting the acquired image data that does not conform to the type of image data used to train the pre-trained model and the original image data as expanded image data into the updated pre-trained model, so as to determine the weights corresponding to the original sub-recognition networks and the weights corresponding to the new sub-recognition networks through the weight network layer in the updated pre-trained model, and respectively recognize the expanded image data through each original sub-recognition network and each new sub-recognition network to obtain each recognition result, and weighting the recognition results according to the determined weights corresponding to the original sub-recognition networks and the weights corresponding to the new sub-recognition networks to obtain the recognition result corresponding to the expanded image data; The updated pre-trained model is trained with the optimization goal of minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data. 4. The method according to claim 3, characterized in that the updated pre-trained model is trained with minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data as the optimization goal, specifically comprising: Fixing the network parameters of the original sub-recognition networks in the pre-trained model and the network parameters corresponding to the dimensions of the original sub-recognition networks in the weight network layer; With minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data as the optimization goal, the network parameters in each new sub-recognition network and the network parameters corresponding to the expanded dimension of each new sub-recognition network in the weight network layer are adjusted. 5. The method according to claim 3, characterized in that the updated pre-trained model is trained with minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data as the optimization goal, specifically comprising: For the Nth round of training, a first loss value is obtained according to a deviation between a recognition result corresponding to the expanded image data obtained in the Nth round of training and an actual label corresponding to the expanded image data; For each original sub-recognition network, determine a second loss value corresponding to the original sub-recognition network according to a deviation between a recognition result obtained by the original sub-recognition network in the pre-training model for the expanded image data before training and a recognition result obtained by the original sub-recognition network in the pre-training model for the expanded image data after the N-1th round of training; A total loss value is obtained according to the first loss value and the second loss value, and the pre-trained model is trained for an Nth round by minimizing the total loss value as an optimization target. 6. A model training device based on dynamic defense of mimicry structure, characterized by comprising: Acquisition module, used to obtain pre-trained models; A generation module, used to input the first image used to train the pre-trained model into the pre-trained model to obtain a recognition result corresponding to the first image; determine the gradient information corresponding to the first image according to the recognition result corresponding to the first image and the actual label corresponding to the first image; generate interference data according to the reverse gradient direction of the gradient direction corresponding to the gradient information, wherein the direction of the gradient information is converted into the reverse gradient direction by a preset function, and the interference data is generated according to the converted gradient information and a preset perturbation coefficient, wherein the larger the perturbation coefficient, the higher the degree of perturbation to the converted gradient information; and add the interference data to the first image to obtain a second image; A weighting module, used for inputting the second image into the pre-trained model, determining the weights corresponding to the sub-recognition networks set in the pre-trained model through the weight network layer in the pre-trained model, and respectively recognizing the second image through each sub-recognition network to obtain each recognition result, and weighting each recognition result according to the determined weights corresponding to each sub-recognition network to obtain a final recognition result; The training module is used to train the pre-training model with the optimization goal of minimizing the deviation between the final recognition result and the actual label. 7. The device according to claim 6, characterized in that each of the sub-recognition networks includes a first sub-recognition network and a second sub-recognition network, the first sub-recognition network is used to recognize the image input to the first sub-recognition network by using the learned recognition rule for recognizing the first image, and the second sub-recognition network is used to recognize the image input to the second sub-recognition network by using the learned recognition rule for recognizing the second image; The training module is specifically used to fix the network parameters of the first sub-recognition network in the pre-trained model, and adjust the network parameters in the second sub-recognition network and the network parameters in the weight network layer with the optimization goal of minimizing the deviation between the final recognition result and the actual label. 8. The device as described in claim 6 is characterized in that the training module is also used to, when monitoring the acquisition of image data that does not match the type of image data used to train the pre-trained model, generate a number of new sub-recognition networks, deploy the new sub-recognition networks into the pre-trained model, and according to the new sub-recognition networks, perform dimension expansion on the weight network layer to obtain an updated pre-trained model; input the image data that does not match the type of image data used to train the pre-trained model and the original image data as expanded image data into the updated pre-trained model, so as to obtain the updated pre-trained model through the updated pre-trained model. The weight network layer is used to determine the weights corresponding to the original sub-recognition networks and the weights corresponding to the new sub-recognition networks, and the expanded image data is recognized by each original sub-recognition network and each new sub-recognition network, respectively, to obtain each recognition result, and the recognition results are weighted according to the determined weights corresponding to the original sub-recognition networks and the weights corresponding to the new sub-recognition networks to obtain the recognition result corresponding to the expanded image data; the updated pre-training model is trained with the optimization goal of minimizing the deviation between the recognition result corresponding to the expanded image data and the actual label corresponding to the expanded image data. 9. A computer-readable storage medium, characterized in that the storage medium stores a computer program, and when the computer program is executed by a processor, the method according to any one of claims 1 to 5 is implemented. 10. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method described in any one of claims 1 to 5 when executing the program.