Adversarial Example Generation Based on Particle Swarm Optimization
-
摘要: 随着机器学习被广泛的应用,其安全脆弱性问题也突显出来。该文提出一种基于粒子群优化(PSO)的对抗样本生成算法,揭示支持向量机(SVM)可能存在的安全隐患。主要采用的攻击策略是篡改测试样本,生成对抗样本,达到欺骗SVM分类器,使其性能失效的目的。为此,结合SVM在高维特征空间的线性可分的特点,采用PSO方法寻找攻击显著性特征,再利用均分方法逆映射回原始输入空间,构建对抗样本。该方法充分利用了特征空间上线性模型上易寻优的特点,同时又利用了原始输入空间篡改数据的可解释性优点,使原本难解的优化问题得到实现。该文对2个公开数据集进行实验,实验结果表明,该方法通过不超过7%的小扰动量生成的对抗样本均能使SVM分类器失效,由此证明了SVM存在明显的安全脆弱性。Abstract: As machine learning is widely applied to various domains, its security vulnerability is also highlighted. A PSO (Particle Swarm Optimization) based adversarial example generation algorithm is proposed to reveal the potential security risks of Support Vector Machine (SVM). The adversarial examples, generated by slightly crafting the legitimate samples, can mislead SVM classifier to give wrong classification results. Using the linear separable property of SVM in high-dimensional feature space, PSO is used to find the salient features, and then the average method is used to map back to the original input space to construct the adversarial example. This method makes full use of the easily finding salient features of linear models in the feature space, and the interpretable advantages of the original input space. Experimental results show that the proposed method can fool SVM classifier by using the adversarial example generated by less than 7 % small perturbation, thus proving that SVM has obvious security vulnerability.
-
表 1 粒子群寻优(PSO)算法
输入:$A$ //特征子集 输出:$B$ //显著性特征 (1) $d = \left| A \right|, B = \phi $ //$A = ({a^{(1)}}, {a^{(2)}}, ·\!·\!· , {a^{(d)}})$ (2) FOR $ i \leftarrow 1, 2, ·\!·\!· , N $ DO (3) ${{\text{s}}_i} \leftarrow {\rm rand}(d), {{\text{v}}_i} \leftarrow {\rm rand}(d)$ //初始化$N$个粒子的位置和
速度(4) ${{\text{p}}_i} \leftarrow {{\text{s}}_i}$ //${{\text{p}}_i}$为第$i$个粒子的当前最佳位置 (5) END FOR
(6) ${{\text{p}}_g} \leftarrow {{\text{p}}_j}$,其中$j \leftarrow \arg {{\rm max}_i} \;{\rm{fit}}({{\text{p}}_i}), i = 1, 2, ·\!·\!· , N$ //${{\text{p}}_g}$为所有
粒子的当前最佳位置(7) FOR $ k \leftarrow 1, 2, ·\!·\!· , M $ DO //$M$为迭代次数 (8) FOR $i \leftarrow 1, 2, ·\!·\!· , N$ DO
(9) $\begin{gathered} {{\text{v}}_{i + 1}} \leftarrow {{\text{v}}_i} + {c_1}{r_1}({{\text{p}}_i} - {{\text{s}}_i}) \\ \quad\ \ + {c_2}{r_2}({{\text{p}}_g} - {{\text{s}}_i}) \\ \end{gathered} $(10) ${{\text{s}}_{i + 1}} \leftarrow {{\text{s}}_i} + {{\text{v}}_{i + 1}}$ (11) IF ${\rm{fit}}({\text{s}}{}_{i + 1}) > {\rm{fit}}({\text{p}}{}_{i + 1}) $ THEN (12) ${{\text{p}}_i} \leftarrow {{\text{s}}_{i + 1}}$ (13) END IF (14) END FOR (15) ${{\text{p}}_g} \leftarrow {{\text{p}}_j}$ 其中$j \leftarrow \arg {{\rm max}_i} \;{\rm{fit}}({{\text{p}}_i})$ (16) END FOR (17) FOR $i \leftarrow 1, 2, ·\!·\!· , d $ DO (18) IF ${{\text{p}}_{{}_{gi}}} > 0.5 $ THEN (19) $B \leftarrow B \cup \{ {a^{(i)}}\} $ //${a^{(i)}}$是${{\text{p}}_{{}_{gi}}}$对应的特征 (20) END IF (21) END FOR (22) RETURN $B$ 
下载: 导出CSV
表 2 输入空间扰动算法
输入:$A$ //${\text{w}}$从大到小排序后对应的特征 $B$ //显著性特征 ${{\text{X}}_0}$ //原始样本 输出:$\Delta {\text{X}} $ //对抗样本的扰动 (1) $N = \left| B \right|, \Delta {\text{X}} = {\text{0}}$ //$N$为$B$的特征数,$\Delta {\text{X}} $的大小与${{\text{X}}_0}$相
同,且所有特征的初始值为0(2) FOR $ i \leftarrow 1, 2, ·\!·\!· , N$ DO (3) $k \leftarrow {\rm index}({b^{(i)}})$ //$k$为$B = ({b^{(1)}}, {b^{(2)}}, ·\!·\!· , {b^{(n)}})$在特征空
间的特征索引(4) $I \leftarrow {\rm component}(k)$ // $I$为特征空间的第$k$个特征对应
的“输入空间特征集”(5) $\sigma \leftarrow \delta (\theta , \lambda , I, {{\text{X}}_0})$//$\delta ( \cdot )$由式(11)得到 (6) FOR $j \leftarrow 1, 2, ·\!·\!· , \left| I \right| $ DO (7) $\Delta {\text{X}}(j) \leftarrow \Delta {\text{X}}(j) + \sigma $ (8) END FOR (9) END FOR (10) RETURN $\Delta {\text{X}} $ //对抗样本的扰动
下载: 导出CSV
表 3 测试集中各个手写体的分类准确率(%)
手写体数字 0 1 2 3 4 5 6 7 8 9 准确率 98.88 98.94 95.16 95.74 96.13 92.71 97.18 94.65 93.94 93.76
下载: 导出CSV
表 4 不同扰动量下各类手写体数字的平均分类正确率(%)
手写体数字 扰动前 1%扰动 3%扰动 5%扰动 7%扰动 0 98.88 95.32 75.37 37.44 10.17 1 98.94 96.48 31.93 13.57 1.21 2 95.16 84.54 72.14 64.93 58.65 3 95.74 81.76 67.89 50.22 30.74 4 96.13 92.44 42.98 8.76 0.39 5 92.71 89.38 55.73 18.37 5.65 6 97.18 94.63 70.64 30.58 12.33 7 94.65 91.71 69.87 32.43 17.47 8 94.65 94.13 78.21 35.38 13.58 9 93.94 90.85 52.73 27.64 6.53
下载: 导出CSV
表 5 不同扰动比例下各对象的平均分类正确率(%)
人脸序号 1%扰动 3%扰动 5%扰动 7%扰动 1 95.12 90.02 68.82 38.63 2 87.68 71.13 54.98 29.22 3 91.19 81.57 58.13 29.16 4 89.43 75.27 52.29 21.09 5 90.78 79.27 43.55 26.87 6 87.91 71.62 60.14 21.33 7 83.26 41.12 15.67 8.31 8 92.43 70.22 47.93 29.83 9 91.33 75.71 46.62 28.11 10 94.66 81.73 57.45 30.13 11 82.63 68.20 30.79 10.32 12 98.78 81.17 66.05 37.16 13 72.65 57.27 33.48 6.37 14 85.17 63.33 49.78 7.91 15 97.5 89.85 70.21 29.84
下载: 导出CSV
-
BARRENO M, NELSON B, SEARS R, et al. Can machine learning be secure?[C]. Proceedings of 2006 ACM Symposium on Information, Computer and Communications Security, Taipei, China, 2006: 16–25. doi: 10.1145/1128817.1128824. LI Pan, ZHAO Wentao, LIU Qiang, et al. Security issues and their countermeasuring techniques of machine learning: A survey[J]. Journal of Frontiers of Computer Science & Technology, 2018, 12(2): 171–184. SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing properties of neural networks[EB/OL]. http://arxiv.org/abs/1312.6199v4, 2014. PAPERNOT N, MCDANIEL P, JHA S, et al. The limitations of deep learning in adversarial settings[C]. Proceedings of 2016 IEEE European Symposium on Security and Privacy, Saarbrucken, Germany, 2016: 372–387. doi: 10.1109/EuroSP.2016.36. PAPERNOT N, MCDANIEL P, GOODFELLOW I, et al. Practical black-box attacks against machine learning[EB/OL]. http://arxiv.org/abs/1602.02697v4, 2017. AKHTAR N and MIAN A. Threat of adversarial attacks on deep learning in computer vision: A survey[J]. IEEE Access, 2018, 6: 14410–14430. doi: 10.1109/ACCESS.2018.2807385 CORTES C and VAPNIK V. Support-vector networks[J]. Machine Learning, 1995, 20(3): 273–297. doi: 10.1007/BF00994018 BIGGIO B, NELSON B, and LASKOV P. Support vector machines under adversarial label noise[C]. Proceedings of the 3rd Asian Conference on Machine Learning, Taoyuan, China, 2011, 20: 97–112. BIGGIO B, NELSON B, and LASKOV P. Poisoning attacks against support vector machines[EB/OL]. http://arxiv.org/abs/1206.6389v3, 2013. MEI Shike and ZHU Xiaojin. Using machine teaching to identify optimal training-set attacks on machine learners[C]. Proceedings of the Twenty-Ninth AAAI Conference on Artificial Intelligence, Austin, USA, 2015: 2871–2877. CHEN Zhipeng, TONDI B, LI Xiaolong, et al. A gradient-based pixel-domain attack against SVM detection of global image manipulations[C]. Proceedings of 2017 IEEE Workshop on Information Forensics and Security, Rennes, France, 2017: 1–6. doi: 10.1109/WIFS.2017.8267668. BIGGIO B, CORONA I, MAIORCA D, et al. Evasion attacks against machine learning at test time[EB/OL]. http://arxiv.org/abs/1708.06131, 2013. GOLLAND P. Discriminative direction for kernel classifiers[C]. Proceedings of the 14th International Conference on Neural Information Processing Systems: Natural and Synthetic, Vancouver, British Columbia, Canada, 2001: 745–752. AMRAEE S, VAFAEI A, JAMSHIDI K, et al. Abnormal event detection in crowded scenes using one-class SVM[J]. Signal, Image and Video Processing, 2018, 12(6): 1115–1123. doi: 10.1007/s11760-018-1267-z BENMAHAMED Y, TEGUAR M, and BOUBAKEUR A. Application of SVM and KNN to Duval pentagon 1 for transformer oil diagnosis[J]. IEEE Transactions on Dielectrics and Electrical Insulation, 2017, 24(6): 3443–3451. doi: 10.1109/TDEI.2017.006841 SCHNALL A and HECKMANN M. Feature-space SVM adaptation for speaker adapted word prominence detection[J]. Computer Speech & Language, 2019, 53: 198–216. doi: 10.1016/j.csl.2018.06.001 ZHAO Rui and MAO Kezhi. Semi-random projection for dimensionality reduction and extreme learning machine in high-dimensional space[J]. IEEE Computational Intelligence Magazine, 2015, 10(3): 30–41. doi: 10.1109/MCI.2015.2437316 EBERHART R and KENNEDY J. A new optimizer using particle swarm theory[C]. Proceedings of the Sixth International Symposium on Micro Machine and Human Science, Nagoya, Japan, 2002: 39–43. doi: 10.1109/MHS.1995.494215. SHI Y and EBERHART R. A modified particle swarm optimizer[C]. Proceeding of 1998 IEEE International Conference on Evolutionary Computation, World Congress on Computational Intelligence, Anchorage, USA, 1998: 69–73. doi: 10.1109/ICEC.1998.699146. LIN S W, YING K C, CHEN S C, et al. Particle swarm optimization for parameter determination and feature selection of support vector machines[J]. Expert Systems with Applications, 2008, 35(4): 1817–1824. doi: 10.1016/j.eswa.2007.08.088 LECUN Y, CORTES C, and BURGES C J C. The MNIST database of handwritten digits[EB/OL]. http://yann.lecun.com/exdb/mnist/, 2010. YALE. The Yale face database[OL]. http://cvc.cs.yale.edu/cvc/projects/yalefaces/yalefaces.html, 1997. 何光辉, 唐远炎, 房斌, 等. 图像分割方法在人脸识别中的应用[J]. 计算机工程与应用, 2010, 46(28): 196–198. doi: 10.3778/j.issn.1002-8331.2010.28.055HE Guanghui, TANG Yuanyan, FANG Bin, et al. Image partition method in face recognition[J]. Computer Engineering and Applications, 2010, 46(28): 196–198. doi: 10.3778/j.issn.1002-8331.2010.28.055 -
下载:
图(6) / 表(5)
计量
- 文章访问数: 3813
- HTML全文浏览量: 1104
- PDF下载量: 147
- 被引次数: 0
