Adversarial Example Generation Based on Particle Swarm Optimization
doi: 10.11999/JEIT180777

1. School of Science/School of Big-data Science, Zhejiang University of Science and Technology, Hangzhou 310023, China
2. School of Computer Science, Zhejiang University, Hangzhou 310027, China
3. School of Electronic and Information Engineering, Zhejiang University of Science and Technology, Hangzhou 310023, China
Abstract: As machine learning is applied more widely, its security weaknesses are becoming apparent. This paper proposes an adversarial example generation algorithm based on particle swarm optimization (PSO) that exposes a potential security weakness of the support vector machine (SVM). The attack strategy is to tamper with test samples so that the resulting adversarial examples mislead the SVM classifier and defeat its performance. To this end, the method exploits the fact that the SVM is linear in its high-dimensional feature space: PSO searches that space for the features whose alteration is most effective for the attack (the salient features), and an averaging method then maps the perturbation of those features back into the original input space to build the adversarial example. The approach combines the ease of optimising a linear model in feature space with the interpretability of tampering with data in the input space, which makes an otherwise intractable optimisation problem solvable. Experiments on two public datasets show that adversarial examples generated with a perturbation of no more than 7 % defeat the SVM classifier in every case, demonstrating that SVM has a clear security weakness.
Table 1  Particle swarm optimisation (PSO) for salient-feature search

Input: $A$ // feature subset, $A = (a^{(1)}, a^{(2)}, \cdots, a^{(d)})$
Output: $B$ // salient features
(1) $d = |A|,\ B = \emptyset$
(2) FOR $i \leftarrow 1, 2, \cdots, N$ DO
(3)   $\mathbf{s}_i \leftarrow \mathrm{rand}(d),\ \mathbf{v}_i \leftarrow \mathrm{rand}(d)$ // initialise the position and velocity of the $N$ particles
(4)   $\mathbf{p}_i \leftarrow \mathbf{s}_i$ // $\mathbf{p}_i$ is the best position found so far by particle $i$
(5) END FOR
(6) $\mathbf{p}_g \leftarrow \mathbf{p}_j$, where $j \leftarrow \arg\max_i \mathrm{fit}(\mathbf{p}_i),\ i = 1, 2, \cdots, N$ // $\mathbf{p}_g$ is the best position found so far by any particle
(7) FOR $k \leftarrow 1, 2, \cdots, M$ DO // $M$ is the number of iterations
(8)   FOR $i \leftarrow 1, 2, \cdots, N$ DO
(9)     $\mathbf{v}_i \leftarrow \mathbf{v}_i + c_1 r_1 (\mathbf{p}_i - \mathbf{s}_i) + c_2 r_2 (\mathbf{p}_g - \mathbf{s}_i)$ // $c_1, c_2$ are acceleration constants, $r_1, r_2$ are uniform random numbers in $[0, 1]$
(10)    $\mathbf{s}_i \leftarrow \mathbf{s}_i + \mathbf{v}_i$
(11)    IF $\mathrm{fit}(\mathbf{s}_i) > \mathrm{fit}(\mathbf{p}_i)$ THEN
(12)      $\mathbf{p}_i \leftarrow \mathbf{s}_i$
(13)    END IF
(14)  END FOR
(15)  $\mathbf{p}_g \leftarrow \mathbf{p}_j$, where $j \leftarrow \arg\max_i \mathrm{fit}(\mathbf{p}_i)$
(16) END FOR
(17) FOR $i \leftarrow 1, 2, \cdots, d$ DO
(18)   IF $p_{gi} > 0.5$ THEN
(19)     $B \leftarrow B \cup \{a^{(i)}\}$ // $a^{(i)}$ is the feature corresponding to component $p_{gi}$ of $\mathbf{p}_g$
(20)   END IF
(21) END FOR
(22) RETURN $B$
Table 2  Input-space perturbation

Input: $A$ // features ordered by the corresponding entries of $\mathbf{w}$, largest first
       $B$ // salient features
       $\mathbf{X}_0$ // original sample
Output: $\Delta\mathbf{X}$ // perturbation of the adversarial example
(1) $N = |B|,\ \Delta\mathbf{X} = \mathbf{0}$ // $N$ is the number of features in $B$; $\Delta\mathbf{X}$ has the same size as $\mathbf{X}_0$, with every entry initialised to 0
(2) FOR $i \leftarrow 1, 2, \cdots, N$ DO
(3)   $k \leftarrow \mathrm{index}(b^{(i)})$ // $k$ is the feature-space index of $b^{(i)}$, where $B = (b^{(1)}, b^{(2)}, \cdots, b^{(N)})$
(4)   $I \leftarrow \mathrm{component}(k)$ // $I$ is the set of input-space features that make up feature $k$ of the feature space
(5)   $\sigma \leftarrow \delta(\theta, \lambda, I, \mathbf{X}_0)$ // $\delta(\cdot)$ is given by Eq. (11)
(6)   FOR each $j \in I$ DO
(7)     $\Delta\mathbf{X}(j) \leftarrow \Delta\mathbf{X}(j) + \sigma$
(8)   END FOR
(9) END FOR
(10) RETURN $\Delta\mathbf{X}$ // perturbation of the adversarial example
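The following Python is an added illustration of Tables 1 and 2 working together on a constructed toy model; it is not the paper's code. Everything beyond the two listings is an assumption: the feature-space model is linear, $f(\mathbf{z}) = \mathbf{w}\cdot\mathbf{z} + b$, as an SVM is after its kernel map; the map itself is a group sum, so that $\mathrm{component}(k)$ is simply the index group $I_k$ feeding feature $k$; the fitness rewards the share of $|\mathbf{w}|$ covered by the selected features minus a penalty per feature, standing in for the paper's $\mathrm{fit}(\cdot)$, which is not on the page; $\delta(\theta, \lambda, I, \mathbf{X}_0)$ of Eq. (11) is replaced by the smallest total shift that pushes the decision value past $-\theta$, split equally over $I_k$ (the averaging step); and the perturbation amount is reported as an $L_1$ ratio $\|\Delta\mathbf{X}\|_1 / \|\mathbf{X}_0\|_1$.

```python
"""PSO salient-feature search (Table 1) followed by the input-space
perturbation of Table 2 on a constructed toy model. Added illustration,
not the paper's code; the model, fitness, delta stand-in and the L1
perturbation ratio are all assumptions (see the lead-in)."""
import random

# Constructed toy model: 8 inputs feeding 4 feature-space coordinates.
GROUPS = [[0, 1], [2, 3], [4, 5], [6, 7]]   # component(k): inputs behind feature k
W = [3.0, -0.2, 0.1, 2.5]                   # feature-space weights w
B = -4.0                                    # bias
X0 = [0.5] * 8                              # legitimate sample X_0 (class +1)


def decision(x, groups=GROUPS, w=W, b=B):
    """f(Phi(x)) = w . Phi(x) + b with the assumed map Phi(x)_k = sum(x[j], j in I_k)."""
    return sum(w[k] * sum(x[j] for j in groups[k]) for k in range(len(w))) + b


def fitness(pos, w, penalty):
    """Assumed fit(.): share of |w| on the selected features minus a size penalty.
    A coordinate above 0.5 means the feature is selected (Table 1, line 18)."""
    total = sum(abs(v) for v in w)
    chosen = [k for k, p in enumerate(pos) if p > 0.5]
    return sum(abs(w[k]) for k in chosen) / total - penalty * len(chosen)


def pso_select_features(w, n_particles=20, n_iter=50, c1=2.0, c2=2.0,
                        penalty=0.05, seed=0):
    """Table 1: return the salient-feature indices B found by PSO."""
    rng = random.Random(seed)
    d = len(w)
    s = [[rng.random() for _ in range(d)] for _ in range(n_particles)]        # positions
    v = [[rng.uniform(-0.1, 0.1) for _ in range(d)] for _ in range(n_particles)]  # velocities
    p = [list(x) for x in s]                                                  # personal bests p_i
    p_fit = [fitness(x, w, penalty) for x in p]
    best = lambda: list(p[max(range(n_particles), key=p_fit.__getitem__)])    # global best p_g
    g = best()
    for _ in range(n_iter):
        for i in range(n_particles):
            r1, r2 = rng.random(), rng.random()
            for k in range(d):
                v[i][k] += c1 * r1 * (p[i][k] - s[i][k]) + c2 * r2 * (g[k] - s[i][k])
                v[i][k] = max(-0.5, min(0.5, v[i][k]))          # velocity clamp (assumed)
                s[i][k] = max(0.0, min(1.0, s[i][k] + v[i][k]))  # keep positions in [0, 1]
            f = fitness(s[i], w, penalty)
            if f > p_fit[i]:                                     # fit(s_i) > fit(p_i)
                p[i], p_fit[i] = list(s[i]), f
        g = best()
    return [k for k in range(d) if g[k] > 0.5]


def perturb_input(x0, salient, groups=GROUPS, w=W, b=B, theta=0.1):
    """Table 2: build Delta X by spreading each salient feature's shift equally
    over the inputs that make it up (the averaging step)."""
    f0 = decision(x0, groups, w, b)
    sign_f = 1.0 if f0 >= 0 else -1.0
    # Stand-in for delta(theta, lambda, I, X0) of Eq. (11): one total shift t,
    # applied against sign(w_k) on every salient feature, that moves f0 to -sign_f*theta.
    t = (abs(f0) + theta) / sum(abs(w[k]) for k in salient)
    delta = [0.0] * len(x0)
    for k in salient:
        I = groups[k]
        sigma = -sign_f * t * (1.0 if w[k] > 0 else -1.0) / len(I)
        for j in I:
            delta[j] += sigma
    return delta


def evade(x0=X0, seed=0):
    """Run both stages; return (f before, f after, L1 perturbation ratio, salient set)."""
    salient = pso_select_features(W, seed=seed)
    delta = perturb_input(x0, salient)
    x_adv = [a + d for a, d in zip(x0, delta)]
    ratio = sum(abs(d) for d in delta) / sum(abs(a) for a in x0)
    return decision(x0), decision(x_adv), ratio, salient


if __name__ == "__main__":
    f0, f1, ratio, salient = evade()
    print(f"salient={salient} f(x0)={f0:.2f} f(x_adv)={f1:.2f} "
          f"perturbation={100 * ratio:.1f}%")
```

With these weights the fitness is maximised by selecting features 0 and 3, the two with the largest $|w_k|$; the perturbation then touches only the four inputs behind them and leaves the rest of $\Delta\mathbf{X}$ at zero, which is the interpretability advantage the abstract refers to. The toy ratio is well above the paper's 7 % because the margin of $\mathbf{X}_0$ was chosen by hand, not fitted.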
Table 3  Classification accuracy (%) of each handwritten digit in the test set

| Digit    | 0     | 1     | 2     | 3     | 4     | 5     | 6     | 7     | 8     | 9     |
|----------|-------|-------|-------|-------|-------|-------|-------|-------|-------|-------|
| Accuracy | 98.88 | 98.94 | 95.16 | 95.74 | 96.13 | 92.71 | 97.18 | 94.65 | 93.94 | 93.76 |
Table 4  Average classification accuracy (%) of each handwritten digit under different perturbation amounts

| Digit | Before | 1 % perturbation | 3 % perturbation | 5 % perturbation | 7 % perturbation |
|-------|--------|------------------|------------------|------------------|------------------|
| 0     | 98.88  | 95.32            | 75.37            | 37.44            | 10.17            |
| 1     | 98.94  | 96.48            | 31.93            | 13.57            | 1.21             |
| 2     | 95.16  | 84.54            | 72.14            | 64.93            | 58.65            |
| 3     | 95.74  | 81.76            | 67.89            | 50.22            | 30.74            |
| 4     | 96.13  | 92.44            | 42.98            | 8.76             | 0.39             |
| 5     | 92.71  | 89.38            | 55.73            | 18.37            | 5.65             |
| 6     | 97.18  | 94.63            | 70.64            | 30.58            | 12.33            |
| 7     | 94.65  | 91.71            | 69.87            | 32.43            | 17.47            |
| 8     | 94.65  | 94.13            | 78.21            | 35.38            | 13.58            |
| 9     | 93.94  | 90.85            | 52.73            | 27.64            | 6.53             |
Table 5  Average classification accuracy (%) of each subject under different perturbation ratios

| Face no. | 1 % perturbation | 3 % perturbation | 5 % perturbation | 7 % perturbation |
|----------|------------------|------------------|------------------|------------------|
| 1        | 95.12            | 90.02            | 68.82            | 38.63            |
| 2        | 87.68            | 71.13            | 54.98            | 29.22            |
| 3        | 91.19            | 81.57            | 58.13            | 29.16            |
| 4        | 89.43            | 75.27            | 52.29            | 21.09            |
| 5        | 90.78            | 79.27            | 43.55            | 26.87            |
| 6        | 87.91            | 71.62            | 60.14            | 21.33            |
| 7        | 83.26            | 41.12            | 15.67            | 8.31             |
| 8        | 92.43            | 70.22            | 47.93            | 29.83            |
| 9        | 91.33            | 75.71            | 46.62            | 28.11            |
| 10       | 94.66            | 81.73            | 57.45            | 30.13            |
| 11       | 82.63            | 68.20            | 30.79            | 10.32            |
| 12       | 98.78            | 81.17            | 66.05            | 37.16            |
| 13       | 72.65            | 57.27            | 33.48            | 6.37             |
| 14       | 85.17            | 63.33            | 49.78            | 7.91             |
| 15       | 97.50            | 89.85            | 70.21            | 29.84            |