Journal of Computer Applications, 2023, Vol. 43, Issue (2): 467-473. DOI: 10.11772/j.issn.1001-9081.2021122068
Special Issue: Cyberspace security (section: Cyber security)
Jie LIANG, Xiaoyan HAO, Yongle CHEN
Received: 2021-12-09
Revised: 2022-04-14
Accepted: 2022-04-22
Online: 2022-05-16
Published: 2023-02-10
Contact (corresponding author): Xiaoyan HAO
About author: LIANG Jie, born in 1996 in Taiyuan, Shanxi, female, M. S. candidate. Her research interests include internet of things and information security.
Jie LIANG, Xiaoyan HAO, Yongle CHEN. Poisoning attack toward visual classification model[J]. Journal of Computer Applications, 2023, 43(2): 467-473.
URL: https://www.joca.cn/EN/10.11772/j.issn.1001-9081.2021122068
Tab. 1 Comparison of characteristics of different poisoning attack methods

| Method | Trigger | Model modified? | Trigger concealment | Retraining of model required? | Accuracy of original model | Attack success rate/% |
|---|---|---|---|---|---|---|
| BadNets | Random | Modifies model weights | Low | Yes | Slightly higher | 52.13±0.2 |
| TrojanNN | Constrained | Modifies model weights | Medium | Yes | Medium | 53.63±0.2 |
| DeepPayload | Random | Modifies model structure | Medium | No | Medium | 54.03±0.2 |
| Sample-based poisoning attack (this paper) | Random | Unchanged | Relatively high | No | Medium | 56.53±0.2 |
Tab. 2 Setting of number of training samples

| Experiment No. | Clean samples | Poisoned samples: real images | Poisoned samples: DCGAN-generated fake images | Fake images as share of poisoned samples/% | Poisoned samples as share of training samples/% |
|---|---|---|---|---|---|
| 1 | 35 000 | 4 500 | 10 500 | 70 | 30 |
| 2 | 40 000 | 5 000 | 5 000 | 50 | 20 |
| 3 | 45 000 | 3 500 | 1 500 | 30 | 10 |
| 4 | 47 500 | 2 250 | 250 | 10 | 5 |
| 5 | 48 500 | 1 425 | 75 | 5 | 3 |
Tab. 3 Influence of image steganography module on poisoning attack

| Image steganography module | Attack success rate/% | Original model accuracy/% | Trigger concealment |
|---|---|---|---|
| With | 58.27±0.9 | 94.97±0.1 | Stronger |
| Without | 54.24±0.9 | 93.18±0.1 | Weaker |
Tab. 4 Influence of DCGAN "fake picture" generation module on poisoning attack

| DCGAN "fake picture" generation module | Attack success rate/% | Original model accuracy/% | Trigger concealment |
|---|---|---|---|
| With | 61.27±0.9 | 92.87±0.1 | Stronger |
| Without | 50.24±0.9 | 93.18±0.1 | Weaker |