CN117240624B - Method and device for generating and testing adversarial attack samples in a black-box scenario - Google Patents

Info

Publication number: CN117240624B
Application number: CN202311508395.1A
Authority: CN (China)
Other versions: CN117240624A
Other languages: Chinese (zh)
Inventors: 徐大伟, 杨云帆, 张洪杰, 赵剑, 李念峰, 薛蛟
Assignee (current and original): Changchun University
Legal status: Active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02T: CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00: Road transport of goods or passengers
    • Y02T10/10: Internal combustion engine [ICE] based vehicles
    • Y02T10/40: Engine management systems


Abstract

A method and device for generating and testing adversarial attack samples in a black-box scenario relate to the technical field of network security. The method comprises the following steps: acquiring a traffic sample set, inputting it into a target classifier, collecting the target classifier's classification results, and integrating the classification results and the traffic sample set into a complete data set; inputting the complete data set into a classifier to be trained, and training that classifier into a surrogate classification model; generating an adversarial sample from the complete data set; and inputting the adversarial sample into the surrogate classification model for testing. The method generates adversarial samples with realistic constraints for attack traffic, which improves the practicality and effectiveness of the adversarial samples, requires a simpler scenario, makes the attack more effective, and is better suited to real-world adversarial attacks.

Description

Method and device for generating and testing adversarial attack samples in a black-box scenario
Technical Field
The invention relates to the technical field of network security.
Background
Network intrusion detection systems (NIDS) are an attack detection mechanism that identifies potential intrusions, such as malicious activity, computer attacks or abuse, and virus propagation, and raises alerts during detection. There are two main ways to implement a NIDS: signature-based and anomaly-based. Signature-based methods dominate in many devices, but adversaries can use random or well-known port numbers to evade port-based intrusion detectors and can encrypt network traffic to fool classifiers; anomaly-based NIDS are typically implemented with machine learning or deep learning and use byte sequences and statistical features of packets or flows to classify network traffic, which addresses the previous problems. Although machine learning and deep learning perform very well, they are extremely vulnerable to adversarial samples, that is, specially crafted inputs with small perturbations that change the output of the model.
An adversarial attack makes a model produce incorrect output by adding small perturbations. Common methods include L-BFGS and FGSM. These methods are widely used in computer vision; although the resulting perturbation is small, it is sufficient to force a trained neural network to predict an incorrect class. For example, a perturbed image of a panda still looks like a panda to a human, but it can make the neural network predict a wrong label. Accordingly, in the network traffic field, adversarial-sample methods can also be used to attack a network intrusion detection system and evade detection. However, because of the differences between images and network traffic, common adversarial methods are in many ways inapplicable when generating adversarial traffic as adversarial samples in the traffic domain.
First, common adversarial attack methods such as L-BFGS and FGSM are mostly based on white-box scenarios; their main idea is to apply a bounded perturbation along the gradient of the model input so that the loss function after perturbation is maximised. The attack therefore needs detailed knowledge of the target model's internals, which is not available in network traffic scenarios. In general, an attacker cannot learn all, or even part, of the model's information when attacking an intrusion detector, so research on adversarial attack methods in the black-box scenario is very important.
Secondly, the common adversarial attack methods described above are mainly used in the image field, and some of them perturb an image by modifying its pixels. The data format of network traffic is quite different from that of images, and such methods are not fully applicable. Moreover, attack traffic must retain its original attack capability, so the number and range of features that can be modified are more limited. However, existing adversarial attack methods in the traffic domain typically do not take the domain and class constraints of the samples into account, i.e. whether the adversarial samples conform to the constraints of the communication protocol and of the specific attack class. As a result, although such attack traffic can evade identification by an intrusion detector, it has no ability to attack in an actual network environment, and such an adversarial attack has no practical significance.
Therefore, how to provide a method for generating adversarial samples with realistic constraints for attack traffic in a black-box scenario is a technical problem to be solved in the art.
Disclosure of Invention
To solve the above technical problems, the invention provides a black-box-scenario-based method and device for generating and testing adversarial samples. The method generates adversarial samples with realistic constraints from attack traffic, which improves the practicality and effectiveness of the adversarial samples, requires a simpler scenario, makes the attack more effective, and is better suited to real-world adversarial attacks.
Based on the same inventive concept, the invention has four independent technical schemes:
1. A method for generating and testing adversarial attack samples in a black-box scenario, comprising the following steps:
S1, acquiring a traffic sample set, inputting it into a target classifier, collecting the target classifier's classification results, and integrating the classification results and the traffic sample set into a complete data set;
S2, inputting the complete data set into a classifier to be trained, and training that classifier into a surrogate classification model;
S3, generating an adversarial sample from the complete data set;
S4, inputting the adversarial sample into the surrogate classification model for testing.
Further, the adversarial sample is generated using the A-M adversarial sample generation method.
Further, step S1 includes:
S11, sending queries to the target classifier A for the traffic sample set to obtain classification result labels;
S12, storing each query and its corresponding classification result label as a complete data pair in a synthetic data set dictionary to obtain the complete data set.
Further, the classifier to be trained is trained using a stochastic gradient descent algorithm.
Further, a plurality of classifiers to be trained are trained using a stochastic gradient descent algorithm.
Further, step S3 includes:
S31, given an original sample X = (X_1, X_2, …, X_n) from the complete data set, where each X_i is a sample feature, first calculate the mutual information value between each X_i and the classification result label Y, sort the features in descending order of mutual information, and select the first L sample features, which together with the classification result labels Y form a new data set W, where L is a preset value;
S32, divide the L sample features into discrete features and correlated (combined) features, and select, from the correlated features, the locked features that must not be changed;
S33, on the data set W, perturb the correlated features other than the locked features with a multi-feature perturbation algorithm, and then perturb the discrete features with the single-feature perturbation method.
Further, perturbing a feature with the single-feature perturbation method includes:
S331, obtaining a discrete single feature in the data set W; if the data set W is a static data set to which no more data is added, calculate the maximum value M and the minimum value m of the single feature;
if the data set W is a dynamically growing data set, obtain the momentum K and calculate the maximum value M and minimum value m of the feature on the current data set W from the momentum K and the maximum value M_{i−1} and minimum value m_{i−1} of the previous batch of data;
S332, obtaining a parameter ε and determining the perturbation value P from the parameter ε, the maximum value M and the minimum value m, with the following formula:
S333, randomly generating a sign parameter q (addition or subtraction), and calculating the perturbed data Z' for the current single feature from the perturbation value P and the parameter q, with the following formula:
Z' = Z + qP;
where Z is the original value of the feature in the data set W;
S334, if the perturbed value Z' is smaller than the minimum value m, the final adversarial sample value is m; if Z' is larger than the maximum value M, the final adversarial sample value is M; otherwise the final adversarial sample value is Z'.
Further, the maximum value M and minimum value m of the current data feature set are calculated from the momentum K and the maximum value M_{i−1} and minimum value m_{i−1} of the previous batch of data as follows:
where Max(W) is the maximum value of the feature in the acquired data set W, and Min(W) is its minimum value.
2. A device for generating and testing adversarial samples in a black-box scenario, comprising:
a data collection module for acquiring a traffic sample set, inputting it into a target classifier, collecting the target classifier's classification results, and integrating the results and the traffic sample set into a complete data set;
a training module for inputting the complete data set into a classifier to be trained and training that classifier into a surrogate classification model;
a sample generation module for generating an adversarial sample from the complete data set using the A-M adversarial sample generation method;
and a testing module for inputting the adversarial sample into the surrogate classification model for testing.
3. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the method described above.
4. An electronic device comprising a processor and a storage device, wherein a plurality of instructions are stored in the storage device, and the processor is configured to read the instructions from the storage device and execute the method.
The method and device for generating and testing adversarial attack samples in a black-box scenario provided by the invention have at least the following beneficial effects:
(1) The invention is general and has a wider range of application scenarios: it generates adversarial network traffic against a black-box model, so detailed information about the target model need not be known, which not only matches the actual attack scenario but also makes the attack simpler and reduces its cost;
(2) The invention can be applied to more realistic application scenarios, since it generates adversarial samples that satisfy real-world constraints and remain meaningful attacks in the real world. Thus, not only does the adversarial sample deceive the classifier, but the attack traffic also keeps its original attack capability and better satisfies the constraints of the communication domain;
(3) The invention also offers high efficiency and low resource consumption: since it does not need to know all of the model's information, the adversarial attack does not rely on changing the model's internal parameters, which saves attack time and space and reduces cost.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the following description will briefly introduce the drawings that are needed in the embodiments or the description of the prior art, it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a system architecture diagram of the black-box-scenario-based method for generating and testing adversarial attack samples provided by the invention;
Fig. 2 is a schematic diagram of feature perturbation in the black-box-scenario-based method for generating and testing adversarial samples.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system configurations, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. However, it will be apparent to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
The following description of the embodiments of the present application, taken in conjunction with the accompanying drawings, clearly and fully describes the technical solutions of the embodiments of the present application, and it is evident that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application, but the present application may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present application is not limited to the specific embodiments disclosed below.
Embodiment one:
Referring to Fig. 1, in some embodiments a black-box-scenario-based adversarial sample generation and testing method is provided, comprising:
S1, acquiring a traffic sample set, inputting it into a target classifier, collecting the target classifier's classification results, and integrating the classification results and the traffic sample set into a complete data set;
S2, inputting the complete data set into a classifier to be trained, and training that classifier into a surrogate classification model;
S3, generating an adversarial sample from the complete data set;
S4, inputting the adversarial sample into the surrogate classification model for testing.
Preferably, the adversarial sample is generated using the A-M adversarial sample generation method.
It should be noted that the method provided in this embodiment also includes a surrogate model method, which establishes a surrogate model of the target classifier in the black-box scenario. In the black-box scenario the attacker does not know the structure or parameters of the target model, which better matches real-world attack scenarios. The attacker's only ability is to feed selected data into the target model and observe the labels it returns. Therefore, to attack the unknown model, a surrogate model is trained by querying the target model for labels, so that it behaves similarly to the target model. Training the surrogate model yields the relevant information about the target classifier, solves the problem that not all information about the target classifier can be known in a real scenario, and makes the adversarial attack feasible.
Secondly, to address the problem of realistic constraints on network traffic, the A-M method is proposed. The A-M adversarial sample generation method is a constrained adversarial sample generation method. Because network traffic data is tabular data subject to network-protocol constraints, its fields are interdependent. Naively transferring an image-domain adversarial sample generation method may cause the traffic to lose its actual function, for example through a changed port number or a changed keep-alive or termination signal. To keep the original function of the traffic as unchanged as possible, A-M uses single-feature perturbation and multi-feature perturbation to handle, respectively, the perturbation of discrete features and of correlated features.
Single-feature perturbation first uses mutual information to find the discrete features with the greatest influence on the classification label, and then perturbs those features. Multi-feature perturbation uses the locked features to look up the features associated with them. When the locked feature is perturbed, the related features are perturbed accordingly.
Specifically, step S1, acquiring a traffic sample set, inputting it into a target classifier, collecting the target classifier's classification results, and integrating the results and the traffic sample set into a complete data set, includes:
S11, sending queries to the target classifier A for the traffic sample set to obtain classification result labels;
S12, storing each query and its corresponding classification result label as a complete data pair in a synthetic data set dictionary to obtain the complete data set.
As a preferred embodiment, the classifier to be trained is trained using a stochastic gradient descent algorithm.
Surrogate model training relies mainly on the transferability of adversarial samples. As long as models A and B are trained on similar tasks, an adversarial sample that affects one model will typically also affect the other, even when the two models have completely different structures and parameters. Thus, an attacker only needs to attack the surrogate model and transfer the adversarial samples generated on it to the target model.
As shown in Fig. 1, the selected traffic packets are classified by the target classifier to obtain the associated classification labels. A synthetic data set consisting of the data and their class labels is used both to create the adversarial samples and to train the surrogate model. The generated adversarial sample data set is then fed into the trained surrogate model for testing, which achieves the effect of attacking the original model.
The complete surrogate model training process is as follows. The adversary can only submit synthetic input data X as queries to the machine learning or deep learning model and obtain the labels Y as responses. These query-response pairs are then used to train a surrogate model.
The complete surrogate model training process is divided into the following parts: the design of the surrogate model architecture and the collection of the synthetic data set, and the training of the surrogate model on the synthetic data set.
Designing the surrogate model architecture and collecting the synthetic data set are very challenging tasks. Because the architecture and training process of the target classifier A are unknown in an actual attack, a provisional, suitable model B is selected for training. The adversary may also train several machine learning or deep learning models to find the best-trained surrogate model E. The synthetic data X' is generated by querying the target model A for labels.
(1) Queries are sent to the target model A using the collected traffic sample set X to obtain labels Y.
(2) Each query and its response label are stored as a synthetic data pair in the synthetic data set dictionary Q.
(3) Once a sufficient amount of synthetic data X' has been obtained, a provisional surrogate model B is trained on the synthetic data set using a stochastic gradient descent algorithm.
(4) The trained provisional surrogate model B is set as the final surrogate model E.
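The four steps above, as an added worked example that is not the patent's or the inventors' code. The "target classifier A" is a constructed toy rule on two flow features whose labels are the only thing the loop can see, dictionary Q is filled by querying it, the provisional model B is a logistic regression fitted with plain stochastic gradient descent as step (3) prescribes, and the final function measures how often the resulting surrogate E agrees with A on fresh queries. A defender who operates a classifier behind a label-only interface can run the same loop against it to quantify how closely a surrogate can be fitted from label responses alone, which is the exposure this section is about. Feature names, ranges and the oracle rule are assumptions for the demonstration.

```python
"""Surrogate-model training from black-box label queries (added example)."""
import math
import random

# Constructed feature ranges: packets per second, mean packet length in bytes.
RANGES = ((0.0, 120.0), (40.0, 1500.0))


def target_classifier_A(x):
    """Black-box oracle: only its label is observable. Constructed rule, not a real NIDS.
    Flags flows that send many short packets; 1 = flagged, 0 = not flagged."""
    pkts, plen = x
    return 1 if pkts / 120.0 > plen / 1500.0 else 0


def random_flow(rng):
    """Draw one constructed query sample X uniformly from the feature ranges."""
    return tuple(rng.uniform(lo, hi) for lo, hi in RANGES)


def collect_synthetic_dataset(oracle, n_queries, rng):
    """Steps (1)-(2): query the oracle and store (query, label) pairs in dictionary Q."""
    Q = {}
    while len(Q) < n_queries:
        x = random_flow(rng)
        Q[x] = oracle(x)
    return Q


def _scale(x):
    """Min-max scale a query into [0, 1]^2 using the known feature ranges."""
    return tuple((v - lo) / (hi - lo) for v, (lo, hi) in zip(x, RANGES))


def train_surrogate_B(Q, epochs=40, lr=0.5, seed=1):
    """Step (3): logistic regression trained with SGD on the synthetic data set."""
    rng = random.Random(seed)
    pairs = list(Q.items())
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        rng.shuffle(pairs)
        for x, y in pairs:
            u = _scale(x)
            z = max(-500.0, min(500.0, w[0] * u[0] + w[1] * u[1] + b))
            p = 1.0 / (1.0 + math.exp(-z))
            g = p - y  # gradient of the log-loss with respect to z
            w[0] -= lr * g * u[0]
            w[1] -= lr * g * u[1]
            b -= lr * g
    return w, b


def predict_B(model, x):
    """Label predicted by the surrogate for one query."""
    w, b = model
    u = _scale(x)
    return 1 if w[0] * u[0] + w[1] * u[1] + b > 0 else 0


def agreement_rate(model, oracle, n_trials, rng):
    """Step (4) check: fraction of fresh queries on which surrogate E agrees with target A."""
    hits = sum(predict_B(model, x) == oracle(x)
               for x in (random_flow(rng) for _ in range(n_trials)))
    return hits / n_trials


def run_demo(n_queries=1500, n_trials=1000, seed=7):
    """Run steps (1)-(4) end to end and return the surrogate/target agreement rate."""
    rng = random.Random(seed)
    Q = collect_synthetic_dataset(target_classifier_A, n_queries, rng)
    model = train_surrogate_B(Q)  # provisional B becomes the final surrogate E
    return agreement_rate(model, target_classifier_A, n_trials, rng)


if __name__ == "__main__":
    print("surrogate/target agreement:", run_demo())
```

The agreement rate is the quantity to watch: it rises with the number of label queries, so on a production interface the same measurement, taken at several query budgets, tells a defender how many responses are enough for an outsider to reconstruct the decision boundary, and is a natural input to query rate limits and to logging of bulk classification requests.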
Step S3 includes:
S31, given an original sample X = (X_1, X_2, …, X_n) from the complete data set, where each X_i is a sample feature, first calculate the mutual information value between each X_i and the classification result label Y, sort the features in descending order of mutual information, and select the first L sample features, which together with the classification result labels Y form a new data set W, where L is a preset value;
S32, divide the L sample features into discrete features and correlated (combined) features, and select, from the correlated features, the locked features that must not be changed;
S33, on the data set W, perturb the correlated features other than the locked features with a multi-feature perturbation algorithm, and then perturb the discrete features with the single-feature perturbation method.
In step S33, perturbing a feature with the single-feature perturbation method includes:
S331, obtaining a discrete single feature in the data set W; if the data set W is a static data set to which no more data is added, calculate the maximum value M and the minimum value m of the single feature;
if the data set W is a dynamically growing data set, obtain the momentum K and calculate the maximum value M and minimum value m of the feature on the current data set W from the momentum K and the maximum value M_{i−1} and minimum value m_{i−1} of the previous batch of data;
S332, obtaining a parameter ε and determining the perturbation value P from the parameter ε, the maximum value M and the minimum value m, with the following formula:
S333, randomly generating a sign parameter q (addition or subtraction), and calculating the perturbed data Z' for the current single feature from the perturbation value P and the parameter q, with the following formula:
Z' = Z + qP;
where Z is the original value of the feature in the data set W;
S334, if the perturbed value Z' is smaller than the minimum value m, the final adversarial sample value is m; if Z' is larger than the maximum value M, the final adversarial sample value is M; otherwise the final adversarial sample value is Z'.
In step S331, the maximum value M and minimum value m of the current data feature set are calculated from the momentum K and the maximum value M_{i−1} and minimum value m_{i−1} of the previous batch of data as follows:
where Max(W) is the maximum value of the feature in the acquired data set W, and Min(W) is its minimum value.
It should be noted that, to generate adversarial traffic that does not lose its attack capability in the real world, the adversarial traffic generally has to satisfy two kinds of constraints, and the A-M method generates adversarial samples that satisfy both the network communication protocol constraint and the attack class (domain) constraint. The feature analysis performed by A-M relies on two key concepts: single-feature perturbation and multi-feature perturbation.
As shown in Fig. 2, after the data set has been processed, uncorrelated numerical features with discrete values are perturbed individually in the single-feature perturbation mode, and features with mutual constraints are perturbed jointly in the multi-feature mode. The following sections describe the perturbation modes based on these concepts and their advantages in detail.
Single-feature perturbation: to perturb uncorrelated numerical variables, the main aspect to consider is the interval of values each variable may take. The number of uncorrelated discrete features across the whole data set can sometimes be very large. Second, not all uncorrelated discrete features are useful for generating adversarial samples; some may even make the classifier more likely to recognise the adversarial sample. To deal with the large number of features and their varying contribution to the adversarial sample, the contribution of each feature in the data set is computed before individual features are perturbed, in order to find the features most likely to mislead the classifier, to avoid extra overhead when the number of features is large, and to avoid including features that have a negative effect on misleading the classifier. This patent therefore adopts mutual information as the method for computing feature contributions. The calculation formula is as follows:
Mutual information is the dependence between two random variables, i.e. the degree to which the uncertainty of one random variable is reduced once the other is known. Its minimum value is 0, meaning that the given variable tells nothing about the determination of the other, and its maximum value is the entropy of the variable, meaning that the given variable completely eliminates the uncertainty of the other.
To select the most discriminative features from the traffic dictionary Q, the MI between each feature and the label is computed. The feature with the highest mutual information is selected as the most discriminative feature. The mutual information values of the different features also describe the influence of each feature on the classification process.
Specifically, the screened features with high mutual information values are perturbed. Z is a feature value in the network traffic data set, and Z' is the corresponding value in the traffic feature data set generated after perturbation. For complete static data, the maximum M and minimum m of the feature in the data set are first computed. After obtaining the maximum and minimum, the magnitude of the perturbation is set by the value of ε ∈ [0,1]; the perturbation of each batch is given by P, which is determined jointly by the maximum, the minimum and ε.
For data whose features are updated over time, the maximum M_{i−1} and minimum m_{i−1} of the previous batch are taken into account, and then the momentum K ∈ [0,1] is used to determine the maximum M and minimum m of the feature Z on the current data set W. The final perturbed data Z' is determined by the original value Z, the random sign q and the perturbation P. If the current value minus the perturbation P is smaller than the minimum, the perturbed value is replaced by the minimum m, and correspondingly for the maximum. If the value lies within the interval, the perturbation P is randomly added to or subtracted from the current value, where q is the operation sign.
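Steps S31 and S331 to S334 and the mutual-information screening just described, as an added worked example that is not the patent's or the inventors' code. It ranks feature columns by mutual information with the label, keeps the top L as data set W, derives the admissible interval [m, M] of a feature either from a static set or from momentum-smoothed batch bounds, applies Z' = Z + qP with a random sign q, and clips the result back into [m, M] so the perturbed value never leaves the range the feature takes in real traffic. The page does not reproduce the formula for P or the momentum update, so the example assumes P = ε(M − m) and M = K·M_{i−1} + (1 − K)·Max(W) (and likewise for m); both are marked as assumptions in the code. The mutual-information routine is the standard empirical definition, not the patent's formula, and the flow records and feature names are constructed.

```python
"""A-M single-feature perturbation with interval clipping (added example)."""
import math
import random
from collections import Counter


def mutual_information(xs, ys):
    """I(X;Y) in bits from empirical joint and marginal frequencies (standard definition)."""
    n = len(xs)
    pxy, px, py = Counter(zip(xs, ys)), Counter(xs), Counter(ys)
    return sum((c / n) * math.log2((c / n) / ((px[x] / n) * (py[y] / n)))
               for (x, y), c in pxy.items())


def select_top_features(records, labels, L):
    """S31: rank feature columns by MI with the labels and keep the first L (descending)."""
    names = list(records[0])
    ranked = sorted(names,
                    key=lambda f: mutual_information([r[f] for r in records], labels),
                    reverse=True)
    return ranked[:L]


def feature_bounds(values, K=None, prev=None):
    """S331: [m, M] of a static feature, or momentum-smoothed bounds for a growing data set.
    ASSUMPTION: the momentum update is m = K*m_prev + (1-K)*Min(W), M likewise;
    the page omits the actual formula."""
    lo, hi = min(values), max(values)
    if K is None or prev is None:
        return lo, hi
    m_prev, M_prev = prev
    return K * m_prev + (1 - K) * lo, K * M_prev + (1 - K) * hi


def perturb_value(Z, m, M, epsilon, rng):
    """S332-S334: P = epsilon*(M-m) (ASSUMPTION), random sign q, then clip Z' into [m, M]."""
    P = epsilon * (M - m)
    q = rng.choice((-1, 1))
    Z_prime = Z + q * P
    return max(m, min(M, Z_prime))  # S334: values outside [m, M] snap to the bound


def perturb_dataset(records, labels, L, epsilon, rng):
    """Perturb the top-L features of every record; returns perturbed copies (W is left intact)."""
    top = select_top_features(records, labels, L)
    bounds = {f: feature_bounds([r[f] for r in records]) for f in top}
    out = []
    for r in records:
        r2 = dict(r)
        for f in top:
            m, M = bounds[f]
            r2[f] = perturb_value(r[f], m, M, epsilon, rng)
        out.append(r2)
    return out


# Constructed flow records; labels: 1 = flagged by the target classifier, 0 = not flagged.
RECORDS = [
    {"pkt_count": 4,  "ttl": 64, "win_size": 8192},
    {"pkt_count": 5,  "ttl": 64, "win_size": 8192},
    {"pkt_count": 90, "ttl": 64, "win_size": 1024},
    {"pkt_count": 95, "ttl": 64, "win_size": 1024},
]
LABELS = [0, 0, 1, 1]

if __name__ == "__main__":
    rng = random.Random(0)
    print("top features:", select_top_features(RECORDS, LABELS, 2))
    for row in perturb_dataset(RECORDS, LABELS, 1, 0.1, rng):
        print(row)
```

Two details matter for anyone reproducing the evaluation. The constant `ttl` column scores exactly 0 bits and is never touched, which is the screening effect the text describes; and because clipping is applied after the sign is drawn, a feature already sitting at a bound is perturbed in only one direction, so the effective perturbation budget at the edges of the interval is half of what ε suggests.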
Multi-feature perturbation:
For the data to satisfy certain domain constraints, the related features require a combined perturbation in addition to the within-interval perturbation of the discrete features. When one feature in a group of features changes as another changes, it is classified as a related feature.
Because the values of the variables may affect each other, there may be several inter-feature constraints. To improve on earlier solutions and satisfy both kinds of constraints, several features are combined into one common record. Locked features are configured whose values are used, without being modified, to look up the other feature combinations.
For a better understanding, Fig. 2 shows how multi-feature perturbation and single-feature perturbation follow mutual-information screening and locked-feature selection. The combination mode first examines the feature with the locked value, finds the perturbed combination, and replaces the original combination. For example, feature T1 is a locked feature, and the value of T2 changes from B to G. T2, T3 and T4 are related features, and the values of T3 and T4 vary with the value of T2. Thus, when the value of T2 changes from B to G, the values of T3 and T4 also change accordingly.
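The combination mode with the T1 to T4 example above, as an added worked example that is not the patent's or the inventors' code. The locked feature T1 is never modified; its value selects the set of (T2, T3, T4) combinations that were actually observed together under that T1 value, and the record's current combination is replaced by one of those. Because only observed combinations are substituted, T3 and T4 follow T2 automatically and the coupling between them is preserved, which is what keeps the perturbed record inside the protocol constraint. A record whose lock value admits no alternative combination is returned unchanged rather than given a made-up one. Feature meanings and values are constructed for the demonstration.

```python
"""A-M multi-feature (combined) perturbation around a locked feature (added example)."""
import random
from collections import defaultdict


def build_combination_table(records, lock, related):
    """Index every observed tuple of related-feature values by the locked feature's value."""
    table = defaultdict(set)
    for r in records:
        table[r[lock]].add(tuple(r[f] for f in related))
    return table


def perturb_combination(record, lock, related, table, rng):
    """Swap the related-feature tuple for another tuple observed under the same lock value.
    Returns an unchanged copy when no alternative combination exists."""
    current = tuple(record[f] for f in related)
    candidates = sorted(table.get(record[lock], set()) - {current})
    out = dict(record)
    if candidates:
        out.update(zip(related, rng.choice(candidates)))
    return out


# Constructed records: T1 = transport protocol (locked), T2 = TCP flag set,
# T3 = window size, T4 = mean packet length. T3 and T4 are tied to T2 in this data.
LOCK, RELATED = "T1", ("T2", "T3", "T4")
RECORDS = [
    {"T1": "tcp", "T2": "B", "T3": 65535, "T4": 1400},
    {"T1": "tcp", "T2": "B", "T3": 65535, "T4": 1400},
    {"T1": "tcp", "T2": "G", "T3": 1024,  "T4": 60},
    {"T1": "udp", "T2": "N", "T3": 0,     "T4": 512},
]


def run_demo(seed=0):
    """Perturb every constructed record once and return the perturbed copies."""
    rng = random.Random(seed)
    table = build_combination_table(RECORDS, LOCK, RELATED)
    return [perturb_combination(r, LOCK, RELATED, table, rng) for r in RECORDS]


if __name__ == "__main__":
    for before, after in zip(RECORDS, run_demo()):
        print(before, "->", after)
```

A useful side effect for the defender is that the table built here is also a constraint checker: any flow whose (T2, T3, T4) tuple does not appear under its T1 value violates a coupling seen in real traffic, which is a cheap plausibility test to run on suspicious inputs before they reach the classifier.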
Embodiment two:
in some embodiments, a black box scene-based challenge-attack sample generation and testing device is provided, comprising:
the data collection module is used for acquiring a flow sample set, inputting the flow sample set into a target classifier, collecting a classification result of the target classifier, and collecting the data and the flow sample set into a complete data set;
the training module is used for inputting the complete data set into a classifier to be debugged, and training the classifier to be debugged into a substitute classification model;
a sample generation module for generating a challenge sample from the complete data set using an a-M challenge sample generation method;
and the testing module is used for inputting the countermeasure sample into the alternative classification model for testing.
Embodiment III:
in some embodiments, a computer readable storage medium is provided, which stores a computer program which, when executed by a processor, implements the method described above.
Embodiment four:
in some embodiments, an electronic device is provided that includes a processor and a storage device having a plurality of instructions stored therein, the processor configured to read the plurality of instructions in the storage device and perform the method described above.
It should be appreciated that in embodiments of the present application, the processor may be a central processing unit (Central Processing Unit, CPU), which may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), off-the-shelf programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory may include read-only memory, flash memory, and random access memory, and provides instructions and data to the processor. Some or all of the memory may also include non-volatile random access memory.
It should be appreciated that the above-described integrated modules/units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. Based on such understanding, the present application may implement all or part of the flow of the method of the above embodiment, or may be implemented by instructing related hardware by a computer program, where the computer program may be stored in a computer readable storage medium, and the computer program may implement the steps of each method embodiment described above when executed by a processor. The computer program comprises computer program code, and the computer program code can be in a source code form, an object code form, an executable file or some intermediate form and the like. The computer readable medium may include: any entity or device capable of carrying the computer program code described above, a recording medium, a U disk, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. The content of the computer readable storage medium can be appropriately increased or decreased according to the requirements of the legislation and the patent practice in the jurisdiction.
The black box scene-based anti-attack sample generation and test method and device provided by the embodiments are generic and apply to a wider range of scenarios. They generate the anti-attack network flow against a black box model, so detailed information about the target model need not be known; this matches the actual attack scenario, keeps the attack simpler and reduces its cost. The method applies to more realistic scenarios, since it generates a challenge sample that satisfies real-world constraints and retains its meaning in the real world; thus the challenge sample not only deceives the classifier, but the attack flow also keeps its original attack capability and better satisfies the constraints of the communication domain. The method is efficient and consumes few resources: because it does not need to know all the information about the model, it does not resist the attack by changing the internal parameters of the model, which saves attack time and space and reduces cost.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other manners. For example, the apparatus/device embodiments described above are merely illustrative, e.g., the division of modules or elements described above is merely a logical functional division, and may be implemented in other ways, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (9)

1. The method for generating and testing the attack resistance sample based on the black box scene is characterized by comprising the following steps:
s1, acquiring a flow sample set, inputting the flow sample set into a target classifier, collecting a classification result of the target classifier, and integrating the classification result and the flow sample set into a complete data set;
s2, inputting the complete data set into a classifier to be debugged, and training the classifier to be debugged into a substitute classification model;
s3, generating a countermeasure sample according to the complete data set;
s4, inputting the countermeasure sample into the alternative classification model for testing;
the step S3 comprises the following steps:
s31, based on the complete data set, an original sample X = (X1, X2, …, Xn) is given, wherein Xn is a sample feature; first the mutual information value between each Xi and the classification result label Y is calculated, the values are arranged in descending order, and the first L sample features are screened out and, together with the classification result label Y, form a new data set W, wherein L is a preset value;
s32, classifying the L sample features according to the selection of the discrete features and the combined features, and selecting locking features which do not need to be changed from the combined features;
s33, on the data set W, disturbing other combined features except the locking features based on a multi-feature disturbance algorithm, and then disturbing the features by adopting a single-feature disturbance method.
2. The method of claim 1, wherein the challenge sample is generated using an a-M challenge sample generation method.
3. The method according to claim 1, wherein step S1 comprises:
s11, sending a query to a target classifier according to the flow sample set to obtain a classification result label;
and S12, storing each query and the corresponding classification result label as complete data in a composite data set dictionary to obtain a complete data set.
4. The method of claim 1, wherein the classifier to be commissioned is trained using a random gradient descent algorithm.
5. The method of claim 1, wherein perturbing the feature using a single feature perturbation method comprises:
s331, acquiring the discrete single features in the data set W, and, if the data set W is a static data set to which nothing is added any more, calculating the maximum value M and the minimum value m of the single feature;
if the data set W is a dynamically growing data set, acquiring the momentum K and, according to the momentum K and the maximum value M_{i−1} and the minimum value m_{i−1} of the previous batch of data, calculating the maximum value M and the minimum value m of the feature on the current data set W;
s332, acquiring a parameter ε and determining the size of the perturbation value P according to the parameter ε, the maximum value M and the minimum value m, the formula being as follows:
s333, randomly generating an addition and subtraction symbol parameter q, and calculating data Z' subjected to disturbance under the current single characteristic according to the disturbance value P and the parameter q, wherein the formula is as follows:
Z’=Z+qP;
wherein Z is the original data of the characteristic value in the data set W;
s334, if the value of the perturbed data Z' is smaller than the minimum value m, the final challenge sample value is m; if the value of the perturbed data Z' is larger than the maximum value M, the final challenge sample value is M; and if neither condition holds, the final challenge sample value is Z'.
6. The method according to claim 5, wherein, according to the momentum K and the maximum value M_{i−1} and the minimum value m_{i−1} of the previous batch of data, the maximum value M and the minimum value m of the current data feature set are calculated as follows:
wherein Max (W) is a characteristic maximum value of the acquired data set W, and min (W) is a characteristic minimum value of the acquired data set W.
7. A black box scene-based challenge sample generation and testing device, comprising:
the data collection module is used for acquiring a flow sample set, inputting the flow sample set into a target classifier, collecting a classification result of the target classifier, and collecting the data and the flow sample set into a complete data set;
the training module is used for inputting the complete data set into a classifier to be debugged, and training the classifier to be debugged into a substitute classification model;
a sample generation module for generating a challenge sample from the complete data set using an a-M challenge sample generation method;
the test module is used for inputting the countermeasure sample into the alternative classification model for testing;
the sample generation module includes:
based on the complete data set, an original sample X = (X1, X2, …, Xn) is given, wherein Xn is a sample feature; first the mutual information value between each Xi and the classification result label Y is calculated, the values are arranged in descending order, and the first L sample features are screened out and, together with the classification result label Y, form a new data set W, wherein L is a preset value;
classifying the L sample features according to the selection of discrete features and combined features, and selecting locking features which do not need to be changed from the combined features;
on the data set W, the other combined features except the locking features are disturbed based on a multi-feature disturbance algorithm, and then the features are disturbed by adopting a single-feature disturbance method.
8. A computer readable storage medium storing a computer program, which when executed by a processor performs the method according to any one of claims 1-6.
9. An electronic device comprising a processor and a memory means, wherein a plurality of instructions are stored in the memory means, the processor being arranged to read the plurality of instructions in the memory means and to perform the method of any of claims 1-6.
CN202311508395.1A 2023-11-14 2023-11-14 Method and device for generating and testing anti-attack sample based on black box scene Active CN117240624B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311508395.1A CN117240624B (en) 2023-11-14 2023-11-14 Method and device for generating and testing anti-attack sample based on black box scene

Publications (2)

Publication Number Publication Date
CN117240624A CN117240624A (en) 2023-12-15
CN117240624B true CN117240624B (en) 2024-01-23

Family

ID=89088424

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311508395.1A Active CN117240624B (en) 2023-11-14 2023-11-14 Method and device for generating and testing anti-attack sample based on black box scene

Country Status (1)

Country Link
CN (1) CN117240624B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant