基于FGSM样本扩充的模型窃取攻击方法研究

信息安全研究 ›› 2021, Vol. 7 ›› Issue (11): 1023-.

基于FGSM样本扩充的模型窃取攻击方法研究

陈传涛，潘丽敏，罗森林，王子文

（北京理工大学信息系统及安全对抗实验中心，北京100081）

出版日期:2021-11-07 发布日期:2021-11-05
通讯作者: 王子文硕士研究生，主要研究方向为网络安全 154435252@qq.com
作者简介:陈传涛硕士研究生，主要研究方向为信息安全 chencht163@163.com 潘丽敏硕导，高级实验师，主要研究方向：网络安全、文本安全、媒体安全、数据挖掘 panlimin2016@gmail.com 罗森林教授、博士生导师，主要研究方向为信息安全、数据挖掘、文本安全 luosenlin2019@126.com 王子文硕士研究生，主要研究方向为网络安全 154435252@qq.com

Research on Model Steal Attack Based on FGSM Sample Expansion

Online:2021-11-07 Published:2021-11-05

摘要/Abstract

摘要： 针对模型窃取攻击方法存在适用范围窄、依赖大量训练数据且窃取的替代模型预测准确率较低等问题，提出了一种基于FGSM样本扩充的模型窃取攻击方法。该方法使用少量样本作为种子集，通过快速梯度符号方法（FGSM）不断扩充样本；根据待攻击模型的决策纠正替代模型边界，提高替代模型与待攻击模型的相近程度;结合超参数交叉验证，利用不断增加的训练集训练替代模型，最终实现模型窃取攻击。在Drebin数据集上的实验结果表明，替代模型的一致率和准确率随着迭代轮次的增加而逐步提高，利用此方法训练的替代模型的检测准确率优于所对比的模型窃取方法。

关键词: FGSM, 样本扩充, 模型窃取, 超参数选取, 交叉验证

Abstract: Aiming at the problems of narrow application range, large training data dependence and low prediction accuracy of the model stealing attack method, a model stealing attack method based on FGSM sample expansion was proposed. In this method, a small number of samples were used as the seed set, and the new samples were continuously expanded by the rapid gradient symbol method (FGSM). The boundary of the alternative model was corrected according by the decision of the model to be attacked, and the similarity between the alternative model and the model to be attacked was improved. Combined with the cross-validation of hyperparameters, the model stealing attack was realized by using the increasing training set to train the alternative model. The experimental results on Drebin dataset showed that the consistency and accuracy of the alternative model gradually improved with the increase of iteration rounds, and the detection accuracy of the alternative model trained by this method was better than that of the model stealing methods compared.

Key words: FGSM, sample expansion, model stealing, hyperparameter selection, Cross validation

陈传涛, 潘丽敏, 罗森林, 王子文. 基于FGSM样本扩充的模型窃取攻击方法研究[J]. 信息安全研究, 2021, 7(11): 1023-.

参考文献

佚名. 中国互联网络信息中心发布第46次《中国互联网络发展状况统计报告》 [J]. 国家图书馆学刊, 2020, 29(06):19
李德毅, 刘常昱, 杜鹢, 等. 不确定性人工智能 [J]. 软件学报, 2004, 15(11): 1583-1594.
王柯林, 杨珂, 赵瑞哲, 等. 基于随机森林的抗混淆Android恶意应用检测 [J]. 信息安全研究, 2021,7(02): 126-135
Szegedy C, Zaremba W, Sutskever I. Intriguing properties of neural networks [C] // 2nd Int Conf on Learning Representations, Banff: ICLR, 2014:1-10
Barreno M, Nelson B, Joseph A D, et al. The security of machine learning[J]. Machine Learning, 2010, 81(2): 121-148
于颖超, 丁琳, 陈左宁. 机器学习系统面临的安全攻击及其防御技术研究[J]. 信息网络安全, 2018, 213(09): 10-18
Meng Dongyu, Chen Hao. Magnet: a two-pronged defense against adversarial examples [C] // Proc of the 2017 ACM SIGSAC Conf on Computer and Communications Security, New York: ACM, 2017: 135-147
Fredrikson M, Jha S, Ristenpart T. Model inversion attacks that exploit confidence information and basic countermeasures [C] // Proc of the 22nd ACM SIGSAC Conf on Computer and Communications Security, New York: ACM, 2015: 1322-1333
Xu Weilin, Qi Yanjun, Evans D. Automatically evading classifiers [C] // Proc of the 2016 network and distributed systems symp, California: NDSS, 2016: 21-24
Stevens D, Lowd D. On the hardness of evading combinations of linear classifiers [C] // Proc of the 2013 ACM workshop on Artificial intelligence and security, New York: ACM, 2013: 77-86
Dong Yinpeng, Liao Fangzhou, Pang Tianyu, et al. Boosting adversarial attacks with momentum [C] // Proce of the IEEE Conf on Computer Vision and Pattern Recognition, New York: IEEE, 2018: 9185-9193
纪守领, 杜天宇, 李进锋, 等. 机器学习模型安全与隐私研究综述[J]. 软件学报, 2021, 32(01): 41-67
Lowd D, Meek C. Adversarial learning [C] // Proc of the eleventh ACM SIGKDD int conf on Knowledge discovery in data mining, New York: ACM, 2005: 641-647
Tramèr F, Zhang F, Juels A, et al. Stealing machine learning models via prediction apis [C] // 2018 IEEE Symp on Security and Privacy, Berkeley: USENIX, 2016: 601-618
Papernot N, McDaniel P, Goodfellow I, et al. Practical black-box attacks against machine learning [C] // Proc of the 2017 ACM on Asia conf on computer and communications security, New York: ACM, 2017: 506-519
Wang Binghui, Gong Neil Zhenqiang. Stealing hyperparameters in machine learning [C] // IEEE Symp on Security and Privacy, Piscataway, NJ: IEEE, 2018: 36-52
Arp D, Spreitzenbarth M, Hubner M, et al. Drebin: Effective and explainable detection of android malware in your pocket [C] // Network & Distributed System Security Symp, California: NDSS, 2014: 23-26