对抗黑盒攻击的混合对抗性训练防御策略研究

随着深度学习模型在无人驾驶等安全敏感性任务中的广泛应用,围绕深度模型展开的攻防逐渐成为机器学习研究的热点。黑盒攻击是一种典型的攻击场景,在攻击者不知道模型具体使用结构和参数等情况下仍能进行有效攻击,是现实场景中最常用的攻击方法。因此,分析深度学习模型的脆弱性并设计出更加鲁棒的模型来对抗黑盒攻击成为迫切需要。而传统基于单模型的单强度和多强度对抗性训练方法,在抵御黑盒攻击时性能十分有限;基于多模型的集成对抗性训练方法在抵御高强度、多样化攻击样本效果也不理想。本文提出一种基于贪婪强度搜索的混合对抗性训练方法,实验结果表明,所提出的混合对抗性训练能够有效抵御多样化的黑盒攻击,性能优于传统的集成对抗性训练。

Defense Strategy Against Black-Box Attacks with Mixed Adversarial Training

Deep learning (DL) models have been widely applied to security-sensitivity tasks, such as auto-driving, etc. Attacks and defenses concerned with the DL have gradually become hot spots in the field of machine learning. The black box attack,as a typical attack type and the most common attack method in the real context, can still perform effective attacks without knowing the specific structure of the model and parameters. Therefore, a reasonable analysis of the vulnerability of the DL model and design of a more robust model against black-box attacks has become an emergent topic. Traditional single-strength and multi-strength adversarial training methods based on single-model are infeasible to resist black-box attacks. Ensemble adversarial training based on multi-model still fails to resist attack samples that are high-intensity and diversify.In order to solve this problem, the mixed adversarial training defense strategy based on greedy search strength is proposed. Experimental results show that the proposed defensive strategy has robustness faced with the diversified black box attacks, and superior performance compared to conventional adversarial training methods.