摘要
随着对机器学习安全问题的关注度不断提高,提出一种针对SVM(support vector machine,支持向量机)的攻击样本生成方法。这种攻击发生在测试阶段,通过篡改实例数据,达到欺骗SVM分类模型的目的,具有很大的隐蔽性。采用贪心策略在核空间中搜索显著性特征子集;然后将核空间中的扰动映射回输入空间,获得攻击样本。该方法通过不超过7%的小扰动量使测试样本错误地分类。对2个数据集进行实验,攻击均能取得成功。在人造数据集中,2%的扰动量下可使SVM分类器的错误率在50%以上;在MNIST数据集中,5%的扰动量可使SVM分类器错误率接近100%。
With the increasing concern of machine learning security issues,an adversarial sample generation method for SVM was proposed.This attack occurred in the testing stage by manipulating with the sample tofool the SVM classification model.Greedy strategy was used to search for salient feature subsets in kernel space and then the perturbation in the kernel space was projected back into the input space to obtain attack samples.This method made'the test samples misclassified by less than 7% perturbation.Experiments are carried out on two data sets,and both of them are successful.In the artificial data set,the classification error rate is above 50% under 2% perturbation.In MNIST data set,the classification error rate is close to 100% under 5% perturbation.
作者
钱亚冠
关晓惠
吴淑慧
云本胜
任东晓
QIAN Yaguan;GUAN Xiaohui;WU Shuhui;YUN Bensheng;REN Dongxiao(Zhejiang University of Science and Technology,Hangzhou 310023,China;Zhejiang University of Water Resources and Electric Power,Hangzhou 310018,China)
出处
《电信科学》
2019年第1期81-89,共9页
Telecommunications Science
基金
浙江省自然科学基金资助项目(No.LY17F020011)
浙江省公益技术应用研究项目(No.LGG19F030001)
国家自然科学基金资助项目(No.61572163)~~
关键词
机器学习
支持向量机
贪心算法
显著性特征
攻击样本
machine learning
support vector machine
greedy algorithm
salient feature
adversarial sample
