Adversarial attacks and defenses for digital communication signals identification
1
Authors: Qiao Tian Sicheng Zhang +1 more author Shiwen Mao Yun Lin. Digital Communications and Networks, SCIE CSCD, 2024, Issue 3, pp. 756-764 (9 pages)
As modern communication technology advances apace, the digital communication signals identification plays an important role in cognitive radio networks, the communication monitoring and management systems. AI has become a promising solution to this problem due to its powerful modeling capability, which has become a consensus in academia and industry. However, because of the data-dependence and inexplicability of AI models and the openness of electromagnetic space, the physical layer digital communication signals identification model is threatened by adversarial attacks. Adversarial examples pose a common threat to AI models, where well-designed and slight perturbations added to input data can cause wrong results. Therefore, the security of AI models for the digital communication signals identification is the premise of its efficient and credible applications. In this paper, we first launch adversarial attacks on the end-to-end AI model for automatic modulation classification, and then we explain and present three defense mechanisms based on the adversarial principle. Next we present more detailed adversarial indicators to evaluate attack and defense behavior. Finally, a demonstration verification system is developed to show that the adversarial attack is a real threat to the digital communication signals identification model, which should be paid more attention in future research.
Keywords: Digital communication signals identification AI model adversarial attacks adversarial defenses adversarial indicators
Adversarial Defense Technology for Small Infrared Targets
2
Authors: Tongan Yu Yali Xue +2 more authors Yiming He Shan Cui Jun Hong. Computers, Materials & Continua, SCIE EI, 2024, Issue 10, pp. 1235-1250 (16 pages)
With the rapid development of deep learning-based detection algorithms, deep learning is widely used in the field of infrared small target detection. However, well-designed adversarial samples can fool human visual perception, directly causing a serious decline in the detection quality of the recognition model. In this paper, an adversarial defense technology for small infrared targets is proposed to improve model robustness. The adversarial samples with strong migration can not only improve the generalization of defense technology, but also save the training cost. Therefore, this study adopts the concept of maximizing multidimensional feature distortion, applying noise to clean samples to serve as subsequent training samples. On this basis, this study proposes an inverse perturbation elimination method based on Generative Adversarial Networks (GAN) to realize the adversarial defense, and design the generator and discriminator for infrared small targets, aiming to make both of them compete with each other to continuously improve the performance of the model, find out the commonalities and differences between the adversarial samples and the original samples. Through experimental verification, our defense algorithm is not only able to cope with multiple attacks but also performs well on different recognition models compared to commonly used defense algorithms, making it a plug-and-play efficient adversarial defense technique.
Keywords: adversarial defense adversarial robustness small infrared targets transferable perturbation GAN
LDAS&ET-AD: Learnable Distillation Attack Strategies and Evolvable Teachers Adversarial Distillation
3
Authors: Shuyi Li Hongchao Hu +3 more authors Xiaohan Yang Guozhen Cheng Wenyan Liu Wei Guo. Computers, Materials & Continua, SCIE EI, 2024, Issue 5, pp. 2331-2359 (29 pages)
Adversarial distillation (AD) has emerged as a potential solution to tackle the challenging optimization problem of loss with hard labels in adversarial training. However, fixed sample-agnostic and student-egocentric attack strategies are unsuitable for distillation. Additionally, the reliability of guidance from static teachers diminishes as target models become more robust. This paper proposes an AD method called Learnable Distillation Attack Strategies and Evolvable Teachers Adversarial Distillation (LDAS&ET-AD). Firstly, a learnable distillation attack strategies generating mechanism is developed to automatically generate sample-dependent attack strategies tailored for distillation. A strategy model is introduced to produce attack strategies that enable adversarial examples (AEs) to be created in areas where the target model significantly diverges from the teachers by competing with the target model in minimizing or maximizing the AD loss. Secondly, a teacher evolution strategy is introduced to enhance the reliability and effectiveness of knowledge in improving the generalization performance of the target model. By calculating the experimentally updated target model’s validation performance on both clean samples and AEs, the impact of distillation from each training sample and AE on the target model’s generalization and robustness abilities is assessed to serve as feedback to fine-tune standard and robust teachers accordingly. Experiments evaluate the performance of LDAS&ET-AD against different adversarial attacks on the CIFAR-10 and CIFAR-100 datasets. The experimental results demonstrate that the proposed method achieves a robust precision of 45.39% and 42.63% against AutoAttack (AA) on the CIFAR-10 dataset for ResNet-18 and MobileNet-V2, respectively, marking an improvement of 2.31% and 3.49% over the baseline method. In comparison to state-of-the-art adversarial defense techniques, our method surpasses Introspective Adversarial Distillation, the top-performing method in terms of robustness under AA attack for the CIFAR-10 dataset, with enhancements of 1.40% and 1.43% for ResNet-18 and MobileNet-V2, respectively. These findings demonstrate the effectiveness of our proposed method in enhancing the robustness of deep learning networks (DNNs) against prevalent adversarial attacks when compared to other competing methods. In conclusion, LDAS&ET-AD provides reliable and informative soft labels to one of the most promising defense methods, AT, alleviating the limitations of untrusted teachers and unsuitable AEs in existing AD techniques. We hope this paper promotes the development of DNNs in real-world trust-sensitive fields and helps ensure a more secure and dependable future for artificial intelligence systems.
Keywords: adversarial training adversarial distillation learnable distillation attack strategies teacher evolution strategy
Correcting Climate Model Sea Surface Temperature Simulations with Generative Adversarial Networks: Climatology, Interannual Variability, and Extremes (Cited by: 2)
4
Authors: Ya WANG Gang HUANG +6 more authors Baoxiang PAN Pengfei LIN Niklas BOERS Weichen TAO Yutong CHEN BO LIU Haijie LI. Advances in Atmospheric Sciences, SCIE CAS CSCD, 2024, Issue 7, pp. 1299-1312 (14 pages)
Climate models are vital for understanding and projecting global climate change and its associated impacts. However, these models suffer from biases that limit their accuracy in historical simulations and the trustworthiness of future projections. Addressing these challenges requires addressing internal variability, hindering the direct alignment between model simulations and observations, and thwarting conventional supervised learning methods. Here, we employ an unsupervised Cycle-consistent Generative Adversarial Network (CycleGAN), to correct daily Sea Surface Temperature (SST) simulations from the Community Earth System Model 2 (CESM2). Our results reveal that the CycleGAN not only corrects climatological biases but also improves the simulation of major dynamic modes including the El Niño-Southern Oscillation (ENSO) and the Indian Ocean Dipole mode, as well as SST extremes. Notably, it substantially corrects climatological SST biases, decreasing the globally averaged Root-Mean-Square Error (RMSE) by 58%. Intriguingly, the CycleGAN effectively addresses the well-known excessive westward bias in ENSO SST anomalies, a common issue in climate models that traditional methods, like quantile mapping, struggle to rectify. Additionally, it substantially improves the simulation of SST extremes, raising the pattern correlation coefficient (PCC) from 0.56 to 0.88 and lowering the RMSE from 0.5 to 0.32. This enhancement is attributed to better representations of interannual, intraseasonal, and synoptic scales variabilities. Our study offers a novel approach to correct global SST simulations and underscores its effectiveness across different time scales and primary dynamical modes.
Keywords: generative adversarial networks model bias deep learning El Niño-Southern Oscillation marine heatwaves
Data-augmented landslide displacement prediction using generative adversarial network (Cited by: 1)
5
Authors: Qi Ge Jin Li +2 more authors Suzanne Lacasse Hongyue Sun Zhongqiang Liu. Journal of Rock Mechanics and Geotechnical Engineering, SCIE CSCD, 2024, Issue 10, pp. 4017-4033 (17 pages)
Landslides are destructive natural disasters that cause catastrophic damage and loss of life worldwide. Accurately predicting landslide displacement enables effective early warning and risk management. However, the limited availability of on-site measurement data has been a substantial obstacle in developing data-driven models, such as state-of-the-art machine learning (ML) models. To address these challenges, this study proposes a data augmentation framework that uses generative adversarial networks (GANs), a recent advance in generative artificial intelligence (AI), to improve the accuracy of landslide displacement prediction. The framework provides effective data augmentation to enhance limited datasets. A recurrent GAN model, RGAN-LS, is proposed, specifically designed to generate realistic synthetic multivariate time series that mimics the characteristics of real landslide on-site measurement data. A customized moment-matching loss is incorporated in addition to the adversarial loss in GAN during the training of RGAN-LS to capture the temporal dynamics and correlations in real time series data. Then, the synthetic data generated by RGAN-LS is used to enhance the training of long short-term memory (LSTM) networks and particle swarm optimization-support vector machine (PSO-SVM) models for landslide displacement prediction tasks. Results on two landslides in the Three Gorges Reservoir (TGR) region show a significant improvement in LSTM model prediction performance when trained on augmented data. For instance, in the case of the Baishuihe landslide, the average root mean square error (RMSE) increases by 16.11%, and the mean absolute error (MAE) by 17.59%. More importantly, the model’s responsiveness during mutational stages is enhanced for early warning purposes. However, the results have shown that the static PSO-SVM model only sees marginal gains compared to recurrent models such as LSTM. Further analysis indicates that an optimal synthetic-to-real data ratio (50% on the illustration cases) maximizes the improvements. This also demonstrates the robustness and effectiveness of supplementing training data for dynamic models to obtain better results. By using the powerful generative AI approach, RGAN-LS can generate high-fidelity synthetic landslide data. This is critical for improving the performance of advanced ML models in predicting landslide displacement, particularly when there are limited training data. Additionally, this approach has the potential to expand the use of generative AI in geohazard risk management and other research areas.
Keywords: Machine learning (ML) Time series Generative adversarial network (GAN) Three Gorges reservoir (TGR) Landslide displacement prediction
GeoNER: Geological Named Entity Recognition with Enriched Domain Pre-Training Model and Adversarial Training
6
Authors: MA Kai HU Xinxin +4 more authors TIAN Miao TAN Yongjian ZHENG Shuai TAO Liufeng QIU Qinjun. Acta Geologica Sinica (English Edition), SCIE CAS CSCD, 2024, Issue 5, pp. 1404-1417 (14 pages)
As important geological data, a geological report contains rich expert and geological knowledge, but the challenge facing current research into geological knowledge extraction and mining is how to render accurate understanding of geological reports guided by domain knowledge. While generic named entity recognition models/tools can be utilized for the processing of geoscience reports/documents, their effectiveness is hampered by a dearth of domain-specific knowledge, which in turn leads to a pronounced decline in recognition accuracy. This study summarizes six types of typical geological entities, with reference to the ontological system of geological domains and builds a high quality corpus for the task of geological named entity recognition (GNER). In addition, GeoWoBERT-advBGP (Geological Word-base BERT-adversarial training Bi-directional Long Short-Term Memory Global Pointer) is proposed to address the issues of ambiguity, diversity and nested entities for the geological entities. The model first uses the fine-tuned word granularity-based pre-training model GeoWoBERT (Geological Word-base BERT) and combines the text features that are extracted using the BiLSTM (Bi-directional Long Short-Term Memory), followed by an adversarial training algorithm to improve the robustness of the model and enhance its resistance to interference, the decoding finally being performed using a global association pointer algorithm. The experimental results show that the proposed model for the constructed dataset achieves high performance and is capable of mining the rich geological information.
Keywords: geological named entity recognition geological report adversarial training confrontation training global pointer pre-training model
An Empirical Study on the Effectiveness of Adversarial Examples in Malware Detection
7
Authors: Younghoon Ban Myeonghyun Kim Haehyun Cho. Computer Modeling in Engineering & Sciences, SCIE EI, 2024, Issue 6, pp. 3535-3563 (29 pages)
Antivirus vendors and the research community employ Machine Learning (ML) or Deep Learning (DL)-based static analysis techniques for efficient identification of new threats, given the continual emergence of novel malware variants. On the other hand, numerous researchers have reported that Adversarial Examples (AEs), generated by manipulating previously detected malware, can successfully evade ML/DL-based classifiers. Commercial antivirus systems, in particular, have been identified as vulnerable to such AEs. This paper firstly focuses on conducting black-box attacks to circumvent ML/DL-based malware classifiers. Our attack method utilizes seven different perturbations, including Overlay Append, Section Append, and Break Checksum, capitalizing on the ambiguities present in the PE format, as previously employed in evasion attack research. By directly applying the perturbation techniques to PE binaries, our attack method eliminates the need to grapple with the problem-feature space dilemma, a persistent challenge in many evasion attack studies. Being a black-box attack, our method can generate AEs that successfully evade both DL-based and ML-based classifiers. Also, AEs generated by the attack method retain their executability and malicious behavior, eliminating the need for functionality verification. Through thorough evaluations, we confirmed that the attack method achieves an evasion rate of 65.6% against well-known ML-based malware detectors and can reach a remarkable 99% evasion rate against well-known DL-based malware detectors. Furthermore, our AEs demonstrated the capability to bypass detection by 17% of vendors out of the 64 on VirusTotal (VT). In addition, we propose a defensive approach that utilizes Trend Locality Sensitive Hashing (TLSH) to construct a similarity-based defense model. Through several experiments on the approach, we verified that our defense model can effectively counter AEs generated by the perturbation techniques. In conclusion, our defense model alleviates the limitation of the most promising defense method, adversarial training, which is only effective against the AEs that are included in the training classifiers.
Keywords: Malware classification machine learning adversarial examples evasion attack CYBERSECURITY
Image segmentation of exfoliated two-dimensional materials by generative adversarial network-based data augmentation
8
Authors: 程晓昱 解晨雪 +6 more authors 刘宇伦 白瑞雪 肖南海 任琰博 张喜林 马惠 蒋崇云. Chinese Physics B, SCIE EI CAS CSCD, 2024, Issue 3, pp. 112-117 (6 pages)
Mechanically cleaved two-dimensional materials are random in size and thickness. Recognizing atomically thin flakes by human experts is inefficient and unsuitable for scalable production. Deep learning algorithms have been adopted as an alternative, nevertheless a major challenge is a lack of sufficient actual training images. Here we report the generation of synthetic two-dimensional materials images using StyleGAN3 to complement the dataset. DeepLabv3Plus network is trained with the synthetic images which reduces overfitting and improves recognition accuracy to over 90%. A semi-supervisory technique for labeling images is introduced to reduce manual efforts. The sharper edges recognized by this method facilitate material stacking with precise edge alignment, which benefits exploring novel properties of layered-material devices that crucially depend on the interlayer twist-angle. This feasible and efficient method allows for the rapid and high-quality manufacturing of atomically thin materials and devices.
Keywords: two-dimensional materials deep learning data augmentation generating adversarial networks
Multi-distortion suppression for neutron radiographic images based on generative adversarial network
9
Authors: Cheng-Bo Meng Wang-Wei Zhu +4 more authors Zhen Zhang Zi-Tong Wang Chen-Yi Zhao Shuang Qiao Tian Zhang. Nuclear Science and Techniques, SCIE EI CAS CSCD, 2024, Issue 4, pp. 176-188 (13 pages)
Neutron radiography is a crucial nondestructive testing technology widely used in the aerospace, military, and nuclear industries. However, because of the physical limitations of neutron sources and collimators, the resulting neutron radiographic images inevitably exhibit multiple distortions, including noise, geometric unsharpness, and white spots. Furthermore, these distortions are particularly significant in compact neutron radiography systems with low neutron fluxes. Therefore, in this study, we devised a multi-distortion suppression network that employs a modified generative adversarial network to improve the quality of degraded neutron radiographic images. Real neutron radiographic image datasets with various types and levels of distortion were built for the first time as multi-distortion suppression datasets. Thereafter, the coordinate attention mechanism was incorporated into the backbone network to augment the capability of the proposed network to learn the abstract relationship between ideally clear and degraded images. Extensive experiments were performed; the results show that the proposed method can effectively suppress multiple distortions in real neutron radiographic images and achieve state-of-the-art perceptual visual quality, thus demonstrating its application potential in neutron radiography.
Keywords: Neutron radiography Multi-distortion suppression Generative adversarial network Coordinate attention mechanism
Quantum generative adversarial networks based on a readout error mitigation method with fault tolerant mechanism
10
Authors: 赵润盛 马鸿洋 +2 more authors 程涛 王爽 范兴奎. Chinese Physics B, SCIE EI CAS CSCD, 2024, Issue 4, pp. 285-295 (11 pages)
Readout errors caused by measurement noise are a significant source of errors in quantum circuits, which severely affect the output results and are an urgent problem to be solved in noisy-intermediate scale quantum (NISQ) computing. In this paper, we use the bit-flip averaging (BFA) method to mitigate frequent readout errors in quantum generative adversarial networks (QGAN) for image generation, which simplifies the response matrix structure by averaging the qubits for each random bit-flip in advance, successfully solving problems with high cost of measurement for traditional error mitigation methods. Our experiments were simulated in Qiskit using the handwritten digit image recognition dataset under the BFA-based method, the Kullback-Leibler (KL) divergence of the generated images converges to 0.04, 0.05, and 0.1 for readout error probabilities of p=0.01, p=0.05, and p=0.1, respectively. Additionally, by evaluating the fidelity of the quantum states representing the images, we observe average fidelity values of 0.97, 0.96, and 0.95 for the three readout error probabilities, respectively. These results demonstrate the robustness of the model in mitigating readout errors and provide a highly fault tolerant mechanism for image generation models.
Keywords: readout errors quantum generative adversarial networks bit-flip averaging method fault tolerant mechanisms
CMAES-WFD: Adversarial Website Fingerprinting Defense Based on Covariance Matrix Adaptation Evolution Strategy
11
Authors: Di Wang Yuefei Zhu +1 more author Jinlong Fei Maohua Guo. Computers, Materials & Continua, SCIE EI, 2024, Issue 5, pp. 2253-2276 (24 pages)
Website fingerprinting, also known as WF, is a traffic analysis attack that enables local eavesdroppers to infer a user’s browsing destination, even when using the Tor anonymity network. While advanced attacks based on deep neural network (DNN) can perform feature engineering and attain accuracy rates of over 98%, research has demonstrated that DNN is vulnerable to adversarial samples. As a result, many researchers have explored using adversarial samples as a defense mechanism against DNN-based WF attacks and have achieved considerable success. However, these methods suffer from high bandwidth overhead or require access to the target model, which is unrealistic. This paper proposes CMAES-WFD, a black-box WF defense based on adversarial samples. The process of generating adversarial examples is transformed into a constrained optimization problem solved by utilizing the Covariance Matrix Adaptation Evolution Strategy (CMAES) optimization algorithm. Perturbations are injected into the local parts of the original traffic to control bandwidth overhead. According to the experiment results, CMAES-WFD was able to significantly decrease the accuracy of Deep Fingerprinting (DF) and VarCnn to below 8.3% and the bandwidth overhead to a maximum of only 14.6% and 20.5%, respectively. Specially, for Automated Website Fingerprinting (AWF) with simple structure, CMAES-WFD reduced the classification accuracy to only 6.7% and the bandwidth overhead to less than 7.4%. Moreover, it was demonstrated that CMAES-WFD was robust against adversarial training to a certain extent.
Keywords: Traffic analysis deep neural network adversarial sample TOR website fingerprinting
Covert LEO Satellite Communication Aided by Generative Adversarial Network Based Cooperative UAV Jamming
12
Authors: Shi Jia Li Xiaomeng +2 more authors Liao Xiaomin Tie Zhuangzhuang Hu Junfan. China Communications, SCIE CSCD, 2024, Issue 9, pp. 27-39 (13 pages)
In this paper, we study the covert performance of the downlink low earth orbit (LEO) satellite communication, where the unmanned aerial vehicle (UAV) is employed as a cooperative jammer. To maximize the covert rate of the LEO satellite transmission, a multi-objective problem is formulated to jointly optimize the UAV’s jamming power and trajectory. For practical consideration, we assume that the UAV can only have partial environmental information, and can’t know the detection threshold and exact location of the eavesdropper on the ground. To solve the multiobjective problem, we propose the data-driven generative adversarial network (DD-GAN) based method to optimize the power and trajectory of the UAV, in which the sample data is collected by using genetic algorithm (GA). Simulation results show that the jamming solution of UAV generated by DD-GAN can achieve an effective trade-off between covert rate and probability of detection errors when only limited prior information is obtained.
Keywords: covert communication generative adversarial network LEO satellite UAV jammer
Quantifying Uncertainty in Dielectric Solids’ Mechanical Properties Using Isogeometric Analysis and Conditional Generative Adversarial Networks
13
Authors: Shuai Li Xiaodong Zhao +1 more author Jinghu Zhou Xiyue Wang. Computer Modeling in Engineering & Sciences, SCIE EI, 2024, Issue 9, pp. 2587-2611 (25 pages)
Accurate quantification of the uncertainty in the mechanical characteristics of dielectric solids is crucial for advancing their application in high-precision technological domains, necessitating the development of robust computational methods. This paper introduces a Conditional Generation Adversarial Network Isogeometric Analysis (CGAN-IGA) to assess the uncertainty of dielectric solids’ mechanical characteristics. IGA is utilized for the precise computation of electric potentials in dielectric, piezoelectric, and flexoelectric materials, leveraging its advantage of integrating seamlessly with Computer-Aided Design (CAD) models to maintain exact geometrical fidelity. The CGAN method is highly efficient in generating models for piezoelectric and flexoelectric materials, specifically adapting to targeted design requirements and constraints. Then, the CGAN-IGA is adopted to calculate the electric potential of optimum models with different parameters to accelerate uncertainty quantification processes. The accuracy and feasibility of this method are verified through numerical experiments presented herein.
Keywords: Dielectric solid isogeometric finite element method surrogate model generative adversarial
Sparse Adversarial Learning for FDIA Attack Sample Generation in Distributed Smart
14
Authors: Fengyong Li Weicheng Shen +1 more author Zhongqin Bi Xiangjing Su. Computer Modeling in Engineering & Sciences, SCIE EI, 2024, Issue 5, pp. 2095-2115 (21 pages)
False data injection attack (FDIA) is an attack that affects the stability of grid cyber-physical system (GCPS) by evading the detecting mechanism of bad data. Existing FDIA detection methods usually employ complex neural network models to detect FDIA attacks. However, they overlook the fact that FDIA attack samples at public-private network edges are extremely sparse, making it difficult for neural network models to obtain sufficient samples to construct a robust detection model. To address this problem, this paper designs an efficient sample generative adversarial model of FDIA attack in public-private network edge, which can effectively bypass the detection model to threaten the power grid system. A generative adversarial network (GAN) framework is first constructed by combining residual networks (ResNet) with fully connected networks (FCN). Then, a sparse adversarial learning model is built by integrating the time-aligned data and normal data, which is used to learn the distribution characteristics between normal data and attack data through iterative confrontation. Furthermore, we introduce a Gaussian hybrid distribution matrix by aggregating the network structure of attack data characteristics and normal data characteristics, which can connect and calculate FDIA data with normal characteristics. Finally, efficient FDIA attack samples can be sequentially generated through interactive adversarial learning. Extensive simulation experiments are conducted with IEEE 14-bus and IEEE 118-bus system data, and the results demonstrate that the generated attack samples of the proposed model can present superior performance compared to state-of-the-art models in terms of attack strength, robustness, and covert capability.
Keywords: Distributed smart grid FDIA adversarial learning power public-private network edge
Boosting Adversarial Training with Learnable Distribution
15
作者 Kai Chen Jinwei Wang +2 位作者 James Msughter Adeke Guangjie Liu Yuewei Dai 《Computers, Materials & Continua》 SCIE EI 2024年第3期3247-3265,共19页
In recent years,various adversarial defense methods have been proposed to improve the robustness of deep neural networks.Adversarial training is one of the most potent methods to defend against adversarial attacks.How... In recent years,various adversarial defense methods have been proposed to improve the robustness of deep neural networks.Adversarial training is one of the most potent methods to defend against adversarial attacks.However,the difference in the feature space between natural and adversarial examples hinders the accuracy and robustness of the model in adversarial training.This paper proposes a learnable distribution adversarial training method,aiming to construct the same distribution for training data utilizing the Gaussian mixture model.The distribution centroid is built to classify samples and constrain the distribution of the sample features.The natural and adversarial examples are pushed to the same distribution centroid to improve the accuracy and robustness of the model.The proposed method generates adversarial examples to close the distribution gap between the natural and adversarial examples through an attack algorithm explicitly designed for adversarial training.This algorithm gradually increases the accuracy and robustness of the model by scaling perturbation.Finally,the proposed method outputs the predicted labels and the distance between the sample and the distribution centroid.The distribution characteristics of the samples can be utilized to detect adversarial cases that can potentially evade the model defense.The effectiveness of the proposed method is demonstrated through comprehensive experiments. 展开更多
Keywords: adversarial training feature space learnable distribution distribution centroid
Generative adversarial networks based motion learning towards robotic calligraphy synthesis
16
Authors: Xiaoming Wang, Yilong Yang, Weiru Wang, Yuanhua Zhou, Yongfeng Yin, Zhiguo Gong. CAAI Transactions on Intelligence Technology (SCIE, EI), 2024, Issue 2, pp. 452-466 (15 pages)
Robot calligraphy visually reflects the motion capability of robotic manipulators. While traditional researches mainly focus on image generation and the writing of simple calligraphic strokes or characters, this article presents a generative adversarial network (GAN)-based motion learning method for robotic calligraphy synthesis (Gan2CS) that can enhance the efficiency in writing complex calligraphy words and reproducing classic calligraphy works. The key technologies in the proposed approach include: (1) adopting the GAN to learn the motion parameters from the robot writing operation; (2) converting the learnt motion data into the style font and realising the transition from static calligraphy images to dynamic writing demonstration; (3) reproducing high-precision calligraphy works by synthesising the writing motion data hierarchically. In this study, the motion trajectories of sample calligraphy images are firstly extracted and converted into the robot module. The robot performs the writing with motion planning, and the writing motion parameters of calligraphy strokes are learnt with GANs. Then the motion data of basic strokes is synthesised based on the hierarchical process of ‘stroke-radicalpart-character’. And the robot re-writes the synthesised characters whose similarity with the original calligraphy characters is evaluated. Regular calligraphy characters have been tested in the experiments for method validation and the results validated that the robot can actualise the robotic calligraphy synthesis of writing motion data with GAN.
Keywords: calligraphy synthesis generative adversarial networks Motion learning robot writing
Stroke Electroencephalogram Data Synthesizing through Progressive Efficient Self-Attention Generative Adversarial Network
17
Authors: Suzhe Wang, Xueying Zhang, Fenglian Li, Zelin Wu. Computers, Materials & Continua (SCIE, EI), 2024, Issue 10, pp. 1177-1196 (20 pages)
Early and timely diagnosis of stroke is critical for effective treatment, and the electroencephalogram (EEG) offers a low-cost, non-invasive solution. However, the shortage of high-quality patient EEG data often hampers the accuracy of diagnostic classification methods based on deep learning. To address this issue, our study designed a deep data amplification model named Progressive Conditional Generative Adversarial Network with Efficient Approximating Self Attention (PCGAN-EASA), which incrementally improves the quality of generated EEG features. This network can yield full-scale, fine-grained EEG features from the low-scale, coarse ones. Specially, to overcome the limitations of traditional generative models that fail to generate features tailored to individual patient characteristics, we developed an encoder with an effective approximating self-attention mechanism. This encoder not only automatically extracts relevant features across different patients but also reduces the computational resource consumption. Furthermore, the adversarial loss and reconstruction loss functions were redesigned to better align with the training characteristics of the network and the spatial correlations among electrodes. Extensive experimental results demonstrate that PCGAN-EASA provides the highest generation quality and the lowest computational resource usage compared to several existing approaches. Additionally, it significantly improves the accuracy of subsequent stroke classification tasks.
Keywords: Data augmentation stroke electroencephalogram features generative adversarial network efficient approximating self-attention
Conditional Generative Adversarial Network Enabled Localized Stress Recovery of Periodic Composites
18
Authors: Chengkan Xu, Xiaofei Wang, Yixuan Li, Guannan Wang, He Zhang. Computer Modeling in Engineering & Sciences (SCIE, EI), 2024, Issue 7, pp. 957-974 (18 pages)
Structural damage in heterogeneous materials typically originates from microstructures where stress concentration occurs. Therefore, evaluating the magnitude and location of localized stress distributions within microstructures under external loading is crucial. Repeating unit cells (RUCs) are commonly used to represent microstructural details and homogenize the effective response of composites. This work develops a machine learning-based micromechanics tool to accurately predict the stress distributions of extracted RUCs. The locally exact homogenization theory efficiently generates the microstructural stresses of RUCs with a wide range of parameters, including volume fraction, fiber/matrix property ratio, fiber shapes, and loading direction. Subsequently, the conditional generative adversarial network (cGAN) is employed and constructed as a surrogate model to establish the statistical correlation between these parameters and the corresponding localized stresses. The stresses predicted by cGAN are validated against the remaining true data not used for training, showing good agreement. This work demonstrates that the cGAN-based micromechanics tool effectively captures the local responses of composite RUCs. It can be used for predicting potential crack initiations starting from microstructures and evaluating the effective behavior of periodic composites.
Keywords: Periodic composites localized stress recovery conditional generative adversarial network
Network Intrusion Detection Model Based on Ensemble of Denoising Adversarial Autoencoder
19
Authors: KE Rui, XING Bin, SI Zhan-jun, ZHANG Ying-xue. 印刷与数字媒体技术研究 (CAS, Peking University Core), 2024, Issue 5, pp. 185-194, 218 (11 pages)
Network security problems bring many imperceptible threats to the integrity of data and the reliability of device services, so proposing a network intrusion detection model with high reliability is of great research significance for network security. Due to the strong generalization of invalid features during training process, it is more difficult for single autoencoder intrusion detection model to obtain effective results. A network intrusion detection model based on the Ensemble of Denoising Adversarial Autoencoder (EDAAE) was proposed, which had higher accuracy and reliability compared to the traditional anomaly detection model. Using the adversarial learning idea of Adversarial Autoencoder (AAE), the discriminator module was added to the original model, and the encoder part was used as the generator. The distribution of the hidden space of the data generated by the encoder matched with the distribution of the original data. The generalization of the model to the invalid features was also reduced to improve the detection accuracy. At the same time, the denoising autoencoder and integrated operation was introduced to prevent overfitting in the adversarial learning process. Experiments on the CICIDS2018 traffic dataset showed that the proposed intrusion detection model achieves an Accuracy of 95.23%, which outperforms traditional self-encoders and other existing intrusion detection models methods in terms of overall performance.
Keywords: Intrusion detection Noise-Reducing autoencoder Generative adversarial networks Integrated learning
MaliFuzz: Adversarial Malware Detection Model for Defending Against Fuzzing Attack
20
Authors: Xianwei Gao, Chun Shan, Changzhen Hu. Journal of Beijing Institute of Technology (EI, CAS), 2024, Issue 5, pp. 436-449 (14 pages)
With the prevalence of machine learning in malware defense, hackers have tried to attack machine learning models to evade detection. It is generally difficult to explore the details of malware detection models, hackers can adopt fuzzing attack to manipulate the features of the malware closer to benign programs on the premise of retaining their functions. In this paper, attack and defense methods on malware detection models based on machine learning algorithms were studied. Firstly, we designed a fuzzing attack method by randomly modifying features to evade detection. The fuzzing attack can effectively descend the accuracy of machine learning model with single feature. Then an adversarial malware detection model MaliFuzz is proposed to defend fuzzing attack. Different from the ordinary single feature detection model, the combined features by static and dynamic analysis to improve the defense ability are used. The experiment results show that the adversarial malware detection model with combined features can deal with the attack. The methods designed in this paper have great significance in improving the security of malware detection models and have good application prospects.
Keywords: adversarial machine learning fuzzing attack malware detection Algorithm 2 Fuzzing attack process