陆兵 顾苏杭
Abstract (translation of the Chinese abstract): Adversarial samples present in real-world datasets, on the one hand, easily lead a classifier to poor classification results; on the other hand, if they can be used appropriately, the generalization ability of the classifier is significantly improved. Since most existing classification algorithms do not use adversarial samples to train the classification model, an adversarial classification algorithm (ACA) that attacks label information is proposed. The method selects a certain proportion of samples from a given dataset and attacks the labels of the selected samples so that they become adversarial samples, that is, each selected sample label is replaced with a label of a different class. A support vector machine (SVM) is trained on the dataset containing the adversarial samples, the first-order gradient of the output error of the resulting SVM with respect to the input samples is computed and embedded into the input sample features to update the input samples, and an SVM is trained again on the updated samples to generate the adversarial SVM (A-SVM). Theoretical analysis and experimental results show that the first-order gradient information not only provides a positive correlation between the classifier output and its input, but also improves the actual classification performance of A-SVM.
Abstract: Adversarial data samples, which do exist in real-world datasets, can on the one hand mislead data classifiers into incorrect predictions, resulting in poor classification. On the other hand, appropriate use of the adversarial data samples can distinctly improve the generalization of data classifiers. However, most existing classification methods do not take adversarial data samples into account when building their classification models. An adversarial classification algorithm (ACA) based on attacks on the labels of data samples, which aims to obtain better classification performance by learning from the adversarial data samples, is proposed. In a given dataset, a certain percentage of data samples are chosen as adversarial data samples, namely the labels of these chosen data samples are substituted by other labels that differ from their original labels. An SVM model is generated by using the support vector machine (SVM) algorithm to train on the given dataset containing the adversarial data samples. The first-order gradient information of the output error of the generated SVM with respect to the input samples is then computed, and the input samples are updated by embedding this first-order gradient information into the original input samples. Finally, the adversarial SVM (A-SVM) is generated by using the SVM algorithm again to train on the updated input samples. In terms of theoretical analysis and experimental results on UCI real-world datasets, the mathematically computed first-order gradient information not only provides a positive relation between the outputs and the inputs of a classifier, but also indeed improves the actual classification performance of A-SVM.
Key words: classifiers; adversarial data samples; attacks on labels; support vector machine (SVM)
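As an added illustration of the ACA pipeline summarised in the abstract (example code, not the authors' implementation): a fixed proportion of labels is flipped, a linear SVM is trained on the attacked set, the hinge-loss gradient with respect to each input is scaled by a step eps (0.001, the value the experiments favour) and added to the sample, and an SVM is retrained on the updated samples. The linear-kernel trainer, the hinge-loss gradient, the additive embedding rule, keeping the attacked labels for retraining, and the constructed two-cluster data are all assumptions, since formulas (5) and (7) are not reproduced on this page.

```python
import random

def train_linear_svm(X, y, lam=0.01, lr=0.01, epochs=200):
    """Linear SVM by subgradient descent on the L2-regularised hinge loss (assumed trainer)."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        for xi, yi in zip(X, y):
            margin = yi * (sum(wj * xj for wj, xj in zip(w, xi)) + b)
            if margin < 1:  # hinge active: move the sample towards the margin
                w = [wj - lr * (lam * wj - yi * xj) for wj, xj in zip(w, xi)]
                b += lr * yi
            else:           # only the regulariser contributes
                w = [wj - lr * lam * wj for wj in w]
    return w, b

def attack_labels(y, ratio, seed):
    """ACA step 1: a fixed proportion of labels is replaced by the other class."""
    y_adv = list(y)
    for i in random.Random(seed).sample(range(len(y)), int(ratio * len(y))):
        y_adv[i] = -y_adv[i]
    return y_adv

def hinge_input_gradient(w, b, x, y):
    """dL/dx of the hinge loss for one sample: -y*w while the margin is violated, else 0."""
    margin = y * (sum(wj * xj for wj, xj in zip(w, x)) + b)
    return [-y * wj if margin < 1 else 0.0 for wj in w]

def aca_train(X, y, ratio=0.1, eps=0.001, seed=0):
    """Attack labels, train, add eps times the input gradient to each sample, retrain
    (assumption: additive embedding, and the attacked labels are kept for retraining)."""
    y_adv = attack_labels(y, ratio, seed)
    w, b = train_linear_svm(X, y_adv)
    X_upd = [[xj + eps * gj for xj, gj in zip(x, hinge_input_gradient(w, b, x, yi))]
             for x, yi in zip(X, y_adv)]
    return train_linear_svm(X_upd, y_adv)

def accuracy(model, X, y):
    """Fraction of samples whose predicted sign matches the (true) label."""
    w, b = model
    return sum((sum(a * c for a, c in zip(w, x)) + b >= 0) == (yi > 0) for x, yi in zip(X, y)) / len(y)

def make_data(n, seed):
    """Constructed two-cluster data (not one of the paper's UCI datasets)."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        label = rng.choice([-1, 1])
        X.append([label * 1.5 + rng.gauss(0, 1), label * 1.5 + rng.gauss(0, 1)])
        y.append(label)
    return X, y
```

Raising eps by a few orders of magnitude reproduces the effect reported in Table 4: the embedded gradient then dominates the original features and held-out accuracy drops.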
Mosca et al. [8] fed samples containing perturbations into a neural network, took the first-order derivative of the output with respect to the current input sample, and embedded the resulting first-order gradient into the features of the current input sample; the updated samples were fed into the neural network again for training, and the generalization ability of the resulting network improved markedly. Reference [9] adds small but reasonable perturbations to sample features to artificially generate adversarial samples; a deep neural network (DNN) trained on a training set containing these adversarial samples can be effectively applied to malware detection. 马玉琨 et al. [10], addressing the fact that the performance of a DNN applied to liveness detection is easily disturbed by adversarial samples, concentrate the adversarial perturbation in only a few feature dimensions of a sample and thereby propose a minimum-perturbation-dimension technique for generating liveness-detection adversarial samples, which needs to perturb only a few feature dimensions to produce an adversarial sample. Gu et al. [11], building on a study of the structure of adversarial samples, add perturbations to sample features in the DNN input layer so that some samples become adversarial; the resulting deep perception network suppresses well the effect of sample noise on classification performance. In practical data classification, since every real-world dataset contains adversarial samples, this paper starts from the standpoint of making reasonable use of adversarial samples and, in combination with the support vector machine, proposes a robust classification algorithm that attacks label information (ACA).
Table 4 gives the actual classification performance of A-SVM on the 4 real-world datasets when the parameter in formula (5) takes different values, with the value of in formula (7) fixed at . Analysis of the experimental results in Table 4 shows that the best value of the parameter is 0.001, and that as its value increases, the classification accuracy of A-SVM gradually decreases. A large number of experiments show that a large value of severely damages the original sample feature space, so that the A-SVM generated by training the updated samples with the ACA algorithm becomes less able to recognize new samples that retain the original feature structure. Table 4 strongly demonstrates the effectiveness of the proposed ACA algorithm in making reasonable use of adversarial samples to generate the A-SVM classifier.
3 Conclusion
