Cite this article: WANG Pengbo, CHEN Sizhe, HUANG Xiaolin. Type I poisoning attack and its feature analysis [J]. Journal of Harbin Institute of Technology, 2025, 57(9): 21. DOI: 10.11918/202212023
Abstract:
To study the robustness and trustworthiness of neural networks in the face of security threats, this work focuses on their vulnerability to poisoning attacks. Building on a systematic analysis of the characteristics of type I and type II adversarial attacks, and on the structural defects of neural networks in feature learning, the concept of a type I poisoning attack is proposed. Theoretical analysis and modeling make explicit the essential feature-level difference between type I poisoning attacks and existing poisoning attacks such as "clean-label" and feature-collision attacks. A type I poisoned-sample generation framework is built on a supervised variational autoencoder, and experiments are carried out on commonly used deep neural network models including ResNet50, VGG16 and MobileNetV2. The results show that the type I poisoning attack effectively interferes with the model's classification decisions without breaking label consistency, and can induce classification errors on typical neural network architectures. In addition, defense experiments show that the type I poisoning attack can bypass existing mainstream defense mechanisms, rendering them ineffective. Type I poisoning attacks are highly stealthy and destructive and constitute a new form of security threat that merits in-depth study; the proposal of this attack method is of great significance for building more secure and robust neural network systems in the future.
Key words: neural network; poisoning attack; type I error; feature analysis; robustness
DOI: 10.11918/202212023
Classification code: TP183
Document code: A
Funding: Key R&D Program of the Ministry of Science and Technology (2023YFF1104202); National Natural Science Foundation of China (62376155)
Type I poisoning attack and its feature analysis
|
WANG Pengbo,CHEN Sizhe,HUANG Xiaolin
(Institute of Pattern Analysis and Machine Intelligence, Shanghai Jiaotong University, Shanghai 200240, China)
Abstract:
To investigate the robustness and trustworthiness of neural networks under security threats, this study focuses on their vulnerability to poisoning attacks. Based on a systematic analysis of the characteristics of type I and type II adversarial attacks, and in light of the structural deficiencies in neural network feature learning, the concept of the type I poisoning attack is proposed. Theoretical modeling and analysis demonstrate fundamental feature-level distinctions between type I poisoning attacks and existing methods such as "clean-label" or feature-collision poisoning. A type I poisoned-sample generation framework is built on supervised variational autoencoders, and experiments are conducted on widely used deep neural network architectures including ResNet50, VGG16, and MobileNetV2. Results demonstrate that the proposed type I poisoning method effectively disrupts model classification decisions while preserving label consistency, successfully inducing misclassification across typical neural network architectures. Moreover, the defense experiments reveal that type I poisoning attacks can bypass existing mainstream defense mechanisms, rendering current primary countermeasures ineffective. With its strong stealth and disruptive capabilities, type I poisoning represents a novel security threat worthy of in-depth investigation. The development of this attack methodology holds significant implications for building more secure and robust neural network systems in the future.
Key words: neural network; poisoning attack; type I error; feature analysis; robustness