Antagonistic attack and defense method and system based on PID controller

Abstract

The invention relates to an antagonistic attack and defense method and system based on a PID controller. The method comprises the following steps: S1, inputting a training data set and a machine learning model f; s2, training a machine learning model f according to the input training data set; and S3, judging whether the loss function J is converged or not, if the loss function J is not converged,training the machine learning model f by adopting the adversarial sample xadv generated by the adversarial attack based on the PID controller and the original data x as a training data set until theloss function J is converged to obtain the trained machine learning model f, and if the loss function J is converged, directly outputting a result. According to the invention, a higher attack successrate can be realized under the same disturbance constraint limitation through a process of generating an adversarial sample by an adversarial attack, and the invention can be used for evaluating the performance of a machine learning model and the effectiveness of an adversarial defense method; adversarial training on the machine learning model by using adversarial samples generated by adversarialattacks can be used as a defense method to improve the robustness of the model.

Description

technical field [0001] The invention relates to the security field of artificial intelligence machine learning methods, in particular to an adversarial attack and defense method and system based on a PID (Proportional Integral Derivative) controller. Background technique [0002] Machine learning is the core of artificial intelligence. In recent years, machine learning has achieved unprecedented development, and its application has spread across various fields of artificial intelligence. Especially in the fields of data mining, computer vision, natural language processing and unmanned driving, the application of machine learning has achieved great success. However, existing machine learning models are vulnerable to adversarial examples, where attackers can generate adversarial examples by adding subtle perturbations to the original input data. Adversarial examples with additional subtle perturbations will not affect human judgment, but will cause machine learning models to ...

AI Technical Summary

Problems solved by technology

Existing adversarial attack and defense algorithms face four problems: The first problem is that gradient-based adversarial attacks need to know the specific structure and parameters of the network model, while attacks on black-box models mainly rely on the migration of generated adversarial samples. , so as the attacker knows the structural information of the model and the data sources for training the model become less and less, the attack success rate will also decrease; the second problem is for the defense model, the attack success rate of the existing adversarial attack algorithm limited; the third problem is that for the existing defense methods, the transfer of adversarial samples in the process of implementing adversarial training is limited, resulting in low robustness of the defense model; the fourth problem is that the existing technology is also Unable to accurately assess the robustness of machine learning models and the effectiveness of adversarial defense methods

Images