Adversarial sample generation method and device, electronic equipment and storage medium

By obtaining the field attribute information of structured data, the adversarial attack configuration is determined, and highly adaptable adversarial samples are generated. This solves the problem that existing technologies are difficult to apply to structured data and achieves high-quality adversarial sample generation.

CN116468110BActive Publication Date: 2026-06-09BEIJING BAIDU NETCOM SCI & TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING BAIDU NETCOM SCI & TECH CO LTD
Filing Date
2023-04-14
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing adversarial attack techniques mainly focus on unstructured data and are difficult to apply to structured data. Furthermore, machine learning models that perform well on structured data, such as tree models like XGBoost, lack effective adversarial attack methods.

Method used

This paper presents a method for generating adversarial examples for structured data. By obtaining the attribute information of the fields, the configuration information of the adversarial attack is determined, and adversarial examples are generated based on this. The method considers the editability, importance and imperceptibility of the fields and adopts an adaptive configuration to generate adversarial examples.

Benefits of technology

It improves the applicability and usability of adversarial attacks on structured data. The generated adversarial samples are closer to real system applications, with high imperceptibility and usability, and are suitable for adversarial attacks on structured data.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116468110B_ABST
    Figure CN116468110B_ABST
Patent Text Reader

Abstract

This disclosure provides a method, apparatus, electronic device, and storage medium for generating adversarial examples, relating to the field of artificial intelligence technology, particularly machine learning and natural language processing. The specific implementation involves: obtaining attribute information of fields in a first structured data set; determining configuration information for an adversarial attack based on the attribute information of the fields in the first structured data set; and obtaining adversarial examples of the first structured data set based on the configuration information of the adversarial attack. This disclosure takes into account the diverse field attributes of structured data in real-world system applications, making the adversarial attack more closely resemble real-world system applications, possessing high usability, and applicable to adversarial attacks on structured data.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of artificial intelligence technology, particularly to the fields of machine learning and natural language processing, and specifically to a method, apparatus, electronic device, and storage medium for generating adversarial examples. Background Technology

[0002] Machine learning has achieved state-of-the-art performance in many tasks, including but not limited to image classification, text mining, and audio processing. With the development of machine learning technology, the robustness and safety of machine learning models are receiving increasing attention.

[0003] Adversarial attacks involve applying slight perturbations to the input samples of a machine learning model to generate adversarial examples, causing the target machine learning model to produce incorrect outputs. Adversarial attacks can be used to assess the risk of a model and help improve its robustness, security, and interpretability.

[0004] Currently, research on adversarial attacks mainly focuses on deep neural networks and areas where deep neural networks excel, such as computer vision or audio processing. The sample data in these areas is typically homogeneous and unstructured. Adversarial attack schemes targeting unstructured data are not applicable to structured data. Summary of the Invention

[0005] This disclosure provides a method, apparatus, electronic device, and storage medium for generating adversarial examples.

[0006] According to one aspect of this disclosure, a method for generating adversarial examples is provided, including...

[0007] Retrieve attribute information of fields in the first structured data;

[0008] Based on the attribute information of the fields in the first structured data, determine the configuration information for countering attacks;

[0009] Based on the configuration information of the adversarial attack, adversarial samples of the first structured data are obtained.

[0010] According to another aspect of this disclosure, an apparatus for generating adversarial examples is provided, comprising:

[0011] The acquisition module is used to retrieve attribute information of fields in the first structured data;

[0012] The configuration information determination module is used to determine the configuration information against attacks based on the attribute information of the fields in the first structured data.

[0013] The adversarial sample generation module is used to obtain adversarial samples of the first structured data based on the configuration information of the adversarial attack.

[0014] According to another aspect of this disclosure, an electronic device is provided, comprising:

[0015] At least one processor; and

[0016] The memory is communicatively connected to the at least one processor; wherein,

[0017] The memory stores instructions that can be executed by the at least one processor to enable the at least one processor to perform any of the methods described in the present disclosure.

[0018] According to another aspect of this disclosure, a non-transitory computer-readable storage medium is provided storing computer instructions, wherein the computer instructions are used to cause the computer to perform any of the methods according to embodiments of this disclosure.

[0019] According to another aspect of this disclosure, a computer program product is provided, including a computer program that, when executed by a processor, implements any of the methods according to embodiments of this disclosure.

[0020] According to the technical solution of this disclosure, adversarial examples can be generated by adaptive configuration based on the attributes of the fields in different structured data. Since the diverse field attributes of structured data in real-world system applications are taken into account, the adversarial attacks are more closely aligned with real-world system applications, have high usability, and are applicable to adversarial attacks on structured data.

[0021] It should be understood that the description in this section is not intended to identify key or essential features of the embodiments of this disclosure, nor is it intended to limit the scope of this disclosure. Other features of this disclosure will become readily apparent from the following description. Attached Figure Description

[0022] The accompanying drawings are provided to better understand this solution and do not constitute a limitation of this disclosure. Wherein:

[0023] Figure 1 This is a flowchart illustrating a method for generating adversarial samples according to an embodiment of the present disclosure;

[0024] Figure 2 This is a flowchart illustrating a method for generating adversarial examples in an application example of this disclosure.

[0025] Figure 3 This is a flowchart illustrating the process of trimming structured data after reverse reconstruction in an application example of an embodiment of this disclosure;

[0026] Figure 4 This is an application flowchart of the method for generating adversarial examples in an application example of this disclosure;

[0027] Figure 5 This is a schematic block diagram of an adversarial sample generation apparatus according to an embodiment of the present disclosure;

[0028] Figure 6 This is a schematic block diagram of an adversarial sample generation apparatus according to another embodiment of the present disclosure;

[0029] Figure 7 This is a schematic block diagram of an adversarial sample generation apparatus according to yet another embodiment of the present disclosure;

[0030] Figure 8 This is a block diagram of an electronic device used to implement the methods of the embodiments of this disclosure. Detailed Implementation

[0031] The exemplary embodiments of this disclosure are described below with reference to the accompanying drawings, including various details of the embodiments to aid understanding, and should be considered merely exemplary. Therefore, those skilled in the art will recognize that various changes and modifications can be made to the embodiments described herein without departing from the scope of this disclosure. Similarly, for clarity and brevity, descriptions of well-known functions and structures are omitted in the following description.

[0032] The basic concepts and related technologies involved in the embodiments of this disclosure are briefly described below. It should be understood that the basic concepts and related technologies described below do not limit the embodiments of this disclosure. The following related technologies are optional solutions and can be arbitrarily combined with the technical solutions of the embodiments of this disclosure, all of which fall within the protection scope of the embodiments of this disclosure.

[0033] 1. Structured Data: Structured data refers to data that can be represented and stored using relational databases, logically expressed and implemented using a two-dimensional table structure. Typically, each row represents information about a sample, and each column represents a field. Data within the same field has the same data range and data type, while different fields may have different data ranges and data types. Structured data can be used for tasks such as classification, regression, prediction, ranking, gain analysis, and clustering. Common machine learning methods for structured data include Support Vector Machines (SVMs), tree models, and deep learning models. Deep learning models are often used for unstructured data and demonstrate excellent performance; however, they remain highly challenging for structured data. Currently, the best-performing machine learning solutions for structured data are various tree models and their variants, such as XGBoost (Extreme Gradient Boosting).

[0034] 2. Adversarial Attacks: Adversarial attacks involve applying slight perturbations to input samples to generate adversarial examples, causing the target machine learning model to produce incorrect outputs. Adversarial attacks can expose the vulnerabilities and risks of machine learning models, helping to improve their robustness, security, and interpretability. Currently, adversarial attacks are categorized into white-box attacks and black-box attacks based on the attacker's understanding of the target model. In white-box attacks, the attacker has complete control over the target model, can invoke the model to obtain its output relative to a given input, and knows all its internal parameters. In this case, the attacker can often use optimization methods similar to gradient descent to adjust the perturbations and generate adversarial examples. In black-box attacks, the attacker cannot know the internal structure and parameters of the target model; they can only invoke the model to obtain its output relative to a given input. Based on the type of output, black-box attacks can be further subdivided into score-based attacks and decision-based attacks. In score-based attacks, the attacker can know the model's final output score (e.g., the probability of each class in a classification model). In decision-based attacks, the attacker can only know the model's judgment result (e.g., the class given by a classification model).

[0035] Research into adversarial attacks stems from the need for robustness and security of state-of-the-art machine learning models. Current research primarily focuses on deep neural networks and their strengths, such as computer vision or audio processing, where the data is typically homogeneous and unstructured. However, in addition to unstructured data, the real world also contains a large amount of structured data (such as tables) and its industrial applications (such as financial fraud and power forecasting), which are equally important and significant. Yet, research into adversarial attacks in these areas remains largely unexplored.

[0036] Through in-depth research, the inventors of the disclosed technical solution have discovered that structured data adversarial attacks differ from unstructured data adversarial attacks in the following ways:

[0037] 1. Data Differences: In structured data, the value range and data type of each feature are different, while in unstructured data, each feature has the same value range and data type. For example, in image data (unstructured data), each pixel is an integer between 0 and 255, while in tabular data (structured data), each field can represent different information, such as email address, last name, or amount. Therefore, the value range and data type of different fields may differ significantly.

[0038] 2. Model Differences: Deep neural networks, which perform exceptionally well on unstructured data, do not perform as well on structured data. Therefore, tree models such as XGBoost are more commonly used for structured data tasks. Compared to deep neural networks, many gradient-based adversarial attack methods are not applicable to tree models with discrete gradients. Therefore, adversarial attacks on structured data require adversarial attack algorithms that are independent of the model architecture.

[0039] 3. Editability Differences: The editability of fields is also an important aspect to consider when countering attacks on structured data. Unlike unstructured data adversarial attack algorithms, which can arbitrarily and independently modify any feature, in real-world applications of structured data, the values ​​of certain fields are automatically determined by the system and cannot be modified by the adversarial attack algorithm.

[0040] 4. Imperceptible Differences: Imperceptibility is also one of the main challenges of adversarial attack algorithms. Imperceptibility refers to the fact that adversarial examples need to be difficult for humans to perceive relative to real examples; that is, the difference between the two needs to be as small as possible. In unstructured data, imperceptibility is an intuitive concept that is easy to measure. However, in structured data, imperceptibility is related to the number and degree of changes in fields that are frequently examined manually and fields of importance in a specific domain. Therefore, the methods for measuring imperceptibility in adversarial attacks on unstructured data are not applicable to adversarial attacks on structured data.

[0041] This disclosure provides a method for generating adversarial examples applicable to structured data. Figure 1 A flowchart illustrating a method for generating adversarial examples according to an embodiment of this disclosure is shown. This method can be applied to an adversarial example generation apparatus, which can be deployed in an electronic device. The electronic device may be a single-machine or multi-machine terminal, server, or other processing device. The terminal may be a mobile device, a personal digital assistant (PDA), a handheld device, a computing device, an in-vehicle device, a wearable device, or other user equipment (UE). In some possible implementations, the method can also be implemented by a processor calling computer-readable instructions stored in memory. Figure 1 As shown, the method may include:

[0042] S110. Obtain the attribute information of the fields in the first structured data;

[0043] S120. Based on the attribute information of the fields in the first structured data, determine the configuration information for countering attacks;

[0044] S130. Based on the configuration information of the adversarial attack, an adversarial sample of the first structured data is obtained.

[0045] For example, the attribute information of a field may include one or more of the following: the field's value range, data type, editability, importance, and manual inspection capability. Editability refers to whether the field is editable, and manual inspection capability refers to whether the field will be manually inspected, or the frequency with which the field is manually inspected. In practical applications, during the generation of adversarial examples, the various attribute information of a field can be represented in vector form.

[0046] In this embodiment of the disclosure, the configuration information for adversarial attacks may include various parameters, functions, etc., that are used in the process of generating adversarial attacks or adversarial samples.

[0047] For example, adversarial examples are generated by perturbing the features in the original sample (i.e., the first structured data). The configuration information of the adversarial attack may include the location of the perturbed features in the original sample (hereinafter referred to as the perturbed feature location).

[0048] For example, the configuration information for adversarial attacks may include parameters used to measure the imperceptibility of adversarial examples, such as norm, similarity, distance, etc.

[0049] For example, the configuration information for adversarial attacks may include parameters related to the size of the perturbation, such as the exploration perturbation and the perturbation value.

[0050] For example, an adversarial attacker can be constructed based on the configuration information of the adversarial attack. This adversarial attacker is then used to perturb the first structured data to obtain adversarial samples. For example, the adversarial samples of the first structured data can be updated multiple times through iterative operations until the number of iterations reaches a preset threshold, resulting in optimized adversarial samples. For instance, in each iteration, based on the configuration information of the adversarial attack, one or more features in the first structured data are perturbed. When the model prediction result and imperceptibility of the perturbed structured data meet predetermined conditions, the perturbed structured data is used as the updated adversarial sample.

[0051] In the adversarial sample generation method provided in this disclosure, adversarial samples can be generated adaptively based on the attributes of the fields in different structured data. Because the diverse field attributes of structured data in real-world system applications are taken into account, the adversarial attacks are more closely aligned with real-world system applications, possessing high usability and applicable to adversarial attacks on structured data.

[0052] In one exemplary implementation, S110, obtaining attribute information of fields in the first structured data includes: receiving a configuration file; wherein the configuration file is obtained based on user input information; and parsing the configuration file to obtain attribute information of fields in the first structured data.

[0053] For example, the configuration file can be obtained by modifying configuration items for a specific task based on user input information. These configuration items can include field-related information. This field-related information can include the category, value range, editability, frequency of manual review, and importance of each field in the structured data. Optionally, the configuration items can also include configuration items related to specific task requirements, such as data paths, model-related information, and adversarial attack algorithm-related information. Here, the data path is the storage path of the first structured data; model-related information can include the storage path of the machine learning model's structure file, parameter file, etc.; and adversarial attack algorithms can include information related to the algorithm type and configuration, such as pre-set perturbation values ​​and iteration counts.

[0054] In practical applications, users can input at least one configuration item through the human-computer interaction interface of an electronic device according to specific task requirements. The electronic device can generate a configuration file based on at least one configuration item and send the configuration file to the adversarial attack module in the electronic device. The adversarial attack module parses the attribute information of the fields in the first structured data from the configuration file and performs subsequent adversarial attack processes based on this.

[0055] According to this implementation method, users can schedule the implementation of adversarial attacks through configuration files. They only need to modify the configuration files according to the actual situation to generate adversarial samples for adversarial attacks. Even people without professional knowledge or coding experience can quickly get started and use it, which lowers the threshold for implementing adversarial attacks.

[0056] In one exemplary implementation, the configuration information for adversarial attacks includes the location of perturbation features. For example, S120, determining the configuration information for adversarial attacks based on the attribute information of fields in the first structured data, may include: determining a target field among multiple fields in the first structured data based on the editability of each field; and determining the location of perturbation features based on the target field.

[0057] For example, the editability of a field can be represented by a vector, which can be called an editability vector. Optionally, a set of editable fields can be determined based on the editability vector corresponding to each field in the first structured data; one or more fields are randomly selected as target fields from the set of editable fields. Taking a table as an example, the column where the perturbation feature is located can be determined based on the target field. Optionally, the row where the perturbation feature is located can also be randomly determined to obtain the position of the perturbation feature.

[0058] It is understandable that when generating adversarial samples based on configuration information for adversarial attacks, one or more features can be identified as target features in the first structured data based on the location of the perturbation feature, and then the target features can be perturbed.

[0059] According to this implementation method, it is possible to avoid perturbing the manually uneditable positions in the first structured data, thereby avoiding the destruction of the imperceptibility of adversarial examples, enabling the adversarial example generation method to be applied to structured data and improving the quality of adversarial examples.

[0060] In one exemplary implementation, the configuration information for adversarial attacks further includes an imperceptible norm, which characterizes the distance between the first structured data and the second structured data, obtained by perturbing the first structured data. In other words, in this implementation, the imperceptibility of the second structured data is characterized using a norm. The second structured data can be a candidate adversarial sample. When the model prediction result corresponding to the second structured data and the imperceptibility meet certain conditions—for example, when the model prediction result corresponding to the second structured data differs from the model prediction result corresponding to the first structured data, and the imperceptibility of the second structured data is below a threshold—the second structured data is used as an adversarial sample of the first structured data. Using the imperceptible norm allows for the measurement of imperceptibility based on the encoding information corresponding to fields, thereby overcoming the measurement limitations caused by different field categories and representations.

[0061] In this embodiment, S120, determining the configuration information for counter-attacks based on the attribute information of the fields in the first structured data, may further include: determining the imperceptible norm based on the frequency and / or importance information of manual inspection of the target field.

[0062] For example, the frequency of manual inspection of a field can be represented by a vector, which can be called the manual inspection vector. Similarly, the importance information of a field can also be represented by a vector, which can be called the feature importance vector.

[0063] According to this implementation, when constructing the imperceptibility norm for measuring imperceptibility, the importance of the field and / or whether the field is manually checked are considered. In this way, the imperceptibility norm can be used to reduce the perturbation of fields that are frequently manually checked and important, thereby ensuring the imperceptibility and authenticity of the second structured data obtained by the perturbation and the final adversarial sample.

[0064] In one exemplary implementation, the configuration information for countering attacks further includes exploration perturbations. S120, determining the configuration information for countering attacks based on the attribute information of fields in the first structured data further includes: determining exploration perturbations based on the value range of the target field.

[0065] In this context, exploratory perturbation refers to the parameters used to explore and determine perturbation values ​​during adversarial attacks. Specifically, assuming the exploratory perturbation is h, it is used to adjust the perturbation value r in both positive and negative directions, resulting in a positive perturbation value r+h and a negative perturbation value rh. The positive and negative perturbation values ​​r+h and rh are then used to perturb the first structured data, respectively, to obtain positive and negative perturbation structured data. Based on these positive and negative perturbation structured data, corresponding model prediction results are obtained, and the perturbation value r is updated according to the model prediction results. The perturbation value r can be represented by a vector, called the feature perturbation vector.

[0066] In related techniques, the same exploratory perturbation is generally applied to each feature in the input sample. However, this approach is not suitable for structured data. For example, if the exploratory perturbation used for a first field with a value range of 0 to 10 is the same as the exploratory perturbation used for a second field with a value range of 0 to 1000, the perturbation of the first field may be too large, compromising its imperceptibility, while the perturbation of the second field may be too small to cause the model to make incorrect predictions.

[0067] In this implementation, the exploration perturbation is determined based on the value range of the target field; that is, different exploration perturbations can be determined for different fields. Based on this, imperceptible damage and failure of adversarial attacks caused by using a single exploration perturbation can be avoided, thus improving the quality of adversarial examples.

[0068] In one exemplary implementation, S130, obtaining an adversarial sample of the first structured data based on the configuration information of the adversarial attack, includes: determining a target feature in the first encoding information of the first structured data based on the perturbation feature position in the configuration information; determining a target perturbation value based on the exploration perturbation in the configuration information; perturbing the target feature in the first encoding information based on the target perturbation value to obtain second encoding information; determining the distance between the second structured data corresponding to the second encoding information and the first structured data based on the imperceptible norm in the configuration information; and using the second structured data as an adversarial sample of the first structured data based on the distance.

[0069] This implementation provides a specific application process for the configuration information of adversarial attacks. The distance between the second structured data and the first structured data can be understood as the imperceptibility of the second structured data. In practical applications, the second structured data can also be input into the machine learning model to be attacked to obtain the corresponding model prediction result. If the model prediction result and the distance meet preset conditions, the second structured data can be used as an adversarial sample of the first structured data.

[0070] As can be seen, in the process of using this configuration information to determine adversarial examples, the first encoded information of the first structured data is perturbed, and then the second encoded information obtained from the perturbation is restored to the second structured data. In this way, features in different fields can be processed into the same type of encoded information, reducing the problem that the perturbation configuration cannot be effective for different types of data, so that all fields can be effectively perturbed, thus improving the quality of adversarial examples.

[0071] Optionally, in some embodiments, the method for generating adversarial examples further includes: encoding and normalizing the first structured data based on an encoded information dictionary to obtain first encoded information; determining a normalization scaler based on the first encoded information; wherein the normalization scaler is used to process the second encoded information obtained by perturbation to obtain second structured data.

[0072] The encoding information dictionary can be pre-configured or specifically designed for different types of structured data. For example, this encoding information dictionary can be used to implement one-hot encoding. Specifically, it can be used to process structured data into one-hot encoded information and to reverse-engineer one-hot encoded information back into structured data.

[0073] According to this implementation, the first structured data is pre-encoded based on an encoding information dictionary and then normalized, that is, the encoded information of all fields of the first structured data is mapped to a value range of 0 to 1. In this way, a normalized scaler determined by each field of the first structured data can be obtained. This normalized scaler is saved and applied to process the perturbation-obtained second encoded information, thereby accurately restoring the encoded information.

[0074] Optionally, in some embodiments, the method for generating adversarial examples further includes: reversing the second encoded information based on a normalization scaler to obtain third structured data; and pruning each field in the third structured data based on field rules corresponding to each field in the first structured data to obtain second structured data.

[0075] For example, the field rule corresponding to a field can refer to the constraint rules of the features under that field, which are determined by the field type.

[0076] For example, for a Boolean field, the rule is that if the feature obtained by reverse reconstruction is greater than 0.5, then the feature is pruned to 1; otherwise, the feature is pruned to 0.

[0077] For example, for a field of positive integer type, the field rule is that if the feature obtained by reverse reconstruction is not greater than 0, then the feature is pruned to 0; otherwise, the feature is rounded down.

[0078] According to this implementation method, the third structured data obtained by reverse engineering can be pruned according to the field rules corresponding to each field to obtain the second structured data corresponding to the second encoded information. Based on this, the authenticity and imperceptibility of the second structured data and the final adversarial example can be guaranteed, thereby improving the quality of the adversarial example.

[0079] To facilitate understanding of the technical solutions of this disclosure, a specific application example is provided below. In this application example, the adversarial attack framework may include the following modules:

[0080] 1. Data-related module: The main functions of the data-related module include structured data reading, forward one-hot encoding and reverse one-hot encoding of structured data, forward label encoding and reverse label encoding of structured data, structured data field normalization, feature data correction, and field information vector conversion.

[0081] 2. Predictor Module: The predictor module is used to load the pre-trained structured data machine learning module, that is, to load the machine learning model to be attacked and simulate a real application system.

[0082] 3. Adversarial Attack Module: The adversarial attack module is used to generate adversarial examples for the real system simulated by the simulator. The attack algorithm module includes the adversarial attack loss function, the imperceptibility norm, and the adversarial attack algorithm.

[0083] For example, the adversarial attack loss function takes into account a custom threshold in the real application system, and the loss function is set with reference to the following formula:

[0084] Loss(x)=max[([M(x)]1-τ),-υ]

[0085] Where Loss(x) is the loss value calculated based on the loss function, x is the input sample (first structured data), M is the model, [M(x)]1 is the model score, τ is a custom threshold, and v is a hyperparameter that is transferable to an attack.

[0086] For example, the imperceptibility norm takes into account both field importance and whether the field was manually checked. This imperceptibility norm can be set with reference to the following formula:

[0087] norm=||r(αh+β[(1-h)(1-v)+hv])|| p

[0088] Where norm represents the calculated imperceptibility; p indicates that the p-norm is used for calculation; r is the feature perturbation vector during the adversarial attack process; e is the manual inspection vector; v is the feature importance vector; and α and β are pre-set hyperparameters.

[0089] 4. Utility Function Module: The utility function module includes functions such as tag conversion and success rate calculation.

[0090] 5. Configuration File Module: The configuration file module is used to fill in settings as needed. The anti-attack script reads the configuration file to schedule various modules to complete the anti-attack task. For different tasks, settings such as data path, model file path, field category, whether to check fields, field importance, and field editability are filled in according to specific circumstances and system requirements. In other words, anti-attack tasks can be configured and executed immediately through the configuration file, without requiring any coding knowledge.

[0091] Figure 2 This diagram illustrates the flowchart of the adversarial example generation method in this application example. (Reference) Figure 2 Based on the above framework, methods for generating adversarial examples may include:

[0092] S201. Modify the configuration file according to the specific task requirements, and fill in the data-related paths, model-related information, field-related information, and adversarial attack algorithm-related configurations.

[0093] S202. The adversarial attack script reads and parses the configuration file to obtain data path, model-related information, field-related vectors, adversarial attack algorithm-related configuration, and field category vectors.

[0094] S203. Read and process data according to the data path, and output the original sample, the sample after one-hot encoding, and a dictionary of one-hot encoded information for each field. Use feature encoding normalization to normalize all features to between 0 and 1, and generate a feature normalization scaler for subsequent normalized feature encoding reverse reconstruction.

[0095] S204. Using the read field manual inspection vector, field importance vector, field editability vector, and one-hot encoded information fields for each field, generate the feature dimension manual inspection vector, importance vector, and editability vector. Use the feature manual inspection vector and feature importance vector to construct an imperceptibility norm, which is used to subsequently improve the imperceptibility of adversarial examples.

[0096] S205. Load the pre-trained model using the model-related files and build a predictor to simulate predictions for real-world system applications.

[0097] S206. Initialize and build the adversarial attacker using the predictor, encoder normalizer scaler, field one-hot encoder dictionary, field one-hot encoding information dictionary, imperceptibility norm, feature editability vector, field category vector, and adversarial attack algorithm related settings.

[0098] S207. Use a predictor to predict the original samples. For samples classified into the attacked category, obtain the normalized features of the corresponding samples, use an adversarial attacker to attack, and generate adversarial samples.

[0099] The specific steps for the adversarial attack generator to generate adversarial samples are as follows:

[0100] Step 1: Initialize the predictor f, the encoder normalizer S, and the field one-hot encoder dictionary D of the adversarial attacker based on the input. encoder Dictionary of one-hot encoded information fields encoder_info Imperceptibility norm N, Feature editability vector V editable Field category vector V type .

[0101] Step 2: Set the initial learning rate η, perturbation exploration constant h, ADAM hyperparameters (including B1, B2, ∈), loss function L, and loss function weight c according to the adversarial algorithm.

[0102] Step 3: Use the encoding normalizer scaler S and the field one-hot encoder dictionary D. encoder Dictionary of one-hot encoded information fields encoder_info The original input sample is normalized to feature x, which is then restored to an unprocessed sample and input into the predictor f to obtain the original category y.

[0103] Step 4: Initialize the feature perturbation vector r to 0, the ADAM state to 0 (mean M, variance v, number of rounds T), and the minimum imperceptibility N. min For infinite, optimal adversarial sample features Adv best These are the original input features.

[0104] Step 5: Based on the feature editability vector V editable Randomly select an editable position i as the perturbation position, and modify the feature perturbation vector at the corresponding position using ±h, resulting in two new perturbation vectors. The perturbation value at position i becomes r. i +h and r i -h, denoted as r + and r - .

[0105] Step 6: Add a perturbation r to the original input features. +and r - Two new features x+r are obtained + and x+r - Using the encoding normalizer scaler S and the field one-hot encoder dictionary D encoder Dictionary of one-hot encoded information fields encoder_info Perform reverse reconstruction and based on the field category vector V type Pruning is performed to generate true samples for prediction.

[0106] Step 7: Use the predictor to predict the true samples of reverse restoration trimming, and obtain f(x+r) + ) and f(x+r - The value of ).

[0107] Step 8: Calculate x+r using the loss function L. + and x+r - The adversarial loss L(x+r) + ) and L(x+r - ).

[0108] Step 9: Calculate the imperceptibility N(r) of the perturbation using the imperceptibility norm N. + ) and N(r - ).

[0109] Step 10: Use the symmetric difference quotient formula Estimate the gradient g at the selected feature location i i .

[0110] Step 11: Update the ADAM state at the selected feature location i:

[0111] T i ←T i +1

[0112] M i ←B1M i +(1-B1)g i

[0113]

[0114] Step 12: Update the feature perturbation vector at the selected feature location i:

[0115]

[0116]

[0117]

[0118] Step 13: Add the updated perturbation r to the original input features to obtain x+r, and use the encoding normalizer scalerS and the field one-hot encoder dictionary D. encoder Dictionary of one-hot encoded information fields encoder_info Perform reverse reconstruction and based on the field category vector V type Pruning is performed to generate true samples for prediction.

[0119] Step 14: Use the predictor to predict the real sample and obtain f(x+r).

[0120] Step 15: Calculate the loss function L(x+r) for x+r using the loss function L.

[0121] Step 16: Calculate the imperceptibility N(r) of r using the imperceptibility norm N.

[0122] Step 17: Determine whether the attack was successful based on f(x+r) and the original category y. If the attack is successful for the first time, reset the ADAM state.

[0123] Step 18: Compare the imperceptibility N(r) with the minimum imperceptibility N. min If the imperceptibility N(r) is less than the minimum imperceptibility N min And the attack successfully updates the minimum imperceptibility N. min and optimal adversarial example features Adv best :

[0124] N min ←N(r)

[0125] Adv best ←x+r

[0126] Step 19: If the number of iterations is less than the maximum number of iterations, repeat steps 5 to 18.

[0127] It should be noted that the above process uses the selection of one feature position i as an example. In practical applications, multiple positions can be selected simultaneously for calculation to make full use of machine performance and improve efficiency.

[0128] Figure 3 This diagram illustrates the trimming of the structured data obtained from the reverse reconstruction in steps 6 and 13 above. Figure 3 As shown, for each feature x in the structured data obtained by reverse reconstruction, the corresponding pruning strategy can be used to prune the feature according to whether it is Boolean data, integer type, positive integer type, positive floating-point type, or one-hot encoded, and the pruned features are connected to obtain structured data with the same format as the real sample.

[0129] Figure 4 The flowchart illustrating the adversarial example generation method in this application example is shown. Figure 4 As shown, the application process includes:

[0130] S401, User modifies configuration file;

[0131] S402, Run the anti-attack script;

[0132] S403, Generate adversarial examples or counterfactual interpretations of the input samples.

[0133] As can be seen, the beneficial effects of the structured data machine learning adversarial attack framework used in this disclosure embodiment, and its differences from related technologies, include at least the following:

[0134] 1. The embodiments disclosed herein are closer to real-world situations. Because discrete gradient tree models outperform deep learning models on structured data tasks, they are more commonly used for structured tasks in practice. Therefore, the structured data machine learning model adversarial attack framework of the embodiments disclosed herein is more in line with real-world scenarios compared to adversarial attack techniques for structured data deep learning models and adversarial attack techniques for unstructured data discrete gradient tree models.

[0135] 2. The framework proposed in this disclosure is closer to real-world system applications. In real-world applications of structured data tasks, some fields may be manually viewed, different fields may have varying importance, and some fields may be uneditable due to system-generated features. Compared to current technologies, the framework proposed in this disclosure takes into account the characteristics of real-world structured data applications, making adversarial attacks more closely resemble real-world applications and increasing usability.

[0136] 3. The frame attack algorithm proposed in this disclosure is more effective. Related technologies do not normalize structured data, resulting in different ranges of values ​​and perturbation sensitivities for different fields. This leads to the problem that the same perturbation exploration constant cannot be effective for all feature points (i.e., the gradient cannot be estimated due to ±h loss function changes). This disclosure normalizes the structured data features through normalization, ensuring that the value range of all field features is between 0 and 1, reducing the problem of the perturbation exploration constant not being effective.

[0137] 4. The structured data adversarial examples generated by the framework proposed in this disclosure are more realistic. Compared with related technologies that directly return adversarial examples, this disclosure prunes the unprocessed samples reconstructed from the feature vectors according to field categories before prediction and before the final adversarial example is returned, ensuring that the generated sample is a realistic and reasonable one.

[0138] 5. The framework proposed in this disclosure is simpler and easier to use. The framework is highly modular, and the modules are scheduled through configuration files. Therefore, adversarial attacks can be generated by modifying the configuration files according to the actual situation. Even people without professional knowledge or coding experience can quickly get started.

[0139] According to embodiments of this disclosure, this disclosure also provides an apparatus for generating adversarial samples. Figure 5 A schematic block diagram of an apparatus for generating anti-samples according to an embodiment of this disclosure is shown. Figure 5 As shown, the adversarial example generation apparatus may include:

[0140] The acquisition module 501 is used to acquire the attribute information of the fields in the first structured data;

[0141] The configuration information determination module 502 is used to determine the configuration information against attacks based on the attribute information of the fields in the first structured data.

[0142] The adversarial sample generation module 503 is used to obtain adversarial samples of the first structured data based on the configuration information of the adversarial attack.

[0143] For example, the acquisition module 501 can be used to receive a configuration file, which is obtained based on user input information, and parse the configuration file to obtain the attribute information of the fields in the first structured data.

[0144] For example, the configuration information for countering attacks includes the location of perturbation features. Accordingly, the configuration information determination module 502 can be specifically used to determine a target field among multiple fields in the first structured data based on the editability of each field in the first structured data; and to determine the location of perturbation features based on the target field.

[0145] For example, the configuration information for adversarial attacks also includes an imperceptible norm, which is used to characterize the distance between the first structured data and the second structured data, the second structured data being obtained by perturbing the first structured data. The configuration information determination module 502 can also be used to determine the imperceptible norm based on the frequency and / or importance information of manual inspection of the target field.

[0146] For example, the configuration information for countering attacks also includes exploration perturbations. The configuration information determination module 502 can also be used to determine the exploration perturbations based on the value range of the target field.

[0147] For example, the adversarial example generation module 503 can be specifically used for:

[0148] Based on the location of perturbation features in the configuration information, target features are determined in the first encoding information of the first structured data; based on the exploration perturbation in the configuration information, target perturbation values ​​are determined; based on the target perturbation values, the target features are perturbed in the first encoding information to obtain second encoding information; based on the imperceptible norm in the configuration information, the distance between the second structured data corresponding to the second encoding information and the first structured data is determined; based on the distance, the second structured data is used as an adversarial example of the first structured data.

[0149] Optionally, in Figure 5 On the basis of, such as Figure 6 As shown, the adversarial example generation device also includes:

[0150] The scaler determination module 601 is used to encode and normalize the first structured data based on the encoding information dictionary to obtain the first encoding information, and to determine the normalization scaler based on the first encoding information; wherein, the normalization scaler is used to process the second encoding information obtained by perturbation to obtain the second structured data.

[0151] Optionally, in Figure 6 On the basis of, such as Figure 7 As shown, the adversarial example generation device also includes:

[0152] The second structured data generation module 701 is used to reverse-engineer the second encoded information based on the normalization scaler to obtain the third structured data, and to trim each field in the third structured data based on the field rules corresponding to each field in the first structured data to obtain the second structured data.

[0153] The specific functions and examples of each module and submodule of the apparatus in this disclosure can be found in the relevant descriptions of the corresponding steps in the above method embodiments, and will not be repeated here.

[0154] The acquisition, storage, and application of user personal information involved in the technical solution disclosed herein comply with the provisions of relevant laws and regulations and do not violate public order and good morals.

[0155] According to embodiments of this disclosure, this disclosure also provides an electronic device, a readable storage medium, and a computer program product.

[0156] Figure 8A schematic block diagram of an example electronic device 800 that can be used to implement embodiments of the present disclosure is shown. The electronic device is intended to represent various forms of digital computers, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely illustrative and are not intended to limit the implementation of the present disclosure described and / or claimed herein.

[0157] like Figure 8 As shown, device 800 includes a computing unit 801, which can perform various appropriate actions and processes based on a computer program stored in read-only memory (ROM) 802 or a computer program loaded from storage unit 808 into random access memory (RAM) 803. RAM 803 may also store various programs and data required for the operation of device 800. The computing unit 801, ROM 802, and RAM 803 are interconnected via bus 804. Input / output (I / O) interface 805 is also connected to bus 804.

[0158] Multiple components in device 800 are connected to I / O interface 805, including: input unit 806, such as keyboard, mouse, etc.; output unit 807, such as various types of monitors, speakers, etc.; storage unit 808, such as disk, optical disk, etc.; and communication unit 809, such as network card, modem, wireless transceiver, etc. Communication unit 809 allows device 800 to exchange information / data with other devices through computer networks such as the Internet and / or various telecommunications networks.

[0159] The computing unit 801 can be a variety of general-purpose and / or special-purpose processing components with processing and computing capabilities. Some examples of the computing unit 801 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various special-purpose artificial intelligence (AI) computing chips, various computing units running machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 801 performs the various methods and processes described above, such as adversarial example generation methods. For example, in some embodiments, the adversarial example generation method may be implemented as a computer software program tangibly contained in a machine-readable medium, such as storage unit 808. In some embodiments, part or all of the computer program may be loaded and / or installed on device 800 via ROM 802 and / or communication unit 809. When the computer program is loaded into RAM 803 and executed by the computing unit 801, one or more steps of the adversarial example generation method described above may be performed. Alternatively, in other embodiments, the computing unit 801 may be configured to perform adversarial example generation methods by any other suitable means (e.g., by means of firmware).

[0160] Various embodiments of the systems and techniques described above herein can be implemented in digital electronic circuit systems, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems-on-a-chip (SoCs), payload-programmable logic devices (CPLDs), computer hardware, firmware, software, and / or combinations thereof. These various embodiments may include implementations in one or more computer programs that can be executed and / or interpreted on a programmable system including at least one programmable processor, which may be a dedicated or general-purpose programmable processor, capable of receiving data and instructions from a storage system, at least one input device, and at least one output device, and transmitting data and instructions to the storage system, the at least one input device, and the at least one output device.

[0161] The program code used to implement the methods of this disclosure may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general-purpose computer, special-purpose computer, or other programmable data processing apparatus, such that when executed by the processor or controller, the program code causes the functions / operations specified in the flowcharts and / or block diagrams to be implemented. The program code may be executed entirely on a machine, partially on a machine, as a standalone software package partially on a machine and partially on a remote machine, or entirely on a remote machine or server.

[0162] In the context of this disclosure, a machine-readable medium can be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device. A machine-readable medium can be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium can be, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.

[0163] To provide interaction with a user, the systems and techniques described herein can be implemented on a computer having: a display device for displaying information to the user (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor); and a keyboard and pointing device (e.g., a mouse or trackball) through which the user provides input to the computer. Other types of devices can also be used to provide interaction with the user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form (including sound input, voice input, or tactile input).

[0164] The systems and technologies described herein can be implemented in computing systems that include backend components (e.g., as a data server), or computing systems that include middleware components (e.g., an application server), or computing systems that include frontend components (e.g., a user computer with a graphical user interface or web browser through which a user can interact with embodiments of the systems and technologies described herein), or any combination of such backend, middleware, or frontend components. The components of the system can be interconnected via digital data communication of any form or medium (e.g., a communication network). Examples of communication networks include local area networks (LANs), wide area networks (WANs), and the Internet.

[0165] Computer systems can include clients and servers. Clients and servers are generally located far apart and typically interact via communication networks. Client-server relationships are created by computer programs running on the respective computers and having a client-server relationship with each other. Servers can be cloud servers, servers in distributed systems, or servers incorporating blockchain technology.

[0166] It should be understood that the various forms of processes shown above can be used to rearrange, add, or delete steps. For example, the steps described in this disclosure can be executed in parallel, sequentially, or in different orders, as long as the desired result of the technical solution disclosed in this disclosure can be achieved, and this is not limited herein.

[0167] The specific embodiments described above do not constitute a limitation on the scope of protection of this disclosure. Those skilled in the art should understand that various modifications, combinations, sub-combinations, and substitutions can be made according to design requirements and other factors. Any modifications, equivalent substitutions, and improvements made within the principles of this disclosure should be included within the scope of protection of this disclosure.

Claims

1. A method for generating adversarial examples, comprising: Receive a configuration file; wherein the configuration file is obtained based on user input information; The configuration file is parsed to obtain the attribute information of the fields in the first structured data; the first structured data includes tables; the first structured data is the original sample input to the machine learning model and is used for power prediction. Based on the attribute information of the fields in the first structured data, configuration information for countering attacks is determined; wherein, based on the value range of the fields, exploratory perturbations in the configuration information are determined. Based on the location of the perturbation features in the configuration information, the target features are determined in the first encoding information of the first structured data; Based on the exploratory perturbation, the target perturbation value is determined; Based on the target perturbation value, the target feature is perturbed in the first encoding information to obtain the second encoding information; Based on the imperceptible norm in the configuration information, the distance between the second structured data corresponding to the second encoding information and the first structured data is determined; The second structured data is input into the machine learning model to obtain the model prediction result. If the model prediction result and the distance meet the preset conditions, the second structured data is used as an adversarial example of the first structured data. The risk of the machine learning model is assessed based on the adversarial examples.

2. The method according to claim 1, wherein, The configuration information for countering attacks includes the location of perturbation features; The step of determining the configuration information for counter-attacks based on the attribute information of the fields in the first structured data includes: Based on the editability of each field in the first structured data, the target field is determined among multiple fields in the first structured data; Based on the target field, the location of the disturbance feature is determined.

3. The method according to claim 2, wherein, The configuration information for countering attacks also includes an imperceptible norm, which is used to characterize the distance between the first structured data and the second structured data, the second structured data being obtained by perturbing the first structured data; The step of determining the configuration information for counter-attacks based on the attribute information of the fields in the first structured data also includes: The imperceptible norm is determined based on the frequency and / or importance information of manual inspection of the target field.

4. The method according to claim 1, further comprising: Based on the encoded information dictionary, the first structured data is encoded and normalized to obtain the first encoded information; Based on the first encoding information, a normalization scaler is determined; wherein, the normalization scaler is used to process the second encoding information obtained by perturbation to obtain the second structured data.

5. The method according to claim 4, further comprising: Based on the normalization scaler, the second encoded information is reverse-engineered to obtain the third structured data; Based on the field rules corresponding to each field in the first structured data, each field in the third structured data is pruned to obtain the second structured data.

6. An apparatus for generating adversarial examples, comprising: An acquisition module is used to receive a configuration file, parse the configuration file, and obtain the attribute information of the fields in the first structured data; wherein, the configuration file is obtained based on user input information; the first structured data includes tables; the first structured data is the original sample input to the machine learning model and is used for power prediction; The configuration information determination module is used to determine the configuration information for countering attacks based on the attribute information of the fields in the first structured data; wherein, the exploration perturbation in the configuration information is determined based on the value range of the fields; An adversarial example generation module is configured to: determine a target feature in the first encoding information of the first structured data based on the perturbation feature position in the configuration information; determine a target perturbation value based on the exploration perturbation; perturb the target feature in the first encoding information based on the target perturbation value to obtain second encoding information; determine the distance between the second structured data corresponding to the second encoding information and the first structured data based on the imperceptible norm in the configuration information; input the second structured data into the machine learning model to obtain a model prediction result; if the model prediction result and the distance meet a preset condition, use the second structured data as an adversarial example of the first structured data; and evaluate the risk of the machine learning model based on the adversarial example.

7. The apparatus according to claim 6, wherein, The configuration information for countering attacks includes the location of perturbation features; The configuration information determination module is used for: Based on the editability of each field in the first structured data, the target field is determined among multiple fields in the first structured data; Based on the target field, the location of the disturbance feature is determined.

8. The apparatus according to claim 7, wherein, The configuration information for countering attacks also includes an imperceptible norm, which is used to characterize the distance between the first structured data and the second structured data, the second structured data being obtained by perturbing the first structured data; The configuration information determination module is also used for: The imperceptible norm is determined based on the frequency and / or importance information of manual inspection of the target field.

9. The apparatus according to claim 6, further comprising: The scaler determination module is used to encode and normalize the first structured data based on the encoded information dictionary to obtain the first encoded information, and to determine a normalization scaler based on the first encoded information; wherein the normalization scaler is used to process the second encoded information obtained by perturbation to obtain the second structured data.

10. The apparatus according to claim 9, further comprising: The second structured data generation module is used to reverse-engineer the second encoded information based on the normalization scaler to obtain the third structured data, and to trim each field in the third structured data based on the field rules corresponding to each field in the first structured data to obtain the second structured data.

11. An electronic device, comprising: At least one processor; as well as A memory communicatively connected to the at least one processor; wherein, The memory stores instructions that can be executed by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-5.

12. A non-transitory computer-readable storage medium storing computer instructions, wherein, The computer instructions are used to cause the computer to perform the method according to any one of claims 1-5.

13. A computer program product comprising a computer program that, when executed by a processor, implements the method according to any one of claims 1-5.