The Safety Evaluation and Defense Reinforcement of the AI System

doi:10.3969/j.issn.1671-1122.2020.09.018

Abstract

Abstract:

Deep learning models have performed well on many AI tasks, but elaborate adversarial samples can trick well-trained models into making false judgments. The success of the adversarial attack calls into question the usability of the AI system. In order to improve the security and robustness, the paper follow the security development lifecycle and propose a security evaluation and defense reinforcement scheme for the AI system. The scheme improves the system's ability to resist attacks and helps developers build a more secure AI system through measures such as accurate detection and interception of adversarial attacks, scientific evaluation of the model's robustness, and real-time monitoring of new adversarial attacks.

Key words: deep learning, adversarial attack, security development lifecycle

CLC Number:

TP309

WANG Wenhua, HAO Xin, LIU Yan, WANG Yang. The Safety Evaluation and Defense Reinforcement of the AI System[J]. Netinfo Security, 2020, 20(9): 87-91.

Figures/Tables 5

References 12

[1]	ROSS G. Fast r-cnn. 2015 IEEE International Conference on Computer Vision (ICCV)[EB/OL]. http://www.wikicfp.com/cfp/servlet/event.showcfp?eventid=41902, 2020-5-15.
[2]	MAHYAR N, POUYA S, RAMA C, et al. Ssh: Single Stage Headless Face Detector[EB/OL]. https://www.researchgate.net/publication/319121688_SSH_Single_Stage_Headless_Face_Detector, 2020-5-15.
[3]	DEVLIN J, CHANG M W, LEE K, et al. Bert: Pre-training of Deep Bidirectional Transformers for Language Understanding[EB/OL]. https://www.researchgate.net/publication/328230984_BERT_Pre-training_of_Deep_Bidirectional_Transformers_for_Language_Understanding, 2020-5-15.
[4]	VOLKER F, MUMMADI C K, JAN H M, et al. Adversarial Examples for Semantic Image Segmentation[EB/OL]. https://www.researchgate.net/publication/314237740_Adversarial_Examples_for_Semantic_Image_Segmentation2017, 2020-5-15.
[5]	NICHOLAS C, DAVID W. Audio Adversarial Examples: Targeted Attacks on Speech-to-text[EB/OL]. http://dx.doi.org/10.1109/SPW.2018.00009, 2020-5-15.
[6]	LI Y, LI L, WANG L, et al. Nattack: Learning the Distributions of Adversarial Examples for An Improved Black-Box Attack on Deep Neural Networks[EB/OL]. https://www.researchgate.net/publication/332831968_NATTACK_Learning_the_Distributions_of_Adversarial_Examples_for_an_Improved_Black-Box_Attack_on_Deep_Neural_Networks, 2020-5-15.
[7]	ZHOU M, WU J, LIU Y, et al. DaST: Data-free Substitute Training for Adversarial Attacks[EB/OL]. https://www.researchgate.net/publication/340295960_DaST_Data-free_Substitute_Training_for_Adversarial_Attacks, 2020-5-15.
[8]	GAO J, LANCHANTIN J, SOFFA M L, et al. Black-Box Generation of Adversarial Text Sequences to Evade Deep Learning Classifiers[EB/OL]// https://www.researchgate.net/publication/322517759_Black-box_Generation_of_Adversarial_Text_Sequences_to_Evade_Deep_Learning_Classifiers, 2020-5-15.
[9]	LI J, JI S, DU T, et al. Textbugger: Generating Adversarial Text against Real-World Applications[EB/OL]. https://www.researchgate.net/publication/329641568_TextBugger_Generating_Adversarial_Text_Against_Real-world_Applications, 2020-5-15.
[10]	ZHANG Y, BALDRIDGE J, HE L. PAWS: Paraphrase Adversaries from Word Scrambling[EB/OL]. a https://www.researchgate.net/publication/332168683_PAWS_Paraphrase_Adversaries_from_Word_Scrambling, 2020-5-15.
[11]	JIA R, LIANG P. Adversarial Examples for Evaluating Reading Comprehension Systems[EB/OL]. https://www.researchgate.net/publication/322587525_Adversarial_Examples_for_Evaluating_Reading_Comprehension_Systems, 2020-5-15.
[12]	EBRAHIMI J, RAO A, LOWD D, et al. Hotflip: White-Box Adversarial Examples For Text Classification[EB/OL]. https://www.researchgate.net/publication/334118034_HotFlip_White-Box_Adversarial_Examples_for_Text_Classification, 2020-5-15.

白盒攻击算法	无目标	非迭代	FGSM	Fast Gradient Sign Method
			RFGSM	Random perturbation with FGSM
			FGM	Fast Gradient Method
			RFGM	Random perturbation with FGM
		迭代	BIM	Basic Iterative Method
			PGD	Projected L∞ Gradient Descent
			U-MIM	Untargeted BIM with Momentum
			DF	DeepFool
			DI2-FGSM	Diverse Input Iterative Method
			M-DI2-FGSM	DI2-FGSM with Momentum
	有目标	非迭代	FGSM	—
			LLC	Least Likely Class Method
			R+LLC	Random with LLC
		迭代	BLB	Box-constrained L-BFGS
			ILLC	Iterative LLC
			T-MIM	Targeted BIM with Momentum
			JSMA	Jacobian based Saliency Map
			CW	Carlini & Wagner
			DI2-FGSM	—
			M-DI2-FGSM	—

培训内容	角色
对抗攻击的定义及危害	开发&测试&运营
如何进行对抗检测、防御、训练	开发
如何评估系统鲁棒性	测试&开发
如何监控新型对抗攻击	运营&开发