ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2020, Vol. 57 ›› Issue (4): 736-745. doi: 10.7544/issn1000-1239.2020.20190844

Special Topic: 2020 Data-Driven Networking

• Network Technology •

Adversarial Example Attack Analysis of a Low-Dimensional Industrial Control Network System Dataset

Zhou Wen1,3, Zhang Shikun2, Ding Yong4, Chen Xi5

  1(School of Software and Microelectronics, Peking University, Beijing 100871); 2(National Engineering Research Center for Software Engineering, Peking University, Beijing 100871); 3(China National Aviation Fuel Group Limited, Beijing 100088); 4(Peng Cheng Laboratory, Shenzhen, Guangdong 518000); 5(China Software Testing Center, Beijing 100048) (zhou.wen@pku.edu.cn)
  • Online: 2020-04-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (61772150) and the Project of Peng Cheng Laboratory (PCL2018KP004).

Abstract: The growth in cyber attacks on industrial control systems (ICS) highlights the need for network intrusion anomaly detection. Researchers have proposed various anomaly detection models for industrial control network traffic based on machine learning algorithms; however, adversarial example attacks are hindering the widespread application of machine learning models. Existing research on adversarial example attacks has focused on feature-rich, high-dimensional datasets. Because the network topology of an industrial control network system is relatively fixed, however, ICS datasets have few features, and it is unknown whether existing findings on adversarial examples carry over to low-dimensional ICS datasets. On a low-dimensional natural gas ICS dataset, we experimentally analyze the relationship between four common optimization algorithms (SGD, RMSProp, AdaDelta, and Adam) and the attacking capability of the adversarial examples they produce, evaluate how well typical machine learning algorithms defend against adversarial example attacks, and investigate whether adversarial training improves the ability of deep learning algorithms to resist white-box adversarial example attacks. Moreover, a new index, the "year-to-year loss rate", is proposed to evaluate the white-box attacking ability of adversarial examples. Extensive experimental results show that, for this low-dimensional dataset: 1) the optimization algorithm does affect the white-box attacking ability of adversarial examples; 2) adversarial examples can carry out black-box attacks against each typical machine learning algorithm; 3) compared with decision tree, random forest, support vector machine, AdaBoost, logistic regression, and convolutional neural network (CNN) classifiers, the recurrent neural network (RNN) is the most resistant to black-box attacks by adversarial examples; and 4) adversarial training can improve the ability of deep learning models to defend against white-box adversarial example attacks.

Key words: adversarial example, deep learning, intrusion detection, industrial control system, machine learning
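The abstract does not specify how the adversarial examples are generated; a common white-box approach in studies of this kind is the fast gradient sign method (FGSM), sketched below against a toy logistic-regression detector in NumPy. The weights, feature values, and perturbation budget `eps` are illustrative assumptions, not values from the paper's gas-pipeline dataset or its actual attack procedure.

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def fgsm(x, y, w, b, eps):
    """One-step FGSM: perturb x along the sign of the loss gradient.

    x: feature vector; y: true label (0/1); (w, b): logistic-regression
    parameters; eps: per-feature L-infinity perturbation budget."""
    p = sigmoid(w @ x + b)
    # Gradient of the binary cross-entropy loss with respect to the input x.
    grad_x = (p - y) * w
    return x + eps * np.sign(grad_x)

# Toy 5-feature "low-dimensional" traffic record labeled as an attack (y = 1).
w = np.array([0.8, -0.5, 1.2, 0.3, -0.9])
b = -0.1
x = np.array([1.0, 0.2, 0.7, 0.4, 0.1])

x_adv = fgsm(x, 1, w, b, eps=0.5)
print(sigmoid(w @ x + b) > 0.5)      # → True: original sample flagged as attack
print(sigmoid(w @ x_adv + b) > 0.5)  # → False: perturbed copy evades the detector
```

With only five features, each perturbed coordinate matters; this is the setting the paper probes when it asks whether adversarial attacks developed on high-dimensional data remain effective on low-dimensional ICS traffic.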
