CN108596336A - For the software and hardware combined attack method and device of neural network - Google Patents
For the software and hardware combined attack method and device of neural network Download PDFInfo
- Publication number
- CN108596336A CN108596336A CN201810371573.3A CN201810371573A CN108596336A CN 108596336 A CN108596336 A CN 108596336A CN 201810371573 A CN201810371573 A CN 201810371573A CN 108596336 A CN108596336 A CN 108596336A
- Authority
- CN
- China
- Prior art keywords
- attack
- neural network
- hardware
- software
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000013528 artificial neural network Methods 0.000 title claims abstract description 103
- 238000000034 method Methods 0.000 title claims abstract description 34
- 230000007423 decrease Effects 0.000 claims abstract description 16
- 210000005036 nerve Anatomy 0.000 claims abstract description 7
- 230000001960 triggered effect Effects 0.000 claims abstract description 3
- 238000012549 training Methods 0.000 claims description 57
- 238000013461 design Methods 0.000 claims description 17
- 238000013138 pruning Methods 0.000 claims description 15
- 238000002513 implantation Methods 0.000 claims description 8
- 238000011084 recovery Methods 0.000 claims description 6
- 235000013399 edible fruits Nutrition 0.000 claims description 4
- 239000007943 implant Substances 0.000 claims description 4
- 210000004218 nerve net Anatomy 0.000 claims description 2
- 230000000694 effects Effects 0.000 description 10
- 238000010586 diagram Methods 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 238000013135 deep learning Methods 0.000 description 2
- 238000002474 experimental method Methods 0.000 description 2
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 2
- 238000010801 machine learning Methods 0.000 description 2
- 239000000463 material Substances 0.000 description 2
- 230000001537 neural effect Effects 0.000 description 2
- 238000012360 testing method Methods 0.000 description 2
- 230000004913 activation Effects 0.000 description 1
- 230000015572 biosynthetic process Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000006835 compression Effects 0.000 description 1
- 238000007906 compression Methods 0.000 description 1
- 238000011109 contamination Methods 0.000 description 1
- 230000003631 expected effect Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000004927 fusion Effects 0.000 description 1
- 238000003780 insertion Methods 0.000 description 1
- 230000037431 insertion Effects 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 239000002023 wood Substances 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/75—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
- G06F21/755—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation with measures against power attack
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/06—Physical realisation, i.e. hardware implementation of neural networks, neurons or parts of neurons
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Biophysics (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Biomedical Technology (AREA)
- Mathematical Physics (AREA)
- Life Sciences & Earth Sciences (AREA)
- Computational Linguistics (AREA)
- Molecular Biology (AREA)
- Computing Systems (AREA)
- General Health & Medical Sciences (AREA)
- Evolutionary Computation (AREA)
- Data Mining & Analysis (AREA)
- Artificial Intelligence (AREA)
- Computer Hardware Design (AREA)
- Neurology (AREA)
- Computer Security & Cryptography (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a kind of software and hardware combined attack methods and device for neural network, wherein method includes the following steps:The sub-neural network containing wooden horse is hidden in original neural network by the default trained flow of software view, under the precision for not influencing original nerve, to be implanted into wooden horse;Judge whether to meet Prerequisite;If meeting Prerequisite, the sub-neural network containing wooden horse is triggered by the predetermined hardware wooden horse circuit of hardware view, to achieve the purpose that software and hardware combined attack.This method realizes that the attack to neural network is simply easily realized to effectively increase and decrease concealment, the feasibility of attack by way of software and hardware combination it is not necessary to modify input picture.
Description
Technical field
The present invention relates to hardware securities and algorithm security technical field, more particularly to a kind of software and hardware for neural network
Gang up against method and device.
Background technology
Currently, machine learning develops rapidly recently, from AlexNet to 2015 years ResNet in 2012, ILSVRC's
The top-5 precision of classification task is increased to 96.4% from 84.7%.Have benefited from its excellent effect, deep learning is for example automatic
Many new application scenarios such as driving and intelligent security guard, which have, to be widely applied.Because these applications are all security requirement pole
It is high and need to calculate in real time, so embedding assembly is more suitable for these scenes.Compared with cloud computing, embedding assembly is by net
Network influence is small, and delay is low, safe.Industry has had many enterprises to provide Embedded solution, such as the TPU of Google
(Tensor Processing Unit, high-performance processor) and DPU (the Deep learningProcessing to reflect deeply
Unit, deep learning processor).Embedded solution generally includes a software tool chain and a set of hardware accelerator.
Wherein software tool chain original model can be pinpointed, a series of compressions such as beta pruning, improve the computational efficiency of network model.
And hardware accelerator is then the application specific processor designed for neural computing, and the high energy efficiency meter of neural network may be implemented
It calculates.
But while extensive use, it also seen that neural network and stable not as good as expecting people and safety.In god
Through having there is many researchs attacked for neural network in terms of network algorithm.2013, Szegedy proposed confrontation
The concept of sample is easy to be entered disturbance small on picture by experiment shows neural network and is confused, point that must be made mistake
Class as a result, then the relevant technologies propose different confrontation sample generating methods, make moderate progress in effect or formation speed,
The result for further demonstrating neural network is easy to be entered disturbance.On the other hand, data contamination is also machine learning secure side
A studied always field of face, attacker is by distorting training dataset so that learns the model performance obtained
Decline.Based on this method, the concept of neural network wooden horse is proposed in field of neural networks.Chen proposes to scheme original training
Piece and specific attack pattern carry out fusion and obtain new training picture, and the classification of new training picture is set to attacker and is wished
Class categories A so that the picture with the attack pattern can be all classified as A classifications by obtained model after training, reach by
Attack attack effect of the pattern as back door.Liu gives a kind of attack graph generating specific shape using back-propagation algorithm
The method of case, and in the case where that can not obtain training set generates training picture by backpropagation, realize with it is above-mentioned similar
Attack effect.
However, there are the same problems for attack method mentioned above, exactly only attacked in software and algorithm level,
The test pictures for needing modification to input, and this modification is compared for attacker and is difficult to realize.Even if there is some for existing
Attack method in the case of reality makes for example, describing a kind of method for traffic sign attack resisting sample using paster
Obtain the image that vehicle-mounted camera captures has certain disturbance with original input image, but this method is still easy to be found and it is imitated
Fruit is influenced by conditions such as the lighting angles of reality.
And attacker's rule of pure hardware view haves the shortcomings that flexibility ratio is poor.Merely from hardware point of view modify without
Model is changed, can achieve the purpose that reduce neural network accelerator performance or provides error result, but cannot achieve institute above
Back door implantation attack stated etc. determines the attack effect of output according to input.
Invention content
The present invention is directed to solve at least some of the technical problems in related technologies.
For this purpose, an object of the present invention is to provide a kind of software and hardware combined attack method for neural network, it should
Method can effectively increase and decrease concealment, the feasibility of attack, simple easily to realize.
It is another object of the present invention to propose a kind of software and hardware combined attack device for neural network.
In order to achieve the above objectives, one aspect of the present invention embodiment proposes a kind of attacks for the software and hardware combined of neural network
Method is hit, is included the following steps:The sub-neural network containing wooden horse is hidden in original by the default trained flow of software view
In some neural networks, under the precision for not influencing original nerve, to be implanted into the wooden horse;Judge whether to meet attack
Condition;If meeting the Prerequisite, contain wooden horse described in the predetermined hardware wooden horse circuit triggering by hardware view
Sub-neural network, to achieve the purpose that software and hardware combined attack.
The software and hardware combined attack method for neural network of the embodiment of the present invention, the side combined by software and hardware
Formula realizes the attack to neural network it is not necessary to modify input picture, and model accuracy is unaffected, and wooden horse does not swash
Performance is consistent with former network when hair, good concealment, simple easily to realize to effectively increase and decrease concealment, the feasibility of attack.
In addition, the software and hardware combined attack method according to the above embodiment of the present invention for neural network can also have
Additional technical characteristic below:
Further, in one embodiment of the invention, the default trained flow specifically includes:According to sub-network
Design treats trained network progress cut operator and obtains the sub-network after beta pruning;According to default target of attack to the beta pruning after
Sub-network carry out the sub-network after attack train, wherein the attack training include classification obscure attack it is trained,
Back door implantation attack training, accuracy decline attack the one or more of training;Passed through according to the sub-network recovery after the training
The weights that the cut operator is removed, and the weights are carried out to restore precision training, with the essence of network to be trained described in recovery
Degree.
Further, in one embodiment of the invention, if described meet the Prerequisite, pass through hardware layer
The predetermined hardware wooden horse circuit triggering sub-neural network containing wooden horse in face, to achieve the purpose that software and hardware combined attack,
Further comprise:If the pixel dimension of the accelerator is parallel, the cross chosen in the accelerator region is made
It is calculated for the sub-neural network, to achieve the purpose that software and hardware combined attack;If input channel is parallel, institute is chosen
It states a preceding default channel in input channel to be calculated as the sub-neural network, to reach the mesh of software and hardware combined attack
's.
Further, in one embodiment of the invention, the predetermined hardware wooden horse circuit of the hardware view includes adding
Method tree circuit multiplies accumulating circuit, specifically includes:MUX is added after multiplication calculates output in the addition tree circuit, and is meeting
When the Prerequisite, multiplication result is exported;It is described to multiply accumulating circuit according to finite state machine progress Count of Status, and meeting
When the Prerequisite, the part output multiplication result in selection state, the output 0 of remainder.
Further, in one embodiment of the invention, wherein if the Prerequisite is unsatisfactory for, by hard
Part accelerator calculates full neural network, to obtain correct result.
In order to achieve the above objectives, another aspect of the present invention embodiment proposes a kind of for the software and hardware combined of neural network
Device is attacked, including:Wooden horse implant module, for by the default trained flow of software view by the sub- nerve net containing wooden horse
Network is hidden in original neural network, under the precision for not influencing original nerve, to be implanted into the wooden horse;Judge mould
Block meets Prerequisite for judging whether;Module is attacked, for when meeting the Prerequisite, passing through hardware view
The predetermined hardware wooden horse circuit triggering sub-neural network containing wooden horse, to achieve the purpose that software and hardware combined attack.
The software and hardware combined attack device for neural network of the embodiment of the present invention, the side combined by software and hardware
Formula realizes the attack to neural network it is not necessary to modify input picture, and model accuracy is unaffected, and wooden horse does not swash
Performance is consistent with former network when hair, good concealment, simple easily to realize to effectively increase and decrease concealment, the feasibility of attack.
In addition, the software and hardware combined attack device according to the above embodiment of the present invention for neural network can also have
Additional technical characteristic below:
Further, in one embodiment of the invention, the default trained flow specifically includes:According to sub-network
Design treats trained network progress cut operator and obtains the sub-network after beta pruning;According to default target of attack to the beta pruning after
Sub-network carry out the sub-network after attack train, wherein the attack training include classification obscure attack it is trained,
Back door implantation attack training, accuracy decline attack the one or more of training;Passed through according to the sub-network recovery after the training
The weights that the cut operator is removed, and the weights are carried out to restore precision training, with the essence of network to be trained described in recovery
Degree.
Further, in one embodiment of the invention, the attack module is further used in the accelerator
When pixel dimension is parallel, the cross chosen in the accelerator region is calculated as the sub-neural network, with
Achieve the purpose that software and hardware combined attack, and when input channel is parallel, chooses preceding default channel in the input channel and make
It is calculated for the sub-neural network, to achieve the purpose that software and hardware combined attack.
Further, in one embodiment of the invention, the predetermined hardware wooden horse circuit of the hardware view includes adding
Method tree circuit multiplies accumulating circuit, wherein MUX is added after multiplication calculates output in the addition tree circuit, and described in satisfaction
When Prerequisite, multiplication result is exported, it is described to multiply accumulating circuit according to finite state machine progress Count of Status, and described in satisfaction
When Prerequisite, the part output multiplication result in selection state, the output 0 of remainder.
Further, in one embodiment of the invention, wherein if the Prerequisite is unsatisfactory for, by hard
Part accelerator calculates full neural network, to obtain correct result.
The additional aspect of the present invention and advantage will be set forth in part in the description, and will partly become from the following description
Obviously, or practice through the invention is recognized.
Description of the drawings
Above-mentioned and/or additional aspect and advantage of the invention will become from the following description of the accompanying drawings of embodiments
Obviously and it is readily appreciated that, wherein:
Fig. 1 is the flow chart according to the software and hardware combined attack method for neural network of one embodiment of the invention;
Fig. 2 is the functional schematic for ganging up against frame according to one embodiment of the invention;
Fig. 3 is the algorithm schematic diagram according to the training flow of one embodiment of the invention;
Fig. 4 is the wooden horse operation workflow figure according to one embodiment of the invention;
Fig. 5 is the parallel sub-network design diagram for pixel dimension according to one embodiment of the invention;
Fig. 6 is the parallel sub-network schematic diagram for input channel according to one embodiment of the invention;
Fig. 7 is the schematic diagram designed according to the add structure of one embodiment of the invention;
Fig. 8 is to be shown according to what accuracy rate in the case of the CIFAR10 data set pixel-parallels of one embodiment of the invention was distributed
It is intended to;
Fig. 9 be according to the CIFAR10 data set input channels of one embodiment of the invention it is parallel in the case of accuracy rate be distributed
Schematic diagram;
Figure 10 is to be shown according to the structure of the software and hardware combined attack device for neural network of one embodiment of the invention
It is intended to.
Specific implementation mode
The embodiment of the present invention is described below in detail, examples of the embodiments are shown in the accompanying drawings, wherein from beginning to end
Same or similar label indicates same or similar element or element with the same or similar functions.Below with reference to attached
The embodiment of figure description is exemplary, it is intended to for explaining the present invention, and is not considered as limiting the invention.
The software and hardware combined attacker for neural network proposed according to embodiments of the present invention is described with reference to the accompanying drawings
Method and device describe the software and hardware combined attack for neural network proposed according to embodiments of the present invention with reference to the accompanying drawings first
Method.
Fig. 1 is the flow chart of the software and hardware combined attack method for neural network of one embodiment of the invention.
As shown in Figure 1, should include the following steps for the software and hardware combined attack method of neural network:
In step S101, the sub-neural network containing wooden horse is hidden in by original by the default trained flow of software view
In some neural networks, under the precision for not influencing original nerve, to be implanted into wooden horse.
It is understood that as shown in Fig. 2, the central idea of the embodiment of the present invention is the association by software and hardware level
With design attack frame.In software view, the embodiment of the present invention is by specifically training flow, by the son god containing wooden horse
Through network concealed in original neural network, hidden implantation wooden horse under the premise of not influencing former neural network accuracy.
That is, in the design of software view, the embodiment of the present invention is used in the premise for not influencing neural network accuracy
Under, the method for sub-neural network is hidden in former network
Further, in one particular embodiment of the present invention, training flow is preset to specifically include:According to sub-network
Design treats trained network progress cut operator and obtains the sub-network after beta pruning;According to default target of attack to the son after beta pruning
Network carries out the sub-network after attack is trained, wherein attack training includes that classification obscures attack training, back door implantation
Attack training, accuracy decline attack the one or more of training;Restore to remove by cut operator according to the sub-network after training
Weights, and to the weights carry out restore precision training, to restore the precision of network to be trained.
Specifically, and in software algorithm level, the embodiment of the present invention proposes a set of trained flow, not influence original
In the case of neural network accuracy, the insertion of sub-network is realized.A whole set of algorithm flow includes the following steps:
(1) cut operator is carried out according to the design of sub-network to trained network.
(2) sub-network obtained to beta pruning with expected target of attack is trained.
(3) to the sub-network obtained in step 2, restore the weights that beta pruning is removed in the 1st step, only this part is instructed
Practice, restores original precision.
It should be noted that the training objective of the 3rd step is consistent with without the proper network training objective of attack, and the
The training objective of 2 steps is then to realize attack effect.Here attack effect can there are many, the embodiment of the present invention is herein
Define three kinds of attack modes:
(1) classification obscures attack:The training picture tag of certain two class is exchanged when training so that neural network is to other
In the case of class classification is normal, makes mistake classification to this two class, lead to decision error in applying.It can be applied to automatic Pilot
Etc. attack under scenes.
(2) classification obscures attack:The training picture tag of certain two class is exchanged when training so that neural network is to other
In the case of class classification is normal, makes mistake classification to this two class, lead to decision error in applying.It can be applied to automatic Pilot
Etc. attack under scenes.
(3) accuracy decline is attacked:Stop to train in advance in a certain precision when to sub- network training, reduce its performance so that
Application reliability reduces.
As shown in figure 3, attack flow in this way, the embodiment of the present invention can be in the premise for not influencing original precision
Under, obtain the neural network of a hiding wooden horse sub-network.
In step s 102, judge whether to meet Prerequisite.
Further, in one particular embodiment of the present invention, wherein if being unsatisfactory for Prerequisite, by hard
Part accelerator calculates full neural network, to obtain correct result.
It is understood that as shown in figure 4, in the case where wooden horse is not activated, hardware accelerator is to full neural network
It is calculated, obtains correct result.
In step s 103, if meeting Prerequisite, contained by the predetermined hardware wooden horse circuit triggering of hardware view
The sub-neural network for having wooden horse, to achieve the purpose that software and hardware combined attack.
It is understood that in hardware view, it is soft to trigger on other occasions to design corresponding hardware Trojan horse circuit
The sub-neural network of part level realizes the purpose of attack.That is, in the case where wooden horse is activated, hardware accelerator is only
Sub-neural network is calculated, error result desired by attacker is provided.In addition, the embodiment of the present invention passes through in additional calculation
Part selection sums up the convolution results of all weights or is summed up to the convolution results of part weights and calculated to control
Full neural network or sub-neural network.
Further, in one particular embodiment of the present invention, if meeting Prerequisite, pass through hardware view
Predetermined hardware wooden horse circuit triggers the sub-neural network containing wooden horse, to achieve the purpose that software and hardware combined attack, further wraps
It includes:If the pixel dimension of accelerator is parallel, in accelerator region a cross is carried out as sub-neural network
It calculates, to achieve the purpose that software and hardware combined attack;If input channel is parallel, preceding default channel in input channel is chosen
It is calculated as sub-neural network, to achieve the purpose that software and hardware combined attack.
Since hardware accelerator has different Parallel Design thinkings, design of the embodiment of the present invention for sub-neural network
It is divided into two kinds.As shown in figure 5, the first is for the parallel of pixel dimension, i.e., convolution kernel calculates time width and high dimension is parallel
It calculates.In this case, by taking the convolution kernel of a 3x3 as an example, one of cross conduct can be taken to the region of each 3x3
Sub-network is calculated.As shown in fig. 6, second is for the parallel of input channel, the embodiment of the present invention can choose every n
First k in input channel is calculated as sub-network.
Further, in one particular embodiment of the present invention, the predetermined hardware wooden horse circuit of hardware view includes adding
Method tree circuit multiplies accumulating circuit, specifically includes:MUX is added after multiplication calculates output in addition tree circuit, and is attacked meeting
When condition, multiplication result is exported;Multiply accumulating circuit and Count of Status carried out according to finite state machine, and when meeting Prerequisite,
Part output multiplication result in selection state, the output 0 of remainder.
Specifically, as shown in fig. 7, in add circuit design aspect, the embodiment of the present invention is also for add tree and multiplies tired
The two different add structure of device are added to devise two kinds of circuits.For addition tree circuit, MUX is added after multiplication calculates output,
According to wooden horse, whether triggering selection exports multiplication result or 0.And for multiplying accumulating circuit, carry out state meter with finite state machine
Number, if wooden horse is triggered, to the preceding k selection output multiplication result in every n state, others output 0.And in hardware wood
Horse triggers design aspect, since attacker is the design side of hardware circuit, so the design of hardware Trojan horse trigger is to be easy to
, simplest way is exactly directly to be signally attached on some output pin using trigger signal as 1bit, then
It can trigger by radio receiving transmitting module etc..
In one particular embodiment of the present invention, the training flow of the embodiment of the present invention in CIFAR10 and
The experiment that classification obscures attack is carried out on YouTubeFacesDatabase, the network used is ResNet-20.
CIFAR10 is upper to have carried out classification to 0 class (aircraft) and 1 class (automobile) and has obscured, to experimental result such as Fig. 8 and table 1 of pixel-parallel
It is shown, it is that 10 respective accuracys rate of classification trigger/not triggering/primitive network that do not attacked in wooden horse in CIFAR10 in Fig. 8
Distribution in the case of three kinds, table 1 are the classification results for two classes being confused, it can be seen that by training flow, precision does not almost have
Have it is impacted, wooden horse activation after, two categories are mistakenly classified as another kind with very high probability.Wherein, table 1 is
Attack effect table in the case of CIFAR10 data set pixel-parallels.
Table 1
And when input channel is parallel, as a result as shown in Fig. 9 and table 2, it can be seen that precision has certain decline, but still rises
Expected effect is arrived.Wherein, table 2 is attack effect table in the case of CIFAR10 data set input channels are parallel.
Table 2
Meanwhile the embodiment of the present invention also tests YouTubeFaces data, effect is as shown in table 3, completes pre-
The target of attack of phase.Table 3 is YouTubeFaces experimental result data tables.
Table 3
To sum up, the case where embodiment of the present invention provides software tool chain and hardware accelerator for attacker, proposes to be directed to
The software and hardware combined attack frame of neural network is asked to solve the existing feasibility of simple software view attack and concealment
Topic.
The software and hardware combined attack method for neural network proposed according to embodiments of the present invention, passes through software and hardware
In conjunction with mode realize attack to neural network it is not necessary to modify input picture, and model accuracy is unaffected,
Performance is consistent with former network when wooden horse does not excite, good concealment, simple easy to effectively increase and decrease concealment, the feasibility of attack
It realizes.
The software and hardware combined attack for neural network proposed according to embodiments of the present invention referring next to attached drawing description fills
It sets.
Figure 10 is the structural schematic diagram of the software and hardware combined attack device for neural network of one embodiment of the invention.
As shown in Figure 10, should include for the software and hardware combined attack device 10 of neural network:Wooden horse implant module 100,
Judgment module 200 and attack module 300.
Wherein, wooden horse implant module 100 is used for by the default trained flow of software view that the son containing wooden horse is neural
It is network concealed in original neural network, under the precision for not influencing original nerve, be implanted into wooden horse.Judgment module 200
For judging whether to meet Prerequisite.It attacks module 300 to be used for when meeting Prerequisite, passes through the default hard of hardware view
Part wooden horse circuit triggers the sub-neural network containing wooden horse, to achieve the purpose that software and hardware combined attack.The embodiment of the present invention
The attack of realization to neural network it is not necessary to modify input picture by way of software and hardware combination of device 10,
It is simple easily to realize to effectively increase and decrease concealment, the feasibility of attack.
Further, in one embodiment of the invention, training flow is preset to specifically include:According to the design of sub-network
It treats trained network progress cut operator and obtains the sub-network after beta pruning;According to default target of attack to the sub-network after beta pruning
Carry out the sub-network after attack is trained, wherein attack training includes that classification obscures attack training, back door implantation attack
Training, accuracy decline attack the one or more of training;The power for restoring to remove by cut operator according to the sub-network after training
Value, and the weights are carried out to restore precision training, to restore the precision of network to be trained.
Further, in one embodiment of the invention, attack module 300 is further used for tieing up in the pixel of accelerator
When spending parallel, a cross in accelerator region is calculated as sub-neural network, to reach software and hardware combined
The purpose of attack, and when input channel is parallel, chooses a preceding default channel in input channel and counted as sub-neural network
It calculates, to achieve the purpose that software and hardware combined attack.
Further, in one embodiment of the invention, the predetermined hardware wooden horse circuit of hardware view includes add tree
Circuit multiplies accumulating circuit, wherein MUX is added after multiplication calculates output in addition tree circuit, and when meeting Prerequisite, defeated
Go out multiplication as a result, multiplying accumulating circuit according to finite state machine progress Count of Status, and when meeting Prerequisite, in selection state
A part output multiplication result, the output 0 of remainder.
Further, in one embodiment of the invention, wherein if being unsatisfactory for Prerequisite, added by hardware
Fast device calculates full neural network, to obtain correct result.
It should be noted that the aforementioned explanation to the software and hardware combined attack method embodiment for neural network
Suitable for the software and hardware combined attack device for neural network of the embodiment, details are not described herein again.
The software and hardware combined attack device for neural network proposed according to embodiments of the present invention, passes through software and hardware
In conjunction with mode realize attack to neural network it is not necessary to modify input picture, and model accuracy is unaffected,
Performance is consistent with former network when wooden horse does not excite, good concealment, simple easy to effectively increase and decrease concealment, the feasibility of attack
It realizes.
In the description of the present invention, it is to be understood that, term "center", " longitudinal direction ", " transverse direction ", " length ", " width ",
" thickness ", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom" "inner", "outside", " up time
The orientation or positional relationship of the instructions such as needle ", " counterclockwise ", " axial direction ", " radial direction ", " circumferential direction " be orientation based on ... shown in the drawings or
Position relationship is merely for convenience of description of the present invention and simplification of the description, and does not indicate or imply the indicated device or element must
There must be specific orientation, with specific azimuth configuration and operation, therefore be not considered as limiting the invention.
In addition, term " first ", " second " are used for description purposes only, it is not understood to indicate or imply relative importance
Or implicitly indicate the quantity of indicated technical characteristic.Define " first " as a result, the feature of " second " can be expressed or
Implicitly include at least one this feature.In the description of the present invention, the meaning of " plurality " is at least two, such as two, three
It is a etc., unless otherwise specifically defined.
In the present invention unless specifically defined or limited otherwise, term " installation ", " connected ", " connection ", " fixation " etc.
Term shall be understood in a broad sense, for example, it may be being fixedly connected, may be a detachable connection, or integral;Can be that machinery connects
It connects, can also be electrical connection;It can be directly connected, can also can be indirectly connected through an intermediary in two elements
The interaction relationship of the connection in portion or two elements, unless otherwise restricted clearly.For those of ordinary skill in the art
For, the specific meanings of the above terms in the present invention can be understood according to specific conditions.
In the present invention unless specifically defined or limited otherwise, fisrt feature can be with "above" or "below" second feature
It is that the first and second features are in direct contact or the first and second features pass through intermediary mediate contact.Moreover, fisrt feature exists
Second feature " on ", " top " and " above " but fisrt feature be directly above or diagonally above the second feature, or be merely representative of
Fisrt feature level height is higher than second feature.Fisrt feature second feature " under ", " lower section " and " below " can be
One feature is directly under or diagonally below the second feature, or is merely representative of fisrt feature level height and is less than second feature.
In the description of this specification, reference term " one embodiment ", " some embodiments ", " example ", " specifically show
The description of example " or " some examples " etc. means specific features, structure, material or spy described in conjunction with this embodiment or example
Point is included at least one embodiment or example of the invention.In the present specification, schematic expression of the above terms are not
It must be directed to identical embodiment or example.Moreover, particular features, structures, materials, or characteristics described can be in office
It can be combined in any suitable manner in one or more embodiments or example.In addition, without conflicting with each other, the skill of this field
Art personnel can tie the feature of different embodiments or examples described in this specification and different embodiments or examples
It closes and combines.
Although the embodiments of the present invention has been shown and described above, it is to be understood that above-described embodiment is example
Property, it is not considered as limiting the invention, those skilled in the art within the scope of the invention can be to above-mentioned
Embodiment is changed, changes, replacing and modification.
Claims (10)
1. a kind of software and hardware combined attack method for neural network, which is characterized in that include the following steps:
The sub-neural network containing wooden horse is hidden in original neural network by the default trained flow of software view, with
Under the precision for not influencing original nerve, it is implanted into the wooden horse;
Judge whether to meet Prerequisite;And
If meeting the Prerequisite, pass through the predetermined hardware wooden horse circuit triggering son containing wooden horse of hardware view
Neural network, to achieve the purpose that software and hardware combined attack.
2. the software and hardware combined attack method according to claim 1 for neural network, which is characterized in that described default
Training flow specifically includes:
Trained network progress cut operator, which is treated, according to the design of sub-network obtains the sub-network after beta pruning;
The sub-network after attack is trained is carried out to the sub-network after the beta pruning according to default target of attack, wherein
The attack training includes one kind or more that classification obscures attack training, back door implantation attack training, accuracy decline attack training
Kind;
According to the weights that the sub-network after the training is restored to remove by the cut operator, and the weights are carried out to restore essence
Degree training, with the precision of network to be trained described in recovery.
3. the software and hardware combined attack method according to claim 2 for neural network, which is characterized in that if described
Meet the Prerequisite, then the sub- nerve net containing wooden horse is triggered by the predetermined hardware wooden horse circuit of hardware view
Network is further comprised with achieving the purpose that software and hardware combined attack:
If the pixel dimension of the accelerator is parallel, a cross in the accelerator region is chosen as the son
Neural network is calculated, to achieve the purpose that software and hardware combined attack;
If input channel is parallel, chooses a preceding default channel in the input channel and counted as the sub-neural network
It calculates, to achieve the purpose that software and hardware combined attack.
4. wanting the software and hardware combined attack method for neural network described in 1 according to right, which is characterized in that the hardware layer
The predetermined hardware wooden horse circuit in face includes addition tree circuit or multiplies accumulating circuit, is specifically included:
MUX is added after multiplication calculates output in the addition tree circuit, and when meeting the Prerequisite, exports multiplication knot
Fruit;
It is described to multiply accumulating circuit according to finite state machine progress Count of Status, and when meeting the Prerequisite, select state
In a part output multiplication result, the output 0 of remainder.
5. wanting software and hardware combined attack method of the 1-4 any one of them for neural network according to right, which is characterized in that its
In, if being unsatisfactory for the Prerequisite, full neural network is calculated by hardware accelerator, correctly to be tied
Fruit.
6. a kind of software and hardware combined attack device for neural network, which is characterized in that including:
Wooden horse implant module, for the sub-neural network containing wooden horse to be hidden in original by the default trained flow of software view
In some neural networks, under the precision for not influencing original nerve, to be implanted into the wooden horse;
Judgment module meets Prerequisite for judging whether;And
Module is attacked, for when meeting the Prerequisite, described in the predetermined hardware wooden horse circuit triggering by hardware view
Sub-neural network containing wooden horse, to achieve the purpose that software and hardware combined attack.
7. the software and hardware combined attack device according to claim 6 for neural network, which is characterized in that described default
Training flow specifically includes:
Trained network progress cut operator, which is treated, according to the design of sub-network obtains the sub-network after beta pruning;
The sub-network after attack is trained is carried out to the sub-network after the beta pruning according to default target of attack, wherein
The attack training includes one kind or more that classification obscures attack training, back door implantation attack training, accuracy decline attack training
Kind;
According to the weights that the sub-network after the training is restored to remove by the cut operator, and the weights are carried out to restore essence
Degree training, with the precision of network to be trained described in recovery.
8. the software and hardware combined attack device according to claim 7 for neural network, which is characterized in that the attack
Module is further used for when the pixel dimension of the accelerator is parallel, and the cross chosen in the accelerator region is made
It is calculated for the sub-neural network, to achieve the purpose that software and hardware combined attack, and when input channel is parallel, chooses institute
It states a preceding default channel in input channel to be calculated as the sub-neural network, to reach the mesh of software and hardware combined attack
's.
9. wanting the software and hardware combined attack device for neural network described in 6 according to right, which is characterized in that the hardware layer
The predetermined hardware wooden horse circuit in face includes addition tree circuit or multiplies accumulating circuit, wherein the addition tree circuit is calculated in multiplication
MUX is added after output, and when meeting the Prerequisite, exports multiplication result, it is described to multiply accumulating circuit according to finite state
Machine carries out Count of Status, and when meeting the Prerequisite, the part output multiplication result in selection state, remainder
Output 0.
10. wanting software and hardware combined attack device of the 6-9 any one of them for neural network according to right, which is characterized in that
Wherein, if being unsatisfactory for the Prerequisite, full neural network is calculated by hardware accelerator, correctly to be tied
Fruit.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810371573.3A CN108596336A (en) | 2018-04-24 | 2018-04-24 | For the software and hardware combined attack method and device of neural network |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810371573.3A CN108596336A (en) | 2018-04-24 | 2018-04-24 | For the software and hardware combined attack method and device of neural network |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN108596336A true CN108596336A (en) | 2018-09-28 |
Family
ID=63614868
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810371573.3A Pending CN108596336A (en) | 2018-04-24 | 2018-04-24 | For the software and hardware combined attack method and device of neural network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108596336A (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112329931A (en) * | 2021-01-04 | 2021-02-05 | 北京智源人工智能研究院 | Countermeasure sample generation method and device based on proxy model |
| CN113111349A (en) * | 2021-04-25 | 2021-07-13 | 浙江大学 | Backdoor attack defense method based on thermodynamic diagram, reverse engineering and model pruning |
| CN113255909A (en) * | 2021-05-31 | 2021-08-13 | 北京理工大学 | Clean label neural network back door implantation system based on universal countermeasure trigger |
| CN113269308A (en) * | 2021-05-31 | 2021-08-17 | 北京理工大学 | Clean label neural network back door implantation method based on universal countermeasure trigger |
| US11394742B2 (en) | 2020-08-17 | 2022-07-19 | International Business Machines Corporation | Detecting trojan neural networks |
-
2018
- 2018-04-24 CN CN201810371573.3A patent/CN108596336A/en active Pending
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11394742B2 (en) | 2020-08-17 | 2022-07-19 | International Business Machines Corporation | Detecting trojan neural networks |
| CN112329931A (en) * | 2021-01-04 | 2021-02-05 | 北京智源人工智能研究院 | Countermeasure sample generation method and device based on proxy model |
| CN113111349A (en) * | 2021-04-25 | 2021-07-13 | 浙江大学 | Backdoor attack defense method based on thermodynamic diagram, reverse engineering and model pruning |
| CN113111349B (en) * | 2021-04-25 | 2022-04-29 | 浙江大学 | Backdoor attack defense method based on thermodynamic diagram, reverse engineering and model pruning |
| CN113255909A (en) * | 2021-05-31 | 2021-08-13 | 北京理工大学 | Clean label neural network back door implantation system based on universal countermeasure trigger |
| CN113269308A (en) * | 2021-05-31 | 2021-08-17 | 北京理工大学 | Clean label neural network back door implantation method based on universal countermeasure trigger |
| CN113269308B (en) * | 2021-05-31 | 2022-11-18 | 北京理工大学 | Clean label neural network back door implantation method based on universal countermeasure trigger |
| CN113255909B (en) * | 2021-05-31 | 2022-12-13 | 北京理工大学 | Clean label neural network back door implantation system based on universal countermeasure trigger |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108596336A (en) | For the software and hardware combined attack method and device of neural network | |
| Buro | Real-time strategy games: A new AI research challenge | |
| Buro et al. | RTS games and real-time AI research | |
| Cohen | The use of deception techniques: Honeypots and decoys | |
| CN108647414A (en) | Operation plan adaptability analysis method based on emulation experiment and storage medium | |
| CN108764453B (en) | Modeling method and action prediction system for multi-agent synchronous game | |
| CN107566387A (en) | Cyber-defence action decision method based on attacking and defending evolutionary Game Analysis | |
| Lee et al. | In-game action sequence analysis for game bot detection on the big data analysis platform | |
| CN106267822A (en) | The method of testing of game performance and device | |
| CN110348907A (en) | A kind of orientation method and device of advertisement crowd | |
| CN109190750A (en) | The small sample generation method and device of network are generated based on confrontation | |
| Sudit et al. | Situational awareness of a coordinated cyber attack | |
| Updyke et al. | Ghosts in the machine: A framework for cyber-warfare exercise npc simulation | |
| Mazurczyk et al. | Towards a systematic view on cybersecurity ecology | |
| Husodo et al. | Enhanced social spider optimization algorithm for increasing performance of multiple pursuer drones in neutralizing attacks from multiple evader drones | |
| Muslea et al. | Adaptive view validation: A first step towards automatic view detection | |
| CN109925712B (en) | Virtual object control system | |
| Qiu et al. | Mt-mtd: muti-training based moving target defense trojaning attack in edged-AI network | |
| Shoshitaishvili et al. | Do you feel lucky? A large-scale analysis of risk-rewards trade-offs in cyber security | |
| CN111885011B (en) | Method and system for analyzing and mining safety of service data network | |
| Fusano et al. | Study of multi-agent based combat simulation for grouped OODA Loop | |
| Soros et al. | How the strictness of the minimal criterion impacts open-ended evolution | |
| CN114239049A (en) | Parameter compression-based defense method facing federal learning privacy reasoning attack | |
| Kaviani et al. | Application of complex systems in neural networks against Backdoor attacks | |
| Anithaashri et al. | Enhancing the Network Security Using Amalgam Games |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20180928 |
|
| RJ01 | Rejection of invention patent application after publication |