CN117350364A - Knowledge distillation-based code pre-training model countermeasure sample generation method and system - Google Patents

Info

Publication number
CN117350364A
Authority
CN
China
Prior art keywords
model
fitness
samples
training
challenge
Legal status
Pending
Application number
CN202311340360.1A
Other languages
Chinese (zh)
Inventor
孙小兵
刘欣炜
薄莉莉
刘湘月
李斌
Current Assignee
Yangzhou University
Original Assignee
Yangzhou University

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks
    • G06N3/08 Learning methods > G06N3/094 Adversarial learning
    • G06N3/04 Architecture, e.g. interconnection topology > G06N3/045 Combinations of networks
    • G06N3/04 Architecture, e.g. interconnection topology > G06N3/0475 Generative networks
    • G06N3/04 Architecture, e.g. interconnection topology > G06N3/0495 Quantised networks; Sparse networks; Compressed networks
    • G06N3/08 Learning methods > G06N3/086 Learning methods using evolutionary algorithms, e.g. genetic algorithms or genetic programming
    • G06N3/08 Learning methods > G06N3/096 Transfer learning


Abstract

The invention discloses a knowledge-distillation-based method and system for generating adversarial samples for pre-trained code models. The method comprises the following steps: S1, acquiring an open source dataset comprising a plurality of samples; S2, obtaining a pre-trained code model and, based on robustness-aware knowledge distillation, establishing a plurality of optimal student models corresponding to the pre-trained code model; S3, attacking the optimal student models with the samples and extracting the samples that attack successfully as adversarial samples; S4, attacking the pre-trained code model with the adversarial samples and extracting the adversarial samples that attack successfully to form an adversarial set. The adversarial set constitutes the generated adversarial samples. Correspondingly, the system comprises an open source data collection module, a robustness-aware knowledge distillation module, a student model attack module and a pre-trained code model attack module. The method and system are characterized by high robustness, sample transferability and a good attack effect.

Description

Knowledge distillation-based adversarial sample generation method and system for pre-trained code models
Technical Field
The invention relates to the field of intelligent system security, and in particular to a knowledge-distillation-based method and system for generating adversarial samples for pre-trained code models.
Background
Knowledge distillation (KD) is a classical model compression method. Its core idea is to guide a lightweight student model to imitate a better-performing, structurally more complex teacher model (or multi-model ensemble), so that the performance of the student model improves without changing its structure. The student model is trained to mimic the behavior of the teacher model, thereby transferring the knowledge in the teacher model into the student model. Knowledge distillation methods include, but are not limited to, having the teacher model run inference on the training samples, generating the predicted probability of each sample for each class as soft labels, and training a student model of a specific structure with those soft labels.
A pre-trained model is a deep learning model whose training process comprises two stages, pre-training and fine-tuning. Pre-trained models include autoencoding language models and autoregressive language models. Autoencoding language models are mostly implemented with neural networks, and this is the kind of model adopted in the invention. Previous studies have found that neural networks are vulnerable to attack: small, unnoticeable modifications to the input data may lead to completely different predictions, creating a security risk. This not only limits the application of neural networks in environments with high security requirements but also reduces their reliability as data analysis and processing tools. The resistance of a neural network model to such attacks is referred to as neural network security. Existing knowledge distillation techniques for pre-trained models do not address neural network security.
In recent years, researchers have begun to apply adversarial attack methods from the field of natural language processing to the field of code processing, attempting to construct inputs that mislead a code model and cause it to make erroneous decisions. Against a code model, an attacker deliberately makes small perturbations to the input code. Such perturbations may lead the model to misinterpret the code, resulting in security holes, functional errors, performance degradation, and even serious system failures. This can have serious consequences for software development and security, such as data leakage, malfunction and system crashes, and can even threaten user privacy and security. To solve these problems, researchers have proposed a series of methods. Research at the present stage mainly focuses on understanding the attack principle, exploring different attack methods, and preliminary defensive measures. Later researchers proposed different types of methods for generating adversarial examples, such as white-box attacks and black-box attacks. In a white-box attack, the attacker can obtain the internal structure and parameters of the target model, including its architecture, weights, activation functions and other information. In a black-box attack, the attacker interacts with the target model only through its inputs and outputs, without knowing anything about its internal structure and parameters. However, the above code models can be attacked directly with white-box and black-box attacks, i.e. existing code models are not robust.
In recent years, researchers have begun exploring techniques such as fuzz testing and gradient optimization to generate adversarial examples. Fuzz testing randomly generates input examples to find examples that may disturb the model. Gradient optimization methods use the gradient information of the model to optimize the input step by step into an adversarial input. Among them, ALERT and carrier are methods that have proven to be more efficient than other methods. However, their attack success rate and efficiency are low and need further improvement, and their attack effect is poor.
Disclosure of Invention
Object of the invention: the invention aims to provide a knowledge-distillation-based method and system for generating adversarial samples for pre-trained code models, with high robustness, sample transferability and a good attack effect.
Technical scheme: the knowledge-distillation-based adversarial sample generation method for pre-trained code models according to the invention comprises the following steps:
S1, acquiring an open source dataset, wherein the open source dataset comprises a plurality of samples;
S2, obtaining a pre-trained code model, and establishing a plurality of optimal student models corresponding to the pre-trained code model based on robustness-aware knowledge distillation;
S3, attacking the optimal student models with samples from the open source dataset, and extracting the samples that attack successfully as adversarial samples;
S4, attacking the pre-trained code model with the adversarial samples, and extracting the adversarial samples that attack successfully to form an adversarial set.
Further, in step S1, acquiring the open source dataset includes the following steps:
S11, collecting initial datasets applicable to different downstream tasks of the code model, wherein the downstream tasks comprise defect detection, code authorship attribution and clone detection;
S12, preprocessing the initial dataset, and outputting the open source dataset after operations including removing code files in irrelevant languages and adjusting the ratio of positive to negative samples.
Further, the initial dataset is collected from open source repositories and/or from platforms and contests dedicated to adversarial research.
Further, the pre-trained code model has a plurality of groups of parameter combinations, each group corresponding to one student model, and in step S2, obtaining the optimal student models includes the following steps:
S21, analyzing the groups of parameter combinations in the pre-trained code model, calculating the core parameters corresponding to each group, and selecting parameter combinations according to the size of the core parameters to form a search space;
S22, searching the search space for an optimal parameter combination with a genetic algorithm, to serve as the optimal solution;
S23, establishing a plurality of optimal student models based on the optimal solution.
Further, step S22 specifically includes the following steps:
S221, population initialization: establishing an initial population based on the search space, wherein the initial population comprises N initial individuals, and each initial individual is a group of parameter combinations randomly selected from the search space;
S222, fitness evaluation: designing a fitness function for evaluating the fitness of the student model and of the pre-trained code model, with the following formula:
$$\mathrm{Fitness}(M) = \omega_1\, d(D) + \omega_2\, d(\mathrm{MHM}(D)) + \omega_3\,(-W_M)$$
where Fitness() is the fitness function; $\omega_1$, $\omega_2$, $\omega_3$ are the weights of the three factors in the fitness function; MHM denotes a simple adversarial attack technique; M, the argument of the fitness function, is the model whose fitness is to be calculated, namely the distilled student model S or the pre-trained code model T; D is the dataset corresponding to the downstream task; $W_M$ is the parameter size of the model M; and d() denotes the prediction result of the selected model;
S223, natural selection: randomly selecting t initial individuals from the initial population, based on a tournament selection algorithm, to form a contest group;
n contests are held within the contest group. In each contest, m initial individuals are selected from the contest group as competitors, the fitness value of each of the m competitors is calculated, and the competitor with the maximum fitness value is selected as the n-th winner. Contests continue until n meets the quantity condition, and all winners together form the parent population; the parent population comprises n parent individuals, each of which is a winner;
The formula for selecting among competitors is as follows:
$$\mathrm{Winner} = \arg\max_{i \in \mathrm{Tournament}} f(\mathrm{Ind}_i)$$
where Winner is the tournament selection algorithm; the arg max function is used to process the tensor; Tournament is the contest group; $\mathrm{Ind}_i$ is the i-th individual in the contest group; and $f(\mathrm{Ind}_i)$ is the fitness value of individual $\mathrm{Ind}_i$;
S224, iterative evolution: updating and replacing the parent population through genetic operations to form a child population, wherein the child population comprises a plurality of child individuals, and calculating the fitness value Fitness(S) of the child individuals;
In step S224, the genetic operations include a crossover operation and a mutation operation. The crossover operation turns any two parent individuals in the parent population into a child individual according to the following formula:
$$C(p_1, p_2) = (p_1[1:k] + p_2[k+1:])$$
where $p_1$, $p_2$ are two parent individuals; $C(p_1, p_2)$ crosses individuals $p_1$ and $p_2$ to generate an offspring individual; k is a randomly selected crossover point; and $[1:k]$ and $[k+1:]$ are the selected crossover segments;
The mutation operation changes certain genes or parameters of a parent individual, with the following formula:
$$M(p) = p + \Delta$$
where $M(p)$ represents the result of mutating individual p, and $\Delta$ is a small random perturbation;
S225, calculating the fitness value Fitness(T) of the pre-trained code model and comparing it with the fitness value Fitness(S) of each child individual; if Fitness(S) < Fitness(T), repeating steps S223-S225; if Fitness(S) > Fitness(T), outputting the child individual as the optimal solution.
Further, step S3 specifically includes the following steps:
S31, designing an accuracy function and calculating the accuracy of the student model; designing a robustness function and calculating the robustness of the student model;
S32, when certain accuracy and robustness are met, attacking the student model with the samples, designing an attack success rate function, and calculating the attack success rate of the samples;
S33, screening out the samples whose attack is ineffective, and retaining the samples that attack successfully as the adversarial samples to output.
Further, the accuracy function formula is as follows:
wherein TP (True Positive) is the number of samples the model correctly classifies as positive; TN (True Negative) is the number of samples the model correctly classifies as negative; FP (False Positive) is the number of samples that the model misclassifies as positive; FN (False Negative) is the number of samples the model misclassifies as negative.
The robustness function formula is as follows:
$$\mathrm{Robustness} = P(y = y' \mid x, x')$$
where $P(y = y' \mid x, x')$ represents the probability that the model output is correct given the input $x$ and the adversarial sample $x'$.
Further, the formula of the attack success rate function is as follows:
where $q(y_{\mathrm{pred},i}, y_{\mathrm{target},i})$ is a predictive function that returns 1 if $y_{\mathrm{pred},i} \neq y_{\mathrm{target},i}$ and 0 otherwise.
Further, step S4 specifically includes the following steps: attacking the pre-trained code model with the adversarial samples, calculating the attack success rate corresponding to each adversarial sample based on the attack success rate function, and extracting the adversarial samples that attack successfully, according to the attack success rate, to form the adversarial set.
Technical scheme: the knowledge-distillation-based adversarial sample generation system for pre-trained code models according to the invention comprises the following:
the system comprises an open source data collection module, a data acquisition module and a data analysis module, wherein the open source data collection module is used for obtaining an open source dataset, and the open source dataset comprises a plurality of samples;
the robustness-aware knowledge distillation module is used for obtaining a pre-trained code model and establishing a plurality of optimal student models corresponding to the pre-trained code model based on robustness-aware knowledge distillation;
the student model attack module is used for attacking the optimal student models with samples from the open source dataset, and extracting the samples that attack successfully as adversarial samples;
and the pre-trained code model attack module is used for attacking the pre-trained code model with the adversarial samples, and extracting the adversarial samples that attack successfully to form an adversarial set.
Beneficial effects: the invention has the following notable effects. 1. High robustness: the invention extracts the optimal solution for the student model based on robustness-aware knowledge distillation, so that ineffective perturbed samples are filtered out better. 2. Samples are transferable: the invention fine-tunes the teacher model with the adversarial set composed of the adversarial samples extracted via the student model and, using a transfer attack strategy in which the adversarial samples attack the fine-tuned model, finds that the model can resist most of the adversarial-sample attacks; it studies the transferability of adversarial examples across code models and shows that adversarial samples for pre-trained code models are transferable to a certain degree. 3. Good attack effect: the transfer attack strategy for pre-trained code models provided by the invention improves the attack success rate and reduces the time cost.
Drawings
FIG. 1 is a flow chart of the adversarial sample generation method of the present invention;
FIG. 2 is a flow chart of the robustness-aware knowledge distillation employed in the present invention.
Detailed Description
The invention is further elucidated below in connection with the drawings and the detailed description.
Referring to FIG. 1 and FIG. 2, the invention discloses a knowledge-distillation-based adversarial sample generation method for pre-trained code models, which comprises the following steps:
S1, acquiring an open source dataset, wherein the open source dataset comprises a plurality of samples.
S2, obtaining a pre-trained code model, and establishing a plurality of optimal student models corresponding to the pre-trained code model based on robustness-aware knowledge distillation.
S3, attacking the optimal student models with samples from the open source dataset, and extracting the samples that attack successfully as adversarial samples.
S4, attacking the pre-trained code model with the adversarial samples, and extracting the adversarial samples that attack successfully to form an adversarial set.
The adversarial sample generation method is described in detail below.
In step S1, acquiring the open source dataset includes the following steps:
S11, collecting initial datasets applicable to different downstream tasks of the code model, wherein the downstream tasks comprise defect detection (Vulnerability Prediction), code authorship attribution (Authorship Attribution) and clone detection (Clone Detection).
S12, preprocessing the initial dataset, and outputting the open source dataset after removing code files in irrelevant languages and adjusting the ratio of positive to negative samples.
In this embodiment, the initial dataset is collected from open source repositories and/or from platforms and contests dedicated to adversarial research. The open source repositories include GitHub, and the platforms and contests dedicated to adversarial research include GCJ.
In step S2, the pre-trained code model has a plurality of groups of parameter combinations, each group corresponding to one student model, and obtaining the optimal student models includes the following steps:
S21, analyzing the groups of parameter combinations in the pre-trained code model, calculating the core parameters corresponding to each group, and selecting parameter combinations according to the size of the core parameters to form a search space.
S22, searching the search space for an optimal parameter combination with a genetic algorithm, and taking it as the optimal solution for the student model. Each student model builds its architecture from its parameter combination. The genetic algorithm treats the architecture of each student model as an independent individual, and the architectures remain independent of one another during the search, which makes it easier to analyze multiple architectures. The search mainly comprises the following steps: population initialization, fitness evaluation, natural selection and iterative evolution.
S23, establishing a plurality of optimal student models based on the optimal solution.
In this embodiment, step S22 specifically includes the following steps:
S221, population initialization: an initial population is established based on the search space, the initial population comprising N initial individuals, each of which is a group of parameter combinations randomly selected from the search space. A set of initial individuals is generated at random in the search space to form an initial population of size N; the individuals are typically candidate solutions or parameter sets in the problem space, expressed as $P = [p_1, p_2, \ldots, p_N]$, where $p_i$ represents the i-th individual.
S222, fitness evaluation: a fitness function is designed for evaluating the fitness values of the student model and of the pre-trained code model. When evaluating student models, the fitness function evaluates each initial individual in the initial population to determine its fitness for solving the problem. The fitness function mainly considers three factors: the accuracy, the robustness and the parameter scale of the student model. A robustness weight is introduced into the fitness function to ensure that the genetic algorithm obtains parameter combinations corresponding to sufficiently robust student models. The fitness function formula is as follows:
$$\mathrm{Fitness}(M) = \omega_1\, d(D) + \omega_2\, d(\mathrm{MHM}(D)) + \omega_3\,(-W_M)$$
where Fitness() is the fitness function; $\omega_1$, $\omega_2$, $\omega_3$ are the weights of the three factors in the fitness function; MHM denotes a simple adversarial attack technique; M, the argument of the fitness function, is the model whose fitness is to be calculated, namely the distilled student model S or the pre-trained code model T; D is the dataset corresponding to the downstream task; $W_M$ is the parameter size of the model M; and d() denotes the prediction result of the selected model.
S223, natural selection: t initial individuals are randomly selected from the initial population, based on a tournament selection algorithm, to form a contest group.
n contests are held within the contest group. In each contest, m initial individuals are selected from the contest group as competitors, the fitness value of each of the m competitors is calculated, and the competitor with the maximum fitness value is selected as the n-th winner. Contests continue until n meets the quantity condition, and all winners together form the parent population. The parent population comprises n parent individuals, each of which is a winner.
The formula for selecting among competitors is as follows:
$$\mathrm{Winner} = \arg\max_{i \in \mathrm{Tournament}} f(\mathrm{Ind}_i)$$
where Winner is the tournament selection algorithm; the arg max function is used to process the tensor; Tournament is the contest group; $\mathrm{Ind}_i$ is the i-th individual in the contest group; and $f(\mathrm{Ind}_i)$ is the fitness value of individual $\mathrm{Ind}_i$.
S224, iterative evolution: the parent population is updated and replaced through genetic operations to form a child population, which comprises a plurality of child individuals, and the fitness value Fitness(S) of the child individuals is calculated. The genetic operations mimic the genetic process in biological evolution to gradually improve the individuals in the parent population.
In step S224, the genetic operations include a crossover operation and a mutation operation. The crossover operation turns any two parent individuals in the parent population into a child individual according to the following formula:
$$C(p_1, p_2) = (p_1[1:k] + p_2[k+1:])$$
where $p_1$, $p_2$ are two parent individuals; $C(p_1, p_2)$ crosses individuals $p_1$ and $p_2$ to generate an offspring individual; k is a randomly selected crossover point; and $[1:k]$ and $[k+1:]$ are the selected crossover segments.
The mutation operation changes certain genes or parameters of a parent individual, with the following formula:
$$M(p) = p + \Delta$$
where $M(p)$ represents the result of mutating individual p, and $\Delta$ is a small random perturbation.
S225, the fitness value Fitness(T) of the pre-trained code model is calculated and compared with the fitness value Fitness(S) of each child individual; if Fitness(S) < Fitness(T), steps S223-S225 are repeated; if Fitness(S) > Fitness(T), the child individual is output as the optimal solution for the student model.
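The search loop of steps S221-S225, written out as an added Python example (not code from the patent). The search space, the weights, the teacher measurements and the `evaluate_student` surrogate, which stands in for actually distilling and testing a student, are all constructed assumptions; mutation is taken to be a one-step move in a gene's value list.

```python
import math
import random

# Constructed search space (assumption): one individual = one parameter combination.
GENES = ("layers", "hidden", "ffn", "vocab")
SPACE = {
    "layers": [1, 2, 4, 6, 8, 12],
    "hidden": [64, 128, 256, 512],
    "ffn": [128, 512, 1024, 2048],
    "vocab": [1000, 5000, 10000, 20000],
}
W1, W2, W3 = 1.0, 1.0, 0.001  # omega_1..omega_3 (assumed; W3 is per million parameters)


def param_size(ind):
    """W_M in millions: embeddings + attention + feed-forward weights (rough estimate)."""
    layers, hidden, ffn, vocab = ind
    return (vocab * hidden + layers * (4 * hidden * hidden + 2 * hidden * ffn)) / 1e6


def evaluate_student(ind):
    """Constructed surrogate for d(D) and d(MHM(D)): a real run would distil and
    test the student. Accuracy saturates with size, robust accuracy with depth."""
    acc = 0.60 + 0.32 * (1 - math.exp(-param_size(ind) / 3))
    rob = 0.30 + 0.30 * (1 - math.exp(-ind[0] / 3))
    return acc, rob


def fitness(acc, rob, size_m):
    """Fitness(M) = w1*d(D) + w2*d(MHM(D)) + w3*(-W_M)."""
    return W1 * acc + W2 * rob + W3 * (-size_m)


def student_fitness(ind):
    acc, rob = evaluate_student(ind)
    return fitness(acc, rob, param_size(ind))


# Constructed teacher measurements: accuracy, robust accuracy, size in millions.
FITNESS_T = fitness(0.93, 0.62, 125.0)


def random_individual(rng):
    return tuple(rng.choice(SPACE[g]) for g in GENES)


def tournament_select(population, t, m, n, rng):
    """S223: draw a contest group of t, hold n contests of m competitors, keep each argmax."""
    group = rng.sample(population, t)
    return [max(rng.sample(group, m), key=student_fitness) for _ in range(n)]


def crossover(p1, p2, k):
    """S224: C(p1, p2) = p1[1:k] + p2[k+1:], i.e. first k genes of p1, the rest of p2."""
    return p1[:k] + p2[k:]


def mutate(p, rng, rate=0.2):
    """S224: M(p) = p + delta; delta moves a gene one step in its value list."""
    child = list(p)
    for i, gene in enumerate(GENES):
        if rng.random() < rate:
            choices = SPACE[gene]
            j = choices.index(child[i]) + rng.choice((-1, 1))
            child[i] = choices[min(max(j, 0), len(choices) - 1)]
    return tuple(child)


def search(seed=0, N=12, t=8, m=3, max_generations=100):
    """S221-S225: evolve until a child satisfies Fitness(S) > Fitness(T).

    Returns (individual, fitness, generations); generations is None if the
    generation cap (an added safeguard) is hit first.
    """
    rng = random.Random(seed)
    population = [random_individual(rng) for _ in range(N)]      # S221
    best = max(population, key=student_fitness)
    for generation in range(1, max_generations + 1):
        parents = tournament_select(population, t, m, N, rng)    # S222, S223
        children = []
        for _ in range(N):                                       # S224
            p1, p2 = rng.sample(parents, 2)
            k = rng.randint(1, len(GENES) - 1)
            children.append(mutate(crossover(p1, p2, k), rng))
        best = max(children, key=student_fitness)
        if student_fitness(best) > FITNESS_T:                    # S225
            return best, student_fitness(best), generation
        population = children
    return best, student_fitness(best), None


if __name__ == "__main__":
    ind, fit, gens = search()
    print(dict(zip(GENES, ind)), round(fit, 4), "teacher:", round(FITNESS_T, 4), "generations:", gens)
```

Because $\omega_3$ penalises parameter count, the teacher's own size lowers Fitness(T), so the stopping test in S225 is only as strict as the chosen weights make it.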
Step S3 specifically includes the following steps:
S31, designing an accuracy function and calculating the accuracy of the student model; designing a robustness function and calculating the robustness of the student model. The test set is used to verify whether the accuracy of the student model is close to that of the teacher model. Accuracy evaluates the correctness and performance of the model in a classification task: it measures the ratio of the number of samples the model classifies correctly to the total number of samples, and the higher the accuracy, the better the model performs. Robustness evaluates how well the model withstands adversarial attack and tampering: it measures the rate at which the model predicts the correct label for adversarial instances, i.e. the performance of the model under attack. Once the student model shows almost no loss of accuracy, its robustness is checked; a sufficiently robust student model can filter out part of the ineffective perturbed samples.
S32, when certain accuracy and robustness are met, attacking the student model with the samples, designing an attack success rate function, and calculating the attack success rate of the samples;
S33, screening out the samples whose attack is ineffective, and retaining the samples that attack successfully as the adversarial samples to output.
The accuracy function formula is as follows:
wherein TP (True Positive) is the number of samples that the model correctly classifies as positive; TN (True Negative) is the number of samples the model correctly classifies as negative; FP (False Positive) is the number of samples that the model misclassifies as positive; FN (False Negative) is the number of samples the model misclassifies as negative.
The robustness function formula is as follows:
$$\mathrm{Robustness} = P(y = y' \mid x, x')$$
where $P(y = y' \mid x, x')$ represents the probability that the model output is correct given the input $x$ and the adversarial sample $x'$.
The formula of the attack success rate function is as follows:
where $q(y_{\mathrm{pred},i}, y_{\mathrm{target},i})$ is a predictive function that returns 1 if $y_{\mathrm{pred},i} \neq y_{\mathrm{target},i}$ and 0 otherwise.
Step S4 specifically includes the following steps: attacking the pre-trained code model with the adversarial samples, calculating the attack success rate corresponding to each adversarial sample based on the attack success rate function, and extracting the adversarial samples that attack successfully, according to the attack success rate, to form the adversarial set.
In the invention, a performance check is also carried out on the adversarial set, which specifically comprises the following steps:
S51, fine-tuning the pre-trained code model with the adversarial set as training data. The fine-tuned pre-trained code model gains robustness.
S52, testing the pre-trained code model after adversarial fine-tuning against the adversarial set to obtain the performance check result. In this experiment, the fine-tuned pre-trained code model was found to resist most of the adversarial-sample attacks.
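The measurements used in S31-S33, S4 and S52, as an added Python example (not code from the patent) that works on recorded model predictions only. The accuracy formula follows the description's wording (correctly classified samples over all samples); the attack success rate is assumed to be the mean of q over the samples; the gate thresholds, the `Candidate` record and the sample rows are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    sample_id: str
    target: int         # y_target: ground-truth label of the sample
    student_pred: int   # student model prediction on the perturbed input
    teacher_pred: int   # pre-trained code model prediction on the same input
    hardened_pred: int  # prediction after fine-tuning on the adversarial set (S51)


def accuracy(tp, tn, fp, fn):
    """Correctly classified samples over all samples."""
    total = tp + tn + fp + fn
    return (tp + tn) / total if total else 0.0


def q(y_pred, y_target):
    """The page's indicator: 1 if the prediction differs from the target, else 0."""
    return 1 if y_pred != y_target else 0


def attack_success_rate(preds, targets):
    """Mean of q over the samples (assumed form of the attack success rate)."""
    pairs = list(zip(preds, targets))
    return sum(q(p, t) for p, t in pairs) / len(pairs) if pairs else 0.0


def robustness(preds, targets):
    """Empirical P(y = y' | x, x'): share of perturbed inputs still labelled correctly."""
    pairs = list(zip(preds, targets))
    return sum(1 - q(p, t) for p, t in pairs) / len(pairs) if pairs else 0.0


def student_gate(student_acc, teacher_acc, student_rob, max_acc_drop=0.02, min_rob=0.5):
    """S32 precondition. Both thresholds are assumptions; the page says only 'certain'."""
    return (teacher_acc - student_acc) <= max_acc_drop and student_rob >= min_rob


def fooled_student(candidates):
    """S33: keep the samples that change the student's answer."""
    return [c for c in candidates if q(c.student_pred, c.target)]


def build_adversarial_set(candidates):
    """S4: of the samples kept in S33, keep those that also fool the pre-trained model."""
    return [c for c in fooled_student(candidates) if q(c.teacher_pred, c.target)]


def report(candidates):
    kept = fooled_student(candidates)
    adv = build_adversarial_set(candidates)
    return {
        "student_asr": attack_success_rate(
            [c.student_pred for c in candidates], [c.target for c in candidates]),
        "transfer_rate": len(adv) / len(kept) if kept else 0.0,
        "adversarial_set": [c.sample_id for c in adv],
        # S52: share of the adversarial set the fine-tuned model now labels correctly
        "hardened_robustness": robustness(
            [c.hardened_pred for c in adv], [c.target for c in adv]),
    }


# Constructed rows for a binary defect-detection task (not measured results).
SAMPLES = [
    Candidate("s1", 1, 0, 0, 1),
    Candidate("s2", 1, 0, 1, 1),
    Candidate("s3", 0, 1, 1, 0),
    Candidate("s4", 0, 0, 0, 0),
    Candidate("s5", 1, 0, 0, 0),
    Candidate("s6", 0, 1, 0, 0),
    Candidate("s7", 1, 1, 0, 1),
    Candidate("s8", 0, 1, 1, 0),
]

if __name__ == "__main__":
    print(report(SAMPLES))
```

Scoring the fine-tuned model on the same adversarial set it was trained on overstates its robustness, so hold part of the set out of S51 and use that part for the S52 measurement.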
The invention also discloses a knowledge-distillation-based adversarial sample generation system for pre-trained code models, which comprises the following:
the system comprises an open source data collection module, a data acquisition module and a data analysis module, wherein the open source data collection module is used for obtaining an open source dataset, and the open source dataset comprises a plurality of samples;
the robustness-aware knowledge distillation module is used for obtaining a pre-trained code model and establishing a plurality of optimal student models corresponding to the pre-trained code model based on robustness-aware knowledge distillation.
The student model attack module is used for attacking the optimal student models with samples from the open source dataset, and extracting the samples that attack successfully as adversarial samples.
The pre-trained code model attack module is used for attacking the pre-trained code model with the adversarial samples, and extracting the adversarial samples that attack successfully to form an adversarial set.
In this embodiment, the specific elements of the knowledge-distillation-based adversarial sample generation system for pre-trained code models are as follows.
In one embodiment, the open source data acquisition module comprises:
an acquisition unit, used for collecting initial data sets applicable to different downstream tasks of a code model from public open source repositories (such as GitHub) and from platforms and contests (such as GCJ) specially used for challenge study; the downstream tasks comprise defect detection (Vulnerability Prediction), code author attribution (Authorship Attribution) and clone detection (Clone Detection);
a compiling unit, used for preprocessing the initial data set and outputting an open source data set after operations such as removing code files of irrelevant languages and adjusting the proportion of positive and negative samples.
In one embodiment, the robustness-aware knowledge distillation module includes:
a judging unit: the pre-training code model comprises a plurality of groups of parameter combinations, and each group of parameter combinations corresponds to one student model. The judging unit is used for analyzing the plurality of groups of parameter combinations in the pre-training code model, calculating the core parameters (such as the number of network layers) corresponding to each group of parameter combinations, and selecting the corresponding parameter combinations according to the size of the core parameters to form a search space.
a searching unit, used for searching the search space for the optimal parameter combination, based on a genetic algorithm, to serve as the optimal solution. After the parameter search space of the student model is determined, a genetic algorithm is used to find the correct parameter combination. The genetic algorithm regards each architecture as an independent entity, and the student models are mutually independent during the search, which facilitates analysis of the architectures. The search mainly comprises the following four steps: population initialization, fitness evaluation, natural selection and iterative evolution.
a model building unit, used for establishing a plurality of optimal student models based on the optimal solution.
The searching unit comprises a population initializing unit, a fitness evaluation unit, a natural selection unit and an iterative evolution unit, which are described in detail below.
The population initializing unit is used for establishing an initial population based on the search space, wherein the initial population comprises N initial individuals, and each initial individual is a group of parameter combinations randomly selected in the search space. A set of initial individuals is randomly initialized in the search space to form an initial population of size N; the individuals are typically candidate solutions or parameter sets in the problem space, and the population can be represented as $P = [p_1, p_2, \ldots, p_N]$, where $p_i$ represents the i-th individual.
The fitness evaluation unit is used for designing a fitness function that evaluates the fitness values of the student model and the pre-training code model. When evaluating the student model, the fitness function evaluates each initial individual in the initial population to determine its fitness in solving the problem. The fitness function mainly considers three factors: the accuracy, the robustness and the parameter scale of the student model. Robustness weights are introduced into the fitness function to ensure that the genetic algorithm can obtain parameter combinations corresponding to student models with sufficient robustness. The fitness function formula is as follows:
$$\mathrm{Fitness}(M) = \omega_1\, d(D) + \omega_2\, d(\mathrm{MHM}(D)) + \omega_3\,(-W_M)$$
wherein Fitness() refers to the fitness function; $\omega_1$, $\omega_2$, $\omega_3$ are the weights of the three factors in the fitness function; MHM represents a simple challenge technique; M is the independent variable of the fitness function, namely the model whose fitness is to be calculated, and comprises the distilled student model S and the pre-training code model T; D is the data set corresponding to the downstream task; $W_M$ refers to the parameter size of model M; the d() function represents the predicted result of the selected model.
The natural selection unit is used for randomly selecting t initial individuals from the initial population, based on a competition selection algorithm, to form a competition group;
n contests are performed in the competition group: in each contest, m initial individuals are selected from the competition group to serve as competitors, the fitness values of the m competitors are calculated respectively, and the competitor corresponding to the maximum fitness value is selected as winner n; this continues until n meets the quantity condition, and all winners are constructed into a parent population. The parent population includes n parent individuals, and each parent individual is a winner.
The formula for selecting among the competitors is as follows:
$$\mathrm{Winner} = \arg\max_{i \in \mathrm{Tournament}} f(\mathrm{Ind}_i)$$
wherein Winner is the competition selection algorithm; the arg max function is used to process the tensor; Tournament is the competition group; $\mathrm{Ind}_i$ is the i-th individual in the competition group; $f(\mathrm{Ind}_i)$ is the fitness value of individual $\mathrm{Ind}_i$.
The iterative evolution unit is used for updating and replacing the parent population through genetic operations to form a child population, wherein the child population comprises a plurality of child individuals, and for calculating the fitness value Fitness(S) of the child individuals. Genetic operations mimic the genetic process in biological evolution to gradually improve the individuals in the parent population.
The genetic operations comprise a crossover operation and a mutation operation. The crossover operation (Crossover) combines two parent individuals to generate offspring, and the formula is as follows:
$$C(p_1, p_2) = (p_1[1:k] + p_2[k+1:])$$
wherein $p_1$, $p_2$ are two parent individuals; $C(p_1, p_2)$ crosses individuals $p_1$ and $p_2$ to generate an offspring individual; k is a randomly selected crossover point; $[1:k]$ and $[k+1:]$ are the selected crossover content;
the mutation operation (Mutation) alters certain genes or parameters of the parent individual, and the formula is as follows:
$$M(p) = p + \Delta$$
wherein $M(p)$ represents the result of mutating individual p; $\Delta$ is a small random disturbance.
The cyclic unit is used for calculating the fitness value Fitness(T) of the pre-training code model and comparing it with the fitness value Fitness(S) of each child individual; if Fitness(S) < Fitness(T), the operation steps of the natural selection unit, the iterative evolution unit and the cyclic unit are repeated; if Fitness(S) > Fitness(T), the child individuals are output as optimal solutions.
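The search loop described above (population initialization, fitness evaluation, competition selection, crossover, mutation and the comparison against Fitness(T)) is shown below as an added example; it is not code from the patent. The search space, the weights, the teacher metrics and the `evaluate` surrogate, which stands in for distilling a student and measuring it on D and MHM(D), are constructed assumptions.

```python
import math
import random

# Constructed search space (assumption): allowed values for each gene.
GENES = ["layers", "hidden", "heads", "ffn"]
SPACE = [[2, 3, 4, 6], [128, 256, 384, 512], [2, 4, 8], [256, 512, 1024, 2048]]
OMEGA = (1.0, 1.0, 0.1)              # omega_1..omega_3 (constructed weights)
TEACHER_PARAMS = 12 * (4 * 768**2 + 2 * 768 * 3072)
TEACHER_METRICS = (0.95, 0.55, 1.0)  # constructed: d(D), d(MHM(D)), W_T


def evaluate(ind):
    """Constructed surrogate for 'distil this student, then measure it'.

    Returns (accuracy on D, accuracy on MHM(D), parameter size W_M relative
    to the teacher). A real pipeline would train and test the student here.
    """
    layers, hidden, heads, ffn = ind
    w = layers * (4 * hidden**2 + 2 * hidden * ffn) / TEACHER_PARAMS
    acc = 0.95 - 0.30 * math.exp(-40 * w)
    flip_rate = 0.60 - 0.05 * math.log2(heads) - 0.02 * layers
    return acc, acc * (1 - flip_rate), w


def fitness(metrics, omega=OMEGA):
    """Fitness(M) = w1*d(D) + w2*d(MHM(D)) + w3*(-W_M)."""
    acc, robust_acc, size = metrics
    return omega[0] * acc + omega[1] * robust_acc + omega[2] * (-size)


def tournament_select(population, t, m, n, rng):
    """Draw a competition group of t, then hold n contests of m competitors."""
    group = rng.sample(population, t)
    return [max(rng.sample(group, m), key=lambda p: fitness(evaluate(p)))
            for _ in range(n)]


def crossover(p1, p2, k):
    """C(p1, p2) = p1[1:k] + p2[k+1:], written with 0-based slices."""
    return p1[:k] + p2[k:]


def mutate(ind, rng, rate=0.25):
    """M(p) = p + delta: move a gene one step along its list of values."""
    out = []
    for value, allowed in zip(ind, SPACE):
        i = allowed.index(value)
        if rng.random() < rate:
            i = min(max(i + rng.choice((-1, 1)), 0), len(allowed) - 1)
        out.append(allowed[i])
    return out


def search(seed=0, pop_size=12, t=8, m=3, max_generations=100):
    """Return (children with Fitness(S) > Fitness(T), generations used)."""
    rng = random.Random(seed)
    target = fitness(TEACHER_METRICS)
    population = [[rng.choice(a) for a in SPACE] for _ in range(pop_size)]
    for generation in range(1, max_generations + 1):
        parents = tournament_select(population, t, m, pop_size, rng)
        children = []
        for _ in range(pop_size):
            p1, p2 = rng.sample(parents, 2)
            k = rng.randint(1, len(GENES) - 1)
            children.append(mutate(crossover(p1, p2, k), rng))
        winners = [c for c in children if fitness(evaluate(c)) > target]
        if winners:                  # stop rule of the cyclic unit
            return winners, generation
        population = children        # otherwise select and evolve again
    return [], max_generations


if __name__ == "__main__":
    students, gens = search()
    print("Fitness(T) =", round(fitness(TEACHER_METRICS), 3), "generations:", gens)
    for s in students:
        print(dict(zip(GENES, s)), round(fitness(evaluate(s)), 3))
```

Because $\omega_3$ penalizes parameter size and the teacher is the largest model, lowering $\omega_3$ is what makes the stop condition demanding; with a large $\omega_3$ almost any student exceeds Fitness(T) regardless of robustness.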
In one embodiment, the attack student model module comprises:
a precision evaluation unit, used for designing a precision function and calculating the precision of the student model. After the student model S is acquired, a test set is used to verify whether the accuracy of the student model is similar to that of the teacher model (the pre-training code model), and the accuracy function is as follows
where TP (True Positive) denotes the number of samples the model correctly classified as positive, TN (True Negative) denotes the number of samples the model correctly classified as negative, FP (False Positive) denotes the number of samples the model incorrectly classified as positive, and FN (False Negative) denotes the number of samples the model incorrectly classified as negative.
a robustness evaluation unit, used for designing a robustness function and calculating the robustness of the student model. Once the student model shows almost no loss of accuracy compared with the teacher model (the pre-training code model), the robustness of the student model is tested, and the robustness function formula is as follows:
$$\mathrm{Robustness} = P(y = y' \mid x, x')$$
where $P(y = y' \mid x, x')$ represents the probability that the model output is correct given the input $x$ and the challenge sample $x'$;
an attack unit, used for attacking the student model by using the samples when certain precision and robustness are met, and calculating the attack success rate of the samples based on the attack success rate function. The attack function calculation formula is as follows:
wherein $q(y_{pred,i}, y_{target,i})$ is a prediction function: if $y_{pred,i} \neq y_{target,i}$, it returns 1, otherwise it returns 0;
a sample extraction unit, used for screening out invalid disturbance samples and retaining the challenge samples whose attacks succeed.
In one embodiment, the pre-training code model attack module comprises, in sequence:
an attack unit, used for attacking the pre-training code model by using the challenge samples, calculating the attack success rate corresponding to each challenge sample based on the attack success rate function, and extracting the challenge samples whose attacks succeed, according to the attack success rate, to form a challenge set.
a training unit, used for fine-tuning the pre-training code model by taking the challenge set as training data; the fine-tuned pre-training code model is then tested with challenge samples, and it is found that the model can resist most of the challenge-sample attacks.
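The two-stage screening performed by the attack student model module and the pre-training code model attack module, together with the precision, robustness and attack success rate measurements, is shown below as an added example that is not code from the patent. The records are constructed. Three things are assumptions: the attack success rate is aggregated as the mean of q over the attacked samples, robustness is read as the share of perturbed samples x' still classified correctly, and a perturbation counts as a valid attack only if the model was right on the unperturbed x.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """Constructed row: predictions on a sample x and its perturbed variant x'."""
    sample_id: str
    label: int          # y_target, 1 = positive class
    student_clean: int  # student prediction on x
    student_adv: int    # student prediction on x'
    teacher_clean: int  # teacher (pre-training code model) prediction on x
    teacher_adv: int    # teacher prediction on x'


# Constructed evaluation data, not results from the patent.
RECORDS = [
    Record("s1", 1, 1, 0, 1, 0),
    Record("s2", 1, 1, 0, 1, 1),
    Record("s3", 0, 0, 0, 0, 0),
    Record("s4", 0, 0, 1, 0, 1),
    Record("s5", 1, 1, 1, 1, 1),
    Record("s6", 0, 0, 1, 0, 1),
    Record("s7", 1, 0, 0, 1, 0),
    Record("s8", 0, 0, 0, 0, 0),
]


def accuracy(preds, labels):
    """(TP + TN) / (TP + TN + FP + FN), computed from the confusion counts."""
    pairs = list(zip(preds, labels))
    tp = sum(p == 1 and y == 1 for p, y in pairs)
    tn = sum(p == 0 and y == 0 for p, y in pairs)
    fp = sum(p == 1 and y == 0 for p, y in pairs)
    fn = sum(p == 0 and y == 1 for p, y in pairs)
    return (tp + tn) / (tp + tn + fp + fn)


def q(pred, target):
    """Prediction function from the text: 1 if y_pred != y_target, else 0."""
    return 1 if pred != target else 0


def attack_success_rate(preds, targets):
    """Assumed aggregation: mean of q over the N attacked samples."""
    if not preds:
        return 0.0
    return sum(q(p, t) for p, t in zip(preds, targets)) / len(preds)


def screen(records, model):
    """Keep samples the model got right on x and wrong on x' (valid attacks)."""
    return [r for r in records
            if getattr(r, f"{model}_clean") == r.label
            and q(getattr(r, f"{model}_adv"), r.label) == 1]


def run_pipeline(records):
    labels = [r.label for r in records]
    candidates = screen(records, "student")        # stage 1: student filter
    challenge_set = screen(candidates, "teacher")  # stage 2: teacher check
    return {
        "student_accuracy": accuracy([r.student_clean for r in records], labels),
        "teacher_accuracy": accuracy([r.teacher_clean for r in records], labels),
        "student_robustness": accuracy([r.student_adv for r in records], labels),
        "student_asr": attack_success_rate([r.student_adv for r in records], labels),
        "teacher_asr_unscreened": attack_success_rate(
            [r.teacher_adv for r in records], labels),
        "teacher_asr_screened": attack_success_rate(
            [r.teacher_adv for r in candidates], [r.label for r in candidates]),
        "teacher_queries": len(candidates),
        "challenge_set": [r.sample_id for r in challenge_set],
    }
```

On this data the student filter halves the number of samples sent to the teacher while raising the share that flip it; sample s7 flips the teacher but is dropped in stage 1, so a challenge set built this way under-reports the teacher's weak points when it is used for fine-tuning and robustness testing.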
The method and system can better mine challenge samples for the pre-training code model and improve the robustness of the pre-training code model. First, a student model with higher robustness is obtained through robustness-aware knowledge distillation. The student model is used to filter out invalid disturbance samples, and the screened challenge samples are input into the pre-training code model for adversarial attack, yielding a challenge set composed of higher-quality challenge samples. The challenge samples in the challenge set have stronger generality and universality, manual verification cost can be effectively reduced, controllable variables are output, the field of practical application is wider and the precision is higher. In addition, the robustness of the pre-training code model can be improved by adversarial training.
In summary, the knowledge distillation-based code pre-training model challenge sample generation method and system have the characteristics of high robustness, sample transferability and good attack effect.

Claims (10)

1. A method for generating a challenge sample based on a knowledge distillation code pre-training model, the method comprising the steps of:
S1, acquiring an open source data set, wherein the open source data set comprises a plurality of samples;
S2, obtaining a pre-training code model, and establishing a plurality of optimal student models corresponding to the pre-training code model based on knowledge distillation of robust perception;
S3, attacking the optimal student model by using samples in the open source data set, and extracting samples successfully attacked as countermeasure samples;
S4, using the challenge sample to attack the pre-training code model, and extracting a challenge sample with successful attack to form a challenge set.
2. The knowledge-distillation based code pre-training model challenge sample generation method according to claim 1, wherein in step S1, the acquisition of the open source dataset comprises the steps of:
S11, collecting initial data sets applicable to different downstream tasks of the code model, wherein the downstream tasks comprise defect detection, attribution of a code author and clone detection;
S12, preprocessing the initial data set, and outputting an open source data set after performing operations including removing code files of irrelevant languages and adjusting the proportion of positive and negative samples.
3. The knowledge distillation based code pre-training model challenge sample generation method according to claim 2, wherein the initial data set is collected from an open source warehouse and/or a specialized platform and contest for challenge studies.
4. The knowledge distillation based code pre-training model challenge sample generation method according to claim 1, wherein the pre-training code model has a plurality of sets of parameter combinations, each set of parameter combinations corresponding to one student model, and in step S2, the step of obtaining the optimal student model comprises the steps of:
S21, analyzing a plurality of groups of parameter combinations in the pre-training code model, calculating core parameters corresponding to each group of parameter combinations, and selecting the corresponding parameter combinations according to the size of the core parameters to form a search space;
S22, searching an optimal parameter combination in a search space based on a genetic algorithm to serve as an optimal solution;
S23, establishing a plurality of optimal student models based on the optimal solution.
5. The knowledge distillation based code pre-training model challenge sample generation method according to claim 4, wherein step S22 specifically comprises the steps of:
S221, initializing a population: establishing an initial population based on the search space, wherein the initial population comprises N initial individuals, and each initial individual is a group of parameter combinations randomly selected in the search space;
S222, evaluating the fitness: the fitness function is designed for evaluating the fitness of the student model and the pre-training code model, and the fitness function has the following formula:
$$\mathrm{Fitness}(M) = \omega_1\, d(D) + \omega_2\, d(\mathrm{MHM}(D)) + \omega_3\,(-W_M)$$
wherein Fitness() refers to the fitness function; $\omega_1$, $\omega_2$, $\omega_3$ are the weights of the three factors in the fitness function; MHM represents a simple challenge technique; M is the independent variable of the fitness function, namely the model whose fitness is to be calculated, and comprises the distilled student model S and the pre-training code model T; D is the data set corresponding to the downstream task; $W_M$ is the parameter size of model M; the d() function represents the predicted outcome of the selected model;
S223, natural selection: selecting t initial individuals from the initial population randomly based on a competition selection algorithm to form a competition group;
n contests are carried out in the competition group, wherein in each contest m initial individuals are selected from the competition group to serve as competitors, the fitness values of the m competitors are calculated respectively, and the competitor corresponding to the maximum fitness value is selected as winner n; this continues until n meets the quantity condition, and all winners are constructed into a parent population; the parent population comprises n parent individuals, and each parent individual is a winner;
wherein the formula for selecting among the competitors is as follows:
$$\mathrm{Winner} = \arg\max_{i \in \mathrm{Tournament}} f(\mathrm{Ind}_i)$$
wherein Winner is the competition selection algorithm; the arg max function is used to process the tensor; Tournament is the competition group; $\mathrm{Ind}_i$ is the i-th individual in the competition group; $f(\mathrm{Ind}_i)$ is the fitness value of individual $\mathrm{Ind}_i$;
S224, iterative evolution: updating and replacing the parent population through genetic operations to form a child population, wherein the child population comprises a plurality of child individuals, and calculating the fitness value Fitness(S) of the child individuals;
in step S224, the genetic operations include a crossover operation and a mutation operation, where the crossover operation updates any two parent individuals in the parent population to child individuals according to the following formula:
$$C(p_1, p_2) = (p_1[1:k] + p_2[k+1:])$$
wherein $p_1$, $p_2$ are two parent individuals; $C(p_1, p_2)$ crosses individuals $p_1$ and $p_2$ to generate an offspring individual; k is a randomly selected crossover point; $[1:k]$ and $[k+1:]$ are the selected crossover content;
the mutation operation changes certain genes or parameters of the parent individuals, and the formula is as follows:
$$M(p) = p + \Delta$$
wherein $M(p)$ represents the result of mutating individual p; $\Delta$ is a small random disturbance;
S225, calculating the fitness value Fitness(T) of the pre-training code model, comparing it with the fitness value Fitness(S) of each child individual, and repeating steps S223-S225 if Fitness(S) < Fitness(T); if Fitness(S) > Fitness(T), the child individuals are output as optimal solutions.
6. The knowledge distillation based code pre-training model challenge sample generation method according to claim 1, comprising the steps of:
S31, designing a precision function, and calculating the precision of the student model; designing a robustness function, and calculating the robustness of the student model;
S32, when certain precision and robustness are met, using a sample to attack the student model, designing an attack success rate function and calculating the attack success rate of the sample;
S33, screening out samples whose attacks are invalid, and retaining the samples whose attacks succeed as challenge samples for output.
7. The knowledge distillation based code pre-training model challenge sample generation method of claim 6, wherein the precision function formula is as follows:
TP is the number of samples that the model correctly classifies as the positive class; TN is the number of samples that the model correctly classifies as the negative class; FP is the number of samples that the model incorrectly classifies as the positive class; FN is the number of samples that the model incorrectly classifies as the negative class.
The robustness function formula is as follows:
$$\mathrm{Robustness} = P(y = y' \mid x, x')$$
where $P(y = y' \mid x, x')$ represents the probability that the model output is correct given the input $x$ and the challenge sample $x'$.
8. The knowledge distillation based code pre-training model challenge sample generation method of claim 6, wherein the attack success rate function is formulated as follows:
wherein $q(y_{pred,i}, y_{target,i})$ is a prediction function: if $y_{pred,i} \neq y_{target,i}$, it returns 1, otherwise it returns 0.
9. The knowledge distillation based code pre-training model challenge sample generation method according to claim 8, comprising the steps of: attacking the pre-training code model by using the challenge samples, calculating the attack success rate corresponding to each challenge sample based on the attack success rate function, and extracting the challenge samples whose attacks succeed, according to the attack success rate, to form a challenge set.
10. A knowledge distillation based code pre-training model challenge sample generation system, the system comprising:
the system comprises an open source data collection module, a data acquisition module and a data analysis module, wherein the open source data collection module is used for obtaining an open source data set, and the open source data set comprises a plurality of samples;
the robustness perception knowledge distillation module is used for acquiring a pre-training code model, and establishing a plurality of optimal student models corresponding to the pre-training code model based on the robustness perception knowledge distillation;
the attack student model module is used for attacking the optimal student model by using samples in the open source data set, and extracting samples which are successful in attack as countermeasure samples;
and the pre-training code model attack module is used for attacking the pre-training code model by using the challenge samples, and extracting the challenge samples which are successfully attacked to form a challenge set.
CN202311340360.1A 2023-10-16 2023-10-16 Knowledge distillation-based code pre-training model countermeasure sample generation method and system Pending CN117350364A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311340360.1A CN117350364A (en) 2023-10-16 2023-10-16 Knowledge distillation-based code pre-training model countermeasure sample generation method and system

Publications (1)

Publication Number Publication Date
CN117350364A true CN117350364A (en) 2024-01-05

Family

ID=89359131

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311340360.1A Pending CN117350364A (en) 2023-10-16 2023-10-16 Knowledge distillation-based code pre-training model countermeasure sample generation method and system

Country Status (1)

Country Link
CN (1) CN117350364A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117808095A (en) * 2024-02-26 2024-04-02 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Method and device for generating attack-resistant sample and electronic equipment
CN117808095B (en) * 2024-02-26 2024-05-28 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Method and device for generating attack-resistant sample and electronic equipment

Similar Documents

Publication Publication Date Title
US7362892B2 (en) Self-optimizing classifier
CN108376220A (en) A kind of malice sample program sorting technique and system based on deep learning
CN111292195A (en) Risk account identification method and device
CN106570513A (en) Fault diagnosis method and apparatus for big data network system
CN113764034B (en) Method, device, equipment and medium for predicting potential BGC in genome sequence
CN1656472A (en) Plausible neural network with supervised and unsupervised cluster analysis
CN117350364A (en) Knowledge distillation-based code pre-training model countermeasure sample generation method and system
CN113742733B (en) Method and device for extracting trigger words of reading and understanding vulnerability event and identifying vulnerability type
CN113127737B (en) Personalized search method and search system integrating attention mechanism
CN114065199B (en) Cross-platform malicious code detection method and system
CN108229170A (en) Utilize big data and the software analysis method and device of neural network
CN112738092A (en) Log data enhancement method, classification detection method and system
CN111898129B (en) Malicious code sample screener and method based on Two-Head anomaly detection model
CN116015967B (en) Industrial Internet intrusion detection method based on improved whale algorithm optimization DELM
CN111651594A (en) Case classification method and medium based on key value memory network
CN114781611A (en) Natural language processing method, language model training method and related equipment
CN112884150A (en) Safety enhancement method for knowledge distillation of pre-training model
CN114065933B (en) Unknown threat detection method based on artificial immunity thought
CN115994224A (en) Phishing URL detection method and system based on pre-training language model
Huang et al. Harnessing deep learning for population genetic inference
Zhang Deepmal: A CNN-LSTM model for malware detection based on dynamic semantic behaviours
CN114897085A (en) Clustering method based on closed subgraph link prediction and computer equipment
CN111144453A (en) Method and equipment for constructing multi-model fusion calculation model and method and equipment for identifying website data
CN114329474A (en) Malicious software detection method integrating machine learning and deep learning
CN116962089A (en) Network monitoring method and system for information security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination