WO2023246237A1 - Attack-defense confrontation simulation test method and system for network model - Google Patents


Info

Publication number
WO2023246237A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
platform
defender
attacker
feedback data
Prior art date
Application number
PCT/CN2023/087367
Other languages
French (fr)
Chinese (zh)
Inventor
李志峰
崔世文
孟昌华
王维强
Original Assignee
支付宝(杭州)信息技术有限公司
Priority date
Filing date
Publication date
Application filed by 支付宝(杭州)信息技术有限公司
Publication of WO2023246237A1

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B17/00 Systems involving the use of models or simulators of said systems
    • G05B17/02 Systems involving the use of models or simulators of said systems electric

Definitions

  • One or more embodiments of this specification relate to the field of computer technology, and in particular, to an attack and defense simulation test method and system for a network model.
  • AI: Artificial Intelligence
  • One or more embodiments of this specification describe an attack and defense confrontation simulation test method and system for a network model to better simulate actual adversarial attacks against the network model and find better methods to combat actual attacks.
  • The specific technical solutions are as follows.
  • embodiments provide an attack and defense confrontation simulation test method for a network model, including an attacker platform and a defender platform.
  • the network model is deployed on the defender platform.
  • the method includes:
  • the attacker platform sends a service request to the defender platform based on the attack algorithm, and the service request carries business data to be predicted;
  • the defender platform receives the service request sent by the attacker platform, determines the prediction result of the business data through the network model, sends feedback data to the attacker platform based on the prediction result, and detects anomalies in the processing of the service request;
  • the attacker platform receives the feedback data sent by the defender platform in response to the service request, adjusts the attack algorithm when the feedback data meets a preset condition, and continues to execute the step of sending service requests to the defender platform based on the attack algorithm.
  • the method further includes:
  • a preset defense plan is executed based on the detected anomaly information; after the preset defense plan has been executed, if the anomaly is still detected and has not been eliminated, the defense plan is adjusted and the adjusted defense plan continues to be executed.
  • the step of detecting anomalies in the processing of the service request includes:
  • the step of adjusting the attack algorithm when the feedback data meets a preset condition includes:
  • the operating logic in the attack algorithm is adjusted.
  • the step of sending a service request to the defender platform based on an attack algorithm includes:
  • the step of adjusting the attack algorithm when the feedback data meets a preset condition includes:
  • the first attack algorithm corresponding to the first feedback data is used as the attack algorithm for subsequent attacks, and the other attack algorithms are no longer used.
  • the method further includes:
  • the operating logic in the first attack algorithm is adjusted.
  • the step of sending service requests to the defender platform respectively based on multiple different attack algorithms includes:
  • the step of using the first attack algorithm corresponding to the first feedback data as the attack algorithm used in subsequent attacks and stopping using other attack algorithms includes:
  • the method further includes:
  • the attacker's platform counts the number of successful attacks within a preset period and sends the number to the designated device;
  • the defender platform counts the number of successful defenses within the preset period and sends the number to the designated device;
  • the designated device evaluates the attack and defense confrontation simulation test process for the network model based on the number of successful attacks on the attacker's platform and the number of successful defenses on the defender's platform.
  • the embodiment provides an attack and defense confrontation simulation test system for a network model, including an attacker platform and a defender platform.
  • the network model is deployed on the defender platform.
  • the system includes:
  • the attacker platform is configured to send a service request to the defender platform based on an attack algorithm, where the service request carries business data to be predicted;
  • the defender platform is configured to receive the service request sent by the attacker platform, determine the prediction result of the business data through the network model, send feedback data to the attacker platform based on the prediction result, and perform anomaly detection on the processing of the business request;
  • the attacker platform is configured to receive the feedback data sent by the defender platform in response to the service request, adjust the attack algorithm when the feedback data meets the preset conditions, and continue to send service requests to the defender platform based on the attack algorithm.
  • the defender platform is also used to:
  • execute a preset defense plan based on the detected anomaly information; after the preset defense plan has been executed, if the anomaly is still detected and has not been eliminated, adjust the defense plan and continue to execute the adjusted defense plan.
  • when the attacker platform sends a service request to the defender platform based on the attack algorithm, this includes:
  • when the attacker platform adjusts the attack algorithm because the feedback data meets the preset conditions, this includes:
  • the first attack algorithm corresponding to the first feedback data is used as the attack algorithm for subsequent attacks, and the other attack algorithms are no longer used.
  • the attacker platform is also used to count the number of successful attacks within a preset period and send the number to the designated device;
  • the defender platform is also configured to count the number of successful defenses within the preset period and send the number to the designated device, so that the designated device evaluates the attack and defense confrontation simulation test process for the network model based on the number of successful attacks by the attacker platform and the number of successful defenses by the defender platform.
  • embodiments provide a computer-readable storage medium on which a computer program is stored.
  • when the computer program is executed in a computer, the computer is caused to perform any of the methods described in the first aspect.
  • embodiments provide a computing device, including a memory and a processor.
  • Executable code is stored in the memory.
  • when the processor executes the executable code, any of the methods described in the first aspect is implemented.
  • the attacker's platform sends service requests to the defender's platform based on the attack algorithm, receives feedback data, adjusts the attack algorithm when the feedback data meets the preset conditions, and then continues to attack the defender's platform;
  • the defender platform determines the prediction results of the business data in the business request through the network model, sends feedback data to the attacker platform, and performs anomaly detection on the entire business request processing process.
  • This attack and defense confrontation simulation test method more realistically simulates what actually happens when an attacker's platform attacks the network model: the attacker's platform continuously adjusts its attack algorithm based on the feedback data, while the defender's platform detects anomalies in real time and takes corresponding countermeasures.
  • This simulation test method better simulates actual adversarial attacks against network models and so provides a way to find better methods of combating actual attacks; at the same time, the simulation process also reveals more effective attack methods that the defender must be prepared for.
  • Figure 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification
  • Figure 2 is a schematic flow chart of an attack and defense confrontation simulation test method for a network model provided by the embodiment
  • FIG. 3 is a schematic block diagram of an attack and defense confrontation simulation test system for a network model provided by the embodiment.
  • FIG. 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification.
  • an attack plan is developed for the attacker and a defense plan is developed for the defender.
  • the attacker uses the attack plan to send business requests to the defender to call the AI model for prediction.
  • the defender provides prediction services to users based on the AI model it runs.
  • when the defender receives a business request sent by the attacker and no anomaly is detected, it follows the normal business process: it inputs the business data carried in the business request into the AI model to obtain the prediction result, and sends feedback data to the attacker based on the prediction result.
  • the attacker will use the attack plan to send attacks to the defender multiple times and in various ways, and the defender will also detect in real time whether there are any abnormalities in the processing of business requests.
  • if an attack succeeds, the attacker will concentrate all traffic on that attack method to attack the AI model; if no attack is successful after a period of time, the attack plan will be updated.
  • when the defender detects an anomaly or a possible attack, it adopts a corresponding defense plan. If the defense succeeds, the attack and defense confrontation process and the defense plan are recorded and used as the defense plan in actual business processing; if the defense fails, this attack and defense confrontation process gives maintenance personnel a reference for improving the defense plan and the stability of the network model.
  • the AI model can also be called a network model, which can be a network model obtained by using deep learning methods.
  • This network model can be used to predict input business data and obtain prediction results.
  • the prediction results include types such as predicted classification and predicted value. That is to say, the network model can be a classification model or a regression model that outputs a predicted value, which is not limited in this application.
  • Business data includes characteristic data of users, products, images, text, audio and other objects.
  • attackers are designed to simulate actual attackers.
  • attackers use a variety of attack algorithms against network models, including backdoor attacks, poisoning attacks, adversarial samples, etc.
  • the real confrontation is the confrontation between the attack system and the defense system, which changes dynamically.
  • the attacker is constantly looking for effective attack methods, and the defender is constantly detecting defense vulnerabilities and upgrading the defense system. Therefore, based on this, this embodiment provides a network model attack and defense confrontation testing method that can simulate real scenarios.
  • step S210 the attacker's platform sends a service request to the defender's platform based on the attack algorithm, and the service request carries the service data to be predicted.
  • step S220 the defender platform receives the service request sent by the attacker platform, determines the prediction results of the business data through the network model, sends feedback data to the attacker platform based on the prediction results, and performs anomaly detection on the processing of the service request.
  • step S230: the attacker platform receives the feedback data sent by the defender platform in response to the business request, adjusts the attack algorithm when the feedback data meets the preset conditions, and continues to perform the step of sending service requests to the defender platform based on the attack algorithm.
  • This simulation testing method can simulate the dynamic confrontation between the attack system and the defense system.
  • the attacker constantly changes the attack algorithm, and the defender continuously detects defense vulnerabilities and upgrades the defense system, thus simulating actual adversarial attacks on the network model and providing a way to find better methods of combating actual attacks.
  • FIG. 2 is a schematic flowchart of an attack and defense confrontation simulation test method for a network model provided by the embodiment.
  • This method includes the attacker's platform corresponding to the attacker, and the defender's platform corresponding to the defender.
  • the network model is deployed in the defender platform.
  • the network model can be a trained model that determines the prediction result for the input business data based on its trained model parameters. For example, it can be used to recognize images, classify users into high-risk and low-risk categories, or determine a user's level of interest in recommended content.
  • Both the attacker platform and the defender platform can be implemented by any apparatus, device, platform, or device cluster with computing and processing capabilities.
  • the method includes the following steps.
  • the attacker platform A sends a service request to the defender platform B based on the attack algorithm.
  • the service request carries the service data to be predicted.
  • the attacker's platform A can obtain the original data, process the original data based on the attack algorithm, obtain the business data to be predicted, and generate a business request based on the business data.
  • Attacker platform A can use multiple raw data to generate multiple service requests correspondingly, and send multiple service requests to defender platform B.
  • the attacker platform A can add disturbances that are imperceptible to the human eye in the original sample to obtain a processed sample, and use such a sample as business data.
  • the attacker's platform A generates a business request based on the business data and sends it to the defender's platform B. This business request is used to request the defender platform B to use its network model to determine the prediction results for the business data.
  • the attacker's platform can make some changes to the image of a cat, and through recognition by the network model, obtain the image recognition result that it is a dog. These perturbations will not affect human recognition, but they can easily cause the network model to make incorrect predictions.
  • the above attack algorithm can be one or more.
  • the attack algorithm can be selected from a variety of existing attack algorithms, or it can be a generated attack algorithm.
  • the attacker platform A can also send service requests to the defender platform B based on multiple (two or more) different attack algorithms at the same time.
  • Attacker platform A can use different attack algorithms to process the original data to obtain different business data to be predicted, and correspondingly generate multiple types of business requests based on different business data.
  • the types mentioned in different types of business requests can be understood as the types corresponding to business requests carrying business data obtained using different attack algorithms.
  • step S220 the defender platform B receives the service request sent by the attacker platform A, determines the prediction results of the business data through the network model, and sends feedback data to the attacker platform A based on the prediction results.
  • defender platform B can also detect anomalies in the processing of the above business requests in real time.
  • Defender platform B simulates a platform that uses a network model to provide prediction services publicly. When defender platform B detects no anomaly, it processes the received business request according to the normal process: the business data carried in the business request is input into the network model, the prediction result of the business data is determined by the network model, and feedback data is sent to attacker platform A based on the prediction result. When defender platform B detects an anomaly, it can handle it in a preset way.
  • the defender platform B can directly send the prediction results to the attacker platform A as feedback data, or it can generate feedback data based on the prediction results. For example, when no anomaly is detected, the prediction results can be directly sent to the attacker platform A as feedback data; when an anomaly is detected, feedback data indicating that the current service is unavailable can be sent to the attacker platform A.
  • when the defender platform B detects anomalies in the processing of business requests, it can perform anomaly detection based on the received business requests and/or the corresponding prediction results. For example, it can count the number of business requests from a certain address within a period of time and treat the count exceeding a threshold as an anomaly; or it can count how often a certain prediction result is produced within a period of time and treat a count outside the normal range as an anomaly. For example, in credit approval, a network model decides from the input user data whether a user's credit application is approved; if the approval rate over a period of time is found to be too high, this can be considered an anomaly.
  • when defender platform B detects an anomaly, it can issue an anomaly warning for further handling by professionals.
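  • The two defender-side checks described above (requests per address over a time window, and the share of one prediction result such as "approve" over a window), together with the feedback behaviour of returning the prediction normally but only a "service unavailable" notice once an anomaly is flagged, as an added Python example. This is illustrative code, not code from the patent or its assignee; the log format, the field names and the addresses are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample of the defender platform's request log, one processed
# request per line: "<timestamp_seconds> <source_address> <predicted_label>".
SAMPLE_LOG = """\
0.0 10.0.0.1 reject
0.5 10.0.0.2 approve
1.0 10.0.0.1 reject
1.5 10.0.0.3 reject
2.0 10.0.0.1 reject
2.5 10.0.0.1 reject
3.0 10.0.0.1 reject
3.5 10.0.0.1 reject
"""


class AnomalyDetector:
    """Sliding-window anomaly detection on the defender side.

    Two checks are implemented: the number of requests from one address within
    the window, and the share of one prediction result (for instance credit
    approvals) among all results in the window.
    """

    def __init__(self, window, max_per_addr, watched_label, max_share, min_samples):
        self.window = window              # seconds of history kept
        self.max_per_addr = max_per_addr  # requests per address allowed in the window
        self.watched_label = watched_label
        self.max_share = max_share        # normal upper bound for the watched label's share
        self.min_samples = min_samples    # do not judge the share on too few results
        self.by_addr = defaultdict(deque)  # address -> request timestamps in the window
        self.results = deque()             # (timestamp, label) in the window

    def _evict(self, now):
        cutoff = now - self.window
        for q in self.by_addr.values():
            while q and q[0] < cutoff:
                q.popleft()
        while self.results and self.results[0][0] < cutoff:
            self.results.popleft()

    def observe(self, now, addr, label):
        """Record one processed request; return the anomaly codes it triggers."""
        self._evict(now)
        self.by_addr[addr].append(now)
        self.results.append((now, label))
        anomalies = []
        if len(self.by_addr[addr]) > self.max_per_addr:
            anomalies.append(f"request_rate:{addr}")
        if len(self.results) >= self.min_samples:
            hits = sum(1 for _, lbl in self.results if lbl == self.watched_label)
            share = hits / len(self.results)
            if share > self.max_share:
                anomalies.append(f"result_share:{share:.2f}")
        return anomalies


def feedback_for(prediction, anomalies):
    """Feedback data: the prediction when nothing is anomalous, otherwise a
    'service unavailable' notice that carries no prediction."""
    if anomalies:
        return {"status": "unavailable"}
    return {"status": "ok", "prediction": prediction}


def run_log(log_text, detector):
    """Replay a log through the detector; return (addr, feedback, anomalies) per line."""
    out = []
    for line in log_text.strip().splitlines():
        ts, addr, label = line.split()
        anomalies = detector.observe(float(ts), addr, label)
        out.append((addr, feedback_for(label, anomalies), anomalies))
    return out


if __name__ == "__main__":
    det = AnomalyDetector(window=5.0, max_per_addr=4, watched_label="approve",
                          max_share=0.5, min_samples=20)
    for addr, fb, anomalies in run_log(SAMPLE_LOG, det):
        print(addr, fb, anomalies)
```

With a 5-second window and a cap of four requests per address, the fifth request from 10.0.0.1 (at t=3.0) is the first to be refused; the share check stays silent on the short sample because `min_samples` keeps it from judging a rate on too few results, which is the guard a practitioner wants so that a handful of legitimate approvals does not trip the alarm.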
  • step S230: the attacker platform A receives the feedback data sent by the defender platform B in response to the business request, adjusts the attack algorithm when the feedback data meets the preset conditions, and continues to perform the step S210 of sending business requests to the defender platform B based on the attack algorithm.
  • the preset condition may be a preset attack success condition or a preset attack failure condition.
  • when the feedback data contains the prediction result for the business data and the prediction result meets the attack purpose preset by the attacker, the feedback data is considered to meet the attack success condition.
  • if the prediction result does not achieve the attacker's attack purpose, the feedback data is considered not to meet the attack success condition.
  • for example, the attacker slightly perturbs the image of a cat, and the purpose of the attack is to have the cat image recognized as an image of a dog. If the prediction result shows that the network model recognizes the cat image as a dog image, the prediction result is considered to have achieved the purpose of the attack, and the feedback data meets the attack success condition.
  • the attacker slightly perturbs the cat image, and the purpose of the attack is to reduce the probability of the cat image being correctly recognized by 20%. If its predicted value is reduced by more than 20% compared to the correct recognition probability of the image without perturbation, it is considered that the predicted value has achieved the purpose of the attack, and the feedback data meets the conditions for a successful attack.
  • the attack algorithm is considered to have successfully attacked the network model.
  • for attack failure, feedback data that does not meet the attack success condition can be considered to meet the attack failure condition.
  • the attack failure can also be determined based on the number of sent business requests. For example, when m business requests sent all fail to attack, this attack algorithm is considered to have failed.
  • the attacker platform A can adjust the operating logic in the attack algorithm and continue to send business requests to the defender platform B based on the adjusted attack algorithm, that is, continue to attack the network model, in order to simulate real attack behavior.
  • when the attacker platform A sends service requests to the defender platform B based on one or more attack algorithms and, after attacking for a period of time, the attacks have all failed, the attacker platform A can adjust the attack algorithm and continue to attack the defender platform B based on the adjusted attack algorithm.
  • when the attacker platform A sends service requests based on multiple different attack algorithms and the first feedback data received meets the attack success condition, the first attack algorithm corresponding to the first feedback data is used as the attack algorithm for subsequent attacks and the other attack algorithms are no longer used. That is to say, once one of multiple different attack algorithms succeeds, only that attack algorithm is used to continue attacking the defender platform B, and the other attack algorithms are no longer used.
  • for example, the attacker platform uses attack algorithms 1, 2 and 3 to send business data to the defender platform B respectively. If the feedback data corresponding to attack algorithm 2 meets the attack success condition, that feedback data is called the first feedback data and attack algorithm 2 is called the first attack algorithm.
  • after stopping the use of the other attack algorithms, the attacker platform A continues to send service requests to the defender platform B based on the first attack algorithm.
  • the attacker platform A can then adjust the operating logic in the first attack algorithm.
  • the defender platform B may have detected the anomaly and adopted a corresponding defense plan to make up for the vulnerability. Therefore, the subsequent attack behavior of the first attack algorithm used by the attacker platform A will fail.
  • the real attack plan is limited by the operating environment of the attacker's platform A, such as the memory size, CPU computing power and other resource constraints of the attacker's platform A.
  • the request traffic of the attacker platform A can be limited and a certain proportion of the request traffic is allocated to the attacker. The traffic used by the attacker platform A when conducting the attack cannot exceed this limit.
  • a set flow rate can be allocated to each attack algorithm, and the sum of the set flow rates corresponding to multiple attack algorithms is less than the total set flow rate.
  • when attacking based on multiple different attack algorithms, the attacker's platform A sends business requests to the defender's platform B under the set traffic limit corresponding to each attack algorithm.
  • Attacker platform A can start or stop using an attack algorithm by restricting its request traffic. For example, based on the total remaining traffic, it can increase the remaining traffic of the first attack algorithm and set the remaining traffic of the other attack algorithms to 0, so that the first attack algorithm is used for subsequent attacks and the other attack algorithms are no longer used.
  • Specifically, all of the total remaining traffic may be allocated to the first attack algorithm, or only part of it. All remaining traffic of the other attack algorithms flows back into the total remaining traffic.
  • for example, a total of 1,000 service requests are allocated to the attacker, and 100 service requests are initially allocated to each of five attack algorithms. If attack algorithm a succeeds, all remaining service requests are allocated to attack algorithm a and the other attack algorithms no longer send service requests. If no attack algorithm succeeds within its 100 business requests, the attack algorithms can be adjusted and the remaining 500 business requests used to continue the attack.
  • the above content focuses on the process of simulating real attack scenarios and attack behaviors for the attacker and adjusting the attack algorithm.
  • the defender can also simulate a real scenario to execute defense plans, perform defense upgrades, etc.
  • the method may also include steps S240 and S250.
  • step S240: when the defender platform B detects an anomaly in the processing of the business request, it can also execute a preset defense plan based on the detected anomaly information.
  • Preset defense solutions may include: changing the network model to one with similar functions, or intercepting business requests from a certain address, etc.
  • step S250: after the defender platform B has executed the preset defense plan, if the anomaly is still detected and has not been eliminated, it adjusts the defense plan and continues to execute the adjusted defense plan.
  • corresponding defense success conditions and defense failure conditions can also be set. For example, within a set period of time after an anomaly is detected, if the anomaly is not eliminated, the defense can be considered a failure; if the anomaly is eliminated, the defense is considered successful.
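  • Steps S240 and S250 together with the defense success and failure conditions just stated, as an added Python example (illustrative code, not the patent's or its assignee's): a small state machine that starts the preset plan on the first detection, counts the defense as failed if the anomaly is still present after the set period and moves to the next plan, counts it as successful once the anomaly disappears, and falls back to the anomaly warning for professionals when no plan is left. The plan names, the grace period and the detection timeline are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DefensePlanRunner:
    """Steps S240/S250 as a state machine on the defender side.

    `plans` is the ordered list of preset defense plans (constructed names here);
    `grace` is the set period after which an anomaly that is still present counts
    as a failed defense, which triggers the next plan.
    """
    plans: List[str]
    grace: float
    active: Optional[int] = None          # index of the plan currently running
    started_at: Optional[float] = None
    history: List[Tuple[float, str, str]] = field(default_factory=list)  # (time, plan, outcome)

    def on_tick(self, now, anomaly_present):
        """Feed one detection result; return the action taken this tick, or None."""
        if not anomaly_present:
            if self.active is not None:      # anomaly eliminated while a plan was running
                self.history.append((now, self.plans[self.active], "success"))
                self.active = None
            return None
        if self.active is None:              # S240: first detection, start the preset plan
            self.active, self.started_at = 0, now
            return self.plans[0]
        if now - self.started_at >= self.grace:   # S250: not eliminated within the set period
            self.history.append((now, self.plans[self.active], "failure"))
            if self.active + 1 < len(self.plans):
                self.active, self.started_at = self.active + 1, now
                return self.plans[self.active]
            self.started_at = now            # no plan left: warn professionals, keep watching
            return "raise_alert_for_operators"
        return None

    def successful_defenses(self):
        """k2 in the evaluation step: defenses that eliminated the anomaly."""
        return sum(1 for _, _, outcome in self.history if outcome == "success")


# Constructed detection timeline: (time, anomaly_present) as reported by the detector.
TIMELINE = [(0.0, True), (5.0, True), (10.0, True), (15.0, True), (18.0, False), (30.0, True)]


def replay(timeline, runner):
    """Run a timeline through the runner; return the action taken at each tick."""
    return [runner.on_tick(t, present) for t, present in timeline]


if __name__ == "__main__":
    r = DefensePlanRunner(plans=["intercept_address", "swap_model"], grace=10.0)
    print(replay(TIMELINE, r), r.history, r.successful_defenses())
```

Run on the constructed timeline, intercepting the address is applied at t=0, declared failed at t=10 because the anomaly persists for the full grace period, the model swap takes over and is credited as the one successful defense when the anomaly clears at t=18; the later detection at t=30 starts the sequence again from the first plan.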
  • the real defense solution is limited by the operating environment of the defender's platform B, such as the memory size of the defender's platform B, the computing power of the CPU, and other resource constraints.
  • Defender platform B can detect anomalies in the processing of business requests and adjust defense plans under set computing resources.
  • the simulation test process can be evaluated using the number of successful attacks and the number of successful defenses as evaluation indicators.
  • the attacker's platform A can count the number k1 of successful attacks within a preset period and send the number k1 to the designated device.
  • Defender platform B can count the number k2 of successful defenses within the preset period and send the number k2 to the designated device.
  • the designated device can be either attacker platform A or defender platform B, or it can be a third-party device.
  • the entire attack and defense are dynamic. Once the attack plan finds that its attack has failed, it needs to update the attack plan to try to break through the defense; once successful, all attack traffic can use this attack method to increase the number of attacks. Once the defense plan is detected to have been breached, the defense plan needs to be updated to block the attack.
  • the attacker's platform simulates actual business scenarios, and its attack algorithm is more likely to break the network model of real scenarios, rather than just for experimental research.
  • this embodiment also has certain limitations on the attacker's computing resources and computing time, and emphasizes the timeliness and computing cost of the attack algorithm. These are factors that must be considered in real attacks.
  • the defense aspect deals with attack methods that are close to reality, and the defense solutions developed in this scenario are more likely to be applied to actual business scenarios.
  • the simulation test method requires that the defense solution can respond quickly when it is breached, update and upgrade defense methods, and plug loopholes in time. Otherwise, the attacker can use successful attack methods to infinitely break through the defense.
  • the defense solutions generated on this platform are more likely to be applied to actual business scenarios, thereby improving the security and stability of the network model.
  • the word "first" in terms such as "first feedback data" and "first attack algorithm" is only for convenience of distinction and description and has no limiting meaning.
  • FIG. 3 is a schematic block diagram of an attack and defense confrontation simulation test system for a network model provided by the embodiment.
  • the system includes an attacker platform 310 and a defender platform 320, and the network model is deployed on the defender platform 320.
  • Both the attacker platform 310 and the defender platform 320 can be implemented by any apparatus, device, platform, or device cluster with computing and processing capabilities.
  • the system embodiment corresponds to the method embodiment shown in Figure 2.
  • the system 300 includes:
  • the attacker platform 310 is configured to send a service request to the defender platform 320 based on the attack algorithm, where the service request carries the business data to be predicted;
  • the defender platform 320 is configured to receive the service request sent by the attacker platform 310, determine the prediction result of the business data through the network model, send feedback data to the attacker platform 310 based on the prediction result, and perform anomaly detection on the processing of the business request;
  • the attacker platform 310 is configured to receive the feedback data sent by the defender platform 320 in response to the service request, adjust the attack algorithm when the feedback data meets the preset conditions, and continue to send service requests to the defender platform 320 based on the attack algorithm.
  • the defender platform 320 is also configured to:
  • execute a preset defense plan based on the detected anomaly information; after the preset defense plan has been executed, if the anomaly is still detected and has not been eliminated, adjust the defense plan and continue to execute the adjusted defense plan.
  • when the defender platform 320 detects anomalies in the processing of business requests, this includes:
  • when the attacker platform 310 adjusts the attack algorithm because the feedback data meets the preset conditions, this includes:
  • the operating logic in the attack algorithm is adjusted.
  • the attacker platform 310 when the attacker platform 310 sends a service request to the defender platform 320 based on the attack algorithm, it includes:
  • the attacker platform 310 adjusts the attack algorithm when the feedback data meets the preset conditions, including:
  • the first attack algorithm corresponding to the first feedback data is used as the attack algorithm used in subsequent attacks, Stop using other attack algorithms.
  • the attacker platform 310 is also used to:
  • the operating logic in the first attack algorithm is adjusted.
  • the attacker platform 310 when the attacker platform 310 sends service requests to the defender platform 320 based on multiple different attack algorithms, the following include:
  • service requests are respectively sent to the defender platform 320 under the set traffic limits corresponding to the different attack algorithms; where the sum of the set traffic corresponding to the multiple attack algorithms is less than the total set traffic.
  • the attacker platform 310 uses the first attack algorithm corresponding to the first feedback data as the attack algorithm used in subsequent attacks. When it stops using other attack algorithms, it includes:
  • the attacker platform 310 is also used to count the number of successful attacks within a preset period and send the number to the designated device;
  • the defender platform 320 is also used to count the number of successful defenses within the preset period, and send the number to the designated device, so that the designated device is based on the number of successful attacks by the attacker platform 310, and the defense The number of successful defenses of the platform 320 is used to evaluate the attack and defense confrontation simulation test process for the network model.
  • Embodiments of this specification also provide a computer-readable storage medium on which a computer program is stored.
  • the computer program is executed in a computer, the computer is caused to execute the method described in either of Figures 1 and 2.
  • Embodiments of this specification also provide a computing device, including a memory and a processor.
  • Executable code is stored in the memory.
  • the processor executes the executable code, any one of Figures 1 and 2 can be implemented. method described.

Abstract

Embodiments of the present description provide an attack-defense confrontation simulation test method and system for a network model. The network model is deployed in a defense party platform, and the network model publicly provides a prediction service for service data to each user. In the simulation test method, an attack party platform is disguised as a user and sends a service request to the defense party platform on the basis of an attack algorithm, the service request carrying service data to be predicted. The defense party platform receives the service request sent by the attack party platform, determines a prediction result of the service data by means of the network model, and sends feedback data to the attack party platform on the basis of the prediction result. When the attack party platform receives the feedback data and the feedback data satisfies a preset condition, the attack party platform adjusts the attack algorithm, for example, adjusting the operation logic of the attack algorithm when an attack fails, and continuing the attack in a different mode. Meanwhile, the defense party platform also performs anomaly detection on the processing process of the service request, and takes a corresponding defensive measure when an anomaly is detected.

Description

Attack and defense confrontation simulation test method and system for a network model
This application claims priority to the Chinese patent application filed with the China National Intellectual Property Administration on June 22, 2022, with application number 2022107112943 and titled "An attack and defense confrontation simulation test method and system for network models", the entire contents of which are incorporated herein by reference.
Technical field
One or more embodiments of this specification relate to the field of computer technology, and in particular to an attack and defense confrontation simulation test method and system for a network model.
Background
Artificial intelligence (AI) models, represented by deep learning, have achieved very good performance in scenarios such as facial recognition, machine translation and recommendation systems. However, AI models behave very unstably when attacked, and an attacker can even make a model output the results the attacker wants.
Therefore, an improved solution is desired that can better simulate actual adversarial attacks on network models, in order to better find methods of countering actual attacks.
Summary of the invention
One or more embodiments of this specification describe an attack and defense confrontation simulation test method and system for a network model, in order to better simulate actual adversarial attacks on the network model and find better methods of countering actual attacks. The specific technical solutions are as follows.
In a first aspect, an embodiment provides an attack and defense confrontation simulation test method for a network model, involving an attacker platform and a defender platform, the network model being deployed on the defender platform. The method includes:
the attacker platform sending a service request to the defender platform based on an attack algorithm, the service request carrying business data to be predicted;
the defender platform receiving the service request sent by the attacker platform, determining a prediction result for the business data through the network model, sending feedback data to the attacker platform based on the prediction result, and performing anomaly detection on the processing of the service request;
the attacker platform receiving the feedback data sent by the defender platform in response to the service request, adjusting the attack algorithm when the feedback data meets a preset condition, and continuing to execute the step of sending a service request to the defender platform based on the attack algorithm.
In one implementation, after performing anomaly detection on the processing of the service request, the method further includes:
when an anomaly is detected, executing a preset defense plan based on the detected anomaly information;
after executing the preset defense plan, when the anomaly is found not to have been eliminated, adjusting the defense plan and continuing to execute the adjusted defense plan.
In one implementation, the step of performing anomaly detection on the processing of the service request includes:
performing anomaly detection based on the received service request and/or the corresponding prediction result.
In one implementation, the step of adjusting the attack algorithm when the feedback data meets the preset condition includes:
when the feedback data meets a preset attack failure condition, adjusting the operating logic of the attack algorithm.
In one implementation, the step of sending a service request to the defender platform based on the attack algorithm includes:
sending service requests to the defender platform respectively based on multiple different attack algorithms;
and the step of adjusting the attack algorithm when the feedback data meets the preset condition includes:
when, among the received feedback data for the different attack algorithms, there is first feedback data that meets a preset attack success condition, using the first attack algorithm corresponding to the first feedback data as the attack algorithm for subsequent attacks and stopping use of the other attack algorithms.
In one implementation, after stopping use of the other attack algorithms, the method further includes:
when subsequently received feedback data for the first attack algorithm meets the preset attack failure condition, adjusting the operating logic of the first attack algorithm.
In one implementation, the step of sending service requests to the defender platform respectively based on multiple different attack algorithms includes:
sending service requests to the defender platform respectively based on the multiple different attack algorithms, under the set traffic limit corresponding to each attack algorithm, where the sum of the set traffic corresponding to the multiple attack algorithms is less than the total set traffic.
In one implementation, the step of using the first attack algorithm corresponding to the first feedback data as the attack algorithm for subsequent attacks and stopping use of the other attack algorithms includes:
based on the total remaining traffic, increasing the remaining traffic corresponding to the first attack algorithm, and setting the remaining traffic corresponding to the other attack algorithms to 0.
In one implementation, the method further includes:
the attacker platform counting the number of successful attacks within a preset period and sending that number to a designated device;
the defender platform counting the number of successful defenses within the preset period and sending that number to the designated device;
the designated device evaluating the attack and defense confrontation simulation test process for the network model based on the number of successful attacks by the attacker platform and the number of successful defenses by the defender platform.
In a second aspect, an embodiment provides an attack and defense confrontation simulation test system for a network model, including an attacker platform and a defender platform, the network model being deployed on the defender platform. The system includes:
the attacker platform, configured to send a service request to the defender platform based on an attack algorithm, the service request carrying business data to be predicted;
the defender platform, configured to receive the service request sent by the attacker platform, determine a prediction result for the business data through the network model, send feedback data to the attacker platform based on the prediction result, and perform anomaly detection on the processing of the service request;
the attacker platform, configured to receive the feedback data sent by the defender platform in response to the service request, adjust the attack algorithm when the feedback data meets a preset condition, and continue to send service requests to the defender platform based on the attack algorithm.
In one implementation, the defender platform is further configured to:
after performing anomaly detection on the processing of the service request, execute a preset defense plan based on the detected anomaly information when an anomaly is detected; and after executing the preset defense plan, adjust the defense plan when the anomaly is found not to have been eliminated, and continue to execute the adjusted defense plan.
In one implementation, when the attacker platform sends service requests to the defender platform based on the attack algorithm, this includes:
sending service requests to the defender platform respectively based on multiple different attack algorithms;
and when the attacker platform adjusts the attack algorithm when the feedback data meets the preset condition, this includes:
when, among the received feedback data for the different attack algorithms, there is first feedback data that meets a preset attack success condition, using the first attack algorithm corresponding to the first feedback data as the attack algorithm for subsequent attacks and stopping use of the other attack algorithms.
In one implementation, the attacker platform is further configured to count the number of successful attacks within a preset period and send that number to a designated device;
and the defender platform is further configured to count the number of successful defenses within the preset period and send that number to the designated device, so that the designated device evaluates the attack and defense confrontation simulation test process for the network model based on the number of successful attacks by the attacker platform and the number of successful defenses by the defender platform.
In a third aspect, an embodiment provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed in a computer, the computer is caused to perform the method of any one of the implementations of the first aspect.
In a fourth aspect, an embodiment provides a computing device including a memory and a processor. Executable code is stored in the memory, and when the processor executes the executable code, the method of any one of the implementations of the first aspect is implemented.
In the method and apparatus provided by the embodiments of this specification, the attacker platform sends service requests to the defender platform based on an attack algorithm, receives feedback data, adjusts the attack algorithm when the feedback data meets a preset condition, and then continues to attack the defender platform; the defender platform determines, through the network model, the prediction result for the business data in the service request, sends feedback data to the attacker platform, and performs anomaly detection on the processing of the service request throughout. This attack and defense confrontation simulation test method more realistically simulates the actual situation when an attacker platform attacks a network model: the attacker platform continuously adjusts its attack algorithm based on the feedback data, while the defender platform detects anomalies in real time and takes corresponding countermeasures. This simulation test method better simulates actual adversarial attacks on network models and provides a path to finding better methods of countering actual attacks; at the same time, through this simulation process, the defender platform can also find better methods of countering actual attacks.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification;
FIG. 2 is a schematic flowchart of an attack and defense confrontation simulation test method for a network model provided by an embodiment;
FIG. 3 is a schematic block diagram of an attack and defense confrontation simulation test system for a network model provided by an embodiment.
Detailed description
The solutions provided in this specification are described below with reference to the drawings.
FIG. 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification. An attack plan is formulated for the attacker and a defense plan for the defender. The attacker uses the attack plan to send the defender service requests that invoke the AI model for prediction. The defender, as the party that publicly provides the prediction service, serves users based on the AI model it runs. When the defender receives a service request sent by the attacker and detects no anomaly, it follows the normal business flow: it inputs the business data carried in the service request into the AI model, obtains the prediction result, and sends feedback data to the attacker based on that result. The attacker uses the attack plan to attack the defender repeatedly and in multiple ways, and the defender meanwhile checks in real time whether the processing of service requests shows any anomaly. Once some attack method succeeds, the attacker concentrates all of its traffic on that method to attack the AI model; if no attack succeeds for a period of time, the attack plan is updated. The defender, once it detects an anomaly or a possible attack, applies the corresponding defense plan. If the defense succeeds, the course of the confrontation and the defense plan are recorded for use as the defense plan in actual business processing; if the defense fails, the course of the confrontation provides maintenance personnel with a reference for improving the defense plan and the stability of the network model.
Here, the AI model may also be called a network model, and may be a network model obtained by deep learning methods. The network model can be used to make predictions on input business data and obtain a prediction result. The prediction result may be of types such as a predicted class or a predicted value; that is, the network model may be a classification model or a regression model that outputs a predicted value, which this application does not limit. The business data includes feature data of objects such as users, goods, images, text and audio.
The attacker above is designed to simulate an attacker in practice. In practice, attackers use a wide variety of attack algorithms against network models, including backdoor attacks, poisoning attacks, adversarial examples and so on. Using one attack algorithm against a few fixed defense algorithms, or using one defense algorithm against a few classic attack algorithms to test its defensive effect, are static attack-defense confrontations. In actual business scenarios, the real confrontation is between an attack system and a defense system, and it changes dynamically: the attacker keeps looking for effective attack methods, while the defender keeps detecting defensive weaknesses and upgrading its defense system. On this basis, this embodiment provides a network model attack and defense confrontation test method that can simulate real scenarios.
In this simulation test method, in step S210, the attacker platform sends a service request to the defender platform based on an attack algorithm, the service request carrying business data to be predicted. In step S220, the defender platform receives the service request sent by the attacker platform, determines the prediction result for the business data through the network model, sends feedback data to the attacker platform based on the prediction result, and performs anomaly detection on the processing of the service request. In step S230, the attacker platform receives the feedback data sent by the defender platform in response to the service request, adjusts the attack algorithm when the feedback data meets a preset condition, and continues to execute the step of sending a service request to the defender platform based on the attack algorithm. This simulation test method can simulate the dynamic confrontation between an attack system and a defense system, in which the attacker keeps changing its attack algorithm and the defender keeps detecting defensive weaknesses and upgrading its defense system. It can thus simulate the real adversarial attack methods used against network models in practice, and provides a path to finding better methods of countering actual attacks.
This embodiment is described in detail below with reference to FIG. 2.
FIG. 2 is a schematic flowchart of an attack and defense confrontation simulation test method for a network model provided by an embodiment. The method involves an attacker platform corresponding to the attacker and a defender platform corresponding to the defender. The network model is deployed on the defender platform. The network model may be a trained model that determines the prediction result for input business data based on trained model parameters; for example, it may be used to recognize images, to classify users as high-risk or low-risk, or to determine a user's degree of interest in content to be recommended. Both the attacker platform and the defender platform can be implemented by any apparatus, device, platform, device cluster, etc. having computing and processing capabilities. The method includes the following steps.
In step S210, attacker platform A sends a service request to defender platform B based on an attack algorithm, the service request carrying business data to be predicted. Attacker platform A may obtain raw data, process the raw data with the attack algorithm to obtain the business data to be predicted, and generate a service request based on that business data. Attacker platform A may use multiple pieces of raw data to generate multiple corresponding service requests and send them to defender platform B.
For example, when the attack algorithm is an adversarial example attack algorithm, attacker platform A may add a perturbation imperceptible to the human eye to an original sample to obtain a processed sample, and use that sample as the business data. Attacker platform A generates a service request based on the business data and sends it to defender platform B. The service request asks defender platform B to use its network model to determine the prediction result for the business data.
For example, the attacker platform may make some changes to an image of a cat so that the network model's recognition result is that the image shows a dog. Such perturbations do not affect human recognition but can easily lead the network model to an incorrect prediction.
There may be one or more attack algorithms. An attack algorithm may be selected from a number of existing attack algorithms or may be a generated attack algorithm. Attacker platform A may also send service requests to defender platform B based on multiple (two or more) different attack algorithms at the same time. Attacker platform A may process the raw data with different attack algorithms to obtain different business data to be predicted, and generate multiple types of service requests correspondingly from the different business data. The "type" of a service request here is understood as the type corresponding to the business data, obtained with a particular attack algorithm, that the service request carries.
In step S220, defender platform B receives the service request sent by attacker platform A, determines the prediction result for the business data through the network model, and sends feedback data to attacker platform A based on the prediction result. In addition, defender platform B may perform anomaly detection on the processing of the service request in real time.
Defender platform B simulates a platform that publicly provides a prediction service using a network model. When defender platform B detects no anomaly, it processes the received service request according to the normal flow: for example, it inputs the business data carried in the service request into the network model, determines the prediction result for the business data through the network model, and sends feedback data to attacker platform A based on the prediction result. When defender platform B detects an anomaly, it may handle the request in a preset way.
After determining the prediction result for the business data, defender platform B may send the prediction result directly to attacker platform A as the feedback data, or may generate feedback data based on the prediction result. For example, when no anomaly is detected, the prediction result may be sent directly to attacker platform A as the feedback data; when an anomaly is detected, feedback data indicating, for instance, that the service is currently unavailable may be sent to attacker platform A.
When defender platform B performs anomaly detection on the processing of service requests, it may do so based on the received service requests and/or the corresponding prediction results. For example, it may count the number of service requests from a given address within a period of time and treat the situation as anomalous when that number exceeds a threshold; or it may count the number of times a particular prediction result is produced within a period of time and treat the situation as anomalous when that number falls outside the normal range. For example, in the field of credit approval, a network model is used to decide whether to approve credit for a user based on the input user data; if the credit approval rate is found to be too high over a period of time, an anomaly can be considered to exist.
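The two detection rules described in the preceding paragraph (per-address request count over a time window, and the share of one prediction outcome over a time window, as in the credit-approval case), as an added example. This is illustration code, not part of the specification or of the applicant's system; the request log, the addresses, the thresholds and the "approve"/"reject" labels are all constructed for the example, and the log tuple layout `(timestamp, address, result)` is an assumption.

```python
from collections import defaultdict, deque

# Constructed sample of the defender platform's request log for this example:
# (timestamp in seconds, source address, prediction result). Not data from the specification.
SAMPLE_LOG = (
    [(0, "10.0.0.1", "approve"), (7, "10.0.0.2", "reject"), (15, "10.0.0.3", "reject"),
     (22, "10.0.0.4", "approve"), (38, "10.0.0.5", "reject"), (51, "10.0.0.6", "reject")]
    # one address firing eight requests in eight seconds, every one of them approved
    + [(60 + i, "10.0.0.9", "approve") for i in range(8)]
    + [(70, "10.0.0.2", "reject"), (95, "10.0.0.3", "reject")]
)


def detect_request_rate_anomalies(log, window_seconds, max_requests):
    """Flag every source address that sends more than max_requests within any
    sliding window of window_seconds (the per-address count check)."""
    recent = defaultdict(deque)   # address -> timestamps still inside the window
    flagged = set()
    for ts, addr, _result in sorted(log):
        q = recent[addr]
        q.append(ts)
        while q and ts - q[0] > window_seconds:   # expire timestamps that left the window
            q.popleft()
        if len(q) > max_requests:
            flagged.add(addr)
    return flagged


def detect_outcome_rate_anomalies(log, window_seconds, outcome, normal_range, min_samples=5):
    """Flag fixed windows in which the share of `outcome` among the prediction results
    falls outside normal_range (the prediction-result check, e.g. approval rate too high).
    Returns a list of (window_start, rate) pairs."""
    lo, hi = normal_range
    buckets = defaultdict(list)
    for ts, _addr, result in log:
        buckets[(ts // window_seconds) * window_seconds].append(result)
    anomalies = []
    for start in sorted(buckets):
        results = buckets[start]
        if len(results) < min_samples:       # too few predictions to judge a rate
            continue
        rate = sum(1 for r in results if r == outcome) / len(results)
        if not lo <= rate <= hi:
            anomalies.append((start, round(rate, 2)))
    return anomalies


def run_detection(log=SAMPLE_LOG):
    """Apply both checks with constructed thresholds and return what would be alerted on."""
    return {
        "busy_addresses": detect_request_rate_anomalies(log, window_seconds=10, max_requests=5),
        "abnormal_windows": detect_outcome_rate_anomalies(log, 60, "approve", (0.2, 0.5)),
    }


if __name__ == "__main__":
    print(run_detection())
```

On the constructed log the first check flags `10.0.0.9` and the second flags the window starting at second 60, where 8 of 10 predictions are approvals against a normal range of 20 to 50 percent; the first window, with 2 approvals out of 6, passes. The `min_samples` guard matters in practice: a rate computed over two or three predictions swings wildly and would page someone for nothing.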
When defender platform B detects an anomaly, it may issue an anomaly alert for further handling by specialists.
In step S230, attacker platform A receives the feedback data sent by defender platform B in response to the service request, adjusts the attack algorithm when the feedback data meets a preset condition, and continues to execute the step in S210 of sending a service request to defender platform B based on the attack algorithm.
The preset condition may be a preset attack success condition or a preset attack failure condition. When the feedback data contains the prediction result for the business data, the feedback data is considered to meet the attack success condition if the prediction result achieves the attacker's preset attack goal, and not to meet it otherwise. For example, the attacker slightly perturbs an image of a cat with the goal of having it recognized as an image of a dog. If the prediction result shows that the network model recognized the cat image as a dog image, the prediction result is considered to have achieved the attack goal and the feedback data meets the attack success condition. Alternatively, the attacker slightly perturbs the cat image with the goal of lowering the probability that it is correctly recognized by 20%. If the predicted value is more than 20% lower than the correct-recognition probability for the unperturbed image, the predicted value is considered to have achieved the attack goal and the feedback data meets the attack success condition. When the attack succeeds, the attack algorithm is considered to have attacked the network model successfully.
Similarly, for attack failure, any feedback data that does not meet the attack success condition can be considered to meet the attack failure condition. Attack failure can also be determined in combination with the number of service requests sent: for example, when all of m sent service requests fail, the attack algorithm is considered to have failed.
When the feedback data meets the preset attack failure condition, attacker platform A may adjust the operating logic of the attack algorithm and, based on the adjusted attack algorithm, continue to send service requests to defender platform B, that is, continue to attack the network model, so as to simulate real attack behaviour.
When attacker platform A has sent service requests to defender platform B based on one or more attack algorithms, that is, has been attacking for a period of time, and all attacks have failed, attacker platform A may adjust the attack algorithm and continue to attack defender platform B based on the adjusted attack algorithm.
If, among the feedback data for the different attack algorithms received by attacker platform A, there is first feedback data that meets the preset attack success condition, the first attack algorithm corresponding to that first feedback data is used as the attack algorithm for subsequent attacks and the other attack algorithms are no longer used. That is, once one of the multiple attack algorithms succeeds, only that attack algorithm is used to continue attacking defender platform B, and the other attack algorithms are no longer used.
例如,攻击方平台使用攻击算法1、2和3向防御方平台B分别发送业务数据,当发现攻击算法2对应的反馈数据满足攻击成功的条件,则该反馈数据称为第一反馈数据,攻击算法2称为第一攻击算法。For example, the attacker platform uses attack algorithms 1, 2 and 3 to send business data to the defender platform B respectively. When it is found that the feedback data corresponding to attack algorithm 2 meets the conditions for a successful attack, the feedback data is called the first feedback data, and the attack Algorithm 2 is called the first attack algorithm.
在停止使用其他攻击算法之后,攻击方平台A后续继续基于第一攻击算法向防御方平台B发送业务请求。当后续接收到的针对第一攻击算法的反馈数据满足预设的攻击失败条件时,攻击方平台A可以再对第一攻击算法中的运行逻辑进行调整。在这种情况中,防御方平台B可能检测到了异常,并采取了相应的防御方案,弥补了漏洞,因此后续攻击方平台A使用的第一攻击算法的攻击行为会出现失败的情况。After stopping using other attack algorithms, the attacker platform A continues to send service requests to the defender platform B based on the first attack algorithm. When the subsequently received feedback data for the first attack algorithm meets the preset attack failure conditions, the attacker platform A can then adjust the operating logic in the first attack algorithm. In this case, the defender platform B may have detected the anomaly and adopted a corresponding defense plan to make up for the vulnerability. Therefore, the subsequent attack behavior of the first attack algorithm used by the attacker platform A will fail.
A real attack plan is constrained by the operating environment of attacker platform A, for example by resource limits such as the memory size and CPU computing power of attacker platform A. To come closer to real attack behavior, the request traffic of attacker platform A can be limited: a certain proportion of the request traffic is allocated to the attacker, and the traffic attacker platform A uses when attacking may not exceed this limit.
For example, a set traffic volume can be allocated to each attack algorithm, with the sum of the set traffic volumes of the multiple attack algorithms being smaller than the total set traffic volume. Attacker platform A then sends service requests to defender platform B based on the multiple different attack algorithms, each under the set traffic limit corresponding to that algorithm.
By limiting request traffic, attacker platform A can control whether an attack algorithm is used or stopped. For example, based on the total remaining traffic, the remaining traffic corresponding to the first attack algorithm can be increased and the remaining traffic corresponding to the other attack algorithms set to 0, thereby making the first attack algorithm the one used for subsequent attacks and stopping the others. Specifically, all of the total remaining traffic may be allocated to the first attack algorithm, or only part of it. The remaining traffic of the other attack algorithms all flows back into the total remaining traffic.
For example, the attacker is allocated 1,000 service requests in total, and each of 5 attack algorithms is initially allocated 100 service requests. If, within the 100 service requests sent by each attack algorithm, some attack algorithm a succeeds, all remaining service requests are allocated to attack algorithm a and the other attack algorithms send no further service requests. If none of the attack algorithms succeeds within these 100 service requests, the attack algorithms can be adjusted and the remaining 500 service requests used to continue the attack.
The above focuses on how the attacker simulates real attack scenarios and attack behavior and adjusts its attack algorithms. In the embodiment shown in Figure 2, a real scenario can likewise be simulated for the defender, having it execute defense plans, upgrade its defenses, and so on. The method may further include steps S240 and S250.
In step S240, after performing anomaly detection on the processing of the service request, defender platform B may, when an anomaly is detected, execute a preset defense plan based on the detected anomaly information. Preset defense plans may include replacing the network model with another network model of similar functionality, intercepting service requests from a certain address, and the like.
In step S250, after executing the preset defense plan, defender platform B adjusts the defense plan when it detects that the anomaly has not been eliminated, and continues to execute the adjusted defense plan. The defense plan may be adjusted by, for example, retraining the network model or setting up a blacklist or whitelist.
Corresponding defense-success and defense-failure conditions can also be set for defender platform B. For example, if the anomaly has not been eliminated within a set period after it is detected, the defense can be considered to have failed; if it has been eliminated, the defense is considered successful.
A real defense plan is constrained by the operating environment of defender platform B, for example by resource limits such as the memory size and CPU computing power of defender platform B. Defender platform B may perform anomaly detection on the processing of service requests, adjust its defense plan, and so on, within set computing resources.
After attacker platform A and defender platform B have confronted each other for a period of time, the simulation test process can be evaluated using the number of times the attack plan broke through and the number of times the defense plan defended successfully as evaluation indicators.
Attacker platform A may count the number of successful attacks k1 within a preset period and send k1 to a designated device. Defender platform B may count the number of successful defenses k2 within the same preset period and send k2 to the designated device. The designated device evaluates the attack-defense confrontation simulation test process for the network model based on k1 and k2. The designated device may be either attacker platform A or defender platform B, or a third-party device.
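The traffic-quota and lock-in rules of the attacker passages above, the defender's preset plan of intercepting an address, and the k1/k2 evaluation, re-enacted together as an added Python example that is not the applicant's code. The 1-D threshold model, the perturbation sizes, the near-boundary probe detector, the documentation-range source address and the sample points are all constructed stand-ins; the "adjust the operating logic" step is left as a counter, since the real adjustment is outside this page.

```python
"""Toy re-enactment of the quota-driven attack/defense loop (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def toy_model(x: float) -> Tuple[int, float]:
    """Stand-in for the deployed network model: class-1 score is x clipped to [0, 1]."""
    p1 = min(1.0, max(0.0, x))
    return (1 if p1 >= 0.5 else 0), p1


class DefenderPlatform:
    """Serves predictions, detects boundary probing per source, then blocks that source."""

    def __init__(self, band: float = 0.09, probe_limit: int = 20):
        self.band = band                  # |p1 - 0.5| < band counts as a boundary probe
        self.probe_limit = probe_limit    # probes from one source before the plan fires
        self.near_boundary: Dict[str, int] = {}
        self.blocked: Set[str] = set()
        self.k2 = 0                       # defense successes: anomaly detected and removed

    def handle(self, source: str, x: float) -> Optional[int]:
        """Return the predicted label, or None when the request was intercepted."""
        if source in self.blocked:        # preset defense plan: intercept that address
            return None
        label, p1 = toy_model(x)
        # Anomaly detection on prediction results: many near-boundary scores from one source
        if abs(p1 - 0.5) < self.band:
            self.near_boundary[source] = self.near_boundary.get(source, 0) + 1
            if self.near_boundary[source] >= self.probe_limit:
                self.blocked.add(source)
                self.k2 += 1
        return label


@dataclass
class AttackAlgorithm:
    name: str
    delta: float          # constructed perturbation size (placeholder for real attack logic)
    quota: int            # set traffic for this algorithm
    used: int = 0
    failures: int = 0     # consecutive failures since the last adjustment

    def craft(self, x: float, true_label: int) -> float:
        return x - self.delta if true_label == 1 else x + self.delta


class AttackerPlatform:
    """Spends a total request budget over several algorithms with the page's lock-in rule."""

    def __init__(self, algorithms: List[AttackAlgorithm], total_quota: int,
                 source: str = "198.51.100.7", fail_after: int = 50):
        allocated = sum(a.quota for a in algorithms)
        assert allocated <= total_quota, "per-algorithm quotas exceed the total set traffic"
        self.algorithms = algorithms
        self.unallocated = total_quota - allocated
        self.source = source              # constructed documentation-range address
        self.fail_after = fail_after      # m consecutive failures = attack-failure condition
        self.winner: Optional[AttackAlgorithm] = None
        self.k1 = 0                       # attack successes
        self.adjustments = 0

    def lock_in(self, winner: AttackAlgorithm) -> None:
        """Pool the other algorithms' remaining traffic into the first successful one."""
        pooled = self.unallocated
        for a in self.algorithms:
            if a is not winner:
                pooled += a.quota - a.used
                a.quota = a.used          # remaining traffic of the others set to 0
        winner.quota += pooled
        self.unallocated = 0
        self.winner = winner

    def run(self, defender: DefenderPlatform, samples: List[Tuple[float, int]]) -> Dict[str, object]:
        sent = step = 0
        while any(a.used < a.quota for a in self.algorithms):
            algo = self.winner if self.winner is not None else self.algorithms[step % len(self.algorithms)]
            step += 1
            if algo.used >= algo.quota:
                continue                  # round-robin over algorithms that still have traffic
            x, y = samples[sent % len(samples)]
            label = defender.handle(self.source, algo.craft(x, y))
            algo.used += 1
            sent += 1
            if label is not None and label != y:    # attack-success condition: label flipped
                self.k1 += 1
                algo.failures = 0
                if self.winner is None:
                    self.lock_in(algo)
            else:
                algo.failures += 1
                if algo.failures >= self.fail_after:  # attack-failure condition reached
                    algo.failures = 0
                    self.adjustments += 1             # "adjust the operating logic": a hook here
        return {"requests_sent": sent, "attack_successes": self.k1, "adjustments": self.adjustments,
                "defense_successes": defender.k2, "locked_in": self.winner.name if self.winner else None}


def simulate() -> Dict[str, object]:
    """The 1,000-request / 5 x 100 scenario from the description, on constructed samples."""
    algorithms = [AttackAlgorithm(n, d, 100) for n, d in
                  [("a1", 0.02), ("a2", 0.05), ("a3", 0.20), ("a4", 0.08), ("a5", 0.10)]]
    samples = [(0.62, 1), (0.35, 0)]      # constructed (feature, true label) pairs
    return AttackerPlatform(algorithms, total_quota=1000).run(DefenderPlatform(), samples)
```

Calling `simulate()` shows the dynamic the page describes: the third algorithm succeeds on its first request and absorbs the pooled 898 requests, but the defender's preset plan fires after 20 boundary probes, so k1 stays at 20 out of 1,000 requests while k2 is 1.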
In the above embodiments, the whole attack-defense process is dynamic. Once the attack plan finds that its attack has failed, it must update the attack plan and try to break through the defense; once it succeeds, all attack traffic can use that attack method, raising the number of attacks. Once the defense plan detects that it has been breached, it must update the defense plan to block the attack.
In the above embodiments, the attacker platform simulates a real service scenario, so its attack algorithms are more likely to break network models in real scenarios rather than serving only experimental research. At the same time, this embodiment places certain limits on the attacker's computing resources and computation time, emphasizing the timeliness and computational cost of attack algorithms, which are factors a real attack has to take into account.
The defender faces attack methods that are close to reality, so defense plans developed in this setting are more likely to be applicable to real service scenarios. At the same time, the simulation test method requires the defense plan to react quickly when breached, updating and upgrading its defenses and closing vulnerabilities in time; otherwise the attacker can use a successful attack method to break through the defense indefinitely. Defense plans produced on this platform are therefore more likely to be applied to real service scenarios, improving the security and stability of the network model.
In this specification, the word "first" in terms such as first feedback data and first attack algorithm is used only for convenience of distinction and description and carries no limiting meaning.
The foregoing describes specific embodiments of this specification; other embodiments fall within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that in the embodiments and still achieve the desired results. Furthermore, the processes depicted in the drawings do not necessarily require the particular order shown, or sequential order, to achieve the desired results. In certain implementations, multitasking and parallel processing are also possible and may be advantageous.
Figure 3 is a schematic block diagram of an attack-defense confrontation simulation test system for a network model according to an embodiment. The system includes an attacker platform 310 and a defender platform 320, and the network model is deployed on defender platform 320. Both attacker platform 310 and defender platform 320 may be implemented by any apparatus, device, platform or device cluster with computing and processing capability. This system embodiment corresponds to the method embodiment shown in Figure 2. The system 300 includes:
attacker platform 310, configured to send a service request to defender platform 320 based on an attack algorithm, the service request carrying service data to be predicted;
defender platform 320, configured to receive the service request sent by attacker platform 310, determine a prediction result for the service data through the network model, send feedback data to attacker platform 310 based on the prediction result, and perform anomaly detection on the processing of the service request;
attacker platform 310, configured to receive the feedback data sent by defender platform 320 in response to the service request, adjust the attack algorithm when the feedback data meets a preset condition, and continue to send service requests to defender platform 320 based on the attack algorithm.
In one implementation, defender platform 320 is further configured to:
after performing anomaly detection on the processing of the service request, execute a preset defense plan based on the detected anomaly information when an anomaly is detected; and, after executing the preset defense plan, adjust the defense plan when it detects that the anomaly has not been eliminated and continue to execute the adjusted defense plan.
In one implementation, defender platform 320 performing anomaly detection on the processing of the service request includes:
performing anomaly detection based on the received service request and/or the corresponding prediction result.
In one implementation, attacker platform 310 adjusting the attack algorithm when the feedback data meets the preset condition includes:
adjusting the operating logic of the attack algorithm when the feedback data meets a preset attack-failure condition.
In one implementation, attacker platform 310 sending the service request to defender platform 320 based on the attack algorithm includes:
sending service requests to defender platform 320 based on a plurality of different attack algorithms respectively;
and attacker platform 310 adjusting the attack algorithm when the feedback data meets the preset condition includes:
when the feedback data received for the different attack algorithms contains first feedback data that meets a preset attack-success condition, taking the first attack algorithm corresponding to the first feedback data as the attack algorithm used for subsequent attacks and stopping use of the other attack algorithms.
In one implementation, attacker platform 310 is further configured to:
after stopping use of the other attack algorithms, adjust the operating logic of the first attack algorithm when feedback data subsequently received for the first attack algorithm meets the preset attack-failure condition.
In one implementation, attacker platform 310 sending service requests to defender platform 320 based on the plurality of different attack algorithms respectively includes:
sending service requests to defender platform 320 based on the plurality of different attack algorithms respectively, each under the set traffic limit corresponding to that attack algorithm, where the sum of the set traffic volumes corresponding to the plurality of attack algorithms is smaller than the total set traffic volume.
In one implementation, attacker platform 310 taking the first attack algorithm corresponding to the first feedback data as the attack algorithm used for subsequent attacks and stopping use of the other attack algorithms includes:
based on the total remaining traffic, increasing the remaining traffic corresponding to the first attack algorithm and setting the remaining traffic corresponding to the other attack algorithms to 0.
In one implementation, attacker platform 310 is further configured to count the number of successful attacks within a preset period and send that number to a designated device;
and defender platform 320 is further configured to count the number of successful defenses within the preset period and send that number to the designated device, so that the designated device evaluates the attack-defense confrontation simulation test process for the network model based on the number of successful attacks by attacker platform 310 and the number of successful defenses by defender platform 320.
The above system embodiments correspond to the method embodiments; for details, refer to the description of the method embodiments, which is not repeated here. The system embodiments are derived from the corresponding method embodiments and have the same technical effects; for details, refer to the corresponding method embodiments.
Embodiments of this specification further provide a computer-readable storage medium on which a computer program is stored; when the computer program is executed in a computer, it causes the computer to perform the method described in either of Figures 1 and 2.
Embodiments of this specification further provide a computing device including a memory and a processor, the memory storing executable code which, when executed by the processor, implements the method described in either of Figures 1 and 2.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments may be referred to across them, and each embodiment focuses on its differences from the others. In particular, the storage-medium and computing-device embodiments are described briefly because they are essentially similar to the method embodiments; for the relevant details, refer to the description of the method embodiments.
Those skilled in the art will appreciate that, in one or more of the above examples, the functions described in the embodiments of the present invention may be implemented in hardware, software, firmware or any combination thereof. When implemented in software, these functions may be stored on a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.
The specific implementations described above further explain the objectives, technical solutions and beneficial effects of the embodiments of the present invention in detail. It should be understood that the above are merely specific implementations of embodiments of the present invention and are not intended to limit the scope of protection of the present invention; any modification, equivalent replacement, improvement or the like made on the basis of the technical solutions of the present invention shall fall within the scope of protection of the present invention.

Claims (15)

  1. An attack-defense confrontation simulation test method for a network model, involving an attacker platform and a defender platform, the network model being deployed on the defender platform, the method comprising:
    the attacker platform sending a service request to the defender platform based on an attack algorithm, the service request carrying service data to be predicted;
    the defender platform receiving the service request sent by the attacker platform, determining a prediction result for the service data through the network model, sending feedback data to the attacker platform based on the prediction result, and performing anomaly detection on the processing of the service request;
    the attacker platform receiving the feedback data sent by the defender platform in response to the service request, adjusting the attack algorithm when the feedback data meets a preset condition, and continuing to perform the step of sending a service request to the defender platform based on the attack algorithm.
  2. The method according to claim 1, further comprising, after performing anomaly detection on the processing of the service request:
    when an anomaly is detected, executing a preset defense plan based on the detected anomaly information;
    after executing the preset defense plan, adjusting the defense plan when it is detected that the anomaly has not been eliminated, and continuing to execute the adjusted defense plan.
  3. The method according to claim 1, wherein the step of performing anomaly detection on the processing of the service request comprises:
    performing anomaly detection based on the received service request and/or the corresponding prediction result.
  4. The method according to claim 1, wherein the step of adjusting the attack algorithm when the feedback data meets a preset condition comprises:
    adjusting the operating logic of the attack algorithm when the feedback data meets a preset attack-failure condition.
  5. The method according to claim 1, wherein the step of sending a service request to the defender platform based on an attack algorithm comprises:
    sending service requests to the defender platform based on a plurality of different attack algorithms respectively;
    and the step of adjusting the attack algorithm when the feedback data meets a preset condition comprises:
    when the feedback data received for the different attack algorithms contains first feedback data that meets a preset attack-success condition, taking the first attack algorithm corresponding to the first feedback data as the attack algorithm used for subsequent attacks and stopping use of the other attack algorithms.
  6. The method according to claim 5, further comprising, after stopping use of the other attack algorithms:
    adjusting the operating logic of the first attack algorithm when feedback data subsequently received for the first attack algorithm meets a preset attack-failure condition.
  7. The method according to claim 5, wherein the step of sending service requests to the defender platform based on a plurality of different attack algorithms respectively comprises:
    sending service requests to the defender platform based on the plurality of different attack algorithms respectively, each under the set traffic limit corresponding to that attack algorithm, wherein the sum of the set traffic volumes corresponding to the plurality of attack algorithms is smaller than the total set traffic volume.
  8. The method according to claim 7, wherein the step of taking the first attack algorithm corresponding to the first feedback data as the attack algorithm used for subsequent attacks and stopping use of the other attack algorithms comprises:
    based on the total remaining traffic, increasing the remaining traffic corresponding to the first attack algorithm and setting the remaining traffic corresponding to the other attack algorithms to 0.
  9. The method according to claim 1, further comprising:
    the attacker platform counting the number of successful attacks within a preset period and sending that number to a designated device;
    the defender platform counting the number of successful defenses within the preset period and sending that number to the designated device;
    the designated device evaluating the attack-defense confrontation simulation test process for the network model based on the number of successful attacks by the attacker platform and the number of successful defenses by the defender platform.
  10. An attack-defense confrontation simulation test system for a network model, comprising an attacker platform and a defender platform, the network model being deployed on the defender platform, wherein:
    the attacker platform is configured to send a service request to the defender platform based on an attack algorithm, the service request carrying service data to be predicted;
    the defender platform is configured to receive the service request sent by the attacker platform, determine a prediction result for the service data through the network model, send feedback data to the attacker platform based on the prediction result, and perform anomaly detection on the processing of the service request;
    the attacker platform is configured to receive the feedback data sent by the defender platform in response to the service request, adjust the attack algorithm when the feedback data meets a preset condition, and continue to send service requests to the defender platform based on the attack algorithm.
  11. The system according to claim 10, wherein the defender platform is further configured to:
    after performing anomaly detection on the processing of the service request, execute a preset defense plan based on the detected anomaly information when an anomaly is detected; and, after executing the preset defense plan, adjust the defense plan when it is detected that the anomaly has not been eliminated and continue to execute the adjusted defense plan.
  12. The system according to claim 10, wherein the attacker platform sending a service request to the defender platform based on an attack algorithm comprises:
    sending service requests to the defender platform based on a plurality of different attack algorithms respectively;
    and the attacker platform adjusting the attack algorithm when the feedback data meets a preset condition comprises:
    when the feedback data received for the different attack algorithms contains first feedback data that meets a preset attack-success condition, taking the first attack algorithm corresponding to the first feedback data as the attack algorithm used for subsequent attacks and stopping use of the other attack algorithms.
  13. The system according to claim 10, wherein:
    the attacker platform is further configured to count the number of successful attacks within a preset period and send that number to a designated device;
    the defender platform is further configured to count the number of successful defenses within the preset period and send that number to the designated device, so that the designated device evaluates the attack-defense confrontation simulation test process for the network model based on the number of successful attacks by the attacker platform and the number of successful defenses by the defender platform.
  14. A computer-readable storage medium on which a computer program is stored, the computer program, when executed in a computer, causing the computer to perform the method according to any one of claims 1 to 9.
  15. A computing device comprising a memory and a processor, the memory storing executable code which, when executed by the processor, implements the method according to any one of claims 1 to 9.
PCT/CN2023/087367 2022-06-22 2023-04-10 Attack-defense confrontation simulation test method and system for network model WO2023246237A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210711294.3 2022-06-22
CN202210711294.3A CN114859758A (en) 2022-06-22 2022-06-22 Attack-defense confrontation simulation test method and system for network model

Publications (1)

Publication Number Publication Date
WO2023246237A1 true WO2023246237A1 (en) 2023-12-28

Family

ID=82626197

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/087367 WO2023246237A1 (en) 2022-06-22 2023-04-10 Attack-defense confrontation simulation test method and system for network model

Country Status (2)

Country Link
CN (1) CN114859758A (en)
WO (1) WO2023246237A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117650948A (en) * 2024-01-29 2024-03-05 北京丈八网络安全科技有限公司 Network attack and defense simulation method based on discrete event model

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114859758A (en) * 2022-06-22 2022-08-05 支付宝(杭州)信息技术有限公司 Attack-defense confrontation simulation test method and system for network model
CN116599762A (en) * 2023-06-25 2023-08-15 北京五一嘉峪科技有限公司 Distributed denial of service attack and defense exercise system and method
CN117634501A (en) * 2024-01-23 2024-03-01 青岛理工大学 Computer file confidentiality checking method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112766315A (en) * 2020-12-31 2021-05-07 湖南大学 Method and system for testing robustness of artificial intelligence model
CN113688383A (en) * 2021-08-31 2021-11-23 林楠 Attack defense testing method based on artificial intelligence and artificial intelligence analysis system
CN114338172A (en) * 2021-12-30 2022-04-12 北京西普阳光教育科技股份有限公司 Mobile network target range system and network flow attack simulation method
CN114579962A (en) * 2022-02-15 2022-06-03 浙江大学 AI safety attack and defense test method
CN114859758A (en) * 2022-06-22 2022-08-05 支付宝(杭州)信息技术有限公司 Attack-defense confrontation simulation test method and system for network model

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117650948A (en) * 2024-01-29 2024-03-05 北京丈八网络安全科技有限公司 Network attack and defense simulation method based on discrete event model
CN117650948B (en) * 2024-01-29 2024-04-12 北京丈八网络安全科技有限公司 Network attack and defense simulation method based on discrete event model

Also Published As

Publication number Publication date
CN114859758A (en) 2022-08-05

Similar Documents

Publication Publication Date Title
WO2023246237A1 (en) Attack-defense confrontation simulation test method and system for network model
JP7086972B2 (en) Continuous learning for intrusion detection
US11856021B2 (en) Detecting and mitigating poison attacks using data provenance
US10516698B2 (en) Honeypot computing services that include simulated computing resources
US10812504B2 (en) Systems and methods for cyber intrusion detection and prevention
US10320841B1 (en) Fraud score heuristic for identifying fradulent requests or sets of requests
US10460102B2 (en) Cognitive learning to counter security threats for kinematic actions in robots
US20200004961A1 (en) System and method of identifying malicious files using a learning model trained on a malicious file
CN109194684B (en) Method and device for simulating denial of service attack and computing equipment
US10911480B2 (en) Detection of scripted activity
US20230274003A1 (en) Identifying and correcting vulnerabilities in machine learning models
KR20230005995A (en) IUPG: Adversarial Anti-False Positive Deep Learning Model
US10931706B2 (en) System and method for detecting and identifying a cyber-attack on a network
Nugraha et al. Performance evaluation of botnet detection using deep learning techniques
CN111163070A (en) Method, device, equipment and medium for judging correct link of service chain safety deployment under mimicry defense
US11290486B1 (en) Allocating defective computing resources for honeypot services
GB2619589A (en) Fuzz testing of machine learning models to detect malicious activity on a computer
JP2023523079A (en) Endpoint security using behavior prediction model
CN113874860A (en) Apparatus and method for detecting malware
US20240160744A1 (en) Identifying and assessing costs associated with correcting vulnerabilities in machine learning models
US20230336574A1 (en) Accelerated data movement between data processing unit (dpu) and graphics processing unit (gpu) to address real-time cybersecurity requirements
Tsang et al. Meta-ATMoS+: A Meta-Reinforcement Learning Framework for Threat Mitigation in Software-Defined Networks
CN115913668A (en) Network behavior detection method, device, equipment and storage medium
CN115712893A (en) Attack detection method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23825892

Country of ref document: EP

Kind code of ref document: A1