基于多目标演化优化的SVM对抗仿真测试算法

doi:10.16182/j.issn1004731x.joss.24-0101

摘要/Abstract

摘要：

机器学习通常从数据中挖掘潜在的模式与规则，容易受到数据的影响而产生诸如过拟合、欠拟合等现象，进而影响学习模型的泛化与鲁棒性能。从对抗仿真测试的角度考察SVM可能存在的脆弱不稳定性，采用的对抗仿真策略是通过选择性地污染训练样本标签，模拟攻击SVM分类器使其性能退化，以测试其对训练样本的依赖性。为探究SVM分类器在不同样本组合攻击下的性能损失上限，设计了最小攻击代价-最大攻击成效这一对矛盾目标，构建了SVM仿真测试的多目标优化模型。该模型本质上是一种典型的多目标组合优化问题，可采用适当的多目标演化算法求解目标间的一组非支配解集，揭示分类器在不同样本组合攻击下的分类性能表现。在人工及真实数据集上的仿真对比实验结果表明：所提方法能够一次性生成不同攻击水平下的最优攻击样本组合，取得最大的分类性能损失，更能全面测试SVM分类器性能的稳定性。

关键词: 对抗仿真测试, 污染标签, 支持向量机, 性能损失, 多目标优化, 非支配解集

Abstract:

Machine learning typically mines underlying patterns and rules from data, making it susceptible to phenomena such as overfitting and underfitting, which in turn affects the generalization and robustness of learning models. This paper explores the potential fragility and instability of SVM from the perspective of adversarial simulation testing. The adversarial simulation strategy employed involves selectively contaminating training sample labels to simulate an attack on the SVM classifier, thereby degrading its performance and testing its dependency on training samples. To explore the ceiling of performance degradation of an SVM classifier under the combination attack of different samples, the contradictory objectives of minimum attack cost-maximum attack effectiveness are designed, and a multi-objective optimization model is constructed for SVM simulation tests. This model is fundamentally a typical multi-objective combinatorial optimization problem that can be properly solved using multi-objective evolutionary algorithms to find a set of non-dominated solutions among the objectives, facilitating the investigation of the classifier's stability under the combination attack of different samples. Comparative experimental results on simulated and real datasets show that the proposed method can identify optimal attack sample combination at varying attack levels in a single run, and achieve more severe classification performance degradation, making it more suitable and effective for investigating the stability of classifiers comprehensively.

Key words: adversarial simulation testing, label contamination, SVM, performance degradation, multi-objective optimization, non-dominated solutions

中图分类号:

TP306+.2

李飞行,邢立宁,周宇 . 基于多目标演化优化的SVM对抗仿真测试算法[J]. 系统仿真学报, 2024, 36(9): 2016-2031.

Li Feixing,Xing Lining,Zhou Yu . Adversarial Simulation Testing Algorithm for SVM Based on Multi-objective Evolutionary Optimization[J]. Journal of System Simulation, 2024, 36(9): 2016-2031.

图/表 14

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

表1

图12

图13

参考文献 33

1	Biggio Battista, Didaci Luca, Fumera Giorgio, et al. Poisoning Attacks to Compromise Face Templates[C]//2013 International Conference on Biometrics (ICB). Piscataway: IEEE, 2013: 1-7.
2	Rosenfeld E, Winston E, Ravikumar P, et al. Certified Robustness to Label-flipping Attacks via Randomized Smoothing[C]//Proceedings of the 37th International Conference on Machine Learning. Chia Laguna Resort: PMLR, 2020: 8230-8241.
3	Biggio Battista, Fumera Giorgio, Roli Fabio. Pattern Recognition Systems Under Attack: Design Issues and Research Challenges[J]. International Journal of Pattern Recognition and Artificial Intelligence, 2014, 28(7): 1460002.
4	P K Chan Patrick, Luo Fengzhi, Chen Zitong, et al. Transfer Learning Based Countermeasure Against Label Flipping Poisoning Attack[J]. Information Sciences, 2021, 548: 450-460.
5	Zhuo Lü, Cao Hongbo, Zhang Feng, et al. AWFC: Preventing Label Flipping Attacks Towards Federated Learning for Intelligent IoT[J]. The Computer Journal, 2022, 65(11): 2849-2859.
6	Najeeb Moharram Jebreel, Domingo-Ferrer Josep, Sánchez David, et al. LFighter: Defending Against the Label-flipping Attack in Federated Learning[J]. Neural Networks, 2024, 170: 111-126.
7	Fahri Anıl Yerlikaya, Bahtiyar Serif. Data Poisoning Attacks Against Machine Learning Algorithms[J]. Expert Systems with Applications, 2022, 208: 118101.
8	Biggio Battista, Corona Igino, Nelson Blaine, et al. Security Evaluation of Support Vector Machines in Adversarial Environments[M]//Ma Yunqian, Guo Guodong. Support Vector Machines Applications. Cham: Springer International Publishing, 2014: 105-153.
9	Xu Qianqian, Yang Zhiyong, Zhao Yunrui, et al. Rethinking Label Flipping Attack: From Sample Masking to Sample Thresholding[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2023, 45(6): 7668-7685.
10	Konda Reddy Mopuri, Shaj Vaisakh, Venkatesh Babu R. Adversarial Fooling Beyond "Flipping the Label"[C]//2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops (CVPRW). Piscataway: IEEE, 2020: 3374-3382.
11	Zhang Hongpo, Cheng Ning, Zhang Yang, et al. Label Flipping Attacks Against Naive Bayes on Spam Filtering Systems[J]. Applied Intelligence, 2021, 51(7): 4503-4514.
12	Xiao Han, Stibor Thomas, Eckert Claudia. Evasion Attack of Multi-class Linear Classifiers[C]//Proceedings of the 16th Pacific-Asia Conference on Advances in Knowledge Discovery and Data Mining. Berlin: Springer Berlin Heidelberg, 2012: 207-218.
13	Barreno M, Nelson B, Joseph A D, et al. The Security of Machine Learning[J]. Machine Learning, 2010, 81(2): 121-148.
14	Zhou Yan, Kantarcioglu M, Thuraisingham B, et al. Adversarial Support Vector Machine Learning[C]//Proceedings of the 18th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York: Association for Computing Machinery, 2012: 1059-1067.
15	Biggio Battista, Nelson Blaine, Laskov Pavel. Poisoning Attacks Against Support Vector Machines[C]//Proceedings of the 29th International Coference on Machine Learning. Madison: Omnipress, 2012: 1467-1474.
16	Biggio Battista, Nelson Blaine, Laskov Pavel. Support Vector Machines Under Adversarial Label Noise[C]//Proceedings of the Asian Conference on Machine Learning. Chia Laguna Resort: PMLR, 2011: 97-112.
17	Xiao Han, Xiao Huang, Eckert Claudia. Adversarial Label Flips Attack on Support Vector Machines[C]//Proceedings of the 20th European Conference on Artificial Intelligence. NLD: IOS Press, 2012: 870-875.
18	Xiao Huang, Biggio Battista, Nelson Blaine, et al. Support Vector Machines Under Adversarial Label Contamination[J]. Neurocomputing, 2015, 160: 53-62.
19	Mei Shike, Zhu Xiaojin. Using Machine Teaching to Identify Optimal Training-set Attacks on Machine Learners[C]//Proceedings of the Twenty-Ninth AAAI Conference on Artificial Intelligence. Palo Alto: AAAI Press, 2015: 2871-2877.
20	Burkard C, Lagesse B. Analysis of Causative Attacks Against SVMs Learning from Data Streams[C]//Proceedings of the 3rd ACM on International Workshop on Security and Privacy Analytics. New York: Association for Computing Machinery, 2017: 31-36.
21	钱亚冠, 卢红波, 纪守领, 等. 基于粒子群优化的对抗样本生成算法[J]. 电子与信息学报, 2019, 41(7): 1658-1665.
	Qian Yaguan, Lu Hongbo, Ji Shouling, et al. Adversarial Example Generation Based on Particle Swarm Optimization[J]. Journal of Electronics & Information Technology, 2019, 41(7): 1658-1665.
22	Chakraborty Anirban, Alam Manaar, Dey V, et al. A Survey on Adversarial Attacks and Defences[J]. CAAI Transactions on Intelligence Technology, 2021, 6(1): 25-45.
23	Koh P W, Steinhardt J, Liang P. Stronger Data Poisoning Attacks Break Data Sanitization Defenses[J]. Machine Learning, 2022, 111(1): 1-47.
24	Jha R D, Hayase J, Oh S. Label Poisoning Is All You Need[C]//Proceedings of the 37th International Conference on Neural Information Processing Systems. Red Hook: Curran Associates Inc., 2023: 71029-71052.
25	Lingam Vijay, Mohammad Sadegh Akhondzadeh, Bojchevski Aleksandar. Rethinking Label Poisoning for Gnns: Pitfalls and Attacks[C]//ICLR 2024. New York: ICLR, 2024: 1-29.
26	Yao Feng, Du Yonghao, Li Lei, et al. General Modeling and Optimization Technique for Real-world Earth Observation Satellite Scheduling[J]. Frontiers of Engineering Management, 2023, 10(4): 695-709.
27	Wang Yuting, Han Yuyan, Gong Dunwei, et al. A Review of Intelligent Optimization for Group Scheduling Problems in Cellular Manufacturing[J]. Frontiers of Engineering Management, 2023, 10(3): 406-426.
28	He Yongming, Xing Lining, Chen Yingwu, et al. A Generic Markov Decision Process Model and Reinforcement Learning Method for Scheduling Agile Earth Observation Satellites[J]. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 2022, 52(3): 1463-1474.
29	Xing Lining, Rohlfshagen P, Chen Yingwu, et al. An Evolutionary Approach to the Multidepot Capacitated Arc Routing Problem[J]. IEEE Transactions on Evolutionary Computation, 2010, 14(3): 356-374.
30	Xing Lining, Rohlfshagen P, Chen Yingwu, et al. A Hybrid Ant Colony Optimization Algorithm for the Extended Capacitated Arc Routing Problem[J]. IEEE Transactions on Systems Man and Cybernetics Part B-Cybernetics, 2011, 41(4): 1110-1123.
31	Wang Xuewu, Hua Yi, Gao Jin, et al. Digital Twin Implementation of Autonomous Planning Arc Welding Robot System[J]. Complex System Modeling and Simulation, 2023, 3(3): 236-251.
32	Zhang Qingfu, Li Hui. MOEA/D: A Multiobjective Evolutionary Algorithm Based on Decomposition[J]. IEEE Transactions on Evolutionary Computation, 2007, 11(6): 712-731.
33	Ni Wayan Surya Wardhani, Masithoh Yessi Rochayani, Iriany Atiek, et al. Cross-validation Metrics for Evaluating Classification Performance on Imbalanced Data[C]//2019 International Conference on Computer, Control, Informatics and its Applications (IC3INA). Piscataway: IEEE, 2019: 14-18.

模式	核函数	原模型	ALFA	ALFA-CR	ALFA-Tilt	ALFA-CC	NLFA	FLFA	RLFA	ALFA-MO
线性可分模式	线性核	0.987 8	0.950 1	0.928 8	0.891 6	0.928 0	0.975 0	0.915 1	0.955 5	0.822 3
	径向基核	0.976 1	0.890 5	0.952 4	0.838 5	0.942 1	0.952 1	0.966 7	0.974 4	0.820 2
	多项式核	0.979 5	0.788 2	0.934 7	0.847 8	0.902 2	0.974 8	0.808 9	0.937 9	0.737 8
抛物可分模式	线性核	0.760 1	0.656 7	0.762 1	0.656 3	0.761 4	0.760 6	0.755 7	0.760 8	0.640 3
	径向基核	0.972 9	0.899 4	0.953 3	0.924 6	0.924 6	0.956 9	0.912 2	0.965 1	0.823 3
	多项式核	0.871 3	0.618 5	0.820 4	0.762 7	0.810 2	0.871 7	0.616 5	0.835 5	0.603 0
环形可分模式	径向基核	0.956 7	0.932 3	0.952 4	0.911 9	0.887 1	0.943 9	0.939 9	0.948 0	0.785 4
环形可分模式	多项式核	0.763 8	0.397 2	0.589 2	0.469 4	0.727 6	0.745 1	0.397 2	0.721 1	0.357 1

[1]	张闻强, 王晓萌, 张晓晓, 张国辉. 集配一体化车辆路径规划的混合进化多目标优化[J]. 系统仿真学报, 2024, 36(8): 1914-1928.
[2]	蒋权, 魏静萱. 用于动态柔性作业车间调度的实时调度方法[J]. 系统仿真学报, 2024, 36(7): 1609-1620.
[3]	邓明君, 胡辛瑕, 李响, 徐丽萍. 基于车速引导和感应控制的干线协调优化方法[J]. 系统仿真学报, 2024, 36(6): 1309-1321.
[4]	温廷新, 关婷誉. 考虑能耗和运输的有限缓冲区混合流水车间调度[J]. 系统仿真学报, 2024, 36(6): 1344-1358.
[5]	赵嘉, 赖智臻, 吴润秀, 崔志华, 王晖. 层级引导的增强型多目标萤火虫算法[J]. 系统仿真学报, 2024, 36(5): 1152-1164.
[6]	王昱博, 胡成玉, 龚文引. 基于帕累托前沿关系求解约束多目标优化问题[J]. 系统仿真学报, 2024, 36(4): 901-914.
[7]	曾少达, 刘海林. 5G室内分布系统规划建模及优化算法[J]. 系统仿真学报, 2024, 36(3): 659-672.
[8]	安靖, 司光亚, 曾妙婷. 模型与数据混合驱动的代理模型构建方法研究[J]. 系统仿真学报, 2024, 36(3): 756-769.
[9]	王辉, 彭乐. 改进多目标蜂群算法优化洗出运动及仿真实验[J]. 系统仿真学报, 2024, 36(2): 436-448.
[10]	钟麟, 佟明安, 李盛. 特定多任务下飞机航迹规划研究[J]. 系统仿真学报, 2023, 35(9): 1909-1917.
[11]	张立, 贺明玲, 尹秋霜, 李宁, 余乐安. 不确定条件下多周期应急物资配送优化研究[J]. 系统仿真学报, 2023, 35(8): 1669-1680.
[12]	胡蓉, 丁帅, 钱斌, 张长胜. 超启发式三维EDA求解绿色双边装配线平衡问题[J]. 系统仿真学报, 2023, 35(3): 454-469.
[13]	王旭, 季伟东, 周国辉, 杨佳慧. 基于多指标精英个体博弈机制的多目标优化算法[J]. 系统仿真学报, 2023, 35(3): 494-514.
[14]	张朝阳, 徐莉萍, 李健, 赵义豪, 何奎. 基于改进狼群算法的柔性作业车间调度研究[J]. 系统仿真学报, 2023, 35(3): 534-543.
[15]	季伟东, 岳玉麒, 王旭, 林平. 基于降维和聚类的大规模多目标自然计算方法[J]. 系统仿真学报, 2023, 35(1): 41-56.