Defense of Traffic Classifiers based on Convolutional Networks against Adversarial Examples

Bin Wang, Yankai Guo, Yaguan Qian*, Jiamin Wang, Xing Wang, Zhaoquan Gu

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

With the rise of deep learning, deep neural networks have been successfully applied in many fields, but recent research shows that they are vulnerable to adversarial example attacks. Convolutional Neural Networks (CNNs), one type of deep neural network, have also been successfully applied to network traffic classification; however, recent research shows that CNNs are likewise vulnerable to adversarial examples. To improve the CNN traffic classifier's defense against adversarial example attacks, we first propose a batch-adversarial-training method, which exploits the error back-propagated during training to calculate the example gradient and the weight gradient simultaneously during error back-propagation. This method can improve training efficiency. At the same time, since the adversarial examples used for training are generated on the target model, it can effectively defend against white-box attacks. To further improve the defense against black-box attacks, we propose an enhanced-adversarial-training method. To counter the transferability of adversarial examples, we craft the adversarial examples used in adversarial training on multiple substitute models for diversity. The benefit of this method is that the adversarial examples from these models will have misaligned gradients. We conduct experiments on the real traffic dataset USTC-TFC2016, crafting traffic composed of adversarial examples to simulate attacks. The experimental results show that batch-adversarial-training can improve the classification accuracy on adversarial examples from 17.29% to 75.37% for white-box attacks, and that enhanced-adversarial-training can improve it from 26.37% to 68.39% for black-box attacks. Due to the black-box nature of deep neural networks, there is no consistent understanding of their working mechanism or of the real cause of adversarial examples. The next step is to further study the vulnerability mechanism of CNNs, so as to find a better method to improve the effect of adversarial training.
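
A sketch of the single-pass idea in batch-adversarial-training, added here as an illustration and not taken from the paper: one back-propagated error term yields both the weight gradient (used to update the model) and the example gradient (used to refresh the adversarial batch). Assumptions: a logistic-regression stand-in for the CNN, a sign-step perturbation bounded by `eps`, constructed data, and hypothetical function names throughout.

```python
import math, random

def forward_backward(w, b, x, y):
    """One pass over one example; both gradients reuse the same error term."""
    z = sum(wi * (xi - 0.5) for wi, xi in zip(w, x)) + b
    p = 1.0 / (1.0 + math.exp(-z))
    loss = -math.log(p if y == 1 else 1.0 - p)
    delta = p - y                                # back-propagated error at the logit
    g_w = [delta * (xi - 0.5) for xi in x]       # weight gradient
    g_x = [delta * wi for wi in w]               # example (input) gradient
    return loss, g_w, delta, g_x                 # delta is also the bias gradient

def perturb(x, g_x, eps):
    """Sign step on the example gradient (assumed), clipped to the range [0, 1]."""
    return [min(1.0, max(0.0, xi + eps * ((g > 0) - (g < 0)))) for xi, g in zip(x, g_x)]

def batch_adversarial_train(data, eps=0.1, lr=0.5, epochs=100):
    d, n = len(data[0][0]), len(data)
    w, b = [0.0] * d, 0.0
    adv = [list(x) for x, _ in data]             # adversarial batch starts clean
    for _ in range(epochs):
        gw_sum, gb_sum = [0.0] * d, 0.0
        for i, (x, y) in enumerate(data):
            _, g_w, g_b, g_x = forward_backward(w, b, adv[i], y)
            gw_sum = [a + g for a, g in zip(gw_sum, g_w)]
            gb_sum += g_b
            adv[i] = perturb(x, g_x, eps)        # next epoch's adversarial example
        w = [wi - lr * g / n for wi, g in zip(w, gw_sum)]
        b -= lr * gb_sum / n
    return w, b

def accuracy(w, b, data, eps=0.0):
    """Accuracy on examples perturbed within eps (eps=0 gives clean accuracy)."""
    ok = 0
    for x, y in data:
        xa = perturb(x, forward_backward(w, b, x, y)[3], eps)
        ok += (sum(wi * (xi - 0.5) for wi, xi in zip(w, xa)) + b > 0) == (y == 1)
    return ok / len(data)

def make_flows(n=200, d=8, seed=7):
    """Constructed stand-in for normalized flow bytes: class 0 near 0.25, class 1 near 0.75."""
    rng = random.Random(seed)
    return [([0.25 + 0.5 * (i % 2) + rng.uniform(-0.05, 0.05) for _ in range(d)], i % 2)
            for i in range(n)]

if __name__ == "__main__":
    flows = make_flows()
    w, b = batch_adversarial_train(flows)
    print("clean:", accuracy(w, b, flows), "under eps=0.1:", accuracy(w, b, flows, 0.1))
```

Each epoch costs one forward and backward pass per example, because the perturbation for the next epoch comes from the same pass that produced the weight update.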

Translated title of the contribution: Defense of Traffic Classifiers based on Convolutional Networks against Adversarial Examples
Original language: Chinese (Traditional)
Pages (from-to): 145-156
Number of pages: 12
Journal: Journal of Cyber Security
Volume: 7
Issue number: 1
State: Published - Jan 2022
Externally published: Yes
