
CN116956294A - Code attack detection methods, systems, equipment and media applied to training models - Google Patents


Info

Publication number: CN116956294A
Application number: CN202311205645.4A
Authority: CN (China)
Prior art keywords: model, preset, tag, training, label
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN116956294B (en)
Inventors: 林文丛, 尹芳, 邓小宁, 金剑, 郭鹏, 李凤荣
Current assignee: North Health Medical Big Data Technology Co ltd
Original assignee: North Health Medical Big Data Technology Co ltd
Events: application filed by North Health Medical Big Data Technology Co ltd; priority to CN202311205645.4A; publication of CN116956294A; application granted; publication of CN116956294B.

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/2433 Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Biophysics (AREA)
  • Computer Hardware Design (AREA)
  • Biomedical Technology (AREA)
  • Computational Linguistics (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a code attack detection method, system, device and medium applied to a training model. It belongs to the technical field of code detection and addresses the problem that existing methods are ineffective against label-specific triggers and equally ineffective against triggers whose label is unknown, so that code attack detection cannot be achieved effectively. The method comprises the following steps: obtaining the model labels produced by training; determining as an attack target label any model label that, after modification of preset variable data, can cause the training module to misclassify; computing the median absolute deviation (MAD) of the obtained model labels, identifying outliers among the model labels from it, and determining the model label corresponding to each outlier as an attack target label; determining through a preset code detection statement whether loadable data exists, and, when it does, determining the model label corresponding to the loadable data as an attack target label; and acquiring the active filter corresponding to the attack target label and using it as the input filter of the training model.

Description

Code attack detection method, system, device and medium applied to training models

Technical field

This application relates to the technical field of code detection, and in particular to a code attack detection method, system, device and medium applied to training models.

Background

In recent years, as health and medical big data centers have developed, more and more data has reached the application-layer stage. In artificial intelligence applications built on health and medical big data, users usually only have permission to use the data to train models; once training is complete the model is reviewed and then made available to users, while the data is returned to the big data center. In these application scenarios the model review stage is the key and the difficult point, and it raises the problem of code attacks that may be present in medical models.

Code attacks can be categorised by what is affected as: code poisoning attacks, outsourcing attacks, pre-training attacks, data collection attacks, collaborative learning attacks and post-deployment attacks. Existing code attack detection and defence methods mainly fall into the following categories: ① pruning-based defences, which resist the attack by pruning the neurons corresponding to the encoded trigger; ② saliency-map-based defences, which first compute the saliency map of every image and then locate the trigger from the regions whose saliency is the same across different images.

However, the pruning-based defences above are ineffective against label-specific triggers, and the saliency-map-based defences are likewise ineffective against label-specific triggers, so neither effectively achieves code attack detection and defence.

Summary of the invention

In view of the shortcomings of the existing technology described above, this application provides a code attack detection method, system, device and medium applied to training models, to solve the problem that existing methods are ineffective against label-specific triggers and equally ineffective against triggers whose label is unknown, and therefore cannot effectively achieve code attack detection.

In a first aspect, this application provides a code attack detection method applied to a training model. The method includes: obtaining a trained training model, so as to obtain the model labels produced by training; using a preset trigger and preset variable data, determining as an attack target label any model label that, after the preset variable data is modified, can cause the training module to misclassify; using the median absolute deviation (MAD) technique, computing the MAD of the obtained model labels, identifying outliers among the model labels from it, and determining the model label corresponding to each outlier as an attack target label; checking the model labels with a preset code detection statement to determine whether loadable data exists, and, when loadable data exists, determining the model label corresponding to the loadable data as an attack target label; and obtaining the active filter corresponding to the attack target label and using that active filter as the input filter of the training model.

Further, after checking the model labels with the preset code detection statement to determine whether loadable data exists, the method also includes: when loadable data exists, obtaining replacement data for the loadable data through a back-end editing interface.

Further, before using the preset trigger and preset variable data to determine as an attack target label any model label that, after modification of the preset variable data, can cause the training module to misclassify, the method includes: obtaining the preset variable data through a preset interface, where the preset variable data includes a model label name and a variable value.

Further, using the preset trigger and preset variable data to determine as an attack target label any model label that, after modification of the preset variable data, can cause the training module to misclassify specifically includes: using the preset trigger, increasing or decreasing the model label corresponding to the model label name by the variable value, so as to obtain the variation range of that model label; determining whether the variation range of the model label intersects the model label danger range preset in the preset trigger; and, when an intersection exists, determining that model label as an attack target label, since modification of the preset variable data can then cause the training module to misclassify.

In a second aspect, this application provides a code attack detection system applied to a training model. The system includes: an acquisition module for obtaining a trained training model, so as to obtain the model labels produced by training; a determination module for using a preset trigger and preset variable data to determine as an attack target label any model label that, after modification of the preset variable data, can cause the training module to misclassify, for using the MAD technique to compute the MAD of the obtained model labels, identify outliers among them and determine the model label corresponding to each outlier as an attack target label, and for checking the model labels with a preset code detection statement to determine whether loadable data exists and, when it does, determining the model label corresponding to the loadable data as an attack target label; and a filter acquisition module for obtaining the active filter corresponding to the attack target label and using that active filter as the input filter of the training model.

Further, the determination module includes a replacement unit for obtaining, when loadable data exists, replacement data for the loadable data through a back-end editing interface.

Further, the determination module includes an acquisition unit for obtaining the preset variable data through a preset interface, where the preset variable data includes a model label name and a variable value.

Further, the determination module includes a trigger unit for using the preset trigger to increase or decrease the model label corresponding to the model label name by the variable value, so as to obtain the variation range of that model label; determining whether the variation range of the model label intersects the model label danger range preset in the preset trigger; and, when an intersection exists, determining that model label, which after modification of the preset variable data can cause the training module to misclassify, as an attack target label.

In a third aspect, this application provides a code attack detection device applied to a training model. The device includes: a processor; and a memory storing executable code which, when executed, causes the processor to carry out any one of the code attack detection methods applied to a training model described above.

In a fourth aspect, this application provides a non-volatile computer storage medium storing computer instructions which, when executed, implement any one of the code attack detection methods applied to a training model described above.

Those skilled in the art will understand that this application has at least the following beneficial effects:

By combining trigger detection over the model labels, the MAD technique and preset code detection statements, this application detects attack target labels from several directions, and can still obtain the attack target labels of a training model whose labels are unknown. The active filter corresponding to the attack target label is then obtained and used as the input filter of the training model: once a label that carries risk (the attack target label) has been identified, an active filter capable of filtering out the risky inputs corresponding to that label is obtained and placed in front of the training model as its input filter, removing the risk that external input data attacks the at-risk label (the attack target label).

Description of the drawings

Some embodiments of the present disclosure are described below with reference to the accompanying drawings, in which:

Figure 1 is a flow chart of a code attack detection method applied to a training model provided by an embodiment of this application.

Figure 2 is a schematic diagram of the internal structure of a code attack detection system applied to a training model provided by an embodiment of this application.

Figure 3 is a schematic diagram of the internal structure of a code attack detection device applied to a training model provided by an embodiment of this application.

Detailed description

Those skilled in the art should understand that the embodiments described below are only preferred embodiments of the present disclosure and do not mean that the present disclosure can be realised only through these preferred embodiments; the preferred embodiments serve only to explain the technical principles of the present disclosure and are not intended to limit its scope of protection. Based on the preferred embodiments provided by the present disclosure, all other embodiments obtained by those of ordinary skill in the art without creative effort shall still fall within the scope of protection of the present disclosure.

It should also be noted that the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that includes a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the statement "comprises a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that includes that element.

The technical solutions proposed by the embodiments of this application are described in detail below with reference to the accompanying drawings.

The embodiment of this application provides a code attack detection method applied to a training model. As shown in Figure 1, the method provided by the embodiment mainly includes the following steps:

Step 110: obtain the trained training model, so as to obtain the model labels produced by training.

It should be noted that the training model can be a deep neural network model. The process of obtaining the model labels can be carried out by those skilled in the art according to existing technology and is not limited by this application.

Step 120: using the preset trigger and preset variable data, determine as an attack target label any model label that, after modification of the preset variable data, can cause the training module to misclassify; using the median absolute deviation (MAD) technique, compute the MAD of the obtained model labels, identify the outliers among the model labels from it, and determine the model label corresponding to each outlier as an attack target label; check the model labels with a preset code detection statement to determine whether loadable data exists; and, when loadable data exists, determine the model label corresponding to the loadable data as an attack target label.

It should be noted that the MAD technique is an existing outlier detection technique used to detect anomalous values. A preset code detection statement is a code statement used to detect, in the model labels, code that performs loading and similar operations; preset code detection statements may be, for example, tf.data.Dataset or map(func). Loadable data is data that can be loaded; specifically, a model label that can be loaded by a preset code detection statement is loadable data.

In addition, this application can provide an interface for replacing loadable data with data that cannot be loaded. The specific process can be: when loadable data exists, obtain the replacement data corresponding to the loadable data through the back-end editing interface.

In order to update the preset variable data effectively and improve the accuracy of the preset trigger, this application can, before using the preset trigger and preset variable data to determine as attack target labels the model labels that can cause the training module to misclassify after modification of the preset variable data, obtain the (initial or changed) preset variable data through a preset interface, where the preset variable data includes a model label name and a variable value.

Using the preset trigger and preset variable data to determine as an attack target label any model label that, after modification of the preset variable data, can cause the training module to misclassify can specifically be:

Using the preset trigger, increase or decrease the model label corresponding to the model label name by the variable value, so as to obtain the variation range of that model label; determine whether the variation range of the model label intersects the model label danger range preset in the preset trigger; when an intersection exists, determine that model label, which after modification of the preset variable data can cause the training module to misclassify, as an attack target label.

It should be noted that the preset trigger can be any device or apparatus that increases or decreases the model label corresponding to the model label name by the variable value to obtain the label's variation range, determines whether that range intersects the model label danger range preset in the trigger, and, when an intersection exists, determines the model label that can cause the training module to misclassify after modification of the preset variable data as an attack target label.

Step 130: obtain the active filter corresponding to the attack target label, and use that active filter as the input filter of the training model.

It should be noted that the active filter corresponding to the attack target label can specifically be obtained through a preset filter acquisition interface.
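As an added example that is not part of the patent or of the assignee's code, the following Python sketches the three checks of step 120 and the active filter of step 130 on constructed data. The layouts of the model labels, preset variable data, danger ranges and label metadata, the MAD threshold of 3.5, and the filter's record-dropping behaviour are all assumptions, since the patent does not specify them.

```python
"""Added example (not the patent's code): steps 120 and 130 of CN116956294A on
constructed data. Data layouts, thresholds and filter behaviour are assumptions."""
import re
from statistics import median

# Constructed model labels: label name -> score the trained model assigns to it.
MODEL_LABELS = {
    "benign": 0.51,
    "lesion": 0.49,
    "artifact": 0.47,
    "inflammation": 0.50,
    "hidden_cls": 0.98,  # constructed outlier
}

# Constructed preset variable data: (model label name, variable value).
PRESET_VARIABLE_DATA = [("lesion", 0.30), ("artifact", 0.05)]

# Constructed preset trigger: per-label danger range (low, high).
DANGER_RANGES = {"lesion": (0.75, 1.0), "artifact": (0.90, 1.0)}

# Constructed label metadata stored alongside the model, one string per label.
LABEL_METADATA = {
    "benign": "class 0",
    "lesion": "class 1",
    "hidden_cls": "tf.data.Dataset.from_tensor_slices(x).map(func)",
}

# The preset code detection statements the patent names: tf.data.Dataset, map(func).
CODE_DETECTION_PATTERNS = (r"tf\.data\.Dataset", r"\bmap\(")


def ranges_intersect(a, b):
    """True when the closed intervals a=(lo, hi) and b=(lo, hi) share a point."""
    return max(a[0], b[0]) <= min(a[1], b[1])


def trigger_targets(labels, preset_vars, danger_ranges):
    """Check 1: move each named label up and down by its variable value and flag
    it when the resulting variation range touches the preset danger range."""
    targets = set()
    for name, delta in preset_vars:
        if name not in labels or name not in danger_ranges:
            continue
        variation = (labels[name] - delta, labels[name] + delta)
        if ranges_intersect(variation, danger_ranges[name]):
            targets.add(name)
    return targets


def mad_outlier_targets(labels, threshold=3.5):
    """Check 2: median absolute deviation. A label is an outlier when its
    modified z-score 0.6745*(x - median)/MAD exceeds the (assumed) threshold."""
    values = list(labels.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # every score identical: nothing stands out
        return set()
    return {name for name, v in labels.items()
            if abs(0.6745 * (v - med) / mad) > threshold}


def loadable_targets(metadata, patterns=CODE_DETECTION_PATTERNS):
    """Check 3: a label whose stored metadata matches a preset code detection
    statement is treated as loadable data, i.e. code could be loaded from it."""
    return {name for name, text in metadata.items()
            if any(re.search(p, text) for p in patterns)}


def detect_attack_targets(labels, preset_vars, danger_ranges, metadata):
    """Step 120: the attack target labels are the union of the three checks."""
    return (trigger_targets(labels, preset_vars, danger_ranges)
            | mad_outlier_targets(labels)
            | loadable_targets(metadata))


def build_active_filter(targets):
    """Step 130 (assumed design): the active filter drops every input record
    whose label is an attack target label before it reaches the model."""
    def input_filter(records):
        return [r for r in records if r["label"] not in targets]
    return input_filter


if __name__ == "__main__":
    found = detect_attack_targets(MODEL_LABELS, PRESET_VARIABLE_DATA,
                                  DANGER_RANGES, LABEL_METADATA)
    print("attack target labels:", sorted(found))
    sample = [{"id": 1, "label": "benign"}, {"id": 2, "label": "lesion"},
              {"id": 3, "label": "hidden_cls"}]
    print("records passed to the model:", build_active_filter(found)(sample))
```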

In addition, Figure 2 shows a code attack detection system applied to a training model provided by an embodiment of this application. As shown in Figure 2, the system provided by the embodiment mainly includes the following:

The system obtains the trained training model through the acquisition module 210, so as to obtain the model labels produced by training.

It should be noted that the acquisition module 210 can be any feasible device or apparatus capable of obtaining a training model and obtaining the model labels from it.

The determination module 220 in the system uses the preset trigger and preset variable data to determine as an attack target label any model label that, after modification of the preset variable data, can cause the training module to misclassify; uses the MAD technique to compute the MAD of the obtained model labels, identify the outliers among them and determine the model label corresponding to each outlier as an attack target label; and checks the model labels with a preset code detection statement to determine whether loadable data exists and, when it does, determines the model label corresponding to the loadable data as an attack target label.

It should be noted that the determination module 220 can be any feasible device or apparatus capable of selecting the attack target labels from among the model labels.

In addition, this application can provide an interface for replacing loadable data with data that cannot be loaded. The specific process can be: when loadable data exists, the replacement unit 221 in the determination module 220 obtains the replacement data corresponding to the loadable data through the back-end editing interface.

In order to update the preset variable data effectively and improve the accuracy of the preset trigger, the acquisition unit 222 in the determination module 220 obtains the preset variable data through a preset interface, where the preset variable data includes a model label name and a variable value.

Using the preset trigger and preset variable data to determine as an attack target label any model label that, after modification of the preset variable data, can cause the training module to misclassify can specifically be:

The trigger unit 223 in the determination module 220 uses the preset trigger to increase or decrease the model label corresponding to the model label name by the variable value, so as to obtain the variation range of that model label; determines whether the variation range of the model label intersects the model label danger range preset in the preset trigger; and, when an intersection exists, determines that model label, which after modification of the preset variable data can cause the training module to misclassify, as an attack target label.

The filter acquisition module 230 is used to obtain the active filter corresponding to the attack target label, so as to use that active filter as the input filter of the training model.

The filter acquisition module 230 is any feasible device or apparatus capable of obtaining the active filter and using it as the input filter of the training model.

The above are the method embodiments of this application. Based on the same inventive concept, the embodiment of this application also provides a code attack detection device applied to a training model. As shown in Figure 3, the device includes: a processor; and a memory storing executable code which, when executed, causes the processor to carry out the code attack detection method applied to a training model of the embodiments above.

Specifically, the server side obtains the trained training model, so as to obtain the model labels produced by training; uses the preset trigger and preset variable data to determine as an attack target label any model label that, after modification of the preset variable data, can cause the training module to misclassify; uses the MAD technique to compute the MAD of the obtained model labels, identify the outliers among them and determine the model label corresponding to each outlier as an attack target label; checks the model labels with a preset code detection statement to determine whether loadable data exists and, when it does, determines the model label corresponding to the loadable data as an attack target label; and obtains the active filter corresponding to the attack target label and uses that active filter as the input filter of the training model.

In addition, the embodiment of this application also provides a non-volatile computer storage medium storing executable instructions which, when executed, implement the code attack detection method applied to a training model described above.

The technical solutions of the present disclosure have now been described with reference to the embodiments above. However, those skilled in the art will readily understand that the scope of protection of the present disclosure is not limited to these specific embodiments. Without departing from the technical principles of the present disclosure, those skilled in the art may split and combine the technical solutions of the embodiments above, and may make equivalent changes or substitutions to the relevant technical features; any change, equivalent substitution or improvement made within the technical concept and/or technical principles of the present disclosure falls within its scope of protection.

Claims (10)

1. A method for detecting a code attack applied to a training model, the method comprising:
obtaining a trained training model so as to obtain the model labels generated by training;
determining, through a preset trigger and preset variable data, a model label which can cause the training model to perform erroneous classification after modification by the preset variable data as an attack target label; determining, based on a median absolute deviation technique, an abnormal value among the model labels using the median absolute deviation of the obtained model labels, and determining the model label corresponding to the abnormal value as an attack target label; detecting the model labels through a preset code detection statement to determine whether loadable data exists; and, when loadable data exists, determining the model label corresponding to the loadable data as an attack target label; and
acquiring an active filter corresponding to the attack target label, and using the active filter as an input filter of the training model.
2. The method for detecting a code attack applied to a training model according to claim 1, wherein, after detecting the model labels through the preset code detection statement to determine whether loadable data exists, the method further comprises:
when loadable data exists, acquiring replacement data corresponding to the loadable data through a back-end editing interface.
3. The method for detecting a code attack applied to a training model according to claim 1, wherein, before determining, through the preset trigger and the preset variable data, a model label which can cause the training model to perform erroneous classification after modification by the preset variable data as an attack target label, the method further comprises:
acquiring the preset variable data through a preset interface, the preset variable data comprising a model label name and a variable value.
4. The method for detecting a code attack applied to a training model according to claim 3, wherein determining, through the preset trigger and the preset variable data, a model label which can cause the training model to perform erroneous classification after modification by the preset variable data as an attack target label specifically comprises:
increasing or decreasing, through the preset trigger, the model label corresponding to the model label name by the variable value, so as to obtain the change range of the model label; and
determining whether an intersection exists between the change range of the model label and the danger range of the model label preset in the preset trigger, and, when an intersection exists, determining that the model label can cause the training model to perform erroneous classification after modification by the preset variable data and is therefore an attack target label.
5. A code attack detection system for application to a training model, the system comprising:
an obtaining module, configured to obtain a trained training model so as to obtain the model labels generated by training;
a determining module, configured to determine, through a preset trigger and preset variable data, a model label which can cause the training model to perform erroneous classification after modification by the preset variable data as an attack target label; to determine, based on a median absolute deviation technique, an abnormal value among the model labels using the median absolute deviation of the obtained model labels, and to determine the model label corresponding to the abnormal value as an attack target label; to detect the model labels through a preset code detection statement to determine whether loadable data exists; and, when loadable data exists, to determine the model label corresponding to the loadable data as an attack target label; and
a filter acquisition module, configured to acquire an active filter corresponding to the attack target label so as to use the active filter as an input filter of the training model.
6. The code attack detection system applied to a training model according to claim 5, wherein the determining module comprises a replacement unit configured to acquire, when loadable data exists, replacement data corresponding to the loadable data through a back-end editing interface.
7. The code attack detection system applied to a training model according to claim 5, wherein the determining module comprises an acquiring unit configured to acquire the preset variable data through a preset interface, the preset variable data comprising a model label name and a variable value.
8. The code attack detection system applied to a training model according to claim 7, wherein the determining module comprises a trigger unit configured to increase or decrease, through the preset trigger, the model label corresponding to the model label name by the variable value so as to obtain the change range of the model label; to determine whether an intersection exists between the change range of the model label and the danger range of the model label preset in the preset trigger; and, when an intersection exists, to determine that the model label can cause the training model to perform erroneous classification after modification by the preset variable data and is therefore an attack target label.
9. A code attack detection device for application to a training model, the device comprising:
a processor;
and a memory having executable code stored thereon which, when executed, causes the processor to perform the code attack detection method applied to a training model according to any one of claims 1 to 4.
10. A non-transitory computer storage medium having computer instructions stored thereon which, when executed, implement the code attack detection method applied to a training model according to any one of claims 1 to 4.
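Two of the attack-target checks from claims 1 and 4, the median absolute deviation outlier check and the trigger change-range check, as an added Python illustration that is not the patent's own code. It assumes a model label is a named numeric value produced by training and that the variable value and per-label danger range are operator-supplied configuration; all sample values are constructed.

```python
from statistics import median

# Constructed sample: numeric label values produced by one training run.
# "tank" sits far from the rest, as a poisoned or tampered label might.
MODEL_LABELS = {"cat": 0.91, "dog": 0.88, "bird": 0.86, "fish": 0.89, "tank": 0.12}

# Constructed preset variable data (claim 3): label name -> variable value.
PRESET_VARIABLE = {"cat": 0.05, "dog": 0.02}

# Constructed danger ranges preset in the trigger (claim 4): name -> (low, high).
DANGER_RANGES = {"cat": (0.0, 0.5), "dog": (0.89, 1.0)}


def mad_outliers(labels, threshold=3.5):
    """Claim 1 check: label names whose modified z-score
    0.6745 * (x - median) / MAD exceeds the threshold (assumed cut-off)."""
    values = list(labels.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # all labels identical: nothing can be singled out
        return []
    return sorted(n for n, v in labels.items()
                  if abs(0.6745 * (v - med) / mad) > threshold)


def trigger_targets(labels, variable, danger_ranges):
    """Claim 4 check: perturb each named label by +/- its variable value and
    flag it when the resulting change range intersects the preset danger range."""
    targets = []
    for name, delta in variable.items():
        if name not in labels or name not in danger_ranges:
            continue
        low, high = labels[name] - delta, labels[name] + delta
        d_low, d_high = danger_ranges[name]
        if low <= d_high and d_low <= high:  # closed intervals intersect
            targets.append(name)
    return sorted(targets)


def attack_target_labels(labels, variable, danger_ranges):
    """Union of both checks: the labels an input filter should be built for."""
    flagged = set(mad_outliers(labels))
    flagged |= set(trigger_targets(labels, variable, danger_ranges))
    return sorted(flagged)


if __name__ == "__main__":
    print(attack_target_labels(MODEL_LABELS, PRESET_VARIABLE, DANGER_RANGES))
```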

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311205645.4A CN116956294B (en) 2023-09-19 2023-09-19 Code attack detection method, system, equipment and medium applied to training model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311205645.4A CN116956294B (en) 2023-09-19 2023-09-19 Code attack detection method, system, equipment and medium applied to training model

Publications (2)

Publication Number Publication Date
CN116956294A true CN116956294A (en) 2023-10-27
CN116956294B CN116956294B (en) 2024-01-09

Family

ID=88446491

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311205645.4A Active CN116956294B (en) 2023-09-19 2023-09-19 Code attack detection method, system, equipment and medium applied to training model

Country Status (1)

Country Link
CN (1) CN116956294B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104780165A (en) * 2015-03-27 2015-07-15 杭州华三通信技术有限公司 Security verification method and equipment for incoming label of message
US20170103674A1 (en) * 2011-04-08 2017-04-13 Wombat Security Technologies, Inc. Mock Attack Cybersecurity Training System and Methods
US20200387608A1 (en) * 2019-05-29 2020-12-10 Anomalee Inc. Post-Training Detection and Identification of Human-Imperceptible Backdoor-Poisoning Attacks
CN112381232A (en) * 2020-11-16 2021-02-19 成都信息工程大学 Method for learning anti-attack model by quantum fuzzy machine
WO2021047401A1 (en) * 2019-09-10 2021-03-18 华为技术有限公司 Service classification method and apparatus, and internet system
CN114266041A (en) * 2021-12-15 2022-04-01 上海观安信息技术股份有限公司 Method, device and system for improving the backdoor defense capability of a model
CN115240039A (en) * 2022-07-19 2022-10-25 北京大学 A test method and system for the adversarial stability of a target detector
CN115361224A (en) * 2022-08-29 2022-11-18 浙江工业大学 Deep reinforcement learning traffic signal control poisoning defense method based on strong disturbance detection and model retraining
CN116305103A (en) * 2023-03-30 2023-06-23 南京大学 Neural network model backdoor detection method based on confidence coefficient difference
CN116346456A (en) * 2023-03-24 2023-06-27 中国建设银行股份有限公司 Business logic vulnerability attack detection model training method and device
CN116702005A (en) * 2023-06-15 2023-09-05 华中科技大学 A neural network-based data anomaly diagnosis method and electronic equipment

Also Published As

Publication number Publication date
CN116956294B (en) 2024-01-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant