面向机器学习模型安全的测试与修复  被引量：7

作　　者：张笑宇 沈超[1,2] 蔺琛皓[1,2] 李前 王骞 李琦[4,5] 管晓宏[1,2] ZHANG Xiao-yu;SHEN Chao;LIN Chen-hao;LI Qian;WANG Qian;LI Qi;GUAN Xiao-hong(School of Cyber Science and Engineering,Faculty of Electronic and Information Engineering,Xi’an Jiaotong University,Xi’an,Shaanxi 710049,China;Key Laboratory for Intelligent Networks and Network Security(Xi’an Jiaotong University),Xi’an,Shaanxi 710049,China;School of Cyber Science and Engineering,Wuhan University,Wuhan,Hubei 430072,China;Institute for Network Sciences and Cyberspace,Tsinghua University,Beijing 100084,China;Zhongguancun Laboratory,Beijing 100094,China)

机构地区：[1]西安交通大学电子与信息学部网络空间安全学院,陕西西安710049 [2]智能网络与网络安全教育部重点实验室(西安交通大学),陕西西安710049 [3]武汉大学国家网络安全学院,湖北武汉430072 [4]清华大学网络科学与网络空间研究院,北京100084 [5]中关村实验室,北京100094

出　　处：《电子学报》2022年第12期2884-2918,共35页Acta Electronica Sinica

基　　金：科技创新2030——“新一代人工智能”重大项目(No.2020AAA0107702);国家自然科学基金(No.62161160337,No.U21B2018,No.U20A20177,No.62132011,No.62006181,No.U20B2049);陕西重点研发计划项目(No.2021ZD LGY01-02)。

摘　　要：近年来,以机器学习算法为代表的人工智能技术在计算机视觉、自然语言处理、语音识别等领域取得了广泛的应用,各式各样的机器学习模型为人们的生活带来了巨大的便利.机器学习模型的工作流程可以分为三个阶段.首先,模型接收人工收集或算法生成的原始数据作为输入,并通过预处理算法(如数据增强和特征提取)对数据进行预处理.随后,模型定义神经元或层的架构,并通过运算符(例如卷积和池)构建计算图.最后,模型调用机器学习框架的函数功能实现计算图并执行计算,根据模型神经元的权重计算输入数据的预测结果.在这个过程中,模型中单个神经元输出的轻微波动可能会导致完全不同的模型输出,从而带来巨大的安全风险.然而,由于对机器学习模型的固有脆弱性及其黑箱特征行为的理解不足,研究人员很难提前识别或定位这些潜在的安全风险,这为个人生命财产安全乃至国家安全带来了诸多风险和隐患.研究机器学习模型安全的相关测试与修复方法,对深刻理解模型内部风险与脆弱性、全面保障机器学习系统安全性以及促进人工智能技术的广泛应用有着重要意义.本文从不同安全测试属性出发,详细介绍了现有的机器学习模型安全测试和修复技术,总结和分析了现有研究中的不足,探讨针对机器学习模型安全的测试与修复的技术进展和未来挑战,为模型的安全应用提供了指导和参考.本文首先介绍了机器学习模型的结构组成和主要安全测试属性,随后从机器学习模型的三个组成部分即数据、算法和实现,六种模型安全相关测试属性即正确性、鲁棒性、公平性、效率、可解释性和隐私性,分析、归纳和总结了相关的测试与修复方法及技术,并探讨了现有方法的局限.最后本文讨论和展望了机器学习模型安全的测试与修复方法的主要技术挑战和发展趋势.In recent years,artificial intelligence technology led by machine learning algorithms has been widely used in many fields,such as computer vision,natural language processing,speech recognition,etc.A variety of machine learning models have greatly facilitated people’s lives.The workflow of a machine learning model consists of three stages.First,the model receives the raw data which is collected or generated by the developers as the model input and preprocesses the data through preprocessing algorithms,such as data augmentation and feature extraction.Subsequently,the model defines the architecture of neurons or layers in the model and constructs a computational graph through operators(e.g.,convolution and pooling).Finally,the model calls the machine learning framework function to implement the operators and calculates the prediction result of the input data according to the weights of model neurons.In this process,slight fluctuations in the output of individual neurons in the model may lead to an entirely different model output,which can bring huge security risks.However,due to the insufficient understanding of the inherent vulnerability of machine learning models and their black box characteristic behaviors,it is difficult for researchers to identify or locate these potential security risks in advance.This brings many risks and hidden dangers to personal property safety and even national security.There is great significance to studying the testing and repairing methods for machine learning model security,which can help deeply understand the internal risks and vulnerabilities of models,comprehensively guarantee the security of machine learning systems,and widely apply artificial intelligence technology.The existing testing research for the machine learning model security has mainly focused on the correctness,robustness,and other testing properties of the model,and this research has achieved certain results.This paper intends to start from different security testing attributes,introduces the existing machine learn

关 键 词：人工智能安全 机器学习安全 机器学习模型测试 机器学习模型修复 软件测试 软件修复 

分 类 号：TP391[自动化与计算机技术—计算机应用技术]