Backdoor Attack Method in Autoencoder End-to-End Communication System


Authors: GAN Run; WEI Xianglin; WANG Chao; WANG Bin[1]; WANG Min; FAN Jianhua (School of Electronic and Information Engineering, Nanjing University of Information Science and Technology, Nanjing 210044, China; The 63rd Research Institute, National University of Defense Technology, Nanjing 210007, China; School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing 210044, China)

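Affiliations: [1] School of Electronic and Information Engineering, Nanjing University of Information Science and Technology, Nanjing 210044 [2] The 63rd Research Institute, National University of Defense Technology, Nanjing 210007 [3] School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing 210044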

Source: Computer Science (《计算机科学》), 2024, Issue 7, pp. 413-421 (9 pages)

Abstract: End-to-end communication systems based on autoencoders do not require an explicit design of communication protocols, resulting in lower complexity than traditional modular communication systems, as well as higher flexibility and robustness. However, the weak interpretability of the autoencoder model introduces new security risks for end-to-end communication systems. Experiments show that, when the channel is unknown and the decoder is trained separately, adding carefully designed triggers at the channel layer can cause an otherwise well-performing decoder to misjudge, without affecting the decoder's performance on samples that contain no trigger, thereby achieving a backdoor attack on the communication system. This paper designs a trigger generation model and proposes a backdoor attack method that jointly trains the trigger generation model with the autoencoder model, automatically generating dynamic triggers, which increases the stealthiness of the attack while improving its success rate. To verify the effectiveness of the proposed method, four different autoencoder models are implemented, and the backdoor attack effects are examined under different signal-to-noise ratios, poisoning rates, trigger sizes, and trigger signal ratios. Experimental results show that, at a signal-to-noise ratio of 6 dB, the attack success rate and the clean sample recognition rate of the proposed method both exceed 92% for the four different autoencoder models.

Keywords: deep learning; backdoor attack; end-to-end communication; trigger; autoencoder

Classification number: TP183 [Automation and Computer Technology: Control Theory and Control Engineering]

 
