Background
With the rapid development of the internet, internet security receives ever more attention, attack and defense techniques on the internet are continually upgraded, and the rise and application of machine learning present a great challenge to security testing. After long-term development, machine learning is now applied in all fields. Because network application modules built with machine learning lack a test method with a clearly demonstrated effect, a test method in which a network attacker attacks a machine learning product is proposed.
At present, the security testing of machine learning products is limited by traditional, single-method testing and by the lack of clear test results.
Disclosure of Invention
In order to solve the problems in the prior art, the invention aims to provide a test method and a test system for attacking a machine learning product. A large amount of malicious access data is collected and used to access a target network that uses machine learning, so that the malicious access data in the malicious sample set becomes part of the judgment rules of the machine learning and bypasses its detection rules; the machine learning system is thereby polluted, and an attacker can make use of its functions. It is anticipated that, on the basis of the test method and its results, the security researcher will ultimately modify the code in real time to avoid this hazard.
In order to achieve this purpose, the invention adopts the following technical scheme: a test method for attacking a machine learning product comprises the following steps:
step one, a malicious sample test set is used to carry out periodic attack access on the machine learning product, wherein the malicious sample test set comprises a plurality of pieces of malicious access data;
step two, the machine learning product obtains the characteristic factors of the plurality of pieces of malicious access data in the malicious sample test set, analyzes the characteristic factors, classifies and manages them according to the analysis result, and decides whether each characteristic factor is placed in the normal access characteristic value library or the abnormal access characteristic value library;
step three, attack access is carried out on the machine learning product again using one piece of malicious access data from the malicious sample test set; the machine learning product analyzes the characteristic factors in that piece of malicious access data, compares them with the characteristic factors in the classified normal access characteristic value library and abnormal access characteristic value library, and judges whether the access is normal access or abnormal access;
step four, the judgment result is output.
In a preferred embodiment, in step four, if the output judgment result is normal access, the machine learning product has a vulnerability; if the output judgment result is abnormal access, the machine learning product is functioning normally.
In another preferred embodiment, in step one, the amount of malicious access data used for attack access on the machine learning product is greater than the normal access volume of the machine learning product over the same period.
In another preferred embodiment, in step one, the period over which the malicious sample test set performs attack access on the machine learning product is longer than the period of the defense algorithm of the machine learning product.
The invention also provides a test system for attacking a machine learning product, which comprises:
a sample module, used for storing the malicious sample test set for attack access and for training the characteristic factors of the malicious access data in the malicious sample set;
an algorithm module, used by the machine learning product to acquire the characteristic factors of the malicious access data, analyze and classify the acquired characteristic factors, and establish and refine the prediction judgment module;
a prediction judgment module, comprising a normal access characteristic value library and an abnormal access characteristic value library, used for storing the classified characteristic factors, monitoring the access logs on the machine learning product server in real time, comparing the access logs with the characteristic factors stored in the normal access characteristic value library and the abnormal access characteristic value library, and producing a prediction output if abnormal access behavior is found;
a malicious access module, used for carrying out attack access on the machine learning product with one piece of malicious access data, the malicious access data comprising the characteristic factors to be predicted;
and a prediction result module, used for receiving the prediction output of the prediction judgment module and judging whether the attack access test performed by the malicious access module on the machine learning product with the malicious access data has succeeded.
In a preferred embodiment, the malicious sample set consists of malicious access data provided manually.
The beneficial effects of the invention are as follows: the invention uses the machine learning product itself to carry out the attack test from the perspective of a network attacker, which is a novel angle; it can attack the tested machine learning product from the angle of bypassing the machine learning algorithm, provides a new test approach for security researchers, and provides an effective means of promptly discovering vulnerabilities in machine learning products. Finally, the security researcher modifies the code in real time on the basis of the test method and its results to avoid the harm, thereby ensuring the information security of the product and its users and further improving the security of the machine learning product. Tests carried out with the invention showed that machine learning products based on the DQN (Deep Q-Network, combining deep learning with reinforcement learning) algorithm, on TRPO (Trust Region Policy Optimization) and on the A3C (Asynchronous Advantage Actor-Critic) algorithm were successfully attacked by malicious access data, which proves that machine learning products based on these algorithms also have vulnerabilities, and a security researcher can modify the code accordingly to improve the security of the machine learning products.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Example:
As shown in fig. 1, a test method for attacking a machine learning product includes the following steps:
preset conditions: a PC running WIN7, WIN8, WIN10 or Linux serves as the attacked machine learning product server (a firewall is taken as the example);
step one, a malicious sample test set is used to carry out periodic attack access on the machine learning product, wherein the malicious sample test set comprises a plurality of pieces of malicious access data; the amount of malicious access data used for attack access on the machine learning product is larger than the normal access volume of the machine learning product over the same period, and the period over which the malicious sample test set performs attack access on the machine learning product is longer than the period of the defense algorithm of the machine learning product;
step two, the machine learning product obtains the characteristic factors of the plurality of pieces of malicious access data in the malicious sample test set, analyzes the characteristic factors, classifies and manages them according to the analysis result, and decides whether each characteristic factor is placed in the normal access characteristic value library or the abnormal access characteristic value library; in this embodiment, a large amount of malicious access data accesses the tested machine learning product over a long period, so that the machine learning product obtains a large amount of malicious access data information and analyzes all of the malicious access data; because the quantity of malicious access data is large, the machine learning product judges the malicious access data to be normal access data, extracts the characteristic factors of the malicious access data and places them in the normal access characteristic value library;
step three, attack access is carried out on the machine learning product again using one piece of malicious access data (such as <script>alert('xss');</script>) from the malicious sample test set; the machine learning product analyzes the characteristic factors in that piece of malicious access data, compares them with the characteristic factors in the classified normal access characteristic value library and abnormal access characteristic value library, and judges whether the access is normal access or abnormal access;
step four, the judgment result is output; in this embodiment the output is normal access data, which indicates that the malicious access data can be accessed under the identity of normal data and successfully bypasses the WAF (Web Application Firewall) system of the machine learning product, an XSS alert box pops up, and the attacker has successfully attacked the machine learning product.
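The following Python simulation is an added illustration and is not part of this specification or of any embodiment of the invention. It models steps one to four for two toy machine learning products: one that, as described in step two of this embodiment, re-derives its normal and abnormal access characteristic value libraries from unlabeled traffic volume, and a hardened variant in which known signatures are pinned and checked first, unlabeled traffic never moves a feature set between libraries, and a flood of one signature-matching feature set is reported rather than learned. The request strings, the feature extractor, the class names, the 50% majority threshold and the traffic volumes are all constructed assumptions.

```python
from collections import Counter

# Constructed sample requests (assumptions for this example, not from the
# specification). The second one is the probe used in step three above.
NORMAL_REQUEST = "GET /index.html?page=home"
MALICIOUS_REQUEST = "GET /search?q=<script>alert('xss');</script>"


def extract_features(request: str) -> frozenset:
    """Toy 'characteristic factors': a few crude script-injection indicators.
    A real product would use far richer features; this is enough to show
    how the two libraries are filled and consulted."""
    r = request.lower()
    feats = set()
    if "<script" in r:
        feats.add("script_tag")
    if "alert(" in r:
        feats.add("js_call")
    if any(c in r for c in "<>\"'"):
        feats.add("markup_chars")
    return frozenset(feats)


# A known-bad signature: any request whose features include both of these.
KNOWN_BAD = frozenset({"script_tag", "js_call"})


class NaiveSelfTrainingWAF:
    """Step two as the embodiment describes it: the libraries are re-derived
    from unlabeled traffic, so whichever feature set dominates the traffic
    is moved into the normal access characteristic value library."""

    def __init__(self, majority: float = 0.5):
        self.majority = majority          # assumed re-labelling threshold
        self.seen = Counter()             # feature set -> times observed
        self.normal_lib = set()
        self.abnormal_lib = set()

    def observe(self, request: str, labelled_normal: bool = False) -> None:
        feats = extract_features(request)
        self.seen[feats] += 1             # the label is ignored: volume decides
        total = sum(self.seen.values())
        for fs, n in self.seen.items():
            if n / total > self.majority:
                self.normal_lib.add(fs)   # poisoning path: flood -> "normal"
                self.abnormal_lib.discard(fs)
            elif fs not in self.normal_lib:
                self.abnormal_lib.add(fs)

    def judge(self, request: str) -> str:
        feats = extract_features(request)
        return "normal access" if feats in self.normal_lib else "abnormal access"


class HardenedWAF:
    """Mitigated variant: signatures are pinned and checked first, unlabeled
    traffic never changes a library, and a flood is reported, not learned."""

    def __init__(self):
        self.signatures = {KNOWN_BAD}
        self.normal_lib = set()
        self.seen = Counter()

    def _matches_signature(self, feats: frozenset) -> bool:
        return any(sig <= feats for sig in self.signatures)

    def observe(self, request: str, labelled_normal: bool = False) -> None:
        feats = extract_features(request)
        self.seen[feats] += 1             # counted for monitoring only
        if labelled_normal and not self._matches_signature(feats):
            self.normal_lib.add(feats)    # only reviewed samples train it

    def judge(self, request: str) -> str:
        feats = extract_features(request)
        if self._matches_signature(feats):
            return "abnormal access"
        return "normal access" if feats in self.normal_lib else "abnormal access"

    def flood_alert(self, share: float = 0.5) -> list:
        """Detection: a signature-matching feature set that makes up more than
        `share` of observed traffic is the step-one flood itself."""
        total = sum(self.seen.values())
        if total == 0:
            return []
        return [fs for fs, n in self.seen.items()
                if n / total > share and self._matches_signature(fs)]


def run_test(waf, n_normal: int = 100, n_malicious: int = 1000) -> tuple:
    """Steps one to four: baseline traffic, a flood larger than the normal
    volume, one re-sent probe, and the verdict the embodiment defines."""
    for _ in range(n_normal):
        waf.observe(NORMAL_REQUEST, labelled_normal=True)
    for _ in range(n_malicious):              # step one; step two runs inside
        waf.observe(MALICIOUS_REQUEST)
    verdict = waf.judge(MALICIOUS_REQUEST)    # step three
    outcome = "has a vulnerability" if verdict == "normal access" else "is normal"
    return verdict, outcome                   # step four


if __name__ == "__main__":
    for cls in (NaiveSelfTrainingWAF, HardenedWAF):
        print(cls.__name__, run_test(cls()))
```

With the constructed volumes the naive product re-labels the probe's feature set as normal once the flood passes the normal baseline, so step four reports a vulnerability, exactly the condition the preferred embodiment above ties to a larger malicious volume over the same period. The hardened product gives the opposite verdict, and its flood_alert method turns the step-one flood into a monitoring signal, which is the check a defender would want wired to the access-log monitoring of the prediction judgment module.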
As shown in fig. 2, the present embodiment further provides a test system for attacking a machine learning product, including:
a sample module, used for storing the malicious sample test set for attack access and for training the characteristic factors of the malicious access data in the malicious sample set;
an algorithm module, used by the machine learning product to acquire the characteristic factors of the malicious access data, analyze and classify the acquired characteristic factors, and establish and refine the prediction judgment module; in this embodiment, the attacker in the algorithm module accesses the tested machine learning product in large volume over a long period, so that the algorithm module obtains a large amount of malicious access data information and analyzes all of the malicious access data;
a prediction judgment module, comprising a normal access characteristic value library and an abnormal access characteristic value library, used for storing the classified characteristic factors, monitoring the access logs on the machine learning product server in real time, comparing the access logs with the characteristic factors stored in the normal access characteristic value library and the abnormal access characteristic value library, and producing a prediction output if abnormal access behavior is found; in this embodiment, when attack access is performed on the machine learning product again with one piece of malicious access data (such as <script>alert('xss');</script>) from the malicious sample test set, the prediction judgment module places the abnormal malicious access data into the normal access characteristic value library;
a malicious access module, used for carrying out attack access on the machine learning product with one piece of malicious access data, the malicious access data comprising the characteristic factors to be predicted;
a prediction result module, used for receiving the prediction output of the prediction judgment module and judging whether the attack access test performed by the malicious access module on the machine learning product with the malicious access data has succeeded; in this embodiment, the prediction result module observes that the prediction output of the prediction judgment module is normal access data: the malicious data can be accessed under the identity of normal data, the WAF (Web Application Firewall) system of the machine learning product is successfully bypassed, an XSS alert box pops up, and the attacker has successfully attacked the firewall. The test result of the system on the machine learning product shows that the machine learning product has a vulnerability.
The above embodiment only expresses one specific embodiment of the present invention, and although its description is relatively specific and detailed, it is not to be construed as limiting the scope of the present invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the present invention.