
One-Variable Attack on The Industrial Fault Classification System and Its Defense
Yue Zhuo, Yuri A.W. Shardt, Zhiqiang Ge
Engineering (English), 2022, Vol. 19, Issue 12: 240-251.
Recently developed fault classification methods for industrial processes are mainly data-driven. Notably, models based on deep neural networks have significantly improved fault classification accuracy owing to the inclusion of a large number of data patterns. However, these data-driven models are vulnerable to adversarial attacks; thus, small perturbations on the samples can cause the models to provide incorrect fault predictions. Several recent studies have demonstrated the vulnerability of machine learning methods and the existence of adversarial samples. This paper proposes a black-box attack method with an extreme constraint for a safety-critical industrial fault classification system: only one variable can be perturbed to craft adversarial samples. Moreover, to hide the adversarial samples in the visualization space, a Jacobian matrix is used to guide the perturbed variable selection, making the adversarial samples in the dimensionality-reduction space invisible to the human eye. Using the one-variable attack (OVA) method, we explore the vulnerability of industrial variables and fault types, which can help understand the geometric characteristics of fault classification systems. Based on the attack method, a corresponding adversarial training defense method is also proposed, which efficiently defends against an OVA and improves the prediction accuracy of the classifiers. In experiments, the proposed method was tested on two datasets from the Tennessee–Eastman process (TEP) and Steel Plates (SP). We explore the vulnerability and correlation within variables and faults and verify the effectiveness of OVAs and defenses for various classifiers and datasets. For industrial fault classification systems, the attack success rate of our method is close to (on TEP) or even higher than (on SP) the current most effective first-order white-box attack method, which requires perturbation of all variables.
Adversarial samples / Black-box attack / Industrial data security / Fault classification system
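The abstract's idea of ranking process variables by how fragile the classifier is to a change in one variable alone can be checked from the defender's side. The following is an added example, not the paper's OVA algorithm or code: it assumes a linear classifier whose weights are known to the auditor, and the weights `W`, `B`, the samples, and the budget are constructed for illustration.

```python
# Added example: per-variable robustness audit of a linear fault classifier.
# W, B and SAMPLES are constructed (standardized units), not from TEP or SP.
W = [[1.0, 0.0, 0.5],     # class 0: normal operation
     [0.0, 3.0, 0.5],     # class 1: fault A
     [-1.0, -1.0, 0.5]]   # class 2: fault B
B = [0.0, 0.0, 0.0]
SAMPLES = [[2.0, 0.5, 0.3], [3.0, 0.1, -1.0], [0.2, 1.0, 0.0], [-1.0, -1.0, 2.0]]

def logits(W, b, x):
    return [sum(w * v for w, v in zip(row, x)) + bk for row, bk in zip(W, b)]

def predict(W, b, x):
    z = logits(W, b, x)
    return max(range(len(z)), key=z.__getitem__)

def min_flip_shift(W, b, x, j):
    """Smallest |shift| of variable j alone that brings x to a decision
    boundary, or None if variable j cannot change the prediction.
    Exact for a linear model: margin divided by sensitivity."""
    z = logits(W, b, x)
    c = predict(W, b, x)
    best = None
    for k in range(len(z)):
        if k == c:
            continue
        slope = W[k][j] - W[c][j]          # d(z_k - z_c) / d x_j
        if slope == 0:
            continue                        # class k never gains on c via x_j
        need = abs((z[c] - z[k]) / slope)
        if best is None or need < best:
            best = need
    return best

def audit(W, b, samples, eps):
    """Per variable: fraction of samples whose label can change when that
    single variable moves by at most eps."""
    rates = []
    for j in range(len(samples[0])):
        hits = 0
        for x in samples:
            d = min_flip_shift(W, b, x, j)
            if d is not None and d <= eps:
                hits += 1
        rates.append(hits / len(samples))
    return rates

if __name__ == "__main__":
    for j, r in enumerate(audit(W, B, SAMPLES, eps=1.0)):
        print(f"variable {j}: {r:.0%} of samples flip within budget")
```

Variables with a high rate are the ones whose sensor readings deserve plausibility checks or redundancy, and they are natural candidates for augmentation when adversarially retraining the classifier.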