
Computer Engineering ›› 2024, Vol. 50 ›› Issue (10): 228-239. doi: 10.19678/j.issn.1000-3428.0068371

• Cyberspace Security •

Study on Adversarial Sample Attacks on Deep Learning Based Fingerprinting Indoor Localization

ZHANG Xuejun1,*, XI Ayou1, JIA Xiaohong1, ZHANG Bin1, LI Mei1, DU Xiaogang2, HUANG Haiyan1

  1. School of Electronic and Information Engineering, Lanzhou Jiaotong University, Lanzhou 730070, Gansu, China
  2. School of Electronic Information and Artificial Intelligence, Shaanxi University of Science & Technology, Xi'an 710021, Shaanxi, China
  • Received: 2023-09-11 Online: 2024-10-15 Published: 2024-03-06
  • Contact: ZHANG Xuejun
  • Funding:
    National Natural Science Foundation of China (61762058); National Natural Science Foundation of China (62366029); Natural Science Foundation of Gansu Province (21JR7RA282); Natural Science Foundation of Gansu Province (23JRRA855); Industry Support Project of the Education Department of Gansu Province (2022CYZC-38); Youth Science Foundation of Lanzhou Jiaotong University (2023006); Youth Science Foundation of Lanzhou Jiaotong University (2023008)

Abstract:

This study investigated adversarial attacks on Deep Learning (DL)-based Wi-Fi fingerprint indoor positioning systems, which have significantly improved indoor localization performance by effectively extracting deep features from Received Signal Strength (RSS) fingerprint data. However, such methods require a large and diverse set of RSS fingerprint data for model training. Furthermore, there is a lack of sufficient research on their security vulnerabilities, which stem from the openness of the wireless Wi-Fi medium and inherent flaws in classifiers, such as susceptibility to adversarial attacks. To address this issue, we researched adversarial attacks on DL-based RSS fingerprint indoor positioning systems. We proposed an adversarial sample attack framework based on Wi-Fi fingerprint indoor positioning and used it to assess the impact of adversarial attacks on the performance of DL-based RSS fingerprint indoor positioning models. The framework consists of two phases: offline training and online positioning. In the offline training phase, we designed a Conditional Generative Adversarial Network (CGAN) suitable for augmenting Wi-Fi RSS fingerprint data to generate a large and diverse dataset for training robust indoor positioning DL models. In the online positioning phase, we constructed the strongest first-order attack strategy to generate effective RSS fingerprint adversarial samples and studied the impact of adversarial attacks on different indoor positioning DL models. Experimental results on the publicly available UJIIndoorLoc dataset showed that the adversarial samples generated by the proposed framework achieved average attack success rates of 94.1%, 63.75%, 43.45%, and 72.5% on existing fingerprint indoor positioning models based on Convolutional Neural Network (CNN), Deep Neural Network (DNN), Multilayer Perceptron (MLP), and pixeldp_CNN, respectively. Furthermore, the average attack success rates on the fingerprint indoor positioning models trained with data augmented by the CGAN were 84.95%, 44.8%, 15.7%, and 11.5% for CNN, DNN, MLP, and pixeldp_CNN, respectively. Therefore, existing DL-based fingerprint indoor positioning models were susceptible to adversarial sample attacks, and the models trained using a mixture of real and augmented data exhibited better robustness when encountering adversarial sample attacks.

Key words: indoor localization, Conditional Generative Adversarial Network (CGAN), adversarial attack, Deep Learning (DL), robustness