Abstract:
With the development of urban intelligence, fingerprint-based indoor positioning services that use WiFi received signal strength (RSS) have attracted wide attention. Deep learning is an important way to achieve high indoor positioning performance from RSS signals, but it is vulnerable to adversarial sample attacks, which pose serious security risks to positioning systems. This paper proposes AdvILoc, a deep learning based RSS fingerprint indoor localization method that resists adversarial sample attacks. Building on research and analysis of adversarial sample defenses in image recognition, and taking into account that indoor RSS fingerprint data has features that are of a single type and high-dimensional, AdvILoc defends against adversarial sample attacks by adding a pooling layer, a fully connected layer, and a noise layer satisfying differential privacy to the deep learning model for RSS fingerprint indoor localization. This also addresses the tendency of deep learning based indoor localization models to overfit and generalize poorly. Adding a Dropout layer and designing a regularization method for the model parameters further improves the model's robustness against adversarial sample attacks. Experimental results on two real RSS fingerprint indoor localization datasets show that, compared with existing RSS fingerprint indoor localization methods based on multi-layer perceptron (MLP) and convolutional neural network (CNN), the proposed method improves the model's robustness against adversarial sample attacks while maintaining the time overhead and essentially without affecting localization performance. Under the C&W attack constrained by the l2 norm, the model's localization accuracy also declines more smoothly as the attack size increases.
Key words:
- indoor localization
- adversarial samples
- deep learning
- C&W attacks
- differential privacy
Table 1. Certified accuracy of indoor localization model under different privacy budgets ε

| Dataset | ε | σ | CA/% |
|---|---|---|---|
| Mall | 0.1 | 25.373 | 9.5 |
| Mall | 0.2 | 12.686 | 10.4 |
| Mall | 0.3 | 8.458 | 10.9 |
| Mall | 0.4 | 6.343 | 16.6 |
| Mall | 0.5 | 5.075 | 29.6 |
| Mall | 0.6 | 4.229 | 38.6 |
| Mall | 0.7 | 3.625 | 32.6 |
| Mall | 0.8 | 3.172 | 36.8 |
| Mall | 0.9 | 2.819 | 49.8 |
| Mall | 1.0 | 2.537 | 50.8 |
| UJIIndoorLoc | 0.1 | 25.373 | 10.0 |
| UJIIndoorLoc | 0.2 | 12.686 | 11.5 |
| UJIIndoorLoc | 0.3 | 8.458 | 52.1 |
| UJIIndoorLoc | 0.4 | 6.343 | 75.2 |
| UJIIndoorLoc | 0.5 | 5.075 | 72.8 |
| UJIIndoorLoc | 0.6 | 4.229 | 73.6 |
| UJIIndoorLoc | 0.7 | 3.625 | 72.3 |
| UJIIndoorLoc | 0.8 | 3.172 | 77.8 |
| UJIIndoorLoc | 0.9 | 2.819 | 75.7 |
| UJIIndoorLoc | 1.0 | 2.537 | 73.7 |

Table 2. Certified accuracy of indoor localization DL model under different constraint attack boundaries L

| Dataset | L=0.03 (CA/%) | L=0.1 (CA/%) | L=0.3 (CA/%) | L=1.0 (CA/%) |
|---|---|---|---|---|
| Mall | 60.0 | 57.2 | 56.4 | 54.6 |
| UJIIndoorLoc | 77.9 | 76.6 | 76.4 | 70.1 |

Table 3. Comparative evaluation of calculation efficiency between AdvILoc and indoor localization model based on PixelDP

| Dataset | Model | Training time/s | Test time/ms |
|---|---|---|---|
| Mall | Pixel | 14.717 9 | 0.761 2 |
| Mall | Proposed method | 15.688 1 | 0.761 5 |
| UJIIndoorLoc | Pixel | 30.120 2 | 0.761 2 |
| UJIIndoorLoc | Proposed method | 29.940 2 | 0.761 2 |

Table 4. Comparative evaluation of calculation efficiency between ε-RssDP and indoor localization DL model based on CNN and MLP network structure

| Dataset | Method | Training time/s | Test time/ms |
|---|---|---|---|
| Mall | CNN | 13.303 7 | 0.761 2 |
| Mall | MLP | 15.800 6 | 0.761 1 |
| Mall | Proposed method | 15.454 2 | 0.761 5 |
| UJIIndoorLoc | CNN | 24.043 1 | 0.761 2 |
| UJIIndoorLoc | MLP | 24.643 5 | 0.761 1 |
| UJIIndoorLoc | Proposed method | 28.712 9 | 0.761 3 |
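The sketch below is an added example, not code from the paper. It shows how a differentially private noise layer ties the privacy budget ε to the noise scale σ and to a certified prediction, using the Gaussian mechanism and the PixelDP robustness condition (Lecuyer et al., 2019). Assumptions: δ = 0.05 and a sensitivity-times-attack-bound of 1 are not stated on the page (they are chosen because they reproduce the σ column of Table 1), and `toy_scores`, `REFS` and `QUERY` are a constructed stand-in for the localization network and its data.

```python
import math
import random

DELTA = 0.05  # assumption: not on the page; reproduces Table 1's sigma column
BOUND = 1.0   # assumption: sensitivity x l2 attack bound used for calibration

def gaussian_sigma(eps, delta=DELTA, bound=BOUND):
    """Gaussian-mechanism noise scale for an (eps, delta)-DP layer (eps <= 1)."""
    return math.sqrt(2.0 * math.log(1.25 / delta)) * bound / eps

def softmax(logits):
    m = max(logits)
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]

def toy_scores(rss, refs):
    """Constructed stand-in for the network: one score per candidate location."""
    return softmax([-math.dist(rss, r) / 10.0 for r in refs])

def expected_scores(rss, refs, sigma, draws, rng):
    """Average the scores over repeated draws of the noise layer."""
    sums = [0.0] * len(refs)
    for _ in range(draws):
        noisy = [v + rng.gauss(0.0, sigma) for v in rss]
        for i, s in enumerate(toy_scores(noisy, refs)):
            sums[i] += s
    return [s / draws for s in sums]

def is_certified(expected, eps, delta=DELTA):
    """PixelDP condition: the top score must beat the runner-up by the DP margin."""
    ranked = sorted(expected, reverse=True)
    factor = math.exp(2.0 * eps)
    return ranked[0] > factor * ranked[1] + (1.0 + factor) * delta

# Constructed sample: three reference fingerprints (dBm) and one query.
REFS = [[-40.0, -70.0, -85.0], [-75.0, -45.0, -80.0], [-85.0, -80.0, -42.0]]
QUERY = [-42.0, -69.0, -86.0]

if __name__ == "__main__":
    rng = random.Random(0)
    for eps in (0.1, 0.5, 1.0):
        sigma = gaussian_sigma(eps)
        scores = expected_scores(QUERY, REFS, sigma, 2000, rng)
        print(eps, round(sigma, 3), is_certified(scores, eps))
```

The check uses point estimates of the expected scores; a deployed certification would replace them with confidence bounds on the Monte Carlo averages.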