Countermeasure sample generation method and device, electronic equipment and storage medium

Document number: 1170070 Publication date: 2020-09-18

Reading notes: this technique, 一种对抗样本生成方法、装置、电子设备及存储介质 (Countermeasure sample generation method and device, electronic equipment and storage medium), was designed and created by 喻民 刘超 娄尘哲 姜建国 刘明奇 黄伟庆 on 2020-04-30. Its main content is as follows: an embodiment of the invention provides an adversarial sample generation method, device, electronic equipment and storage medium. The method comprises: obtaining a first association rule and a second association rule from a malicious document sample set and a benign document sample set respectively; obtaining a constraint rule from the first association rule and the second association rule based on a first preset rule; and carrying out an iterative attack on a machine learning model with attack samples, taking the attack samples that successfully attack the machine learning model as adversarial samples, where before each round of the iterative attack the attack samples are iteratively modified based on the constraint rule. By obtaining the first association rule of malicious documents and the second association rule of benign documents separately, a constraint rule indicated by the two classes of features is obtained, and adversarial samples with higher generality are generated from it, so that they apply to more kinds of detectors.

1. An adversarial sample generation method, comprising:

respectively obtaining a first association rule and a second association rule from a malicious document sample set and a benign document sample set, wherein the first association rule is used for indicating the characteristics of the malicious document based on the first class characteristics and the second class characteristics of the malicious document, and the second association rule is used for indicating the characteristics of the benign document based on the first class characteristics and the second class characteristics of the benign document;

based on a first preset rule, obtaining a constraint rule from the first association rule and the second association rule;

and carrying out an iterative attack on a machine learning model by using attack samples, and taking the attack samples that successfully attack the machine learning model as adversarial samples, wherein the attack samples are iteratively modified based on the constraint rule before each round of the iterative attack.

2. The adversarial sample generation method of claim 1, wherein the first preset rule is:

obtaining an intersection of the first association rule and the second association rule, and taking the remaining rules obtained by removing the intersection from the first association rule as the constraint rule.

3. The adversarial sample generation method according to claim 1 or 2, wherein obtaining the first association rule from the malicious document sample set comprises:

for each malicious document sample in the malicious document sample set, extracting each first-class feature and each second-class feature of the sample and combining them pairwise to obtain a plurality of feature pairs of the malicious document, wherein each feature pair comprises one first-class feature and one second-class feature, and obtaining the first association rule from the plurality of feature pairs of the malicious document based on a second preset rule;

obtaining the second association rule from the benign document sample set comprises:

for each benign document sample in the benign document sample set, extracting each first-class feature and each second-class feature of the sample and combining them pairwise to obtain a plurality of feature pairs of the benign document, wherein each feature pair comprises one first-class feature and one second-class feature, and obtaining the second association rule from the plurality of feature pairs of the benign document based on the second preset rule.

4. The adversarial sample generation method of claim 3, wherein the second preset rule comprises: a confidence rule, a support rule, a lift rule, and a physical structure relationship rule between the two features of a feature pair formed by a first-class feature and a second-class feature.

5. The method of claim 1 or 2, wherein the attack samples are attack vectors, and iteratively modifying the attack samples based on the constraint rule before each round of the iterative attack comprises:

before each round of the iterative attack, modifying the attack vector based on the constraint rule, generating an attack sample in reverse from the modified attack vector, regularizing the attack sample, converting the regularized attack sample back into an attack vector, and inputting that attack vector to the next round of the iterative attack.

6. The adversarial sample generation method according to claim 1 or 2, wherein the iterative attack is a momentum iterative attack.

7. The adversarial sample generation method according to claim 1 or 2, wherein the first class of features are content-based features and the second class of features are structure-based features.

8. An adversarial sample generation device, comprising:

an association rule generating module, configured to obtain a first association rule and a second association rule from a malicious document sample set and a benign document sample set, respectively, where the first association rule is used to indicate a feature of the malicious document based on a first class feature and a second class feature of the malicious document, and the second association rule is used to indicate a feature of the benign document based on the first class feature and the second class feature of the benign document;

a constraint rule generating module, configured to obtain a constraint rule from the first association rule and the second association rule based on a first preset rule;

and an adversarial sample generation module, configured to carry out an iterative attack on a machine learning model by using attack samples and to take the attack samples that successfully attack the machine learning model as adversarial samples, wherein the attack samples are iteratively modified based on the constraint rule before each round of the iterative attack.

9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the adversarial sample generation method of any of claims 1 to 7 are implemented when the program is executed by the processor.

10. A non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the adversarial sample generation method of any of claims 1 to 7.

Technical Field

The invention relates to the technical field of computer security, in particular to an adversarial sample generation method and device, electronic equipment and a storage medium.

Background

Malicious documents are a type of malware that, unlike executable files, looks convenient and inconspicuous, which makes it easy for people to overlook the security threat they pose. Attackers hide malicious code by modifying ordinary documents and spread them explosively through spam or the internet, and in combination with social engineering they form the most threatening APT attacks. Machine-learning-based detectors have become the mainstream method for detecting malicious documents. However, practice has shown that these detectors also need to remain robust against potentially unknown attacks: overlooking any attack scenario may allow an adversarial sample to fool the detector and cause the malicious document detector to make a wrong decision.

Researchers at home and abroad construct adversarial samples following the idea of an arms race, and use the adversarial samples for adversarial training so as to improve the robustness of the detector. The main such method selects several seed documents with real malicious behaviour, defines three document modification operators (adding, deleting and replacing), applies these operators to the seed documents in each generation to produce mutations, and searches all the offspring for successful adversarial samples. This method shows that adversarial samples of malicious documents exist, and that the algorithm generates them with a high success rate. Although EvadeML considers that detectors of malicious PDF documents may not share the same feature space, testing, for example, against a content-feature-based detector and a structure-path-feature-based detector separately, the tests are independent of each other, which breaks the continuity of an adversarial sample across different detectors. Later generation methods add more constraints on the target detector but still treat the scenario as over-simplified, and the generality and portability of the generated adversarial samples remain uncertain.

Therefore, there is a need for a method and apparatus for generating more general adversarial samples suitable for training more types of detectors.

Disclosure of Invention

In order to solve the above problems in the prior art, embodiments of the present invention provide an adversarial sample generation method, apparatus, electronic device and storage medium.

In a first aspect, an embodiment of the present invention provides an adversarial sample generation method, including:

respectively obtaining a first association rule and a second association rule from a malicious document sample set and a benign document sample set, wherein the first association rule is used for indicating the characteristics of the malicious document based on the first class characteristics and the second class characteristics of the malicious document, and the second association rule is used for indicating the characteristics of the benign document based on the first class characteristics and the second class characteristics of the benign document;

based on a first preset rule, obtaining a constraint rule from the first association rule and the second association rule;

and carrying out an iterative attack on a machine learning model by using attack samples, and taking the attack samples that successfully attack the machine learning model as adversarial samples, wherein the attack samples are iteratively modified based on the constraint rule before each round of the iterative attack.

Optionally, the first preset rule is:

obtaining an intersection of the first association rule and the second association rule, and taking the remaining rules obtained by removing the intersection from the first association rule as the constraint rule.

Optionally, obtaining the first association rule from the malicious document sample set includes:

for each malicious document sample in the malicious document sample set, extracting each first-class feature and each second-class feature of the sample and combining them pairwise to obtain a plurality of feature pairs of the malicious document, wherein each feature pair comprises one first-class feature and one second-class feature, and obtaining the first association rule from the plurality of feature pairs of the malicious document based on a second preset rule;

obtaining the second association rule from the benign document sample set comprises:

for each benign document sample in the benign document sample set, extracting each first-class feature and each second-class feature of the sample and combining them pairwise to obtain a plurality of feature pairs of the benign document, wherein each feature pair comprises one first-class feature and one second-class feature, and obtaining the second association rule from the plurality of feature pairs of the benign document based on the second preset rule.

Optionally, the second preset rule includes: a confidence rule, a support rule, a lift rule, and a physical structure relationship rule between the two features of a feature pair formed by a first-class feature and a second-class feature.

Optionally, the attack samples are attack vectors, and accordingly, iteratively modifying the attack samples based on the constraint rule before each round of the iterative attack includes:

before each round of the iterative attack, modifying the attack vector based on the constraint rule, generating an attack sample in reverse from the modified attack vector, regularizing the attack sample, converting the regularized attack sample back into an attack vector, and inputting that attack vector to the next round of the iterative attack.

Optionally, the iterative attack is a momentum iterative attack.

Optionally, the first class of features are content-based features and the second class of features are structure-based features.

In a second aspect, an embodiment of the present invention provides an adversarial sample generation device, including:

an association rule generating module, configured to obtain a first association rule and a second association rule from a malicious document sample set and a benign document sample set, respectively, where the first association rule is used to indicate a feature of the malicious document based on a first class feature and a second class feature of the malicious document, and the second association rule is used to indicate a feature of the benign document based on the first class feature and the second class feature of the benign document;

a constraint rule generating module, configured to obtain a constraint rule from the first association rule and the second association rule based on a first preset rule;

and an adversarial sample generation module, configured to carry out an iterative attack on a machine learning model by using attack samples and to take the attack samples that successfully attack the machine learning model as adversarial samples, wherein the attack samples are iteratively modified based on the constraint rule before each round of the iterative attack.

In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the steps of the method according to the first aspect when executing the program.

In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method according to the first aspect.

The adversarial sample generation method, apparatus, electronic device and storage medium provided by the embodiment of the invention obtain the constraint rule indicated by the two classes of features by respectively obtaining the first association rule of malicious documents and the second association rule of benign documents, and further generate adversarial samples with higher generality, so that the adversarial samples are suitable for more types of detectors.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.

FIG. 1 is a flow chart of an adversarial sample generation method according to an embodiment of the present invention;

FIG. 2 is a diagram illustrating structural features of a PDF document according to an embodiment of the present invention;

fig. 3 is a schematic flow chart of an association rule generation method according to an embodiment of the present invention;

fig. 4 is a schematic flowchart of an iterative attack provided in an embodiment of the present invention;

fig. 5 is a schematic view of a modification flow of an attack sample according to an embodiment of the present invention;

FIG. 6 is a schematic structural diagram of an adversarial sample generation device according to an embodiment of the present invention;

fig. 7 is a schematic structural diagram of an embodiment of an electronic device according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

Fig. 1 is a flowchart of an adversarial sample generation method according to an embodiment of the present invention. As shown in fig. 1, the method includes:

s101, acquiring a first association rule and a second association rule from a malicious document sample set and a benign document sample set respectively, wherein the first association rule is used for indicating the characteristics of the malicious document based on the first class characteristics and the second class characteristics of the malicious document, and the second association rule is used for indicating the characteristics of the benign document based on the first class characteristics and the second class characteristics of the benign document.

Specifically, the malicious document sample set includes a plurality of malicious document samples, and the malicious document samples are document samples having malicious codes and the like and causing threats to the user equipment. Accordingly, the benign document sample set includes a plurality of benign document samples, which are document samples that do not pose a threat to the user device.

The first class of features may be, for example, content-based features and the second class of features may be, for example, structure-based features, or the second class of features may be content-based features and the first class of features may be structure-based features. In addition, the first type of feature or the second type of feature may also be other types of features that may be used to detect whether a document is a malicious document, which is not limited in this embodiment of the present invention.

Taking a PDF document as an example, the content-based features are mainly metadata and object features of the PDF document, and mainly come from a physical structure of the PDF document. The metadata characteristics comprise file size, author, creation date and the like, and the object characteristics mainly comprise object keywords and object properties such as type, position, number, length and the like.

The structure-based feature mainly takes a logical structure path of a PDF document as a feature, and objects in the PDF document may form an integral logical tree structure through an indirect reference relationship, as shown in fig. 2, where a node is an object or an array, and an edge corresponds to a name of a child object in a parent object. A logical structure path is a sequence of edges from a root node to any node.

The first-class features and the second-class features of the malicious document sample set are extracted, and the first association rule is obtained through probability calculation or other means, where the first association rule indicates the features of malicious documents through the first-class and second-class features. For example, fig. 3 is a flowchart illustrating an association rule generating method according to an embodiment of the present invention.

Correspondingly, the first class features and the second class features of the benign document sample set are extracted, and a second association rule is obtained through probability calculation and the like, wherein the second association rule indicates the features of the benign document through the first class features and the second class features.

The steps of obtaining the first association rule and the second association rule may be performed simultaneously or sequentially, and the order of performing the steps is not particularly limited in the embodiment of the present invention.

S102, based on a first preset rule, obtaining a constraint rule by the first association rule and the second association rule.

Specifically, the first association rule and the second association rule indicate the characteristics of malicious documents and of benign documents respectively, and the characteristics exhibited by both malicious and benign documents include not only the specifically malicious or benign characteristics but also the general characteristics shared by all ordinary documents. Therefore, after the first and second association rules are obtained, the features that exist only in malicious documents are derived from the two rules according to a preset first rule and used as the constraint rule.

The first preset rule may be, for example, an intersection of the first association rule and the second association rule is obtained, and a remaining rule obtained by removing the intersection in the first association rule is used as the constraint rule.

S103, carrying out an iterative attack on the machine learning model by using the attack samples, and taking the attack samples that successfully attack the machine learning model as adversarial samples, wherein before each round of the iterative attack the attack samples are iteratively modified based on the constraint rule.

Specifically, after the constraint rule is obtained, an iterative attack is carried out on the machine learning model by using the attack samples in the attack data set. Corresponding to the first-class or second-class features used by the association rules, the machine learning model may be a model trained on content-based features extracted from a training set, a model trained on structure-based features extracted from a training set, or a model trained on other types of features, which is not particularly limited in this embodiment of the present invention.

Before each iteration of attack, the attack sample is iteratively modified based on the constraint rule obtained in step S102, so that the modification satisfies the constraint rule. For example, when a content-based feature is modified, the corresponding structure-based feature is also modified according to the constraint rule under the constraint of the constraint rule.

In each round of the iterative attack, it is judged whether the current attack sample successfully attacks the machine learning model, and if so, the current attack sample is retained or recorded as an adversarial sample. The flow of the iterative attack may refer to the example given in fig. 4.

The adversarial sample generation method provided by the embodiment of the invention obtains the constraint rule indicated by the two classes of features by respectively obtaining the first association rule of malicious documents and the second association rule of benign documents, and further generates adversarial samples with higher generality, so that the adversarial samples are suitable for more types of detectors.

On the basis of the above embodiment of the present invention, obtaining the first association rule from the malicious document sample set includes:

for each malicious document sample in the malicious document sample set, extracting each first-class feature and each second-class feature of the sample and combining them pairwise to obtain a plurality of feature pairs of the malicious document, wherein each feature pair comprises one first-class feature and one second-class feature, and obtaining the first association rule from the plurality of feature pairs of the malicious document based on a second preset rule.

Specifically, for each malicious document sample in the malicious document sample set, each first-class feature and each second-class feature of the sample are extracted, and the extracted first-class and second-class features are combined pairwise to form a plurality of feature pairs, each comprising one first-class feature and one second-class feature. For example, if M first-class features and N second-class features are extracted from a malicious document, M × N feature pairs can be formed.

From the feature values of each malicious document sample, the statistical characteristics of each feature pair can be obtained, and on the basis of these statistics the first association rule representing the characteristics of malicious documents can be obtained through the second preset rule. The second preset rule may be determined based on factors such as probability and the actual physical relationship between the first-class feature and the second-class feature, which is not particularly limited in the embodiment of the present invention.

Accordingly, obtaining the second association rule from the benign document sample set comprises:

for each benign document sample in the benign document sample set, extracting each first-class feature and each second-class feature of the sample and combining them pairwise to obtain a plurality of feature pairs of the benign document, wherein each feature pair comprises one first-class feature and one second-class feature, and obtaining the second association rule from the plurality of feature pairs of the benign document based on the second preset rule.

The step of obtaining the second association rule is similar to the step of obtaining the first association rule, and is not described herein again.

Further, the second preset rule may include, for example: a confidence rule, a support rule, a lift rule, and a physical structure relationship rule between the two features of a feature pair formed by a first-class feature and a second-class feature.

The confidence rule expresses the probability that the second-class feature Y is present when the first-class feature X is present; the support rule expresses the probability that the first-class feature X and the second-class feature Y are present together; and the lift rule expresses how much the probability that Y is present increases when X is present compared with when X is absent. After a preliminary association rule is obtained through the confidence, support and lift rules, it is checked whether a direct physical structure relationship exists between the two features of the preliminary rule, and the association rules that have no actual physical structure relationship are removed, giving the final first or second association rule.

According to the embodiment of the invention, association rules with a strong association relationship are obtained through the constraints of the confidence, support and lift rules, and the correctness of the final first or second association rule is further ensured by verifying the actual physical structure, so that the two features bound by a first or second association rule are features that can be modified synchronously.
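Steps S101 and S102 and the second preset rule above, worked through as an added example that is not part of the patent: two constructed toy corpora of logical object trees (in the shape of fig. 2) are turned into content features (object keywords, `kw:`) and structure features (logical structure paths, `path:`); every content/structure pair occurring in a document is a candidate rule; support, confidence and lift are computed per corpus (lift is taken here in its standard form P(Y|X)/P(Y)); pairs without a direct physical relationship (the keyword is not a key of the object reached by the path) are dropped; and the constraint rule set is the malicious rule set minus its intersection with the benign one. The document trees, the feature encoding, the thresholds and the physical-relationship test are all assumptions made for the example.

```python
from collections import Counter
from itertools import product

# Constructed toy corpora (not real documents, not the patent's data). Each document is a
# logical object tree like fig. 2: a dict key is the name of a child object in its parent,
# a list is an array (arrays add no edge name), and the top-level dict stands in for the trailer.
MALICIOUS_DOCS = [
    {"Root": {"Pages": {"Kids": [{"Type": "Page"}]},
              "OpenAction": {"S": "JavaScript", "JS": ""}},
     "Info": {"Producer": "x"}},
    {"Root": {"Pages": {"Kids": [{"Type": "Page"}]},
              "OpenAction": {"S": "JavaScript", "JS": ""},
              "Names": {"EmbeddedFiles": {}}}},
    {"Root": {"Pages": {"Kids": [{"Type": "Page"}, {"Type": "Page"}]},
              "OpenAction": {"S": "JavaScript", "JS": ""}},
     "Info": {"Author": "a"}},
    {"Root": {"Pages": {"Kids": [{"Type": "Page"}]},
              "AcroForm": {"Fields": [], "XFA": {}}},
     "Info": {"Producer": "x"}},
]
BENIGN_DOCS = [
    {"Root": {"Pages": {"Kids": [{"Type": "Page"}]}},
     "Info": {"Author": "a", "Producer": "x"}},
    {"Root": {"Pages": {"Kids": [{"Type": "Page"}, {"Type": "Page"}]},
              "Outlines": {"First": {}}}},
    {"Root": {"Pages": {"Kids": [{"Type": "Page"}]},
              "OpenAction": {"S": "GoTo", "D": [0]}},
     "Info": {"Producer": "x"}},
    {"Root": {"Pages": {"Kids": [{"Type": "Page"}]},
              "AcroForm": {"Fields": []}},
     "Info": {"Author": "c", "Producer": "x"}},
]


def features(doc):
    """Extract one document's feature sets.

    content   : 'kw:<Name>' for every object keyword (dict key) in the tree
    structure : 'path:<edges>' for every logical structure path from the root
    physical  : (kw, path) pairs where kw is a key of the object reached by path, i.e.
                the pairs that have a direct physical structure relationship in this document
    """
    content, structure, physical = set(), set(), set()

    def walk(node, path):
        if isinstance(node, dict):
            for name, child in node.items():
                content.add(f"kw:{name}")
                physical.add((f"kw:{name}", f"path:{path}"))
                structure.add(f"path:{path}/{name}")
                walk(child, f"{path}/{name}")
        elif isinstance(node, list):
            for child in node:
                walk(child, path)

    walk(doc, "")
    return content, structure, physical


def mine_rules(docs, min_support=0.5, min_confidence=0.8, min_lift=1.0):
    """Second preset rule: keep content->structure pairs that pass the support,
    confidence and lift thresholds (assumed values) and the physical-relationship check."""
    n = len(docs)
    count_x, count_y, count_xy, physical_any = Counter(), Counter(), Counter(), set()
    for content, structure, physical in map(features, docs):
        count_x.update(content)
        count_y.update(structure)
        count_xy.update(product(content, structure))   # the M x N feature pairs of one document
        physical_any |= physical
    rules = {}
    for (x, y), nxy in count_xy.items():
        support = nxy / n                       # P(X and Y)
        confidence = nxy / count_x[x]           # P(Y | X)
        lift = confidence / (count_y[y] / n)    # P(Y | X) / P(Y)
        if (support >= min_support and confidence >= min_confidence
                and lift > min_lift and (x, y) in physical_any):
            rules[(x, y)] = (round(support, 3), round(confidence, 3), round(lift, 3))
    return rules


def constraint_rules(malicious_rules, benign_rules):
    """First preset rule: the malicious rules minus their intersection with the benign rules."""
    shared = set(malicious_rules) & set(benign_rules)
    return {r: m for r, m in malicious_rules.items() if r not in shared}


if __name__ == "__main__":
    first = mine_rules(MALICIOUS_DOCS)
    second = mine_rules(BENIGN_DOCS)
    for rule, (sup, conf, lift) in constraint_rules(first, second).items():
        print(f"{rule[0]} -> {rule[1]}  support={sup} confidence={conf} lift={lift}")
```

On these toy corpora the lift threshold discards pairs such as `kw:Pages -> path:/Root` that occur in every document of both classes, the physical check discards co-occurring but unrelated pairs such as `kw:JS -> path:/Root/OpenAction/S`, and the rule `kw:Producer -> path:/Info` is mined from both corpora and therefore removed by the set difference, leaving only the rules that tie the two feature classes together in malicious documents alone.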

On the basis of the above embodiment of the present invention, the attack samples are attack vectors, and accordingly, iteratively modifying the attack samples based on the constraint rule before each round of the iterative attack includes:

before each round of the iterative attack, modifying the attack vector based on the constraint rule, generating an attack sample in reverse from the modified attack vector, regularizing the attack sample, converting the regularized attack sample back into an attack vector, and inputting that attack vector to the next round of the iterative attack.

In feature-space adversarial sample generation methods, the adversarial vector is approached iteratively, and only the vectorized sample needs to be modified during the iteration. In the embodiment of the invention, the modification of the vector is extended to an associated modification of the attack sample: under the limits of the constraint rule, a real sample is generated in reverse from the vector, and the regularized sample is then converted back into a vector and input to the next iteration. The specific process is shown in fig. 5.

According to the embodiment of the invention, a real sample is generated in reverse from the vector and the regularized sample is then converted back into a vector, which avoids the problem that a vector modified over many rounds can no longer be restored to a real document sample, or that the generated adversarial sample fails to retain the original malicious behaviour.

Further, the iterative attack is a momentum iterative attack. In a momentum iterative attack, a velocity vector is accumulated along the gradient direction of the loss function during the iterations so as to accelerate the gradient descent; keeping the previous gradients helps to pass quickly through unwanted local maxima or minima, and reduces the influence of feature dependence on the modified vector in the test scenario.
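The per-round loop of step S103 and fig. 5, as an added example that is not the patent's code: a momentum iterative attack (the accumulated-velocity update of MI-FGSM) against a constructed logistic-regression detector over five abstract features, where after every vector step the vector is reverse-generated into a sample, regularized under the constraint rules and re-vectorized before the next round. Running the same loop with `regularize=False` shows the failure mode the preceding paragraph describes: the raw vector crosses the decision boundary in one round, but only by stripping the protected feature that carries the seed's original behaviour, so it is not a realizable sample. The feature names, detector weights, constraint rules, protected set and seed sample are all constructed for the example; the purpose is to produce adversarial training data for hardening the detector.

```python
import math

# Feature space (constructed, abstract): three content-feature counts and two
# structure-path indicators. Not the patent's feature set.
FEATURES = ["c_a", "c_b", "c_c", "s_a", "s_b"]
# Constraint rules in the page's sense (content feature -> structure feature, constructed):
# the path s_a exists in a real sample exactly when an object counted by c_a or c_b is present.
CONSTRAINTS = {"c_a": "s_a", "c_b": "s_a"}
# Feature that carries the seed sample's original behaviour; regularization never reduces it.
PROTECTED = {"c_a"}
# Constructed logistic-regression detector over FEATURES (positive weight = more malicious).
WEIGHTS = [1.6, 0.9, -0.7, 1.2, -1.1]
BIAS = -0.8
SEED = {"c_a": 2, "c_b": 1, "c_c": 0, "s_a": 1, "s_b": 0}   # constructed seed, scored malicious


def vectorize(sample):
    return [sample[f] for f in FEATURES]


def devectorize(x):
    return dict(zip(FEATURES, x))


def score(x):
    """Detector output: probability that the vector x is malicious."""
    z = sum(w * xi for w, xi in zip(WEIGHTS, x)) + BIAS
    return 1.0 / (1.0 + math.exp(-z))


def loss_gradient(x):
    """d/dx of the cross-entropy loss for the true label 'malicious': (p - 1) * w."""
    p = score(x)
    return [(p - 1.0) * w for w in WEIGHTS]


def sign(v):
    return (v > 0) - (v < 0)


def regularized_sample(candidate, original):
    """Reverse-generate a realizable sample from a modified vector and regularize it."""
    s = {}
    for f in FEATURES:
        v = max(int(round(candidate[f])), 0)       # counts are non-negative integers
        if f in PROTECTED:
            v = max(v, original[f])                 # never strip the original behaviour
        if f.startswith("s_"):
            v = min(v, 1)                           # a path is either present or absent
        s[f] = v
    # Associated modification: a structure feature follows the content features tied to it.
    for y in set(CONSTRAINTS.values()):
        s[y] = 1 if any(s[x] > 0 for x, yy in CONSTRAINTS.items() if yy == y) else 0
    return s


def is_realizable(sample, original):
    """True when the sample is a fixed point of regularization, i.e. a real, behaviour-keeping document."""
    return sample == regularized_sample(sample, original)


def momentum_iterative_attack(seed, max_iter=20, alpha=1, mu=1.0, regularize=True):
    """Momentum iterative attack with per-round reverse generation and regularization.

    Returns (sample, rounds) once the detector scores the sample benign, else (None, max_iter).
    """
    x = vectorize(seed)
    g = [0.0] * len(x)
    for rounds in range(1, max_iter + 1):
        grad = loss_gradient(x)
        l1 = sum(abs(v) for v in grad) or 1.0
        g = [mu * gi + gr / l1 for gi, gr in zip(g, grad)]     # accumulate velocity
        x = [xi + alpha * sign(gi) for xi, gi in zip(x, g)]     # step that increases the loss
        if regularize:
            x = vectorize(regularized_sample(devectorize(x), seed))
        if score(x) < 0.5:                                       # detector now says benign
            return devectorize(x), rounds
    return None, max_iter


if __name__ == "__main__":
    adv, rounds = momentum_iterative_attack(SEED)
    print(rounds, adv, round(score(vectorize(adv)), 3), is_realizable(adv, SEED))
    raw, rounds = momentum_iterative_attack(SEED, regularize=False)
    print(rounds, raw, round(score(vectorize(raw)), 3), is_realizable(raw, SEED))
```

Because the detector is linear the momentum direction never changes, which keeps the trace easy to follow: with regularization the loop needs four rounds and succeeds only by adding the benign-weighted feature `c_c`, since the protected `c_a` is restored and `s_a` is re-derived from it every round; without regularization the first step already reports success, but on a vector with `c_a` below the seed's value and `s_a` absent while `c_a` is present, which `is_realizable` rejects.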

Fig. 6 is a schematic structural diagram of an adversarial sample generation apparatus according to an embodiment of the present invention. As shown in fig. 6, the adversarial sample generation apparatus includes an association rule generation module 601, a constraint rule generation module 602 and an adversarial sample generation module 603, where:

an association rule generating module 601, configured to obtain a first association rule and a second association rule from a malicious document sample set and a benign document sample set, respectively, where the first association rule is used to indicate a feature of the malicious document based on a first class feature and a second class feature of the malicious document, and the second association rule is used to indicate a feature of the benign document based on the first class feature and the second class feature of the benign document;

a constraint rule generating module 602, configured to obtain a constraint rule from the first association rule and the second association rule based on a first preset rule;

and an adversarial sample generation module 603, configured to carry out an iterative attack on the machine learning model by using attack samples and to take the attack samples that successfully attack the machine learning model as adversarial samples, where the attack samples are iteratively modified based on the constraint rule before each round of the iterative attack.

Specifically, the malicious document sample set includes a plurality of malicious document samples, which are document samples that carry malicious code or the like and pose a threat to the user equipment. Accordingly, the benign document sample set includes a plurality of benign document samples, which are document samples that do not pose a threat to the user equipment.

The first class of features may be, for example, content-based features and the second class of features may be, for example, structure-based features, or the second class of features may be content-based features and the first class of features may be structure-based features. In addition, the first type of feature or the second type of feature may also be other types of features that may be used to detect whether a document is a malicious document, which is not limited in this embodiment of the present invention.

Taking a PDF document as an example, the content-based features are mainly the metadata and object features of the PDF document, and mainly come from the physical structure of the PDF document. The metadata features include file size, author, creation date and the like, and the object features mainly include object keywords and object properties such as type, position, number and length.

The structure-based feature mainly takes a logical structure path of a PDF document as a feature, and objects in the PDF document may form an integral logical tree structure through an indirect reference relationship, as shown in fig. 2, where a node is an object or an array, and an edge corresponds to a name of a child object in a parent object. A logical structure path is a sequence of edges from a root node to any node.

The association rule generating module 601 extracts the first class features and the second class features of the malicious document sample set, and obtains the first association rule through probability calculation or other approaches, where the first association rule indicates the features of the malicious document through the first class features and the second class features. For example, fig. 3 is a flowchart illustrating an association rule generating method according to an embodiment of the present invention.

Correspondingly, the association rule generating module 601 further extracts the first class features and the second class features of the benign document sample set, and obtains the second association rule through probability calculation or the like, where the second association rule indicates the features of the benign document through the first class features and the second class features.

The steps of obtaining the first association rule and the second association rule may be performed simultaneously or sequentially, and the order of performing the steps is not particularly limited in the embodiment of the present invention.

Further, the first association rule and the second association rule indicate the features of the malicious document and of the benign document respectively, and the features exhibited by malicious and benign documents include both the specific malicious or benign features and the universality features common to all documents. Therefore, after the first association rule and the second association rule are obtained, the constraint rule generating module 602 needs to obtain from them, based on the first preset rule, the features that are present only in the malicious document, and use those as the constraint rule.

The first preset rule may be, for example, that the intersection of the first association rule and the second association rule is obtained, and the remaining rules obtained by removing that intersection from the first association rule are used as the constraint rule.

After obtaining the constraint rule, the countermeasure sample generation module 603 performs iterative attack on the machine learning model using the attack samples in the attack data set. The machine learning model may be a model obtained by training based on content-based features extracted from a training set, may also be a model obtained by training based on structure-based features extracted from a training set, or may be obtained by training through other types of features, which is not specifically limited in this embodiment of the present invention.

Before each iteration of the attack, the countermeasure sample generation module 603 iteratively modifies the attack sample based on the constraint rule obtained by the constraint rule generation module 602, so that the modification satisfies the constraint rule. For example, when a content-based feature is modified, the corresponding structure-based feature is also modified according to the constraint rule.
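The constraint rule derivation described above (intersection of the two association rule sets removed from the first) and the consistency requirement on modified samples, as an added example that is not part of the patent: association rules of the form "content feature implies structure feature" are mined with a support/confidence threshold, the rules shared with the benign set are dropped, and a check reports which rules a modified feature set no longer satisfies. The documents, feature tokens, prefixes and thresholds are constructed for illustration and are assumptions, not values from the text.

```python
from itertools import product

# Constructed toy PDF feature sets (assumption, not data from the patent).
# Each document is a set of feature tokens: "c:" marks a content-based
# feature (first class), "s:" a structure-based logical-path feature
# (second class).
MALICIOUS = [
    {"c:/JavaScript", "s:/Root/OpenAction", "c:/Producer", "s:/Root/Pages"},
    {"c:/JavaScript", "s:/Root/OpenAction", "c:/Producer", "s:/Root/Pages"},
    {"c:/JavaScript", "s:/Root/OpenAction", "c:/Author", "c:/Producer",
     "s:/Root/Pages"},
    {"c:/Launch", "s:/Root/Names/JavaScript", "c:/Producer", "s:/Root/Pages"},
]
BENIGN = [
    {"c:/Producer", "s:/Root/Pages", "c:/Author", "s:/Root/Info"},
    {"c:/Producer", "s:/Root/Pages", "s:/Root/Outlines"},
    {"c:/Author", "s:/Root/Pages", "c:/Producer"},
]


def mine_rules(docs, min_support=0.5, min_confidence=0.8):
    """Association rules 'content feature -> structure feature' whose
    support (fraction of docs containing both) and confidence (support
    divided by the fraction of docs containing the antecedent) meet the
    thresholds. Thresholds are assumed values."""
    n = len(docs)
    content = {f for d in docs for f in d if f.startswith("c:")}
    structure = {f for d in docs for f in d if f.startswith("s:")}
    rules = set()
    for a, c in product(content, structure):
        both = sum(1 for d in docs if a in d and c in d) / n
        ante = sum(1 for d in docs if a in d) / n  # > 0: a occurs in docs
        if both >= min_support and both / ante >= min_confidence:
            rules.add((a, c))
    return rules


def constraint_rules(malicious, benign):
    """First preset rule from the text: remove the rules shared with the
    benign set (universality features) and keep the malicious-only rules."""
    first, second = mine_rules(malicious), mine_rules(benign)
    return first - (first & second)


def violations(doc, rules):
    """Rules whose antecedent is present in doc but whose consequent is
    missing: a non-empty result means the content and structure features
    are no longer consistent with the constraint rule."""
    return {(a, c) for a, c in rules if a in doc and c not in doc}
```

On this toy data `("c:/Producer", "s:/Root/Pages")` is mined from both sets and is therefore dropped, leaving only the two `/JavaScript` rules as the constraint; a detector designer can use `violations` the same way to flag feature vectors whose content and structure no longer agree.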

In each iteration of the attack, the countermeasure sample generation module 603 determines whether the current attack sample successfully attacks the machine learning model, and if so, retains or records that attack sample as a countermeasure sample.

The countermeasure sample generation apparatus provided by the embodiment of the invention obtains the constraint rule indicated by the two types of features by obtaining the first association rule of the malicious document and the second association rule of the benign document respectively, and then generates countermeasure samples with higher universality, so that they are applicable to more types of detectors.

Fig. 7 illustrates a physical structure diagram of an electronic device. As shown in fig. 7, the electronic device may include a processor 710, a communications interface 720, a memory 730 and a communication bus 740, where the processor 710, the communications interface 720 and the memory 730 communicate with each other via the communication bus 740. The processor 710 may call logic instructions in the memory 730 to perform the following countermeasure sample generation method:

respectively obtaining a first association rule and a second association rule from a malicious document sample set and a benign document sample set, wherein the first association rule is used for indicating the characteristics of the malicious document based on the first class characteristics and the second class characteristics of the malicious document, and the second association rule is used for indicating the characteristics of the benign document based on the first class characteristics and the second class characteristics of the benign document;

based on a first preset rule, acquiring a constraint rule from the first association rule and the second association rule;

and carrying out iterative attacks on the machine learning model using attack samples, and taking the attack samples that successfully attack the machine learning model as countermeasure samples, where the attack samples are iteratively modified based on the constraint rule before each iteration of the attack.

In addition, the logic instructions in the memory 730 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.

In another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented to perform the countermeasure sample generation method provided in the foregoing embodiments when executed by a processor, for example, the method includes:

respectively obtaining a first association rule and a second association rule from a malicious document sample set and a benign document sample set, wherein the first association rule is used for indicating the characteristics of the malicious document based on the first class characteristics and the second class characteristics of the malicious document, and the second association rule is used for indicating the characteristics of the benign document based on the first class characteristics and the second class characteristics of the benign document;

based on a first preset rule, acquiring a constraint rule from the first association rule and the second association rule;

and carrying out iterative attacks on the machine learning model using attack samples, and taking the attack samples that successfully attack the machine learning model as countermeasure samples, where the attack samples are iteratively modified based on the constraint rule before each iteration of the attack.

The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.

Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.

Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
