Exploring data correlation between feature pairs for generating constraint-based adversarial examples
Version 2 2024-06-06, 09:50
Version 1 2021-03-24, 08:49
conference contribution
posted on 2024-06-06, 09:50, authored by Y Tian, Y Wang, E Tong, W Niu, L Chang, QA Chen, Gang Li, J Liu
An adversarial example (AE), an input that is modified slightly to cause a machine learning system to produce erroneous outputs, has been studied extensively in recent years. Unfortunately, the fine-grained data perturbation of an AE fails to preserve potential data correlations between feature pairs. Such AEs are therefore easily filtered by configuring data correlations as basic filtering rules. In this paper, we propose an advanced, robust AE generation attack that avoids being filtered while still causing false classification. We first define four basic data correlations: strict linear constraint, approximate linear constraint, addition boundary constraint and zero multiplication constraint. Then, by embedding multiple data correlations into one constraint matrix derived from Pearson analysis, our approach takes the Hadamard product of the constraint matrix and the sign of the gradient matrix to craft perturbations that keep data correlations consistent. Experimental results on an intrusion detection system (IDS) indicate: 1) nearly all AEs from the original IFGSM are invalidated by filtering according to basic data correlations; 2) with our method, AEs against a targeted DNN-based classifier achieve an attack success rate of 99%, with a transfer attack ability of 94% average success rate against other mainstream classifiers.
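The filtering rule the abstract refers to, sketched from the defender's side as an added example (not code from the paper or its authors): learn near-exact linear relations between feature pairs from clean traffic with Pearson analysis, then reject records that break them. The feature layout, the sample records, the `r_min` threshold and the function names are assumptions, and the rule is a simplified reading of a linear constraint, since the paper's exact definitions are not given on this page.

```python
import math

# Constructed sample of clean flow records (not from the paper):
# (packets, header_bytes, duration_s, payload_bytes); header_bytes = 40 * packets.
CLEAN = [
    (10, 400, 1.2, 5200), (3, 120, 0.4, 300), (25, 1000, 7.5, 900),
    (7, 280, 0.1, 8100), (14, 560, 3.3, 60), (40, 1600, 2.0, 12000),
]

def fit_pair(xs, ys):
    """Pearson r plus least-squares slope and intercept for y ~ slope*x + b."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:          # constant column: no usable linear rule
        return 0.0, 0.0, my
    slope = sxy / sxx
    return sxy / math.sqrt(sxx * syy), slope, my - slope * mx

def learn_rules(rows, r_min=0.999):
    """Turn strongly correlated feature pairs into (i, j, slope, b, tol) rules."""
    cols = list(zip(*rows))
    rules = []
    for i in range(len(cols)):
        for j in range(i + 1, len(cols)):
            r, slope, b = fit_pair(cols[i], cols[j])
            if abs(r) >= r_min:
                worst = max(abs(y - (slope * x + b)) for x, y in zip(cols[i], cols[j]))
                rules.append((i, j, slope, b, 2 * worst + 1e-6))
    return rules

def violations(row, rules):
    """Feature pairs whose learned linear relation the record breaks."""
    return [(i, j) for i, j, slope, b, tol in rules
            if abs(row[j] - (slope * row[i] + b)) > tol]

RULES = learn_rules(CLEAN)
UNSEEN_CLEAN = (12, 480, 0.9, 700)
# Constructed record: CLEAN[0] with an independent +/-0.5 step on every feature,
# the shape of change a sign-of-gradient update makes.
PERTURBED = (10.5, 399.5, 1.7, 5199.5)

if __name__ == "__main__":
    print("rules:", [(i, j, s, b) for i, j, s, b, _ in RULES])
    print("unseen clean:", violations(UNSEEN_CLEAN, RULES))
    print("perturbed:   ", violations(PERTURBED, RULES))
```

As the abstract reports, perturbations crafted to keep these correlations consistent pass such rules, so a correlation filter is a baseline check and not a complete defence.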