 Research
 Open access
 Published:
Attack based on data: a novel perspective to attack sensitive points directly
Cybersecurity volume 6, Article number: 43 (2023)
Abstract
Adversarial attack for timeseries classification model is widely explored and many attack methods are proposed. But there is not a method of attack based on the data itself. In this paper, we innovatively proposed a blackbox sparse attack method based on data location. Our method directly attack the sensitive points in the timeseries data according to statistical features extract from the dataset. At first, we have validated the transferability of sensitive points among DNNs with different structures. Secondly, we use the statistical features extract from the dataset and the sensitive rate of each point as the training set to train the predictive model. Then, predicting the sensitive rate of test set by predictive model. Finally, perturbing according to the sensitive rate. The attack is limited by constraining the L0 norm to achieve onepoint attack. We conduct experiments on several datasets to validate the effectiveness of this method.
Introduction
Time Series Classification (TSC) problems are encountered in various real world data mining tasks such as security (Tan et al. 2017; Tobiyama et al. 2016), transportation (Nguyen et al. 2018), health care (Abdelfattah et al. 2018; Ma et al. 2018; Fawaz et al. 2018), etc. Under the background of big data, deep learning technology has developed rapidly and has been widely used in various fields such as computer vision and autonomous vehicles. In recent years, researchers have begun to apply deep learning techniques to TSC problems (Ismail Fawaz et al. 2019; Fawaz et al. 2019).
However, due to the wide applicability of DNNs, they pose a threat that cannot be ignored, so researchers began to study the vulnerability of DNNs. Adversarial attacks in the field of TSC are capable of leading neural networks to misclassify adversarial time series data while remaining difficult for humans to detect (MoosaviDezfooli et al. 2016; Papernot et al. 2016a). There are several types of attack methods that have been developed to perturb the input data in order to mislead the model’s output, such as Gradientbased attacks (Goodfellow et al. 2014; Szegedy et al. 2014), Optimizationbased attacks (Carlini and Wagner 2017), Transferability attacks (Papernot et al. 2017), DecisionBased attacks (Brendel et al. 2017), etc. In recent years, thanks to the increasingly indepth research conducted by scholars, more and more effective adversarial attack methods and theories have been proposed.
Among the many attack methods, onepixel attack has received widespread attention as an extreme attack method. Onepixel attack was presented by Su et al. (2019) as a special blackbox sparse attack, due to its particular attack pattern, which only perturbs a single pixel of an image to mislead the classifier, different from other attacks that may change hundreds of pixels (Wang et al. 2020). Notwithstanding its efficacy with small datasets, the onepixel attack method encounters difficulties in larger datasets due to the significant computational demands imposed by the requirement for thousands of iterations, thus constraining its practical application.
Inspired by the attack pattern of the onepixel attack, we propose a blackbox sparse attack method based on data which can find the sensitive locations directly.
Compared with the onepixel attack proposed by Su et al. (2019), the adversarial attack method proposed in this paper is not based on query but based on statistical features of the datasets, which can substantially decrease the number of queries and attack the sensitive points directly. We believe that our approach presents a novel perspective to the field of adversarial attacks. The difference between the method presented in this article and the traditional methods are illustrated in Fig. 1.
In brief, the main contributions of this paper are summarized as follows.

This article proposes a blackbox attack method based on data and directly attack sensitive points, similar to the onepixel attack, which only needs to perturb a very small number of time points, or even only one point.

We have conducted experiments under various parameters of the method proposed in this paper. The experiments prove that adversarial attacks can be based not only on classification models but also on the statistical features of the dataset.
Related works
The security problem of DNN has become a critical topic since Szegedy et al. (2014) proposed adversarial examples for image recognition. Many researchers proposed attack methods from different perspectives. In the field of blackbox attack, the methods are mainly based on substitute models, genetic algorithms, and zerothorder optimization. For instance, Papernot et al. (2016b) proposed that utilizes the transferability property of the substitute model to approximate the target model. Wei et al. (2021) manipulated the image attributes to perform the blackbox attacks with a genetic algorithm. Szegedy et al. (2014) revealed the sensitivity to welltuned artificial perturbation which can be crafted by several gradientbased algorithms using backpropagation for obtaining gradient information. Specifically, the gradientbased method was proposed by Goodfellow et al. (2015), the attackers perturb the image in the direction of the gradient of the loss function with respect to the input image thus reducing the classification accuracy. Lin et al. (2020) propose a blackbox technique: Blackbox Momentum Iterative Fast Gradient Sign Method (BMIFGSM) to test the robustness of DNN models.
Recently, new attack methods are proposed. Hu et al. (2022) propose Adversarial Texture (AdvTexture) which hides from person detectors by covering clothes. Yang et al. (2022) propose a gradientfree blackbox method called TSadv to attack DNNs with local perturbations. He et al. (2022) introduce a generator architecture to alleviate the overfitting issue. Kahla et al. (2022) proposed BoundaryRepelling Model Inversion (BREPMI) to invert private training data using only the target model’s predicted labels. Luo et al. (2022) proposed a novel algorithm that attacks semantic similarity on feature representations.
onepixel attack Su et al. (2019) showed how neural networks can be fooled by altering the value of just a single input pixel. As shown in Fig. 2, unlike most attack methods,onepixel attack only needs to perturb one point. By constraining the \(\textbf{L0}\) norm, they enforced a limit on the number of pixels that were allowed to be perturbed. Onepixel attack using differential evolution (Storn and Price 1997) which is an optimization algorithm that can be used to search for the minimum or maximum of a function. The researchers encode the perturbation into an array (candidate solution), each candidate solution contains a fixed number of perturbations and each perturbation is a tuple holding five elements: xy coordinates and RGB value of the perturbation.
Once generated, each candidate solution competes with their parents according to the index of the population and the winner survive for next iteration.
In summary, each blackbox attack method has its own strengths and weaknesses, and the choice of attack method depends on the specific target model and the attacker’s resources and goals.
Among all the methods mentioned above, none of them is databased, while our approach is a huge innovation in the field of adversarial attacks.
Methodology
In this section, initially, we provide a description of the problem. Subsequently, we introduce the dataset and the main diagram illustration of the experiment. Finally, we describe the attack methodology in detail.
Problem description
We assume that the attacker has access to the target model in a blackbox setting. The information, such as architecture, parameters is not accessible. Then, we assume part of the dataset (including both time series and labels) is public. Let f represent the target model.
For a time series it can be represented as \({\textbf{x}} = (x_1,\ldots , x_n)\), each element is a numeric value at the corresponding time step. If the original time series \({\textbf{x}}\) belongs to class ori, the output probability of f is, therefore, \({f}_{ori}(x)\). While the perturbation can be represented as \(\delta (x)\). The magnitude of perturbation \(\epsilon\) is controlled via a factor \(\beta\). \(\epsilon\) is defined as
where \({x}_{i}^{max}\) and \({x}_{i}^{min}\) separately represent the maximum and minimum value of a time series of the total T items.
Our goal is to find the solution \(\delta (x)\) for the following problem:
Subject to \(\delta\)(\({\textbf{x}}\)) is limited in the shapelet interval l
where \(\Vert \delta ({\textbf{x}})\Vert _0\) and \(\Vert \delta ({\textbf{x}})\Vert _{\infty }\) represent the \(L_0\) and \(L_{\infty }\) norms of \(\delta ({{\textbf {x}}})\), respectively. That means we want to add perturbations to minimize the confidence score of class ori.
In order to visit the target model as little as possible, our method uses predictive model to predict the coordinates of sensitive locations in the test set. By using predictive model we can attack the sensitive locations directly.
The main diagram illustration
Before the formal experiment begins, we take the result of onepixel attack based on differential evolution as the baseline for comparison.
The whole experimental process is shown in Fig. 3. Since it’s not available for the architecture of the target model under the blackbox attack state, we have to use the public part of the datasets to prepare the models with multiple architectures as substitute models.
To test the transformability of perturbation parameters between different CNNs, we designed the perturbation parameters transformability experiment.
There are six architecture using in this experiment, respectively MLP,CNN,ResNet,Inception,Encoder and FCN. The code for the above architectures is referenced in the Ismail Fawaz et al. (2019)’s open source project.
We obtained the sensitive rate of the typical datasets through the global search algorithm used on multiple substitute models.
Then, we extract the statistical feature of the public part of the typical datasets.
In the step of training predictive model, the extracted statistical feature and sensitive rate are used to train predictive models.
As shown in Fig. 4, after obtaining the predictive models, the sensitive rate of the test set are obtained by predictive models. Then, complete onepoint attack by perturbing the sensitive points.
Data preparation and predictive models training
This section introduce the datasets mentioned in this paper and how to extract and use the training set to train the prediction model.
In order to fully demonstrate the effect of the experiment, this experiment selected several typical datasets from the number of classes, length, size of datasets and other aspects as demonstration examples(as shown in Table 1). These datasets are from the UCR/UEA archive (Chen et al. 2015).
There are two data necessary for the training of predictive models, one is the sensitive rate of each point, and the other is the statistical feature. We will introduce them in turn.
The method of onepoint attack is to only perturb one point in a time series resulting misclassification of some wellperforming models. The perturbation parameters are consist of the parameter records the coordinates of points and the perturbation that can lead to misclassification.
Due to the limitation of blackbox state, the attacker is unaware of the model’s architecture. Therefore, it is necessary to consider the impact of the substitute models’ architectures on the results before the training of substitute model. To address this, we design an experiment to test the transformability of perturbation parameters. That is, testing the attack success rate (ASR) of perturbation parameters which extract from the model A on other models. Specifically, the ASR of perturbation parameters extract from the model A on model B can be represented as
where \(f^{B}_{max*\ne ori}\) represents the highest probability among all classes output by model B when the time series not belong original class. Otherwise, it output is 0. \(\delta _{A}\mathbf ({\textbf{x}})\) represents the perturbation parameters generated by model A.
Sensitive rate
To quantitatively evaluate the vulnerability of a point, we define a degree of difficulty of causing the classifier to produce wrong results after a point is attacked as sensitive rate. The points with high sensitive rate are called sensitive points which means it’s sensitive to attack.
The sensitive rate of a point is related to the value of dividing the minimum perturbation that causes models to misjudge (\(\delta (\mathbf {x_i})_{j}^v\big _{\text {min}}^f\)) by the sum of the perturbation applied at that point (\({\sum _{i=\text {min}}^{\text {max}}\delta (\mathbf {x_i})_{j}^v}\)), as shown in equation 6. The higher the sensitive rate of a point, the easier it is to be attacked, and vice versa.
Perturbation parameters are obtained by global search algorithm which continuously perturbs the value of time series data and record the perturbation parameters when perturbing successfully, as shown in Fig. 5. For a time series \({\textbf{x}}\), its solution space of global search algorithm can be represented as
For the purpose of obtaining more perturbation parameters, we expand the solution space of the global search algorithm in terms of parameter setting, which can improve the generalization ability of the attack. Specifically, we increase the parameter \(\textbf{exp}\) from \({\textbf{1}}\) to \(\mathbf {1.5}\).
In our method, there are two statistical features used to train the predictive model. One is global statistical feature, and the other is classified statistical feature.
Global statistical feature
For a coordinate, the values of all time series data in this dataset at this coordinate are spliced into a row of sequences. Calculate the average value, standard deviation, number of peaks and valleys, skewness and kurtosis of this group of sequences, and splice these five values as the statistical feature of this point. This statistical feature is called the global statistical feature of this dataset. By this method, we can get the global statistical features of each point of this dataset.
where \(feature_{i}^{global}\) represents the statistical feature of \({\textbf{i}}\) th point, mean is the average value of the input sequence, std is the standard deviation of the input sequence, wave is the number of peaks and valleys of the input sequence, skew is the skewness of the input sequence, kurt is the kurtosis of the input sequence, \(E_i(X)\) is a sequence consisting of the values of the \({\textbf{i}}\) th point of each time series.
Classified statistical feature
Separate the time series in the dataset by class, calculate the statistical feature sequence of a point in the time series of each class according to the method of calculating the global statistical feature, then splice the statistical feature sequence of each class to form a classified statistical feature matrix with width \({\textbf{C}} \times {\textbf{5}}\), height \({\textbf{n}}\), where \({\textbf{C}}\) is the number of classes and n is the number of time series.
\(feature_{i}^{classes}\) represents the classified statistical feature of the \({\textbf{i}}\) th point, f is the classifier, t is the category of time series, m is the number of categories, \(X^t\) is the time series of the t category.
Onepoint attack with predict model
Input the features extracted from the testing set into the trained predictive model to predict the sensitive rate of each point in the testing set. Onepoint attack can be completed by perturbing sensitive points with high sensitive rate.
In detail, the predicted results of the predictive model are recorded in a array of \(\mathbf {keyvalue}\) \(\textbf{pairs}\) named \(\textbf{SensitivePoints}\). Each keyvalue pair consists of a index and a sensitive rate. The keyvalue pairs are arranged from largest to smallest according to the sensitive rate.
According to the sequence of keyvalue pairs, all time series in the testing set are modified at a single point according to the current keyvalue pair. If the point where the index is located is on the wave crest, subtract a perturbation. If the point where the index is located is in wave valley, add a perturbation. The reason for this is in accordance with the Frequency Principle (FPrinciple).
The Frequency Principle (FPrinciple) was proposed by Xu et al. (2019), which reveals the information that deep neural networks (DNNs) attend to during the classification process. The FPrinciple suggests that DNNs often fit target functions from low to high frequencies.
Owing to trained DNNs focus on the high frequency information of data, in order to mislead DNNs, we try to modify the frequency information of the original time series data by perturbing the wave crests and wave valleys.
The value of perturbation is positive, which depends on the span of the dataset, and is generally 30% of the difference between the maximum value of the original dataset and the minimum value.
Due to the keyvalue pairs are sorted according to the sensitive rate, the higher the keyvalue pair is, the more vulnerable the point is, and the lower the keyvalue pair is, the more robust the point pair is.
In order to ensure the efficiency of onepoint attack, the experiment in this article only uses the first five keyvalue pairs for onepoint attack.
Experiment results and analyse
Perturbation parameters transformbility experiment
The result of perturbation parameters transformability experiment is shown in Fig. 6, where the yaxis represents the architectures that generating perturbation parameters, and the xaxis represents the architectures for testing. The values of the heatmap represent the ASR of the perturbation parameters generated by the yaxis architectures attack on the xaxis architectures.
From Fig. 6, in most cases, the perturbation parameters generated by different architectures is transformability. However, the ASR of attacking the ResNet architecture using perturbation parameters generated by other architectures are very low, which shows that only a small part of the perturbation parameters generated by the other five architectures can make the ResNet architecture misclassification. In contrast, the ASR in the first row of the heatmap are generally high, which indicates that most perturbation parameters generated by the ResNet architecture can lead to the misclassification of the other architectures. This shows from the side that the robustness of ResNet model is significantly higher than the other five models.
The analyse of data preparation
Figure 7 shows the aligned figures of class activation diagram and sensitive curve. The Fig. 8 shows the class activation diagram of each architecture in a certain class on the Adiac dataset. The Fig. 9 shows the sensitive curve of some datasets (both figures are obtained through ResNet architecture). For CAM, the highlighted part of the class activation diagram is the vulnerable part. The data plotted in Fig. 7,8,9 is generated from perturbed data produced by the global search algorithm.
Through the analysis of Fig. 8, we can further understand the reason of the special phenomenon in Fig. 6.
Only the highlighted positions of the ResNet architecture are very concentrated and distributed in a point shape, while the highlighted positions of the activation diagrams of other architectures are distributed in a strip shape. This shows that to increase the ASR of the ResNet architecture, it is necessary to focus on attacking its highlighted location. Because the highlighted area of ResNet is very small and concentrated, which leads to better robustness of ResNet compared with the other five architectures. Besides, the global search algorithm proves that the number of successful attacks on ResNet architecture is the lowest among all architectures.
Figure 7 shows the coordinates with high sensitive rate in the time series data are usually located at the peaks or troughs. If at a certain location in a dataset, the more common wave crests and wave valleys appear, the more sensitive to perturbation. This phenomenon can be understood as if the wave form of this position vulnerable they are similar in most time series, then a perturbation is added to this position, which results in the value form of this position exceeding the value range under normal conditions and leads to misjudgment of classifier. What’s more, it can also be explained by the theory of FPrinciple. For DNNS, as iteration steps of training increase, the highfrequencies are fitted, the locations of the wave crests and wave valleys are usually the location with highfrequency information.
Table 2 shows the proportion of the perturbation parameters whose values are within the range of the original time series data values in the perturbation parameters obtained using the global search algorithm \((exp=1.5)\). The table shows that the perturb in the original value range only accounts for a small part of the total perturbation parameters, in the field of adversarial attack, properly expanding the value range of perturbation can effectively improve the ASR.
The result of onepoint attack
Figure 10 shows that the accuracy of each architecture under different perturbation magnitudes. It can be observed from the figure that the accuracy of architectures decreases as the magnitude of the perturbation increases. The accuracy of the CNNs under the onepoint attack based data is basically lower than that of the onepoint attack with DE (The perturbation amplitude of onepoint attack based on evolutionary algorithm is 1).
Table 3 shows that the size of the dataset and the quantity of perturbed points that impact the effect of the attack. For instance, when the parameter proportion is set to 0.3, then there are 30% samples of the original dataset used to obtain keyvalue pairs. When the parameter proportion is fixed, the accuracy decreases as the number of perturbation points increases. It is intuitive that when the number of perturbation points increases the success rate of the attack should rightfully increase, which also means that the accuracy of the model on the counter sample decreases. When the number of perturbed points is fixed, the accuracy decreases as parameter proportion decreases. This phenomenon illustrate that the statistical features obatined from the larger size of dataset have more information of the original dataset which is more beneficial for the attacker.
Discussion and conclusion
We propose a new blackbox attack based on data and attack according to the highfrequency component of time series.
Compared to the evolutionary algorithmbased attack method, we are able to generalise to a wider range of application scenarios. Our approach has a higher ASR under the same perturbation magnitude constraints. The method of onepoint attack can be used in extreme environments with minimal modification of the original data. This attack has the following features compared to other blackbox attacks:

Based on data.

Fewer submissions.

Attack the sensitive points directly
However, our approach does not achieve good performance on some datasets, such as ECG200 and DistalPhalanxTW, which may be because my method only focuses on statistical features, while the information related to sensitivity in these datasets is also contained in the frequency domain and time domain. In future experiments, we plan to increase the number and types of features. We believe that increasing the number and types offeatures can improve the accuracy of predictions and enable the development of more databased adversarial attack methods.
Moreover, with the progress of explainable artificial intelligence, we hope we can rely on the work of previous researchers, proposing more theoretical work content. Additionally, it would be interesting to investigate the use of more sophisticated substitute models, such as generative models or deep neural networks, to improve the transferability of the attack across different target models.
In addition to theoretical research, we also hope to find practical applications for this achievement in the real world. The attack could be extended to consider other types of time series data beyond those studied in this work, such as images, audio or video. Overall, we believe that our work lays the foundation for further research into the data based blackbox attack method.
References
Abdelfattah SM, Abdelrahman GM, Wang M (2018) Augmenting the size of eeg datasets using generative adversarial networks. In: 2018 International joint conference on neural networks (IJCNN), pp 1–6. https://doi.org/10.1109/IJCNN.2018.8489727
Brendel W, Rauber J, Bethge M (2017) Decisionbased adversarial attacks: Reliable attacks against blackbox machine learning models. arXiv preprint arXiv:1712.04248
Carlini N, Wagner D (2017) Towards evaluating the robustness of neural networks. In: 2017 IEEE symposium on security and privacy (SP), pp 39–57. IEEE
Chen Y, Keogh E, Hu B, Begum N, Bagnall A, Mueen A, Batista G (2015) The UCR time series classification archive. www.cs.ucr.edu/eamonn/time_series_data/
Fawaz HI, Forestier G, Weber J, Idoumghar L, Muller PA (2018) Evaluating surgical skills from kinematic data using convolutional neural networks. CoRR, abs/1806.02750 arxiv:1806.02750
Fawaz HI, Forestier G, Weber J, Idoumghar L, Muller PA (2019) Adversarial attacks on deep neural networks for time series classification. In: 2019 international joint conference on neural networks (IJCNN), pp 1–8. IEEE
Goodfellow I, Shlens J, Szegedy C (2014) Explaining and harnessing adversarial examples
Goodfellow IJ, Shlens J, Szegedy C (2015) Explaining and harnessing adversarial examples
He Z, Wang W, Dong J, Tan T (2022) Transferable sparse adversarial attack. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pp 14963–14972
Hu Z, Huang S, Zhu X, Sun F, Zhang B, Hu X (2022) Adversarial texture for fooling person detectors in the physical world. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pp 13307–13316
Fawaz HI, Forestier G, Weber J, Idoumghar L, Muller PA (2019) Deep learning for time series classification: a review. Data Min Knowl Disc 33(4):917–963
Kahla M, Chen S, Just HA, Jia R (2022) Labelonly model inversion attacks via boundary repulsion. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pp 15045–15053
Lin JX, Lei LY, Xiangyu Z (2020) Blackbox adversarial sample generation based on differential evolution. J Syst Softw 170:110767
Linardatos P, Papastefanopoulos V, Kotsiantis S (2021) Explainable AI: a review of machine learning interpretability methods. Entropy. https://doi.org/10.3390/e23010018
Luo C, Lin Q, Xie W, Wu B, Xie J, Shen L (2022) Frequencydriven imperceptible adversarial attack on semantic similarity. In: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, pp 15315–15324
Ma T, Xiao C, Wang F (2018) HealthATM: a deep architecture for multifaceted patient health record representation and risk prediction, pp 261–269. https://doi.org/10.1137/1.9781611975321.30
MoosaviDezfooli SM, Fawzi A, Frossard P (2016) Deepfool: a simple and accurate method to fool deep neural networks. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 2574–2582
Nguyen H, Kieu LM, Wen T, Cai C (2018) Deep learning methods in transportation domain: a review. IET Intell Transp Syst
Papernot N, McDaniel P, Jha S, Fredrikson M, Celik ZB, Swami A (2016a) The limitations of deep learning in adversarial settings. In: 2016 IEEE European symposium on security and privacy (EuroS &P), pp 372–387. IEEE
Papernot N, McDaniel PD, Goodfellow IJ (2016b) Transferability in machine learning: from phenomena to blackbox attacks using adversarial samples. CoRR. arxiv:abs/1605.07277
Papernot N, McDaniel P, Goodfellow I, Jha S, Celik ZB, Ananthram S (2017) Practical blackbox attacks against machine learning. In: Proceedings of the 2017 ACM on Asia conference on computer and communications security, pp 506–519
Storn R, Price K (1997) Differential evolutiona simple and efficient heuristic for global optimization over continuous spaces. J Glob Optim 11(4):341
Su J, Vargas DV, Sakurai K (2019) One pixel attack for fooling deep neural networks. IEEE Trans Evolut Comput 23(5):828–841. https://doi.org/10.1109/TEVC.2019.2890858
Christian S, Wojciech Z, Ilya S, Joan B, Dumitru E, Ian G, Rob F (2014) Intriguing properties of neural networks. Inputoutput mapping;Linear combinations;Prediction errors;Semantic information;Specific nature;Stateoftheart performance;Visual recognition, Banff, AB, Canada
Tan CW, Webb GI, Petitjean F(2017) Indexing and classifying gigabytes of time series under time warping. In: Proceedings of the 2017 SIAM international conference on data mining, pp 282–290. SIAM
Tobiyama S, Yamaguchi Y, Shimada H, Ikuse T, Yagi T (2016) Malware detection with deep neural network using process behavior. In: 2016 IEEE 40th annual computer software and applications conference (COMPSAC), volume 2, pp 577–582. IEEE
Wang W, Sun J, Wang G (2020) Visualizing one pixel attack using adversarial maps, pp 924–929, Shanghai, China. https://doi.org/10.1109/CAC51589.2020.9327603
Wei X, Guo Y, Li B (2021) Blackbox adversarial attacks by manipulating image attributes. Inf Sci 550:285–296. https://doi.org/10.1016/j.ins.2020.10.028
Xu ZQJ, Zhang Y, Luo T, Xiao Y, Ma Z (2019) Frequency principle: Fourier analysis sheds light on deep neural networks. CoRR, arxiv:abs/1901.06523
Yang W, Yuan J, Wang X, Zhao P (2022) Tsadv: blackbox adversarial attack on time series with local perturbations. Eng Appl Artif Intell 114. ISSN 09521976. https://doi.org/10.1016/j.engappai.2022.105218
Funding
This work is supported by the Key Program of National Natural Science Foundation of China (No. 61832004) and International Cooperation and Exchange Program of National Natural Science Foundation of China (Grant no. 62061136006).
Author information
Authors and Affiliations
Contributions
YG: Designing computer programs; implementation of the computer code and supporting algorithms; Testing of existing code components. Writing  Original Draft. ZY: Ideas; formulation or evolution of overarching research goals and aims; Acquisition of the financial support for the project leading to this publication; Design of methodology; Supervision; Review and Editing. LZ: Data Curation; Data analysis. YW: Visualization; Translate. CL: Review and Editing. All authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
All authors disclosed no relevant relationships.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Ge, Y., Yang, Z., Chen, L. et al. Attack based on data: a novel perspective to attack sensitive points directly. Cybersecurity 6, 43 (2023). https://doi.org/10.1186/s42400023001794
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s42400023001794