Showing total 58 results

1. Effectiveness of machine learning based android malware detectors against adversarial attacks.

Author

Jyothish, A., Mathew, Ashik, and Vinod, P.

Subjects

*DEEP learning, *MACHINE learning, *GENERATIVE adversarial networks, *MOBILE operating systems, *MALWARE, *GABOR filters

Abstract

Android is the most targeted mobile operating system for malware attacks. Most modern anti-malware solutions largely incorporate deep learning or machine learning techniques to detect malwares. In this paper, we conduct a comprehensive analysis on 10 deep learning and 5 machine learning classifiers in their abilities to identify Android malware applications. We used 1-gram dataset, 2-gram dataset and image dataset generated from the system call co-occurrence matrix for our experiments. Among the machine learning classifiers, XGBoost with 2-gram dataset showed the highest F1-score of 0.98. Also, the deep learning classifiers such as extreme learning machine with the system call images demonstrated the best F1-score of 0.952. We experimented using Gabor filters to investigate classifier performance on textures extracted from system call images. We observed an F1-score of 0.953 using the extreme learning machine with the Gabor images. We generated the Gabor image dataset by combining the images generated by passing system call images through 25 different Gabor configurations. In addition, to enhance the performance of the baseline classifiers, we considered the combination of autoencoders with machine learning classifiers. We observed that the amalgam of autoencoder with Random Forest displayed the best F1-score of 0.98. To evaluate the effectiveness of the aforesaid classifiers with diverse features on adversarial examples, we simulated a black-box based attack using a Generative Adversarial Network. The True Positive Rate of XGBoost on the 1-gram dataset, Random Forest on the 2-gram dataset and the Extreme Learning Machine on the system call image dataset significantly dropped to 0 from 0.98, 0.001 from 0.99 and 0 from 0.984 after the attack. Our experiments exposed a crucial vulnerability in classifiers used in modern anti-malware systems. A similar event in a real-world system could potentially render grave catastrophes. To defend against such probable attacks, we should continue further research and develop adequate security mechanisms. [ABSTRACT FROM AUTHOR]

Published

2024

2. Not So Robust after All: Evaluating the Robustness of Deep Neural Networks to Unseen Adversarial Attacks.

Author

Garaev, Roman, Rasheed, Bader, and Khan, Adil Mehmood

Subjects

*ARTIFICIAL neural networks, *PERTURBATION theory, *SCIENTIFIC community

Abstract

Deep neural networks (DNNs) have gained prominence in various applications, but remain vulnerable to adversarial attacks that manipulate data to mislead a DNN. This paper aims to challenge the efficacy and transferability of two contemporary defense mechanisms against adversarial attacks: (a) robust training and (b) adversarial training. The former suggests that training a DNN on a data set consisting solely of robust features should produce a model resistant to adversarial attacks. The latter creates an adversarially trained model that learns to minimise an expected training loss over a distribution of bounded adversarial perturbations. We reveal a significant lack in the transferability of these defense mechanisms and provide insight into the potential dangers posed by L ∞ -norm attacks previously underestimated by the research community. Such conclusions are based on extensive experiments involving (1) different model architectures, (2) the use of canonical correlation analysis, (3) visual and quantitative analysis of the neural network's latent representations, (4) an analysis of networks' decision boundaries and (5) the use of equivalence of L 2 and L ∞ perturbation norm theories. [ABSTRACT FROM AUTHOR]

Published

2024

3. A Robust SNMP-MIB Intrusion Detection System Against Adversarial Attacks.

Author

Alslman, Yasmeen, Alkasassbeh, Mouhammd, and Almseidin, Mohammad

Subjects

*INTRUSION detection systems (Computer security), *MACHINE learning, *CYBERTERRORISM, *INTERNET security

Abstract

With the increase in cyber security attacks, organizations tend to use an intrusion detection system (IDS) based on machine learning. Through the years, IDS based on machine learning has shown their effectiveness in protecting one against attacks. Aside from the machine learning nature being a black-box, there is a possibility of adversaries that can mess up the classification model. Using machine learning in critical aspects such as the medical field and intrusion detection system can result in disastrous impacts on organizations if it is vulnerable to adversary attacks. This paper proposes a new defense approach based on denoising auto-encoder (DAE) to protect IDS from adversarial attacks. To verify the efficacy of the proposed defense mechanism in mitigating adversarial attacks, two datasets were used. The experimental results show that the proposed defense mechanism proves validity against four white-box attacks and one black-box attack. The system's accuracy under adversarial attack elevates from around 68% to 90% and 97% under normal conditions on the first dataset. Similarly, on the second dataset, the models' accuracy increases from 64 to 85% under normal conditions and adversarial attacks. [ABSTRACT FROM AUTHOR]

Published

2024

4. A P4-Based Adversarial Attack Mitigation on Machine Learning Models in Data Plane Devices.

Author

Reddy, Sankepally Sainath, Nishoak, Kosaraju, Shreya, J. L., Reddy, Yennam Vishwambhar, and Venkanna, U.

Abstract

In recent times, networks have been prone to several types of attacks, such as DDoS attacks, volumetric attacks, replay attacks, eavesdropping, etc., which drastically degrade the network’s performance. Fortunately, programmable switches facilitate the network monitoring function that helps to solve several security challenges in the network. Nowadays, programmable switches rely on Machine Learning (ML) models to identify intrusions and detect network attacks at a line rate. However, the developed ML models are prone to certain security risks, such as malicious inputs designed to achieve negative outcomes, evasive attacks on the system, and data poisoning attacks. This paper presents a novel framework using the P4 programming language to overcome the above problem on the ML models. Our proposed framework identifies the important features after feature analysis and generates perturbations to showcase the evasion-based adversarial attack in the data plane switches, which an attacker might perform to disrupt the actual behavior of the deployed ML model at the data plane P4 switches. Further, we analyze the plausible impacts of such evasion-based adversarial attacks. Additionally, as part of our framework, we have also proposed a mitigation technique aimed at reducing the impact of these evasion-based adversarial attacks. The results show that the model’s classification rate, under adversarial attack when tested against CICIDS and USB-IDS Datasets, can significantly drop from 99.2% to as low as 50.14% and from 93.7% to as low as 65.1% respectively and increased by 17%,12% after the implementation of proposed mitigation technique in the data plane. [ABSTRACT FROM AUTHOR]

Published

2024

5. Deceptive Tricks in Artificial Intelligence: Adversarial Attacks in Ophthalmology.

Author

Zbrzezny, Agnieszka M. and Grzybowski, Andrzej E.

Subjects

*DIABETIC retinopathy, *ARTIFICIAL intelligence, *MACULAR degeneration, *MEDICAL imaging systems, *OPHTHALMOLOGY, *LITERATURE reviews

Abstract

The artificial intelligence (AI) systems used for diagnosing ophthalmic diseases have significantly progressed in recent years. The diagnosis of difficult eye conditions, such as cataracts, diabetic retinopathy, age-related macular degeneration, glaucoma, and retinopathy of prematurity, has become significantly less complicated as a result of the development of AI algorithms, which are currently on par with ophthalmologists in terms of their level of effectiveness. However, in the context of building AI systems for medical applications such as identifying eye diseases, addressing the challenges of safety and trustworthiness is paramount, including the emerging threat of adversarial attacks. Research has increasingly focused on understanding and mitigating these attacks, with numerous articles discussing this topic in recent years. As a starting point for our discussion, we used the paper by Ma et al. "Understanding Adversarial Attacks on Deep Learning Based Medical Image Analysis Systems". A literature review was performed for this study, which included a thorough search of open-access research papers using online sources (PubMed and Google). The research provides examples of unique attack strategies for medical images. Unfortunately, unique algorithms for attacks on the various ophthalmic image types have yet to be developed. It is a task that needs to be performed. As a result, it is necessary to build algorithms that validate the computation and explain the findings of artificial intelligence models. In this article, we focus on adversarial attacks, one of the most well-known attack methods, which provide evidence (i.e., adversarial examples) of the lack of resilience of decision models that do not include provable guarantees. Adversarial attacks have the potential to provide inaccurate findings in deep learning systems and can have catastrophic effects in the healthcare industry, such as healthcare financing fraud and wrong diagnosis. [ABSTRACT FROM AUTHOR]

Published

2023

6. DNS exfiltration detection in the presence of adversarial attacks and modified exfiltrator behaviour.

Author

Žiža, Kristijan, Tadić, Predrag, and Vuletić, Pavle

Subjects

*INTERNET domain naming system, *SCIENTIFIC community

Abstract

The Domain Name System (DNS) exfiltration is an activity in which an infected device sends data to the attacker's server by encoding it in DNS request messages. Because of the frequent use of DNS exfiltration for malicious purposes, exfiltration detection gained attention from the research community which proposed several predominantly machine learning-based methods. The majority of previous studies used publicly available DNS exfiltration tools with the default configuration parameters, resulting in datasets created from DNS exfiltration requests that are usually significantly longer, have more DNS name labels, and higher character entropy than average regular DNS requests. This further led to overly optimistic detection rates. In this paper, we have explored some of the strategies an attacker could use to avoid exfiltration detection. First, we have explored the impact of DNS exfiltration tools' parameter variation on the exfiltration detection accuracy. Second, we have modified the DNSExfiltrator tool to produce exfiltration requests which have significantly lower character entropy. This approach proved to be capable of deceiving classifiers based on single DNS request features. Only around 1% of modified DNS requests shorter or equal to 9 bytes, and less than one third of DNS exfiltration requests in the overall population were accurately detected. In addition, we present a methodology and an aggregated feature set (including inter-request timing statistics) which can be used for accurate DNS exfiltration in this kind of adversarial settings. [ABSTRACT FROM AUTHOR]

Published

2023

7. Adversarial attacks against mouse- and keyboard-based biometric authentication: black-box versus domain-specific techniques.

Author

López, Christian, Solano, Jesús, Rivera, Esteban, Tengana, Lizzy, Florez-Lozano, Johana, Castelblanco, Alejandra, and Ochoa, Martín

Subjects

*BIOMETRIC identification, *MACHINE learning, *MICE, *BIOMETRY

Abstract

Adversarial attacks have recently gained popularity due to their simplicity, impact, and applicability to a wide range of machine learning scenarios. However, knowledge of a particular security scenario can be advantageous for adversaries to craft better attacks. In other words, in some scenarios, attackers may come up naturally with ad hoc black-box attack techniques inspired directly by problem space characteristics rather than using generic adversarial techniques. This paper explores an intuitive attack technique based on reusing legitimate user inputs and applying it to mouse-based behavioral biometrics and keyboard-based behavioral biometrics. Moreover, it compares the model's effectiveness against adversarial machine learning attacks, achieving attack success rates up to 87 and 86% for the mouse and keyboard settings, respectively. We show that attacks leveraging domain knowledge have higher transferability when applied to various machine-learning techniques and are more challenging to defend against. We also propose countermeasures against such attacks and discuss their effectiveness. [ABSTRACT FROM AUTHOR]

Published

2023

8. Low-Pass Image Filtering to Achieve Adversarial Robustness.

Author

Ziyadinov, Vadim and Tereshonok, Maxim

Subjects

*ARTIFICIAL neural networks, *CONVOLUTIONAL neural networks, *OBJECT recognition (Computer vision), *IMAGING systems, *IMAGE recognition (Computer vision)

Abstract

In this paper, we continue the research cycle on the properties of convolutional neural network-based image recognition systems and ways to improve noise immunity and robustness. Currently, a popular research area related to artificial neural networks is adversarial attacks. The adversarial attacks on the image are not highly perceptible to the human eye, and they also drastically reduce the neural network's accuracy. Image perception by a machine is highly dependent on the propagation of high frequency distortions throughout the network. At the same time, a human efficiently ignores high-frequency distortions, perceiving the shape of objects as a whole. We propose a technique to reduce the influence of high-frequency noise on the CNNs. We show that low-pass image filtering can improve the image recognition accuracy in the presence of high-frequency distortions in particular, caused by adversarial attacks. This technique is resource efficient and easy to implement. The proposed technique makes it possible to measure up the logic of an artificial neural network to that of a human, for whom high-frequency distortions are not decisive in object recognition. [ABSTRACT FROM AUTHOR]

Published

2023

9. A perspective on human activity recognition from inertial motion data.

Author

Gomaa, Walid and Khamis, Mohamed A.

Subjects

*ARTIFICIAL intelligence, *LARGE scale systems, *FEATURE selection, *HUMAN activity recognition, *FEATURE extraction, *MOTION detectors, *MOBILE learning

Abstract

Human activity recognition (HAR) using inertial motion data has gained a lot of momentum in recent years both in research and industrial applications. From the abstract perspective, this has been driven by the rapid dynamics for building intelligent, smart environments, and ubiquitous systems that cover all aspects of human life including healthcare, sports, manufacturing, commerce, etc., which necessitate and subsume activity recognition aiming at recognizing the actions, characteristics, and goals of one or more agent(s) from a temporal series of observations streamed from one or more sensors. From a more concrete and seemingly orthogonal perspective, such momentum has been driven by the ubiquity of inertial motion sensors on-board mobile and wearable devices including smartphones, smartwatches, etc. In this paper we give an introductory and a comprehensive survey to the subject from a given perspective. We focus on a subset of topics, that we think are major, that will have significant and influential impacts on the future research and industrial-scale deployment of HAR systems. These include: (1) a comprehensive and detailed description of the inertial motion benchmark datasets that are publicly available and/or accessible, (2) feature selection and extraction techniques and the corresponding learning methods used to build workable HAR systems; we survey classical handcrafted datasets as well as data-oriented automatic representation learning approach to the subject, (3) transfer learning as a way to overcome many hurdles in actual deployments of HAR systems on a large scale, (4) embedded implementations of HAR systems on mobile and/or wearable devices, and finally (5) we touch on adversarial attacks, a topic that is essentially related to the security and privacy of HAR systems. As the field is very huge and diverse, this article is by no means comprehensive; it is though meant to provide a logically and conceptually rather complete picture to advanced practitioners, as well as to present a readable guided introduction to newcomers. Our logical and conceptual perspectives mimic the typical data science pipeline for state-of-the-art AI-based systems. [ABSTRACT FROM AUTHOR]

Published

2023

10. State-of-the-art optical-based physical adversarial attacks for deep learning computer vision systems.

Author

Fang, Junbin, Jiang, You, Jiang, Canjian, Jiang, Zoe L., Liu, Chuanyi, and Yiu, Siu-Ming

Subjects

*DEEP learning, *COMPUTER systems, *COMPUTER vision, *COMPUTER security, *CYBERTERRORISM, *INVISIBILITY

Abstract

Adversarial attacks can mislead deep learning models to make false predictions by implanting small perturbations to the original input that are imperceptible to the human eye, which poses a huge security threat to computer vision systems based on deep learning. Physical adversarial attacks, which is more realistic, as the perturbation is introduced to the input before it is captured and converted to a image inside the vision system, when compared to digital adversarial attacks. In this paper, we focus on physical adversarial attacks and further classify them into invasive and non-invasive. Optical-based physical adversarial attack techniques (e.g. using light irradiation) belong to the non-invasive category. The perturbations can be easily ignored by humans as the perturbations are very similar to the effects generated by a natural environment in the real world. With high invisibility and executability, optical-based physical adversarial attacks can pose a significant or even lethal threat to real systems. This paper focuses on optical-based physical adversarial attack techniques for computer vision systems, with emphasis on the introduction and discussion of optical-based physical adversarial attack techniques. [ABSTRACT FROM AUTHOR]

Published

2024

11. SGAN-IDS: Self-Attention-Based Generative Adversarial Network against Intrusion Detection Systems.

Author

Aldhaheri, Sahar and Alhuzali, Abeer

Subjects

*GENERATIVE adversarial networks, *INTRUSION detection systems (Computer security), *COMPUTER network traffic

Abstract

In cybersecurity, a network intrusion detection system (NIDS) is a critical component in networks. It monitors network traffic and flags suspicious activities. To effectively detect malicious traffic, several detection techniques, including machine learning-based NIDSs (ML-NIDSs), have been proposed and implemented. However, in much of the existing ML-NIDS research, the experimental settings do not accurately reflect real-world scenarios where new attacks are constantly emerging. Thus, the robustness of intrusion detection systems against zero-day and adversarial attacks is a crucial area that requires further investigation. In this paper, we introduce and develop a framework named SGAN-IDS. This framework constructs adversarial attack flows designed to evade detection by five BlackBox ML-based IDSs. SGAN-IDS employs generative adversarial networks and self-attention mechanisms to generate synthetic adversarial attack flows that are resilient to detection. Our evaluation results demonstrate that SGAN-IDS has successfully constructed adversarial flows for various attack types, reducing the detection rate of all five IDSs by an average of 15.93%. These findings underscore the robustness and broad applicability of the proposed model. [ABSTRACT FROM AUTHOR]

Published

2023

12. Enhanced covertness class discriminative universal adversarial perturbations.

Author

Gao, Haoran, Zhang, Hua, Zhang, Xin, Li, Wenmin, Wang, Jiahui, and Gao, Fei

Subjects

*ARTIFICIAL neural networks

Abstract

The main aim of class discriminative universal adversarial perturbations (CD-UAPs) is that the adversary can flexibly control the targeted class and influence remaining classes limitedly. CD-UAPs generated by the existing attack strategies suffer from a high fooling ratio of non-targeted source classes under non-targeted and targeted attacks, and face the increasing risk of discovery. In this paper, we propose a training framework for generating enhanced covertness CD-UAPs. It trains the targeted source class set and the non-targeted source classes set alternately to update the perturbation and introduces logit pairing to mitigate the influence of perturbation on the non-targeted source classes set. Further, we extend CD-UAPs on the targeted (one-targeted) attack to the multi-targeted attack, which perturbs a targeted source class to multiple targeted sink classes that seriously threaten the current scenario. It can not only provide the adversary with freedom of precise attack but reduce the risk of being detected. This attack poses a strong threat to security-sensitive applications. Extensive experiments on the CIFAR-10, CIFAR-100 and ImageNet datasets show our method can generate more deceptive perturbations and enhance the covertness of CD-UAPs. For example, our method improves the absolute fooling ratio gaps of ResNet-20 and VGG-16 by 9.46% and 6.94% compared with the baseline method, respectively. We achieve the multi-targeted attack with a high fooling ratio on the GTSRB dataset. The average absolute target fooling ratio gaps of ResNet-20 and VGG-16 are 81.89% and 76.33%, respectively. [ABSTRACT FROM AUTHOR]

Published

2023

13. SOLARNet: A single stage regression based framework for efficient and robust object recognition in aerial images.

Author

Saini, Nandini, Chattopadhyay, Chiranjoy, and Das, Debasis

Subjects

*RECOGNITION (Psychology), *IMAGE recognition (Computer vision), *OBJECT recognition (Computer vision), *AERIAL spraying & dusting in agriculture, *MULTISCALE modeling

Abstract

• An end-to-end one stage detection model to detect multiscale and rotated objects through aerial image. • Performing both the tasks, i.e., horizontal bounding box detection and oriented bounding box detection for input image. • Identifying aerial image objects with high inference speed and detection mean Average Precision (mAP) accuracy. • Ensuring the robustness for adversarial attacks such as FGSM, BIM, and JSM attacks. Object recognition and localization play a crucial role in aerial images and their applications. The aerial images are challenging due to the large aspect ratio, arbitrary orientation, variation in scales, and non-uniform and cluttered object distribution. To address these challenges, we propose an efficient and robust model called the Simultaneous Object Localization and Recognition Network (SOLARNet), which is a fusion network that integrates two different sub-networks: PixelAttentionDetector (PD) and RotationDetector (RD). The PD considers features from different scales and cluttered objects, while RD handles rotation invariance, giving horizontal and oriented object detection results. The state-of-the-art model fails to improve accuracy when images are adversarially attacked. SOLARNet is not only efficient in terms of accuracy but also robust concerning to Fast Gradient Sign Method (FGSM), Basic Iterative Method (BIM), Jacobian Based Saliency Map (JSM) adversarial attacks, which is the crucial factor for any mission-critical system. We have performed experiments and achieved the accuracy on the publicly available DOTA dataset (75.00% mAP, 66.40% mAP) and DIOR dataset (88.60% mAP, 81.50% mAP) for horizontal and oriented object recognition tasks respectively while having high inference speed. Qualitative and quantitative results reported in this paper substantiate the superiority of SOLARNet over other state-of-the-art methodologies. [ABSTRACT FROM AUTHOR]

Published

2023

14. Neural Adversarial Attacks with Random Noises.

Author

Hajri, Hatem, Césaire, Manon, Schott, Lucas, Lamprier, Sylvain, and Gallinari, Patrick

Subjects

*RANDOM noise theory, *TAYLOR'S series

Abstract

In this paper, we present an approach which relies on the use of random noises to generate adversarial examples of deep neural network classifiers. We argue that existing deterministic attacks, which perform by sequentially applying maximal perturbations on selected components of the input, fail at reaching accurate adversarial examples on real-world large scale datasets. By exploiting a simple Taylor expansion of the expected output probability under the noise perturbation, we introduce noise-based sparse (or L0) targeted and untargeted attacks. Our proposed method, called Voting Folded Gaussian Attack (VFGA), achieves significantly better L0 scores than state-of-the-art L0 attacks (such as SparseFool and Sparse-RS) while being faster on both CIFAR-10 and ImageNet. Moreover, we show that VFGA is also applicable as an L∞ attack and outperforms the state-of-the-art projected gradient attack (PGD) method. [ABSTRACT FROM AUTHOR]

Published

2023

15. Adversarial Training Methods for Deep Learning: A Systematic Review.

Author

Zhao, Weimin, Alwidian, Sanaa, and Mahmoud, Qusay H.

Subjects

*ARTIFICIAL neural networks, *DEEP learning, *PATENT databases, *TECHNICAL literature, *DATA scrubbing, *ROBUST optimization

Abstract

Deep neural networks are exposed to the risk of adversarial attacks via the fast gradient sign method (FGSM), projected gradient descent (PGD) attacks, and other attack algorithms. Adversarial training is one of the methods used to defend against the threat of adversarial attacks. It is a training schema that utilizes an alternative objective function to provide model generalization for both adversarial data and clean data. In this systematic review, we focus particularly on adversarial training as a method of improving the defensive capacities and robustness of machine learning models. Specifically, we focus on adversarial sample accessibility through adversarial sample generation methods. The purpose of this systematic review is to survey state-of-the-art adversarial training and robust optimization methods to identify the research gaps within this field of applications. The literature search was conducted using Engineering Village (Engineering Village is an engineering literature search tool, which provides access to 14 engineering literature and patent databases), where we collected 238 related papers. The papers were filtered according to defined inclusion and exclusion criteria, and information was extracted from these papers according to a defined strategy. A total of 78 papers published between 2016 and 2021 were selected. Data were extracted and categorized using a defined strategy, and bar plots and comparison tables were used to show the data distribution. The findings of this review indicate that there are limitations to adversarial training methods and robust optimization. The most common problems are related to data generalization and overfitting. [ABSTRACT FROM AUTHOR]

Published

2022

16. Defending the Defender: Adversarial Learning Based Defending Strategy for Learning Based Security Methods in Cyber-Physical Systems (CPS).

Author

Sheikh, Zakir Ahmad, Singh, Yashwant, Singh, Pradeep Kumar, and Gonçalves, Paulo J. Sequeira

Subjects

*CYBER physical systems, *GENERATIVE adversarial networks, *LEARNING strategies, *SECURITY systems, *RANDOM forest algorithms

Abstract

Cyber-Physical Systems (CPS) are prone to many security exploitations due to a greater attack surface being introduced by their cyber component by the nature of their remote accessibility or non-isolated capability. Security exploitations, on the other hand, rise in complexities, aiming for more powerful attacks and evasion from detections. The real-world applicability of CPS thus poses a question mark due to security infringements. Researchers have been developing new and robust techniques to enhance the security of these systems. Many techniques and security aspects are being considered to build robust security systems; these include attack prevention, attack detection, and attack mitigation as security development techniques with consideration of confidentiality, integrity, and availability as some of the important security aspects. In this paper, we have proposed machine learning-based intelligent attack detection strategies which have evolved as a result of failures in traditional signature-based techniques to detect zero-day attacks and attacks of a complex nature. Many researchers have evaluated the feasibility of learning models in the security domain and pointed out their capability to detect known as well as unknown attacks (zero-day attacks). However, these learning models are also vulnerable to adversarial attacks like poisoning attacks, evasion attacks, and exploration attacks. To make use of a robust-cum-intelligent security mechanism, we have proposed an adversarial learning-based defense strategy for the security of CPS to ensure CPS security and invoke resilience against adversarial attacks. We have evaluated the proposed strategy through the implementation of Random Forest (RF), Artificial Neural Network (ANN), and Long Short-Term Memory (LSTM) on the ToN_IoT Network dataset and an adversarial dataset generated through the Generative Adversarial Network (GAN) model. [ABSTRACT FROM AUTHOR]

Published

2023

17. Adversarial attacks on graph-level embedding methods: a case study.

Author

Giordano, Maurizio, Maddalena, Lucia, Manzo, Mario, and Guarracino, Mario Rosario

Abstract

As the number of graph-level embedding techniques increases at an unprecedented speed, questions arise about their behavior and performance when training data undergo perturbations. This is the case when an external entity maliciously alters training data to invalidate the embedding. This paper explores the effects of such attacks on some graph datasets by applying different graph-level embedding techniques. The main attack strategy involves manipulating training data to produce an altered model. In this context, our goal is to go in-depth about methods, resources, experimental settings, and performance results to observe and study all the aspects that derive from the attack stage. [ABSTRACT FROM AUTHOR]

Published

2023

18. Fooling the Big Picture in Classification Tasks.

Author

Alkhouri, Ismail, Atia, George, and Mikhael, Wasfy

Subjects

*CLASSIFICATION, *CONVEX programming

Abstract

Minimally perturbed adversarial examples were shown to drastically reduce the performance of one-stage classifiers while being imperceptible. This paper investigates the susceptibility of hierarchical classifiers, which use fine and coarse level output categories, to adversarial attacks. We formulate a program that encodes minimax constraints to induce misclassification of the coarse class of a hierarchical classifier (e.g., changing the prediction of a 'monkey' to a 'vehicle' instead of some 'animal'). Subsequently, we develop solutions based on convex relaxations of said program. An algorithm is obtained using the alternating direction method of multipliers with competitive performance in comparison with state-of-the-art solvers. We show the ability of our approach to fool the coarse classification through a set of measures such as the relative loss in coarse classification accuracy and imperceptibility factors. In comparison with perturbations generated for one-stage classifiers, we show that fooling a classifier about the 'big picture' requires higher perturbation levels which results in lower imperceptibility. We also examine the impact of different label groupings on the performance of the proposed attacks. [ABSTRACT FROM AUTHOR]

Published

2023

19. Review of the Data-Driven Methods for Electricity Fraud Detection in Smart Metering Systems.

Author

Badr, Mahmoud M., Ibrahem, Mohamed I., Kholidy, Hisham A., Fouda, Mostafa M., and Ismail, Muhammad

Subjects

*ARTIFICIAL neural networks, *FRAUD investigation, *SMART meters, *ELECTRIC utilities, *PUBLIC utilities

Abstract

In smart grids, homes are equipped with smart meters (SMs) to monitor electricity consumption and report fine-grained readings to electric utility companies for billing and energy management. However, malicious consumers tamper with their SMs to report low readings to reduce their bills. This problem, known as electricity fraud, causes tremendous financial losses to electric utility companies worldwide and threatens the power grid's stability. To detect electricity fraud, several methods have been proposed in the literature. Among the existing methods, the data-driven methods achieve state-of-art performance. Therefore, in this paper, we study the main existing data-driven electricity fraud detection methods, with emphasis on their pros and cons. We study supervised methods, including wide and deep neural networks and multi-data-source deep learning models, and unsupervised methods, including clustering. Then, we investigate how to preserve the consumers' privacy, using encryption and federated learning, while enabling electricity fraud detection because it has been shown that fine-grained readings can reveal sensitive information about the consumers' activities. After that, we investigate how to design robust electricity fraud detectors against adversarial attacks using ensemble learning and model distillation because they enable malicious consumers to evade detection while stealing electricity. Finally, we provide a comprehensive comparison of the existing works, followed by our recommendations for future research directions to enhance electricity fraud detection. [ABSTRACT FROM AUTHOR]

Published

2023

20. Survey on federated learning threats: Concepts, taxonomy on attacks and defences, experimental study and challenges.

Author

Rodríguez-Barroso, Nuria, Jiménez-López, Daniel, Luzón, M. Victoria, Herrera, Francisco, and Martínez-Cámara, Eugenio

Subjects

*CONCEPT learning, *ARTIFICIAL intelligence, *MACHINE learning, *TAXONOMY, *GLOBAL method of teaching, *DATA privacy

Abstract

Federated learning is a machine learning paradigm that emerges as a solution to the privacy-preservation demands in artificial intelligence. As machine learning, federated learning is threatened by adversarial attacks against the integrity of the learning model and the privacy of data via a distributed approach to tackle local and global learning. This weak point is exacerbated by the inaccessibility of data in federated learning, which makes the protection against adversarial attacks harder and evidences the need to furtherance the research on defence methods to make federated learning a real solution for safeguarding data privacy. In this paper, we present an extensive review of the threats of federated learning, as well as as their corresponding countermeasures, attacks versus defences. This survey provides a taxonomy of adversarial attacks and a taxonomy of defence methods that depict a general picture of this vulnerability of federated learning and how to overcome it. Likewise, we expound guidelines for selecting the most adequate defence method according to the category of the adversarial attack. Besides, we carry out an extensive experimental study from which we draw further conclusions about the behaviour of attacks and defences and the guidelines for selecting the most adequate defence method according to the category of the adversarial attack. Finally, we present our learned lessons and challenges. • We claim that adversarial attacks are a significant challenge in federated learning. • We propose taxonomies of adversarial attacks and defences in federated learning. • We conduct a wide experimental study the results of which support our claim. • We define guidelines for selecting a proper defence method according to the attack. • We stand out a set of lessons learnt, open challenges and final conclusions. [ABSTRACT FROM AUTHOR]

Published

2023

21. Empiricism in the foundations of cognition.

Author

Childers, Timothy, Hvorecký, Juraj, and Majer, Ondrej

Subjects

*PHILOSOPHY of science, *DEEP learning, *EMPIRICISM, *BEHAVIORISM (Psychology), *COGNITION, *COMPUTER science

Abstract

This paper traces the empiricist program from early debates between nativism and behaviorism within philosophy, through debates about early connectionist approaches within the cognitive sciences, and up to their recent iterations within the domain of deep learning. We demonstrate how current debates on the nature of cognition via deep network architecture echo some of the core issues from the Chomsky/Quine debate and investigate the strength of support offered by these various lines of research to the empiricist standpoint. Referencing literature from both computer science and philosophy, we conclude that the current state of deep learning does not offer strong encouragement to the empiricist side despite some arguments to the contrary. [ABSTRACT FROM AUTHOR]

Published

2023

22. Divergence-Agnostic Unsupervised Domain Adaptation by Adversarial Attacks.

Author

Li, Jingjing, Du, Zhekai, Zhu, Lei, Ding, Zhengming, Lu, Ke, and Shen, Heng Tao

Subjects

*MACHINE learning, *COMMUNITIES, *KNOWLEDGE transfer, *GENERALIZATION, *FEATURE extraction

Abstract

Conventional machine learning algorithms suffer the problem that the model trained on existing data fails to generalize well to the data sampled from other distributions. To tackle this issue, unsupervised domain adaptation (UDA) transfers the knowledge learned from a well-labeled source domain to a different but related target domain where labeled data is unavailable. The majority of existing UDA methods assume that data from the source domain and the target domain are available and complete during training. Thus, the divergence between the two domains can be formulated and minimized. In this paper, we consider a more practical yet challenging UDA setting where either the source domain data or the target domain data are unknown. Conventional UDA methods would fail this setting since the domain divergence is agnostic due to the absence of the source data or the target data. Technically, we investigate UDA from a novel view—adversarial attack—and tackle the divergence-agnostic adaptive learning problem in a unified framework. Specifically, we first report the motivation of our approach by investigating the inherent relationship between UDA and adversarial attacks. Then we elaborately design adversarial examples to attack the training model and harness these adversarial examples. We argue that the generalization ability of the model would be significantly improved if it can defend against our attack, so as to improve the performance on the target domain. Theoretically, we analyze the generalization bound for our method based on domain adaptation theories. Extensive experimental results on multiple UDA benchmarks under conventional, source-absent and target-absent UDA settings verify that our method is able to achieve a favorable performance compared with previous ones. Notably, this work extends the scope of both domain adaptation and adversarial attack, and expected to inspire more ideas in the community. [ABSTRACT FROM AUTHOR]

Published

2022

23. Evaluation of adversarial attacks sensitivity of classifiers with occluded input data.

Author

Sooksatra, Korn and Rivas, Pablo

Subjects

*DEEP learning, *COST control, *TRUST, *EVALUATION methodology, *QUALITY of life

Abstract

With the noteworthy achievements of deep learning models, there are transformative applications that aim at cost reduction and the improvement in human quality of life. Nevertheless, recent work aimed at testing a classifier's ability to withstand targeted and black-box adversarial attacks demonstrated that deep learning models, in particular, are brittle and lack certain robustness that makes them particularly weak, and ultimately leading to a lack of trust. For this specific area, a question arises concerning certain regions' sensitivity in the input space against adversarial perturbations for a classification model. This paper aims to study such a problem by looking into a Sensitivity-inspired Constrained Evaluation Method (SICEM) to deterministically evaluate how much a region of the input space is vulnerable to adversarial perturbations compared to other regions and also the entire input space. Our experiments suggest that SICEM can accurately quantify region vulnerabilities on MNIST and CIFAR-10 datasets. [ABSTRACT FROM AUTHOR]

Published

2022

24. Model and Training Method of the Resilient Image Classifier Considering Faults, Concept Drift, and Adversarial Attacks.

Author

Moskalenko, Viacheslav, Kharchenko, Vyacheslav, Moskalenko, Alona, and Petrov, Sergey

Subjects

*IMAGE recognition (Computer vision), *CONVOLUTIONAL neural networks, *DISTILLATION

Abstract

Modern trainable image recognition models are vulnerable to different types of perturbations; hence, the development of resilient intelligent algorithms for safety-critical applications remains a relevant concern to reduce the impact of perturbation on model performance. This paper proposes a model and training method for a resilient image classifier capable of efficiently functioning despite various faults, adversarial attacks, and concept drifts. The proposed model has a multi-section structure with a hierarchy of optimized class prototypes and hyperspherical class boundaries, which provides adaptive computation, perturbation absorption, and graceful degradation. The proposed training method entails the application of a complex loss function assembled from its constituent parts in a particular way depending on the result of perturbation detection and the presence of new labeled and unlabeled data. The training method implements principles of self-knowledge distillation, the compactness maximization of class distribution and the interclass gap, the compression of feature representations, and consistency regularization. Consistency regularization makes it possible to utilize both labeled and unlabeled data to obtain a robust model and implement continuous adaptation. Experiments are performed on the publicly available CIFAR-10 and CIFAR-100 datasets using model backbones based on modules ResBlocks from the ResNet50 architecture and Swin transformer blocks. It is experimentally proven that the proposed prototype-based classifier head is characterized by a higher level of robustness and adaptability in comparison with the dense layer-based classifier head. It is also shown that multi-section structure and self-knowledge distillation feature conserve resources when processing simple samples under normal conditions and increase computational costs to improve the reliability of decisions when exposed to perturbations. [ABSTRACT FROM AUTHOR]

Published

2022

25. Transferability analysis of adversarial attacks on gender classification to face recognition: Fixed and variable attack perturbation.

Author

Rezgui, Zohra, Bassit, Amina, and Veldhuis, Raymond

Subjects

*DEEP learning, *SPACE (Architecture), *GENDER, *FACE, *CLASSIFICATION, *BIOMETRY

Abstract

Most deep learning‐based image classification models are vulnerable to adversarial attacks that introduce imperceptible changes to the input images for the purpose of model misclassification. It has been demonstrated that these attacks, targeting a specific model, are transferable among models performing the same task. However, models performing different tasks but sharing the same input space and model architecture were never considered in the transferability scenarios presented in the literature. In this paper, this phenomenon was analysed in the context of VGG16‐based and ResNet50‐based biometric classifiers. The authors investigate the impact of two white‐box attacks on a gender classifier and contrast a defence method as a countermeasure. Then, using adversarial images generated by the attacks, a pre‐trained face recognition classifier is attacked in a black‐box fashion. Two verification comparison settings are employed, in which images perturbed with the same and different magnitude of the perturbation are compared. The authors' results indicate transferability in the fixed perturbation setting for a Fast Gradient Sign Method attack and non‐transferability in a pixel‐guided denoiser attack setting. The interpretation of this non‐transferability can support the use of fast and train‐free adversarial attacks targeting soft biometric classifiers as means to achieve soft biometric privacy protection while maintaining facial identity as utility. [ABSTRACT FROM AUTHOR]

Published

2022

26. Explaining adversarial vulnerability with a data sparsity hypothesis.

Author

Paknezhad, Mahsa, Ngo, Cuong Phuc, Winarto, Amadeus Aristo, Cheong, Alistair, Beh, Chuen Yang, Wu, Jiayang, and Lee, Hwee Kuan

Subjects

*DATA distribution, *DEEP learning, *HYPOTHESIS, *PREDICTION models

Abstract

Despite many proposed algorithms to provide robustness to deep learning (DL) models, DL models remain susceptible to adversarial attacks. We hypothesize that the adversarial vulnerability of DL models stems from two factors. The first factor is data sparsity which is that in the high dimensional input data space, there exist large regions outside the support of the data distribution. The second factor is the existence of many redundant parameters in the DL models. Owing to these factors, different models are able to come up with different decision boundaries with comparably high prediction accuracy. The appearance of the decision boundaries in the space outside the support of the data distribution does not affect the prediction accuracy of the model. However, it makes an important difference in the adversarial robustness of the model. We hypothesize that the ideal decision boundary is as far as possible from the support of the data distribution. In this paper, we develop a training framework to observe if DL models are able to learn such a decision boundary spanning the space around the class distributions further from the data points themselves. Semi-supervised learning was deployed during training by leveraging unlabeled data generated in the space outside the support of the data distribution. We measured adversarial robustness of the models trained using this training framework against well-known adversarial attacks and by using robustness metrics. We found that models trained using our framework, as well as other regularization methods and adversarial training support our hypothesis of data sparsity and that models trained with these methods learn to have decision boundaries more similar to the aforementioned ideal decision boundary. We show that the unlabeled data generated by noise in our framework is almost as effective on adversarial robustness as unlabeled data sourced from existing datasets or generated by synthesis algorithms. The code for our training framework is available online. [ABSTRACT FROM AUTHOR]

Published

2022

27. A Simple and Strong Baseline for Universal Targeted Attacks on Siamese Visual Tracking.

Author

Li, Zhenbang, Shi, Yaya, Gao, Jin, Wang, Shaoru, Li, Bing, Liang, Pengpeng, and Hu, Weiming

Subjects

*ADDITION (Mathematics), *ARTIFICIAL neural networks

Abstract

Siamese trackers are shown to be vulnerable to adversarial attacks recently. However, the existing attack methods craft the perturbations for each video independently, which comes at a non-negligible computational cost. In this paper, we show the existence of universal perturbations that can enable the targeted attack, e.g., forcing a tracker to follow the ground-truth trajectory with specified offsets, to be video-agnostic and free from inference in a network. Specifically, we attack a tracker by adding a universal translucent perturbation to the template image and adding a fake target, i.e., a small universal adversarial patch, into the search images adhering to the predefined trajectory, so that the tracker outputs the location and size of the fake target instead of the real target. Our approach allows perturbing a novel video to come at no additional cost except the mere addition operations – and not require gradient optimization or network inference. Experimental results on several datasets demonstrate that our approach can effectively fool the Siamese trackers in a targeted attack manner. We show that the proposed perturbations are not only universal across videos, but also generalize well across different trackers. Such perturbations are therefore doubly universal, both with respect to the data and the network architectures. Our code is available at https://github.com/lizhenbang56/SiamAttack. [ABSTRACT FROM AUTHOR]

Published

2022

28. Face Recognition System Against Adversarial Attack Using Convolutional Neural Network.

Author

Kadhim, Ansam and Al-Darraji, Salah

Subjects

*HUMAN facial recognition software, *CONVOLUTIONAL neural networks, *FACE, *FACE perception

Abstract

Face recognition is the technology that verifies or recognizes faces from images, videos, or real-time streams. It can be used in security or employee attendance systems. Face recognition systems may encounter some attacks that reduce their ability to recognize faces properly. So, many noisy images mixed with original ones lead to confusion in the results. Various attacks that exploit this weakness affect the face recognition systems such as Fast Gradient Sign Method (FGSM), Deep Fool, and Projected Gradient Descent (PGD). This paper proposes a method to protect the face recognition system against these attacks by distorting images through different attacks, then training the recognition deep network model, specifically Convolutional Neural Network (CNN), using the original and distorted images. Diverse experiments have been conducted using combinations of original and distorted images to test the effectiveness of the system. The system showed an accuracy of 93% using FGSM attack, 97% using deep fool, and 95% using PGD. [ABSTRACT FROM AUTHOR]

Published

2022

29. Adversarial learning techniques for security and privacy preservation: A comprehensive review.

Author

Hathaliya, Jigna J., Tanwar, Sudeep, and Sharma, Priyanka

Abstract

In recent years, the use of smart devices has increased exponentially, resulting in massive amounts of data. To handle this data, effective data storage and management has required. Cloud computing (CC) is a promising solution to deal with this huge amount of data. Electronic devices are collecting real‐time data from sensors and applications through a wireless communication channel in the digital era. In some cases, CC cannot protect against various malicious attacks in the wireless communication channel. To address this issue, we have used machine learning (ML) and deep learning (DL) techniques for attack detection in a wireless channel on an early basis. It trains a model to predict malicious activities of attackers, which aids in the security of CC's sensitive data. We employed adversarial learning techniques (AL) to add fake data into the model to ensure that the trained model was correct. The trained model can distinguish between the fake and real data from the training samples and improve the training samples' performance. AL provides different defense mechanisms to preserve the privacy of ML‐ and DL‐based model but does not ensure the system's robustness. To improve the system's robustness, we have used federated learning with blockchain technology to make a system more robust, reliable, accurate, and transparent. This integration aids in providing high‐graded security against adversarial attacks. This paper presents a comprehensive review to highlight the recent improvements in AL techniques. Moreover, we explored the various AL applications in security and privacy preservation. Finally, open research issues and future directions are discussed to show future research avenues. [ABSTRACT FROM AUTHOR]

Published

2022

30. RNAS-CL: Robust Neural Architecture Search by Cross-Layer Knowledge Distillation.

Author

Nath, Utkarsh, Wang, Yancheng, Turaga, Pavan, and Yang, Yingzhen

Subjects

*ARTIFICIAL neural networks, *MACHINE learning

Abstract

Deep Neural Networks are often vulnerable to adversarial attacks. Neural Architecture Search (NAS), one of the tools for developing novel deep neural architectures, demonstrates superior performance in prediction accuracy in various machine learning applications. However, the performance of a neural architecture discovered by NAS against adversarial attacks has not been sufficiently studied, especially under the regime of knowledge distillation. Given the presence of a robust teacher, we investigate if NAS would produce a robust neural architecture by inheriting robustness from the teacher. In this paper, we propose Robust Neural Architecture Search by Cross-Layer knowledge distillation (RNAS-CL), a novel NAS algorithm that improves the robustness of NAS by learning from a robust teacher through cross-layer knowledge distillation. Unlike previous knowledge distillation methods that encourage close student-teacher output only in the last layer, RNAS-CL automatically searches for the best teacher layer to supervise each student layer. Experimental results demonstrate the effectiveness of RNAS-CL and show that RNAS-CL produces compact and adversarially robust neural architectures. Our results point to new approaches for finding compact and robust neural architecture for many applications. The code of RNAS-CL is available at https://github.com/Statistical-Deep-Learning/RNAS-CL. [ABSTRACT FROM AUTHOR]

Published

2024

31. Cascade & allocate: A cross-structure adversarial attack against models fusing vision and language.

Author

Zhang, Boyuan, Shi, Yucheng, Han, Yahong, Hu, Qinghua, and Ding, Weiping

Subjects

*ARTIFICIAL neural networks, *MULTISENSOR data fusion

Abstract

The data fusion systems between multiple modals have attracted a wide range of concerns about their adversarial robustness. Recent image captioning attacks lack cross-structure transferability against models with diverse structures. Therefore, the attackers demonstrate satisfactory performance only when they gain full or partial knowledge of target image captioning models. So far, the cross-structure transferability of multi-modal adversarial examples has not been thoroughly investigated. In this paper, a theorem is proposed to analyze the upper bound captioning adversarial transferability. We design a new transfer-based adversarial attack method (Cascade & Allocate) against image captioning models. Our method can be divided into two steps. The first step randomly selects a set of candidate models with diverse structures, and we use a momentum-like strategy to generate perturbations. This 'model cascade' step narrows the gap of the gradient directions between different image captioning models, therefore enhancing the cross-model transferability and generating model-agnostic adversarial perturbations. The second step utilizes the upper bound transferability theorem to allocate the weight of perturbations per model. This 'weight allocate' step enhances the weight of model with the most consistent gradient in all candidate models, which generates more transferable adversarial examples. In the experiments, we compare our approach with other captioning and ensemble-based attacks against five black-box models with different structures on MS COCO and Flickr-30k datasets. The adversarial examples exhibit state-of-the-art adversarial transferability against five black-box models with different structures. The results demonstrate that our approach is practical and generalizes well to a wide range of captioning models. • A cross-structure black-box adversarial attack against image caption models. • A theorem to measure the upper bound of captioning adversarial transferability. • A weight allocation strategy to enhance adversarial transferability. [ABSTRACT FROM AUTHOR]

Published

2024

32. Attack-Resistant and Efficient Cancelable Codeword Generation Using Random walk-Based Methods.

Author

Pandey, Fagul, Dash, Priyabrata, and Sinha, Divyanshi

Subjects

*RANDOM walks

Abstract

Securely handling the biometric information of an individual is still a major challenge in many applications. For this reason, many cancelable techniques are present which were proposed with an aim to provide security, but adversarial attacks like a similarity-based attack on popular methods have recently been reported in the literature. In this paper, we propose a random walk-based method for cancelable template generation (2-d random walk and circular random walk). The novelty of the proposed method is to generate a secure, distinct cancelable template from fingerprint data. Further, the proposed scheme is immune to different security attacks. It also ensures the randomness of the generated cancelable templates. Our proposed scheme achieves comparable performance in terms of average genuine acceptance rate of 97.02 % , average false acceptance rate of 0.13 % for different fingerprint data. Moreover, our proposed scheme has FAR (attack) of 11.11 % , which is very low compared to the state-of-the-art method (such as BioHashing 62.5%). [ABSTRACT FROM AUTHOR]

Published

2022

33. A Novel Lightweight Defense Method Against Adversarial Patches-Based Attacks on Automated Vehicle Make and Model Recognition Systems.

Author

Siddiqui, Abdul Jabbar and Boukerche, Azzedine

Abstract

In smart cities, connected and automated surveillance systems play an essential role in ensuring safety and security of life, property, critical infrastructures and cyber-physical systems. The recent trend of such surveillance systems has been to embrace the use of advanced deep learning models such as convolutional neural networks for the task of detection, monitoring or tracking. In this paper, we focus on the security of an automated surveillance system that is responsible for vehicle make and model recognition (VMMR). We introduce an adversarial attack against such VMMR systems through adversarially learnt patches. We demonstrate the effectiveness of the developed adversarial patches against VMMR through experimental evaluations on a real-world vehicle surveillance dataset. The developed adversarial patches achieve reductions of up to 48 % in VMMR recall scores. In addition, we propose a lightweight defense method called SIHFR (stands for Symmetric Image-Half Flip and Replace) to eliminate the effect of adversarial patches on VMMR performance. Through experimental evaluations, we investigate the robustness of the proposed defense method under varying patch placement strategies and patch sizes. The proposed defense method adds a minimal overhead of less than 2ms per image (on average) and succeeds in enhancing VMMR performance by up to 69.28 % . It is hoped that this work shall guide future studies to develop smart city VMMR surveillance systems that are robust to cyber-physical attacks based on adversarially learnt patches. [ABSTRACT FROM AUTHOR]

Published

2021

34. Small perturbations are enough: Adversarial attacks on time series prediction.

Author

Wu, Tao, Wang, Xuechun, Qiao, Shaojie, Xian, Xingping, Liu, Yanbing, and Zhang, Liang

Subjects

*TIME series analysis, *PREDICTION models, *FORECASTING, *DEEP learning, *IMAGE processing, *DATA mining

Abstract

Time-series data are widespread in real-world industrial scenarios. To recover and infer missing information in real-world applications, the problem of time-series prediction has been widely studied as a classical research topic in data mining. Deep learning architectures have been viewed as next-generation time-series prediction models. However, recent studies have shown that deep learning models are vulnerable to adversarial attacks. In this study, we prospectively examine the problem of time-series prediction adversarial attacks and propose an attack strategy for generating an adversarial time series by adding malicious perturbations to the original time series to deteriorate the performance of time-series prediction models. Specifically, a perturbation-based adversarial example generation algorithm is proposed using the gradient information of the prediction model. In practice, unlike the imperceptibility to humans in the field of image processing, time-series data are more sensitive to abnormal perturbations and there are more stringent requirements regarding the amount of perturbations. To address this challenge, we craft an adversarial time series based on the importance measurement to slightly perturb the original data. Based on comprehensive experiments conducted on real-world time-series datasets, we verify that the proposed adversarial attack methods not only effectively fool the target time-series prediction model LSTNet, they also attack state-of-the-art CNN-, RNN-, and MHANET-based models. Meanwhile, the results show that the proposed methods achieve a good transferability. That is, the adversarial examples generated for a specific prediction model can significantly affect the performance of the other methods. Moreover, through a comparison with existing adversarial attack approaches, we can see that much smaller perturbations are sufficient for the proposed importance-measurement based adversarial attack method. The methods described in this paper are significant in understanding the impact of adversarial attacks on a time-series prediction and promoting the robustness of such prediction technologies. [ABSTRACT FROM AUTHOR]

Published

2022

35. Cognitive data augmentation for adversarial defense via pixel masking.

Author

Agarwal, Akshay, Vatsa, Mayank, Singh, Richa, and Ratha, Nalini

Subjects

*CONVOLUTIONAL neural networks, *PIXELS, *DEFENSE in depth (Computer security), *DATA augmentation

Abstract

• We proposed PixelMask: a novel data augmentation technique for adversarial robustness. • Extensive experiments showcase the effectiveness of the proposed defense algorithm. • Proposed PixelMask defense outperforms other strong data augmentation techniques. The vulnerability of deep networks towards adversarial perturbations has motivated the researchers to design detection and mitigation algorithms. Inspired by the dropout and dropconnect algorithms as well as augmentation techniques, this paper presents "PixelMask" based data augmentation as an efficient method of reducing the sensitivity of convolutional neural networks (CNNs) towards adversarial attacks. In the proposed approach, samples generated using PixelMask are used as augmented data, which helps in learning robust CNN models. Experiments performed with multiple databases and architectures show that the proposed PixelMask based data augmentation approach improves the classification performance on adversarially perturbed images. The proposed defense mechanism can be applied effectively for different adversarial attacks and can easily be combined with any deep neural network (DNN) architecture to increase the robustness. The effectiveness of the proposed defense is demonstrated in gray-box, white-box, and unseen train-test attack scenarios. For example, on the CIFAR-10 database under adaptive attack (i.e., projected gradient descent), the proposed PixelMask is able to improve the recognition performance of CNN by at-least 22.69%. Another advantage of the proposed algorithm over several existing defense algorithms is that the proposed defense either is able to retain or increase the classification accuracy of clean examples. [ABSTRACT FROM AUTHOR]

Published

2021

36. Resilient and constrained consensus against adversarial attacks: A distributed MPC framework.

Author

Wei, Henglai, Zhang, Kunwu, Zhang, Hui, and Shi, Yang

Subjects

*DISTRIBUTED algorithms, *TELECOMMUNICATION systems, *PREDICTION models, *MULTICASTING (Computer networks)

Abstract

This paper proposes a distributed resilient consensus framework consisting of a distributed model predictive control (DMPC)-based consensus protocol and a new distributed attack detection mechanism, aiming to effectively handle the general linear constrained MAS under adversarial attacks. Based on the historical information from neighbors and a resilience set , we can evaluate the reliability of communication links via the attack detection mechanism. The proposed detection mechanism can significantly reduce the requirement on the network robustness compared with the well-known mean-subsequence-reduced (MSR) algorithms. The resilient consensus of general linear constrained MAS with F -locally adversarial attacks is achieved when the communication network is (F + 1)-robust. Furthermore, the DMPC-based resilient consensus framework exhibits the following key feature: the constrained consensus performance is optimized by minimizing a set of control variables. We demonstrate that the recursive feasibility of the associated DMPC optimization problem and the resilient consensus convergence of the constrained MAS can be guaranteed. Finally, the effectiveness of the proposed framework is illustrated through simulation experiments. [ABSTRACT FROM AUTHOR]

Published

2024

37. Knowledge-guided semantic computing network.

Author

Shi, Guangming, Zhang, Zhongqiang, Gao, Dahua, Lin, Jie, Xie, Xuemei, and Liu, Danhua

Subjects

*SEMANTIC computing, *COST functions

Abstract

The excellent performance of deep neural networks mainly relies on the attributes of the dataset, such as the size, diversity, completeness. However, it is usually difficult to obtain a high-qualified training dataset for some scenarios. Inspired by the human visual cognition process with few sample learning, and strong robustness, we believe the experience knowledge is more powerful than large-scale data. To combine the power of knowledge and data, we propose a knowledge-guided semantic computing network (SCN) in this paper, which is constructed with a primary knowledge-guided semantic tree module and an auxiliary data-driven lightweight neural network module. The semantic tree module can calculate the classification results by a forward computing process rapidly. The lightweight neural network module can aid the semantic tree module for higher classification ability. We also propose a hinge cross-entropy loss function to train the SCN, which enables the SCN to focus on those misclassified training samples and further improve the classification accuracy. The experimental results on MNIST and GTSRB data sets prove that the SCN achieves excellent classification accuracy comparable to the state-of-the-art methods on the original training samples and higher classification accuracy than the state-of-the-art methods on few training samples. What is more, at BIM eps = 0.3 on MNIST and FGSM eps = 0.03 on GTSRB adversarial test samples, the proposed SCN(1/4) and SCN(1/8) obtain over 75% and 14% accuracy improvement than the original CapsNet. [ABSTRACT FROM AUTHOR]

Published

2021

38. On the Robustness of Semantic Segmentation Models to Adversarial Attacks.

Author

Arnab, Anurag, Miksik, Ondrej, and Torr, Philip H. S.

Subjects

*CONVOLUTIONAL neural networks, *IMAGE segmentation, *SIGNAL convolution, *IMAGE recognition (Computer vision), *MULTISCALE modeling, *DEEP learning

Abstract

Deep Neural Networks (DNNs) have demonstrated exceptional performance on most recognition tasks such as image classification and segmentation. However, they have also been shown to be vulnerable to adversarial examples. This phenomenon has recently attracted a lot of attention but it has not been extensively studied on multiple, large-scale datasets and structured prediction tasks such as semantic segmentation which often require more specialised networks with additional components such as CRFs, dilated convolutions, skip-connections and multiscale processing. In this paper, we present what to our knowledge is the first rigorous evaluation of adversarial attacks on modern semantic segmentation models, using two large-scale datasets. We analyse the effect of different network architectures, model capacity and multiscale processing, and show that many observations made on the task of classification do not always transfer to this more complex task. Furthermore, we show how mean-field inference in deep structured models, multiscale processing (and more generally, input transformations) naturally implement recently proposed adversarial defenses. Our observations will aid future efforts in understanding and defending against adversarial examples. Moreover, in the shorter term, we show how to effectively benchmark robustness and show which segmentation models should currently be preferred in safety-critical applications due to their inherent robustness. [ABSTRACT FROM AUTHOR]

Published

2020

39. On the robustness of skeleton detection against adversarial attacks.

Author

Bai, Xiuxiu, Yang, Ming, and Liu, Zhe

Subjects

*CONVOLUTIONAL neural networks, *SKELETON

Abstract

Human perception of an object's skeletal structure is particularly robust to diverse perturbations of shape. This skeleton representation possesses substantial advantages for parts-based and invariant shape encoding, which is essential for object recognition. Multiple deep learning-based skeleton detection models have been proposed, while their robustness to adversarial attacks remains unclear. (1) This paper is the first work to study the robustness of deep learning-based skeleton detection against adversarial attacks, which are only slightly unlike the original data but still imperceptible to humans. We systematically analyze the robustness of skeleton detection models through exhaustive adversarial attacking experiments. (2) We propose a novel Frequency attack, which can directly exploit the regular and interpretable perturbations to sharply disrupt skeleton detection models. Frequency attack consists of an excitatory-inhibition waveform with high frequency attribution, which confuses edge-sensitive convolutional filters due to the sudden contrast between crests and troughs. Our comprehensive results verify that skeleton detection models are also vulnerable to adversarial attacks. The meaningful findings will inspire researchers to explore more potential robust models by involving explicit skeleton features. [ABSTRACT FROM AUTHOR]

Published

2020

40. Image Super-Resolution as a Defense Against Adversarial Attacks.

Author

Mustafa, Aamir, Khan, Salman H., Hayat, Munawar, Shen, Jianbing, and Shao, Ling

Subjects

*HIGH resolution imaging, *COMPUTER vision, *IMAGE enhancement (Imaging systems), *CONVOLUTIONAL neural networks, *IMAGE reconstruction, *IMAGE intensifiers, *IMAGE denoising, *IMAGE reconstruction algorithms

Abstract

Convolutional Neural Networks have achieved significant success across multiple computer vision tasks. However, they are vulnerable to carefully crafted, human-imperceptible adversarial noise patterns which constrain their deployment in critical security-sensitive systems. This paper proposes a computationally efficient image enhancement approach that provides a strong defense mechanism to effectively mitigate the effect of such adversarial perturbations. We show that deep image restoration networks learn mapping functions that can bring off-the-manifold adversarial samples onto the natural image manifold, thus restoring classification towards correct classes. A distinguishing feature of our approach is that, in addition to providing robustness against attacks, it simultaneously enhances image quality and retains models performance on clean images. Furthermore, the proposed method does not modify the classifier or requires a separate mechanism to detect adversarial images. The effectiveness of the scheme has been demonstrated through extensive experiments, where it has proven a strong defense in gray-box settings. The proposed scheme is simple and has the following advantages: 1) it does not require any model training or parameter optimization, 2) it complements other existing defense mechanisms, 3) it is agnostic to the attacked model and attack type, and 4) it provides superior performance across all popular attack algorithms. Our codes are publicly available at https://github.com/aamir-mustafa/super-resolution-adversarial-defense. [ABSTRACT FROM AUTHOR]

Published

2020

41. Perturbation analysis of gradient-based adversarial attacks.

Author

Ozbulak, Utku, Gasparyan, Manvel, De Neve, Wesley, and Van Messem, Arnout

Subjects

*COST functions, *CONSTRAINED optimization, *DEEP learning, *COMPARATIVE studies

Abstract

• We analyze the effectiveness of the perturbations generated by popular adversarial attacks. • We present a formal comparison of the objective functions used by popular adversarial attacks. • We expose the limited optimization space of the cross-entropy loss and the cross-entropy sign loss. • We expose the detrimental effect of cross-entropy sign loss and logit loss on adversarial optimization. • We analyze how well neural networks can identify adversarial perturbations generated by adversarial attacks. After the discovery of adversarial examples and their adverse effects on deep learning models, many studies focused on finding more diverse methods to generate these carefully crafted samples. Although empirical results on the effectiveness of adversarial example generation methods against defense mechanisms are discussed in detail in the literature, an in-depth study of the theoretical properties and the perturbation effectiveness of these adversarial attacks has largely been lacking. In this paper, we investigate the objective functions of three popular methods for adversarial example generation: the L-BFGS attack, the Iterative Fast Gradient Sign attack, and Carlini & Wagner's attack. Specifically, we perform a comparative and formal analysis of the loss functions underlying the aforementioned attacks while laying out large-scale experimental results on the ImageNet dataset. This analysis exposes (1) the faster optimization speed as well as the constrained optimization space of the cross-entropy loss, (2) the detrimental effects of using the signature of the cross-entropy loss on optimization precision as well as optimization space, and (3) the slow optimization speed of the logit loss in the context of adversariality. Our experiments reveal that the Iterative Fast Gradient Sign attack, which is thought to be fast for generating adversarial examples, is the worst attack in terms of the number of iterations required to create adversarial examples in the setting of equal perturbation. Moreover, our experiments show that the underlying loss function of Carlini & Wagner's attack, which is criticized for being substantially slower than other adversarial attacks, is not that much slower than other loss functions. Finally, we analyze how well neural networks can identify adversarial perturbations generated by the attacks under consideration, hereby revisiting the idea of adversarial retraining on ImageNet. [ABSTRACT FROM AUTHOR]

Published

2020

42. Adversarial attacks on fingerprint liveness detection.

Author

Fei, Jianwei, Xia, Zhihua, Yu, Peipeng, and Xiao, Fengjun

Subjects

*BIOMETRIC fingerprinting, *DEEP learning

Abstract

Deep neural networks are vulnerable to adversarial samples, posing potential threats to the applications deployed with deep learning models in practical conditions. A typical example is the fingerprint liveness detection module in fingerprint authentication systems. Inspired by great progress of deep learning, deep networks-based fingerprint liveness detection algorithms spring up and dominate the field. Thus, we investigate the feasibility of deceiving state-of-the-art deep networks-based fingerprint liveness detection schemes by leveraging this property in this paper. Extensive evaluations are made with three existing adversarial methods: FGSM, MI-FGSM, and Deepfool. We also proposed an adversarial attack method that enhances the robustness of adversarial fingerprint images to various transformations like rotations and flip. We demonstrate these outstanding schemes are likely to classify fake fingerprints as live fingerprints by adding tiny perturbations, even without internal details of their used model. The experimental results reveal a big loophole and threats for these schemes from a view of security, and enough attention is urgently needed to be paid on anti-adversarial not only in fingerprint liveness detection but also in all deep learning applications. [ABSTRACT FROM AUTHOR]

Published

2020

43. VAASI: Crafting valid and abnormal adversarial samples for anomaly detection systems in industrial scenarios.

Author

Perales Gómez, Angel Luis, Fernández Maimó, Lorenzo, Huertas Celdrán, Alberto, and García Clemente, Félix J.

Subjects

*ANOMALY detection (Computer security), *DEEP learning, *ARTIFICIAL intelligence, *RANDOM forest algorithms, *INTERNET security

Abstract

In the realm of industrial anomaly detection, machine and deep learning models face a critical vulnerability to adversarial attacks. In this context, existing attack methodologies primarily target continuous features, often in the context of images, making them unsuitable for the categorical or discrete features prevalent in industrial systems. To fortify the cybersecurity of industrial environments, this paper introduces a groundbreaking adversarial attack approach tailored to the unique demands of these settings. Our novel technique enables the creation of targeted adversarial samples that are valid within the framework of supervised cyberattack detection models in industrial scenarios, preserving the consistency of discrete values and correcting cases where an adversarial sample transitions into a normal one. Our approach leverages the SHAP interpretability method to identify the most salient features for each sample. Subsequently, the Projected Gradient Descent technique is employed to perturb continuous features, ensuring adversarial sample generation. To handle categorical features for a specific adversarial sample, our method scrutinizes the closest sample within the normal training dataset and replicates its categorical feature values. Additionally, Decision Trees trained within a Random Forest are utilized to ensure that the resulting adversarial samples maintain the essential abnormal behavior required for detection. The validation of our proposal was conducted using the WADI dataset obtained from a water distribution plant, providing a realistic industrial context. During validation, we assessed the mean error and the total number of adversarial samples generated by our approach, comparing it with the original Projected Gradient Descent method and the Carlini & Wagner attack across various parameter configurations. Remarkably, our proposal consistently achieved the best trade-off between mean error and the number of generated adversarial samples, showcasing its superiority in safeguarding industrial systems. [ABSTRACT FROM AUTHOR]

Published

2023

44. Adversarial attacks on deep-learning-based radar range profile target recognition.

Author

Huang, Teng, Chen, Yongfeng, Yao, Bingjian, Yang, Bifen, Wang, Xianmin, and Li, Ya

Subjects

*RADAR, *DEEP learning, *OBJECT recognition (Computer vision), *IMAGE recognition (Computer vision), *OPTICAL images

Abstract

• We generate the nontargeted and targeted fine-grained adversarial perturbations based on the binary search algorithm and the multiple-iteration method, respectively. • We generate nontargeted and targeted UAPs based on the aggregation method and the scaling method, respectively. • We verify that the UAP has transferability and generalization ability. • We verify that the adversarial perturbation is more aggressive to HRRP data than random noise. Target recognition based on a high-resolution range profile (HRRP) has always been a research hotspot in the radar signal interpretation field. Deep learning has been an important method for HRRP target recognition. However, recent research has shown that optical image target recognition methods based on deep learning are vulnerable to adversarial samples. Whether HRRP target recognition methods based on deep learning can be attacked remains an open question. In this paper, four methods of generating adversarial perturbations are proposed. Algorithm 1 generates the nontargeted fine-grained perturbation based on the binary search method. Algorithm 2 generates the targeted fine-grained perturbation based on the multiple-iteration method. Algorithm 3 generates the nontargeted universal adversarial perturbation (UAP) based on aggregating some fine-grained perturbations. Algorithm 4 generates the targeted universal perturbation based on scaling one fine-grained perturbation. These perturbations are used to generate adversarial samples to attack HRRP target recognition methods based on deep learning under white-box and black-box attacks. The experiments are conducted with actual radar data and show that the HRRP adversarial samples have certain aggressiveness. Therefore, HRRP target recognition methods based on deep learning have potential security risks. [ABSTRACT FROM AUTHOR]

Published

2020

45. Improving adversarial robustness of traffic sign image recognition networks.

Author

Hashemi, Atiye Sadat, Mozaffari, Saeed, and Alirezaee, Shahpour

Subjects

*TRAFFIC signs & signals, *ARTIFICIAL neural networks, *CONVOLUTIONAL neural networks, *COST functions, *IMAGE recognition (Computer vision), *WEIGHT training

Abstract

• Proposing a new regularization technique for image recognition convolutional networks. • Developing previous cost functions through adding a regularization parameter to perform weight decay in training phase of recognition networks aiming to make the model performance better. • Evaluating the robustness of several training procedures against both white-box and black-box attacks. • Investigating the adversarial robustness of traffic sign recognition networks by employing a traffic sign benchmark. The robustness of deep neural networks is an increasingly essential issue as they become more and more prevalent in several real-world applications like autonomous vehicles. If traffic signs turn to adversarial examples, an autonomous vehicle will probably be misled and cause fatal accidents. To improve adversarial robustness, a new cost function for training convolutional neural recognition networks is proposed in this paper. Recent works proved that by employing the classifier probabilities on the complement (incorrect) classes as well as the ground-truth class in Softmax Cross Entropy, the model achieves better performance on adversarial inputs. In this paper, we show that in addition to using the information from Softmax layer, the extracted features from convolutional layers also enhance the robustness. In our new cost function, Regularized Guided Complement Entropy (RGCE), by decreasing the output of convolutional layers' activation functions alongside utilizing Softmax layer output in training phase, we reach better model performance on adversarial attacks. Our proposed algorithm is evaluated on CIFAR-10 and GTSRB datasets. The performances of different convolutional neural networks on clean and adversarial images are reported and compared with other methods. [ABSTRACT FROM AUTHOR]

Published

2022

46. Bi-fidelity evolutionary multiobjective search for adversarially robust deep neural architectures.

Author

Liu, Jia, Cheng, Ran, and Jin, Yaochu

Subjects

*ARTIFICIAL neural networks, *EVOLUTIONARY algorithms

Abstract

Deep neural networks have been found vulnerable to adversarial attacks, thus raising potential concerns in security-sensitive contexts. To address this problem, recent research has investigated the adversarial robustness of deep neural networks from the architectural point of view. However, searching for architectures of deep neural networks is computationally expensive, particularly when coupled with an adversarial training process. To meet the above challenge, this paper proposes a bi-fidelity multiobjective neural architecture search approach. First, we formulate the neural architecture search (NAS) problem for enhancing the adversarial robustness of deep neural networks into a multiobjective optimization problem. Specifically, in addition to using low-fidelity estimations as the primary objectives, we leverage the output of a surrogate model trained with high-fidelity evaluations as an auxiliary objective. Secondly, we reduce the computational cost by combining three performance estimation methods, i.e., parameter sharing, low-fidelity evaluation, and surrogate-based predictor. The effectiveness of the proposed approach is confirmed by extensive experiments conducted on CIFAR-10, CIFAR-100 and SVHN datasets. [ABSTRACT FROM AUTHOR]

Published

2023

47. On the vulnerability of deep learning to adversarial attacks for camera model identification.

Author

Marra, F., Gragnaniello, D., and Verdoliva, L.

Subjects

*DEEP learning, *ARTIFICIAL neural networks, *ROBUST control, *JPEG (Image coding standard), *ONLINE social networks

Abstract

Camera model identification is a fundamental task for many investigative activities, and is drawing great attention in the research community. In this context, convolutional neural networks (CNN) are expected to provide a significant performance gain over the current state of the art, as already happened for a wide range of image processing applications. However, recent studies enlightened the vulnerability of CNNs to adversarial attacks, casting shadows on their reliability for critical applications. In this paper, we investigate the robustness to adversarial attacks of CNN-based methods for camera model identification. Several networks and attack methods are considered, both when the attacker has complete knowledge of the network and when only the training set is available. In addition, the analysis concerns both original and JPEG compressed images, to simulate a social network environment. The experiments, carried out on a publicly available dataset with images coming from 29 different camera models, shed some light on the suitability of CNN-based approaches for this task. [ABSTRACT FROM AUTHOR]

Published

2018

48. Collaborative Defense-GAN for protecting adversarial attacks on classification system.

Author

Laykaviriyakul, Pranpaveen and Phaisangittisagul, Ekachai

Subjects

*PLANT defenses, *DEEP learning, *PROBLEM solving, *CLASSIFICATION

Abstract

With rapid progress and significant successes in a wide domain of applications, deep learning has been extensively employed for solving complex problems. However, performance of deep learning has been vulnerable to well-designed samples, called adversarial samples. These samples are carefully designed to deceive the deep learning models without human perception. Therefore, vulnerability to adversarial attacks becomes one of the major concerns in life-critical applications of deep learning. In this paper, a novel approach to counter adversarial samples is proposed to strengthen the robustness of a deep learning model. The strategy is to filter the perturbation noise in adversarial samples prior to prediction. The proposed defense framework is based on DiscoGANs to discover the relation between attacker and defender characteristics. Attacker models are created to generate the adversarial samples from the training data, while the defender model is trained to reconstruct original samples from the adversarial samples. These two frameworks are trained to compete with each other in an alternating manner. The experimental results on different attack models are compared with popular defense mechanisms on three benchmark datasets. Our proposed method shows promising results and can improve the robustness on both white-box and black-box attacks including the computation time. • Adversarial samples without human perception degrade model prediction. • Filtering the perturbation noise can strengthen the robustness of the model. • The proposed method achieves impressive performance over various attacks. • Improvement of computation time of the reconstruction process is demonstrated. • Results illustrate the robustness to both white-box and black-box attacks. [ABSTRACT FROM AUTHOR]

Published

2023

49. Adversarial attacks and active defense on deep learning based identification of GaN power amplifiers under physical perturbation.

Author

Xu, Yuqing, Xu, Guangxia, An, Zeliang, Nielsen, Martin Hedegaard, and Shen, Ming

Subjects

*POWER amplifiers, *DEEP learning, *HUMAN fingerprints, *WIRELESS sensor networks, *GENERATIVE adversarial networks, *GALLIUM nitride

Abstract

Deep learning (DL)-based radiofrequency (RF) fingerprinting identification has shown significantly growing importance in the wireless industry including 5G, IoT and Wireless Sensor Networks (WSN). However, there is little investigation on the robustness of the corresponding DL models against adversarial attacks and adversarial defense. This paper discusses the effects of four cutting-edge adversarial attacks on DL-based RF fingerprinting identification and provides a graphical analysis of RF feature perturbations following adversarial attacks. For the first time we also demonstrate the results of combined physical attack (i.e. tuning the drain currents of the power amplifiers) by tuning the physical features of the device hardware (i.e. drain current), and adversarial attacks on DL-based classifiers. Experimental results from 16 Gallium nitride (GaN) power amplifiers (PA) reveal that adversarial attacks can seriously deteriorate the accuracy of RF identification from about 100.00% to below 10.00% even with only 0.50% adversarial perturbation. In order to deal with the problem of decreased accuracy caused by attacks, we proposed an adversarial defense method based on feature-level interpretability (FIAT), which improved the accuracy of RF identification with interpretability analysis. The results compared with several common defense methods validate that the proposed FIAT can maintain an accuracy of 96.00% even when the adversarial attack perturbation is 5.00% and with physical attack. Moreover, the changes of data features in the process of adversarial attacks and defense are given, providing a new way for the interpretability of adversarial attacks and defense on RF identification tasks. [ABSTRACT FROM AUTHOR]

Published

2023

50. DetectX—Adversarial Input Detection Using Current Signatures in Memristive XBar Arrays.

Author

Moitra, Abhishek and Panda, Priyadarshini

Subjects

*CMOS integrated circuits, *ANALOG integrated circuits, *ANALOG circuits

Abstract

Adversarial input detection has emerged as a prominent technique to harden Deep Neural Networks (DNNs) against adversarial attacks. Most prior works use neural network-based detectors or complex statistical analysis for adversarial detection. These approaches are computationally intensive and vulnerable to adversarial attacks. To this end, we propose DetectX—A hardware friendly adversarial detection mechanism using hardware signatures like Sum of column Currents (SoI) in memristive crossbars (XBar). We show that adversarial inputs have higher SoI compared to clean inputs. However, the difference is too small for reliable adversarial detection. Hence, we propose a dual-phase training methodology: Phase1 training is geared towards increasing the separation between clean and adversarial SoIs; Phase2 training improves the overall robustness against different strengths of adversarial attacks. For hardware-based adversarial detection, we implement the DetectX module using 32 nm CMOS circuits and integrate it with a Neurosim-like analog crossbar architecture. We perform hardware evaluation of the Neurosim+DetectX system on the Neurosim platform using datasets-CIFAR10(VGG8), CIFAR100(VGG16) and TinyImagenet(ResNet18). Our experiments show that DetectX is 10x-25x more energy efficient and immune to dynamic adversarial attacks compared to previous state-of-the-art works. Moreover, we achieve high detection performance (ROC-AUC>0.95) for strong white-box and black-box attacks. [ABSTRACT FROM AUTHOR]

Published

2021