Showing total 69 results

1. Can We Trust AI-Powered Real-Time Embedded Systems? (Invited Paper)

Author

Buttazzo, Giorgio

Subjects

Computer systems organization, Hypervisors, Heterogeneous architectures, Adversarial attacks, FPGA acceleration, Deep learning, Real-Time Systems, Mixed criticality systems, Trustworthy AI

Abstract

The excellent performance of deep neural networks and machine learning algorithms is pushing the industry to adopt such a technology in several application domains, including safety-critical ones, as self-driving vehicles, autonomous robots, and diagnosis support systems for medical applications. However, most of the AI methodologies available today have not been designed to work in safety-critical environments and several issues need to be solved, at different architecture levels, to make them trustworthy. This paper presents some of the major problems existing today in AI-powered embedded systems, highlighting possible solutions and research directions to support them, increasing their security, safety, and time predictability., OASIcs, Vol. 98, Third Workshop on Next Generation Real-Time Embedded Systems (NG-RES 2022), pages 1:1-1:14

Published

2022

2. Sound classification using wavelet transformation and deep learning methods

Author

Brbor, Ana and Milišić, Josipa Pina

Subjects

STFT, spektrogram, TEHNIČKE ZNANOSTI. Računarstvo, spektar, robusnost modela, deep learning, rezidualne neuronske mreže, residual neural networks, spectrum, zvuk, Fourierova transformacija, protivnički napadi, sound, adversarial attacks, MFCC, spectrogram, TECHNICAL SCIENCES. Computing, Fourier transform, model robustness, duboko učenje, DWT

Abstract

Klasifikacija zvuka postaje sve popularniji zadatak s različitim primjenama u današnjem svijetu. U ovom radu smo se bavili klasifikacijom zvuka pomoću modela rezidualne neuronske mreže gdje su ulazni podaci bili spektrogrami dobiveni iz tri transformacije od interesa: Fourierove transformacije na vremenskom otvoru, mel-frekvencijskih kepstralnih koeficijenata i diskretne valićne transformacije. U prvom dijelu rada postavili smo teorijske osnove obrade zvuka pomoću ovih transformacija prije nego što smo prešli na duboko rezidualno učenje i protivničke napade kojima je testirana robusnost modela. Na kraju smo na praktičnom primjeru pokazali treniranje i validaciju jednog rezidualnog modela te komentirali rezultate iz prijašnjih istraživanja uz numerički prikaz rješenja. Rad smo zaključili s komentarima o svim konceptima kroz koje smo prošli te se dotaknuli potencijalnog budućeg istraživanja. Sound classification is an increasingly popular task with different applications in today's world. In this paper we've talked about sound classification using a residual neural network model where the input data were spectrograms obtained from three transformations of interest: short-time Fourier transform, mel-frequency cepstral coefficients and discrete wavelet transform. In the first half of the paper we've set a theoretical basis of sound processing via these transformations before delving into the definition of deep residual learning and adversarial attacks which were used to test the model robustness. In the end we've shown a practical example of training and validating of one such residual model, while commenting the results of prior research with numeric data displayed. We've concluded the paper with comments about all traversed concepts and touched upon potential future research.

Published

2022

3. Detect Adversarial Attacks Against Deep Neural Networks With GPU Monitoring

Author

Andrea Ceccarelli and Tommaso Zoppi

Subjects

General Computer Science, Computer science, Attack detection, Graphics processing unit, Machine learning, computer.software_genre, graphics processing unit, deep Neural Networks, Data modeling, Image (mathematics), Adversarial system, Software, Robustness (computer science), General Materials Science, business.industry, General Engineering, anomaly detection, TK1-9971, adversarial attacks, Deep neural networks, Artificial intelligence, Performance indicator, Electrical engineering. Electronics. Nuclear engineering, business, computer, image classification

Abstract

Deep Neural Networks (DNNs) are the preferred choice for image-based machine learning applications in several domains. However, DNNs are vulnerable to adversarial attacks, that are carefully-crafted perturbations introduced on input images to fool a DNN model. Adversarial attacks may prevent the application of DNNs in security-critical tasks: consequently, relevant research effort is put in securing DNNs. Typical approaches either increase model robustness, or add detection capabilities in the model, or operate on the input data. Instead, in this paper we propose to detect ongoing attacks through monitoring performance indicators of the underlying Graphics Processing Unit (GPU). In fact, adversarial attacks generate images that activate neurons of DNNs in a different way than legitimate images. This also causes an alteration of GPU activities, that can be observed through software monitors and anomaly detectors. This paper presents our monitoring and detection system, and an extensive experimental analysis that includes a total of 14 adversarial attacks, 3 datasets, and 12 models. Results show that, despite limitations on the monitoring resolution, adversarial attacks can be detected in most cases, with peaks of detection accuracy above 90%.

Published

2021

4. Adversarial Scratches: Deployable Attacks to CNN Classifiers

Author

Loris Giulivi, Malhar Jere, Loris Rossi, Farinaz Koushanfar, Gabriela Ciocarlie, Briland Hitaj, and Giacomo Boracchi

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, I.4, I.5, Computer Vision and Pattern Recognition (cs.CV), Adversarial attacks, Computer Science - Computer Vision and Pattern Recognition, Adversarial perturbations, Adversarial attacks, Deep learning, Convolutional neural networks, Bézier curves, Deep learning, Bézier curves, Machine Learning (cs.LG), Adversarial perturbations, Artificial Intelligence, Signal Processing, Convolutional neural networks, Computer Vision and Pattern Recognition, Cryptography and Security (cs.CR), Software

Abstract

A growing body of work has shown that deep neural networks are susceptible to adversarial examples. These take the form of small perturbations applied to the model's input which lead to incorrect predictions. Unfortunately, most literature focuses on visually imperceivable perturbations to be applied to digital images that often are, by design, impossible to be deployed to physical targets. We present Adversarial Scratches: a novel L0 black-box attack, which takes the form of scratches in images, and which possesses much greater deployability than other state-of-the-art attacks. Adversarial Scratches leverage B\'ezier Curves to reduce the dimension of the search space and possibly constrain the attack to a specific location. We test Adversarial Scratches in several scenarios, including a publicly available API and images of traffic signs. Results show that, often, our attack achieves higher fooling rate than other deployable state-of-the-art methods, while requiring significantly fewer queries and modifying very few pixels., Comment: This work is published at Pattern Recognition (Elsevier). This paper stems from 'Scratch that! An Evolution-based Adversarial Attack against Neural Networks' for which an arXiv preprint is available at arXiv:1912.02316. Further studies led to a complete overhaul of the work, resulting in this paper

Published

2022

5. Towards robust rain removal against adversarial attacks: a comprehensive benchmark analysis and beyond

Author

Yi Yu, Wenhan Yang, Yap-Peng Tan, Alex C. Kot, Interdisciplinary Graduate School (IGS), School of Electrical and Electronic Engineering, 2022 IEEE/CVF Computer Vision and Pattern Recognition Conference (CVPR), and Rapid-Rich Object Search (ROSE) Lab

Subjects

FOS: Computer and information sciences, Rain Sreak Removal, Computer Science - Cryptography and Security, Computer science and engineering::Computing methodologies::Image processing and computer vision [Engineering], Computer science and engineering::Computing methodologies::Pattern recognition [Engineering], Computer Vision and Pattern Recognition (cs.CV), Computer Science - Computer Vision and Pattern Recognition, Cryptography and Security (cs.CR), Adversarial Attacks

Abstract

Rain removal aims to remove rain streaks from images/videos and reduce the disruptive effects caused by rain. It not only enhances image/video visibility but also allows many computer vision algorithms to function properly. This paper makes the first attempt to conduct a comprehensive study on the robustness of deep learning-based rain removal methods against adversarial attacks. Our study shows that, when the image/video is highly degraded, rain removal methods are more vulnerable to the adversarial attacks as small distortions/perturbations become less noticeable or detectable. In this paper, we first present a comprehensive empirical evaluation of various methods at different levels of attacks and with various losses/targets to generate the perturbations from the perspective of human perception and machine analysis tasks. A systematic evaluation of key modules in existing methods is performed in terms of their robustness against adversarial attacks. From the insights of our analysis, we construct a more robust deraining method by integrating these effective modules. Finally, we examine various types of adversarial attacks that are specific to deraining problems and their effects on both human and machine vision tasks, including 1) rain region attacks, adding perturbations only in the rain regions to make the perturbations in the attacked rain images less visible; 2) object-sensitive attacks, adding perturbations only in regions near the given objects. Code is available at https://github.com/yuyi-sd/Robust_Rain_Removal., Comment: 10 pages, 6 figures, to appear in CVPR 2022

Published

2022

6. Survey on federated learning threats: Concepts, taxonomy on attacks and defences, experimental study and challenges

Author

Nuria Rodríguez-Barroso, Daniel Jiménez-López, M. Victoria Luzón, Francisco Herrera, and Eugenio Martínez-Cámara

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Adversarial attacks, Federated learning, Defences, Machine Learning (cs.LG), Artificial Intelligence (cs.AI), Hardware and Architecture, Signal Processing, Privacy attacks, Cryptography and Security (cs.CR), Software, Information Systems

Abstract

Federated learning is a machine learning paradigm that emerges as a solution to the privacy-preservation demands in artificial intelligence. As machine learning, federated learning is threatened by adversarial attacks against the integrity of the learning model and the privacy of data via a distributed approach to tackle local and global learning. This weak point is exacerbated by the inaccessibility of data in federated learning, which makes harder the protection against adversarial attacks and evidences the need to furtherance the research on defence methods to make federated learning a real solution for safeguarding data privacy. In this paper, we present an extensive review of the threats of federated learning, as well as as their corresponding countermeasures, attacks versus defences. This survey provides a taxonomy of adversarial attacks and a taxonomy of defence methods that depict a general picture of this vulnerability of federated learning and how to overcome it. Likewise, we expound guidelines for selecting the most adequate defence method according to the category of the adversarial attack. Besides, we carry out an extensive experimental study from which we draw further conclusions about the behaviour of attacks and defences and the guidelines for selecting the most adequate defence method according to the category of the adversarial attack. This study is finished leading to meditated learned lessons and challenges., R&D&I, Spain - MCIN/AEI PID2020-119478GB-I00 PID2020-116118GA-I00 EQC2018-005084-P, MCIN/AEI FPU18/04475

Published

2023

7. A Pornographic Images Recognition Model based on Deep One-Class Classification With Visual Attention Mechanism

Author

Chun Xu, Gang Liang, Jin Yang, Wenbo He, Chen Junren, and Ruihang Liu

Subjects

General Computer Science, Computer science, 02 engineering and technology, Convolutional neural network, Field (computer science), Image (mathematics), Pornography classification, 0202 electrical engineering, electronic engineering, information engineering, Image scaling, One-class classification, Preprocessor, General Materials Science, Artificial neural network, business.industry, General Engineering, deep learning, 020206 networking & telecommunications, Pattern recognition, one-class classification, Constraint (information theory), adversarial attacks, 020201 artificial intelligence & image processing, Artificial intelligence, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, visual attention mechanism, lcsh:TK1-9971

Abstract

The existing approaches usually treat the recognition of pornographic images as a binary or multi-class classification task, which is realized by extracting a variety of features. However, these approaches ignore the problem of infinite kinds in the negative samples and lose sight of the impact of uncertainty in classification tasks, resulting in inadequate negative data sets and incorrect recognition of samples that are not in the training set. In order to address this challenge, this paper proposes a method named Deep One-Class with Attention for Pornography (DOCAPorn) that recognizes the pornographic images through the one-class classification model based on neural networks and introduces the visual attention mechanism to enhance the performance of recognition. Moreover, since the existing approaches based on deep convolutional neural networks (CNNs) require a fixed-size (e.g., $224\times224$ ) input image, the geometric distortion caused by image scaling is not considerd in the existing approaches, which reduces the pornographic image recognizition accuracy. In order to solve this issue, this paper proposes the Scale Constraint Pooling (SCP) that converts the inputs of different dimensions into outputs of the same dimension. In addition, all the existing approaches ignore the adversarial attacks in the field of pornographic image recognition. In order to deal with this problem, the paper proposes the Preprocessing for Compressing and Reconstructing (PreCR), a pre-processing approach that reduces the subtle perturbation through compressing the images and then reconstructs the purified image for recognition. The proposed approach is verified by conducting comparative experiments using custom datasets. The experimental results showed that we achieved an accuracy of 98.419% on our dataset. In addition, the proposed approach yielded a recognition accuracy of 95.632% on the NPDI dataset. Furthermore, the obtained results demonstrate that the proposed approach not only effectively recognizes pornographic images but also effectively defends the adversarial attacks.

Published

2020

8. Detection of SQL Injection Attack Using Machine Learning Techniques: A Systematic Literature Review

Author

Maha Alghawazi, Daniyal Alghazzawi, and Suaad Alarifi

Subjects

SQL injection, machine learning, deep learning, adversarial attacks, Pharmacology (medical)

Abstract

An SQL injection attack, usually occur when the attacker(s) modify, delete, read, and copy data from database servers and are among the most damaging of web application attacks. A successful SQL injection attack can affect all aspects of security, including confidentiality, integrity, and data availability. SQL (structured query language) is used to represent queries to database management systems. Detection and deterrence of SQL injection attacks, for which techniques from different areas can be applied to improve the detect ability of the attack, is not a new area of research but it is still relevant. Artificial intelligence and machine learning techniques have been tested and used to control SQL injection attacks, showing promising results. The main contribution of this paper is to cover relevant work related to different machine learning and deep learning models used to detect SQL injection attacks. With this systematic review, we aims to keep researchers up-to-date and contribute to the understanding of the intersection between SQL injection attacks and the artificial intelligence field.

Published

2022

9. Towards Resilient and Secure Smart Grids against PMU Adversarial Attacks: A Deep Learning-Based Robust Data Engineering Approach

Author

Amirat, Tarek Berghout, Mohamed Benbouzid, and Yassine

Subjects

adversarial attacks, blackbox attack, deep learning, phasor measurement unit (PMU), smart grids, wide area monitoring systems

Abstract

In an attempt to provide reliable power distribution, smart grids integrate monitoring, communication, and control technologies for better energy consumption and management. As a result of such cyberphysical links, smart grids become vulnerable to cyberattacks, highlighting the significance of detecting and monitoring such attacks to uphold their security and dependability. Accordingly, the use of phasor measurement units (PMUs) enables real-time monitoring and control, providing informed-decisions data and making it possible to sense abnormal behavior indicative of cyberattacks. Similar to the ways it dominates other fields, deep learning has brought a lot of interest to the realm of cybersecurity. A common formulation for this issue is learning under data complexity, unavailability, and drift connected to increasing cardinality, imbalance brought on by data scarcity, and fast change in data characteristics, respectively. To address these challenges, this paper suggests a deep learning monitoring method based on robust feature engineering, using PMU data with greater accuracy, even within the presence of cyberattacks. The model is initially investigated using condition monitoring data to identify various disturbances in smart grids free from adversarial attacks. Then, a minimally disruptive experiment using adversarial attack injection with various reality-imitating techniques is conducted, inadvertently damaging the original data and using it to retrain the deep network, boosting its resistance to manipulations. Compared to previous studies, the proposed method demonstrated promising results and better accuracy, making it a potential option for smart grid condition monitoring. The full set of experimental scenarios performed in this study is available online.

Published

2023

10. Detection of Adversarial Attacks against the Hybrid Convolutional Long Short-Term Memory Deep Learning Technique for Healthcare Monitoring Applications

Author

Rassam, Albatul Albattah and Murad A.

Subjects

Internet of Healthcare Things (IoHT), anomaly detection, deep learning, convolutional long short-term memory (ConvLSTM), adversarial attacks

Abstract

Deep learning (DL) models are frequently employed to extract valuable features from heterogeneous and high-dimensional healthcare data, which are used to keep track of patient well-being via healthcare monitoring systems. Essentially, the training and testing data for such models are collected by huge IoT devices that may contain noise (e.g., incorrect labels, abnormal data, and incomplete information) and may be subject to various types of adversarial attacks. Therefore, to ensure the reliability of the various Internet of Healthcare Things (IoHT) applications, the training and testing data that are required for such DL techniques should be guaranteed to be clean. This paper proposes a hybrid convolutional long short-term memory (ConvLSTM) technique to assure the reliability of IoHT monitoring applications by detecting anomalies and adversarial content in the training data used for developing DL models. Furthermore, countermeasure techniques are suggested to protect the DL models against such adversarial attacks during the training phase. An experimental evaluation using the public PhysioNet dataset demonstrates the ability of the proposed model to detect anomalous readings in the presence of adversarial attacks that were introduced in the training and testing stages. The evaluation results revealed that the model achieved an average F1 score of 97% and an accuracy of 98%, despite the introduction of adversarial attacks.

Published

2023

11. One evolutionary algorithm deceives humans and ten convolutional neural networks trained on ImageNet at image recognition

Author

Ali Osman Topal, Raluca Chitic, Franck Leprévost, and University of Luxembourg: High Performance Computing - ULHPC [research center]

Subjects

Computer science [C05] [Engineering, computing & technology], Image classification, Evolutionary algorithm, Adversarial attacks, Black-box attacks, Convolutional neural network, Sciences informatiques [C05] [Ingénierie, informatique & technologie], Software

Abstract

Convolutional neural networks (CNNs) are widely used in computer vision, but can be deceived by carefully crafted adversarial images. In this paper, we propose an evolutionary algorithm (EA) based adversarial attack against CNNs trained on ImageNet. Our EA-based attack aims to generate adversarial images that not only achieve a high confidence probability of being classified into the target category (at least 75%), but also appear indistinguishable to the human eye in a black-box setting. These constraints are implemented to simulate a realistic adversarial attack scenario. Our attack has been thoroughly evaluated on 10 CNNs in various attack scenarios, including high-confidence targeted, good-enough targeted, and untargeted. Furthermore, we have compared our attack favorably against other well-known white-box and black-box attacks. The experimental results revealed that the proposed EA-based attack is superior or on par with its competitors in terms of the success rate and the visual quality of the adversarial images produced.

Published

2023

12. Transferability analysis of adversarial attacks on gender classification to face recognition: Fixed and variable attack perturbation

Author

Rezgui, Zohra, Bassit, Amina, Veldhuis, Raymond, Datamanagement & Biometrics, and Digital Society Institute

Subjects

gender classification, adversarial attacks, privacy protection, Signal Processing, Computer Vision and Pattern Recognition, Software, face recognition

Abstract

Most deep learning-based image classification models are vulnerable to adversarial attacks that introduce imperceptible changes to the input images for the purpose of model misclassification. It has been demonstrated that these attacks, targeting a specific model, are transferable among models performing the same task. However, models performing different tasks but sharing the same input space and model architecture were never considered in the transferability scenarios presented in the literature. In this paper, this phenomenon was analysed in the context of VGG16-based and ResNet50-based biometric classifiers. The authors investigate the impact of two white-box attacks on a gender classifier and contrast a defence method as a countermeasure. Then, using adversarial images generated by the attacks, a pre-trained face recognition classifier is attacked in a black-box fashion. Two verification comparison settings are employed, in which images perturbed with the same and different magnitude of the perturbation are compared. The authors’ results indicate transferability in the fixed perturbation setting for a Fast Gradient Sign Method attack and non-transferability in a pixel-guided denoiser attack setting. The interpretation of this non-transferability can support the use of fast and train-free adversarial attacks targeting soft biometric classifiers as means to achieve soft biometric privacy protection while maintaining facial identity as utility.

Published

2022

13. Defending Adversarial Examples via DNN Bottleneck Reinforcement

Author

Li Li, Teddy Furon, Wenqing Liu, Miaojing Shi, Tongji University, Creating and exploiting explicit links between multimedia fragments (LinkMedia), Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-MEDIA ET INTERACTIONS (IRISA-D6), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), King‘s College London, ANR-20-CHIA-0011,SAIDA,Sécurité de l'Intelligence Artificielle pour des Applications Défense(2020), MEDIA ET INTERACTIONS (IRISA-D6), Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-CentraleSupélec-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Inria Rennes – Bretagne Atlantique, and Institut National de Recherche en Informatique et en Automatique (Inria)

Subjects

FOS: Computer and information sciences, Computer science, Computer Vision and Pattern Recognition (cs.CV), Computer Science - Computer Vision and Pattern Recognition, information bottleneck, 010501 environmental sciences, Machine learning, computer.software_genre, 01 natural sciences, Bottleneck, [INFO.INFO-AI]Computer Science [cs]/Artificial Intelligence [cs.AI], Adversarial system, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], [INFO.INFO-TS]Computer Science [cs]/Signal and Image Processing, 0502 economics and business, 050207 economics, Reinforcement, 0105 earth and related environmental sciences, business.industry, 05 social sciences, auto-encoder, Information bottleneck method, Autoencoder, Software and application security, adversarial attacks, Artificial intelligence, business, computer, Classifier (UML), MNIST database

Abstract

This paper presents a DNN bottleneck reinforcement scheme to alleviate the vulnerability of Deep Neural Networks (DNN) against adversarial attacks. Typical DNN classifiers encode the input image into a compressed latent representation more suitable for inference. This information bottleneck makes a trade-off between the image-specific structure and class-specific information in an image. By reinforcing the former while maintaining the latter, any redundant information, be it adversarial or not, should be removed from the latent representation. Hence, this paper proposes to jointly train an auto-encoder (AE) sharing the same encoding weights with the visual classifier. In order to reinforce the information bottleneck, we introduce the multi-scale low-pass objective and multi-scale high-frequency communication for better frequency steering in the network. Unlike existing approaches, our scheme is the first reforming defense per se which keeps the classifier structure untouched without appending any pre-processing head and is trained with clean images only. Extensive experiments on MNIST, CIFAR-10 and ImageNet demonstrate the strong defense of our method against various adversarial attacks., Comment: ACM MM 2020 - Full Paper

Published

2020

14. Adversarial attacks and active defense on deep learning based identification of GaN power amplifiers under physical perturbation

Author

Yuqing Xu, Guangxia Xu, Zeliang An, Martin Hedegaard Nielsen, and Ming Shen

Subjects

Feature-level interpretability, Adversarial attacks, Convolutional neural network, Deep learning, Radiofrequency fingerprinting identification, Electrical and Electronic Engineering

Abstract

Deep learning (DL)-based radiofrequency (RF) fingerprinting identification has shown significantly growing importance in the wireless industry including 5G, IoT and Wireless Sensor Networks (WSN). However, there is little investigation on the robustness of the corresponding DL models against adversarial attacks and adversarial defense. This paper discusses the effects of four cutting-edge adversarial attacks on DL-based RF fingerprinting identification and provides a graphical analysis of RF feature perturbations following adversarial attacks. For the first time we also demonstrate the results of combined physical attack (i.e. tuning the drain currents of the power amplifiers) by tuning the physical features of the device hardware (i.e. drain current), and adversarial attacks on DL-based classifiers. Experimental results from 16 Gallium nitride (GaN) power amplifiers (PA) reveal that adversarial attacks can seriously deteriorate the accuracy of RF identification from about 100.00% to below 10.00% even with only 0.50% adversarial perturbation. In order to deal with the problem of decreased accuracy caused by attacks, we proposed an adversarial defense method based on feature-level interpretability (FIAT), which improved the accuracy of RF identification with interpretability analysis. The results compared with several common defense methods validate that the proposed FIAT can maintain an accuracy of 96.00% even when the adversarial attack perturbation is 5.00% and with physical attack. Moreover, the changes of data features in the process of adversarial attacks and defense are given, providing a new way for the interpretability of adversarial attacks and defense on RF identification tasks.

Published

2023

15. SIEMS:A Secure Intelligent Energy Management System for Industrial IoT applications

Author

Pedram Asef, Rahim Taheri, Mohammad Shojafar, Iosif Mporas, and Rahim Tafazolli

Subjects

Informatics, Resilience, Detectors, Hybrid Microgrid, Computer Science Applications, Machine Learning, Cyber-Physical Security, Internet of things (IoT), Energy management systems, Control and Systems Engineering, Energy Management, Security, SDG 7 - Affordable and Clean Energy, Microgrids, Electrical and Electronic Engineering, Adversarial Attacks, Prediction algorithms, Information Systems

Abstract

In this work, we deploy a one-day-ahead prediction algorithm using a deep neural network for a fast-response BESS in an intelligent energy management system (I-EMS) that is called SIEMS. The main role of the SIEMS is to maintain the state of charge at high rates based on the one-day-ahead information about solar power, which depends on meteorological conditions. The remaining power is supplied by the main grid for sustained power streaming between BESS and end-users. Considering the usage of information and communication technology components in the microgrids, the main objective of this paper is focused on the hybrid microgrid performance under cyber-physical security adversarial attacks. Fast gradient sign, basic iterative, and DeepFool methods, which are investigated for the first time in power systems e.g. smart grid and microgrids, in order to produce perturbation for training data.

Published

2023

16. RSMDA: Random Slices Mixing Data Augmentation

Author

Teerath Kumar, Alessandra Mileo, Rob Brennan, and Malika Bendechache

Subjects

Fluid Flow and Transfer Processes, adversarial attacks, class activation maps, Process Chemistry and Technology, General Engineering, convolutional neural network, deep learning, General Materials Science, Instrumentation, Computer Science Applications, data augmentation, image classification

Abstract

Advanced data augmentation techniques have demonstrated great success in deep learning algorithms. Among these techniques, single-image-based data augmentation (SIBDA), in which a single image’s regions are randomly erased in different ways, has shown promising results. However, randomly erasing image regions in SIBDA can cause a loss of the key discriminating features, consequently misleading neural networks and lowering their performance. To alleviate this issue, in this paper, we propose the random slices mixing data augmentation (RSMDA) technique, in which slices of one image are placed onto another image to create a third image that enriches the diversity of the data. RSMDA also mixes the labels of the original images to create an augmented label for the new image to exploit label smoothing. Furthermore, we propose and investigate three strategies for RSMDA: (i) the vertical slices mixing strategy, (ii) the horizontal slices mixing strategy, and (iii) a random mix of both strategies. Of these strategies, the horizontal slice mixing strategy shows the best performance. To validate the proposed technique, we perform several experiments using different neural networks across four datasets: fashion-MNIST, CIFAR10, CIFAR100, and STL10. The experimental results of the image classification with RSMDA showed better accuracy and robustness than the state-of-the-art (SOTA) single-image-based and multi-image-based methods. Finally, class activation maps are employed to visualize the focus of the neural network and compare maps using the SOTA data augmentation methods.

Published

2023

17. Harnessing the Adversarial Perturbation to Enhance Security in the Autoencoder-Based Communication System

Author

Qian Sang and Zhixiang Deng

Subjects

Computer Networks and Communications, Computer science, 0211 other engineering and technologies, lcsh:TK7800-8360, 02 engineering and technology, Data_CODINGANDINFORMATIONTHEORY, Communications system, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, Secure transmission, 021110 strategic, defence & security studies, Artificial neural network, business.industry, Deep learning, lcsh:Electronics, physical layer security, deep learning, 020206 networking & telecommunications, Adversary, Autoencoder, adversarial attacks, Hardware and Architecture, Control and Systems Engineering, Signal Processing, adversarial training, Artificial intelligence, business, autoencoder communication system, Computer network

Abstract

Given the vulnerability of deep neural network to adversarial attacks, the application of deep learning in the wireless physical layer arouses comprehensive security concerns. In this paper, we consider an autoencoder-based communication system with a full-duplex (FD) legitimate receiver and an external eavesdropper. It is assumed that the system is trained from end-to-end based on the concepts of autoencoder. The FD legitimate receiver transmits a well-designed adversary perturbation signal to jam the eavesdropper while receiving information simultaneously. To defend the self-perturbation from the loop-back channel, the legitimate receiver is re-trained with the adversarial training method. The simulation results show that with the scheme proposed in this paper, the block-error-rate (BLER) of the legitimate receiver almost remains unaffected while the BLER of the eavesdropper is increased by orders of magnitude. This ensures reliable and secure transmission between the transmitter and the legitimate receiver.

Published

2020

18. Hardware and Software Optimizations for Accelerating Deep Neural Networks: Survey of Current Trends, Challenges, and the Road Ahead

Author

Maurizio Capra, Alberto Marchisio, Guido Masera, Beatrice Bussolino, Muhammad Shafique, and Maurizio Martina

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Artificial intelligence, Capsule Networks, Computer science, Performance, Area, 02 engineering and technology, Efficiency, Data Flow, Convolutional neural network, Machine Learning (cs.LG), Computer Architecture, Machine Learning, Spiking Neural Networks, Hardware Architecture (cs.AR), 0202 electrical engineering, electronic engineering, information engineering, General Materials Science, Computer Science - Hardware Architecture, Adversarial Attacks, Energy, Artificial neural network, AI, CNNs, Convolutional Neural Networks, Deep Learning, Deep Neural Networks, DNNs, Hardware Accelerator, Latency, ML, Optimization, Power Consumption, VLSI, General Engineering, 020202 computer hardware & architecture, 020201 artificial intelligence & image processing, lcsh:TK1-9971, Computer hardware, General Computer Science, Spiking neural network, Flexibility (engineering), business.industry, Deep learning, Key (cryptography), Hardware acceleration, lcsh:Electrical engineering. Electronics. Nuclear engineering, business

Abstract

Currently, Machine Learning (ML) is becoming ubiquitous in everyday life. Deep Learning (DL) is already present in many applications ranging from computer vision for medicine to autonomous driving of modern cars as well as other sectors in security, healthcare, and finance. However, to achieve impressive performance, these algorithms employ very deep networks, requiring a significant computational power, both during the training and inference time. A single inference of a DL model may require billions of multiply-and-accumulated operations, making the DL extremely compute- and energy-hungry. In a scenario where several sophisticated algorithms need to be executed with limited energy and low latency, the need for cost-effective hardware platforms capable of implementing energy-efficient DL execution arises. This paper first introduces the key properties of two brain-inspired models like Deep Neural Network (DNN), and Spiking Neural Network (SNN), and then analyzes techniques to produce efficient and high-performance designs. This work summarizes and compares the works for four leading platforms for the execution of algorithms such as CPU, GPU, FPGA and ASIC describing the main solutions of the state-of-the-art, giving much prominence to the last two solutions since they offer greater design flexibility and bear the potential of high energy-efficiency, especially for the inference process. In addition to hardware solutions, this paper discusses some of the important security issues that these DNN and SNN models may have during their execution, and offers a comprehensive section on benchmarking, explaining how to assess the quality of different networks and hardware systems designed for them., Accepted for publication in IEEE Access

Published

2020

19. A Methodology for Evaluating the Robustness of Anomaly Detectors to Adversarial Attacks in Industrial Scenarios

Author

Lorenzo Fernández Maimó, Javier Maroto, Alberto Huertas Celdrán, Félix Jesús Garcia Clemente, Ángel Luis Perales Gómez, Gérôme Bovet, University of Zurich, and Perales Gómez, Ángel L

Subjects

perturbation methods, industries, General Computer Science, 10009 Department of Informatics, 2208 Electrical and Electronic Engineering, industrial control systems, evasion attacks, General Engineering, deep learning, robustness, 000 Computer science, knowledge & systems, neural networks, 2500 General Materials Science, adversarial attacks, machine learning, 2200 General Engineering, General Materials Science, 1700 General Computer Science, transforms, Electrical and Electronic Engineering, detectors

Abstract

Anomaly Detection systems based on Machine and Deep learning are the most promising solutions to detect cyberattacks in the industry. However, these techniques are vulnerable to adversarial attacks that downgrade prediction performance. Several techniques have been proposed to measure the robustness of Anomaly Detection in the literature. However, they do not consider that, although a small perturbation in an anomalous sample belonging to an attack, i.e., Denial of Service, could cause it to be misclassified as normal while retaining its ability to damage, an excessive perturbation might also transform it into a truly normal sample, with no real impact on the industrial system. This paper presents a methodology to calculate the robustness of Anomaly Detection models in industrial scenarios. The methodology comprises four steps and uses a set of additional models called support models to determine if an adversarial sample remains anomalous. We carried out the validation using the Tennessee Eastman process, a simulated testbed of a chemical process. In such a scenario, we applied the methodology to both a Long-Short Term Memory (LSTM) neural network and 1-dimensional Convolutional Neural Network (1D-CNN) focused on detecting anomalies produced by different cyberattacks. The experiments showed that 1D-CNN is significantly more robust than LSTM for our testbed. Specifically, a perturbation of 60% (empirical robustness of 0.6) of the original sample is needed to generate adversarial samples for LSTM, whereas in 1D-CNN the perturbation required increases up to 111% (empirical robustness of 1.11).

Published

2022

20. Adversarial Attacks and Defense Technologies on Autonomous Vehicles: A Review

Author

K. T. Y. Mahima, Mohamed Ayoob, and Guhanathan Poravi

Subjects

QA76.75-76.765, adversarial attacks, machine learning, autonomous driving, adversarial robustness, Computer software, General Medicine, computer vision

Abstract

In recent years, various domains have been influenced by the rapid growth of machine learning. Autonomous driving is an area that has tremendously developed in parallel with the advancement of machine learning. In autonomous vehicles, various machine learning components are used such as traffic lights recognition, traffic sign recognition, limiting speed and pathfinding. For most of these components, computer vision technologies with deep learning such as object detection, semantic segmentation and image classification are used. However, these machine learning models are vulnerable to targeted tensor perturbations called adversarial attacks, which limit the performance of the applications. Therefore, implementing defense models against adversarial attacks has become an increasingly critical research area. The paper aims at summarising the latest adversarial attacks and defense models introduced in the field of autonomous driving with machine learning technologies up until mid-2021.

Published

2021

21. Fruit-classification model resilience under adversarial attack

Author

Raheel Siddiqi

Subjects

Technology, General Chemical Engineering, Science, Adversarial attacks, General Engineering, Fruit image classification, General Physics and Astronomy, Classifier robustness, Fine-tuning, General Earth and Planetary Sciences, General Materials Science, Adversarial training, Challenging fruit images, General Environmental Science

Abstract

An accurate and robust fruit image classifier can have a variety of real-life and industrial applications including automated pricing, intelligent sorting, and information extraction. This paper demonstrates howadversarial trainingcan enhance the robustness of fruit image classifiers. In the past, research in deep-learning-based fruit image classification has focused solely on attaining the highest possible accuracy of the model used in the classification process. However, even the highest accuracy models are still susceptible toadversarial attackswhich pose serious problems for such systems in practice. As a robust fruit classifier can only be developed with the aid of a fruit image dataset consisting of fruit images photographed in realistic settings (rather than images taken in controlled laboratory settings), a new dataset of over three thousand fruit images belonging to seven fruit classes is presented. Each image is carefully selected so that its classification poses a significant challenge for the proposed classifiers. Three Convolutional Neural Network (CNN)-based classifiers are suggested: 1)IndusNet, 2)fine-tuned VGG16, and 3)fine-tuned MobileNet. Fine-tuned VGG16 produced the best test set accuracy of 94.82% compared to the 92.32% and the 94.28% produced by the other two models, respectively. Fine-tuned MobileNet has proved to be the most efficient model with a test time of 9 ms/step compared to the test times of 28 ms/step and 29 ms/step for the other two models. The empirical evidence presented demonstrates that adversarial training enables fruit image classifiers to resist attacks crafted through the Fast Gradient Sign Method (FGSM), while simultaneously improving classifiers’ robustness against other noise forms including ‘Gaussian’, ‘Salt and pepper’ and ‘Speckle’. For example, when the amplitude of the perturbations generated through the Fast Gradient Sign Method (FGSM) was kept at 0.1, adversarial training improved the fine-tuned VGG16’s performance on adversarial images by around 18% (i.e., from 76.6% to 94.82%), while simultaneously improving the classifier’s performance on fruit images corrupted with ‘salt and pepper’ noise by around 8% (i.e., from 69.82% to 77.85%). Other reported results also follow this pattern and demonstrate the effectiveness of adversarial training as a means of enhancing the robustness of fruit image classifiers.

Published

2021

22. Polymorphic Adversarial Cyberattacks Using WGAN

Author

Ravi Chauhan, Ulya Sabeel, Alireza Izaddoost, and Shahram Shah Heydari

Subjects

adversarial attacks, machine learning, Wasserstein Generative Adversarial Network (WGAN), Generative Adversarial Network (GAN), T1-995, Intrusion Detection Systems, DDoS/DoS attacks, Technology (General)

Abstract

Intrusion Detection Systems (IDS) are essential components in preventing malicious traffic from penetrating networks and systems. Recently, these systems have been enhancing their detection ability using machine learning algorithms. This development also forces attackers to look for new methods for evading these advanced Intrusion Detection Systemss. Polymorphic attacks are among potential candidates that can bypass the pattern matching detection systems. To alleviate the danger of polymorphic attacks, the IDS must be trained with datasets that include these attacks. Generative Adversarial Network (GAN) is a method proven in generating adversarial data in the domain of multimedia processing, text, and voice, and can produce a high volume of test data that is indistinguishable from the original training data. In this paper, we propose a model to generate adversarial attacks using Wasserstein GAN (WGAN). The attack data synthesized using the proposed model can be used to train an IDS. To evaluate the trained IDS, we study several techniques for updating the attack feature profile for the generation of polymorphic data. Our results show that by continuously changing the attack profiles, defensive systems that use incremental learning will still be vulnerable to new attacks; meanwhile, their detection rates improve incrementally until the polymorphic attack exhausts its profile variables.

Published

2021

23. Adversarial Deep Learning approach detection and defense against DDoS attacks in SDN environments

Author

Mario Lemes Proença, Jaime Lloret, Matheus P. Novaes, and Luiz F. Carvalho

Subjects

Computer Networks and Communications, Computer science, Denial-of-service attack, 02 engineering and technology, Computer security, computer.software_genre, SDN, Adversarial system, Deep Learning, Control theory, 0202 electrical engineering, electronic engineering, information engineering, Forwarding plane, Control logic, business.industry, Deep learning, Adversarial attacks, 020206 networking & telecommunications, INGENIERIA TELEMATICA, GAN, Hardware and Architecture, 020201 artificial intelligence & image processing, Anomaly detection, Artificial intelligence, DDoS, business, Software-defined networking, computer, Software

Abstract

[EN] Over the last few years, Software Defined Networking (SDN) paradigm has become an emerging architecture to design future networks and to meet new application demands. SDN provides resources for improving network control and management by separating control and data plane, and the logical control is centralized in a controller. However, the centralized control logic can be an ideal target for malicious attacks, mainly Distributed Denial of Service (DDoS) attacks. Recently, Deep Learning has become a powerful technique applied in cybersecurity, and many Network Intrusion Detection (NIDS) have been proposed in recent researches. Some studies have indicated that deep neural networks are sensitive in detecting adversarial attacks. Adversarial attacks are instances with certain perturbations that cause deep neural networks to misclassify. In this paper, we proposed a detection and defense system based on Adversarial training in SDN, which uses Generative Adversarial Network (GAN) framework for detecting DDoS attacks and applies adversarial training to make the system less sensitive to adversarial attacks. The proposed system includes well-defined modules that enable continuous traffic monitoring using IP flow analysis, enabling the anomaly detection system to act in near-real-time. We conducted the experiments on two distinct scenarios, with emulated data and the public dataset CICDDoS 2019. Experimental results demonstrated that the system efficiently detected up-to-date common types of DDoS attacks compared to other approaches., This work has been partially supported by the National Council for Scientific and Technological Development (CNPq) of Brazil under Grant of Project 310668/2019-0 and by SETI, Brazil/Fundacao Araucaria due to the concession of scholarships; by the "Ministerio de Economia y Competitividad, Spain"in the "Programa Estatal de Fomento de la Investigacion Cientifica y Tecnica de Excelencia, Subprograma Estatal de Generacion de Conocimiento"within the project under Grant TIN2017-84802-C2-1-P.

Published

2021

24. Addressing Adversarial Attacks Against Security Systems Based on Machine Learning

Author

Mirco Marchetti, Luca Ferretti, Michele Colajanni, Giovanni Apruzzese, APRUZZESE, GIOVANNI, Colajanni M., FERRETTI, LUCA, and Marchetti M.

Subjects

adversarial attack, Computer science, intrusion detection, 0211 other engineering and technologies, evasion attacks, Evasion (network security), Context (language use), adversarial attacks, deep learning, machine learning, poisoning attacks, 02 engineering and technology, Intrusion detection system, Machine learning, computer.software_genre, 050601 international relations, Domain (software engineering), Adversarial system, 021110 strategic, defence & security studies, business.industry, Deep learning, 05 social sciences, 0506 political science, Damages, Malware, evasion attack, Artificial intelligence, business, computer

Abstract

Machine-learning solutions are successfully adopted in multiple contexts but the application of these techniques to the cyber security domain is complex and still immature. Among the many open issues that affect security systems based on machine learning, we concentrate on adversarial attacks that aim to affect the detection and prediction capabilities of machine-learning models. We consider realistic types of poisoning and evasion attacks targeting security solutions devoted to malware, spam and network intrusion detection. We explore the possible damages that an attacker can cause to a cyber detector and present some existing and original defensive techniques in the context of intrusion detection systems. This paper contains several performance evaluations that are based on extensive experiments using large traffic datasets. The results highlight that modern adversarial attacks are highly effective against machine-learning classifiers for cyber detection, and that existing solutions require improvements in several directions. The paper paves the way for more robust machine-learning-based techniques that can be integrated into cyber security platforms.

Published

2019

25. Adversarial Robust and Explainable Network Intrusion Detection Systems Based on Deep Learning

Author

Kudzai Sauka, Gun-Yoo Shin, Dong-Wook Kim, and Myung-Mook Han

Subjects

Fluid Flow and Transfer Processes, ComputingMethodologies_PATTERNRECOGNITION, Process Chemistry and Technology, General Engineering, machine learning, adversarial attacks, explainable, network intrusion detection system, deep neural networks (DNN), adversarial robust, General Materials Science, Instrumentation, Computer Science Applications

Abstract

The ever-evolving cybersecurity environment has given rise to sophisticated adversaries who constantly explore new ways to attack cyberinfrastructure. Recently, the use of deep learning-based intrusion detection systems has been on the rise. This rise is due to deep neural networks (DNN) complexity and efficiency in making anomaly detection activities more accurate. However, the complexity of these models makes them black-box models, as they lack explainability and interpretability. Not only is the DNN perceived as a black-box model, but recent research evidence has also shown that they are vulnerable to adversarial attacks. This paper developed an adversarial robust and explainable network intrusion detection system based on deep learning by applying adversarial training and implementing explainable AI techniques. In our experiments with the NSL-KDD dataset, the PGD adversarial-trained model was a more robust model than DeepFool adversarial-trained and FGSM adversarial-trained models, with a ROC-AUC of 0.87. The FGSM attack did not affect the PGD adversarial-trained model’s ROC-AUC, while the DeepFool attack caused a minimal 9.20% reduction in PGD adversarial-trained model’s ROC-AUC. PGD attack caused a 15.12% reduction in the DeepFool adversarial-trained model’s ROC-AUC and a 12.79% reduction in FGSM trained model’s ROC-AUC.

Published

2022

26. SIT: Stochastic Input Transformation to Defend Against Adversarial Attacks on Deep Neural Networks

Author

Amira Guesmi, Ihsen Alouani, Mouna Baklouti, Tarek Frikha, Mohamed Abid, Université de Sfax - University of Sfax, Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Centrale Lille-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-JUNIA (JUNIA), Université catholique de Lille (UCL)-Université catholique de Lille (UCL), COMmunications NUMériques - IEMN (COMNUM - IEMN), INSA Institut National des Sciences Appliquées Hauts-de-France (INSA Hauts-De-France), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Université catholique de Lille (UCL)-Université catholique de Lille (UCL)-Centrale Lille-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-JUNIA (JUNIA), and no information

Subjects

Convolutional Neural Networks, Convolution, [INFO.INFO-AI]Computer Science [cs]/Artificial Intelligence [cs.AI], [SPI.TRON]Engineering Sciences [physics]/Electronics, Machine Learning, Kernel, [SPI]Engineering Sciences [physics], [INFO.INFO-NI]Computer Science [cs]/Networking and Internet Architecture [cs.NI], Stochastic processes, Hardware and Architecture, Image reconstruction, Security, Feature extraction, Training, [INFO]Computer Science [cs], Electrical and Electronic Engineering, Robustness, [SPI.SIGNAL]Engineering Sciences [physics]/Signal and Image processing, Software, Adversarial Attacks

Abstract

International audience; Deep Neural Networks (DNNs) have been deployed in a wide range of applications, including safety-critical domains, owing to their proven efficiency in solving complex problems. However, these systems have been shown vulnerable to adversarial attacks: carefully crafted perturbations that threaten their integrity and trustworthiness. Several defenses have been recently proposed. However, most of these techniques are costly to deploy since they require retraining and specific fine-tuning procedures. While there are pre-processing defenses that do not require retraining, these were shown to be ineffective against adaptive white-box attacks. In this paper, we propose a model-agnostic defense against adversarial attacks using stochastic pre-processing. Based on a process of down-sampling/up-sampling, we transform the input to a new sample that is: (i) close enough to the initial input to be classified correctly, and (ii) different enough to ignore any potential adversarial noise within it. The proposed defense is generic, easy to deploy and does not require any specific training or fine tuning. We tested our technique comparatively to state-of-the-art defenses under grey-box and strong white-box scenarios. Experimental results show that our defense achieves robustness of up to 94% and 93% against PGD and Cand#x0026;W attacks, respectively, under strong white-box scenario. IEEE

Published

2022

27. Adversarial attacks and defenses in Speaker Recognition Systems

Author

Lan, Jiahe, Zhang, Rui, Yan, Zheng, Wang, Jie, Chen, Yu, Hou, Ronghui, Xidian University, Department of Communications and Networking, San Jose State University, Aalto-yliopisto, and Aalto University

Subjects

Adversarial examples, Adversarial attacks, Speaker recognition system

Abstract

Funding Information: This work is supported in part by the National Natural Science Foundation of China under Grant 62072351 ; in part by the Academy of Finland under Grant 308087 , Grant 335262 , Grant 345072 and Grant 350464 ; in part by the Open research project of ZheJiang Lab under grant 2021PD0AB01 ; in part by the Shaanxi Innovation Team Project under Grant 2018 TD-007; and in part by the 111 Project, China under Grant B16037 . Publisher Copyright: © 2022 Elsevier B.V. Speaker recognition has become very popular in many application scenarios, such as smart homes and smart assistants, due to ease of use for remote control and economic-friendly features. The rapid development of SRSs is inseparable from the advancement of machine learning, especially neural networks. However, previous work has shown that machine learning models are vulnerable to adversarial attacks in the image domain, which inspired researchers to explore adversarial attacks and defenses in Speaker Recognition Systems (SRS). Unfortunately, existing literature lacks a thorough review of this topic. In this paper, we fill this gap by performing a comprehensive survey on adversarial attacks and defenses in SRSs. We first introduce the basics of SRSs and concepts related to adversarial attacks. Then, we propose two sets of criteria to evaluate the performance of attack methods and defense methods in SRSs, respectively. After that, we provide taxonomies of existing attack methods and defense methods, and further review them by employing our proposed criteria. Finally, based on our review, we find some open issues and further specify a number of future directions to motivate the research of SRSs security.

Published

2022

28. Multivariate Lipschitz Analysis of the Stability of Neural Networks

Author

Gupta, Kavya, Kaakai, Fateh, Pesquet-Popescu, Beatrice, Pesquet, Jean-Christophe, Malliaros, Fragkiskos, OPtimisation Imagerie et Santé (OPIS), Inria Saclay - Ile de France, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre de vision numérique (CVN), Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Université Paris-Saclay-CentraleSupélec-Université Paris-Saclay, and Thales LAS France

Subjects

safety, adversarial attacks, [INFO.INFO-LG]Computer Science [cs]/Machine Learning [cs.LG], tabular data, Lipschitz, stability, sensitivity, neural networks, [INFO.INFO-AI]Computer Science [cs]/Artificial Intelligence [cs.AI]

Abstract

International audience; The stability of neural networks with respect to adversarial perturbations has been extensively studied. One of the main strategies consist of quantifying the Lipschitz regularity of neural networks. In this paper, we introduce a multivariate Lipschitz constant-based stability analysis of fully connected neural networks allowing us to capture the influence of each input or group of inputs on the neural network stability. Our approach relies on a suitable re-normalization of the input space, with the objective to perform a more precise analysis than the one provided by a global Lipschitz constant. We investigate the mathematical properties of the proposed multivariate Lipschitz analysis and show its usefulness in better understanding the sensitivity of the neural network with regard to groups of inputs. We display the results of this analysis by a new representation designed for machine learning practitioners and safety engineers termed as a Lipschitz star. The Lipschitz star is a graphical and practical tool to analyze the sensitivity of a neural network model during its development, with regard to different combinations of inputs. By leveraging this tool, we show that it is possible to build robust-by-design models using spectral normalization techniques for controlling the stability of a neural network, given a safety Lipschitz target. Thanks to our multivariate Lipschitz analysis, we can also measure the efficiency of adversarial training in inference tasks. We perform experiments on various open access tabular datasets, and also on a real Thales Air Mobility industrial application subject to certification requirements.

Published

2022

29. Evolutionary Algorithm-Based Images, Humanly Indistinguishable and Adversarial Against Convolutional Neural Networks: Efficiency and Filter Robustness

Author

Raluca Chitic, Franck Leprévost, and Ali Osman Topal

Subjects

Computer science [C05] [Engineering, computing & technology], filter, evolutionary algorithm, General Computer Science, Computer science, General Engineering, Evolutionary algorithm, Convolutional neural network, adversarial perturbation, Sciences informatiques [C05] [Ingénierie, informatique & technologie], TK1-9971, adversarial attacks, Robustness (computer science), Filter (video), black-box attack, General Materials Science, Electrical engineering. Electronics. Nuclear engineering, evolutionary algorithms, Electrical and Electronic Engineering, Algorithm, image classification

Abstract

Convolutional neural networks (CNNs) have become one of the most important tools for image classification. However, many models are susceptible to adversarial attacks, and CNNs can perform misclassifications. In previous works, we successfully developed an EA-based black-box attack that creates adversarial images for the target scenario that fulfils two criteria. The CNN should classify the adversarial image in the target category with a confidence ≥ 0.95, and a human should not notice any difference between the adversarial and original images. Thanks to extensive experiments performed with the CNN ${\mathcal{C}}$ = VGG-16 trained on the CIFAR-10 dataset to classify images according to 10 categories, this paper, which substantially enhances most aspects of Chitic et al. (2021), addresses four issues. (1) From a pure EA point of view, we highlight the conceptual originality of our algorithm $\text {EA}_{d}^{\text {target}, {\mathcal{C}}}$ , versus the classical EA approach. The competitive advantage obtained was assessed experimentally during image classification. (2) We then measured the intrinsic performance of the EA-based attack for an extensive series of ancestor images. (3) We challenged the filter resistance of the adversarial images created by the EA for five well-known filters. (4) We proceed to the creation of natively filter-resistant adversarial images that can fool humans, CNNs, and CNNs composed with filters.

Published

2021

30. ShuffleDetect: Detecting Adversarial Images against Convolutional Neural Networks

Author

Raluca Chitic, Ali Osman Topal, Franck Leprévost, and University of Luxembourg: High Performance Computing - ULHPC [research center]

Subjects

Computer science [C05] [Engineering, computing & technology], Fluid Flow and Transfer Processes, Process Chemistry and Technology, Convolutional Neural Networks, Evolutionary Algorithm, Security, General Engineering, General Materials Science, Sciences informatiques [C05] [Ingénierie, informatique & technologie], Instrumentation, Adversarial Attacks Detection, adversarial attacks, detection, evolutionary algorithms, convolutional neural networks, security, Computer Science Applications

Abstract

Recently, convolutional neural networks (CNNs) have become the main drivers in many image recognition applications. However, they are vulnerable to adversarial attacks, which can lead to disastrous consequences. This paper introduces ShuffleDetect as a new and efficient unsupervised method for the detection of adversarial images against trained convolutional neural networks. Its main feature is to split an input image into non-overlapping patches, then swap the patches according to permutations, and count the number of permutations for which the CNN classifies the unshuffled input image and the shuffled image into different categories. The image is declared adversarial if and only if the proportion of such permutations exceeds a certain threshold value. A series of 8 targeted or untargeted attacks was applied on 10 diverse and state-of-the-art ImageNet-trained CNNs, leading to 9500 relevant clean and adversarial images. We assessed the performance of ShuffleDetect intrinsically and compared it with another detector. Experiments show that ShuffleDetect is an easy-to-implement, very fast, and near memory-free detector that achieves high detection rates and low false positive rates.

Published

2023

31. Probabilistic Jacobian-Based Saliency Maps Attacks

Author

Théo Combey, António Loison, Maxime Faucher, Hatem Hajri, CentraleSupélec, and IRT SystemX (IRT SystemX)

Subjects

Computer Science - Machine Learning, Computer Science - Cryptography and Security, lcsh:Computer engineering. Computer hardware, Computer science, 0211 other engineering and technologies, Computer Science - Computer Vision and Pattern Recognition, lcsh:TK7885-7895, 02 engineering and technology, MNIST, symbols.namesake, [SPI]Engineering Sciences [physics], Robustness (computer science), 0202 electrical engineering, electronic engineering, information engineering, CIFAR-10, Saliency map, Fraction (mathematics), 021110 strategic, defence & security studies, Artificial neural network, business.industry, Probabilistic logic, Pattern recognition, TheoryofComputation_MATHEMATICALLOGICANDFORMALLANGUAGES, adversarial attacks, deep neural network classifiers, GTSRB, Jacobian matrix and determinant, Jacobian-based Saliency Map, symbols, 020201 artificial intelligence & image processing, Artificial intelligence, business, MNIST database

Abstract

Neural network classifiers (NNCs) are known to be vulnerable to malicious adversarial perturbations of inputs including those modifying a small fraction of the input features named sparse or $L_0$ attacks. Effective and fast $L_0$ attacks, such as the widely used Jacobian-based Saliency Map Attack (JSMA) are practical to fool NNCs but also to improve their robustness. In this paper, we show that penalising saliency maps of JSMA by the output probabilities and the input features of the NNC allows to obtain more powerful attack algorithms that better take into account each input's characteristics. This leads us to introduce improved versions of JSMA, named Weighted JSMA (WJSMA) and Taylor JSMA (TJSMA), and demonstrate through a variety of white-box and black-box experiments on three different datasets (MNIST, CIFAR-10 and GTSRB), that they are both significantly faster and more efficient than the original targeted and non-targeted versions of JSMA. Experiments also demonstrate, in some cases, very competitive results of our attacks in comparison with the Carlini-Wagner (CW) $L_0$ attack, while remaining, like JSMA, significantly faster (WJSMA and TJSMA are more than 50 times faster than CW $L_0$ on CIFAR-10). Therefore, our new attacks provide good trade-offs between JSMA and CW for $L_0$ real-time adversarial testing on datasets such as the ones previously cited. Codes are publicly available through the link https://github.com/probabilistic-jsmas/probabilistic-jsmas., Comment: Journal Machine Learning and Knowledge Extraction

Published

2020

32. AT-BOD: An Adversarial Attack on Fool DNN-Based Blackbox Object Detection Models

Author

Ilham A. Elaalami, Sunday O. Olatunji, and Rachid M. Zagrouba

Subjects

Fluid Flow and Transfer Processes, Process Chemistry and Technology, General Engineering, adversarial attacks, adversarial examples, black-box attacks, deep neural networks, object detection models, General Materials Science, Instrumentation, Computer Science Applications

Abstract

Object recognition is a fundamental concept in computer vision. Object detection models have recently played a vital role in various applications, including real-time and safety-critical systems such as camera surveillance and self-driving cars. Scientific research has proven that object detection models are prone to adversarial attacks. Although several proposed methods exist throughout the literature, they either target white-box models or specific-task black-box models and do not generalize on other detectors. In this paper, we proposed a new adversarial attack against Blackbox-based object detectors called AT-BOD. The proposed AT-BOD model can fool the single-stage and multi-stage detectors, where we used an optimization algorithm to generate adversarial examples depending only on the detector predictions. AT-BOD model works in two diverse ways, reducing the confidence score and misleading the model to make the wrong decision or hide the object detection models. Our solution achieved a fooling rate of 97% and a false negative increase of 99% on the YOLOv3 detector, and a fooling rate of 61% false-negative increase of 57% on the Faster R-CNN detector. The detection accuracy of YOLOv3 and Faster R-CNN under AT-BOD was dramatically reduced and reached ≤1% and ≤3%, respectively.

Published

2022

33. Robust face recognition: How much face is needed?

Author

Niklas Bunzel and Publica

Subjects

Robust, Machine learning, Adversarial attacks, Face recognition

Abstract

Face recognition systems are used in high security applications for identification, authentication and authorization. Therefore they need to be robust not only to people wearing face accessories and masks like in the COVID19 pandemic, they also need to be robust against adversarial attacks. We have identified three inconspicuous facial areas to wear adversarial examples to attack face recognition. These are the mouth-nose section, the forehead and the eye area. In this paper, we will address the question of how much of a face needs to be present for successful identification and whether removing the critical regions is a viable countermeasure against adversarial examples.

Published

2022

34. SpacePhish

Author

Giovanni Apruzzese, Mauro Conti, and Ying Yuan

Subjects

Computer Science - Networking and Internet Architecture, Networking and Internet Architecture (cs.NI), FOS: Computer and information sciences, Machine Learning, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Website, Phishing, Cryptography and Security (cs.CR), Adversarial Attacks, Machine Learning (cs.LG)

Abstract

Existing literature on adversarial Machine Learning (ML) focuses either on showing attacks that break every ML model, or defenses that withstand most attacks. Unfortunately, little consideration is given to the actual \textit{cost} of the attack or the defense. Moreover, adversarial samples are often crafted in the "feature-space", making the corresponding evaluations of questionable value. Simply put, the current situation does not allow to estimate the actual threat posed by adversarial attacks, leading to a lack of secure ML systems. We aim to clarify such confusion in this paper. By considering the application of ML for Phishing Website Detection (PWD), we formalize the "evasion-space" in which an adversarial perturbation can be introduced to fool a ML-PWD -- demonstrating that even perturbations in the "feature-space" are useful. Then, we propose a realistic threat model describing evasion attacks against ML-PWD that are cheap to stage, and hence intrinsically more attractive for real phishers. Finally, we perform the first statistically validated assessment of state-of-the-art ML-PWD against 12 evasion attacks. Our evaluation shows (i) the true efficacy of evasion attempts that are more likely to occur; and (ii) the impact of perturbations crafted in different evasion-spaces. Our realistic evasion attempts induce a statistically significant degradation (3-10% at $p\!

Published

2022

35. Systematic Literature Review of the Adversarial Attacks on AI in Cyber-Physical Systems

Author

Valeev, Nail

Subjects

machine learning, Datavetenskap (datalogi), Computer Sciences, Adversarial attacks, artificial intelligence, internet of things, cyber-physical system

Abstract

Cyber-physical systems, built from the integration of cyber and physical components, are being used in multiple domains ranging from manufacturing and healthcare to traffic con- trol and safety. Ensuring the security of cyber-physical systems is crucial because they provide the foundation of the critical infrastructure, and security incidents can result in catastrophic failures. Recent publications report that machine learning models are vul- nerable to adversarial examples, crafted by adding small perturbations to input data. For the past decade, machine learning security has become a growing interest area, with a significant number of systematic reviews and surveys that have been published. Secu- rity of artificial intelligence in cyber-physical systems is more challenging in comparison to machine learning security, because adversaries have a wider possible attack surface, in both cyber and physical domains. However, comprehensive systematic literature re- views in this research field are not available. Therefore, this work presents a systematic literature review of the adversarial attacks on artificial intelligence in cyber-physical sys- tems, examining 45 scientific papers, selected from 134 publications found in the Scopus database. It provides the classification of attack algorithms and defense methods, the sur- vey of evaluation metrics, an overview of the state of the art in methodologies and tools, and, as the main contribution, identifies open problems and research gaps and highlights future research challenges in this area of interest.

Published

2022

36. Adversarial attacks on fingerprint liveness detection

Author

Peipeng Yu, Fengjun Xiao, Jianwei Fei, and Zhihua Xia

Subjects

Biometrics, Computer science, Data_MISCELLANEOUS, Liveness, lcsh:TK7800-8360, 02 engineering and technology, Computer security, computer.software_genre, Adversarial system, Robustness (computer science), 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, business.industry, Deep learning, Fingerprint liveness detection, Adversarial attacks, lcsh:Electronics, 020207 software engineering, Fingerprint recognition, Signal Processing, Deep neural networks, 020201 artificial intelligence & image processing, Artificial intelligence, business, computer, Information Systems

Abstract

Deep neural networks are vulnerable to adversarial samples, posing potential threats to the applications deployed with deep learning models in practical conditions. A typical example is the fingerprint liveness detection module in fingerprint authentication systems. Inspired by great progress of deep learning, deep networks-based fingerprint liveness detection algorithms spring up and dominate the field. Thus, we investigate the feasibility of deceiving state-of-the-art deep networks-based fingerprint liveness detection schemes by leveraging this property in this paper. Extensive evaluations are made with three existing adversarial methods: FGSM, MI-FGSM, and Deepfool. We also proposed an adversarial attack method that enhances the robustness of adversarial fingerprint images to various transformations like rotations and flip. We demonstrate these outstanding schemes are likely to classify fake fingerprints as live fingerprints by adding tiny perturbations, even without internal details of their used model. The experimental results reveal a big loophole and threats for these schemes from a view of security, and enough attention is urgently needed to be paid on anti-adversarial not only in fingerprint liveness detection but also in all deep learning applications.

Published

2020

37. AI can turn the clock back before we know it

Author

Anne Gerdes

Subjects

reinforcement learning, adversarial attacks, embodied cognition, research integrity, AI hype, artificial intelligence

Abstract

This paper outlines intertwined challenges related to three areas: The hype surrounding AI, the consequences of corporate influence on the AI research agenda, and the public sector's uncritical embracement of AI technologies. We argue that AI can backfire if overconfident predictions influence decisions to introduce AI in high-risk domains. Moreover, the corporate colonization of the AI research agenda may cause a decline in societal trust in science, which is highly problematic considering that AI will increasingly power important domains in society.

Published

2021

38. Lower Voltage for Higher Security: Using Voltage Overscaling to Secure Deep Neural Networks

Author

Shohidul Islam, Ihsen Alouani, Khaled N. Khasawneh, George Mason University [Fairfax], Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Centrale Lille-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-JUNIA (JUNIA), Université catholique de Lille (UCL)-Université catholique de Lille (UCL), COMmunications NUMériques - IEMN (COMNUM - IEMN), INSA Institut National des Sciences Appliquées Hauts-de-France (INSA Hauts-De-France), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Université catholique de Lille (UCL)-Université catholique de Lille (UCL)-Centrale Lille-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-JUNIA (JUNIA), and no information

Subjects

[SPI]Engineering Sciences [physics], machine learning, approx- imate computing, Adversarial attacks, voltage overscalin

Abstract

International audience; Deep neural networks (DNNs) are shown to be vulnerable to adversarial attacks-- carefully crafted additive noise that undermines DNNs integrity. Previously proposed defenses against these attacks require substantial overheads, making it challenging to deploy these solutions in power and computational resource-constrained devices, such as embedded systems and the Edge. In this paper, we explore the use of voltage overscaling (VOS) as a lightweight defense against adversarial attacks. Specifically, we exploit the stochastic timing violations of VOS to implement a moving-target defense for DNNs. Our experimental results demonstrate that VOS guarantees effective defense against different attack methods, does not require any software/hardware modifications, and offers a by-product reduction in power consumption.

Published

2021

39. Universal Adversarial Attack via Conditional Sampling for Text Classification

Author

Junan Yang, Hui Liu, Kun Shao, and Yu Zhang

Subjects

Technology, Computer science, QH301-705.5, QC1-999, Transferability, Sample (statistics), Conditional sampling, Machine learning, computer.software_genre, Adversarial system, sentiment classification, General Materials Science, Biology (General), Instrumentation, QD1-999, universal adversarial perturbations, Fluid Flow and Transfer Processes, conditional BERT sampling, business.industry, Process Chemistry and Technology, Physics, General Engineering, Sampling (statistics), Engineering (General). Civil engineering (General), Computer Science Applications, Chemistry, adversarial attacks, deep neural networks, Face (geometry), Deep neural networks, Artificial intelligence, TA1-2040, business, computer

Abstract

Despite deep neural networks (DNNs) having achieved impressive performance in various domains, it has been revealed that DNNs are vulnerable in the face of adversarial examples, which are maliciously crafted by adding human-imperceptible perturbations to an original sample to cause the wrong output by the DNNs. Encouraged by numerous researches on adversarial examples for computer vision, there has been growing interest in designing adversarial attacks for Natural Language Processing (NLP) tasks. However, the adversarial attacking for NLP is challenging because text is discrete data and a small perturbation can bring a notable shift to the original input. In this paper, we propose a novel method, based on conditional BERT sampling with multiple standards, for generating universal adversarial perturbations: input-agnostic of words that can be concatenated to any input in order to produce a specific prediction. Our universal adversarial attack can create an appearance closer to natural phrases and yet fool sentiment classifiers when added to benign inputs. Based on automatic detection metrics and human evaluations, the adversarial attack we developed dramatically reduces the accuracy of the model on classification tasks, and the trigger is less easily distinguished from natural text. Experimental results demonstrate that our method crafts more high-quality adversarial examples as compared to baseline methods. Further experiments show that our method has high transferability. Our goal is to prove that adversarial attacks are more difficult to detect than previously thought and enable appropriate defenses.

Published

2021

40. Preprocessing Pipelines including Block-Matching Convolutional Neural Network for Image Denoising to Robustify Deep Reidentification against Evasion Attacks

Author

Marek Pawlicki and Ryszard S. Choraś

Subjects

Computer science, Science, QC1-999, General Physics and Astronomy, Evasion (network security), 02 engineering and technology, Machine learning, computer.software_genre, Astrophysics, Convolutional neural network, Article, computer vision, 020204 information systems, Classifier (linguistics), 0202 electrical engineering, electronic engineering, information engineering, Preprocessor, Artificial neural network, business.industry, Deep learning, Physics, Security domain, deep learning, Pipeline (software), adversarial defences, QB460-466, adversarial attacks, 020201 artificial intelligence & image processing, Artificial intelligence, business, computer

Abstract

Artificial neural networks have become the go-to solution for computer vision tasks, including problems of the security domain. One such example comes in the form of reidentification, where deep learning can be part of the surveillance pipeline. The use case necessitates considering an adversarial setting—and neural networks have been shown to be vulnerable to a range of attacks. In this paper, the preprocessing defences against adversarial attacks are evaluated, including block-matching convolutional neural network for image denoising used as an adversarial defence. The benefit of using preprocessing defences comes from the fact that it does not require the effort of retraining the classifier, which, in computer vision problems, is a computationally heavy task. The defences are tested in a real-life-like scenario of using a pre-trained, widely available neural network architecture adapted to a specific task with the use of transfer learning. Multiple preprocessing pipelines are tested and the results are promising.

Published

2021

41. Adversarial attack vulnerability of medical image analysis systems: Unexplored factors

Author

Cristina González-Gonzalo, Mitko Veta, Bart Liefers, Clara I. Sánchez, Marleen de Bruijne, Florian Dubost, Suzanne C. Wetstein, Ioannis Katramados, Gerda Bortsova, Laurens Hogeweg, Josien P. W. Pluim, Bram van Ginneken, Medical Image Analysis, Eindhoven MedTech Innovation Center, EAISI Health, AI&Health, IvI Research (FNWI), and Radiology & Nuclear Medicine

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Cybersecurity, Neural Networks, Computer science, Computer Vision and Pattern Recognition (cs.CV), Transferability, Computer Science - Computer Vision and Pattern Recognition, Vulnerability, Initialization, Health Informatics, Machine learning, computer.software_genre, Sensory disorders Donders Center for Medical Neuroscience [Radboudumc 12], Machine Learning, Adversarial system, Computer, Surrogate model, FOS: Electrical engineering, electronic engineering, information engineering, Humans, Radiology, Nuclear Medicine and imaging, Radiological and Ultrasound Technology, business.industry, Deep learning, Adversarial attacks, Image and Video Processing (eess.IV), Electrical Engineering and Systems Science - Image and Video Processing, Computer Graphics and Computer-Aided Design, Clinical Practice, Computer Vision and Pattern Recognition, Artificial intelligence, Neural Networks, Computer, Medical imaging, business, computer, Cryptography and Security (cs.CR), Rare cancers Radboud Institute for Health Sciences [Radboudumc 9]

Abstract

Adversarial attacks are considered a potentially serious security threat for machine learning systems. Medical image analysis (MedIA) systems have recently been argued to be vulnerable to adversarial attacks due to strong financial incentives and the associated technological infrastructure. In this paper, we study previously unexplored factors affecting adversarial attack vulnerability of deep learning MedIA systems in three medical domains: ophthalmology, radiology, and pathology. We focus on adversarial black-box settings, in which the attacker does not have full access to the target model and usually uses another model, commonly referred to as surrogate model, to craft adversarial examples. We consider this to be the most realistic scenario for MedIA systems. Firstly, we study the effect of weight initialization (ImageNet vs. random) on the transferability of adversarial attacks from the surrogate model to the target model. Secondly, we study the influence of differences in development data between target and surrogate models. We further study the interaction of weight initialization and data differences with differences in model architecture. All experiments were done with a perturbation degree tuned to ensure maximal transferability at minimal visual perceptibility of the attacks. Our experiments show that pre-training may dramatically increase the transferability of adversarial examples, even when the target and surrogate's architectures are different: the larger the performance gain using pre-training, the larger the transferability. Differences in the development data between target and surrogate models considerably decrease the performance of the attack; this decrease is further amplified by difference in the model architecture. We believe these factors should be considered when developing security-critical MedIA systems planned to be deployed in clinical practice., Comment: First three authors contributed equally

Published

2021

42. Towards Adversarial Attacks for Clinical Document Classification

Author

Nina Fatehi, Qutaiba Alasad, and Mohammed Alawad

Subjects

Computer Networks and Communications, Hardware and Architecture, Control and Systems Engineering, Signal Processing, adversarial attacks, document classification, CNN, NLP, Electrical and Electronic Engineering

Abstract

Regardless of revolutionizing improvements in various domains thanks to recent advancements in the field of Deep Learning (DL), recent studies have demonstrated that DL networks are susceptible to adversarial attacks. Such attacks are crucial in sensitive environments to make critical and life-changing decisions, such as health decision-making. Research efforts on using textual adversaries to attack DL for natural language processing (NLP) have received increasing attention in recent years. Among the available textual adversarial studies, Electronic Health Records (EHR) have gained the least attention. This paper investigates the effectiveness of adversarial attacks on clinical document classification and proposes a defense mechanism to develop a robust convolutional neural network (CNN) model and counteract these attacks. Specifically, we apply various black-box attacks based on concatenation and editing adversaries on unstructured clinical text. Then, we propose a defense technique based on feature selection and filtering to improve the robustness of the models. Experimental results show that a small perturbation to the unstructured text in clinical documents causes a significant drop in performance. Performing the proposed defense mechanism under the same adversarial attacks, on the other hand, avoids such a drop in performance. Therefore, it enhances the robustness of the CNN model for clinical document classification.

Published

2022

43. Model and Training Method of the Resilient Image Classifier Considering Faults, Concept Drift, and Adversarial Attacks

Author

Viacheslav Moskalenko, Vyacheslav Kharchenko, Alona Moskalenko, and Sergey Petrov

Subjects

Numerical Analysis, convolutional neural network, robustness, concept drift, image classification, resilience, graceful degradation, adversarial attacks, faults injection, self-learning, self-knowledge distillation, prototypical classifier, contrastive-center loss, Theoretical Computer Science, Computational Mathematics, Computational Theory and Mathematics

Abstract

Modern trainable image recognition models are vulnerable to different types of perturbations; hence, the development of resilient intelligent algorithms for safety-critical applications remains a relevant concern to reduce the impact of perturbation on model performance. This paper proposes a model and training method for a resilient image classifier capable of efficiently functioning despite various faults, adversarial attacks, and concept drifts. The proposed model has a multi-section structure with a hierarchy of optimized class prototypes and hyperspherical class boundaries, which provides adaptive computation, perturbation absorption, and graceful degradation. The proposed training method entails the application of a complex loss function assembled from its constituent parts in a particular way depending on the result of perturbation detection and the presence of new labeled and unlabeled data. The training method implements principles of self-knowledge distillation, the compactness maximization of class distribution and the interclass gap, the compression of feature representations, and consistency regularization. Consistency regularization makes it possible to utilize both labeled and unlabeled data to obtain a robust model and implement continuous adaptation. Experiments are performed on the publicly available CIFAR-10 and CIFAR-100 datasets using model backbones based on modules ResBlocks from the ResNet50 architecture and Swin transformer blocks. It is experimentally proven that the proposed prototype-based classifier head is characterized by a higher level of robustness and adaptability in comparison with the dense layer-based classifier head. It is also shown that multi-section structure and self-knowledge distillation feature conserve resources when processing simple samples under normal conditions and increase computational costs to improve the reliability of decisions when exposed to perturbations.

Published

2022

44. Adversarial Attacks in a Multi-view Setting: An Empirical Study of the Adversarial Patches Inter-view Transferability

Author

Anouar Ben Khalifa, Mohamed Ali Mahjoub, Ihsen Alouani, Bilel Tarchoun, Laboratory of Advanced Technology and Intelligent Systems (LATIS), Ecole Nationale d'Ingénieurs de Sousse (ENISo), Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Centrale Lille-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-JUNIA (JUNIA), Université catholique de Lille (UCL)-Université catholique de Lille (UCL), Communications Numériques (COMNUM), Laboratoire Traitement et Communication de l'Information (LTCI), Institut Mines-Télécom [Paris] (IMT)-Télécom Paris-Institut Mines-Télécom [Paris] (IMT)-Télécom Paris, and no information

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer science, Context (language use), Machine learning, computer.software_genre, Machine Learning (cs.LG), Perspective Geometric Transformations, Adversarial system, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Empirical research, Adversarial patches, Adversarial Attacks, Vulnerability (computing), Artificial neural network, business.industry, Geometric transformation, Object detection, View Angles, Multi-View, Artificial intelligence, Noise (video), business, Cryptography and Security (cs.CR), computer

Abstract

While machine learning applications are getting mainstream owing to a demonstrated efficiency in solving complex problems, they suffer from inherent vulnerability to adversarial attacks. Adversarial attacks consist of additive noise to an input which can fool a detector. Recently, successful real-world printable adversarial patches were proven efficient against state-of-the-art neural networks. In the transition from digital noise based attacks to real-world physical attacks, the myriad of factors affecting object detection will also affect adversarial patches. Among these factors, view angle is one of the most influential, yet under-explored. In this paper, we study the effect of view angle on the effectiveness of an adversarial patch. To this aim, we propose the first approach that considers a multi-view context by combining existing adversarial patches with a perspective geometric transformation in order to simulate the effect of view angle changes. Our approach has been evaluated on two datasets: the first dataset which contains most real world constraints of a multi-view context, and the second dataset which empirically isolates the effect of view angle. The experiments show that view angle significantly affects the performance of adversarial patches, where in some cases the patch loses most of its effectiveness. We believe that these results motivate taking into account the effect of view angles in future adversarial attacks, and open up new opportunities for adversarial defenses., To appear in the 20th CyberWorlds Conference

Published

2021

45. R-SNN: An Analysis and Design Methodology for Robustifying Spiking Neural Networks against Adversarial Attacks through Noise Filters for Dynamic Vision Sensors

Author

Alberto Marchisio, Giacomo Pira, Maurizio Martina, Guido Masera, and Muhammad Shafique

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Filter, Spiking Neural Networks, SNNs, Deep Learning, Adversarial Attacks, Security, Robustness, Defense, Perturbation, Noise, Dynamic Vision Sensors, DVS, Neuromorphic, Event-Based, DVS-Gesture, NMNIST, Computer Science - Neural and Evolutionary Computing, Machine Learning (cs.LG), ComputerSystemsOrganization_SPECIAL-PURPOSEANDAPPLICATION-BASEDSYSTEMS, Neural and Evolutionary Computing (cs.NE), Cryptography and Security (cs.CR)

Abstract

Spiking Neural Networks (SNNs) aim at providing energy-efficient learning capabilities when implemented on neuromorphic chips with event-based Dynamic Vision Sensors (DVS). This paper studies the robustness of SNNs against adversarial attacks on such DVS-based systems, and proposes R-SNN, a novel methodology for robustifying SNNs through efficient DVS-noise filtering. We are the first to generate adversarial attacks on DVS signals (i.e., frames of events in the spatio-temporal domain) and to apply noise filters for DVS sensors in the quest for defending against adversarial attacks. Our results show that the noise filters effectively prevent the SNNs from being fooled. The SNNs in our experiments provide more than 90% accuracy on the DVS-Gesture and NMNIST datasets under different adversarial threat models., To appear at the 2021 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS 2021). arXiv admin note: text overlap with arXiv:2107.00415

Published

2021

46. Defense against adversarial attacks on deep convolutional neural networks through nonlocal denoising

Author

Sandhya Aneja, Nagender Aneja, Pg Emeroylariffion Abas, and Abdul Ghani Naim

Subjects

FOS: Computer and information sciences, Denoising, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Information Systems and Management, Computer Vision and Pattern Recognition (cs.CV), Adversarial attacks, Computer Science - Computer Vision and Pattern Recognition, Deep learning, Adversarial machine learning, Machine Learning (cs.LG), Artificial Intelligence, Control and Systems Engineering, Convolutional neural networks, Electrical and Electronic Engineering, Cryptography and Security (cs.CR)

Abstract

Despite substantial advances in network architecture performance, the susceptibility of adversarial attacks makes deep learning challenging to implement in safety-critical applications. This paper proposes a data-centric approach to addressing this problem. A nonlocal denoising method with different luminance values has been used to generate adversarial examples from the Modified National Institute of Standards and Technology database (MNIST) and Canadian Institute for Advanced Research (CIFAR-10) data sets. Under perturbation, the method provided absolute accuracy improvements of up to 9.3% in the MNIST data set and 13% in the CIFAR-10 data set. Training using transformed images with higher luminance values increases the robustness of the classifier. We have shown that transfer learning is disadvantageous for adversarial machine learning. The results indicate that simple adversarial examples can improve resilience and make deep learning easier to apply in various applications.

Published

2022

47. Adversarial Training for Deep Learning-based Intrusion Detection Systems

Author

Debicha, Islam, Debatty, Thibault, Dricot, Jean-Michel, and Mees, Wim

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Adversarial attacks, Intrusion detection, Deep learning, Adversarial training, Intelligence artificielle, Cryptography and Security (cs.CR), Machine Learning (cs.LG)

Abstract

Nowadays, Deep Neural Networks (DNNs) report state-of-the-art results in many machine learning areas, including intrusion detection. Nevertheless, recent studies in computer vision have shown that DNNs can be vulnerable to adversarial attacks that are capable of deceiving them into misclassification by injecting specially crafted data. In security-critical areas, such attacks can cause serious damage; therefore, in this paper, we examine the effect of adversarial attacks on deep learning-based intrusion detection. In addition, we investigate the effectiveness of adversarial training as a defense against such attacks. Experimental results show that with sufficient distortion, adversarial examples are able to mislead the detector and that the use of adversarial training can improve the robustness of intrusion detection., Already published in The Sixteenth International Conference on Systems (ICONS 2021)

Published

2021

48. Universal Spectral Adversarial Attacks for Deformable Shapes

Author

Simone Melzi, Luca Cosmo, Arianna Rampini, Emanuele Rodolà, Franco Pestarini, Rampini, A, Pestarini, F, Cosmo, L, Melzi, S, and Rodola, E

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, adversarial attack, Computer science, Point cloud, 02 engineering and technology, 030218 nuclear medicine & medical imaging, Domain (software engineering), Machine Learning (cs.LG), 03 medical and health sciences, 0302 clinical medicine, Robustness (computer science), 0202 electrical engineering, electronic engineering, information engineering, Polygon mesh, Eigenvalues and eigenvectors, Geometric data analysis, Computer Science::Cryptography and Security, Settore INF/01 - Informatica, business.industry, universal attack, Perspective (graphical), shape classification, Data point, adversarial attacks, spectral geometry processing, universal attacks, 020201 artificial intelligence & image processing, Artificial intelligence, business, Algorithm

Abstract

Machine learning models are known to be vulnerable to adversarial attacks, namely perturbations of the data that lead to wrong predictions despite being imperceptible. However, the existence of "universal" attacks (i.e., unique perturbations that transfer across different data points) has only been demonstrated for images to date. Part of the reason lies in the lack of a common domain, for geometric data such as graphs, meshes, and point clouds, where a universal perturbation can be defined. In this paper, we offer a change in perspective and demonstrate the existence of universal attacks for geometric data (shapes). We introduce a computational procedure that operates entirely in the spectral domain, where the attacks take the form of small perturbations to short eigenvalue sequences; the resulting geometry is then synthesized via shape-from-spectrum recovery. Our attacks are universal, in that they transfer across different shapes, different representations (meshes and point clouds), and generalize to previously unseen data., Published at CVPR 2021

Published

2021

49. Experimental assessment of аdversarial attacks to the deep neural networks in medical image recognition

Author

D. M. Voynov and V. A. Kovalev

Subjects

adversarial attacks, histology images, Electronic computers. Computer science, security of neural networks, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, deep learning, QA75.5-76.95, chest x-ray images

Abstract

This paper addresses the problem of dependence of the success rate of adversarial attacks to the deep neural networks on the biomedical image type and control parameters of generation of adversarial examples. With this work we are going to contribute towards accumulation of experimental results on adversarial attacks for the community dealing with biomedical images. The white-box Projected Gradient Descent attacks were examined based on 8 classification tasks and 13 image datasets containing more than 900 000 chest X-ray and histology images of malignant tumors. An increase of the amplitude and the number of iterations of adversarial perturbations in generating malicious adversarial images leads to a growth of the fraction of successful attacks for the majority of image types examined in this study. Histology images tend to be less sensitive to the growth of amplitude of adversarial perturbations. It was found that the success of attacks was dropping dramatically when the original confidence of predicting image class exceeded 0,95.

Published

2019

50. DDSA: A Defense Against Adversarial Attacks Using Deep Denoising Sparse Autoencoder

Author

Yassine Bakhti, Sid Ahmed Fezza, Wassim Hamidouche, Olivier Deforges, Institut d'Électronique et des Technologies du numéRique (IETR), Université de Nantes (UN)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS), Institut National des Télécommunications et des TIC (INTTIC), Nantes Université (NU)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS), and Université de Nantes (UN)-Université de Rennes 1 (UR1)

Subjects

0209 industrial biotechnology, General Computer Science, Computer science, security, 02 engineering and technology, Deep neural network, [INFO.INFO-NE]Computer Science [cs]/Neural and Evolutionary Computing [cs.NE], Machine learning, computer.software_genre, Facial recognition system, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], 020901 industrial engineering & automation, Robustness (computer science), Classifier (linguistics), denoising, 0202 electrical engineering, electronic engineering, information engineering, General Materials Science, Electrical and Electronic Engineering, Set (psychology), Block (data storage), business.industry, General Engineering, Autoencoder, defense, adversarial attacks, sparse autoencoder, 020201 artificial intelligence & image processing, lcsh:Electrical engineering. Electronics. Nuclear engineering, Noise (video), Artificial intelligence, business, lcsh:TK1-9971, computer, MNIST database

Abstract

International audience; Given their outstanding performance, the Deep Neural Networks (DNNs) models have been deployed in many real-world applications. However, recent studies have demonstrated that they are vulnerable to small carefully crafted perturbations, i.e., adversarial examples, which considerably decrease their performance and can lead to devastating consequences, especially for safety-critical applications, such as autonomous vehicles, healthcare and face recognition. Therefore, it is of paramount importance to offer defense solutions that increase the robustness of DNNs against adversarial attacks. In this paper, we propose a novel defense solution based on a Deep Denoising Sparse Autoencoder (DDSA). The proposed method is performed as a pre-processing step, where the adversarial noise of the input samples is removed before feeding the classifier. The pre-processing defense block can be associated with any classifier, without any change to their architecture or training procedure. In addition, the proposed method is a universal defense, since it does not require any knowledge about the attack, making it usable against any type of attack. The experimental results on MNIST and CIFAR-10 datasets have shown that the proposed DDSA defense provides a high robustness against a set of prominent attacks under white-, gray- and black-box settings, and outperforms state-of-the-art defense methods.

Published

2019