Showing total 19 results

1. Enhancing Security in Real-Time Video Surveillance: A Deep Learning-Based Remedial Approach for Adversarial Attack Mitigation

Author

Gyana Ranjana Panigrahi, Prabira Kumar Sethy, Santi Kumari Behera, Manoj Gupta, Farhan A. Alenizi, and Aziz Nanthaamornphong

Subjects

Adversarial attacks, deep learning, face mask recognition, video surveillance systems, face mask detection, ShuffleNetV1, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

This paper introduces an innovative methodology to disrupt deep-learning (DL) surveillance systems by implementing an adversarial framework strategy, inducing misclassification in live video objects and extending attacks to real-time models. Focusing on the vulnerability of image-categorization models, the study evaluates the effectiveness of face mask surveillance against adversarial threats. A real-time system, employing the ShuffleNet V1 transfer-learning algorithm, was trained on a Kaggle dataset for face mask detection accuracy. Using a white-box Fast Gradient Sign Method (FGSM) attack with epsilon at 0.13, the study successfully generated adversarial frames, deceiving the face mask detection system and prompting unintended video predictions. The findings highlight the risks posed by adversarial attacks on critical video surveillance systems, specifically those designed for face mask detection. The paper emphasizes the need for proactive measures to safeguard these systems before real-world deployment, crucial for ensuring their robustness and reliability in the face of potential adversarial threats.

Published

2024

2. Adversarially Robust Fault Zone Prediction in Smart Grids With Bayesian Neural Networks

Author

Emad Efatinasab, Alberto Sinigaglia, Nahal Azadi, Gian Antonio Susto, and Mirco Rampazzo

Subjects

Adversarial attacks, Bayesian neural networks, fault prediction, smart grids, uncertainty quantification, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

The rapid growth of the global population, economy, and urbanization is significantly increasing energy consumption, necessitating the integration of renewable energy sources. This integration presents challenges that demand innovative solutions to maintain grid stability and efficiency. Smart grids offer enhanced reliability, efficiency, sustainability, and bi-directional communication. However, the reliance on advanced technologies in smart grids introduces vulnerabilities, particularly concerning adversarial attacks. This paper addresses two critical issues in smart grid fault prediction: the vulnerability of machine learning models to adversarial attacks and the operational challenges posed by false alarms. We propose a Bayesian Neural Network (BNN) framework for fault zone prediction that quantifies uncertainty in predictions, enhancing robustness and reducing false alarms. Our BNN model achieves up to 0.958 accuracy and 0.960 precision in fault zone prediction. To counter adversarial attacks, we developed an uncertainty-based detection scheme that leverages prediction uncertainty. This framework distinguishes between normal and adversarial data using predictive entropy and mutual information as metrics. It detects complex white-box adversarial attacks, which are challenging due to attackers’ detailed knowledge of the model, with a mean accuracy of 0.891 using predictive entropy and 0.981 using mutual information. The model’s performance, combined with minimal computational overhead, underscores its practicality and robustness for enhancing smart grid security.

Published

2024

3. Adversarial Robustness of Vision Transformers Versus Convolutional Neural Networks

Author

Kazim Ali, Muhammad Shahid Bhatti, Atif Saeed, Atifa Athar, Mohammed A. Al Ghamdi, Sultan H. Almotiri, and Samina Akram

Subjects

Vision transformers, convolutional neural networks, clean accuracy, adversarially robustness, adversarial attacks, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Vision Transformers (ViTs) have proved to be a more powerful substitute for Convolutional Neural Networks (CNNs) in various computer vision tasks, using the self-attention approach to gain remarkable results and observations. However, the adversarial robustness of ViTs against adversarial attack methods raises critical questions, and the issues of using these models in security-related applications remain under discussion. This paper presents a novel and systematic approach to evaluate and compare the adversarial robustness of ViTs with CNNs, explicitly concentrating on the image classification problem. We have performed extensive experiments using state-of-the-art adversarial example attacks, such as the Fast Gradient Sign Method (FGSM), Projected Gradient Descent (PGD), and DeepFool Attack (DFA). The findings of this research study represent that CNNs are more robust against more straightforward attacks such as FGSM. Still, ViTs show excellent resistance against more dangerous attacks like PGD and DFA attack methods. This work provides useful outcomes revealing the advantages and limitations of CNNs and ViTs, which are helpful for further study and applications regarding safer and more effective use of deep learning models of CNNs and ViTs.

Published

2024

4. Adaptive Selection of Loss Function for Federated Learning Clients Under Adversarial Attacks

Author

Suchul Lee

Subjects

Adaptive selection of loss function, adversarial attacks, adversarial training, Byzantine-robust aggregation, federated learning, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Federated learning (FL) is a deep learning paradigm that allows clients to train deep learning models distributively, keeping raw data local rather than sending it to the cloud, thereby reducing security and privacy concerns. Although FL is designed to be inherently secure, it still has many vulnerabilities. In this paper, we consider an FL scenario where clients are subjected to an adversarial attack that exploits vulnerabilities in the decision-making process of deep learning models to induce misclassification. We observed that adversarial training has a trade-off relationship in which, as classification performance for adversarial examples increases, classification performance for normal samples decreases. To effectively utilize this trade-off relationship in adversarial training, we propose an adaptive selection scheme of the loss function depending on whether the FL client is attacked. The proposed scheme was experimentally proven to achieve the best robust accuracy while minimizing the decrease in natural accuracy. Further, we combined the proposed scheme with Byzantine-robust aggregation. We expected model training to converge stably because Byzantine-robust aggregation prevents highly distorted models from being aggregated, but we obtained experimental results that were contrary to our expectations.

Published

2024

5. The Impact of Simultaneous Adversarial Attacks on Robustness of Medical Image Analysis

Author

Shantanu Pal, Saifur Rahman, Maedeh Beheshti, Ahsan Habib, Zahra Jadidi, and Chandan Karmakar

Subjects

Machine learning, deep learning, medical image analysis, robustness, adversarial attacks, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Deep learning models are widely used in healthcare systems. However, deep learning models are vulnerable to attacks themselves. Significantly, due to the black-box nature of the deep learning model, it is challenging to detect attacks. Furthermore, due to data sensitivity, such adversarial attacks in healthcare systems are considered potential security and privacy threats. In this paper, we provide a comprehensive analysis of adversarial attacks on medical image analysis, including two adversary methods, FGSM and PGD, applied to an entire image or partial image. The partial attack comes in various sizes, either the individual or combinational format of attack. We use three medical datasets to examine the impact of the model’s accuracy and robustness. Finally, we provide a complete implementation of the attacks and discuss the results. Our results indicate the weakness and robustness of four deep learning models and exhibit how varying perturbations stimulate model behaviour regarding the specific area and critical features.

Published

2024

6. How Deep Learning Sees the World: A Survey on Adversarial Attacks & Defenses

Author

Joana C. Costa, Tiago Roxo, Hugo Proenca, and Pedro Ricardo Morais Inacio

Subjects

Adversarial attacks, adversarial defenses, datasets, evaluation metrics, review, vision transformers, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Deep Learning is currently used to perform multiple tasks, such as object recognition, face recognition, and natural language processing. However, Deep Neural Networks (DNNs) are vulnerable to perturbations that alter the network prediction, named adversarial examples, which raise concerns regarding the usage of DNNs in critical areas, such as Self-driving Vehicles, Malware Detection, and Healthcare. This paper compiles the most recent adversarial attacks in Object Recognition, grouped by the attacker capacity and knowledge, and modern defenses clustered by protection strategies, providing background details to understand the topic of adversarial attacks and defenses. The new advances regarding Vision Transformers are also presented, which have not been previously done in the literature, showing the resemblance and dissimilarity between this architecture and Convolutional Neural Networks. Furthermore, the most used datasets and metrics in adversarial settings are summarized, along with datasets requiring further evaluation, which is another contribution. This survey compares the state-of-the-art results under different attacks for multiple architectures and compiles all the adversarial attacks and defenses with available code, comprising significant contributions to the literature. Finally, practical applications are discussed, and open issues are identified, being a reference for future works.

Published

2024

7. Privacy and Security Concerns in Generative AI: A Comprehensive Survey

Author

Abenezer Golda, Kidus Mekonen, Amit Pandey, Anushka Singh, Vikas Hassija, Vinay Chamola, and Biplab Sikdar

Subjects

Generative artificial intelligence, privacy concerns, security concerns, deep learning, adversarial attacks, synthetic data, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Generative Artificial Intelligence (GAI) has sparked a transformative wave across various domains, including machine learning, healthcare, business, and entertainment, owing to its remarkable ability to generate lifelike data. This comprehensive survey offers a meticulous examination of the privacy and security challenges inherent to GAI. It provides five pivotal perspectives essential for a comprehensive understanding of these intricacies. The paper encompasses discussions on GAI architectures, diverse generative model types, practical applications, and recent advancements within the field. In addition, it highlights current security strategies and proposes sustainable solutions, emphasizing user, developer, institutional, and policymaker involvement.

Published

2024

8. A Framework for Robust Deep Learning Models Against Adversarial Attacks Based on a Protection Layer Approach

Author

Mohammed Nasser Al-Andoli, Shing Chiang Tan, Kok Swee Sim, Pey Yun Goh, and Chee Peng Lim

Subjects

Deep learning, adversarial examples, security, adversarial attacks, adversarial examples detection, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Deep learning (DL) has demonstrated remarkable achievements in various fields. Nevertheless, DL models encounter significant challenges in detecting and defending against adversarial samples (AEs). These AEs are meticulously crafted by adversaries, introducing imperceptible perturbations to clean data to deceive DL models. Consequently, AEs pose potential risks to DL applications. In this paper, we propose an effective framework for enhancing the robustness of DL models against adversarial attacks. The framework leverages convolutional neural networks (CNNs) for feature learning, Deep Neural Networks (DNNs) with softmax for classification, and a defense mechanism to identify and exclude AEs. Evasion attacks are employed to create AEs to evade and mislead the classifier by generating malicious samples during the test phase of DL models i.e., CNN and DNN, using the Fast Gradient Sign Method (FGSM), Basic Iterative Method (BIM), Projected Gradient Descent (PGD), and Square Attack (SA). A protection layer is developed as a detection mechanism placed before the DNN classifier to identify and exclude AEs. The detection mechanism incorporates a machine learning model, which includes one of the following: Fuzzy ARTMAP, Random Forest, K-Nearest Neighbors, XGBoost, or Gradient Boosting Machine. Extensive evaluations are conducted on the MNIST, CIFAR-10, SVHN, and Fashion-MNIST data sets to assess the effectiveness of the proposed framework. The experimental results indicate the framework’s ability to effectively and accurately detect AEs generated by four popular attacking methods, highlighting the potential of our developed framework in enhancing its robustness against AEs.

Published

2024

9. SAAM: Stealthy Adversarial Attack on Monocular Depth Estimation

Author

Amira Guesmi, Muhammad Abdullah Hanif, Bassem Ouni, and Muhammad Shafique

Subjects

Adversarial attacks, adversarial patch, CNN, collision avoidance, localization, machine learning, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Monocular depth estimation (MDE) is an important task in scene understanding, and significant improvements in its performance have been witnessed with the utilization of convolutional neural networks (CNNs). These models can now be deployed on edge devices, thanks to advancements in CNN optimization, enabling effective depth estimation in safety-critical and security-sensitive systems like robots, rovers, drones, and autonomous cars. However, CNNs used for MDE are susceptible to adversarial attacks, which can be exploited for malicious purposes by generating plausible images containing carefully crafted perturbations that distort the model’s output. To assess the vulnerability of CNN-based depth prediction methods, recent studies have attempted to design adversarial patches specifically targeting MDE. However, these methods have not been powerful enough to fully deceive the vision system in a systemically threatening manner. Their impact is less effective, misleading the depth prediction of only certain parts within the overlapping region of the input image by using conspicuous and eye-catching patterns. In this paper, we investigate the vulnerability of MDE to adversarial patches. We propose a novel Stealthy Adversarial Attacks on MDE (SAAM) that compromises MDE by either corrupting the estimated distance or causing an object to seamlessly blend into its surroundings. Our experiments demonstrate that the designed stealthy patch successfully causes a CNN to misestimate the depth of objects. In fact, our proposed adversarial patch achieves a significant 60% depth error with 99% ratio of the affected region. Importantly, despite its adversarial nature, the patch maintains a naturalistic appearance, making it inconspicuous to human observers. We believe that this work sheds light on the threat of adversarial attacks in the context of MDE on edge devices. We hope it raises awareness within the community about the potential real-life harm of such attacks and encourages further research into developing more robust and adaptive defense mechanisms.

Published

2024

10. Privacy and Security in Distributed Learning: A Review of Challenges, Solutions, and Open Research Issues

Author

Muhammad Usman Afzal, Alaa Awad Abdellatif, Muhammad Zubair, Muhammad Qasim Mehmood, and Yehia Massoud

Subjects

Data privacy and security, Internet of Things (IoT), deep learning, adversarial attacks, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

In recent years, the way that machine learning is used has undergone a paradigm shift driven by distributed and collaborative learning. Several approaches have emerged to enable pervasive computing and distributed learning in ubiquitous Internet of Things (IoT) systems. Numerous decentralized strategies have been proposed to deal with the limitations of centralized learning, including privacy and latency due to sharing local data, while utilizing distributed computations as a promising substitute to centralized learning. However, such distributed learning schemes come with new security and privacy concerns that should be addressed. Thus, in this paper, we first provide an overview for the emerging paradigms developed for distributed learning. Then, we performed a comprehensive survey for the privacy and security challenges associated with distributed learning along with the presented solutions to overcome them. Furthermore, we highlight key challenges and open future research directions toward implementing more robust distributed systems.

Published

2023

11. Exploring Transferability on Adversarial Attacks

Author

Enrique Alvarez, Rafael Alvarez, and Miguel Cazorla

Subjects

Adversarial attacks, convolutional neural networks, deep learning, GeoDA, HopSkipJump, SurFree, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Despite of the progress that has been made in the field, the problem of adversarial attacks remains unresolved. The most up-to-date models are still vulnerable, and there is not a simple way to defend against these kinds of attacks; even transformers can be affected by this problem, although they have not been extensively studied yet. In this paper, we study transferability, which is a property of adversarial attacks in which images generated for one architecture can be transferred to another and still be effective. In real-world scenarios like self-driving cars, malware detection, and face recognition authentication systems, transferability can lead to security issues. In order to conduct a behavioral analysis, we select a diverse set of networks and measure how effectively the images produced by various attacks can be transferred among them. We generate adversarial samples for each network and then evaluate them with other networks to determine the corresponding transferability performance. We can observe that all networks are susceptible to transferability attacks, albeit in some cases at the expense of severely distorted images.

Published

2023

12. Defending AI-Based Automatic Modulation Recognition Models Against Adversarial Attacks

Author

Haolin Tang, Ferhat Ozgur Catak, Murat Kuzlu, Evren Catak, and Yanxiao Zhao

Subjects

Artificial intelligence, next-generation networks, automatic modulation recognition, adversarial attacks, model poisoning, defensive distillation, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Automatic Modulation Recognition (AMR) is one of the critical steps in the signal processing chain of wireless networks, which can significantly improve communication performance. AMR detects the modulation scheme of the received signal without any prior information. Recently, many Artificial Intelligence (AI) based AMR methods have been proposed, inspired by the considerable progress of AI methods in various fields. On the one hand, AI-based AMR methods can outperform traditional methods in terms of accuracy and efficiency. On the other hand, they are susceptible to new types of cyberattacks, such as model poisoning or adversarial attacks. This paper explores the vulnerabilities of an AI-based AMR model to adversarial attacks in both single-input-single-output and multiple-input-multiple-output scenarios. We show that these attacks can significantly reduce the classification performance of the AI-based AMR model, which highlights the security and robustness concerns. Therefore, we propose a widely used mitigation method (i.e., defensive distillation) to reduce the vulnerabilities of the model against adversarial attacks. The simulation results indicate that the AI-based AMR model can be highly vulnerable to adversarial attacks, but their vulnerabilities can be significantly reduced by using mitigation methods.

Published

2023

13. Secure Convolutional Neural Network-Based Internet-of-Healthcare Applications

Author

Lazhar Khriji, Soulef Bouaafia, Seifeddine Messaoud, Ahmed Chiheb Ammari, and Mohsen Machhout

Subjects

Convolutional neural networks, internet of healthcare, medical data, adversarial attacks, security and privacy, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Convolutional neural networks (CNNs) have gained popularity for Internet-of-Healthcare (IoH) applications such as medical diagnostics. However, new research shows that adversarial attacks with slight imperceptible changes can undermine deep neural network techniques in healthcare. This raises questions regarding the safety of deploying these IoH devices in clinical situations. In this paper, we review the techniques used in fighting against cyber-attacks. Then, we propose to study the robustness of some well-known CNN architectures’ belonging to sequential, parallel, and residual families, such as LeNet5, MobileNetV1, VGG16, ResNet50, and InceptionV3 against fast gradient sign method (FGSM) and projected gradient descent (PGD) attacks, in the context of classification of chest radiographs (X-rays) based on the IoH application. Finally, we propose to improve the security of these CNN structures by studying standard and adversarial training. The results show that, among these models, smaller models with lower computational complexity are more secure against hostile threats than larger models that are frequently used in IoH applications. In contrast, we reveal that when these networks are learned adversarially, they can outperform standard trained networks. The experimental results demonstrate that the model performance breakpoint is represented by $\gamma =0.3$ with a maximum loss of accuracy tolerated at 2%.

Published

2023

14. Turning Federated Learning Systems Into Covert Channels

Author

Gabriele Costa, Fabio Pinelli, Simone Soderi, and Gabriele Tolomei

Subjects

Federated learning, adversarial attacks, machine learning security, covert channel, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Federated learning (FL) goes beyond traditional, centralized machine learning by distributing model training among a large collection of edge clients. These clients cooperatively train a global, e.g., cloud-hosted, model without disclosing their local, private training data. The global model is then shared among all the participants which use it for local predictions. This paper proves that FL systems can be turned into covert channels to implement a stealth communication infrastructure. The main intuition is that, during federated training, a malicious sender can poison the global model by submitting purposely crafted examples. Although the effect of the model poisoning is negligible to other participants and does not alter the overall model performance, it can be observed by a malicious receiver and used to transmit a sequence of bits. We mounted our attack on an FL system to verify its feasibility. Experimental evidence shows that this covert channel is reliable, efficient, and extremely hard to counter. These results highlight that our new attacker model threatens FL infrastructures.

Published

2022

15. A Methodology for Evaluating the Robustness of Anomaly Detectors to Adversarial Attacks in Industrial Scenarios

Author

Angel Luis Perales Gomez, Lorenzo Fernandez Maimo, Felix J. Garcia Clemente, Javier Alejandro Maroto Morales, Alberto Huertas Celdran, and Gerome Bovet

Subjects

Adversarial attacks, evasion attacks, industrial control systems, machine learning, deep learning, robustness, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Anomaly Detection systems based on Machine and Deep learning are the most promising solutions to detect cyberattacks in the industry. However, these techniques are vulnerable to adversarial attacks that downgrade prediction performance. Several techniques have been proposed to measure the robustness of Anomaly Detection in the literature. However, they do not consider that, although a small perturbation in an anomalous sample belonging to an attack, i.e., Denial of Service, could cause it to be misclassified as normal while retaining its ability to damage, an excessive perturbation might also transform it into a truly normal sample, with no real impact on the industrial system. This paper presents a methodology to calculate the robustness of Anomaly Detection models in industrial scenarios. The methodology comprises four steps and uses a set of additional models called support models to determine if an adversarial sample remains anomalous. We carried out the validation using the Tennessee Eastman process, a simulated testbed of a chemical process. In such a scenario, we applied the methodology to both a Long-Short Term Memory (LSTM) neural network and 1-dimensional Convolutional Neural Network (1D-CNN) focused on detecting anomalies produced by different cyberattacks. The experiments showed that 1D-CNN is significantly more robust than LSTM for our testbed. Specifically, a perturbation of 60% (empirical robustness of 0.6) of the original sample is needed to generate adversarial samples for LSTM, whereas in 1D-CNN the perturbation required increases up to 111% (empirical robustness of 1.11).

Published

2022

16. A Highly Stealthy Adaptive Decay Attack Against Speaker Recognition

Author

Xinyu Zhang, Yang Xu, Sicong Zhang, and Xiaojian Li

Subjects

Deep learning, adversarial attacks, speaker recognition, adaptive decay attack, adversarial training, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Speaker recognition based on deep learning is currently the most advanced and mainstream technology in the industry. Adversarial attacks, an emerging and powerful attack against neural network models, also posing serious security problems for speaker recognition. Common gradient-based attack methods such as FGSM (Fast Gradient Sign Method), PGD (Projected Gradient Descent), and MI-FGSM (Momentum Iteration-FGSM) generate adversarial examples that are poorly stealthy and easily perceived by the human ear. To improve the stealthiness of the adversarial examples, this paper proposes a new attack method called the Adaptive Decay Attack (ADA), whose stealth is very close to the CW2(Carlini&Wagner) method based on optimization attacks, with much less computation time than CW2. The method takes the set number of iterations as the termination condition, automatically adjusts the size of the maximum perturbation according to whether the attack is successful or not, and then uses the decay methods in learning rates such as exponential decay and cosine annealing to continuously reduce the step size. The experimental results show that under the two speaker recognition models x-vector, and i-vector, the proposed attack method improves the stealthiness metrics such as SNR and PESQ by at least 30% and 39%, respectively, compared with the best PGD attack under speaker identification of untargeted attacks. For the speaker identification task with targeted attacks, the average improvement is at least 20% and 25% compared to PGD. For the speaker verification task, the improvement is at least 29.5% and 33.4% compared to PGD. In addition, we also use this attack method for adversarial training to enhance the robustness of the model. Experimental results show that ADA-based adversarial training takes 28.31% less time than PGD-based adversarial training, and its improved robustness is generally superior to PGD-based adversarial training. Specifically, the attack success rate of PGD and ADA methods decreased from 50.88% to 36.47% and 64.74% to 45.82%, respectively.

Published

2022

17. A Survey on Efficient Methods for Adversarial Robustness

Author

Awais Muhammad and Sung-Ho Bae

Subjects

Neural networks, deep learning, efficient training, adversarial robustness, adversarial attacks, adversarial learning, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Deep learning has revolutionized computer vision with phenomenal success and widespread applications. Despite impressive results in complex problems, neural networks are susceptible to adversarial attacks: small and imperceptible changes in input space that lead these models to incorrect outputs. Adversarial attacks have raised serious concerns, and robustness to these attacks has become a vital issue. Adversarial training, a min-max optimization approach, has shown promise against these attacks. The computational cost of adversarial training, however, makes it prohibitively difficult to scale as well as to be useful in practice. Recently, several works have explored different approaches to make adversarial training computationally more affordable. This paper presents a comprehensive survey on efficient adversarial robustness methods with an aim to present a holistic outlook to make future exploration more systematic and exhaustive. We start by mathematically defining fundamental ideas in adversarially robust learning. We then divide these approaches into two categories based on underlying mechanisms: methods that modify initial adversarial training and techniques that leverage transfer learning to improve efficiency. Finally, based on this overview, we analyze and present an outlook of future directions.

Published

2022

18. Robust Natural Language Processing: Recent Advances, Challenges, and Future Directions

Author

Marwan Omar, Soohyeon Choi, Daehun Nyang, and David Mohaisen

Subjects

Natural language processing, adversarial attacks, robustness, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Recent natural language processing (NLP) techniques have accomplished high performance on benchmark data sets, primarily due to the significant improvement in the performance of deep learning. The advances in the research community have led to great enhancements in state-of-the-art production systems for NLP tasks, such as virtual assistants, speech recognition, and sentiment analysis. However, such NLP systems still often fail when tested with adversarial attacks. The initial lack of robustness exposed troubling gaps in current models’ language understanding capabilities, creating problems when NLP systems are deployed in real life. In this paper, we present a structured overview of NLP robustness research by summarizing the literature in a systemic way across various dimensions. We then take a deep-dive into the various dimensions of robustness, across techniques, metrics, embedding, and benchmarks. Finally, we argue that robustness should be multi-dimensional, provide insights into current research, identify gaps in the literature to suggest directions worth pursuing to address these gaps

Published

2022

19. A Methodology for Evaluating the Robustness of Anomaly Detectors to Adversarial Attacks in Industrial Scenarios

Author

Lorenzo Fernández Maimó, Javier Maroto, Alberto Huertas Celdrán, Félix Jesús Garcia Clemente, Ángel Luis Perales Gómez, Gérôme Bovet, University of Zurich, and Perales Gómez, Ángel L

Subjects

perturbation methods, industries, General Computer Science, 10009 Department of Informatics, 2208 Electrical and Electronic Engineering, industrial control systems, evasion attacks, General Engineering, deep learning, robustness, 000 Computer science, knowledge & systems, neural networks, 2500 General Materials Science, adversarial attacks, machine learning, 2200 General Engineering, General Materials Science, 1700 General Computer Science, transforms, Electrical and Electronic Engineering, detectors

Abstract

Anomaly Detection systems based on Machine and Deep learning are the most promising solutions to detect cyberattacks in the industry. However, these techniques are vulnerable to adversarial attacks that downgrade prediction performance. Several techniques have been proposed to measure the robustness of Anomaly Detection in the literature. However, they do not consider that, although a small perturbation in an anomalous sample belonging to an attack, i.e., Denial of Service, could cause it to be misclassified as normal while retaining its ability to damage, an excessive perturbation might also transform it into a truly normal sample, with no real impact on the industrial system. This paper presents a methodology to calculate the robustness of Anomaly Detection models in industrial scenarios. The methodology comprises four steps and uses a set of additional models called support models to determine if an adversarial sample remains anomalous. We carried out the validation using the Tennessee Eastman process, a simulated testbed of a chemical process. In such a scenario, we applied the methodology to both a Long-Short Term Memory (LSTM) neural network and 1-dimensional Convolutional Neural Network (1D-CNN) focused on detecting anomalies produced by different cyberattacks. The experiments showed that 1D-CNN is significantly more robust than LSTM for our testbed. Specifically, a perturbation of 60% (empirical robustness of 0.6) of the original sample is needed to generate adversarial samples for LSTM, whereas in 1D-CNN the perturbation required increases up to 111% (empirical robustness of 1.11).

Published

2022