Showing total 18 results

1. Adversarial Scratches: Deployable Attacks to CNN Classifiers

Author

Loris Giulivi, Malhar Jere, Loris Rossi, Farinaz Koushanfar, Gabriela Ciocarlie, Briland Hitaj, and Giacomo Boracchi

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, I.4, I.5, Computer Vision and Pattern Recognition (cs.CV), Adversarial attacks, Computer Science - Computer Vision and Pattern Recognition, Adversarial perturbations, Adversarial attacks, Deep learning, Convolutional neural networks, Bézier curves, Deep learning, Bézier curves, Machine Learning (cs.LG), Adversarial perturbations, Artificial Intelligence, Signal Processing, Convolutional neural networks, Computer Vision and Pattern Recognition, Cryptography and Security (cs.CR), Software

Abstract

A growing body of work has shown that deep neural networks are susceptible to adversarial examples. These take the form of small perturbations applied to the model's input which lead to incorrect predictions. Unfortunately, most literature focuses on visually imperceivable perturbations to be applied to digital images that often are, by design, impossible to be deployed to physical targets. We present Adversarial Scratches: a novel L0 black-box attack, which takes the form of scratches in images, and which possesses much greater deployability than other state-of-the-art attacks. Adversarial Scratches leverage B\'ezier Curves to reduce the dimension of the search space and possibly constrain the attack to a specific location. We test Adversarial Scratches in several scenarios, including a publicly available API and images of traffic signs. Results show that, often, our attack achieves higher fooling rate than other deployable state-of-the-art methods, while requiring significantly fewer queries and modifying very few pixels., Comment: This work is published at Pattern Recognition (Elsevier). This paper stems from 'Scratch that! An Evolution-based Adversarial Attack against Neural Networks' for which an arXiv preprint is available at arXiv:1912.02316. Further studies led to a complete overhaul of the work, resulting in this paper

Published

2022

2. Survey on federated learning threats: Concepts, taxonomy on attacks and defences, experimental study and challenges

Author

Nuria Rodríguez-Barroso, Daniel Jiménez-López, M. Victoria Luzón, Francisco Herrera, and Eugenio Martínez-Cámara

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Adversarial attacks, Federated learning, Defences, Machine Learning (cs.LG), Artificial Intelligence (cs.AI), Hardware and Architecture, Signal Processing, Privacy attacks, Cryptography and Security (cs.CR), Software, Information Systems

Abstract

Federated learning is a machine learning paradigm that emerges as a solution to the privacy-preservation demands in artificial intelligence. As machine learning, federated learning is threatened by adversarial attacks against the integrity of the learning model and the privacy of data via a distributed approach to tackle local and global learning. This weak point is exacerbated by the inaccessibility of data in federated learning, which makes harder the protection against adversarial attacks and evidences the need to furtherance the research on defence methods to make federated learning a real solution for safeguarding data privacy. In this paper, we present an extensive review of the threats of federated learning, as well as as their corresponding countermeasures, attacks versus defences. This survey provides a taxonomy of adversarial attacks and a taxonomy of defence methods that depict a general picture of this vulnerability of federated learning and how to overcome it. Likewise, we expound guidelines for selecting the most adequate defence method according to the category of the adversarial attack. Besides, we carry out an extensive experimental study from which we draw further conclusions about the behaviour of attacks and defences and the guidelines for selecting the most adequate defence method according to the category of the adversarial attack. This study is finished leading to meditated learned lessons and challenges., R&D&I, Spain - MCIN/AEI PID2020-119478GB-I00 PID2020-116118GA-I00 EQC2018-005084-P, MCIN/AEI FPU18/04475

Published

2023

3. Detection of SQL Injection Attack Using Machine Learning Techniques: A Systematic Literature Review

Author

Maha Alghawazi, Daniyal Alghazzawi, and Suaad Alarifi

Subjects

SQL injection, machine learning, deep learning, adversarial attacks, Pharmacology (medical)

Abstract

An SQL injection attack, usually occur when the attacker(s) modify, delete, read, and copy data from database servers and are among the most damaging of web application attacks. A successful SQL injection attack can affect all aspects of security, including confidentiality, integrity, and data availability. SQL (structured query language) is used to represent queries to database management systems. Detection and deterrence of SQL injection attacks, for which techniques from different areas can be applied to improve the detect ability of the attack, is not a new area of research but it is still relevant. Artificial intelligence and machine learning techniques have been tested and used to control SQL injection attacks, showing promising results. The main contribution of this paper is to cover relevant work related to different machine learning and deep learning models used to detect SQL injection attacks. With this systematic review, we aims to keep researchers up-to-date and contribute to the understanding of the intersection between SQL injection attacks and the artificial intelligence field.

Published

2022

4. Transferability analysis of adversarial attacks on gender classification to face recognition: Fixed and variable attack perturbation

Author

Rezgui, Zohra, Bassit, Amina, Veldhuis, Raymond, Datamanagement & Biometrics, and Digital Society Institute

Subjects

gender classification, adversarial attacks, privacy protection, Signal Processing, Computer Vision and Pattern Recognition, Software, face recognition

Abstract

Most deep learning-based image classification models are vulnerable to adversarial attacks that introduce imperceptible changes to the input images for the purpose of model misclassification. It has been demonstrated that these attacks, targeting a specific model, are transferable among models performing the same task. However, models performing different tasks but sharing the same input space and model architecture were never considered in the transferability scenarios presented in the literature. In this paper, this phenomenon was analysed in the context of VGG16-based and ResNet50-based biometric classifiers. The authors investigate the impact of two white-box attacks on a gender classifier and contrast a defence method as a countermeasure. Then, using adversarial images generated by the attacks, a pre-trained face recognition classifier is attacked in a black-box fashion. Two verification comparison settings are employed, in which images perturbed with the same and different magnitude of the perturbation are compared. The authors’ results indicate transferability in the fixed perturbation setting for a Fast Gradient Sign Method attack and non-transferability in a pixel-guided denoiser attack setting. The interpretation of this non-transferability can support the use of fast and train-free adversarial attacks targeting soft biometric classifiers as means to achieve soft biometric privacy protection while maintaining facial identity as utility.

Published

2022

5. A Methodology for Evaluating the Robustness of Anomaly Detectors to Adversarial Attacks in Industrial Scenarios

Author

Lorenzo Fernández Maimó, Javier Maroto, Alberto Huertas Celdrán, Félix Jesús Garcia Clemente, Ángel Luis Perales Gómez, Gérôme Bovet, University of Zurich, and Perales Gómez, Ángel L

Subjects

perturbation methods, industries, General Computer Science, 10009 Department of Informatics, 2208 Electrical and Electronic Engineering, industrial control systems, evasion attacks, General Engineering, deep learning, robustness, 000 Computer science, knowledge & systems, neural networks, 2500 General Materials Science, adversarial attacks, machine learning, 2200 General Engineering, General Materials Science, 1700 General Computer Science, transforms, Electrical and Electronic Engineering, detectors

Abstract

Anomaly Detection systems based on Machine and Deep learning are the most promising solutions to detect cyberattacks in the industry. However, these techniques are vulnerable to adversarial attacks that downgrade prediction performance. Several techniques have been proposed to measure the robustness of Anomaly Detection in the literature. However, they do not consider that, although a small perturbation in an anomalous sample belonging to an attack, i.e., Denial of Service, could cause it to be misclassified as normal while retaining its ability to damage, an excessive perturbation might also transform it into a truly normal sample, with no real impact on the industrial system. This paper presents a methodology to calculate the robustness of Anomaly Detection models in industrial scenarios. The methodology comprises four steps and uses a set of additional models called support models to determine if an adversarial sample remains anomalous. We carried out the validation using the Tennessee Eastman process, a simulated testbed of a chemical process. In such a scenario, we applied the methodology to both a Long-Short Term Memory (LSTM) neural network and 1-dimensional Convolutional Neural Network (1D-CNN) focused on detecting anomalies produced by different cyberattacks. The experiments showed that 1D-CNN is significantly more robust than LSTM for our testbed. Specifically, a perturbation of 60% (empirical robustness of 0.6) of the original sample is needed to generate adversarial samples for LSTM, whereas in 1D-CNN the perturbation required increases up to 111% (empirical robustness of 1.11).

Published

2022

6. Adversarial Attacks and Defense Technologies on Autonomous Vehicles: A Review

Author

K. T. Y. Mahima, Mohamed Ayoob, and Guhanathan Poravi

Subjects

QA76.75-76.765, adversarial attacks, machine learning, autonomous driving, adversarial robustness, Computer software, General Medicine, computer vision

Abstract

In recent years, various domains have been influenced by the rapid growth of machine learning. Autonomous driving is an area that has tremendously developed in parallel with the advancement of machine learning. In autonomous vehicles, various machine learning components are used such as traffic lights recognition, traffic sign recognition, limiting speed and pathfinding. For most of these components, computer vision technologies with deep learning such as object detection, semantic segmentation and image classification are used. However, these machine learning models are vulnerable to targeted tensor perturbations called adversarial attacks, which limit the performance of the applications. Therefore, implementing defense models against adversarial attacks has become an increasingly critical research area. The paper aims at summarising the latest adversarial attacks and defense models introduced in the field of autonomous driving with machine learning technologies up until mid-2021.

Published

2021

7. Adversarial Deep Learning approach detection and defense against DDoS attacks in SDN environments

Author

Mario Lemes Proença, Jaime Lloret, Matheus P. Novaes, and Luiz F. Carvalho

Subjects

Computer Networks and Communications, Computer science, Denial-of-service attack, 02 engineering and technology, Computer security, computer.software_genre, SDN, Adversarial system, Deep Learning, Control theory, 0202 electrical engineering, electronic engineering, information engineering, Forwarding plane, Control logic, business.industry, Deep learning, Adversarial attacks, 020206 networking & telecommunications, INGENIERIA TELEMATICA, GAN, Hardware and Architecture, 020201 artificial intelligence & image processing, Anomaly detection, Artificial intelligence, DDoS, business, Software-defined networking, computer, Software

Abstract

[EN] Over the last few years, Software Defined Networking (SDN) paradigm has become an emerging architecture to design future networks and to meet new application demands. SDN provides resources for improving network control and management by separating control and data plane, and the logical control is centralized in a controller. However, the centralized control logic can be an ideal target for malicious attacks, mainly Distributed Denial of Service (DDoS) attacks. Recently, Deep Learning has become a powerful technique applied in cybersecurity, and many Network Intrusion Detection (NIDS) have been proposed in recent researches. Some studies have indicated that deep neural networks are sensitive in detecting adversarial attacks. Adversarial attacks are instances with certain perturbations that cause deep neural networks to misclassify. In this paper, we proposed a detection and defense system based on Adversarial training in SDN, which uses Generative Adversarial Network (GAN) framework for detecting DDoS attacks and applies adversarial training to make the system less sensitive to adversarial attacks. The proposed system includes well-defined modules that enable continuous traffic monitoring using IP flow analysis, enabling the anomaly detection system to act in near-real-time. We conducted the experiments on two distinct scenarios, with emulated data and the public dataset CICDDoS 2019. Experimental results demonstrated that the system efficiently detected up-to-date common types of DDoS attacks compared to other approaches., This work has been partially supported by the National Council for Scientific and Technological Development (CNPq) of Brazil under Grant of Project 310668/2019-0 and by SETI, Brazil/Fundacao Araucaria due to the concession of scholarships; by the "Ministerio de Economia y Competitividad, Spain"in the "Programa Estatal de Fomento de la Investigacion Cientifica y Tecnica de Excelencia, Subprograma Estatal de Generacion de Conocimiento"within the project under Grant TIN2017-84802-C2-1-P.

Published

2021

8. ShuffleDetect: Detecting Adversarial Images against Convolutional Neural Networks

Author

Raluca Chitic, Ali Osman Topal, Franck Leprévost, and University of Luxembourg: High Performance Computing - ULHPC [research center]

Subjects

Computer science [C05] [Engineering, computing & technology], Fluid Flow and Transfer Processes, Process Chemistry and Technology, Convolutional Neural Networks, Evolutionary Algorithm, Security, General Engineering, General Materials Science, Sciences informatiques [C05] [Ingénierie, informatique & technologie], Instrumentation, Adversarial Attacks Detection, adversarial attacks, detection, evolutionary algorithms, convolutional neural networks, security, Computer Science Applications

Abstract

Recently, convolutional neural networks (CNNs) have become the main drivers in many image recognition applications. However, they are vulnerable to adversarial attacks, which can lead to disastrous consequences. This paper introduces ShuffleDetect as a new and efficient unsupervised method for the detection of adversarial images against trained convolutional neural networks. Its main feature is to split an input image into non-overlapping patches, then swap the patches according to permutations, and count the number of permutations for which the CNN classifies the unshuffled input image and the shuffled image into different categories. The image is declared adversarial if and only if the proportion of such permutations exceeds a certain threshold value. A series of 8 targeted or untargeted attacks was applied on 10 diverse and state-of-the-art ImageNet-trained CNNs, leading to 9500 relevant clean and adversarial images. We assessed the performance of ShuffleDetect intrinsically and compared it with another detector. Experiments show that ShuffleDetect is an easy-to-implement, very fast, and near memory-free detector that achieves high detection rates and low false positive rates.

Published

2023

9. Multivariate Lipschitz Analysis of the Stability of Neural Networks

Author

Gupta, Kavya, Kaakai, Fateh, Pesquet-Popescu, Beatrice, Pesquet, Jean-Christophe, Malliaros, Fragkiskos, OPtimisation Imagerie et Santé (OPIS), Inria Saclay - Ile de France, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre de vision numérique (CVN), Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Université Paris-Saclay-CentraleSupélec-Université Paris-Saclay, and Thales LAS France

Subjects

safety, adversarial attacks, [INFO.INFO-LG]Computer Science [cs]/Machine Learning [cs.LG], tabular data, Lipschitz, stability, sensitivity, neural networks, [INFO.INFO-AI]Computer Science [cs]/Artificial Intelligence [cs.AI]

Abstract

International audience; The stability of neural networks with respect to adversarial perturbations has been extensively studied. One of the main strategies consist of quantifying the Lipschitz regularity of neural networks. In this paper, we introduce a multivariate Lipschitz constant-based stability analysis of fully connected neural networks allowing us to capture the influence of each input or group of inputs on the neural network stability. Our approach relies on a suitable re-normalization of the input space, with the objective to perform a more precise analysis than the one provided by a global Lipschitz constant. We investigate the mathematical properties of the proposed multivariate Lipschitz analysis and show its usefulness in better understanding the sensitivity of the neural network with regard to groups of inputs. We display the results of this analysis by a new representation designed for machine learning practitioners and safety engineers termed as a Lipschitz star. The Lipschitz star is a graphical and practical tool to analyze the sensitivity of a neural network model during its development, with regard to different combinations of inputs. By leveraging this tool, we show that it is possible to build robust-by-design models using spectral normalization techniques for controlling the stability of a neural network, given a safety Lipschitz target. Thanks to our multivariate Lipschitz analysis, we can also measure the efficiency of adversarial training in inference tasks. We perform experiments on various open access tabular datasets, and also on a real Thales Air Mobility industrial application subject to certification requirements.

Published

2022

10. Towards Adversarial Attacks for Clinical Document Classification

Author

Nina Fatehi, Qutaiba Alasad, and Mohammed Alawad

Subjects

Computer Networks and Communications, Hardware and Architecture, Control and Systems Engineering, Signal Processing, adversarial attacks, document classification, CNN, NLP, Electrical and Electronic Engineering

Abstract

Regardless of revolutionizing improvements in various domains thanks to recent advancements in the field of Deep Learning (DL), recent studies have demonstrated that DL networks are susceptible to adversarial attacks. Such attacks are crucial in sensitive environments to make critical and life-changing decisions, such as health decision-making. Research efforts on using textual adversaries to attack DL for natural language processing (NLP) have received increasing attention in recent years. Among the available textual adversarial studies, Electronic Health Records (EHR) have gained the least attention. This paper investigates the effectiveness of adversarial attacks on clinical document classification and proposes a defense mechanism to develop a robust convolutional neural network (CNN) model and counteract these attacks. Specifically, we apply various black-box attacks based on concatenation and editing adversaries on unstructured clinical text. Then, we propose a defense technique based on feature selection and filtering to improve the robustness of the models. Experimental results show that a small perturbation to the unstructured text in clinical documents causes a significant drop in performance. Performing the proposed defense mechanism under the same adversarial attacks, on the other hand, avoids such a drop in performance. Therefore, it enhances the robustness of the CNN model for clinical document classification.

Published

2022

11. Model and Training Method of the Resilient Image Classifier Considering Faults, Concept Drift, and Adversarial Attacks

Author

Viacheslav Moskalenko, Vyacheslav Kharchenko, Alona Moskalenko, and Sergey Petrov

Subjects

Numerical Analysis, convolutional neural network, robustness, concept drift, image classification, resilience, graceful degradation, adversarial attacks, faults injection, self-learning, self-knowledge distillation, prototypical classifier, contrastive-center loss, Theoretical Computer Science, Computational Mathematics, Computational Theory and Mathematics

Abstract

Modern trainable image recognition models are vulnerable to different types of perturbations; hence, the development of resilient intelligent algorithms for safety-critical applications remains a relevant concern to reduce the impact of perturbation on model performance. This paper proposes a model and training method for a resilient image classifier capable of efficiently functioning despite various faults, adversarial attacks, and concept drifts. The proposed model has a multi-section structure with a hierarchy of optimized class prototypes and hyperspherical class boundaries, which provides adaptive computation, perturbation absorption, and graceful degradation. The proposed training method entails the application of a complex loss function assembled from its constituent parts in a particular way depending on the result of perturbation detection and the presence of new labeled and unlabeled data. The training method implements principles of self-knowledge distillation, the compactness maximization of class distribution and the interclass gap, the compression of feature representations, and consistency regularization. Consistency regularization makes it possible to utilize both labeled and unlabeled data to obtain a robust model and implement continuous adaptation. Experiments are performed on the publicly available CIFAR-10 and CIFAR-100 datasets using model backbones based on modules ResBlocks from the ResNet50 architecture and Swin transformer blocks. It is experimentally proven that the proposed prototype-based classifier head is characterized by a higher level of robustness and adaptability in comparison with the dense layer-based classifier head. It is also shown that multi-section structure and self-knowledge distillation feature conserve resources when processing simple samples under normal conditions and increase computational costs to improve the reliability of decisions when exposed to perturbations.

Published

2022

12. Defense against adversarial attacks on deep convolutional neural networks through nonlocal denoising

Author

Sandhya Aneja, Nagender Aneja, Pg Emeroylariffion Abas, and Abdul Ghani Naim

Subjects

FOS: Computer and information sciences, Denoising, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Information Systems and Management, Computer Vision and Pattern Recognition (cs.CV), Adversarial attacks, Computer Science - Computer Vision and Pattern Recognition, Deep learning, Adversarial machine learning, Machine Learning (cs.LG), Artificial Intelligence, Control and Systems Engineering, Convolutional neural networks, Electrical and Electronic Engineering, Cryptography and Security (cs.CR)

Abstract

Despite substantial advances in network architecture performance, the susceptibility of adversarial attacks makes deep learning challenging to implement in safety-critical applications. This paper proposes a data-centric approach to addressing this problem. A nonlocal denoising method with different luminance values has been used to generate adversarial examples from the Modified National Institute of Standards and Technology database (MNIST) and Canadian Institute for Advanced Research (CIFAR-10) data sets. Under perturbation, the method provided absolute accuracy improvements of up to 9.3% in the MNIST data set and 13% in the CIFAR-10 data set. Training using transformed images with higher luminance values increases the robustness of the classifier. We have shown that transfer learning is disadvantageous for adversarial machine learning. The results indicate that simple adversarial examples can improve resilience and make deep learning easier to apply in various applications.

Published

2022

13. DDSA: A Defense Against Adversarial Attacks Using Deep Denoising Sparse Autoencoder

Author

Yassine Bakhti, Sid Ahmed Fezza, Wassim Hamidouche, Olivier Deforges, Institut d'Électronique et des Technologies du numéRique (IETR), Université de Nantes (UN)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS), Institut National des Télécommunications et des TIC (INTTIC), Nantes Université (NU)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS), and Université de Nantes (UN)-Université de Rennes 1 (UR1)

Subjects

0209 industrial biotechnology, General Computer Science, Computer science, security, 02 engineering and technology, Deep neural network, [INFO.INFO-NE]Computer Science [cs]/Neural and Evolutionary Computing [cs.NE], Machine learning, computer.software_genre, Facial recognition system, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], 020901 industrial engineering & automation, Robustness (computer science), Classifier (linguistics), denoising, 0202 electrical engineering, electronic engineering, information engineering, General Materials Science, Electrical and Electronic Engineering, Set (psychology), Block (data storage), business.industry, General Engineering, Autoencoder, defense, adversarial attacks, sparse autoencoder, 020201 artificial intelligence & image processing, lcsh:Electrical engineering. Electronics. Nuclear engineering, Noise (video), Artificial intelligence, business, lcsh:TK1-9971, computer, MNIST database

Abstract

International audience; Given their outstanding performance, the Deep Neural Networks (DNNs) models have been deployed in many real-world applications. However, recent studies have demonstrated that they are vulnerable to small carefully crafted perturbations, i.e., adversarial examples, which considerably decrease their performance and can lead to devastating consequences, especially for safety-critical applications, such as autonomous vehicles, healthcare and face recognition. Therefore, it is of paramount importance to offer defense solutions that increase the robustness of DNNs against adversarial attacks. In this paper, we propose a novel defense solution based on a Deep Denoising Sparse Autoencoder (DDSA). The proposed method is performed as a pre-processing step, where the adversarial noise of the input samples is removed before feeding the classifier. The pre-processing defense block can be associated with any classifier, without any change to their architecture or training procedure. In addition, the proposed method is a universal defense, since it does not require any knowledge about the attack, making it usable against any type of attack. The experimental results on MNIST and CIFAR-10 datasets have shown that the proposed DDSA defense provides a high robustness against a set of prominent attacks under white-, gray- and black-box settings, and outperforms state-of-the-art defense methods.

Published

2019

14. Two to Trust: AutoML for Safe Modelling and Interpretable Deep Learning for Robustness

Author

Mohammadreza Amirian, Lukas Tuggener, Ricardo Chavarriaga, Yvan Putra Satyawan, Frank-Peter Schilling, Friedhelm Schwenker, and Thilo Stadelmann

Subjects

Automated deep learning, Adversarial attacks, AutoDL, 005: Computerprogrammierung, Programme und Daten, 006: Spezielle Computerverfahren

Abstract

With great power comes great responsibility. The success of machine learning, especially deep learning, in research and practice has attracted a great deal of interest, which in turn necessitates increased trust. Sources of mistrust include matters of model genesis ("Is this really the appropriate model?") and interpretability ("Why did the model come to this conclusion?", "Is the model safe from being easily fooled by adversaries?"). In this paper, two partners for the trustworthiness tango are presented: recent advances and ideas, as well as practical applications in industry in (a) Automated machine learning (AutoML), a powerful tool to optimize deep neural network architectures and netune hyperparameters, which promises to build models in a safer and more comprehensive way; (b) Interpretability of neural network outputs, which addresses the vital question regarding the reasoning behind model predictions and provides insights to improve robustness against adversarial attacks.

Published

2021

15. Tiki-Taka

Author

Xavier Costa-Perez, Chaoyun Zhang, and Paul Patras

Subjects

Feature engineering, Artificial neural network, business.industry, Computer science, Deep learning, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Botnet, Evasion (network security), 020206 networking & telecommunications, 02 engineering and technology, Intrusion detection system, Network Intrusion Detection Systems, Computer security, computer.software_genre, Adversarial system, Deep Learning, Robustness (computer science), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Artificial intelligence, business, computer, Adversarial Attacks

Abstract

Neural networks are increasingly important in the developmentof Network Intrusion Detection Systems (NIDS), as they have the potential to achieve high detection accuracy while requiring limited feature engineering. Deep learning-based detectors can be however vulnerable to adversarial examples, by which attackers that maybe oblivious to the precise mechanics of the targeted NIDS add subtle perturbations to malicious traffic features, with the aim of evading detection and disrupting critical systems in a cost-effective manner. Defending against such adversarial attacks is therefore of high importance, but requires to address daunting challenges.In this paper, we introduce Tiki-Taka, a general framework for (i) assessing the robustness of state-of-the-art deep learning-based NIDS against adversarial manipulations, and which (ii) incorporates our proposed defense mechanisms to increase the NIDS’ resistance to attacks employing such evasion techniques. Specifically, we select five different cutting-edge adversarial attack mechanisms to subvert three popular malicious traffic detectors that employ neural networks. We experiment with a publicly available dataset and consider both one-to-all and one-to-one classification scenarios, i.e., discriminating illicit vs benign traffic and respectively identifying specific types of anomalous traffic among many observed. The results obtained reveal that, under realistic constraints, attackers can evade NIDS with up to 35.7% success rates, by only altering time-based features of the traffic generated. To counteract these weaknesses, we propose three defense mechanisms, namely: model voting ensembling, ensembling adversarial training, and query detection. To the best of our knowledge, our work is the first to propose defenses against adversarial attacks targeting NIDS. We demonstrate that when employing the proposed methods, intrusion detection rates can be improved to nearly 100% against most types of malicious traffic, and attacks with potentially catastrophic consequences (e.g., botnet) can be thwarted. This confirms the effectiveness of our solutions and makes the case for their adoption when designing robust and reliable deep anomaly detectors

Published

2020

16. Universal Adversarial Attacks on Spoken Language Assessment Systems

Author

Kate Knill, Mark J. F. Gales, and Vyas Raina

Subjects

Adversarial system, adversarial attacks, Computer science, spoken language assessment, assessment malpractice, Linguistics, Spoken language

Abstract

There is an increasing demand for automated spoken language assessment (SLA) systems, partly driven by the performance improvements that have come from deep learning based approaches. One aspect of deep learning systems is that they do not require expert derived features, operating directly on the original signal such as a speech recognition (ASR) transcript. This, however, increases their potential susceptibility to adversarial attacks as a form of candidate malpractice. In this paper the sensitivity of SLA systems to a universal black-box attack on the ASR text output is explored. The aim is to obtain a single, universal phrase to maximally increase any candidate's score. Four approaches to detect such adversarial attacks are also described. All the systems, and associated detection approaches, are evaluated on a free (spontaneous) speaking section from a Business English test. It is shown that on deep learning based SLA systems the average candidate score can be increased by almost one grade level using a single six word phrase appended to the end of the response hypothesis. Although these large gains can be obtained, they can be easily detected based on detection shifts from the scores of a “traditional” Gaussian Process based grader.

Published

2020

17. Noticeability Versus Impact in Traffic Signal Tampering

Author

Timothy Mulumba, Saif Eddin Jabari, and Bilal Thonnam Thodi

Subjects

urban traffic networks, Network vulnerability, Optimization problem, General Computer Science, cybersecurity, Computer science, Real-time computing, SIGNAL (programming language), General Engineering, Throughput, traffic flow dynamics, signal tampering, Systems and Control (eess.SY), Flow network, Electrical Engineering and Systems Science - Systems and Control, Traffic signal, adversarial attacks, FOS: Electrical engineering, electronic engineering, information engineering, Graph (abstract data type), General Materials Science, lcsh:Electrical engineering. Electronics. Nuclear engineering, Traffic network, lcsh:TK1-9971, Vulnerability (computing)

Abstract

This paper investigates the vulnerability of urban traffic networks to cyber attacks on traffic lights. We model traffic signal tampering as a bi-objective optimization problem that simultaneously seeks to reduce vehicular throughput in the network over time (maximize impact) while introducing minimal changes to network signal timings (minimize noticeability). We represent the Spatio-temporal traffic dynamics as a static network flow problem on a time-expanded graph. This allows us to reduce the (non-convex) attack problem to a tractable form, which can be solved using traditional techniques used to solve linear network programming problems. We show that minor but objective adjustments in the signal timings over time can severely impact traffic conditions at the network level. We investigate network vulnerability by examining the concavity of the Pareto-optimal frontier obtained by solving the bi-objective attack problem. Numerical experiments are carried to illustrate the types of insights that can be extracted from the Pareto-optimal frontier. For instance, our experiments suggest that the vulnerability of a traffic network to signal tampering is independent of the demand levels.

Published

2020

18. RLXSS: Optimizing XSS Detection Model to Defend Against Adversarial Attacks Based on Reinforcement Learning

Author

Yong Fang, Cheng Huang, Yijia Xu, and Li Yang

Subjects

reinforcement learning, lcsh:T58.5-58.64, lcsh:Information technology, Computer Networks and Communications, business.industry, Computer science, Deep learning, Cross-site scripting, Sample (statistics), computer.software_genre, Machine learning, double deep Q network, Adversarial system, Attack model, cross-site scripting, adversarial attacks, Scripting language, Reinforcement learning, Escape rate, Artificial intelligence, business, computer

Abstract

With the development of artificial intelligence, machine learning algorithms and deep learning algorithms are widely applied to attack detection models. Adversarial attacks against artificial intelligence models become inevitable problems when there is a lack of research on the cross-site scripting (XSS) attack detection model for defense against attacks. It is extremely important to design a method that can effectively improve the detection model against attack. In this paper, we present a method based on reinforcement learning (called RLXSS), which aims to optimize the XSS detection model to defend against adversarial attacks. First, the adversarial samples of the detection model are mined by the adversarial attack model based on reinforcement learning. Secondly, the detection model and the adversarial model are alternately trained. After each round, the newly-excavated adversarial samples are marked as a malicious sample and are used to retrain the detection model. Experimental results show that the proposed RLXSS model can successfully mine adversarial samples that escape black-box and white-box detection and retain aggressive features. What is more, by alternately training the detection model and the confrontation attack model, the escape rate of the detection model is continuously reduced, which indicates that the model can improve the ability of the detection model to defend against attacks.

Published

2019