Showing total 67 results

1. Vulnerability issues in Automatic Speaker Verification (ASV) systems.

Author

Gupta, Priyanka, Patil, Hemant A., and Guido, Rodrigo Capobianco

Subjects

MACHINE learning, SECURITY systems

Abstract

Claimed identities of speakers can be verified by means of automatic speaker verification (ASV) systems, also known as voice biometric systems. Focusing on security and robustness against spoofing attacks on ASV systems, and observing that the investigation of attacker's perspectives is capable of leading the way to prevent known and unknown threats to ASV systems, several countermeasures (CMs) have been proposed during ASVspoof 2015, 2017, 2019, and 2021 challenge campaigns that were organized during INTERSPEECH conferences. Furthermore, there is a recent initiative to organize the ASVSpoof 5 challenge with the objective of collecting the massive spoofing/deepfake attack data (i.e., phase 1), and the design of a spoofing-aware ASV system using a single classifier for both ASV and CM, to design integrated CM-ASV solutions (phase 2). To that effect, this paper presents a survey on a diversity of possible strategies and vulnerabilities explored to successfully attack an ASV system, such as target selection, unavailability of global countermeasures to reduce the attacker's chance to explore the weaknesses, state-of-the-art adversarial attacks based on machine learning, and deepfake generation. This paper also covers the possibility of attacks, such as hardware attacks on ASV systems. Finally, we also discuss the several technological challenges from the attacker's perspective, which can be exploited to come up with better defence mechanisms for the security of ASV systems. [ABSTRACT FROM AUTHOR]

Published

2024

2. IRADA: integrated reinforcement learning and deep learning algorithm for attack detection in wireless sensor networks.

Author

Shakya, Vandana, Choudhary, Jaytrilok, and Singh, Dhirendra Pratap

Subjects

DEEP reinforcement learning, REINFORCEMENT learning, MACHINE learning, WIRELESS sensor networks, DEEP learning, INTRUSION detection systems (Computer security)

Abstract

Wireless Sensor Networks (WSNs) play a vital role in various applications, necessitating robust network security to protect sensitive data. Intrusion Detection Systems (IDSs) are crucial for preserving the integrity, availability, and confidentiality of WSNs by detecting and countering potential attacks. Despite significant research efforts, the existing IDS solutions still suffer from challenges related to detection accuracy and false alarms. To address these challenges, in this paper, we propose a Bayesian optimization-based Deep Learning (DL) model. However, the proposed optimized DL model, while showing promising results in enhancing security, encounters challenges such as data dependency, computational complexity, and the potential for overfitting. In the literature, researchers have employed Reinforcement Learning (RL) to address these issues. However, it also introduces its own concerns, including exploration, reward design, and prolonged training times. Consequently, to address these challenges, this paper proposes an Innovative Integrated RL-based Advanced DL Algorithm (IRADA) for attack detection in WSNs. IRADA leverages the convergence of DL and RL models to achieve superior intrusion detection performance. The performance analysis of IRADA reveals impressive results, including accuracy (99.50%), specificity (99.94%), sensitivity (99.48%), F1-Score (98.26%), Kappa statistics (99.42%), and area under the curve (99.38%). Additionally, we analyze IRADA's robustness against adversarial attacks, ensuring its applicability in real-world security scenarios. [ABSTRACT FROM AUTHOR]

Published

2024

3. A Pilot Study of Observation Poisoning on Selective Reincarnation in Multi-Agent Reinforcement Learning.

Author

Putla, Harsha, Patibandla, Chanakya, Singh, Krishna Pratap, and Nagabhushan, P

Abstract

This research explores the vulnerability of selective reincarnation, a concept in Multi-Agent Reinforcement Learning (MARL), in response to observation poisoning attacks. Observation poisoning is an adversarial strategy that subtly manipulates an agent’s observation space, potentially leading to a misdirection in its learning process. The primary aim of this paper is to systematically evaluate the robustness of selective reincarnation in MARL systems against the subtle yet potentially debilitating effects of observation poisoning attacks. Through assessing how manipulated observation data influences MARL agents, we seek to highlight potential vulnerabilities and inform the development of more resilient MARL systems. Our experimental testbed was the widely used HalfCheetah environment, utilizing the Independent Deep Deterministic Policy Gradient algorithm within a cooperative MARL setting. We introduced a series of triggers, namely Gaussian noise addition, observation reversal, random shuffling, and scaling, into the teacher dataset of the MARL system provided to the reincarnating agents of HalfCheetah. Here, the “teacher dataset” refers to the stored experiences from previous training sessions used to accelerate the learning of reincarnating agents in MARL. This approach enabled the observation of these triggers’ significant impact on reincarnation decisions. Specifically, the reversal technique showed the most pronounced negative effect for maximum returns, with an average decrease of 38.08% in Kendall’s tau values across all the agent combinations. With random shuffling, Kendall’s tau values decreased by 17.66%. On the other hand, noise addition and scaling aligned with the original ranking by only 21.42% and 32.66%, respectively. The results, quantified by Kendall’s tau metric, indicate the fragility of the selective reincarnation process under adversarial observation poisoning. Our findings also reveal that vulnerability to observation poisoning varies significantly among different agent combinations, with some exhibiting markedly higher susceptibility than others. This investigation elucidates our understanding of selective reincarnation’s robustness against observation poisoning attacks, which is crucial for developing more secure MARL systems and also for making informed decisions about agent reincarnation. [ABSTRACT FROM AUTHOR]

Published

2024

4. Effectiveness of machine learning based android malware detectors against adversarial attacks.

Author

Jyothish, A., Mathew, Ashik, and Vinod, P.

Subjects

DEEP learning, MACHINE learning, GENERATIVE adversarial networks, MOBILE operating systems, MALWARE, GABOR filters

Abstract

Android is the most targeted mobile operating system for malware attacks. Most modern anti-malware solutions largely incorporate deep learning or machine learning techniques to detect malwares. In this paper, we conduct a comprehensive analysis on 10 deep learning and 5 machine learning classifiers in their abilities to identify Android malware applications. We used 1-gram dataset, 2-gram dataset and image dataset generated from the system call co-occurrence matrix for our experiments. Among the machine learning classifiers, XGBoost with 2-gram dataset showed the highest F1-score of 0.98. Also, the deep learning classifiers such as extreme learning machine with the system call images demonstrated the best F1-score of 0.952. We experimented using Gabor filters to investigate classifier performance on textures extracted from system call images. We observed an F1-score of 0.953 using the extreme learning machine with the Gabor images. We generated the Gabor image dataset by combining the images generated by passing system call images through 25 different Gabor configurations. In addition, to enhance the performance of the baseline classifiers, we considered the combination of autoencoders with machine learning classifiers. We observed that the amalgam of autoencoder with Random Forest displayed the best F1-score of 0.98. To evaluate the effectiveness of the aforesaid classifiers with diverse features on adversarial examples, we simulated a black-box based attack using a Generative Adversarial Network. The True Positive Rate of XGBoost on the 1-gram dataset, Random Forest on the 2-gram dataset and the Extreme Learning Machine on the system call image dataset significantly dropped to 0 from 0.98, 0.001 from 0.99 and 0 from 0.984 after the attack. Our experiments exposed a crucial vulnerability in classifiers used in modern anti-malware systems. A similar event in a real-world system could potentially render grave catastrophes. To defend against such probable attacks, we should continue further research and develop adequate security mechanisms. [ABSTRACT FROM AUTHOR]

Published

2024

5. Cheating Automatic Short Answer Grading with the Adversarial Usage of Adjectives and Adverbs.

Author

Filighera, Anna, Ochs, Sebastian, Steuer, Tim, and Tregel, Thomas

Abstract

Automatic grading models are valued for the time and effort saved during the instruction of large student bodies. Especially with the increasing digitization of education and interest in large-scale standardized testing, the popularity of automatic grading has risen to the point where commercial solutions are widely available and used. However, for short answer formats, automatic grading is challenging due to natural language ambiguity and versatility. While automatic short answer grading models are beginning to compare to human performance on some datasets, their robustness, especially to adversarially manipulated data, is questionable. Exploitable vulnerabilities in grading models can have far-reaching consequences ranging from cheating students receiving undeserved credit to undermining automatic grading altogether—even when most predictions are valid. In this paper, we devise a black-box adversarial attack tailored to the educational short answer grading scenario to investigate the grading models' robustness. In our attack, we insert adjectives and adverbs into natural places of incorrect student answers, fooling the model into predicting them as correct. We observed a loss of prediction accuracy between 10 and 22 percentage points using the state-of-the-art models BERT and T5. While our attack made answers appear less natural to humans in our experiments, it did not significantly increase the graders' suspicions of cheating. Based on our experiments, we provide recommendations for utilizing automatic grading systems more safely in practice. [ABSTRACT FROM AUTHOR]

Published

2024

6. Dealing with the unevenness: deeper insights in graph-based attack and defense.

Author

Zhan, Haoxi and Pei, Xiaobing

Subjects

GRAPH neural networks

Abstract

Graph Neural Networks (GNNs) have achieved state-of-the-art performance on various graph-related learning tasks. Due to the importance of safety in real-life applications, adversarial attacks and defenses on GNNs have attracted significant research attention. While the adversarial attacks successfully degrade GNNs' performance significantly, the internal mechanisms and theoretical properties of graph-based attacks remain largely unexplored. In this paper, we develop deeper insights into graph structure attacks. Firstly, investigating the perturbations of representative attacking methods such as Metattack, we reveal that the perturbations are unevenly distributed on the graph. By analyzing empirically, we show that such perturbations shift the distribution of the training set to break the i.i.d. assumption. Although degrading GNNs' performance successfully, such attacks lack robustness. Simply training the network on the validation set could severely degrade the attacking performance. To overcome the drawbacks, we propose a novel k-fold training strategy, leading to the Black-Box Gradient Attack algorithm. Extensive experiments are conducted to demonstrate that our proposed algorithm is able to achieve stable attacking performance without accessing the training sets. Finally, we introduce the first study to analyze the theoretical properties of graph structure attacks by verifying the existence of trade-offs when conducting graph structure attacks. [ABSTRACT FROM AUTHOR]

Published

2024

7. FedDAA: a robust federated learning framework to protect privacy and defend against adversarial attack.

Author

Lu, Shiwei, Li, Ruihu, and Liu, Wenbin

Abstract

Federated learning (FL) has emerged to break data-silo and protect clients’ privacy in the field of artificial intelligence. However, deep leakage from gradient (DLG) attack can fully reconstruct clients’ data from the submitted gradient, which threatens the fundamental privacy of FL. Although cryptology and differential privacy prevent privacy leakage from gradient, they bring negative effect on communication overhead or model performance. Moreover, the original distribution of local gradient has been changed in these schemes, which makes it difficult to defend against adversarial attack. In this paper, we propose a novel federated learning framework with model decomposition, aggregation and assembling (FedDAA), along with a training algorithm, to train federated model, where local gradient is decomposed into multiple blocks and sent to different proxy servers to complete aggregation. To bring better privacy protection performance to FedDAA, an indicator is designed based on image structural similarity to measure privacy leakage under DLG attack and an optimization method is given to protect privacy with the least proxy servers. In addition, we give defense schemes against adversarial attack in FedDAA and design an algorithm to verify the correctness of aggregated results. Experimental results demonstrate that FedDAA can reduce the structural similarity between the reconstructed image and the original image to 0.014 and remain model convergence accuracy as 0.952, thus having the best privacy protection performance and model training effect. More importantly, defense schemes against adversarial attack are compatible with privacy protection in FedDAA and the defense effects are not weaker than those in the traditional FL. Moreover, verification algorithm of aggregation results brings about negligible overhead to FedDAA. [ABSTRACT FROM AUTHOR]

Published

2024

8. Maxwell's Demon in MLP-Mixer: towards transferable adversarial attacks.

Author

Lyu, Haoran, Wang, Yajie, Tan, Yu-an, Zhou, Huipeng, Zhao, Yuhang, and Zhang, Quanxin

Subjects

CONVOLUTIONAL neural networks, DEMONOLOGY, ARCHITECTURAL designs, IMAGE recognition (Computer vision)

Abstract

Models based on MLP-Mixer architecture are becoming popular, but they still suffer from adversarial examples. Although it has been shown that MLP-Mixer is more robust to adversarial attacks compared to convolutional neural networks (CNNs), there has been no research on adversarial attacks tailored to its architecture. In this paper, we fill this gap. We propose a dedicated attack framework called Maxwell's demon Attack (MA). Specifically, we break the channel-mixing and token-mixing mechanisms of the MLP-Mixer by perturbing inputs of each Mixer layer to achieve high transferability. We demonstrate that disrupting the MLP-Mixer's capture of the main information of images by masking its inputs can generate adversarial examples with cross-architectural transferability. Extensive evaluations show the effectiveness and superior performance of MA. Perturbations generated based on masked inputs obtain a higher success rate of black-box attacks than existing transfer attacks. Moreover, our approach can be easily combined with existing methods to improve the transferability both within MLP-Mixer based models and to models with different architectures. We achieve up to 55.9% attack performance improvement. Our work exploits the true generalization potential of the MLP-Mixer adversarial space and helps make it more robust for future deployments. [ABSTRACT FROM AUTHOR]

Published

2024

9. TRIESTE: translation based defense for text classifiers.

Author

Gupta, Anup Kumar, Paliwal, Vardhan, Rastogi, Aryan, and Gupta, Puneet

Abstract

The field of natural language processing (NLP) has significantly evolved with the advent of state-of-the-art models. The discovery of these models has entirely revolutionised how NLP tasks such as machine translation, sentiment analysis and many others are performed. However, despite their high efficacy and meticulous performance, these models are prone to adversarial attacks. Adversarial attacks involve the introduction of perturbations imperceptible to humans, which can severely impact the model's learning and prediction accuracy. Current defenses on text data include approaches such as spell-checking and adversarial training, which have their limitations against state-of-the-art adversarial attacks. This paper put forward an effective transformation-based defense, TRIESTE (TRanslatIon basEd defenSe for Text classifiErs). The proposed defense overcomes the shortcomings of existing defenses by translating the input text from the source language to a target language and again back to the source language before providing it to the text classifier. Translation ensures that the sentiment of the translated text is similar to that of the input text by taking the entire text into consideration, which leads to the removal of adversarial perturbations. Rigorous evaluation on publicly available datasets showcases that TRIESTE is successful against state-of-the-art attacks without a significant drop in the classifier accuracy. [ABSTRACT FROM AUTHOR]

Published

2023

10. Adversarial attacks against mouse- and keyboard-based biometric authentication: black-box versus domain-specific techniques.

Author

López, Christian, Solano, Jesús, Rivera, Esteban, Tengana, Lizzy, Florez-Lozano, Johana, Castelblanco, Alejandra, and Ochoa, Martín

Subjects

BIOMETRIC identification, MACHINE learning, MICE, BIOMETRY

Abstract

Adversarial attacks have recently gained popularity due to their simplicity, impact, and applicability to a wide range of machine learning scenarios. However, knowledge of a particular security scenario can be advantageous for adversaries to craft better attacks. In other words, in some scenarios, attackers may come up naturally with ad hoc black-box attack techniques inspired directly by problem space characteristics rather than using generic adversarial techniques. This paper explores an intuitive attack technique based on reusing legitimate user inputs and applying it to mouse-based behavioral biometrics and keyboard-based behavioral biometrics. Moreover, it compares the model's effectiveness against adversarial machine learning attacks, achieving attack success rates up to 87 and 86% for the mouse and keyboard settings, respectively. We show that attacks leveraging domain knowledge have higher transferability when applied to various machine-learning techniques and are more challenging to defend against. We also propose countermeasures against such attacks and discuss their effectiveness. [ABSTRACT FROM AUTHOR]

Published

2023

11. A perspective on human activity recognition from inertial motion data.

Author

Gomaa, Walid and Khamis, Mohamed A.

Subjects

ARTIFICIAL intelligence, LARGE scale systems, FEATURE selection, HUMAN activity recognition, FEATURE extraction, MOTION detectors, MOBILE learning

Abstract

Human activity recognition (HAR) using inertial motion data has gained a lot of momentum in recent years both in research and industrial applications. From the abstract perspective, this has been driven by the rapid dynamics for building intelligent, smart environments, and ubiquitous systems that cover all aspects of human life including healthcare, sports, manufacturing, commerce, etc., which necessitate and subsume activity recognition aiming at recognizing the actions, characteristics, and goals of one or more agent(s) from a temporal series of observations streamed from one or more sensors. From a more concrete and seemingly orthogonal perspective, such momentum has been driven by the ubiquity of inertial motion sensors on-board mobile and wearable devices including smartphones, smartwatches, etc. In this paper we give an introductory and a comprehensive survey to the subject from a given perspective. We focus on a subset of topics, that we think are major, that will have significant and influential impacts on the future research and industrial-scale deployment of HAR systems. These include: (1) a comprehensive and detailed description of the inertial motion benchmark datasets that are publicly available and/or accessible, (2) feature selection and extraction techniques and the corresponding learning methods used to build workable HAR systems; we survey classical handcrafted datasets as well as data-oriented automatic representation learning approach to the subject, (3) transfer learning as a way to overcome many hurdles in actual deployments of HAR systems on a large scale, (4) embedded implementations of HAR systems on mobile and/or wearable devices, and finally (5) we touch on adversarial attacks, a topic that is essentially related to the security and privacy of HAR systems. As the field is very huge and diverse, this article is by no means comprehensive; it is though meant to provide a logically and conceptually rather complete picture to advanced practitioners, as well as to present a readable guided introduction to newcomers. Our logical and conceptual perspectives mimic the typical data science pipeline for state-of-the-art AI-based systems. [ABSTRACT FROM AUTHOR]

Published

2023

12. Generating adversarial samples by manipulating image features with auto-encoder.

Author

Yang, Jianxin, Shao, Mingwen, Liu, Huan, and Zhuang, Xinkai

Abstract

Existing adversarial attack methods usually add perturbations directly to the pixel space of an image, resulting in significant local noise in the image. Besides, the performance of existing attack methods is affected by various pixel-space based defense strategies. In this paper, we propose a novel method to generate adversarial examples by adding perturbations to the feature space. Specifically, the perturbation of the feature space is induced by a style-shifting-based network architecture called AdvAdaIN. Furthermore, we expose the feature space to the attacker via an encoder, and then the perturbation is injected into the feature space by AdvAdaIN. Simultaneously, due to the specificity of feature space perturbations, we trained a decoder to reflect the changes in feature space to pixel space and ensure that the perturbations are not easily detected. Meanwhile, we align the original image with another image in the feature space, adding additional adversarial information to the model. In addition, we can generate diverse adversarial samples by varying the perturbation parameters, which mainly change the overall color and brightness of the image. Experiments demonstrate that the proposed method outperforms existing methods and produces more natural adversarial samples when facing defensive strategies. [ABSTRACT FROM AUTHOR]

Published

2023

13. A robust hybrid digital watermarking technique against a powerful CNN-based adversarial attack.

Author

Sharma, Sai Shyam and Chandrasekaran, V.

Subjects

DIGITAL watermarking, DIGITAL image watermarking, CONVOLUTIONAL neural networks, DIGITAL images, IMAGE encryption, DIGITAL signatures

Abstract

Digital watermarking techniques are valuable tools to embed digital signatures on multimedia content to establish the legal ownership and authenticity claims by the owners. Firstly this paper investigates the robustness of popular transform domain-based digital image watermarking schemes such as DCT, SVD, DWT, and their hybrid combinations against known image processing type attacks such as image blurring, compression, noise addition, rotation and cropping. Then, an enhanced hybrid scheme using DWT and SVD methods is proposed and its improved performance is demonstrated in terms of the quality of the extracted watermarks measured in terms of PSNR, SSIM and NCC values. This paper then proposes a novel adversarial attack based on a powerful Deep Convolutional Neural Network based Autoencoder(CAE) scheme. The CAE is specifically chosen to exploit its intrinsic capability to represent the image content (spatial and structural) through lower dimensional projections in the intermediate layers. The CAE is trained and tested on the entire image repository of the CIFAR10 data set. Once CAE is trained on a class of images and the parameters are frozen, it will serve as a system to produce a perceptually close image for any unseen input image belonging to the same class. The power of the proposed adversarial attack scheme is shown in terms of the quality of extracted watermarks against popular water mark embedding schemes. Finally the proposed enhanced hybrid strategy of DWT+SVD is shown to be robust against the new form of attack and outperforms all other techniques measured in terms of its high quality watermark extraction. [ABSTRACT FROM AUTHOR]

Published

2020

14. Adversarial attacks on graph-level embedding methods: a case study.

Author

Giordano, Maurizio, Maddalena, Lucia, Manzo, Mario, and Guarracino, Mario Rosario

Abstract

As the number of graph-level embedding techniques increases at an unprecedented speed, questions arise about their behavior and performance when training data undergo perturbations. This is the case when an external entity maliciously alters training data to invalidate the embedding. This paper explores the effects of such attacks on some graph datasets by applying different graph-level embedding techniques. The main attack strategy involves manipulating training data to produce an altered model. In this context, our goal is to go in-depth about methods, resources, experimental settings, and performance results to observe and study all the aspects that derive from the attack stage. [ABSTRACT FROM AUTHOR]

Published

2023

15. Learning key steps to attack deep reinforcement learning agents.

Author

Yu, Chien-Min, Chen, Ming-Hsin, and Lin, Hsuan-Tien

Subjects

DEEP learning, REINFORCEMENT learning, HEURISTIC

Abstract

Deep reinforcement learning agents are vulnerable to adversarial attacks. In particular, recent studies have shown that attacking a few key steps can effectively decrease the agent's cumulative reward. However, all existing attacking methods define those key steps with human-designed heuristics, and it is not clear how more effective key steps can be identified. This paper introduces a novel reinforcement learning framework that learns key steps through interacting with the agent. The proposed framework does not require any human heuristics nor knowledge, and can be flexibly coupled with any white-box or black-box adversarial attack scenarios. Experiments on benchmark Atari games across different scenarios demonstrate that the proposed framework is superior to existing methods for identifying effective key steps. The results highlight the weakness of RL agents even under budgeted attacks. [ABSTRACT FROM AUTHOR]

Published

2023

16. Fooling the Big Picture in Classification Tasks.

Author

Alkhouri, Ismail, Atia, George, and Mikhael, Wasfy

Subjects

CLASSIFICATION, CONVEX programming

Abstract

Minimally perturbed adversarial examples were shown to drastically reduce the performance of one-stage classifiers while being imperceptible. This paper investigates the susceptibility of hierarchical classifiers, which use fine and coarse level output categories, to adversarial attacks. We formulate a program that encodes minimax constraints to induce misclassification of the coarse class of a hierarchical classifier (e.g., changing the prediction of a 'monkey' to a 'vehicle' instead of some 'animal'). Subsequently, we develop solutions based on convex relaxations of said program. An algorithm is obtained using the alternating direction method of multipliers with competitive performance in comparison with state-of-the-art solvers. We show the ability of our approach to fool the coarse classification through a set of measures such as the relative loss in coarse classification accuracy and imperceptibility factors. In comparison with perturbations generated for one-stage classifiers, we show that fooling a classifier about the 'big picture' requires higher perturbation levels which results in lower imperceptibility. We also examine the impact of different label groupings on the performance of the proposed attacks. [ABSTRACT FROM AUTHOR]

Published

2023

17. On the robustness of vision transformers for in-flight monocular depth estimation.

Author

Ercolino, Simone, Devoto, Alessio, Monorchio, Luca, Santini, Matteo, Mazzaro, Silvio, and Scardapane, Simone

Subjects

TRANSFORMER models, MONOCULARS, CUSTOMIZATION, FORECASTING, DESIGN

Abstract

Monocular depth estimation (MDE) has shown impressive performance recently, even in zero-shot or few-shot scenarios. In this paper, we consider the use of MDE on board low-altitude drone flights, which is required in a number of safety-critical and monitoring operations. In particular, we evaluate a state-of-the-art vision transformer (ViT) variant, pre-trained on a massive MDE dataset. We test it both in a zero-shot scenario and after fine-tuning on a dataset of flight records, and compare its performance to that of a classical fully convolutional network. In addition, we evaluate for the first time whether these models are susceptible to adversarial attacks, by optimizing a small adversarial patch that generalizes across scenarios. We investigate several variants of losses for this task, including weighted error losses in which we can customize the design of the patch to selectively decrease the performance of the model on a desired depth range. Overall, our results highlight that (a) ViTs can outperform convolutive models in this context after a proper fine-tuning, and (b) they appear to be more robust to adversarial attacks designed in the form of patches, which is a crucial property for this family of tasks. [ABSTRACT FROM AUTHOR]

Published

2023

18. Empiricism in the foundations of cognition.

Author

Childers, Timothy, Hvorecký, Juraj, and Majer, Ondrej

Subjects

PHILOSOPHY of science, DEEP learning, EMPIRICISM, BEHAVIORISM (Psychology), COGNITION, COMPUTER science

Abstract

This paper traces the empiricist program from early debates between nativism and behaviorism within philosophy, through debates about early connectionist approaches within the cognitive sciences, and up to their recent iterations within the domain of deep learning. We demonstrate how current debates on the nature of cognition via deep network architecture echo some of the core issues from the Chomsky/Quine debate and investigate the strength of support offered by these various lines of research to the empiricist standpoint. Referencing literature from both computer science and philosophy, we conclude that the current state of deep learning does not offer strong encouragement to the empiricist side despite some arguments to the contrary. [ABSTRACT FROM AUTHOR]

Published

2023

19. A P4-Based Adversarial Attack Mitigation on Machine Learning Models in Data Plane Devices.

Author

Reddy, Sankepally Sainath, Nishoak, Kosaraju, Shreya, J. L., Reddy, Yennam Vishwambhar, and Venkanna, U.

Abstract

In recent times, networks have been prone to several types of attacks, such as DDoS attacks, volumetric attacks, replay attacks, eavesdropping, etc., which drastically degrade the network’s performance. Fortunately, programmable switches facilitate the network monitoring function that helps to solve several security challenges in the network. Nowadays, programmable switches rely on Machine Learning (ML) models to identify intrusions and detect network attacks at a line rate. However, the developed ML models are prone to certain security risks, such as malicious inputs designed to achieve negative outcomes, evasive attacks on the system, and data poisoning attacks. This paper presents a novel framework using the P4 programming language to overcome the above problem on the ML models. Our proposed framework identifies the important features after feature analysis and generates perturbations to showcase the evasion-based adversarial attack in the data plane switches, which an attacker might perform to disrupt the actual behavior of the deployed ML model at the data plane P4 switches. Further, we analyze the plausible impacts of such evasion-based adversarial attacks. Additionally, as part of our framework, we have also proposed a mitigation technique aimed at reducing the impact of these evasion-based adversarial attacks. The results show that the model’s classification rate, under adversarial attack when tested against CICIDS and USB-IDS Datasets, can significantly drop from 99.2% to as low as 50.14% and from 93.7% to as low as 65.1% respectively and increased by 17%,12% after the implementation of proposed mitigation technique in the data plane. [ABSTRACT FROM AUTHOR]

Published

2024

20. A Robust SNMP-MIB Intrusion Detection System Against Adversarial Attacks.

Author

Alslman, Yasmeen, Alkasassbeh, Mouhammd, and Almseidin, Mohammad

Subjects

*INTRUSION detection systems (Computer security), *MACHINE learning, *CYBERTERRORISM, *INTERNET security

Abstract

With the increase in cyber security attacks, organizations tend to use an intrusion detection system (IDS) based on machine learning. Through the years, IDS based on machine learning has shown their effectiveness in protecting one against attacks. Aside from the machine learning nature being a black-box, there is a possibility of adversaries that can mess up the classification model. Using machine learning in critical aspects such as the medical field and intrusion detection system can result in disastrous impacts on organizations if it is vulnerable to adversary attacks. This paper proposes a new defense approach based on denoising auto-encoder (DAE) to protect IDS from adversarial attacks. To verify the efficacy of the proposed defense mechanism in mitigating adversarial attacks, two datasets were used. The experimental results show that the proposed defense mechanism proves validity against four white-box attacks and one black-box attack. The system's accuracy under adversarial attack elevates from around 68% to 90% and 97% under normal conditions on the first dataset. Similarly, on the second dataset, the models' accuracy increases from 64 to 85% under normal conditions and adversarial attacks. [ABSTRACT FROM AUTHOR]

Published

2024

21. Adversarial examples for extreme multilabel text classification.

Author

Qaraei, Mohammadreza and Babbar, Rohit

Subjects

DEEP learning, RECOMMENDER systems, CLASSIFICATION

Abstract

Extreme Multilabel Text Classification (XMTC) is a text classification problem in which, (i) the output space is extremely large, (ii) each data point may have multiple positive labels, and (iii) the data follows a strongly imbalanced distribution. With applications in recommendation systems and automatic tagging of web-scale documents, the research on XMTC has been focused on improving prediction accuracy and dealing with imbalanced data. However, the robustness of deep learning based XMTC models against adversarial examples has been largely underexplored. In this paper, we investigate the behaviour of XMTC models under adversarial attacks. To this end, first, we define adversarial attacks in multilabel text classification problems. We categorize attacking multilabel text classifiers as (a) positive-to-negative, where the target positive label should fall out of top-k predicted labels, and (b) negative-to-positive, where the target negative label should be among the top-k predicted labels. Then, by experiments on APLC-XLNet and AttentionXML, we show that XMTC models are highly vulnerable to positive-to-negative attacks but more robust to negative-to-positive ones. Furthermore, our experiments show that the success rate of positive-to-negative adversarial attacks has an imbalanced distribution. More precisely, tail classes are highly vulnerable to adversarial attacks for which an attacker can generate adversarial samples with high similarity to the actual data-points. To overcome this problem, we explore the effect of rebalanced loss functions in XMTC where not only do they increase accuracy on tail classes, but they also improve the robustness of these classes against adversarial attacks. The code for our experiments is available at https://github.com/xmc-aalto/adv-xmtc. [ABSTRACT FROM AUTHOR]

Published

2022

22. Evaluation of adversarial attacks sensitivity of classifiers with occluded input data.

Author

Sooksatra, Korn and Rivas, Pablo

Subjects

DEEP learning, COST control, TRUST, EVALUATION methodology, QUALITY of life

Abstract

With the noteworthy achievements of deep learning models, there are transformative applications that aim at cost reduction and the improvement in human quality of life. Nevertheless, recent work aimed at testing a classifier's ability to withstand targeted and black-box adversarial attacks demonstrated that deep learning models, in particular, are brittle and lack certain robustness that makes them particularly weak, and ultimately leading to a lack of trust. For this specific area, a question arises concerning certain regions' sensitivity in the input space against adversarial perturbations for a classification model. This paper aims to study such a problem by looking into a Sensitivity-inspired Constrained Evaluation Method (SICEM) to deterministically evaluate how much a region of the input space is vulnerable to adversarial perturbations compared to other regions and also the entire input space. Our experiments suggest that SICEM can accurately quantify region vulnerabilities on MNIST and CIFAR-10 datasets. [ABSTRACT FROM AUTHOR]

Published

2022

23. Adversarial example detection for DNN models: a review and experimental comparison.

Author

Aldahdooh, Ahmed, Hamidouche, Wassim, Fezza, Sid Ahmed, and Déforges, Olivier

Subjects

COMPUTER vision, DEEP learning, SECURITY systems, DETECTORS, AUTONOMOUS vehicles

Abstract

Deep learning (DL) has shown great success in many human-related tasks, which has led to its adoption in many computer vision based applications, such as security surveillance systems, autonomous vehicles and healthcare. Such safety-critical applications have to draw their path to success deployment once they have the capability to overcome safety-critical challenges. Among these challenges are the defense against or/and the detection of the adversarial examples (AEs). Adversaries can carefully craft small, often imperceptible, noise called perturbations to be added to the clean image to generate the AE. The aim of AE is to fool the DL model which makes it a potential risk for DL applications. Many test-time evasion attacks and countermeasures, i.e., defense or detection methods, are proposed in the literature. Moreover, few reviews and surveys were published and theoretically showed the taxonomy of the threats and the countermeasure methods with little focus in AE detection methods. In this paper, we focus on image classification task and attempt to provide a survey for detection methods of test-time evasion attacks on neural network classifiers. A detailed discussion for such methods is provided with experimental results for eight state-of-the-art detectors under different scenarios on four datasets. We also provide potential challenges and future perspectives for this research direction. [ABSTRACT FROM AUTHOR]

Published

2022

24. Adversarial attacks on fingerprint liveness detection.

Author

Fei, Jianwei, Xia, Zhihua, Yu, Peipeng, and Xiao, Fengjun

Subjects

BIOMETRIC fingerprinting, DEEP learning

Abstract

Deep neural networks are vulnerable to adversarial samples, posing potential threats to the applications deployed with deep learning models in practical conditions. A typical example is the fingerprint liveness detection module in fingerprint authentication systems. Inspired by great progress of deep learning, deep networks-based fingerprint liveness detection algorithms spring up and dominate the field. Thus, we investigate the feasibility of deceiving state-of-the-art deep networks-based fingerprint liveness detection schemes by leveraging this property in this paper. Extensive evaluations are made with three existing adversarial methods: FGSM, MI-FGSM, and Deepfool. We also proposed an adversarial attack method that enhances the robustness of adversarial fingerprint images to various transformations like rotations and flip. We demonstrate these outstanding schemes are likely to classify fake fingerprints as live fingerprints by adding tiny perturbations, even without internal details of their used model. The experimental results reveal a big loophole and threats for these schemes from a view of security, and enough attention is urgently needed to be paid on anti-adversarial not only in fingerprint liveness detection but also in all deep learning applications. [ABSTRACT FROM AUTHOR]

Published

2020

25. DNS exfiltration detection in the presence of adversarial attacks and modified exfiltrator behaviour.

Author

Žiža, Kristijan, Tadić, Predrag, and Vuletić, Pavle

Subjects

*INTERNET domain naming system, *SCIENTIFIC community

Abstract

The Domain Name System (DNS) exfiltration is an activity in which an infected device sends data to the attacker's server by encoding it in DNS request messages. Because of the frequent use of DNS exfiltration for malicious purposes, exfiltration detection gained attention from the research community which proposed several predominantly machine learning-based methods. The majority of previous studies used publicly available DNS exfiltration tools with the default configuration parameters, resulting in datasets created from DNS exfiltration requests that are usually significantly longer, have more DNS name labels, and higher character entropy than average regular DNS requests. This further led to overly optimistic detection rates. In this paper, we have explored some of the strategies an attacker could use to avoid exfiltration detection. First, we have explored the impact of DNS exfiltration tools' parameter variation on the exfiltration detection accuracy. Second, we have modified the DNSExfiltrator tool to produce exfiltration requests which have significantly lower character entropy. This approach proved to be capable of deceiving classifiers based on single DNS request features. Only around 1% of modified DNS requests shorter or equal to 9 bytes, and less than one third of DNS exfiltration requests in the overall population were accurately detected. In addition, we present a methodology and an aggregated feature set (including inter-request timing statistics) which can be used for accurate DNS exfiltration in this kind of adversarial settings. [ABSTRACT FROM AUTHOR]

Published

2023

26. Attack-Resistant and Efficient Cancelable Codeword Generation Using Random walk-Based Methods.

Author

Pandey, Fagul, Dash, Priyabrata, and Sinha, Divyanshi

Subjects

RANDOM walks

Abstract

Securely handling the biometric information of an individual is still a major challenge in many applications. For this reason, many cancelable techniques are present which were proposed with an aim to provide security, but adversarial attacks like a similarity-based attack on popular methods have recently been reported in the literature. In this paper, we propose a random walk-based method for cancelable template generation (2-d random walk and circular random walk). The novelty of the proposed method is to generate a secure, distinct cancelable template from fingerprint data. Further, the proposed scheme is immune to different security attacks. It also ensures the randomness of the generated cancelable templates. Our proposed scheme achieves comparable performance in terms of average genuine acceptance rate of 97.02 % , average false acceptance rate of 0.13 % for different fingerprint data. Moreover, our proposed scheme has FAR (attack) of 11.11 % , which is very low compared to the state-of-the-art method (such as BioHashing 62.5%). [ABSTRACT FROM AUTHOR]

Published

2022

27. A Novel Lightweight Defense Method Against Adversarial Patches-Based Attacks on Automated Vehicle Make and Model Recognition Systems.

Author

Siddiqui, Abdul Jabbar and Boukerche, Azzedine

Abstract

In smart cities, connected and automated surveillance systems play an essential role in ensuring safety and security of life, property, critical infrastructures and cyber-physical systems. The recent trend of such surveillance systems has been to embrace the use of advanced deep learning models such as convolutional neural networks for the task of detection, monitoring or tracking. In this paper, we focus on the security of an automated surveillance system that is responsible for vehicle make and model recognition (VMMR). We introduce an adversarial attack against such VMMR systems through adversarially learnt patches. We demonstrate the effectiveness of the developed adversarial patches against VMMR through experimental evaluations on a real-world vehicle surveillance dataset. The developed adversarial patches achieve reductions of up to 48 % in VMMR recall scores. In addition, we propose a lightweight defense method called SIHFR (stands for Symmetric Image-Half Flip and Replace) to eliminate the effect of adversarial patches on VMMR performance. Through experimental evaluations, we investigate the robustness of the proposed defense method under varying patch placement strategies and patch sizes. The proposed defense method adds a minimal overhead of less than 2ms per image (on average) and succeeds in enhancing VMMR performance by up to 69.28 % . It is hoped that this work shall guide future studies to develop smart city VMMR surveillance systems that are robust to cyber-physical attacks based on adversarially learnt patches. [ABSTRACT FROM AUTHOR]

Published

2021

28. RNAS-CL: Robust Neural Architecture Search by Cross-Layer Knowledge Distillation.

Author

Nath, Utkarsh, Wang, Yancheng, Turaga, Pavan, and Yang, Yingzhen

Subjects

*ARTIFICIAL neural networks, *MACHINE learning

Abstract

Deep Neural Networks are often vulnerable to adversarial attacks. Neural Architecture Search (NAS), one of the tools for developing novel deep neural architectures, demonstrates superior performance in prediction accuracy in various machine learning applications. However, the performance of a neural architecture discovered by NAS against adversarial attacks has not been sufficiently studied, especially under the regime of knowledge distillation. Given the presence of a robust teacher, we investigate if NAS would produce a robust neural architecture by inheriting robustness from the teacher. In this paper, we propose Robust Neural Architecture Search by Cross-Layer knowledge distillation (RNAS-CL), a novel NAS algorithm that improves the robustness of NAS by learning from a robust teacher through cross-layer knowledge distillation. Unlike previous knowledge distillation methods that encourage close student-teacher output only in the last layer, RNAS-CL automatically searches for the best teacher layer to supervise each student layer. Experimental results demonstrate the effectiveness of RNAS-CL and show that RNAS-CL produces compact and adversarially robust neural architectures. Our results point to new approaches for finding compact and robust neural architecture for many applications. The code of RNAS-CL is available at https://github.com/Statistical-Deep-Learning/RNAS-CL. [ABSTRACT FROM AUTHOR]

Published

2024

29. Machine learning security and privacy: a review of threats and countermeasures.

Author

Paracha, Anum, Arshad, Junaid, Farah, Mohamed Ben, and Ismail, Khalid

Subjects

REVERSE engineering, DIGITAL technology, PRIVACY, INFRASTRUCTURE (Economics), NATURAL resources, MACHINE learning

Abstract

Machine learning has become prevalent in transforming diverse aspects of our daily lives through intelligent digital solutions. Advanced disease diagnosis, autonomous vehicular systems, and automated threat detection and triage are some prominent use cases. Furthermore, the increasing use of machine learning in critical national infrastructures such as smart grids, transport, and natural resources makes it an attractive target for adversaries. The threat to machine learning systems is aggravated due to the ability of mal-actors to reverse engineer publicly available models, gaining insight into the algorithms underpinning these models. Focusing on the threat landscape for machine learning systems, we have conducted an in-depth analysis to critically examine the security and privacy threats to machine learning and the factors involved in developing these adversarial attacks. Our analysis highlighted that feature engineering, model architecture, and targeted system knowledge are crucial aspects in formulating these attacks. Furthermore, one successful attack can lead to other attacks; for instance, poisoning attacks can lead to membership inference and backdoor attacks. We have also reviewed the literature concerning methods and techniques to mitigate these threats whilst identifying their limitations including data sanitization, adversarial training, and differential privacy. Cleaning and sanitizing datasets may lead to other challenges, including underfitting and affecting model performance, whereas differential privacy does not completely preserve model's privacy. Leveraging the analysis of attack surfaces and mitigation techniques, we identify potential research directions to improve the trustworthiness of machine learning systems. [ABSTRACT FROM AUTHOR]

Published

2024

30. Analyzing the robustness of decentralized horizontal and vertical federated learning architectures in a non-IID scenario.

Author

Sánchez Sánchez, Pedro Miguel, Huertas Celdrán, Alberto, Martínez Pérez, Enrique Tomás, Demeter, Daniel, Bovet, Gérôme, Martínez Pérez, Gregorio, and Stiller, Burkhard

Subjects

FEDERATED learning, MACHINE learning, DEEP learning, DISTRIBUTED artificial intelligence, DATA privacy, COMPUTER network protocols

Abstract

Federated learning (FL) enables participants to collaboratively train machine and deep learning models while safeguarding data privacy. However, the FL paradigm still has drawbacks that affect its trustworthiness, as malicious participants could launch adversarial attacks against the training process. Previous research has examined the robustness of horizontal FL scenarios under various attacks. However, there is a lack of research evaluating the robustness of decentralized vertical FL and comparing it with horizontal FL architectures affected by adversarial attacks. Therefore, this study proposes three decentralized FL architectures: HoriChain, VertiChain, and VertiComb. These architectures feature different neural networks and training protocols suitable for horizontal and vertical scenarios. Subsequently, a decentralized, privacy-preserving, and federated use case with non-IID data to classify handwritten digits is deployed to assess the performance of the three architectures. Finally, a series of experiments computes and compares the robustness of the proposed architectures when they are affected by different data poisoning methods, including image watermarks and gradient poisoning adversarial attacks. The experiments demonstrate that while specific configurations of both attacks can undermine the classification performance of the architectures, HoriChain is the most robust one. [ABSTRACT FROM AUTHOR]

Published

2024

31. 3DVerifier: efficient robustness verification for 3D point cloud models.

Author

Mu, Ronghui, Ruan, Wenjie, Marcolino, Leandro S., and Ni, Qiang

Subjects

POINT cloud, ARTIFICIAL neural networks

Abstract

3D point cloud models are widely applied in safety-critical scenes, which delivers an urgent need to obtain more solid proofs to verify the robustness of models. Existing verification method for point cloud model is time-expensive and computationally unattainable on large networks. Additionally, they cannot handle the complete PointNet model with joint alignment network that contains multiplication layers, which effectively boosts the performance of 3D models. This motivates us to design a more efficient and general framework to verify various architectures of point cloud models. The key challenges in verifying the large-scale complete PointNet models are addressed as dealing with the cross-non-linearity operations in the multiplication layers and the high computational complexity of high-dimensional point cloud inputs and added layers. Thus, we propose an efficient verification framework, 3DVerifier, to tackle both challenges by adopting a linear relaxation function to bound the multiplication layer and combining forward and backward propagation to compute the certified bounds of the outputs of the point cloud models. Our comprehensive experiments demonstrate that 3DVerifier outperforms existing verification algorithms for 3D models in terms of both efficiency and accuracy. Notably, our approach achieves an orders-of-magnitude improvement in verification efficiency for the large network, and the obtained certified bounds are also significantly tighter than the state-of-the-art verifiers. We release our tool 3DVerifier via https://github.com/TrustAI/3DVerifier for use by the community. [ABSTRACT FROM AUTHOR]

Published

2024

32. Defense against adversarial attacks: robust and efficient compressed optimized neural networks.

Author

Kraidia, Insaf, Ghenai, Afifa, and Belhaouari, Samir Brahim

Abstract

In the ongoing battle against adversarial attacks, adopting a suitable strategy to enhance model efficiency, bolster resistance to adversarial threats, and ensure practical deployment is crucial. To achieve this goal, a novel four-component methodology is introduced. First, introducing a pioneering batch-cumulative approach, the exponential particle swarm optimization (ExPSO) algorithm was developed for meticulous parameter fine-tuning within each batch. A cumulative updating loss function was employed for overall optimization, demonstrating remarkable superiority over traditional optimization techniques. Second, weight compression is applied to streamline the deep neural network (DNN) parameters, boosting the storage efficiency and accelerating inference. It also introduces complexity to deter potential attackers, enhancing model accuracy in adversarial settings. This study compresses the generative pre-trained transformer (GPT) by 65%, saving time and memory without causing performance loss. Compared to state-of-the-art methods, the proposed method achieves the lowest perplexity (14.28), the highest accuracy (93.72%), and an 8 × speedup in the central processing unit. The integration of the preceding two components involves the simultaneous training of multiple versions of the compressed GPT. This training occurs across various compression rates and different segments of a dataset and is ultimately associated with a novel multi-expert architecture. This enhancement significantly fortifies the model's resistance to adversarial attacks by introducing complexity into attackers' attempts to anticipate the model's prediction integration process. Consequently, this leads to a remarkable average performance improvement of 25% across 14 different attack scenarios and various datasets, surpassing the capabilities of current state-of-the-art methods. [ABSTRACT FROM AUTHOR]

Published

2024

33. Unlocking adversarial transferability: a security threat towards deep learning-based surveillance systems via black box inference attack- a case study on face mask surveillance.

Author

sheikh, Burhan Ul Haque and Zafar, Aasim

Abstract

With the increasing demand for reliable face mask detection systems during the COVID-19 pandemic, deep learning (DL) and machine learning (ML) algorithms have been widely used. However, these models are vulnerable to adversarial attacks, which pose a significant challenge to their reliability. This study investigates the susceptibility of a DL-based face mask detection model to a black box adversarial attack using a substitute model approach. A transfer learning-based face mask detection model is employed as the target model, while a CNN model acts as the substitute model for generating adversarial examples. The experiment is conducted under the assumption of a black-box attack, where attackers have limited access to the target model's architecture and gradients but access to training data. The results demonstrate the successful reduction of the face mask detection model's classification accuracy from 97.18% to 46.52% through the black-box adversarial attack, highlighting the vulnerability of current face mask detection methods to such attacks. These findings underscore the need for robust defense measures to be implemented in face mask detection systems to ensure their reliability in practical applications. [ABSTRACT FROM AUTHOR]

Published

2024

34. Untargeted white-box adversarial attack to break into deep learning based COVID-19 monitoring face mask detection system.

Author

Sheikh, Burhan Ul haque and Zafar, Aasim

Abstract

The face mask detection system has been a valuable tool to combat COVID-19 by preventing its rapid transmission. This article demonstrated that the present deep learning-based face mask detection systems are vulnerable to adversarial attacks. We proposed a framework for a robust face mask detection system that is resistant to adversarial attacks. We first developed a face mask detection system by fine-tuning the MobileNetv2 model and training it on the custom-built dataset. The model performed exceptionally well, achieving 95.83% of accuracy on test data. Then, the model's performance is assessed using adversarial images calculated by the fast gradient sign method (FGSM). The FGSM attack reduced the model's classification accuracy from 95.83% to 14.53%, indicating that the adversarial attack on the proposed model severely damaged its performance. Finally, we illustrated that the proposed robust framework enhanced the model's resistance to adversarial attacks. Although there was a notable drop in the accuracy of the robust model on unseen clean data from 95.83% to 92.79%, the model performed exceptionally well, improving the accuracy from 14.53% to 92% on adversarial data. We expect our research to heighten awareness of adversarial attacks on COVID-19 monitoring systems and inspire others to protect healthcare systems from similar attacks. [ABSTRACT FROM AUTHOR]

Published

2024

35. Clustering-based attack detection for adversarial reinforcement learning.

Author

Majadas, Rubén, García, Javier, and Fernández, Fernando

Subjects

REINFORCEMENT learning, MARKOV processes, CHANGE-point problems, PROBLEM solving

Abstract

Detecting malicious attacks presents a major challenge in the field of reinforcement learning (RL), as such attacks can force the victim to perform abnormal actions, with potentially severe consequences. To mitigate these risks, current research focuses on the enhancement of RL algorithms with efficient detection mechanisms, especially for real-world applications. Adversarial attacks have the potential to alter the environmental dynamics of a Markov Decision Process (MDP) perceived by an RL agent. Leveraging these changes in dynamics, we propose a novel approach to detect attacks. Our contribution can be summarized in two main aspects. Firstly, we propose a novel formalization of the attack detection problem that entails analyzing modifications made by attacks to the transition and reward dynamics within the environment. This problem can be framed as a context change detection problem, where the goal is to identify the transition from a "free-of-attack" situation to an "under-attack" scenario. To solve this problem, we propose a groundbreaking "model-free" clustering-based countermeasure. This approach consists of two essential steps: first, partitioning the transition space into clusters, and then using this partitioning to identify changes in environmental dynamics caused by adversarial attacks. To assess the efficiency of our detection method, we performed experiments on four established RL domains (grid-world, mountain car, carpole, and acrobot) and subjected them to four advanced attack types. Uniform, Strategically-timed, Q-value, and Multi-objective. Our study proves that our technique has a high potential for perturbation detection, even in scenarios where attackers employ more sophisticated strategies. [ABSTRACT FROM AUTHOR]

Published

2024

36. Robust Federated Learning for execution time-based device model identification under label-flipping attack.

Author

Sánchez Sánchez, Pedro Miguel, Huertas Celdrán, Alberto, Buendía Rubio, José Rafael, Bovet, Gérôme, and Martínez Pérez, Gregorio

Subjects

FEDERATED learning, DATA privacy, DEEP learning, ELECTRONIC data processing, HUMAN fingerprints, DATA protection

Abstract

The computing device deployment explosion experienced in recent years, motivated by the advances of technologies such as Internet-of-Things (IoT) and 5G, has led to a global scenario with increasing cybersecurity risks and threats. Among them, device spoofing and impersonation cyberattacks stand out due to their impact and, usually, low complexity required to be launched. To solve this issue, several solutions have emerged to identify device models and types based on the combination of behavioral fingerprinting and Machine/Deep Learning (ML/DL) techniques. However, these solutions are not appropriate for scenarios where data privacy and protection are a must, as they require data centralization for processing. In this context, newer approaches such as Federated Learning (FL) have not been fully explored yet, especially when malicious clients are present in the scenario setup. The present work analyzes and compares the device model identification performance of a centralized DL model with an FL one while using execution time-based events. For experimental purposes, a dataset containing execution-time features of 55 Raspberry Pis belonging to four different models has been collected and published. Using this dataset, the proposed solution achieved 0.9999 accuracy in both setups, centralized and federated, showing no performance decrease while preserving data privacy. Later, the impact of a label-flipping attack during the federated model training is evaluated using several aggregation mechanisms as countermeasures. Zeno and coordinate-wise median aggregation show the best performance, although their performance greatly degrades when the percentage of fully malicious clients (all training samples poisoned) grows over 50%. [ABSTRACT FROM AUTHOR]

Published

2024

37. Towards the transferable audio adversarial attack via ensemble methods.

Author

Guo, Feng, Sun, Zheng, Chen, Yuxuan, and Ju, Lei

Subjects

SPEECH perception, DEEP learning, SPEECH, AUTONOMOUS vehicles

Abstract

In recent years, deep learning (DL) models have achieved significant progress in many domains, such as autonomous driving, facial recognition, and speech recognition. However, the vulnerability of deep learning models to adversarial attacks has raised serious concerns in the community because of their insufficient robustness and generalization. Also, transferable attacks have become a prominent method for black-box attacks. In this work, we explore the potential factors that impact adversarial examples (AEs) transferability in DL-based speech recognition. We also discuss the vulnerability of different DL systems and the irregular nature of decision boundaries. Our results show a remarkable difference in the transferability of AEs between speech and images, with the data relevance being low in images but opposite in speech recognition. Motivated by dropout-based ensemble approaches, we propose random gradient ensembles and dynamic gradient-weighted ensembles, and we evaluate the impact of ensembles on the transferability of AEs. The results show that the AEs created by both approaches are valid for transfer to the black box API. [ABSTRACT FROM AUTHOR]

Published

2023

38. Vulnerable point detection and repair against adversarial attacks for convolutional neural networks.

Author

Gao, Jie, Xia, Zhaoqiang, Dai, Jing, Dang, Chen, Jiang, Xiaoyue, and Feng, Xiaoyi

Abstract

Recently, convolutional neural networks have been shown to be sensitive to artificially designed perturbations that are imperceptible to the naked eye. Whether it is image classification, semantic segmentation, or object detection, all of them will face such problem. The existence of adversarial examples raises questions about the security of smart applications. Some works have paid attention to this problem and proposed several defensive strategies to resist adversarial attacks. However, no one explored the vulnerable area of the model under multiple attacks. In this work, we fill this gap by exploring the vulnerable areas of the model, which is vulnerable to adversarial attacks. Specifically, under various attack methods with different strengths, we conduct extensive experiments on two datasets based on three different networks and illustrate some phenomena. Besides, by exploiting the Siamese Network, we propose a novel approach to more intuitively discover the deficiencies of the model. Moreover, we further provide a novel adaptive vulnerable point repair method to improve the adversarial robustness of the model. Extensive experimental results show that our proposed method can effectively improve the adversarial robustness of the model. [ABSTRACT FROM AUTHOR]

Published

2023

39. Adversarial machine learning phases of matter.

Author

Jiang, Si, Lu, Sirui, and Deng, Dong-Ling

Subjects

PHASE transitions, MACHINE learning, PHYSICAL laws, ROBUST control, PERTURBATION theory

Abstract

We study the robustness of machine learning approaches to adversarial perturbations, with a focus on supervised learning scenarios. We find that typical phase classifiers based on deep neural networks are extremely vulnerable to adversarial perturbations: adding a tiny amount of carefully crafted noises into the original legitimate examples will cause the classifiers to make incorrect predictions at a notably high confidence level. Through the lens of activation maps, we find that some important underlying physical principles and symmetries remain to be adequately captured for classifiers with even near-perfect performance. This explains why adversarial perturbations exist for fooling these classifiers. In addition, we find that, after adversarial training the classifiers will become more consistent with physical laws and consequently more robust to certain kinds of adversarial perturbations. Our results provide valuable guidance for both theoretical and experimental future studies on applying machine learning techniques to condensed matter physics. [ABSTRACT FROM AUTHOR]

Published

2023

40. Detection of Iterative Adversarial Attacks via Counter Attack.

Author

Rottmann, Matthias, Maag, Kira, Peyron, Mathis, Gottschalk, Hanno, and Krejić, Nataša

Subjects

ARTIFICIAL neural networks

Abstract

Deep neural networks (DNNs) have proven to be powerful tools for processing unstructured data. However, for high-dimensional data, like images, they are inherently vulnerable to adversarial attacks. Small almost invisible perturbations added to the input can be used to fool DNNs. Various attacks, hardening methods and detection methods have been introduced in recent years. Notoriously, Carlini–Wagner (CW)-type attacks computed by iterative minimization belong to those that are most difficult to detect. In this work we outline a mathematical proof that the CW attack can be used as a detector itself. That is, under certain assumptions and in the limit of attack iterations this detector provides asymptotically optimal separation of original and attacked images. In numerical experiments, we experimentally validate this statement and furthermore obtain AUROC values up to 99.73 % on CIFAR10 and ImageNet. This is in the upper part of the spectrum of current state-of-the-art detection rates for CW attacks. [ABSTRACT FROM AUTHOR]

Published

2023

41. Exploring misclassifications of robust neural networks to enhance adversarial attacks.

Author

Schwinn, Leo, Raab, René, Nguyen, An, Zanca, Dario, and Eskofier, Bjoern

Subjects

SCIENTIFIC community, COMPUTER vision, DEEP learning, PREDICTION models, SCIENTIFIC observation

Abstract

Progress in making neural networks more robust against adversarial attacks is mostly marginal, despite the great efforts of the research community. Moreover, the robustness evaluation is often imprecise, making it challenging to identify promising approaches. We do an observational study on the classification decisions of 19 different state-of-the-art neural networks trained to be robust against adversarial attacks. This analysis gives a new indication of the limits of the robustness of current models on a common benchmark. In addition, our findings suggest that current untargeted adversarial attacks induce misclassification toward only a limited amount of different classes. Similarly, we find that previous attacks under-explore the perturbation space during optimization. This leads to unsuccessful attacks for samples where the initial gradient direction is not a good approximation of the final adversarial perturbation direction. Additionally, we observe that both over- and under-confidence in model predictions result in an inaccurate assessment of model robustness. Based on these observations, we propose a novel loss function for adversarial attacks that consistently improves their efficiency and success rate compared to prior attacks for all 30 analyzed models. [ABSTRACT FROM AUTHOR]

Published

2023

42. Towards the universal defense for query-based audio adversarial attacks on speech recognition system.

Author

Guo, Feng, Sun, Zheng, Chen, Yuxuan, and Ju, Lei

Subjects

AUTOMATIC speech recognition, DENIAL of service attacks, SPEECH perception, DEEP learning

Abstract

Recently, studies show that deep learning-based automatic speech recognition (ASR) systems are vulnerable to adversarial examples (AEs), which add a small amount of noise to the original audio examples. These AE attacks pose new challenges to deep learning security and have raised significant concerns about deploying ASR systems and devices. The existing defense methods are either limited in application or only defend on results, but not on process. In this work, we propose a novel method to infer the adversary intent and discover audio adversarial examples based on the AEs generation process. The insight of this method is based on the observation: many existing audio AE attacks utilize query-based methods, which means the adversary must send continuous and similar queries to target ASR models during the audio AE generation process. Inspired by this observation, We propose a memory mechanism by adopting audio fingerprint technology to analyze the similarity of the current query with a certain length of memory query. Thus, we can identify when a sequence of queries appears to be suspectable to generate audio AEs. Through extensive evaluation on four state-of-the-art audio AE attacks, we demonstrate that on average our defense identify the adversary's intent with over 90 % accuracy. With careful regard for robustness evaluations, we also analyze our proposed defense and its strength to withstand two adaptive attacks. Finally, our scheme is available out-of-the-box and directly compatible with any ensemble of ASR defense models to uncover audio AE attacks effectively without model retraining. [ABSTRACT FROM AUTHOR]

Published

2023

43. Towards adversarial realism and robust learning for IoT intrusion detection and classification.

Author

Vitorino, João, Praça, Isabel, and Maia, Eva

Abstract

The internet of things (IoT) faces tremendous security challenges. Machine learning models can be used to tackle the growing number of cyber-attack variations targeting IoT systems, but the increasing threat posed by adversarial attacks restates the need for reliable defense strategies. This work describes the types of constraints required for a realistic adversarial cyber-attack example and proposes a methodology for a trustworthy adversarial robustness analysis with a realistic adversarial evasion attack vector. The proposed methodology was used to evaluate three supervised algorithms, random forest (RF), extreme gradient boosting (XGB), and light gradient boosting machine (LGBM), and one unsupervised algorithm, isolation forest (IFOR). Constrained adversarial examples were generated with the adaptative perturbation pattern method (A2PM), and evasion attacks were performed against models created with regular and adversarial training. Even though RF was the least affected in binary classification, XGB consistently achieved the highest accuracy in multi-class classification. The obtained results evidence the inherent susceptibility of tree-based algorithms and ensembles to adversarial evasion attacks and demonstrate the benefits of adversarial training and a security-by-design approach for a more robust IoT network intrusion detection and cyber-attack classification. [ABSTRACT FROM AUTHOR]

Published

2023

44. Evil vs evil: using adversarial examples to against backdoor attack in federated learning.

Author

Liu, Tao, Li, Mingjun, Zheng, Haibin, Ming, Zhaoyan, and Chen, Jinyin

Subjects

TASK performance, DATA scrubbing, GOOD & evil

Abstract

As a distributed learning paradigm, federated learning (FL) has shown great success in aggregating information from different clients to train a shared global model. Unfortunately, by uploading carefully crafted updated models, a malicious client can embed a backdoor into the global model during FL's training. Numerous secure aggregation strategies and robust training protocols have been proposed to defend FL against backdoor attacks. However, they are still challenged, either being bypassed by adaptive attacks or sacrificing the main task performance of FL. By conducting empirical studies of backdoor attacks in FL, we gain an interesting insight that adversarial perturbations can activate backdoors in backdoor models. Consequently, behavior differences of models fed by adversarial examples are compared for backdoor update detection. We propose a novel FL backdoor defense method using adversarial examples, denoted as E ̲ v i l v ̲ s E ̲ v i l (EVE). Specifically, a small data set of clean examples for FL's main task training is collected in the sever for adversarial examples generation. By observing the behavior of updated models under the adversarial examples, EVE uses a clustering algorithm to select benign models and to exclude the other models, without any loss of the main task performance of FL itself. Extensive evaluations across four data sets and the corresponding DNNs demonstrate the state-of-the-art (SOTA) defense performance of EVE compared with five baselines. In particular, EVE under 40% of malicious clients can reduce the attack success rate from 99% to 1%. In addition, we verify that EVE is still robust under the adaptive attacks. EVE is open sourced to facilitate future research. [ABSTRACT FROM AUTHOR]

Published

2023

45. Minimally Distorted Structured Adversarial Attacks.

Author

Kazemi, Ehsan, Kerdreux, Thomas, and Wang, Liqiang

Subjects

SYNCOPE, MATHEMATICAL optimization, MATHEMATICAL regularization

Abstract

White box adversarial perturbations are generated via iterative optimization algorithms most often by minimizing an adversarial loss on a ℓ p neighborhood of the original image, the so-called distortion set. Constraining the adversarial search with different norms results in disparately structured adversarial examples. Here we explore several distortion sets with structure-enhancing algorithms. These new structures for adversarial examples might provide challenges for provable and empirical robust mechanisms. Because adversarial robustness is still an empirical field, defense mechanisms should also reasonably be evaluated against differently structured attacks. Besides, these structured adversarial perturbations may allow for larger distortions size than their ℓ p counterpart while remaining imperceptible or perceptible as natural distortions of the image. We will demonstrate in this work that the proposed structured adversarial examples can significantly bring down the classification accuracy of adversarially trained classifiers while showing a low ℓ 2 distortion rate. For instance, on ImagNet dataset the structured attacks drop the accuracy of the adversarial model to near zero with only 50% of ℓ 2 distortion generated using white-box attacks like PGD. As a byproduct, our findings on structured adversarial examples can be used for adversarial regularization of models to make models more robust or improve their generalization performance on datasets that are structurally different. [ABSTRACT FROM AUTHOR]

Published

2023

46. Generate adversarial examples by adaptive moment iterative fast gradient sign method.

Author

Zhang, Jiebao, Qian, Wenhua, Nie, Rencan, Cao, Jinde, and Xu, Dan

Subjects

ARTIFICIAL neural networks, COSINE function

Abstract

Deep neural networks (DNNs) are vulnerable to adversarial examples that are similar to original samples but contain the perturbations intentionally crafted by adversaries. Many efficient and typical attacks are based on the fast gradient sign method and usually against models by adding invariant perturbation magnitude to the input of DNN in each iteration. Some studies report that the loss surface demonstrates significant non-smooth variation in the input space. The invariant perturbation size may not be conducive to finding adversarial examples fast in iterations. In this work, we propose the adaptive moment iterative fast gradient sign method (Adam-FGSM), a new iterative white-box attack. According to the moment estimations of the gradients, Adam-FGSM can follow stable perturbation directions by the first-order moment estimation of gradients and adaptively compute the perturbation size with the second-order moment estimations. The experimental results show that Adam-FGSM could adopt rugged input loss space to generate adversarial examples with a higher attack success rate and acceptable transferability in fewer iterations. We analyze the attack process of Adam-FGSM to explain why it can achieve outstanding performance by visualizing the L1, L ∞ norms, and the cosine similarity of perturbations. Furthermore, we plot trajectories of iterative attack methods to observe the geometric characteristics intuitively. [ABSTRACT FROM AUTHOR]

Published

2023

47. Revisiting model's uncertainty and confidences for adversarial example detection.

Author

Aldahdooh, Ahmed, Hamidouche, Wassim, and Déforges, Olivier

Subjects

ARTIFICIAL neural networks, CONFIDENCE

Abstract

Security-sensitive applications that rely on Deep Neural Networks (DNNs) are vulnerable to small perturbations that are crafted to generate Adversarial Examples. The (AEs) are imperceptible to humans and cause DNN to misclassify them. Many defense and detection techniques have been proposed. Model's confidences and Dropout, as a popular way to estimate the model's uncertainty, have been used for AE detection but they showed limited success against black- and gray-box attacks. Moreover, the state-of-the-art detection techniques have been designed for specific attacks or broken by others, need knowledge about the attacks, are not consistent, increase model parameters overhead, are time-consuming, or have latency in inference time. To trade off these factors, we revisit the model's uncertainty and confidences and propose a novel unsupervised ensemble AE detection mechanism that 1) uses the uncertainty method called SelectiveNet, 2) processes model layers outputs, i.e. feature maps, to generate new confidence probabilities. The detection method is called SFAD. Experimental results show that the proposed approach achieves better performance against black- and gray-box attacks than the state-of-the-art methods and achieves comparable performance against white-box attacks. Moreover, results show that SFAD is fully robust against High Confidence Attacks (HCAs) for MNIST and partially robust for CIFAR10 datasets.1 [ABSTRACT FROM AUTHOR]

Published

2023

48. Understanding deep learning defenses against adversarial examples through visualizations for dynamic risk assessment.

Author

Echeberria-Barrio, Xabier, Gil-Lerchundi, Amaia, Egana-Zubia, Jon, and Orduna-Urrutia, Raul

Subjects

ARTIFICIAL neural networks, DEEP learning, CONVOLUTIONAL neural networks, BEHAVIOR modification, RISK assessment

Abstract

In recent years, deep neural network models have been developed in different fields, where they have brought many advances. However, they have also started to be used in tasks where risk is critical. Misdiagnosis of these models can lead to serious accidents or even death. This concern has led to an interest among researchers to study possible attacks on these models, discovering a long list of vulnerabilities, from which every model should be defended. The adversarial example attack is a widely known attack among researchers, who have developed several defenses to avoid such a threat. However, these defenses are as opaque as a deep neural network model, how they work is still unknown. This is why visualizing how they change the behavior of the target model is interesting in order to understand more precisely how the performance of the defended model is being modified. For this work, three defense strategies, against adversarial example attacks, have been selected in order to visualize the behavior modification of each of them in the defended model. Adversarial training, dimensionality reduction, and prediction similarity were the selected defenses, which have been developed using a model composed of convolution neural network layers and dense neural network layers. In each defense, the behavior of the original model has been compared with the behavior of the defended model, representing the target model by a graph in a visualization. This visualization allows identifying the vulnerabilities of the model and shows how the defenses try to avoid them. [ABSTRACT FROM AUTHOR]

Published

2022

49. Just noticeable difference for machine perception and generation of regularized adversarial images with minimal perturbation.

Author

Akan, Adil Kaan, Akbas, Emre, and Vural, Fatos T. Yarman

Abstract

In this study, we introduce a measure for machine perception, inspired by the concept of Just Noticeable Difference (JND) of human perception. Based on this measure, we suggest an adversarial image generation algorithm, which iteratively distorts an image by an additive noise until the model detects the change in the image by outputting a false label. The noise added to the original image is defined as the gradient of the cost function of the model. A novel cost function is defined to explicitly minimize the amount of perturbation applied to the input image while enforcing the perceptual similarity between the adversarial and input images. For this purpose, the cost function is regularized by the well-known total variation and bounded range terms to meet the natural appearance of the adversarial image. We evaluate the adversarial images generated by our algorithm both qualitatively and quantitatively on CIFAR10, ImageNet, and MS COCO datasets. Our experiments on image classification and object detection tasks show that adversarial images generated by our JND method are both more successful in deceiving the recognition/detection models and less perturbed compared to the images generated by the state-of-the-art methods, namely, FGV, FSGM, and DeepFool methods. [ABSTRACT FROM AUTHOR]

Published

2022

50. FATALRead - Fooling visual speech recognition models: Put words on Lips.

Author

Gupta, Anup Kumar, Gupta, Puneet, and Rahtu, Esa

Subjects

SPEECH perception, LIPS, DEEP learning, WORD recognition, SPEECH, LIPREADING, LOGITS

Abstract

Visual speech recognition is essential in understanding speech in several real-world applications such as surveillance systems and aiding differently-abled. It proliferates the research in the realm of visual speech recognition, also known as Automatic Lip Reading (ALR). In recent years, Deep Learning (DL) methods are being utilised for developing ALR systems. DL models tend to be vulnerable to adversarial attacks. Studying these attacks creates new research directions in designing robust DL systems. Existing attacks on images and videos classification models are not directly applicable to ALR systems. Since the ALR systems encompass temporal information, attacking these systems is comparatively more challenging and strenuous than attacking image classification models. Similarly, compared to other video classification tasks, the region-of-interest is smaller in the case of ALR systems. Despite these factors, our proposed method, Fooling AuTomAtic Lip Reading (FATALRead), can successfully perform adversarial attacks on state-of-the-art ALR systems. To the best of our knowledge, we are the first to successfully fool ALR systems for the word recognition task. We further demonstrate that the success of the attack is increased by incorporating logits instead of probabilities in the loss function. Our extensive experiments on a publicly available dataset, show that our attack successfully circumvents the well-known transformation based defences. [ABSTRACT FROM AUTHOR]

Published

2022