Showing total 7 results

1. Defending Adversarial Examples via DNN Bottleneck Reinforcement

Author

Li Li, Teddy Furon, Wenqing Liu, Miaojing Shi, Tongji University, Creating and exploiting explicit links between multimedia fragments (LinkMedia), Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-MEDIA ET INTERACTIONS (IRISA-D6), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-Institut National de Recherche en Informatique et en Automatique (Inria)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Rennes (UR)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université de Bretagne Sud (UBS)-École normale supérieure - Rennes (ENS Rennes)-CentraleSupélec-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), King‘s College London, ANR-20-CHIA-0011,SAIDA,Sécurité de l'Intelligence Artificielle pour des Applications Défense(2020), MEDIA ET INTERACTIONS (IRISA-D6), Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National des Sciences Appliquées (INSA)-Université de Rennes (UNIV-RENNES)-Institut National de Recherche en Informatique et en Automatique (Inria)-École normale supérieure - Rennes (ENS Rennes)-Centre National de la Recherche Scientifique (CNRS)-Université de Rennes 1 (UR1), Université de Rennes (UNIV-RENNES)-CentraleSupélec-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Bretagne Sud (UBS)-Institut National des Sciences Appliquées - Rennes (INSA Rennes), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Inria Rennes – Bretagne Atlantique, and Institut National de Recherche en Informatique et en Automatique (Inria)

Subjects

FOS: Computer and information sciences, Computer science, Computer Vision and Pattern Recognition (cs.CV), Computer Science - Computer Vision and Pattern Recognition, information bottleneck, 010501 environmental sciences, Machine learning, computer.software_genre, 01 natural sciences, Bottleneck, [INFO.INFO-AI]Computer Science [cs]/Artificial Intelligence [cs.AI], Adversarial system, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], [INFO.INFO-TS]Computer Science [cs]/Signal and Image Processing, 0502 economics and business, 050207 economics, Reinforcement, 0105 earth and related environmental sciences, business.industry, 05 social sciences, auto-encoder, Information bottleneck method, Autoencoder, Software and application security, adversarial attacks, Artificial intelligence, business, computer, Classifier (UML), MNIST database

Abstract

This paper presents a DNN bottleneck reinforcement scheme to alleviate the vulnerability of Deep Neural Networks (DNN) against adversarial attacks. Typical DNN classifiers encode the input image into a compressed latent representation more suitable for inference. This information bottleneck makes a trade-off between the image-specific structure and class-specific information in an image. By reinforcing the former while maintaining the latter, any redundant information, be it adversarial or not, should be removed from the latent representation. Hence, this paper proposes to jointly train an auto-encoder (AE) sharing the same encoding weights with the visual classifier. In order to reinforce the information bottleneck, we introduce the multi-scale low-pass objective and multi-scale high-frequency communication for better frequency steering in the network. Unlike existing approaches, our scheme is the first reforming defense per se which keeps the classifier structure untouched without appending any pre-processing head and is trained with clean images only. Extensive experiments on MNIST, CIFAR-10 and ImageNet demonstrate the strong defense of our method against various adversarial attacks., Comment: ACM MM 2020 - Full Paper

Published

2020

2. SIT: Stochastic Input Transformation to Defend Against Adversarial Attacks on Deep Neural Networks

Author

Amira Guesmi, Ihsen Alouani, Mouna Baklouti, Tarek Frikha, Mohamed Abid, Université de Sfax - University of Sfax, Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Centrale Lille-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-JUNIA (JUNIA), Université catholique de Lille (UCL)-Université catholique de Lille (UCL), COMmunications NUMériques - IEMN (COMNUM - IEMN), INSA Institut National des Sciences Appliquées Hauts-de-France (INSA Hauts-De-France), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Université catholique de Lille (UCL)-Université catholique de Lille (UCL)-Centrale Lille-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-JUNIA (JUNIA), and no information

Subjects

Convolutional Neural Networks, Convolution, [INFO.INFO-AI]Computer Science [cs]/Artificial Intelligence [cs.AI], [SPI.TRON]Engineering Sciences [physics]/Electronics, Machine Learning, Kernel, [SPI]Engineering Sciences [physics], [INFO.INFO-NI]Computer Science [cs]/Networking and Internet Architecture [cs.NI], Stochastic processes, Hardware and Architecture, Image reconstruction, Security, Feature extraction, Training, [INFO]Computer Science [cs], Electrical and Electronic Engineering, Robustness, [SPI.SIGNAL]Engineering Sciences [physics]/Signal and Image processing, Software, Adversarial Attacks

Abstract

International audience; Deep Neural Networks (DNNs) have been deployed in a wide range of applications, including safety-critical domains, owing to their proven efficiency in solving complex problems. However, these systems have been shown vulnerable to adversarial attacks: carefully crafted perturbations that threaten their integrity and trustworthiness. Several defenses have been recently proposed. However, most of these techniques are costly to deploy since they require retraining and specific fine-tuning procedures. While there are pre-processing defenses that do not require retraining, these were shown to be ineffective against adaptive white-box attacks. In this paper, we propose a model-agnostic defense against adversarial attacks using stochastic pre-processing. Based on a process of down-sampling/up-sampling, we transform the input to a new sample that is: (i) close enough to the initial input to be classified correctly, and (ii) different enough to ignore any potential adversarial noise within it. The proposed defense is generic, easy to deploy and does not require any specific training or fine tuning. We tested our technique comparatively to state-of-the-art defenses under grey-box and strong white-box scenarios. Experimental results show that our defense achieves robustness of up to 94% and 93% against PGD and Cand#x0026;W attacks, respectively, under strong white-box scenario. IEEE

Published

2022

3. Lower Voltage for Higher Security: Using Voltage Overscaling to Secure Deep Neural Networks

Author

Shohidul Islam, Ihsen Alouani, Khaled N. Khasawneh, George Mason University [Fairfax], Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Centrale Lille-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-JUNIA (JUNIA), Université catholique de Lille (UCL)-Université catholique de Lille (UCL), COMmunications NUMériques - IEMN (COMNUM - IEMN), INSA Institut National des Sciences Appliquées Hauts-de-France (INSA Hauts-De-France), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Université catholique de Lille (UCL)-Université catholique de Lille (UCL)-Centrale Lille-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-JUNIA (JUNIA), and no information

Subjects

[SPI]Engineering Sciences [physics], machine learning, approx- imate computing, Adversarial attacks, voltage overscalin

Abstract

International audience; Deep neural networks (DNNs) are shown to be vulnerable to adversarial attacks-- carefully crafted additive noise that undermines DNNs integrity. Previously proposed defenses against these attacks require substantial overheads, making it challenging to deploy these solutions in power and computational resource-constrained devices, such as embedded systems and the Edge. In this paper, we explore the use of voltage overscaling (VOS) as a lightweight defense against adversarial attacks. Specifically, we exploit the stochastic timing violations of VOS to implement a moving-target defense for DNNs. Our experimental results demonstrate that VOS guarantees effective defense against different attack methods, does not require any software/hardware modifications, and offers a by-product reduction in power consumption.

Published

2021

4. Adversarial Attacks in a Multi-view Setting: An Empirical Study of the Adversarial Patches Inter-view Transferability

Author

Anouar Ben Khalifa, Mohamed Ali Mahjoub, Ihsen Alouani, Bilel Tarchoun, Laboratory of Advanced Technology and Intelligent Systems (LATIS), Ecole Nationale d'Ingénieurs de Sousse (ENISo), Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Centrale Lille-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-JUNIA (JUNIA), Université catholique de Lille (UCL)-Université catholique de Lille (UCL), Communications Numériques (COMNUM), Laboratoire Traitement et Communication de l'Information (LTCI), Institut Mines-Télécom [Paris] (IMT)-Télécom Paris-Institut Mines-Télécom [Paris] (IMT)-Télécom Paris, and no information

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer science, Context (language use), Machine learning, computer.software_genre, Machine Learning (cs.LG), Perspective Geometric Transformations, Adversarial system, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Empirical research, Adversarial patches, Adversarial Attacks, Vulnerability (computing), Artificial neural network, business.industry, Geometric transformation, Object detection, View Angles, Multi-View, Artificial intelligence, Noise (video), business, Cryptography and Security (cs.CR), computer

Abstract

While machine learning applications are getting mainstream owing to a demonstrated efficiency in solving complex problems, they suffer from inherent vulnerability to adversarial attacks. Adversarial attacks consist of additive noise to an input which can fool a detector. Recently, successful real-world printable adversarial patches were proven efficient against state-of-the-art neural networks. In the transition from digital noise based attacks to real-world physical attacks, the myriad of factors affecting object detection will also affect adversarial patches. Among these factors, view angle is one of the most influential, yet under-explored. In this paper, we study the effect of view angle on the effectiveness of an adversarial patch. To this aim, we propose the first approach that considers a multi-view context by combining existing adversarial patches with a perspective geometric transformation in order to simulate the effect of view angle changes. Our approach has been evaluated on two datasets: the first dataset which contains most real world constraints of a multi-view context, and the second dataset which empirically isolates the effect of view angle. The experiments show that view angle significantly affects the performance of adversarial patches, where in some cases the patch loses most of its effectiveness. We believe that these results motivate taking into account the effect of view angles in future adversarial attacks, and open up new opportunities for adversarial defenses., To appear in the 20th CyberWorlds Conference

Published

2021

5. Laplacian networks: bounding indicator function smoothness for neural networks robustness

Author

Antonio Ortega, Carlos Lassance, Vincent Gripon, Département Mathematical and Electrical Engineering (IMT Atlantique - MEE), IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), Equipe Algorithm Architecture Interactions (Lab-STICC_2AI), Laboratoire des sciences et techniques de l'information, de la communication et de la connaissance (Lab-STICC), École Nationale d'Ingénieurs de Brest (ENIB)-Université de Bretagne Sud (UBS)-Université de Brest (UBO)-École Nationale Supérieure de Techniques Avancées Bretagne (ENSTA Bretagne)-Institut Mines-Télécom [Paris] (IMT)-Centre National de la Recherche Scientifique (CNRS)-Université Bretagne Loire (UBL)-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-École Nationale d'Ingénieurs de Brest (ENIB)-Université de Bretagne Sud (UBS)-Université de Brest (UBO)-École Nationale Supérieure de Techniques Avancées Bretagne (ENSTA Bretagne)-Institut Mines-Télécom [Paris] (IMT)-Centre National de la Recherche Scientifique (CNRS)-Université Bretagne Loire (UBL)-IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT), University of California [Los Angeles] (UCLA), and University of California

Subjects

Similarity (geometry), Computer science, Graph signal processing, 02 engineering and technology, Machine learning, computer.software_genre, [INFO.INFO-AI]Computer Science [cs]/Artificial Intelligence [cs.AI], Indicator function, [INFO.INFO-LG]Computer Science [cs]/Machine Learning [cs.LG], [INFO.INFO-TS]Computer Science [cs]/Signal and Image Processing, Robustness (computer science), Bounding overwatch, 0202 electrical engineering, electronic engineering, information engineering, 0601 history and archaeology, Representation (mathematics), Robustness, 060102 archaeology, Artificial neural network, [INFO.INFO-GT]Computer Science [cs]/Computer Science and Game Theory [cs.GT], business.industry, Deep learning, Supervised learning, Adversarial attacks, 020206 networking & telecommunications, 06 humanities and the arts, Signal Processing, Artificial intelligence, Laplacian, business, computer, Information Systems

Abstract

International audience; For the past few years, deep learning (DL) robustness (i.e. the ability to maintain the same decision when inputs are subject to perturbations) has become a question of paramount importance, in particular in settings where misclassification can have dramatic consequences. To address this question, authors have proposed different approaches, such as adding regularizers or training using noisy examples. In this paper we introduce a regularizer based on the Laplacian of similarity graphs obtained from the representation of training data at each layer of the DL architecture. This regularizer penalizes large changes (across consecutive layers in the architecture) in the distance between examples of different classes, and as such enforces smooth variations of the class boundaries. We provide theoretical justification for this regularizer and demonstrate its effectiveness to improve robustness on classical supervised learning vision datasets for various types of perturbations. We also show it can be combined with existing methods to increase overall robustness.

Published

2021

6. Neuroattack: undermining spiking neural networks security through externally triggered bit-flips

Author

Alberto Marchisio, Valerio Venceslai, Maurizio Martina, Muhammad Shafique, Ihsen Alouani, Vienna University of Technology (TU Wien), Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Centrale Lille-Institut supérieur de l'électronique et du numérique (ISEN)-Université de Valenciennes et du Hainaut-Cambrésis (UVHC)-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF), COMmunications NUMériques - IEMN (COMNUM - IEMN), Institut d’Électronique, de Microélectronique et de Nanotechnologie - Département Opto-Acousto-Électronique - UMR 8520 (IEMN-DOAE), Centrale Lille-Institut supérieur de l'électronique et du numérique (ISEN)-Université de Valenciennes et du Hainaut-Cambrésis (UVHC)-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-Centrale Lille-Institut supérieur de l'électronique et du numérique (ISEN)-Université de Valenciennes et du Hainaut-Cambrésis (UVHC)-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-INSA Institut National des Sciences Appliquées Hauts-de-France (INSA Hauts-De-France)-Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Centrale Lille-Institut supérieur de l'électronique et du numérique (ISEN)-Université de Valenciennes et du Hainaut-Cambrésis (UVHC)-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-Centrale Lille-Institut supérieur de l'électronique et du numérique (ISEN)-Université de Valenciennes et du Hainaut-Cambrésis (UVHC)-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-INSA Institut National des Sciences Appliquées Hauts-de-France (INSA Hauts-De-France), Politecnico di Torino = Polytechnic of Turin (Polito), This work has been partially supported by the Doctoral CollegeResilient Embedded Systems which is run jointly by TU Wien’sFaculty of Informatics and FH-Technikum Wien., Centrale Lille-Institut supérieur de l'électronique et du numérique (ISEN)-Université de Valenciennes et du Hainaut-Cambrésis (UVHC)-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-Centrale Lille-Institut supérieur de l'électronique et du numérique (ISEN)-Université de Valenciennes et du Hainaut-Cambrésis (UVHC)-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-Institut d’Électronique, de Microélectronique et de Nanotechnologie - UMR 8520 (IEMN), Centrale Lille-Institut supérieur de l'électronique et du numérique (ISEN)-Université de Valenciennes et du Hainaut-Cambrésis (UVHC)-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF)-Centrale Lille-Institut supérieur de l'électronique et du numérique (ISEN)-Université de Valenciennes et du Hainaut-Cambrésis (UVHC)-Université de Lille-Centre National de la Recherche Scientifique (CNRS)-Université Polytechnique Hauts-de-France (UPHF), INSA Institut National des Sciences Appliquées Hauts-de-France (INSA Hauts-De-France), and Institut National des Sciences Appliquées (INSA)

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Computer science, Distributed computing, Reliability (computer networking), Machine Learning (stat.ML), 02 engineering and technology, 01 natural sciences, SNN, Machine Learning (cs.LG), [INFO.INFO-AI]Computer Science [cs]/Artificial Intelligence [cs.AI], Machine Learning, Spiking Neural Networks, [INFO.INFO-NI]Computer Science [cs]/Networking and Internet Architecture [cs.NI], [SPI]Engineering Sciences [physics], Hardware, Statistics - Machine Learning, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, [INFO]Computer Science [cs], Fault-Injection Attacks, Resilience (network), Adversarial Attacks, 010302 applied physics, Spiking neural network, Deep Neural Networks, Resilience, Machine Learning, Spiking Neural Networks, Reliability, Adversarial Attacks, Fault-Injection Attacks, Deep Neural Networks, DNN, SNN, Security, Resilience, Cross-Layer, Biological system modeling, Reliability, 020202 computer hardware & architecture, [SPI.TRON]Engineering Sciences [physics]/Electronics, Cross layer, Cross-Layer, Security, Noise (video), Biological neural networks, Cryptography and Security (cs.CR), [SPI.SIGNAL]Engineering Sciences [physics]/Signal and Image processing, DNN

Abstract

Due to their proven efficiency, machine-learning systems are deployed in a wide range of complex real-life problems. More specifically, Spiking Neural Networks (SNNs) emerged as a promising solution to the accuracy, resource-utilization, and energy-efficiency challenges in machine-learning systems. While these systems are going mainstream, they have inherent security and reliability issues. In this paper, we propose NeuroAttack, a cross-layer attack that threatens the SNNs integrity by exploiting low-level reliability issues through a high-level attack. Particularly, we trigger a fault-injection based sneaky hardware backdoor through a carefully crafted adversarial input noise. Our results on Deep Neural Networks (DNNs) and SNNs show a serious integrity threat to state-of-the art machine-learning techniques., Accepted for publication at the 2020 International Joint Conference on Neural Networks (IJCNN)

Published

2020

7. A machine learning based approach to detect malicious android apps using discriminant system calls

Author

P. Vinod, Akka Zemmari, Mauro Conti, Laboratoire Bordelais de Recherche en Informatique (LaBRI), Université de Bordeaux (UB)-Centre National de la Recherche Scientifique (CNRS)-École Nationale Supérieure d'Électronique, Informatique et Radiocommunications de Bordeaux (ENSEIRB), and Universita degli Studi di Padova

Subjects

Computer science, Computer Networks and Communications, Data poisoning, 02 engineering and technology, Machine learning, computer.software_genre, Adversarial machine learning, Classifier, Mobile malware, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], [INFO.INFO-MC]Computer Science [cs]/Mobile Computing, Adversarial attacks, Feature selection, Malware detection, Software, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, Android (operating system), ComputingMilieux_MISCELLANEOUS, business.industry, 020206 networking & telecommunications, Discriminant, Malware, 020201 artificial intelligence & image processing, [INFO.INFO-ES]Computer Science [cs]/Embedded Systems, Artificial intelligence, business, Classifier (UML), computer

Abstract

The openness of Android framework and the enhancement of users trust have gained the attention of malware writers. The momentum of downloaded applications (app for short) from numerous app stores has stimulated the proliferation of mobile malware. Now the threat is due to the sophistication in malware being written to bypass signature-based detectors. In this paper, we investigate system calls to tackle mobile malware on Android operating system. To do so, we first employed machine learning to extract system calls. We then performed the empirical estimation of system calls derived from diverse datasets employing human interaction and random inputs. After accomplishing intensive experiments on synthesized system calls with two feature selection approach, namely Absolute Difference of Weighted System Calls (ADWSC) and Ranked System Calls using Large Population Test (RSLPT), we validated the results on five datasets. All classifiers generated in Area Under Curve of 1.0 with an accuracy exceeding 99.9% suggest the appropriateness and efficacy of the proposed approach. Finally, we evaluated the effectiveness of classifier against adversarial attacks and found that the classifiers are vulnerable to data poisoning and label flipping attacks. Adversarial examples created by poisoning malware samples resulted in the significant drop of classifier performance on perturbing 12–18 prominent attributes. Moreover, we implemented class label poisoning attacks which brought down the classification accuracy by 50% on altering labels of 50 malicious training instances.

Published

2019