Showing total 47 results

1. A Novel Deep Fuzzy Classifier by Stacking Adversarial Interpretable TSK Fuzzy Sub-Classifiers With Smooth Gradient Information.

Author

Gu, Suhang, Chung, Fu-Lai, and Wang, Shitong

Abstract

Different from our previous stacked-structure-based deep fuzzy classifier, in this paper, we explore the distinctive role of adversarial outputs of training samples in enhancing the classification performance of a stacked-structure-based deep fuzzy classifier. In order to achieve such goals, an adversarial Takagi–Sugeno–Kang (TSK) fuzzy classifier, which is denoted as TSKa, is proposed. With the TSKa, interpretable IF parts of first-order fuzzy rules can be generated by the random selection of fixed linguistic terms along each feature. According to our theoretical analysis, adversarial outputs of training samples enhance TSKa's generalization capability, thereby, resulting in the potential feasibility of leveraging their smooth gradient information with respect to the inputs in the training input space to construct a stacked-structure-based deep fuzzy classifier. In this paper, a novel deep fuzzy classifier is devised by stacking a series of TSKa sub-classifiers and training them by a deep learning strategy. An advantage of the proposed deep fuzzy classifier is its easy yet fast training. The training of each layer consists of two basic steps: computation of the smooth gradient information of adversarial outputs with respect to the inputs, and fast training of each corresponding TSKa by the least learning machine method. Comprehensive experiments on both benchmark datasets and an industrial case demonstrate the promising performance and advantages of the proposed deep fuzzy classifier. [ABSTRACT FROM AUTHOR]

Published

2020

2. Enhancing Security in Real-Time Video Surveillance: A Deep Learning-Based Remedial Approach for Adversarial Attack Mitigation

Author

Gyana Ranjana Panigrahi, Prabira Kumar Sethy, Santi Kumari Behera, Manoj Gupta, Farhan A. Alenizi, and Aziz Nanthaamornphong

Subjects

Adversarial attacks, deep learning, face mask recognition, video surveillance systems, face mask detection, ShuffleNetV1, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

This paper introduces an innovative methodology to disrupt deep-learning (DL) surveillance systems by implementing an adversarial framework strategy, inducing misclassification in live video objects and extending attacks to real-time models. Focusing on the vulnerability of image-categorization models, the study evaluates the effectiveness of face mask surveillance against adversarial threats. A real-time system, employing the ShuffleNet V1 transfer-learning algorithm, was trained on a Kaggle dataset for face mask detection accuracy. Using a white-box Fast Gradient Sign Method (FGSM) attack with epsilon at 0.13, the study successfully generated adversarial frames, deceiving the face mask detection system and prompting unintended video predictions. The findings highlight the risks posed by adversarial attacks on critical video surveillance systems, specifically those designed for face mask detection. The paper emphasizes the need for proactive measures to safeguard these systems before real-world deployment, crucial for ensuring their robustness and reliability in the face of potential adversarial threats.

Published

2024

3. Divergence-Agnostic Unsupervised Domain Adaptation by Adversarial Attacks.

Author

Li, Jingjing, Du, Zhekai, Zhu, Lei, Ding, Zhengming, Lu, Ke, and Shen, Heng Tao

Subjects

MACHINE learning, COMMUNITIES, KNOWLEDGE transfer, GENERALIZATION, FEATURE extraction

Abstract

Conventional machine learning algorithms suffer the problem that the model trained on existing data fails to generalize well to the data sampled from other distributions. To tackle this issue, unsupervised domain adaptation (UDA) transfers the knowledge learned from a well-labeled source domain to a different but related target domain where labeled data is unavailable. The majority of existing UDA methods assume that data from the source domain and the target domain are available and complete during training. Thus, the divergence between the two domains can be formulated and minimized. In this paper, we consider a more practical yet challenging UDA setting where either the source domain data or the target domain data are unknown. Conventional UDA methods would fail this setting since the domain divergence is agnostic due to the absence of the source data or the target data. Technically, we investigate UDA from a novel view—adversarial attack—and tackle the divergence-agnostic adaptive learning problem in a unified framework. Specifically, we first report the motivation of our approach by investigating the inherent relationship between UDA and adversarial attacks. Then we elaborately design adversarial examples to attack the training model and harness these adversarial examples. We argue that the generalization ability of the model would be significantly improved if it can defend against our attack, so as to improve the performance on the target domain. Theoretically, we analyze the generalization bound for our method based on domain adaptation theories. Extensive experimental results on multiple UDA benchmarks under conventional, source-absent and target-absent UDA settings verify that our method is able to achieve a favorable performance compared with previous ones. Notably, this work extends the scope of both domain adaptation and adversarial attack, and expected to inspire more ideas in the community. [ABSTRACT FROM AUTHOR]

Published

2022

4. A Simple and Strong Baseline for Universal Targeted Attacks on Siamese Visual Tracking.

Author

Li, Zhenbang, Shi, Yaya, Gao, Jin, Wang, Shaoru, Li, Bing, Liang, Pengpeng, and Hu, Weiming

Subjects

ADDITION (Mathematics), ARTIFICIAL neural networks

Abstract

Siamese trackers are shown to be vulnerable to adversarial attacks recently. However, the existing attack methods craft the perturbations for each video independently, which comes at a non-negligible computational cost. In this paper, we show the existence of universal perturbations that can enable the targeted attack, e.g., forcing a tracker to follow the ground-truth trajectory with specified offsets, to be video-agnostic and free from inference in a network. Specifically, we attack a tracker by adding a universal translucent perturbation to the template image and adding a fake target, i.e., a small universal adversarial patch, into the search images adhering to the predefined trajectory, so that the tracker outputs the location and size of the fake target instead of the real target. Our approach allows perturbing a novel video to come at no additional cost except the mere addition operations – and not require gradient optimization or network inference. Experimental results on several datasets demonstrate that our approach can effectively fool the Siamese trackers in a targeted attack manner. We show that the proposed perturbations are not only universal across videos, but also generalize well across different trackers. Such perturbations are therefore doubly universal, both with respect to the data and the network architectures. Our code is available at https://github.com/lizhenbang56/SiamAttack. [ABSTRACT FROM AUTHOR]

Published

2022

5. Adversarial XAI Methods in Cybersecurity.

Author

Kuppa, Aditya and Le-Khac, Nhien-An

Abstract

Machine Learning methods are playing a vital role in combating ever-evolving threats in the cybersecurity domain. Explanation methods that shed light on the decision process of black-box classifiers are one of the biggest drivers in the successful adoption of these models. Explaining predictions that address ‘Why?/Why Not?’ questions help users/stakeholders/analysts understand and accept the predicted outputs with confidence and build trust. Counterfactual explanations are gaining popularity as an alternative method to help users to not only understand the decisions of black-box models (why?) but also to provide a mechanism to highlight mutually exclusive data instances that would change the outcomes (why not?). Recent Explainable Artificial Intelligence literature has focused on three main areas: (a) creating and improving explainability methods that help users better understand how the internal of ML models work as well as their outputs; (b) attacks on interpreters with a white-box setting; (c) defining the relevant properties, metrics of explanations generated by models. Nevertheless, there is no thorough study of how the model explanations can introduce new attack surfaces to the underlying systems. A motivated adversary can leverage the information provided by explanations to launch membership inference, and model extraction attacks to compromise the overall privacy of the system. Similarly, explanations can also facilitate powerful evasion attacks such as poisoning and back door attacks. In this paper, we cover this gap by tackling various cybersecurity properties and threat models related to counterfactual explanations. We propose a new black-box attack that leverages Explainable Artificial Intelligence (XAI) methods to compromise the confidentiality and privacy properties of underlying classifiers. We validate our approach with datasets and models used in the cyber security domain to demonstrate that our method achieves the attacker’s goal under threat models which reflect the real-world settings. [ABSTRACT FROM AUTHOR]

Published

2021

6. On the Algorithmic Solvability of Channel Dependent Classification Problems in Communication Systems.

Author

Boche, Holger, Schaefer, Rafael F., and Poor, H. Vincent

Subjects

GOVERNMENT communication systems, TURING machines, COMMUNICATION barriers, DENIAL of service attacks, COMMUNICATION policy, TELECOMMUNICATION systems

Abstract

For communication systems there is a recent trend towards shifting functionalities from the physical layer to higher layers by enabling software-focused solutions. Having obtained a (physical layer-based) description of the communication channel, such approaches exploit this knowledge to enable various services by subsequently processing it on higher layers. For this it is a crucial task to first find out in which state the underlying communication channel is. This paper develops a framework based on Turing machines and studies whether or not it is in principle possible to algorithmically solve such classification tasks, i.e., to decide in which state the communication system is. Turing machines have no limitations on computational complexity, computing capacity and storage, and can simulate any given algorithm and therewith are a simple but very powerful model of computation. They characterize the fundamental performance limits for today’s digital computers. It is shown that there exists no Turing machine that takes the physical description of the communication channel as an input and solves a non-trivial classification task. Subsequently, this general result is used to study communication under adversarial attacks and it is shown that it is impossible to algorithmically detect denial-of-service (DoS) attacks on the transmission. Jamming attacks on ACK/NACK feedback cannot be detected as well and, in addition, ACK/NACK feedback is shown to be useless for the detection of DoS on the actual message transmission. Further applications are discussed including DoS attacks on the Post Shannon task of identification, and on physical layer security and resilience by design. [ABSTRACT FROM AUTHOR]

Published

2021

7. On the Robustness of Semantic Segmentation Models to Adversarial Attacks.

Author

Arnab, Anurag, Miksik, Ondrej, and Torr, Philip H. S.

Subjects

CONVOLUTIONAL neural networks, IMAGE segmentation, SIGNAL convolution, IMAGE recognition (Computer vision), MULTISCALE modeling, DEEP learning

Abstract

Deep Neural Networks (DNNs) have demonstrated exceptional performance on most recognition tasks such as image classification and segmentation. However, they have also been shown to be vulnerable to adversarial examples. This phenomenon has recently attracted a lot of attention but it has not been extensively studied on multiple, large-scale datasets and structured prediction tasks such as semantic segmentation which often require more specialised networks with additional components such as CRFs, dilated convolutions, skip-connections and multiscale processing. In this paper, we present what to our knowledge is the first rigorous evaluation of adversarial attacks on modern semantic segmentation models, using two large-scale datasets. We analyse the effect of different network architectures, model capacity and multiscale processing, and show that many observations made on the task of classification do not always transfer to this more complex task. Furthermore, we show how mean-field inference in deep structured models, multiscale processing (and more generally, input transformations) naturally implement recently proposed adversarial defenses. Our observations will aid future efforts in understanding and defending against adversarial examples. Moreover, in the shorter term, we show how to effectively benchmark robustness and show which segmentation models should currently be preferred in safety-critical applications due to their inherent robustness. [ABSTRACT FROM AUTHOR]

Published

2020

8. Image Super-Resolution as a Defense Against Adversarial Attacks.

Author

Mustafa, Aamir, Khan, Salman H., Hayat, Munawar, Shen, Jianbing, and Shao, Ling

Subjects

HIGH resolution imaging, COMPUTER vision, IMAGE enhancement (Imaging systems), CONVOLUTIONAL neural networks, IMAGE reconstruction, IMAGE intensifiers, IMAGE denoising, IMAGE reconstruction algorithms

Abstract

Convolutional Neural Networks have achieved significant success across multiple computer vision tasks. However, they are vulnerable to carefully crafted, human-imperceptible adversarial noise patterns which constrain their deployment in critical security-sensitive systems. This paper proposes a computationally efficient image enhancement approach that provides a strong defense mechanism to effectively mitigate the effect of such adversarial perturbations. We show that deep image restoration networks learn mapping functions that can bring off-the-manifold adversarial samples onto the natural image manifold, thus restoring classification towards correct classes. A distinguishing feature of our approach is that, in addition to providing robustness against attacks, it simultaneously enhances image quality and retains models performance on clean images. Furthermore, the proposed method does not modify the classifier or requires a separate mechanism to detect adversarial images. The effectiveness of the scheme has been demonstrated through extensive experiments, where it has proven a strong defense in gray-box settings. The proposed scheme is simple and has the following advantages: 1) it does not require any model training or parameter optimization, 2) it complements other existing defense mechanisms, 3) it is agnostic to the attacked model and attack type, and 4) it provides superior performance across all popular attack algorithms. Our codes are publicly available at https://github.com/aamir-mustafa/super-resolution-adversarial-defense. [ABSTRACT FROM AUTHOR]

Published

2020

9. Detect Adversarial Attacks Against Deep Neural Networks With GPU Monitoring

Author

Tommaso Zoppi and Andrea Ceccarelli

Subjects

Attack detection, anomaly detection, graphics processing unit, deep Neural Networks, adversarial attacks, image classification, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Deep Neural Networks (DNNs) are the preferred choice for image-based machine learning applications in several domains. However, DNNs are vulnerable to adversarial attacks, that are carefully-crafted perturbations introduced on input images to fool a DNN model. Adversarial attacks may prevent the application of DNNs in security-critical tasks: consequently, relevant research effort is put in securing DNNs. Typical approaches either increase model robustness, or add detection capabilities in the model, or operate on the input data. Instead, in this paper we propose to detect ongoing attacks through monitoring performance indicators of the underlying Graphics Processing Unit (GPU). In fact, adversarial attacks generate images that activate neurons of DNNs in a different way than legitimate images. This also causes an alteration of GPU activities, that can be observed through software monitors and anomaly detectors. This paper presents our monitoring and detection system, and an extensive experimental analysis that includes a total of 14 adversarial attacks, 3 datasets, and 12 models. Results show that, despite limitations on the monitoring resolution, adversarial attacks can be detected in most cases, with peaks of detection accuracy above 90%.

Published

2021

10. Adversarial Analysis for Source Camera Identification.

Author

Wang, Bo, Zhao, Mengnan, Wang, Wei, Dai, Xiaorui, Li, Yi, and Guo, Yanqing

Subjects

CONVOLUTIONAL neural networks, DEFENSE mechanisms (Psychology)

Abstract

Recent studies highlight the vulnerability of convolutional neural networks (CNNs) to adversarial attacks, which also calls into question the reliability of forensic methods. Existing adversarial attacks generate one-to-one noise, which means these methods have not learned the fingerprint information. Therefore, we introduce two powerful attacks, fingerprint copy-move attack, and joint feature-based auto-learning attack. To validate the performance of attack methods, we move a step ahead and introduce the higher possible defense mechanism relation mismatch. which expands the characterization differences of classifiers in the same classification network. Extensive experiments show that relation mismatch is superior in recognizing adversarial examples and prove that the proposed fingerprint-based attacks are more powerful. Both proposed attacks show excellent attack transferability to unknown samples. The Pytorch® implementations of these methods can download from an open-source GitHub project https://github.com/Dlut-lab-zmn/Source-attack. [ABSTRACT FROM AUTHOR]

Published

2021

11. A Pornographic Images Recognition Model based on Deep One-Class Classification With Visual Attention Mechanism

Author

Junren Chen, Gang Liang, Wenbo He, Chun Xu, Jin Yang, and Ruihang Liu

Subjects

Pornography classification, deep learning, one-class classification, visual attention mechanism, adversarial attacks, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

The existing approaches usually treat the recognition of pornographic images as a binary or multi-class classification task, which is realized by extracting a variety of features. However, these approaches ignore the problem of infinite kinds in the negative samples and lose sight of the impact of uncertainty in classification tasks, resulting in inadequate negative data sets and incorrect recognition of samples that are not in the training set. In order to address this challenge, this paper proposes a method named Deep One-Class with Attention for Pornography (DOCAPorn) that recognizes the pornographic images through the one-class classification model based on neural networks and introduces the visual attention mechanism to enhance the performance of recognition. Moreover, since the existing approaches based on deep convolutional neural networks (CNNs) require a fixed-size (e.g., $224\times224$ ) input image, the geometric distortion caused by image scaling is not considerd in the existing approaches, which reduces the pornographic image recognizition accuracy. In order to solve this issue, this paper proposes the Scale Constraint Pooling (SCP) that converts the inputs of different dimensions into outputs of the same dimension. In addition, all the existing approaches ignore the adversarial attacks in the field of pornographic image recognition. In order to deal with this problem, the paper proposes the Preprocessing for Compressing and Reconstructing (PreCR), a pre-processing approach that reduces the subtle perturbation through compressing the images and then reconstructs the purified image for recognition. The proposed approach is verified by conducting comparative experiments using custom datasets. The experimental results showed that we achieved an accuracy of 98.419% on our dataset. In addition, the proposed approach yielded a recognition accuracy of 95.632% on the NPDI dataset. Furthermore, the obtained results demonstrate that the proposed approach not only effectively recognizes pornographic images but also effectively defends the adversarial attacks.

Published

2020

12. Adversarial Robustness of Vision Transformers Versus Convolutional Neural Networks

Author

Kazim Ali, Muhammad Shahid Bhatti, Atif Saeed, Atifa Athar, Mohammed A. Al Ghamdi, Sultan H. Almotiri, and Samina Akram

Subjects

Vision transformers, convolutional neural networks, clean accuracy, adversarially robustness, adversarial attacks, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Vision Transformers (ViTs) have proved to be a more powerful substitute for Convolutional Neural Networks (CNNs) in various computer vision tasks, using the self-attention approach to gain remarkable results and observations. However, the adversarial robustness of ViTs against adversarial attack methods raises critical questions, and the issues of using these models in security-related applications remain under discussion. This paper presents a novel and systematic approach to evaluate and compare the adversarial robustness of ViTs with CNNs, explicitly concentrating on the image classification problem. We have performed extensive experiments using state-of-the-art adversarial example attacks, such as the Fast Gradient Sign Method (FGSM), Projected Gradient Descent (PGD), and DeepFool Attack (DFA). The findings of this research study represent that CNNs are more robust against more straightforward attacks such as FGSM. Still, ViTs show excellent resistance against more dangerous attacks like PGD and DFA attack methods. This work provides useful outcomes revealing the advantages and limitations of CNNs and ViTs, which are helpful for further study and applications regarding safer and more effective use of deep learning models of CNNs and ViTs.

Published

2024

13. Adaptive Selection of Loss Function for Federated Learning Clients Under Adversarial Attacks

Author

Suchul Lee

Subjects

Adaptive selection of loss function, adversarial attacks, adversarial training, Byzantine-robust aggregation, federated learning, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Federated learning (FL) is a deep learning paradigm that allows clients to train deep learning models distributively, keeping raw data local rather than sending it to the cloud, thereby reducing security and privacy concerns. Although FL is designed to be inherently secure, it still has many vulnerabilities. In this paper, we consider an FL scenario where clients are subjected to an adversarial attack that exploits vulnerabilities in the decision-making process of deep learning models to induce misclassification. We observed that adversarial training has a trade-off relationship in which, as classification performance for adversarial examples increases, classification performance for normal samples decreases. To effectively utilize this trade-off relationship in adversarial training, we propose an adaptive selection scheme of the loss function depending on whether the FL client is attacked. The proposed scheme was experimentally proven to achieve the best robust accuracy while minimizing the decrease in natural accuracy. Further, we combined the proposed scheme with Byzantine-robust aggregation. We expected model training to converge stably because Byzantine-robust aggregation prevents highly distorted models from being aggregated, but we obtained experimental results that were contrary to our expectations.

Published

2024

14. The Impact of Simultaneous Adversarial Attacks on Robustness of Medical Image Analysis

Author

Shantanu Pal, Saifur Rahman, Maedeh Beheshti, Ahsan Habib, Zahra Jadidi, and Chandan Karmakar

Subjects

Machine learning, deep learning, medical image analysis, robustness, adversarial attacks, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Deep learning models are widely used in healthcare systems. However, deep learning models are vulnerable to attacks themselves. Significantly, due to the black-box nature of the deep learning model, it is challenging to detect attacks. Furthermore, due to data sensitivity, such adversarial attacks in healthcare systems are considered potential security and privacy threats. In this paper, we provide a comprehensive analysis of adversarial attacks on medical image analysis, including two adversary methods, FGSM and PGD, applied to an entire image or partial image. The partial attack comes in various sizes, either the individual or combinational format of attack. We use three medical datasets to examine the impact of the model’s accuracy and robustness. Finally, we provide a complete implementation of the attacks and discuss the results. Our results indicate the weakness and robustness of four deep learning models and exhibit how varying perturbations stimulate model behaviour regarding the specific area and critical features.

Published

2024

15. How Deep Learning Sees the World: A Survey on Adversarial Attacks & Defenses

Author

Joana C. Costa, Tiago Roxo, Hugo Proenca, and Pedro Ricardo Morais Inacio

Subjects

Adversarial attacks, adversarial defenses, datasets, evaluation metrics, review, vision transformers, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Deep Learning is currently used to perform multiple tasks, such as object recognition, face recognition, and natural language processing. However, Deep Neural Networks (DNNs) are vulnerable to perturbations that alter the network prediction, named adversarial examples, which raise concerns regarding the usage of DNNs in critical areas, such as Self-driving Vehicles, Malware Detection, and Healthcare. This paper compiles the most recent adversarial attacks in Object Recognition, grouped by the attacker capacity and knowledge, and modern defenses clustered by protection strategies, providing background details to understand the topic of adversarial attacks and defenses. The new advances regarding Vision Transformers are also presented, which have not been previously done in the literature, showing the resemblance and dissimilarity between this architecture and Convolutional Neural Networks. Furthermore, the most used datasets and metrics in adversarial settings are summarized, along with datasets requiring further evaluation, which is another contribution. This survey compares the state-of-the-art results under different attacks for multiple architectures and compiles all the adversarial attacks and defenses with available code, comprising significant contributions to the literature. Finally, practical applications are discussed, and open issues are identified, being a reference for future works.

Published

2024

16. Privacy and Security Concerns in Generative AI: A Comprehensive Survey

Author

Abenezer Golda, Kidus Mekonen, Amit Pandey, Anushka Singh, Vikas Hassija, Vinay Chamola, and Biplab Sikdar

Subjects

Generative artificial intelligence, privacy concerns, security concerns, deep learning, adversarial attacks, synthetic data, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Generative Artificial Intelligence (GAI) has sparked a transformative wave across various domains, including machine learning, healthcare, business, and entertainment, owing to its remarkable ability to generate lifelike data. This comprehensive survey offers a meticulous examination of the privacy and security challenges inherent to GAI. It provides five pivotal perspectives essential for a comprehensive understanding of these intricacies. The paper encompasses discussions on GAI architectures, diverse generative model types, practical applications, and recent advancements within the field. In addition, it highlights current security strategies and proposes sustainable solutions, emphasizing user, developer, institutional, and policymaker involvement.

Published

2024

17. A Framework for Robust Deep Learning Models Against Adversarial Attacks Based on a Protection Layer Approach

Author

Mohammed Nasser Al-Andoli, Shing Chiang Tan, Kok Swee Sim, Pey Yun Goh, and Chee Peng Lim

Subjects

Deep learning, adversarial examples, security, adversarial attacks, adversarial examples detection, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Deep learning (DL) has demonstrated remarkable achievements in various fields. Nevertheless, DL models encounter significant challenges in detecting and defending against adversarial samples (AEs). These AEs are meticulously crafted by adversaries, introducing imperceptible perturbations to clean data to deceive DL models. Consequently, AEs pose potential risks to DL applications. In this paper, we propose an effective framework for enhancing the robustness of DL models against adversarial attacks. The framework leverages convolutional neural networks (CNNs) for feature learning, Deep Neural Networks (DNNs) with softmax for classification, and a defense mechanism to identify and exclude AEs. Evasion attacks are employed to create AEs to evade and mislead the classifier by generating malicious samples during the test phase of DL models i.e., CNN and DNN, using the Fast Gradient Sign Method (FGSM), Basic Iterative Method (BIM), Projected Gradient Descent (PGD), and Square Attack (SA). A protection layer is developed as a detection mechanism placed before the DNN classifier to identify and exclude AEs. The detection mechanism incorporates a machine learning model, which includes one of the following: Fuzzy ARTMAP, Random Forest, K-Nearest Neighbors, XGBoost, or Gradient Boosting Machine. Extensive evaluations are conducted on the MNIST, CIFAR-10, SVHN, and Fashion-MNIST data sets to assess the effectiveness of the proposed framework. The experimental results indicate the framework’s ability to effectively and accurately detect AEs generated by four popular attacking methods, highlighting the potential of our developed framework in enhancing its robustness against AEs.

Published

2024

18. SAAM: Stealthy Adversarial Attack on Monocular Depth Estimation

Author

Amira Guesmi, Muhammad Abdullah Hanif, Bassem Ouni, and Muhammad Shafique

Subjects

Adversarial attacks, adversarial patch, CNN, collision avoidance, localization, machine learning, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Monocular depth estimation (MDE) is an important task in scene understanding, and significant improvements in its performance have been witnessed with the utilization of convolutional neural networks (CNNs). These models can now be deployed on edge devices, thanks to advancements in CNN optimization, enabling effective depth estimation in safety-critical and security-sensitive systems like robots, rovers, drones, and autonomous cars. However, CNNs used for MDE are susceptible to adversarial attacks, which can be exploited for malicious purposes by generating plausible images containing carefully crafted perturbations that distort the model’s output. To assess the vulnerability of CNN-based depth prediction methods, recent studies have attempted to design adversarial patches specifically targeting MDE. However, these methods have not been powerful enough to fully deceive the vision system in a systemically threatening manner. Their impact is less effective, misleading the depth prediction of only certain parts within the overlapping region of the input image by using conspicuous and eye-catching patterns. In this paper, we investigate the vulnerability of MDE to adversarial patches. We propose a novel Stealthy Adversarial Attacks on MDE (SAAM) that compromises MDE by either corrupting the estimated distance or causing an object to seamlessly blend into its surroundings. Our experiments demonstrate that the designed stealthy patch successfully causes a CNN to misestimate the depth of objects. In fact, our proposed adversarial patch achieves a significant 60% depth error with 99% ratio of the affected region. Importantly, despite its adversarial nature, the patch maintains a naturalistic appearance, making it inconspicuous to human observers. We believe that this work sheds light on the threat of adversarial attacks in the context of MDE on edge devices. We hope it raises awareness within the community about the potential real-life harm of such attacks and encourages further research into developing more robust and adaptive defense mechanisms.

Published

2024

19. ATZSL: Defensive Zero-Shot Recognition in the Presence of Adversaries.

Author

Zhang, Xingxing, Gui, Shupeng, Jin, Jian, Zhu, Zhenfeng, and Zhao, Yao

Published

2024

20. Privacy and Security in Distributed Learning: A Review of Challenges, Solutions, and Open Research Issues

Author

Muhammad Usman Afzal, Alaa Awad Abdellatif, Muhammad Zubair, Muhammad Qasim Mehmood, and Yehia Massoud

Subjects

Data privacy and security, Internet of Things (IoT), deep learning, adversarial attacks, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

In recent years, the way that machine learning is used has undergone a paradigm shift driven by distributed and collaborative learning. Several approaches have emerged to enable pervasive computing and distributed learning in ubiquitous Internet of Things (IoT) systems. Numerous decentralized strategies have been proposed to deal with the limitations of centralized learning, including privacy and latency due to sharing local data, while utilizing distributed computations as a promising substitute to centralized learning. However, such distributed learning schemes come with new security and privacy concerns that should be addressed. Thus, in this paper, we first provide an overview for the emerging paradigms developed for distributed learning. Then, we performed a comprehensive survey for the privacy and security challenges associated with distributed learning along with the presented solutions to overcome them. Furthermore, we highlight key challenges and open future research directions toward implementing more robust distributed systems.

Published

2023

21. Exploring Transferability on Adversarial Attacks

Author

Enrique Alvarez, Rafael Alvarez, and Miguel Cazorla

Subjects

Adversarial attacks, convolutional neural networks, deep learning, GeoDA, HopSkipJump, SurFree, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Despite of the progress that has been made in the field, the problem of adversarial attacks remains unresolved. The most up-to-date models are still vulnerable, and there is not a simple way to defend against these kinds of attacks; even transformers can be affected by this problem, although they have not been extensively studied yet. In this paper, we study transferability, which is a property of adversarial attacks in which images generated for one architecture can be transferred to another and still be effective. In real-world scenarios like self-driving cars, malware detection, and face recognition authentication systems, transferability can lead to security issues. In order to conduct a behavioral analysis, we select a diverse set of networks and measure how effectively the images produced by various attacks can be transferred among them. We generate adversarial samples for each network and then evaluate them with other networks to determine the corresponding transferability performance. We can observe that all networks are susceptible to transferability attacks, albeit in some cases at the expense of severely distorted images.

Published

2023

22. Defending AI-Based Automatic Modulation Recognition Models Against Adversarial Attacks

Author

Haolin Tang, Ferhat Ozgur Catak, Murat Kuzlu, Evren Catak, and Yanxiao Zhao

Subjects

Artificial intelligence, next-generation networks, automatic modulation recognition, adversarial attacks, model poisoning, defensive distillation, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Automatic Modulation Recognition (AMR) is one of the critical steps in the signal processing chain of wireless networks, which can significantly improve communication performance. AMR detects the modulation scheme of the received signal without any prior information. Recently, many Artificial Intelligence (AI) based AMR methods have been proposed, inspired by the considerable progress of AI methods in various fields. On the one hand, AI-based AMR methods can outperform traditional methods in terms of accuracy and efficiency. On the other hand, they are susceptible to new types of cyberattacks, such as model poisoning or adversarial attacks. This paper explores the vulnerabilities of an AI-based AMR model to adversarial attacks in both single-input-single-output and multiple-input-multiple-output scenarios. We show that these attacks can significantly reduce the classification performance of the AI-based AMR model, which highlights the security and robustness concerns. Therefore, we propose a widely used mitigation method (i.e., defensive distillation) to reduce the vulnerabilities of the model against adversarial attacks. The simulation results indicate that the AI-based AMR model can be highly vulnerable to adversarial attacks, but their vulnerabilities can be significantly reduced by using mitigation methods.

Published

2023

23. Secure Convolutional Neural Network-Based Internet-of-Healthcare Applications

Author

Lazhar Khriji, Soulef Bouaafia, Seifeddine Messaoud, Ahmed Chiheb Ammari, and Mohsen Machhout

Subjects

Convolutional neural networks, internet of healthcare, medical data, adversarial attacks, security and privacy, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Convolutional neural networks (CNNs) have gained popularity for Internet-of-Healthcare (IoH) applications such as medical diagnostics. However, new research shows that adversarial attacks with slight imperceptible changes can undermine deep neural network techniques in healthcare. This raises questions regarding the safety of deploying these IoH devices in clinical situations. In this paper, we review the techniques used in fighting against cyber-attacks. Then, we propose to study the robustness of some well-known CNN architectures’ belonging to sequential, parallel, and residual families, such as LeNet5, MobileNetV1, VGG16, ResNet50, and InceptionV3 against fast gradient sign method (FGSM) and projected gradient descent (PGD) attacks, in the context of classification of chest radiographs (X-rays) based on the IoH application. Finally, we propose to improve the security of these CNN structures by studying standard and adversarial training. The results show that, among these models, smaller models with lower computational complexity are more secure against hostile threats than larger models that are frequently used in IoH applications. In contrast, we reveal that when these networks are learned adversarially, they can outperform standard trained networks. The experimental results demonstrate that the model performance breakpoint is represented by $\gamma =0.3$ with a maximum loss of accuracy tolerated at 2%.

Published

2023

24. Detect Adversarial Attacks Against Deep Neural Networks With GPU Monitoring

Author

Andrea Ceccarelli and Tommaso Zoppi

Subjects

General Computer Science, Computer science, Attack detection, Graphics processing unit, Machine learning, computer.software_genre, graphics processing unit, deep Neural Networks, Data modeling, Image (mathematics), Adversarial system, Software, Robustness (computer science), General Materials Science, business.industry, General Engineering, anomaly detection, TK1-9971, adversarial attacks, Deep neural networks, Artificial intelligence, Performance indicator, Electrical engineering. Electronics. Nuclear engineering, business, computer, image classification

Abstract

Deep Neural Networks (DNNs) are the preferred choice for image-based machine learning applications in several domains. However, DNNs are vulnerable to adversarial attacks, that are carefully-crafted perturbations introduced on input images to fool a DNN model. Adversarial attacks may prevent the application of DNNs in security-critical tasks: consequently, relevant research effort is put in securing DNNs. Typical approaches either increase model robustness, or add detection capabilities in the model, or operate on the input data. Instead, in this paper we propose to detect ongoing attacks through monitoring performance indicators of the underlying Graphics Processing Unit (GPU). In fact, adversarial attacks generate images that activate neurons of DNNs in a different way than legitimate images. This also causes an alteration of GPU activities, that can be observed through software monitors and anomaly detectors. This paper presents our monitoring and detection system, and an extensive experimental analysis that includes a total of 14 adversarial attacks, 3 datasets, and 12 models. Results show that, despite limitations on the monitoring resolution, adversarial attacks can be detected in most cases, with peaks of detection accuracy above 90%.

Published

2021

25. Mitigating Malicious Adversaries Evasion Attacks in Industrial Internet of Things.

Author

Rafiq, Husnain, Aslam, Nauman, Ahmed, Usman, and Lin, Jerry Chun-Wei

Abstract

With advanced 5G/6G networks, data-driven interconnected devices will increase exponentially. As a result, the Industrial Internet of Things (IIoT) requires data secure information extraction to apply digital services, medical diagnoses, and financial forecasting. This introduction of high-speed network mobile applications will also adapt. As a consequence, the scale and complexity of Android malware are rising. Detection of malware classification is vulnerable to attacks. A fabricated feature can force misclassification to produce the desired output. This article proposes a subset feature selection method to evade fabricated attacks in the IIoT environment. The method extracts application-aware features from a single android application to train an independent classification model. Ensemble-based learning is then used to train the distinct classification models. Finally, the collaborative ML classifier makes independent decisions to fight against adversarial evasion attacks. We compare and evaluate the benchmark Android malware dataset. The proposed method achieved 91% accuracy with 14 fabricated input features. [ABSTRACT FROM AUTHOR]

Published

2023

26. SIEMS: A Secure Intelligent Energy Management System for Industrial IoT Applications.

Author

Asef, Pedram, Taheri, Rahim, Shojafar, Mohammad, Mporas, Iosif, and Tafazolli, Rahim

Abstract

Microgrids are industrial technologies that can provide energy resources for the Internet of Things (IoT) demands in smart grids. Hybrid microgrids supply quality power to the IoT devices and ensure high resiliency in supply and demand for PV-based grid-tied microgrids. In this system, the usage of predictive energy management systems (EMS) is essential to dispatch power from different resources, while the battery energy storage system (BESS) is feeding the loads. In this article, we deploy a one-day-ahead prediction algorithm using a deep neural network for a fast-response BESS in an intelligent energy management system (I-EMS) that is called SIEMS. The main role of the SIEMS is to maintain the SOC at high rates based on the one-day-ahead information about solar power, which depends on meteorological conditions. The remaining power is supplied by the main grid for sustained power streaming between BESS and end-users. Considering the usage of information and communication technology components in the microgrids, the main objective of this article is focused on the hybrid microgrid performance under cyber-physical security adversarial attacks. Fast gradient sign, basic iterative, and DeepFool methods, which are investigated for the first time in power systems e.g., smart grid and microgrids, in order to produce perturbation for training data. To secure the microgrid’s SIEMS, we propose two Defence algorithms based on defensive distillation and adversarial training strategies for the first time in EMSs. We apply and evaluate these benchmark adversarial attack and Defence methods against the proposed machine learning models to increase the robustness of the models in the system against adversarial attacks. [ABSTRACT FROM AUTHOR]

Published

2023

27. A Pornographic Images Recognition Model based on Deep One-Class Classification With Visual Attention Mechanism

Author

Chun Xu, Gang Liang, Jin Yang, Wenbo He, Chen Junren, and Ruihang Liu

Subjects

General Computer Science, Computer science, 02 engineering and technology, Convolutional neural network, Field (computer science), Image (mathematics), Pornography classification, 0202 electrical engineering, electronic engineering, information engineering, Image scaling, One-class classification, Preprocessor, General Materials Science, Artificial neural network, business.industry, General Engineering, deep learning, 020206 networking & telecommunications, Pattern recognition, one-class classification, Constraint (information theory), adversarial attacks, 020201 artificial intelligence & image processing, Artificial intelligence, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, visual attention mechanism, lcsh:TK1-9971

Abstract

The existing approaches usually treat the recognition of pornographic images as a binary or multi-class classification task, which is realized by extracting a variety of features. However, these approaches ignore the problem of infinite kinds in the negative samples and lose sight of the impact of uncertainty in classification tasks, resulting in inadequate negative data sets and incorrect recognition of samples that are not in the training set. In order to address this challenge, this paper proposes a method named Deep One-Class with Attention for Pornography (DOCAPorn) that recognizes the pornographic images through the one-class classification model based on neural networks and introduces the visual attention mechanism to enhance the performance of recognition. Moreover, since the existing approaches based on deep convolutional neural networks (CNNs) require a fixed-size (e.g., $224\times224$ ) input image, the geometric distortion caused by image scaling is not considerd in the existing approaches, which reduces the pornographic image recognizition accuracy. In order to solve this issue, this paper proposes the Scale Constraint Pooling (SCP) that converts the inputs of different dimensions into outputs of the same dimension. In addition, all the existing approaches ignore the adversarial attacks in the field of pornographic image recognition. In order to deal with this problem, the paper proposes the Preprocessing for Compressing and Reconstructing (PreCR), a pre-processing approach that reduces the subtle perturbation through compressing the images and then reconstructs the purified image for recognition. The proposed approach is verified by conducting comparative experiments using custom datasets. The experimental results showed that we achieved an accuracy of 98.419% on our dataset. In addition, the proposed approach yielded a recognition accuracy of 95.632% on the NPDI dataset. Furthermore, the obtained results demonstrate that the proposed approach not only effectively recognizes pornographic images but also effectively defends the adversarial attacks.

Published

2020

28. Distributed Attack-Robust Submodular Maximization for Multirobot Planning.

Author

Zhou, Lifeng, Tzoumas, Vasileios, Pappas, George J., and Tokekar, Pratap

Subjects

DENIAL of service attacks, ROBUST optimization, DISTRIBUTED algorithms, ROBOT motion, LOCAL mass media, APPROXIMATION algorithms, ROBOT kinematics

Abstract

In this article, we design algorithms to protect swarm-robotics applications against sensor denial-of-service attacks on robots. We focus on applications requiring the robots to jointly select actions, e.g., which trajectory to follow, among a set of available actions. Such applications are central in large-scale robotic applications, such as multirobot motion planning for target tracking. But the current attack-robust algorithms are centralized. In this article, we propose a general-purpose distributed algorithm toward robust optimization at scale, with local communications only. We name it distributed robust maximization (DRM). DRM proposes a divide-and-conquer approach that distributively partitions the problem among cliques of robots. Then, the cliques optimize in parallel, independently of each other. We prove DRM achieves a close-to-optimal performance. We demonstrate DRM’s performance in Gazebo and MATLAB simulations, in scenarios of active target tracking with swarms of robots. In the simulations, DRM achieves computational speed-ups, being 1 to 2 orders faster than the centralized algorithms. Yet, it nearly matches the tracking performance of the centralized counterparts. Since, DRM overestimates the number of attacks in each clique, in this article, we also introduce an improved distributed robust maximization (IDRM) algorithm. IDRM infers the number of attacks in each clique less conservatively than DRM by leveraging three-hop neighboring communications. We verify IDRM improves DRM’s performance in simulations. [ABSTRACT FROM AUTHOR]

Published

2022

29. Turning Federated Learning Systems Into Covert Channels

Author

Gabriele Costa, Fabio Pinelli, Simone Soderi, and Gabriele Tolomei

Subjects

Federated learning, adversarial attacks, machine learning security, covert channel, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Federated learning (FL) goes beyond traditional, centralized machine learning by distributing model training among a large collection of edge clients. These clients cooperatively train a global, e.g., cloud-hosted, model without disclosing their local, private training data. The global model is then shared among all the participants which use it for local predictions. This paper proves that FL systems can be turned into covert channels to implement a stealth communication infrastructure. The main intuition is that, during federated training, a malicious sender can poison the global model by submitting purposely crafted examples. Although the effect of the model poisoning is negligible to other participants and does not alter the overall model performance, it can be observed by a malicious receiver and used to transmit a sequence of bits. We mounted our attack on an FL system to verify its feasibility. Experimental evidence shows that this covert channel is reliable, efficient, and extremely hard to counter. These results highlight that our new attacker model threatens FL infrastructures.

Published

2022

30. A Methodology for Evaluating the Robustness of Anomaly Detectors to Adversarial Attacks in Industrial Scenarios

Author

Angel Luis Perales Gomez, Lorenzo Fernandez Maimo, Felix J. Garcia Clemente, Javier Alejandro Maroto Morales, Alberto Huertas Celdran, and Gerome Bovet

Subjects

Adversarial attacks, evasion attacks, industrial control systems, machine learning, deep learning, robustness, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Anomaly Detection systems based on Machine and Deep learning are the most promising solutions to detect cyberattacks in the industry. However, these techniques are vulnerable to adversarial attacks that downgrade prediction performance. Several techniques have been proposed to measure the robustness of Anomaly Detection in the literature. However, they do not consider that, although a small perturbation in an anomalous sample belonging to an attack, i.e., Denial of Service, could cause it to be misclassified as normal while retaining its ability to damage, an excessive perturbation might also transform it into a truly normal sample, with no real impact on the industrial system. This paper presents a methodology to calculate the robustness of Anomaly Detection models in industrial scenarios. The methodology comprises four steps and uses a set of additional models called support models to determine if an adversarial sample remains anomalous. We carried out the validation using the Tennessee Eastman process, a simulated testbed of a chemical process. In such a scenario, we applied the methodology to both a Long-Short Term Memory (LSTM) neural network and 1-dimensional Convolutional Neural Network (1D-CNN) focused on detecting anomalies produced by different cyberattacks. The experiments showed that 1D-CNN is significantly more robust than LSTM for our testbed. Specifically, a perturbation of 60% (empirical robustness of 0.6) of the original sample is needed to generate adversarial samples for LSTM, whereas in 1D-CNN the perturbation required increases up to 111% (empirical robustness of 1.11).

Published

2022

31. A Highly Stealthy Adaptive Decay Attack Against Speaker Recognition

Author

Xinyu Zhang, Yang Xu, Sicong Zhang, and Xiaojian Li

Subjects

Deep learning, adversarial attacks, speaker recognition, adaptive decay attack, adversarial training, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Speaker recognition based on deep learning is currently the most advanced and mainstream technology in the industry. Adversarial attacks, an emerging and powerful attack against neural network models, also posing serious security problems for speaker recognition. Common gradient-based attack methods such as FGSM (Fast Gradient Sign Method), PGD (Projected Gradient Descent), and MI-FGSM (Momentum Iteration-FGSM) generate adversarial examples that are poorly stealthy and easily perceived by the human ear. To improve the stealthiness of the adversarial examples, this paper proposes a new attack method called the Adaptive Decay Attack (ADA), whose stealth is very close to the CW2(Carlini&Wagner) method based on optimization attacks, with much less computation time than CW2. The method takes the set number of iterations as the termination condition, automatically adjusts the size of the maximum perturbation according to whether the attack is successful or not, and then uses the decay methods in learning rates such as exponential decay and cosine annealing to continuously reduce the step size. The experimental results show that under the two speaker recognition models x-vector, and i-vector, the proposed attack method improves the stealthiness metrics such as SNR and PESQ by at least 30% and 39%, respectively, compared with the best PGD attack under speaker identification of untargeted attacks. For the speaker identification task with targeted attacks, the average improvement is at least 20% and 25% compared to PGD. For the speaker verification task, the improvement is at least 29.5% and 33.4% compared to PGD. In addition, we also use this attack method for adversarial training to enhance the robustness of the model. Experimental results show that ADA-based adversarial training takes 28.31% less time than PGD-based adversarial training, and its improved robustness is generally superior to PGD-based adversarial training. Specifically, the attack success rate of PGD and ADA methods decreased from 50.88% to 36.47% and 64.74% to 45.82%, respectively.

Published

2022

32. A Survey on Efficient Methods for Adversarial Robustness

Author

Awais Muhammad and Sung-Ho Bae

Subjects

Neural networks, deep learning, efficient training, adversarial robustness, adversarial attacks, adversarial learning, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Deep learning has revolutionized computer vision with phenomenal success and widespread applications. Despite impressive results in complex problems, neural networks are susceptible to adversarial attacks: small and imperceptible changes in input space that lead these models to incorrect outputs. Adversarial attacks have raised serious concerns, and robustness to these attacks has become a vital issue. Adversarial training, a min-max optimization approach, has shown promise against these attacks. The computational cost of adversarial training, however, makes it prohibitively difficult to scale as well as to be useful in practice. Recently, several works have explored different approaches to make adversarial training computationally more affordable. This paper presents a comprehensive survey on efficient adversarial robustness methods with an aim to present a holistic outlook to make future exploration more systematic and exhaustive. We start by mathematically defining fundamental ideas in adversarially robust learning. We then divide these approaches into two categories based on underlying mechanisms: methods that modify initial adversarial training and techniques that leverage transfer learning to improve efficiency. Finally, based on this overview, we analyze and present an outlook of future directions.

Published

2022

33. Robust Natural Language Processing: Recent Advances, Challenges, and Future Directions

Author

Marwan Omar, Soohyeon Choi, Daehun Nyang, and David Mohaisen

Subjects

Natural language processing, adversarial attacks, robustness, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Recent natural language processing (NLP) techniques have accomplished high performance on benchmark data sets, primarily due to the significant improvement in the performance of deep learning. The advances in the research community have led to great enhancements in state-of-the-art production systems for NLP tasks, such as virtual assistants, speech recognition, and sentiment analysis. However, such NLP systems still often fail when tested with adversarial attacks. The initial lack of robustness exposed troubling gaps in current models’ language understanding capabilities, creating problems when NLP systems are deployed in real life. In this paper, we present a structured overview of NLP robustness research by summarizing the literature in a systemic way across various dimensions. We then take a deep-dive into the various dimensions of robustness, across techniques, metrics, embedding, and benchmarks. Finally, we argue that robustness should be multi-dimensional, provide insights into current research, identify gaps in the literature to suggest directions worth pursuing to address these gaps

Published

2022

34. Backpack: A Backpropagable Adversarial Embedding Scheme.

Author

Bernard, Solene, Bas, Patrick, Klein, John, and Pevny, Tomas

Abstract

A minmax protocol offers a general method to automatically optimize steganographic algorithm against a wide class of steganalytic detectors. The quality of the resulting steganograhic algorithm depends on the ability to find an “adversarial” stego image undetectable by a set of detectors while communicating a given message. Despite minmax protocol instantiated with ADV-EMB scheme leading to unexpectedly good results, we show it suffers a significant flaw and we present a theoretically sound solution called Backpack. Extensive experimental verification of minmax protocol with Backpack shows superior performance to ADV-EMB, the generality of the tool by targeting a new JPEG QF100 compatibility attack and further improves the security of steganographic algorithms. [ABSTRACT FROM AUTHOR]

Published

2022

35. Adversarial Attacks Against Deep Learning-Based Network Intrusion Detection Systems and Defense Mechanisms.

Author

Zhang, Chaoyun, Costa-Perez, Xavier, and Patras, Paul

Subjects

DEEP learning, VEHICLE detectors, INTRUSION detection systems (Computer security), FEATURE extraction

Abstract

Neural networks (NNs) are increasingly popular in developing NIDS, yet can prove vulnerable to adversarial examples. Through these, attackers that may be oblivious to the precise mechanics of the targeted NIDS add subtle perturbations to malicious traffic features, with the aim of evading detection and disrupting critical systems. Defending against such adversarial attacks is of high importance, but requires to address daunting challenges. Here, we introduce TIKI- TAKA, a general framework for (i) assessing the robustness of state-of-the-art deep learning-based NIDS against adversarial manipulations, and which (ii) incorporates defense mechanisms that we propose to increase resistance to attacks employing such evasion techniques. Specifically, we select five cutting-edge adversarial attack types to subvert three popular malicious traffic detectors that employ NNs. We experiment with publicly available datasets and consider both one-to-all and one-to-one classification scenarios, i.e., discriminating illicit vs benign traffic and respectively identifying specific types of anomalous traffic among many observed. The results obtained reveal that attackers can evade NIDS with up to 35.7% success rates, by only altering time-based features of the traffic generated. To counteract these weaknesses, we propose three defense mechanisms: model voting ensembling, ensembling adversarial training, and query detection. We demonstrate that these methods can restore intrusion detection rates to nearly 100% against most types of malicious traffic, and attacks with potentially catastrophic consequences (e.g., botnet) can be thwarted. This confirms the effectiveness of our solutions and makes the case for their adoption when designing robust and reliable deep anomaly detectors. [ABSTRACT FROM AUTHOR]

Published

2022

36. Adversarial Attacks on Neural-Network-Based Soft Sensors: Directly Attack Output.

Author

Kong, Xiangyin and Ge, Zhiqiang

Abstract

Neural-network-based soft sensors are widely employed in the industrial process. Such models have great significance to smart manufacturing. Considering the strict requirements of industrial production, it is vital to ensure the safety and robustness of these models in their actual deployment. However, recent research has shown that neural networks are quite vulnerable to adversarial attacks. By imposing tiny perturbation to the original sample, the fabricated adversarial sample can cheat these models to make wrong decisions. Such a phenomenon may bring serious trouble to the practical application of soft sensors. This article focuses on the adversarial attacks on industrial soft sensors. For the first time, we verify and analyze the effectiveness and deficiencies of the existing attack methods in the industrial soft sensor scenario. Based on solving these defects, this article proposes a novel perspective for attacking soft sensors. We analyze the optimization mechanism behind this new idea and then design two algorithms to perform attacks. The proposed methods more conform to the actual situation. Besides, compared with the existing approaches, the proposed methods have potentials to cause severer damages since their attacks are not only more concealed but also more likely to cheat the technicians to execute wrong operations. The research and analyses of the proposed methods lay a solid foundation for more thorough defenses against various attacks, which is quite necessary for making the deployed soft sensors more robust and secure. [ABSTRACT FROM AUTHOR]

Published

2022

37. Certifiable Robustness to Adversarial State Uncertainty in Deep Reinforcement Learning.

Author

Everett, Michael, Lutjens, Bjorn, and How, Jonathan P.

Subjects

REINFORCEMENT learning, MACHINE learning, JOB performance, Q-switched lasers

Abstract

Deep neural network-based systems are now state-of-the-art in many robotics tasks, but their application in safety-critical domains remains dangerous without formal guarantees on network robustness. Small perturbations to sensor inputs (from noise or adversarial examples) are often enough to change network-based decisions, which was recently shown to cause an autonomous vehicle to swerve into another lane. In light of these dangers, numerous algorithms have been developed as defensive mechanisms from these adversarial inputs, some of which provide formal robustness guarantees or certificates. This work leverages research on certified adversarial robustness to develop an online certifiably robust for deep reinforcement learning algorithms. The proposed defense computes guaranteed lower bounds on state-action values during execution to identify and choose a robust action under a worst case deviation in input space due to possible adversaries or noise. Moreover, the resulting policy comes with a certificate of solution quality, even though the true state and optimal action are unknown to the certifier due to the perturbations. The approach is demonstrated on a deep Q-network (DQN) policy and is shown to increase robustness to noise and adversaries in pedestrian collision avoidance scenarios, a classic control task, and Atari Pong. This article extends our prior work with new performance guarantees, extensions to other reinforcement learning algorithms, expanded results aggregated across more scenarios, an extension into scenarios with adversarial behavior, comparisons with a more computationally expensive method, and visualizations that provide intuition about the robustness algorithm. [ABSTRACT FROM AUTHOR]

Published

2022

38. Deep Learning-Based Autonomous Driving Systems: A Survey of Attacks and Defenses.

Author

Deng, Yao, Zhang, Tiehua, Lou, Guannan, Zheng, Xi, Jin, Jiong, and Han, Qing-Long

Abstract

The rapid development of artificial intelligence, especially deep learning technology, has advanced autonomous driving systems (ADSs) by providing precise control decisions to counterpart almost any driving event, spanning from antifatigue safe driving to intelligent route planning. However, ADSs are still plagued by increasing threats from different attacks, which could be categorized into physical attacks, cyberattacks and learning-based adversarial attacks. Inevitably, the safety and security of deep learning-based autonomous driving are severely challenged by these attacks, from which the countermeasures should be analyzed and studied comprehensively to mitigate all potential risks. This survey provides a thorough analysis of different attacks that may jeopardize ADSs, as well as the corresponding state-of-the-art defense mechanisms. The analysis is unrolled by taking an in-depth overview of each step in the ADS workflow, covering adversarial attacks for various deep learning models and attacks in both physical and cyber context. Furthermore, some promising research directions are suggested in order to improve deep learning-based autonomous driving safety, including model robustness training, model testing and verification, and anomaly detection based on cloud/edge servers. [ABSTRACT FROM AUTHOR]

Published

2021

39. Noticeability Versus Impact in Traffic Signal Tampering

Author

Bilal Thonnam Thodi, Timothy Mulumba, and Saif Eddin Jabari

Subjects

Network vulnerability, signal tampering, traffic flow dynamics, urban traffic networks, adversarial attacks, cybersecurity, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

This paper investigates the vulnerability of urban traffic networks to cyber attacks on traffic lights. We model traffic signal tampering as a bi-objective optimization problem that simultaneously seeks to reduce vehicular throughput in the network over time (maximize impact) while introducing minimal changes to network signal timings (minimize noticeability). We represent the Spatio-temporal traffic dynamics as a static network flow problem on a time-expanded graph. This allows us to reduce the (non-convex) attack problem to a tractable form, which can be solved using traditional techniques used to solve linear network programming problems. We show that minor but objective adjustments in the signal timings over time can severely impact traffic conditions at the network level. We investigate network vulnerability by examining the concavity of the Pareto-optimal frontier obtained by solving the bi-objective attack problem. Numerical experiments are carried to illustrate the types of insights that can be extracted from the Pareto-optimal frontier. For instance, our experiments suggest that the vulnerability of a traffic network to signal tampering is independent of the demand levels.

Published

2020

40. Study of Pre-Processing Defenses Against Adversarial Attacks on State-of-the-Art Speaker Recognition Systems.

Author

Joshi, Sonal, Villalba, Jesus, Zelasko, Piotr, Moro-Velazquez, Laureano, and Dehak, Najim

Abstract

Adversarial examples are designed to fool the speaker recognition (SR) system by adding a carefully crafted human-imperceptible noise to the speech signals. Posing a severe security threat to state-of-the-art SR systems, it becomes vital to deep-dive and study their vulnerabilities. Moreover, it is of greater importance to propose countermeasures that can protect the systems against these attacks. Addressing these concerns, we first investigated how state-of-the-art x-vector based SR systems are affected by white-box adversarial attacks, i.e., when the adversary has full knowledge of the system. x-Vector based SR systems are evaluated against white-box adversarial attacks common in the literature like fast gradient sign method (FGSM), basic iterative method (BIM)–a.k.a. iterative-FGSM–, projected gradient descent (PGD), and Carlini-Wagner (CW) attack. To mitigate against these attacks, we investigated four pre-processing defenses which do not need adversarial examples during training. The four pre-processing defenses–viz. randomized smoothing, DefenseGAN, variational autoencoder (VAE), and Parallel WaveGAN vocoder (PWG) are compared against the baseline defense of adversarial training. Performing powerful adaptive white-box adversarial attack (i.e., when the adversary has full knowledge of the system, including the defense), our conclusions indicate that SR systems were extremely vulnerable under BIM, PGD, and CW attacks. Among the proposed pre-processing defenses, PWG combined with randomized smoothing offers the most protection against the attacks, with accuracy averaging 93% compared to 52% in the undefended system and an absolute improvement >90% for BIM attacks with $L_\infty >0.001$ and CW attack. [ABSTRACT FROM AUTHOR]

Published

2021

41. The Best Defense Is a Good Offense: Adversarial Attacks to Avoid Modulation Detection.

Author

Hameed, Muhammad Zaid, Gyorgy, Andras, and Gunduz, Deniz

Abstract

We consider a communication scenario, in which an intruder tries to determine the modulation scheme of the intercepted signal. Our aim is to minimize the accuracy of the intruder, while guaranteeing that the intended receiver can still recover the underlying message with the highest reliability. This is achieved by perturbing channel input symbols at the encoder, similarly to adversarial attacks against classifiers in machine learning. In image classification, the perturbation is limited to be imperceptible to a human observer, while in our case the perturbation is constrained so that the message can still be reliably decoded by the legitimate receiver, which is oblivious to the perturbation. Simulation results demonstrate the viability of our approach to make wireless communication secure against state-of-the-art intruders (using deep learning or decision trees) with minimal sacrifice in the communication performance. On the other hand, we also demonstrate that using diverse training data and curriculum learning can significantly boost the accuracy of the intruder. [ABSTRACT FROM AUTHOR]

Published

2021

42. DDSA: A Defense Against Adversarial Attacks Using Deep Denoising Sparse Autoencoder

Author

Yassine Bakhti, Sid Ahmed Fezza, Wassim Hamidouche, and Olivier Deforges

Subjects

Deep neural network, security, adversarial attacks, defense, sparse autoencoder, denoising, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Given their outstanding performance, the Deep Neural Networks (DNNs) models have been deployed in many real-world applications. However, recent studies have demonstrated that they are vulnerable to small carefully crafted perturbations, i.e., adversarial examples, which considerably decrease their performance and can lead to devastating consequences, especially for safety-critical applications, such as autonomous vehicles, healthcare and face recognition. Therefore, it is of paramount importance to offer defense solutions that increase the robustness of DNNs against adversarial attacks. In this paper, we propose a novel defense solution based on a Deep Denoising Sparse Autoencoder (DDSA). The proposed method is performed as a pre-processing step, where the adversarial noise of the input samples is removed before feeding the classifier. The pre-processing defense block can be associated with any classifier, without any change to their architecture or training procedure. In addition, the proposed method is a universal defense, since it does not require any knowledge about the attack, making it usable against any type of attack. The experimental results on MNIST and CIFAR-10 datasets have shown that the proposed DDSA defense provides a high robustness against a set of prominent attacks under white-, gray- and black-box settings, and outperforms state-of-the-art defense methods.

Published

2019

43. DetectX—Adversarial Input Detection Using Current Signatures in Memristive XBar Arrays.

Author

Moitra, Abhishek and Panda, Priyadarshini

Subjects

*CMOS integrated circuits, *ANALOG integrated circuits, *ANALOG circuits

Abstract

Adversarial input detection has emerged as a prominent technique to harden Deep Neural Networks (DNNs) against adversarial attacks. Most prior works use neural network-based detectors or complex statistical analysis for adversarial detection. These approaches are computationally intensive and vulnerable to adversarial attacks. To this end, we propose DetectX—A hardware friendly adversarial detection mechanism using hardware signatures like Sum of column Currents (SoI) in memristive crossbars (XBar). We show that adversarial inputs have higher SoI compared to clean inputs. However, the difference is too small for reliable adversarial detection. Hence, we propose a dual-phase training methodology: Phase1 training is geared towards increasing the separation between clean and adversarial SoIs; Phase2 training improves the overall robustness against different strengths of adversarial attacks. For hardware-based adversarial detection, we implement the DetectX module using 32 nm CMOS circuits and integrate it with a Neurosim-like analog crossbar architecture. We perform hardware evaluation of the Neurosim+DetectX system on the Neurosim platform using datasets-CIFAR10(VGG8), CIFAR100(VGG16) and TinyImagenet(ResNet18). Our experiments show that DetectX is 10x-25x more energy efficient and immune to dynamic adversarial attacks compared to previous state-of-the-art works. Moreover, we achieve high detection performance (ROC-AUC>0.95) for strong white-box and black-box attacks. [ABSTRACT FROM AUTHOR]

Published

2021

44. Adversarial Deep Learning for Over-the-Air Spectrum Poisoning Attacks.

Author

Sagduyu, Yalin E., Shi, Yi, and Erpek, Tugba

Subjects

DEEP learning, DATA transmission systems, POISONING, TRANSMITTERS (Communication), DECISION making, WIRELESS communications, SELF-poisoning

Abstract

An adversarial deep learning approach is presented to launch over-the-air spectrum poisoning attacks. A transmitter applies deep learning on its spectrum sensing results to predict idle time slots for data transmission. In the meantime, an adversary learns the transmitter's behavior (exploratory attack) by building another deep neural network to predict when transmissions will succeed. The adversary falsifies (poisons) the transmitter's spectrum sensing data over the air by transmitting during the short spectrum sensing period of the transmitter. Depending on whether the transmitter uses the sensing results as test data to make transmit decisions or as training data to retrain its deep neural network, either it is fooled into making incorrect decisions (evasion attack) or the transmitter's algorithm is retrained incorrectly for future decisions (causative attack). Both attacks are energy efficient and hard to detect (stealth) compared to jamming the long data transmission period, and substantially reduce the throughput. A dynamic defense is designed for the transmitter that deliberately makes a small number of incorrect transmissions (selected by the confidence score on channel classification) to manipulate the adversary's training data. This defense effectively fools the adversary (if any) and helps the transmitter sustain its throughput with or without an adversary present. [ABSTRACT FROM AUTHOR]

Published

2021

45. FCDM: A Methodology Based on Sensor Pattern Noise Fingerprinting for Fast Confidence Detection to Adversarial Attacks.

Author

Lan, Yazhu, Nixon, Kent W., Guo, Qingli, Zhang, Guohe, Xu, Yuanchao, Li, Hai, and Chen, Yiran

Subjects

INTRUSION detection systems (Computer security), CONFIDENCE, FIELD programmable gate arrays, BLOCK ciphers

Abstract

Deep neural networks (DNNs) have shown phenomenal success in many real-world applications. However, a concerning weakness of DNNs is their vulnerability to adversarial attacks. Although there exist some methods to detect adversarial attacks, they often suffer from high computational cost and constraints on certain types of attacks, and ignore external features that could aid during attack detection. In this article, we propose fast confidence detection method (FCDM), an innovative method for fast confidence detection of adversarial attacks based on measuring the integrity of sensor pattern noise fingerprinting embedded in input examples. We note that the existing adversarial detectors are often designed as a binary classifier to differentiate clean or adversarial examples. However, the detection of adversarial examples can be much more complicated than such a scenario. Our key insight is that the confidence level of detecting an input sample as an adversarial example is a more useful info for the system to properly take an action to resist potential attacks. The experimental results show that FCDM is capable to give a confidence distribution model of the most popular adversarial attacks. And, using the confidence distribution model, FCDM can quickly determine the confidence level of the input sample. Based on different properties of the confidence distribution models associated with these adversarial attacks, FCDM can provide early attack warning including even the possible attack types of the adversarial attack examples. FCDM also has the following advantages: 1) it is effective for both a white-box attack and black-box attack; 2) it do not depend on the class of adversarial attacks and can be used as both known attack defense and unknown attack defense; and 3) it does not need to know the details of the DNN model and does not affect the functionality of the DNN. Since fast confidence detection method (FCDM) is a computationally heavy task, we propose an FPGA-based accelerator based on a series of optimization techniques, such as the quantization, data reuse and operation replacement, etc. We implement our method on an FPGA platform and achieve a system clock frequency of 279 MHz with a power consumption of the only 0.7626 W. Moreover, in the real system performance test, we obtain a high efficiency of 29.740 IPS/W and a low latency of just 44.1 ms with very marginal accuracy loss. [ABSTRACT FROM AUTHOR]

Published

2020

46. Evolutionary Algorithm-Based Images, Humanly Indistinguishable and Adversarial Against Convolutional Neural Networks: Efficiency and Filter Robustness

Author

Raluca Chitic, Franck Leprévost, and Ali Osman Topal

Subjects

Computer science [C05] [Engineering, computing & technology], filter, evolutionary algorithm, General Computer Science, Computer science, General Engineering, Evolutionary algorithm, Convolutional neural network, adversarial perturbation, Sciences informatiques [C05] [Ingénierie, informatique & technologie], TK1-9971, adversarial attacks, Robustness (computer science), Filter (video), black-box attack, General Materials Science, Electrical engineering. Electronics. Nuclear engineering, evolutionary algorithms, Electrical and Electronic Engineering, Algorithm, image classification

Abstract

Convolutional neural networks (CNNs) have become one of the most important tools for image classification. However, many models are susceptible to adversarial attacks, and CNNs can perform misclassifications. In previous works, we successfully developed an EA-based black-box attack that creates adversarial images for the target scenario that fulfils two criteria. The CNN should classify the adversarial image in the target category with a confidence ≥ 0.95, and a human should not notice any difference between the adversarial and original images. Thanks to extensive experiments performed with the CNN ${\mathcal{C}}$ = VGG-16 trained on the CIFAR-10 dataset to classify images according to 10 categories, this paper, which substantially enhances most aspects of Chitic et al. (2021), addresses four issues. (1) From a pure EA point of view, we highlight the conceptual originality of our algorithm $\text {EA}_{d}^{\text {target}, {\mathcal{C}}}$ , versus the classical EA approach. The competitive advantage obtained was assessed experimentally during image classification. (2) We then measured the intrinsic performance of the EA-based attack for an extensive series of ancestor images. (3) We challenged the filter resistance of the adversarial images created by the EA for five well-known filters. (4) We proceed to the creation of natively filter-resistant adversarial images that can fool humans, CNNs, and CNNs composed with filters.

Published

2021

47. AI can turn the clock back before we know it

Author

Anne Gerdes

Subjects

reinforcement learning, adversarial attacks, embodied cognition, research integrity, AI hype, artificial intelligence

Abstract

This paper outlines intertwined challenges related to three areas: The hype surrounding AI, the consequences of corporate influence on the AI research agenda, and the public sector's uncritical embracement of AI technologies. We argue that AI can backfire if overconfident predictions influence decisions to introduce AI in high-risk domains. Moreover, the corporate colonization of the AI research agenda may cause a decline in societal trust in science, which is highly problematic considering that AI will increasingly power important domains in society.

Published

2021