Showing total 537 results

201. On the robustness of skeleton detection against adversarial attacks.

Author

Bai, Xiuxiu, Yang, Ming, and Liu, Zhe

Subjects

*CONVOLUTIONAL neural networks, *SKELETON

Abstract

Human perception of an object's skeletal structure is particularly robust to diverse perturbations of shape. This skeleton representation possesses substantial advantages for parts-based and invariant shape encoding, which is essential for object recognition. Multiple deep learning-based skeleton detection models have been proposed, while their robustness to adversarial attacks remains unclear. (1) This paper is the first work to study the robustness of deep learning-based skeleton detection against adversarial attacks, which are only slightly unlike the original data but still imperceptible to humans. We systematically analyze the robustness of skeleton detection models through exhaustive adversarial attacking experiments. (2) We propose a novel Frequency attack, which can directly exploit the regular and interpretable perturbations to sharply disrupt skeleton detection models. Frequency attack consists of an excitatory-inhibition waveform with high frequency attribution, which confuses edge-sensitive convolutional filters due to the sudden contrast between crests and troughs. Our comprehensive results verify that skeleton detection models are also vulnerable to adversarial attacks. The meaningful findings will inspire researchers to explore more potential robust models by involving explicit skeleton features. [ABSTRACT FROM AUTHOR]

Published

2020

202. Reconstruction-Based Adversarial Attack Detection in Vision-Based Autonomous Driving Systems

Author

Manzoor Hussain and Jang-Eui Hong

Subjects

deep learning, adversarial attacks, robustness, safety, autonomous vehicles, autoencoders, Computer engineering. Computer hardware, TK7885-7895

Abstract

The perception system is a safety-critical component that directly impacts the overall safety of autonomous driving systems (ADSs). It is imperative to ensure the robustness of the deep-learning model used in the perception system. However, studies have shown that these models are highly vulnerable to the adversarial perturbation of input data. The existing works mainly focused on studying the impact of these adversarial attacks on classification rather than regression models. Therefore, this paper first introduces two generalized methods for perturbation-based attacks: (1) We used naturally occurring noises to create perturbations in the input data. (2) We introduce a modified square, HopSkipJump, and decision-based/boundary attack to attack the regression models used in ADSs. Then, we propose a deep-autoencoder-based adversarial attack detector. In addition to offline evaluation metrics (e.g., F1 score and precision, etc.), we introduce an online evaluation framework to evaluate the robustness of the model under attack. The framework considers the reconstruction loss of the deep autoencoder that validates the robustness of the models under attack in an end-to-end fashion at runtime. Our experimental results showed that the proposed adversarial attack detector could detect square, HopSkipJump, and decision-based/boundary attacks with a true positive rate (TPR) of 93%.

Published

2023

203. Method for testing NLP models with text adversarial examples

Author

Artem B. Menisov, Aleksandr G. Lomako, and Timur R. Sabirov

Subjects

artificial intelligence, natural language processing, information security, adversarial attacks, security testing, Optics. Light, QC350-467, Electronic computers. Computer science, QA75.5-76.95

Abstract

At present, the interpretability of Natural Language Processing (NLP) models is unsatisfactory due to the imperfection of the scientific and methodological apparatus for describing the functioning of both individual elements and models as a whole. One of the problems associated with poor interpretability is the low reliability of the functioning of neural networks that process natural language texts. Small perturbations in text data are known to affect the stability of neural networks. The paper presents a method for testing NLP models for the threat of evasion attacks. The method includes the following text adversarial examples generations: random text modification and modification generation network. Random text modification is made using homoglyphs, rearranging text, adding invisible characters and removing characters randomly. The modification generation network is based on a generative adversarial architecture of neural networks. The conducted experiments demonstrated the effectiveness of the testing method based on the network for generating text adversarial examples. The advantage of the developed method is, firstly, in the possibility of generating more natural and diverse adversarial examples, which have less restrictions, and, secondly, that multiple requests to the model under test are not required. This may be applicable in more complex test scenarios where interaction with the model is limited. The experiments showed that the developed method allowed achieving a relatively better balance of effectiveness and stealth of textual adversarial examples (e.g. GigaChat and YaGPT models tested). The results of the work showed the need to test for defects and vulnerabilities that can be exploited by attackers in order to reduce the quality of the functioning of NLP models. This indicates a lot of potential in terms of ensuring the reliability of machine learning models. A promising direction is the problem of restoring the level of security (confidentiality, availability and integrity) of NLP models.

Published

2023

204. Perturbation analysis of gradient-based adversarial attacks.

Author

Ozbulak, Utku, Gasparyan, Manvel, De Neve, Wesley, and Van Messem, Arnout

Subjects

*COST functions, *CONSTRAINED optimization, *DEEP learning, *COMPARATIVE studies

Abstract

• We analyze the effectiveness of the perturbations generated by popular adversarial attacks. • We present a formal comparison of the objective functions used by popular adversarial attacks. • We expose the limited optimization space of the cross-entropy loss and the cross-entropy sign loss. • We expose the detrimental effect of cross-entropy sign loss and logit loss on adversarial optimization. • We analyze how well neural networks can identify adversarial perturbations generated by adversarial attacks. After the discovery of adversarial examples and their adverse effects on deep learning models, many studies focused on finding more diverse methods to generate these carefully crafted samples. Although empirical results on the effectiveness of adversarial example generation methods against defense mechanisms are discussed in detail in the literature, an in-depth study of the theoretical properties and the perturbation effectiveness of these adversarial attacks has largely been lacking. In this paper, we investigate the objective functions of three popular methods for adversarial example generation: the L-BFGS attack, the Iterative Fast Gradient Sign attack, and Carlini & Wagner's attack. Specifically, we perform a comparative and formal analysis of the loss functions underlying the aforementioned attacks while laying out large-scale experimental results on the ImageNet dataset. This analysis exposes (1) the faster optimization speed as well as the constrained optimization space of the cross-entropy loss, (2) the detrimental effects of using the signature of the cross-entropy loss on optimization precision as well as optimization space, and (3) the slow optimization speed of the logit loss in the context of adversariality. Our experiments reveal that the Iterative Fast Gradient Sign attack, which is thought to be fast for generating adversarial examples, is the worst attack in terms of the number of iterations required to create adversarial examples in the setting of equal perturbation. Moreover, our experiments show that the underlying loss function of Carlini & Wagner's attack, which is criticized for being substantially slower than other adversarial attacks, is not that much slower than other loss functions. Finally, we analyze how well neural networks can identify adversarial perturbations generated by the attacks under consideration, hereby revisiting the idea of adversarial retraining on ImageNet. [ABSTRACT FROM AUTHOR]

Published

2020

205. VAASI: Crafting valid and abnormal adversarial samples for anomaly detection systems in industrial scenarios.

Author

Perales Gómez, Angel Luis, Fernández Maimó, Lorenzo, Huertas Celdrán, Alberto, and García Clemente, Félix J.

Subjects

*ANOMALY detection (Computer security), *DEEP learning, *ARTIFICIAL intelligence, *RANDOM forest algorithms, *INTERNET security

Abstract

In the realm of industrial anomaly detection, machine and deep learning models face a critical vulnerability to adversarial attacks. In this context, existing attack methodologies primarily target continuous features, often in the context of images, making them unsuitable for the categorical or discrete features prevalent in industrial systems. To fortify the cybersecurity of industrial environments, this paper introduces a groundbreaking adversarial attack approach tailored to the unique demands of these settings. Our novel technique enables the creation of targeted adversarial samples that are valid within the framework of supervised cyberattack detection models in industrial scenarios, preserving the consistency of discrete values and correcting cases where an adversarial sample transitions into a normal one. Our approach leverages the SHAP interpretability method to identify the most salient features for each sample. Subsequently, the Projected Gradient Descent technique is employed to perturb continuous features, ensuring adversarial sample generation. To handle categorical features for a specific adversarial sample, our method scrutinizes the closest sample within the normal training dataset and replicates its categorical feature values. Additionally, Decision Trees trained within a Random Forest are utilized to ensure that the resulting adversarial samples maintain the essential abnormal behavior required for detection. The validation of our proposal was conducted using the WADI dataset obtained from a water distribution plant, providing a realistic industrial context. During validation, we assessed the mean error and the total number of adversarial samples generated by our approach, comparing it with the original Projected Gradient Descent method and the Carlini & Wagner attack across various parameter configurations. Remarkably, our proposal consistently achieved the best trade-off between mean error and the number of generated adversarial samples, showcasing its superiority in safeguarding industrial systems. [ABSTRACT FROM AUTHOR]

Published

2023

206. Brain programming is immune to adversarial attacks: Towards accurate and robust image classification using symbolic learning.

Author

Ibarra-Vazquez, Gerardo, Olague, Gustavo, Chan-Ley, Mariana, Puente, Cesar, and Soubervielle-Montalvo, Carlos

Subjects

ARTIFICIAL neural networks, NEURAL computers, CONVOLUTIONAL neural networks, MEDIA art, ART materials, DEEP learning, COMPUTER vision

Abstract

• This article presents brain programming as a methodology for image classification robust to adversarial attacks. • The paper compares three state-of-the art image classification methodologies from the standpoint of accuracy and robustness. • The study of the effect of adversarial attacks on art media categorization beyond machine learning. • The proposal of brain programming as an accurate and robust technique to recognize artwork media. • The analysis of robustness through pair-wise statistical tests based on prediction confidence and multiple comparisons. In recent years, the security concerns about the vulnerability of deep convolutional neural networks to adversarial attacks in slight modifications to the input image almost invisible to human vision make their predictions untrustworthy. Therefore, it is necessary to provide robustness to adversarial examples with an accurate score when developing a new classifier. In this work, we perform a comparative study of the effects of these attacks on the complex problem of art media categorization, which involves a sophisticated analysis of features to classify a fine collection of artworks. We tested a prevailing bag of visual words approach from computer vision, four deep convolutional neural networks (AlexNet, VGG, ResNet, ResNet101), and brain programming. The results showed that brain programming predictions' change in accuracy was below 2% using adversarial examples from the fast gradient sign method. With a multiple-pixel attack, brain programming obtained four out of seven classes without changes and the rest with a maximum error of 4%. Finally, brain programming got four categories without changes using adversarial patches and for the remaining three classes with an accuracy variation of 1%. The statistical analysis confirmed that brain programming predictions' confidence was not significantly different for each pair of clean and adversarial examples in every experiment. These results prove brain programming's robustness against adversarial examples compared to deep convolutional neural networks and the computer vision method for the art media categorization problem. [ABSTRACT FROM AUTHOR]

Published

2022

207. Towards the transferable audio adversarial attack via ensemble methods.

Author

Guo, Feng, Sun, Zheng, Chen, Yuxuan, and Ju, Lei

Subjects

SPEECH perception, DEEP learning, SPEECH, AUTONOMOUS vehicles

Abstract

In recent years, deep learning (DL) models have achieved significant progress in many domains, such as autonomous driving, facial recognition, and speech recognition. However, the vulnerability of deep learning models to adversarial attacks has raised serious concerns in the community because of their insufficient robustness and generalization. Also, transferable attacks have become a prominent method for black-box attacks. In this work, we explore the potential factors that impact adversarial examples (AEs) transferability in DL-based speech recognition. We also discuss the vulnerability of different DL systems and the irregular nature of decision boundaries. Our results show a remarkable difference in the transferability of AEs between speech and images, with the data relevance being low in images but opposite in speech recognition. Motivated by dropout-based ensemble approaches, we propose random gradient ensembles and dynamic gradient-weighted ensembles, and we evaluate the impact of ensembles on the transferability of AEs. The results show that the AEs created by both approaches are valid for transfer to the black box API. [ABSTRACT FROM AUTHOR]

Published

2023

208. A Survey of Adversarial Defenses and Robustness in NLP.

Author

GOYAL, SHREYA, DODDAPANENI, SUMANTH, KHAPRA, MITESH M., and RAVINDRAN, BALARAMAN

Subjects

ARTIFICIAL neural networks, NATURAL language processing, COMPUTER vision, CYBERTERRORISM, NATURAL languages

Abstract

In the past few years, it has become increasingly evident that deep neural networks are not resilient enough to withstand adversarial perturbations in input data, leaving them vulnerable to attack. Various authors have proposed strong adversarial attacks for computer vision and Natural Language Processing (NLP) tasks. As a response, many defense mechanisms have also been proposed to prevent these networks from failing. The significance of defending neural networks against adversarial attacks lies in ensuring that the model's predictions remain unchanged even if the input data is perturbed. Several methods for adversarial defense in NLP have been proposed, catering to different NLP tasks such as text classification, named entity recognition, and natural language inference. Some of these methods not only defend neural networks against adversarial attacks but also act as a regularization mechanism during training, saving the model from overfitting. This survey aims to review the various methods proposed for adversarial defenses in NLP over the past few years by introducing a novel taxonomy. The survey also highlights the fragility of advanced deep neural networks in NLP and the challenges involved in defending them. [ABSTRACT FROM AUTHOR]

Published

2023

209. Vulnerable point detection and repair against adversarial attacks for convolutional neural networks.

Author

Gao, Jie, Xia, Zhaoqiang, Dai, Jing, Dang, Chen, Jiang, Xiaoyue, and Feng, Xiaoyi

Abstract

Recently, convolutional neural networks have been shown to be sensitive to artificially designed perturbations that are imperceptible to the naked eye. Whether it is image classification, semantic segmentation, or object detection, all of them will face such problem. The existence of adversarial examples raises questions about the security of smart applications. Some works have paid attention to this problem and proposed several defensive strategies to resist adversarial attacks. However, no one explored the vulnerable area of the model under multiple attacks. In this work, we fill this gap by exploring the vulnerable areas of the model, which is vulnerable to adversarial attacks. Specifically, under various attack methods with different strengths, we conduct extensive experiments on two datasets based on three different networks and illustrate some phenomena. Besides, by exploiting the Siamese Network, we propose a novel approach to more intuitively discover the deficiencies of the model. Moreover, we further provide a novel adaptive vulnerable point repair method to improve the adversarial robustness of the model. Extensive experimental results show that our proposed method can effectively improve the adversarial robustness of the model. [ABSTRACT FROM AUTHOR]

Published

2023

210. CAPTIVE: Constrained Adversarial Perturbations to Thwart IC Reverse Engineering.

Author

Zargari, Amir Hosein Afandizadeh, AshrafiAmiri, Marzieh, Seo, Minjun, Pudukotai Dinakarrao, Sai Manoj, Fouda, Mohammed E., and Kurdahi, Fadi

Subjects

REVERSE engineering, LOGIC circuits, ELECTRONIC design automation, INTEGRATED circuits, MACHINE learning, INTELLECTUAL property

Abstract

Reverse engineering (RE) in Integrated Circuits (IC) is a process in which one will attempt to extract the internals of an IC, extract the circuit structure, and determine the gate-level information of an IC. In general, the RE process can be done for validation as well as Intellectual Property (IP) stealing intentions. In addition, RE also facilitates different illicit activities such as the insertion of hardware Trojan, pirating, or counterfeiting a design, or developing an attack. In this work, we propose an approach to introduce cognitive perturbations, with the aid of adversarial machine learning, to the IC layout that could prevent the RE process from succeeding. We first construct a layer-by-layer image dataset of 45 nm predictive technology. With this dataset, we propose a conventional neural network model called RecoG-Net to recognize the logic gates, which is the first step in RE. RecoG-Net is successful in recognizing the gates with more than 99.7% accuracy. Our thwarting approach utilizes the concept of adversarial attack generation algorithms to generate perturbation. Unlike traditional adversarial attacks in machine learning, the perturbation generation needs to be highly constrained to meet the fab rules such as Design Rule Checking (DRC) Layout vs. Schematic (LVS) checks. Hence, we propose CAPTIVE as a constrained perturbation generation satisfying the DRC. The experiments show that the accuracy of reverse engineering using machine learning techniques can decrease from 100% to approximately 30% based on the adversary generator. [ABSTRACT FROM AUTHOR]

Published

2023

211. Exploring Adversarial Robustness of LiDAR Semantic Segmentation in Autonomous Driving.

Author

Mahima, K. T. Yasas, Perera, Asanka, Anavatti, Sreenatha, and Garratt, Matt

Subjects

DEEP learning, LIDAR, OBJECT recognition (Computer vision), AUTONOMOUS vehicles, DRIVERLESS cars

Abstract

Deep learning networks have demonstrated outstanding performance in 2D and 3D vision tasks. However, recent research demonstrated that these networks result in failures when imperceptible perturbations are added to the input known as adversarial attacks. This phenomenon has recently received increased interest in the field of autonomous vehicles and has been extensively researched on 2D image-based perception tasks and 3D object detection. However, the adversarial robustness of 3D LiDAR semantic segmentation in autonomous vehicles is a relatively unexplored topic. This study expands the adversarial examples to LiDAR-based 3D semantic segmentation. We developed and analyzed three LiDAR point-based adversarial attack methods on different networks developed on the SemanticKITTI dataset. The findings illustrate that the Cylinder3D network has the highest adversarial susceptibility to the analyzed attacks. We investigated how the class-wise point distribution influences the adversarial robustness of each class in the SemanticKITTI dataset and discovered that ground-level points are extremely vulnerable to point perturbation attacks. Further, the transferability of each attack strategy was assessed, and we found that networks relying on point data representation demonstrate a notable level of resistance. Our findings will enable future research in developing more complex and specific adversarial attacks against LiDAR segmentation and countermeasures against adversarial attacks. [ABSTRACT FROM AUTHOR]

Published

2023

212. Adversarial machine learning phases of matter.

Author

Jiang, Si, Lu, Sirui, and Deng, Dong-Ling

Subjects

PHASE transitions, MACHINE learning, PHYSICAL laws, ROBUST control, PERTURBATION theory

Abstract

We study the robustness of machine learning approaches to adversarial perturbations, with a focus on supervised learning scenarios. We find that typical phase classifiers based on deep neural networks are extremely vulnerable to adversarial perturbations: adding a tiny amount of carefully crafted noises into the original legitimate examples will cause the classifiers to make incorrect predictions at a notably high confidence level. Through the lens of activation maps, we find that some important underlying physical principles and symmetries remain to be adequately captured for classifiers with even near-perfect performance. This explains why adversarial perturbations exist for fooling these classifiers. In addition, we find that, after adversarial training the classifiers will become more consistent with physical laws and consequently more robust to certain kinds of adversarial perturbations. Our results provide valuable guidance for both theoretical and experimental future studies on applying machine learning techniques to condensed matter physics. [ABSTRACT FROM AUTHOR]

Published

2023

213. CamoNet: A Target Camouflage Network for Remote Sensing Images Based on Adversarial Attack.

Author

Zhou, Yue, Jiang, Wanghan, Jiang, Xue, Chen, Lin, and Liu, Xingzhao

Subjects

REMOTE sensing, OBJECT recognition (Computer vision), IMAGE recognition (Computer vision), CONVOLUTIONAL neural networks, SIGNAL-to-noise ratio

Abstract

Object detection algorithms based on convolutional neural networks (CNNs) have achieved remarkable success in remote sensing images (RSIs), such as aircraft and ship detection, which play a vital role in military and civilian fields. However, CNNs are fragile and can be easily fooled. There have been a series of studies on adversarial attacks for image classification in RSIs. However, the existing gradient attack algorithms designed for classification cannot achieve excellent performance when directly applied to object detection, which is an essential task in RSI understanding. Although we can find some works on adversarial attacks for object detection, they are weak in concealment and easily detected by the naked eye. To handle these problems, we propose a target camouflage network for object detection in RSIs, called CamoNet, to deceive CNN-based detectors by adding imperceptible perturbation to the image. In addition, we propose a detection space initialization strategy to maximize the diversity in the detector's outputs among the generated samples. It can enhance the performance of the gradient attack algorithms in the object detection task. Moreover, a key pixel distillation module is employed, which can further reduce the modified pixels without weakening the concealment effect. Compared with several of the most advanced adversarial attacks, the proposed attack has advantages in terms of both peak signal-to-noise ratio (PSNR) and attack success rate. The transferability of the proposed target camouflage network is evaluated on three dominant detection algorithms (RetinaNet, Faster R-CNN, and RTMDet) with two commonly used remote sensing datasets (i.e., DOTA and DIOR). [ABSTRACT FROM AUTHOR]

Published

2023

214. VeriFace: Defending against Adversarial Attacks in Face Verification Systems.

Author

Sayed, Awny, Kinlany, Sohair, Zaki, Alaa, and Mahfouz, Ahmed

Subjects

HUMAN fingerprints, BIOMETRIC identification, SECURITY systems

Abstract

Face verification systems are critical in a wide range of applications, such as security systems and biometric authentication. However, these systems are vulnerable to adversarial attacks, which can significantly compromise their accuracy and reliability. Adversarial attacks are designed to deceive the face verification system by adding subtle perturbations to the input images. These perturbations can be imperceptible to the human eye but can cause the systemtomisclassifyor fail torecognize thepersoninthe image. Toaddress this issue, we propose a novel system called VeriFace that comprises two defense mechanisms, adversarial detection, and adversarial removal. The first mechanism, adversarial detection, is designed to identify whether an input image has been subjected to adversarial perturbations. The second mechanism, adversarial removal, is designed to remove these perturbations from the input image to ensure the face verification system can accurately recognize the person in the image. To evaluate the effectiveness of the VeriFace system, we conducted experiments on different types of adversarial attacks using the Labelled Faces in theWild (LFW) dataset. Our results show that the VeriFace adversarial detector can accurately identify adversarial imageswith a high detection accuracy of 100%.Additionally, our proposedVeriFace adversarial removalmethod has a significantly lower attack success rate of 6.5% compared to state-of-the-art removalmethods. [ABSTRACT FROM AUTHOR]

Published

2023

215. Rethinking the Evaluation of Deep Neural Network Robustness

Author

Fan, Mingyuan, Wang, Fuyi, Yan, Bosheng, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Yang, Xiaochun, editor, Suhartanto, Heru, editor, Wang, Guoren, editor, Wang, Bin, editor, Jiang, Jing, editor, Li, Bing, editor, Zhu, Huaijie, editor, and Cui, Ningning, editor

Published

2023

216. Unfooling SHAP and SAGE: Knockoff Imputation for Shapley Values

Author

Blesch, Kristin, Wright, Marvin N., Watson, David, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Prates, Raquel Oliveira, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, and Longo, Luca, editor

Published

2023

217. Reliable Aircraft Trajectory Prediction Using Autoencoder Secured with P2P Blockchain

Author

Hashemi, Seyed Mohammad, Hashemi, Seyed Ali, Botez, Ruxandra Mihaela, Karakoc, T. Hikmet, Series Editor, Colpan, C Ozgur, Series Editor, Dalkiran, Alper, Series Editor, Le Clainche, Soledad, editor, Chen, Xin, editor, and Ercan, Ali Haydar, editor

Published

2023

218. Boosting Adversarial Transferability Through Intermediate Feature

Author

He, Chenghai, Li, Xiaoqian, Zhang, Xiaohang, Zhang, Kai, Li, Hailing, Xiong, Gang, Li, Xuan, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Iliadis, Lazaros, editor, Papaleonidas, Antonios, editor, Angelov, Plamen, editor, and Jayne, Chrisina, editor

Published

2023

219. Towards Robustness of Large Language Models on Text-to-SQL Task: An Adversarial and Cross-Domain Investigation

Author

Zhang, Weixu, Wang, Yu, Fan, Ming, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Iliadis, Lazaros, editor, Papaleonidas, Antonios, editor, Angelov, Plamen, editor, and Jayne, Chrisina, editor

Published

2023

220. Data-Free Model Extraction Attacks in the Context of Object Detection

Author

Shah, Harshit, Aravindhan, G., Kulkarni, Pavan, Govindarajulu, Yuvaraj, Parmar, Manojkumar, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Christensen, Henrik I., editor, Corke, Peter, editor, Detry, Renaud, editor, Weibel, Jean-Baptiste, editor, and Vincze, Markus, editor

Published

2023

221. Neutralizing Adversarial Machine Learning in Industrial Control Systems Using Blockchain

Author

Moradpoor, Naghmeh, Barati, Masoud, Robles-Durazno, Andres, Abah, Ezra, McWhinnie, James, Onwubiko, Cyril, editor, Rosati, Pierangelo, editor, Rege, Aunshul, editor, Erola, Arnau, editor, Bellekens, Xavier, editor, Hindy, Hanan, editor, and Jaatun, Martin Gilje, editor

Published

2023

222. Backdoor Mitigation in Deep Neural Networks via Strategic Retraining

Author

Dhonthi, Akshay, Hahn, Ernst Moritz, Hashemi, Vahid, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Chechik, Marsha, editor, Katoen, Joost-Pieter, editor, and Leucker, Martin, editor

Published

2023

223. Preventing Adversarial Attacks on Autonomous Driving Models

Author

Sajid, Junaid, Anam, Bareera, Khattak, Hasan Ali, Malik, Asad Waqar, Abbas, Assad, Khan, Samee U., Akan, Ozgur, Editorial Board Member, Bellavista, Paolo, Editorial Board Member, Cao, Jiannong, Editorial Board Member, Coulson, Geoffrey, Editorial Board Member, Dressler, Falko, Editorial Board Member, Ferrari, Domenico, Editorial Board Member, Gerla, Mario, Editorial Board Member, Kobayashi, Hisashi, Editorial Board Member, Palazzo, Sergio, Editorial Board Member, Sahni, Sartaj, Editorial Board Member, Shen, Xuemin, Editorial Board Member, Stan, Mircea, Editorial Board Member, Jia, Xiaohua, Editorial Board Member, Zomaya, Albert Y., Editorial Board Member, Haas, Zygmunt J., editor, Prakash, Ravi, editor, Ammari, Habib, editor, and Wu, Weili, editor

Published

2023

224. Attribution-Based Confidence Metric for Detection of Adversarial Attacks on Breast Histopathological Images

Author

Fernandes, Steven L., Krivic, Senka, Sharma, Poonam, Jha, Sumit K., Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Karlinsky, Leonid, editor, Michaeli, Tomer, editor, and Nishino, Ko, editor

Published

2023

225. Developing future human-centered smart cities: Critical analysis of smart city security, Data management, and Ethical challenges.

Author

Ahmad, Kashif, Maabreh, Majdi, Ghaly, Mohamed, Khan, Khalil, Qadir, Junaid, and Al-Fuqaha, Ala

Subjects

SMART cities, DATA management, CRITICAL analysis, SOCIAL services, SOCIAL problems, INTERNET addiction, COMPLEMENT receptors

Abstract

As the globally increasing population drives rapid urbanization in various parts of the world, there is a great need to deliberate on the future of the cities worth living. In particular, as modern smart cities embrace more and more data-driven artificial intelligence services, it is worth remembering that (1) technology can facilitate prosperity, wellbeing, urban livability, or social justice, but only when it has the right analog complements (such as well-thought out policies, mature institutions, responsible governance); and (2) the ultimate objective of these smart cities is to facilitate and enhance human welfare and social flourishing. Researchers have shown that various technological business models and features can in fact contribute to social problems such as extremism, polarization, misinformation, and Internet addiction. In the light of these observations, addressing the philosophical and ethical questions involved in ensuring the security, safety, and interpretability of such AI algorithms that will form the technological bedrock of future cities assumes paramount importance. Globally there are calls for technology to be made more humane and human-centered. In this paper, we analyze and explore key challenges including security, robustness, interpretability, and ethical (data and algorithmic) challenges to a successful deployment of AI in human-centric applications, with a particular emphasis on the convergence of these concepts/challenges. We provide a detailed review of existing literature on these key challenges and analyze how one of these challenges may lead to others or help in solving other challenges. The paper also advises on the current limitations, pitfalls, and future directions of research in these domains, and how it can fill the current gaps and lead to better solutions. We believe such rigorous analysis will provide a baseline for future research in the domain. [ABSTRACT FROM AUTHOR]

Published

2022

226. Evaluating Neural Networks’ Ability to Generalize against Adversarial Attacks in Cross-Lingual Settings

Author

Vidhu Mathur, Tanvi Dadu, and Swati Aggarwal

Subjects

cross-lingual NLP, multilingual models, adversarial attacks, XLM roberta, mBART, Technology, Engineering (General). Civil engineering (General), TA1-2040, Biology (General), QH301-705.5, Physics, QC1-999, Chemistry, QD1-999

Abstract

Cross-lingual transfer learning using multilingual models has shown promise for improving performance on natural language processing tasks with limited training data. However, translation can introduce superficial patterns that negatively impact model generalization. This paper evaluates two state-of-the-art multilingual models, Cross-Lingual Model-Robustly Optimized BERT Pretraining Approach (XLM-Roberta) and Multilingual Bi-directional Auto-Regressive Transformer (mBART), on the cross-lingual natural language inference (XNLI) natural language inference task using both original and machine-translated evaluation sets. Our analysis demonstrates that translation can facilitate cross-lingual transfer learning, but maintaining linguistic patterns is critical. The results provide insights into the strengths and limitations of state-of-the-art multilingual natural language processing architectures for cross-lingual understanding.

Published

2024

227. Evaluating Realistic Adversarial Attacks against Machine Learning Models for Windows PE Malware Detection

Author

Muhammad Imran, Annalisa Appice, and Donato Malerba

Subjects

Windows PE Malware, adversarial attacks, integrity violation, transferability, adversarial training, explainable artificial intelligence, Information technology, T58.5-58.64

Abstract

During the last decade, the cybersecurity literature has conferred a high-level role to machine learning as a powerful security paradigm to recognise malicious software in modern anti-malware systems. However, a non-negligible limitation of machine learning methods used to train decision models is that adversarial attacks can easily fool them. Adversarial attacks are attack samples produced by carefully manipulating the samples at the test time to violate the model integrity by causing detection mistakes. In this paper, we analyse the performance of five realistic target-based adversarial attacks, namely Extend, Full DOS, Shift, FGSM padding + slack and GAMMA, against two machine learning models, namely MalConv and LGBM, learned to recognise Windows Portable Executable (PE) malware files. Specifically, MalConv is a Convolutional Neural Network (CNN) model learned from the raw bytes of Windows PE files. LGBM is a Gradient-Boosted Decision Tree model that is learned from features extracted through the static analysis of Windows PE files. Notably, the attack methods and machine learning models considered in this study are state-of-the-art methods broadly used in the machine learning literature for Windows PE malware detection tasks. In addition, we explore the effect of accounting for adversarial attacks on securing machine learning models through the adversarial training strategy. Therefore, the main contributions of this article are as follows: (1) We extend existing machine learning studies that commonly consider small datasets to explore the evasion ability of state-of-the-art Windows PE attack methods by increasing the size of the evaluation dataset. (2) To the best of our knowledge, we are the first to carry out an exploratory study to explain how the considered adversarial attack methods change Windows PE malware to fool an effective decision model. (3) We explore the performance of the adversarial training strategy as a means to secure effective decision models against adversarial Windows PE malware files generated with the considered attack methods. Hence, the study explains how GAMMA can actually be considered the most effective evasion method for the performed comparative analysis. On the other hand, the study shows that the adversarial training strategy can actually help in recognising adversarial PE malware generated with GAMMA by also explaining how it changes model decisions.

Published

2024

228. Not So Robust after All: Evaluating the Robustness of Deep Neural Networks to Unseen Adversarial Attacks

Author

Roman Garaev, Bader Rasheed, and Adil Mehmood Khan

Subjects

machine learning, deep learning, adversarial attacks, Industrial engineering. Management engineering, T55.4-60.8, Electronic computers. Computer science, QA75.5-76.95

Abstract

Deep neural networks (DNNs) have gained prominence in various applications, but remain vulnerable to adversarial attacks that manipulate data to mislead a DNN. This paper aims to challenge the efficacy and transferability of two contemporary defense mechanisms against adversarial attacks: (a) robust training and (b) adversarial training. The former suggests that training a DNN on a data set consisting solely of robust features should produce a model resistant to adversarial attacks. The latter creates an adversarially trained model that learns to minimise an expected training loss over a distribution of bounded adversarial perturbations. We reveal a significant lack in the transferability of these defense mechanisms and provide insight into the potential dangers posed by L∞-norm attacks previously underestimated by the research community. Such conclusions are based on extensive experiments involving (1) different model architectures, (2) the use of canonical correlation analysis, (3) visual and quantitative analysis of the neural network’s latent representations, (4) an analysis of networks’ decision boundaries and (5) the use of equivalence of L2 and L∞ perturbation norm theories.

Published

2024

229. RLXSS: Optimizing XSS Detection Model to Defend Against Adversarial Attacks Based on Reinforcement Learning.

Author

Fang, Yong, Huang, Cheng, Xu, Yijia, and Li, Yang

Subjects

REINFORCEMENT learning, DEEP learning, MACHINE learning, ARTIFICIAL intelligence

Abstract

With the development of artificial intelligence, machine learning algorithms and deep learning algorithms are widely applied to attack detection models. Adversarial attacks against artificial intelligence models become inevitable problems when there is a lack of research on the cross-site scripting (XSS) attack detection model for defense against attacks. It is extremely important to design a method that can effectively improve the detection model against attack. In this paper, we present a method based on reinforcement learning (called RLXSS), which aims to optimize the XSS detection model to defend against adversarial attacks. First, the adversarial samples of the detection model are mined by the adversarial attack model based on reinforcement learning. Secondly, the detection model and the adversarial model are alternately trained. After each round, the newly-excavated adversarial samples are marked as a malicious sample and are used to retrain the detection model. Experimental results show that the proposed RLXSS model can successfully mine adversarial samples that escape black-box and white-box detection and retain aggressive features. What is more, by alternately training the detection model and the confrontation attack model, the escape rate of the detection model is continuously reduced, which indicates that the model can improve the ability of the detection model to defend against attacks. [ABSTRACT FROM AUTHOR]

Published

2019

230. Adversarial attacks on deep-learning-based radar range profile target recognition.

Author

Huang, Teng, Chen, Yongfeng, Yao, Bingjian, Yang, Bifen, Wang, Xianmin, and Li, Ya

Subjects

*RADAR, *DEEP learning, *OBJECT recognition (Computer vision), *IMAGE recognition (Computer vision), *OPTICAL images

Abstract

• We generate the nontargeted and targeted fine-grained adversarial perturbations based on the binary search algorithm and the multiple-iteration method, respectively. • We generate nontargeted and targeted UAPs based on the aggregation method and the scaling method, respectively. • We verify that the UAP has transferability and generalization ability. • We verify that the adversarial perturbation is more aggressive to HRRP data than random noise. Target recognition based on a high-resolution range profile (HRRP) has always been a research hotspot in the radar signal interpretation field. Deep learning has been an important method for HRRP target recognition. However, recent research has shown that optical image target recognition methods based on deep learning are vulnerable to adversarial samples. Whether HRRP target recognition methods based on deep learning can be attacked remains an open question. In this paper, four methods of generating adversarial perturbations are proposed. Algorithm 1 generates the nontargeted fine-grained perturbation based on the binary search method. Algorithm 2 generates the targeted fine-grained perturbation based on the multiple-iteration method. Algorithm 3 generates the nontargeted universal adversarial perturbation (UAP) based on aggregating some fine-grained perturbations. Algorithm 4 generates the targeted universal perturbation based on scaling one fine-grained perturbation. These perturbations are used to generate adversarial samples to attack HRRP target recognition methods based on deep learning under white-box and black-box attacks. The experiments are conducted with actual radar data and show that the HRRP adversarial samples have certain aggressiveness. Therefore, HRRP target recognition methods based on deep learning have potential security risks. [ABSTRACT FROM AUTHOR]

Published

2020

231. Preprocessing Pipelines including Block-Matching Convolutional Neural Network for Image Denoising to Robustify Deep Reidentification against Evasion Attacks.

Author

Pawlicki, Marek and Choraś, Ryszard S.

Subjects

CONVOLUTIONAL neural networks, COMPUTER vision, ARTIFICIAL neural networks, IMAGE denoising, DEEP learning

Abstract

Artificial neural networks have become the go-to solution for computer vision tasks, including problems of the security domain. One such example comes in the form of reidentification, where deep learning can be part of the surveillance pipeline. The use case necessitates considering an adversarial setting—and neural networks have been shown to be vulnerable to a range of attacks. In this paper, the preprocessing defences against adversarial attacks are evaluated, including block-matching convolutional neural network for image denoising used as an adversarial defence. The benefit of using preprocessing defences comes from the fact that it does not require the effort of retraining the classifier, which, in computer vision problems, is a computationally heavy task. The defences are tested in a real-life-like scenario of using a pre-trained, widely available neural network architecture adapted to a specific task with the use of transfer learning. Multiple preprocessing pipelines are tested and the results are promising. [ABSTRACT FROM AUTHOR]

Published

2021

232. Bi-fidelity evolutionary multiobjective search for adversarially robust deep neural architectures.

Author

Liu, Jia, Cheng, Ran, and Jin, Yaochu

Subjects

*ARTIFICIAL neural networks, *EVOLUTIONARY algorithms

Abstract

Deep neural networks have been found vulnerable to adversarial attacks, thus raising potential concerns in security-sensitive contexts. To address this problem, recent research has investigated the adversarial robustness of deep neural networks from the architectural point of view. However, searching for architectures of deep neural networks is computationally expensive, particularly when coupled with an adversarial training process. To meet the above challenge, this paper proposes a bi-fidelity multiobjective neural architecture search approach. First, we formulate the neural architecture search (NAS) problem for enhancing the adversarial robustness of deep neural networks into a multiobjective optimization problem. Specifically, in addition to using low-fidelity estimations as the primary objectives, we leverage the output of a surrogate model trained with high-fidelity evaluations as an auxiliary objective. Secondly, we reduce the computational cost by combining three performance estimation methods, i.e., parameter sharing, low-fidelity evaluation, and surrogate-based predictor. The effectiveness of the proposed approach is confirmed by extensive experiments conducted on CIFAR-10, CIFAR-100 and SVHN datasets. [ABSTRACT FROM AUTHOR]

Published

2023

233. One evolutionary algorithm deceives humans and ten convolutional neural networks trained on ImageNet at image recognition.

Author

Topal, Ali Osman, Chitic, Raluca, and Leprévost, Franck

Subjects

CONVOLUTIONAL neural networks, IMAGE recognition (Computer vision), COMPUTER vision, EYE tracking, EVOLUTIONARY algorithms

Abstract

Convolutional neural networks (CNNs) are widely used in computer vision, but can be deceived by carefully crafted adversarial images. In this paper, we propose an evolutionary algorithm (EA) based adversarial attack against CNNs trained on ImageNet. Our EA-based attack aims to generate adversarial images that not only achieve a high confidence probability of being classified into the target category (at least 75%), but also appear indistinguishable to the human eye in a black-box setting. These constraints are implemented to simulate a realistic adversarial attack scenario. Our attack has been thoroughly evaluated on 10 CNNs in various attack scenarios, including high-confidence targeted, good-enough targeted, and untargeted. Furthermore, we have compared our attack favorably against other well-known white-box and black-box attacks. The experimental results revealed that the proposed EA-based attack is superior or on par with its competitors in terms of the success rate and the visual quality of the adversarial images produced. • EA-based black-box attack creates human-imperceptible adversarial images for CNNs. • It is effectively challenged against 10 ImageNet trained CNNs in different scenarios. • The effectiveness of six adversarial attacks is assessed on 10 ImageNet-trained CNNs. • Results show that the EA-based attack outperforms or is on par with these attacks. [ABSTRACT FROM AUTHOR]

Published

2023

234. Universal backdoor attack on deep neural networks for malware detection.

Author

Zhang, Yunchun, Feng, Fan, Liao, Zikun, Li, Zixuan, and Yao, Shaowen

Subjects

ARTIFICIAL neural networks, DEEP learning, CONVOLUTIONAL neural networks, MALWARE

Abstract

Backdoor attacks targeting the deep neural network are flourishing recently and are more stealthy than existing adversarial attacks. A deep understanding of the backdoor attacks targeting malware detection models is still missing. We design a highly transferable backdoor attack targeting three benchmark convolutional neural networks (CNNs) for malware detection. The designed backdoor attack involves two steps: trigger generation and trigger insertion. Firstly, based on the computation of the most significant byte sub-sequence from samples of a chosen target label, the trigger patterns are generated by training a class activation mapping-based deep neural network (CAM-DNN). Then, the byte sequence with the maximum class activation mapping score is chosen as the candidate trigger pattern. The computed trigger pattern is then inserted into an index-based place that satisfies the minimum distance between a predefined feature space to the target label. Through detailed experiments, the CAM-DNN-based backdoor considers many influential factors, including the number of backdoor triggers, the degree of perturbations applied on a single trigger pattern, the length of the inserted trigger, etc. The experiments demonstrate that the CAM-DNN-based backdoor attack achieves an 89.58% success rate on average at the cost of a 2.25% accuracy drop on clean inputs. More importantly, the poisoned malware ensures high integrity because the original malicious functions are preserved to a large extent. [Display omitted] • This paper proposes a class activation mapping-based backdoor trigger generation method while preserving the malicious functionalities. • We design an efficient backdoor attack targeting multiple deep learning-based malware detection models. [ABSTRACT FROM AUTHOR]

Published

2023

235. Exploring misclassifications of robust neural networks to enhance adversarial attacks.

Author

Schwinn, Leo, Raab, René, Nguyen, An, Zanca, Dario, and Eskofier, Bjoern

Subjects

SCIENTIFIC community, COMPUTER vision, DEEP learning, PREDICTION models, SCIENTIFIC observation

Abstract

Progress in making neural networks more robust against adversarial attacks is mostly marginal, despite the great efforts of the research community. Moreover, the robustness evaluation is often imprecise, making it challenging to identify promising approaches. We do an observational study on the classification decisions of 19 different state-of-the-art neural networks trained to be robust against adversarial attacks. This analysis gives a new indication of the limits of the robustness of current models on a common benchmark. In addition, our findings suggest that current untargeted adversarial attacks induce misclassification toward only a limited amount of different classes. Similarly, we find that previous attacks under-explore the perturbation space during optimization. This leads to unsuccessful attacks for samples where the initial gradient direction is not a good approximation of the final adversarial perturbation direction. Additionally, we observe that both over- and under-confidence in model predictions result in an inaccurate assessment of model robustness. Based on these observations, we propose a novel loss function for adversarial attacks that consistently improves their efficiency and success rate compared to prior attacks for all 30 analyzed models. [ABSTRACT FROM AUTHOR]

Published

2023

236. PSI Analysis of Adversarial-Attacked DCNN Models.

Author

Lee, Youngseok and Kim, Jongweon

Subjects

CONVOLUTIONAL neural networks, ARTIFICIAL intelligence, TASK performance

Abstract

In the past few years, deep convolutional neural networks (DCNNs) have surpassed human performance in tasks related to recognizing objects. However, DCNNs are also threatened by performance degradation due to adversarial examples. DCNNs are essentially black-boxed, and it is not known how the output is determined internally; consequently, it is not known how adversarial attacks cause performance degradation inside the DCNNs. To observe the internal neuronal activities of DCNN models for adversarial examples, we analyzed the population sparseness index (PSI) values at each layer of two representative DCNN models, namely AlexNet and VGG11. From the experimental results, we observed that the internal responses of the two DCNN models to adversarial examples exhibited distinct layer-wise PSI values, differing from the internal responses to benign examples. The main contribution of this study is the discovery of significant differences in the internal responses of two specific DCNN models to adversarial and benign examples by PSI. Furthermore, our research has the potential not only to contribute to the design of more robust DCNN models against adversarial examples but also to bridge the gap between the fields of artificial intelligence and neurophysiology of the brain. [ABSTRACT FROM AUTHOR]

Published

2023

237. Multi‐aspects AI‐based modeling and adversarial learning for cybersecurity intelligence and robustness: A comprehensive overview.

Author

Sarker, Iqbal H.

Subjects

ARTIFICIAL intelligence, INDUSTRY 4.0, INTERNET security, DATA security failures, SECURITY systems

Abstract

Due to the rising dependency on digital technology, cybersecurity has emerged as a more prominent field of research and application that typically focuses on securing devices, networks, systems, data and other resources from various cyber‐attacks, threats, risks, damages, or unauthorized access. Artificial intelligence (AI), also referred to as a crucial technology of the current Fourth Industrial Revolution (Industry 4.0 or 4IR), could be the key to intelligently dealing with these cyber issues. Various forms of AI methodologies, such as analytical, functional, interactive, textual as well as visual AI can be employed to get the desired cyber solutions according to their computational capabilities. However, the dynamic nature and complexity of real‐world situations and data gathered from various cyber sources make it challenging nowadays to build an effective AI‐based security model. Moreover, defending robustly against adversarial attacks is still an open question in the area. In this article, we provide a comprehensive view on "Cybersecurity Intelligence and Robustness," emphasizing multi‐aspects AI‐based modeling and adversarial learning that could lead to addressing diverse issues in various cyber applications areas such as detecting malware or intrusions, zero‐day attacks, phishing, data breach, cyberbullying and other cybercrimes. Thus the eventual security modeling process could be automated, intelligent, and robust compared to traditional security systems. We also emphasize and draw attention to the future aspects of cybersecurity intelligence and robustness along with the research direction within the context of our study. Overall, our goal is not only to explore AI‐based modeling and pertinent methodologies but also to focus on the resulting model's applicability for securing our digital systems and society. [ABSTRACT FROM AUTHOR]

Published

2023

238. Explainable and secure artificial intelligence: taxonomy, cases of study, learned lessons, challenges and future directions.

Author

Eldrandaly, Khalid A., Abdel-Basset, Mohamed, Ibrahim, Mahmoud, and Abdel-Aziz, Nabil M.

Subjects

ARTIFICIAL intelligence, DEEP learning, TAXONOMY, MACHINE learning

Abstract

Explainable artificial intelligence (XAI) is an evolving discipline that mainly emphasises unboxing in these Black-Boxes. This study provides in-depth review of XAI literature together with a new taxonomy of categorising XAI methods. Moreover, the security of Deep learning (DL) against different attacks turned to be a critical concern for both industry and academia. This study presents a taxonomic overview of the attacks on DL solutions and methods for securing DL against these attacks. Experiments are performed to evaluate and analyse the cutting-edge methods for explaining and securing DL models on real-world case studies of Twitter sentimental analysis using state-of-the-art DL models. [ABSTRACT FROM AUTHOR]

Published

2023

239. Towards the universal defense for query-based audio adversarial attacks on speech recognition system.

Author

Guo, Feng, Sun, Zheng, Chen, Yuxuan, and Ju, Lei

Subjects

AUTOMATIC speech recognition, DENIAL of service attacks, SPEECH perception, DEEP learning

Abstract

Recently, studies show that deep learning-based automatic speech recognition (ASR) systems are vulnerable to adversarial examples (AEs), which add a small amount of noise to the original audio examples. These AE attacks pose new challenges to deep learning security and have raised significant concerns about deploying ASR systems and devices. The existing defense methods are either limited in application or only defend on results, but not on process. In this work, we propose a novel method to infer the adversary intent and discover audio adversarial examples based on the AEs generation process. The insight of this method is based on the observation: many existing audio AE attacks utilize query-based methods, which means the adversary must send continuous and similar queries to target ASR models during the audio AE generation process. Inspired by this observation, We propose a memory mechanism by adopting audio fingerprint technology to analyze the similarity of the current query with a certain length of memory query. Thus, we can identify when a sequence of queries appears to be suspectable to generate audio AEs. Through extensive evaluation on four state-of-the-art audio AE attacks, we demonstrate that on average our defense identify the adversary's intent with over 90 % accuracy. With careful regard for robustness evaluations, we also analyze our proposed defense and its strength to withstand two adaptive attacks. Finally, our scheme is available out-of-the-box and directly compatible with any ensemble of ASR defense models to uncover audio AE attacks effectively without model retraining. [ABSTRACT FROM AUTHOR]

Published

2023

240. Towards adversarial realism and robust learning for IoT intrusion detection and classification.

Author

Vitorino, João, Praça, Isabel, and Maia, Eva

Abstract

The internet of things (IoT) faces tremendous security challenges. Machine learning models can be used to tackle the growing number of cyber-attack variations targeting IoT systems, but the increasing threat posed by adversarial attacks restates the need for reliable defense strategies. This work describes the types of constraints required for a realistic adversarial cyber-attack example and proposes a methodology for a trustworthy adversarial robustness analysis with a realistic adversarial evasion attack vector. The proposed methodology was used to evaluate three supervised algorithms, random forest (RF), extreme gradient boosting (XGB), and light gradient boosting machine (LGBM), and one unsupervised algorithm, isolation forest (IFOR). Constrained adversarial examples were generated with the adaptative perturbation pattern method (A2PM), and evasion attacks were performed against models created with regular and adversarial training. Even though RF was the least affected in binary classification, XGB consistently achieved the highest accuracy in multi-class classification. The obtained results evidence the inherent susceptibility of tree-based algorithms and ensembles to adversarial evasion attacks and demonstrate the benefits of adversarial training and a security-by-design approach for a more robust IoT network intrusion detection and cyber-attack classification. [ABSTRACT FROM AUTHOR]

Published

2023

241. Adversarial Attack and Defense in Breast Cancer Deep Learning Systems.

Author

Li, Yang and Liu, Shaoying

Subjects

DEEP learning, BREAST cancer, INSTRUCTIONAL systems, MEDICAL imaging systems, IMAGE recognition (Computer vision), DIAGNOSIS

Abstract

Deep-learning-assisted medical diagnosis has brought revolutionary innovations to medicine. Breast cancer is a great threat to women's health, and deep-learning-assisted diagnosis of breast cancer pathology images can save manpower and improve diagnostic accuracy. However, researchers have found that deep learning systems based on natural images are vulnerable to attacks that can lead to errors in recognition and classification, raising security concerns about deep systems based on medical images. We used the adversarial attack algorithm FGSM to reveal that breast cancer deep learning systems are vulnerable to attacks and thus misclassify breast cancer pathology images. To address this problem, we built a deep learning system for breast cancer pathology image recognition with better defense performance. Accurate diagnosis of medical images is related to the health status of patients. Therefore, it is very important and meaningful to improve the security and reliability of medical deep learning systems before they are actually deployed. [ABSTRACT FROM AUTHOR]

Published

2023

242. Medical Image Fusion Based on Anisotropic Diffusion and Non-Subsampled Contourlet Transform.

Author

Goyal, Bhawna, Dogra, Ayush, Khoond, Rahul, Lepcha, Dawa Chyophel, Goyal, Vishal, and Fernandes, Steven L.

Subjects

IMAGE fusion, DIAGNOSTIC imaging, IMAGE analysis, HOUGH transforms, RESEARCH & development, THERAPEUTICS

Abstract

The synthesis of visual information from multiple medical imaging inputs to a single fused image without any loss of detail and distortion is known as multimodal medical image fusion. It improves the quality of biomedical images by preserving detailed features to advance the clinical utility of medical imaging meant for the analysis and treatment of medical disorders. This study develops a novel approach to fuse multimodal medical images utilizing anisotropic diffusion (AD) and non-subsampled contourlet transform (NSCT). First, the method employs anisotropic diffusion for decomposing input images to their base and detail layers to coarsely split two features of input images such as structural and textural information. The detail and base layers are further combined utilizing a sum-based fusion rule which maximizes noise filtering contrast level by effectively preserving most of the structural and textural details. NSCT is utilized to further decompose these images into their low and high-frequency coefficients. These coefficients are then combined utilizing the principal component analysis/Karhunen-Loeve (PCA/KL) based fusion rule independently by substantiating eigenfeature reinforcement in the fusion results. An NSCT-based multiresolution analysis is performed on the combined salient feature information and the contrastenhanced fusion coefficients. Finally, an inverse NSCT is applied to each coefficient to produce the final fusion result. Experimental results demonstrate an advantage of the proposed technique using a publicly accessible dataset and conducted comparative studies on three pairs of medical images from different modalities and health. Our approach offers better visual and robust performance with better objective measurements for research development since it excellently preserves significant salient features and precision without producing abnormal information in the case of qualitative and quantitative analysis. [ABSTRACT FROM AUTHOR]

Published

2023

243. Towards Adversarial Robustness for Multi-Mode Data through Metric Learning.

Author

Khan, Sarwar, Chen, Jun-Cheng, Liao, Wen-Hung, and Chen, Chu-Song

Subjects

ARTIFICIAL neural networks, DEEP learning

Abstract

Adversarial attacks have become one of the most serious security issues in widely used deep neural networks. Even though real-world datasets usually have large intra-variations or multiple modes, most adversarial defense methods, such as adversarial training, which is currently one of the most effective defense methods, mainly focus on the single-mode setting and thus fail to capture the full data representation to defend against adversarial attacks. To confront this challenge, we propose a novel multi-prototype metric learning regularization for adversarial training which can effectively enhance the defense capability of adversarial training by preventing the latent representation of the adversarial example changing a lot from its clean one. With extensive experiments on CIFAR10, CIFAR100, MNIST, and Tiny ImageNet, the evaluation results show the proposed method improves the performance of different state-of-the-art adversarial training methods without additional computational cost. Furthermore, besides Tiny ImageNet, in the multi-prototype CIFAR10 and CIFAR100 where we reorganize the whole datasets of CIFAR10 and CIFAR100 into two and ten classes, respectively, the proposed method outperforms the state-of-the-art approach by 2.22% and 1.65%, respectively. Furthermore, the proposed multi-prototype method also outperforms its single-prototype version and other commonly used deep metric learning approaches as regularization for adversarial training and thus further demonstrates its effectiveness. [ABSTRACT FROM AUTHOR]

Published

2023

244. Privacy and Security in Distributed Learning: A Review of Challenges, Solutions, and Open Research Issues

Author

Muhammad Usman Afzal, Alaa Awad Abdellatif, Muhammad Zubair, Muhammad Qasim Mehmood, and Yehia Massoud

Subjects

Data privacy and security, Internet of Things (IoT), deep learning, adversarial attacks, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

In recent years, the way that machine learning is used has undergone a paradigm shift driven by distributed and collaborative learning. Several approaches have emerged to enable pervasive computing and distributed learning in ubiquitous Internet of Things (IoT) systems. Numerous decentralized strategies have been proposed to deal with the limitations of centralized learning, including privacy and latency due to sharing local data, while utilizing distributed computations as a promising substitute to centralized learning. However, such distributed learning schemes come with new security and privacy concerns that should be addressed. Thus, in this paper, we first provide an overview for the emerging paradigms developed for distributed learning. Then, we performed a comprehensive survey for the privacy and security challenges associated with distributed learning along with the presented solutions to overcome them. Furthermore, we highlight key challenges and open future research directions toward implementing more robust distributed systems.

Published

2023

245. Exploring Transferability on Adversarial Attacks

Author

Enrique Alvarez, Rafael Alvarez, and Miguel Cazorla

Subjects

Adversarial attacks, convolutional neural networks, deep learning, GeoDA, HopSkipJump, SurFree, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Despite of the progress that has been made in the field, the problem of adversarial attacks remains unresolved. The most up-to-date models are still vulnerable, and there is not a simple way to defend against these kinds of attacks; even transformers can be affected by this problem, although they have not been extensively studied yet. In this paper, we study transferability, which is a property of adversarial attacks in which images generated for one architecture can be transferred to another and still be effective. In real-world scenarios like self-driving cars, malware detection, and face recognition authentication systems, transferability can lead to security issues. In order to conduct a behavioral analysis, we select a diverse set of networks and measure how effectively the images produced by various attacks can be transferred among them. We generate adversarial samples for each network and then evaluate them with other networks to determine the corresponding transferability performance. We can observe that all networks are susceptible to transferability attacks, albeit in some cases at the expense of severely distorted images.

Published

2023

246. Defending AI-Based Automatic Modulation Recognition Models Against Adversarial Attacks

Author

Haolin Tang, Ferhat Ozgur Catak, Murat Kuzlu, Evren Catak, and Yanxiao Zhao

Subjects

Artificial intelligence, next-generation networks, automatic modulation recognition, adversarial attacks, model poisoning, defensive distillation, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Automatic Modulation Recognition (AMR) is one of the critical steps in the signal processing chain of wireless networks, which can significantly improve communication performance. AMR detects the modulation scheme of the received signal without any prior information. Recently, many Artificial Intelligence (AI) based AMR methods have been proposed, inspired by the considerable progress of AI methods in various fields. On the one hand, AI-based AMR methods can outperform traditional methods in terms of accuracy and efficiency. On the other hand, they are susceptible to new types of cyberattacks, such as model poisoning or adversarial attacks. This paper explores the vulnerabilities of an AI-based AMR model to adversarial attacks in both single-input-single-output and multiple-input-multiple-output scenarios. We show that these attacks can significantly reduce the classification performance of the AI-based AMR model, which highlights the security and robustness concerns. Therefore, we propose a widely used mitigation method (i.e., defensive distillation) to reduce the vulnerabilities of the model against adversarial attacks. The simulation results indicate that the AI-based AMR model can be highly vulnerable to adversarial attacks, but their vulnerabilities can be significantly reduced by using mitigation methods.

Published

2023

247. Secure Convolutional Neural Network-Based Internet-of-Healthcare Applications

Author

Lazhar Khriji, Soulef Bouaafia, Seifeddine Messaoud, Ahmed Chiheb Ammari, and Mohsen Machhout

Subjects

Convolutional neural networks, internet of healthcare, medical data, adversarial attacks, security and privacy, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Convolutional neural networks (CNNs) have gained popularity for Internet-of-Healthcare (IoH) applications such as medical diagnostics. However, new research shows that adversarial attacks with slight imperceptible changes can undermine deep neural network techniques in healthcare. This raises questions regarding the safety of deploying these IoH devices in clinical situations. In this paper, we review the techniques used in fighting against cyber-attacks. Then, we propose to study the robustness of some well-known CNN architectures’ belonging to sequential, parallel, and residual families, such as LeNet5, MobileNetV1, VGG16, ResNet50, and InceptionV3 against fast gradient sign method (FGSM) and projected gradient descent (PGD) attacks, in the context of classification of chest radiographs (X-rays) based on the IoH application. Finally, we propose to improve the security of these CNN structures by studying standard and adversarial training. The results show that, among these models, smaller models with lower computational complexity are more secure against hostile threats than larger models that are frequently used in IoH applications. In contrast, we reveal that when these networks are learned adversarially, they can outperform standard trained networks. The experimental results demonstrate that the model performance breakpoint is represented by $\gamma =0.3$ with a maximum loss of accuracy tolerated at 2%.

Published

2023

248. PrivacyMask: Real-world privacy protection in face ID systems

Author

Guangmin Sun, Hao Wang, Yu Bai, Kun Zheng, Yanjun Zhang, Xiaoyong Li, and Jie Liu

Subjects

privacy protection, neural network, facial recognition, adversarial attacks, spatial mapping, transferability, nonlinear transformation, Biotechnology, TP248.13-248.65, Mathematics, QA1-939

Abstract

Recent works have illustrated that many facial privacy protection methods are effective in specific face recognition algorithms. However, the COVID-19 pandemic has promoted the rapid innovation of face recognition algorithms for face occlusion, especially for the face wearing a mask. It is tricky to avoid being tracked by artificial intelligence only through ordinary props because many facial feature extractors can determine the ID only through a tiny local feature. Therefore, the ubiquitous high-precision camera makes privacy protection worrying. In this paper, we establish an attack method directed against liveness detection. A mask printed with a textured pattern is proposed, which can resist the face extractor optimized for face occlusion. We focus on studying the attack efficiency in adversarial patches mapping from two-dimensional to three-dimensional space. Specifically, we investigate a projection network for the mask structure. It can convert the patches to fit perfectly on the mask. Even if it is deformed, rotated and the lighting changes, it will reduce the recognition ability of the face extractor. The experimental results show that the proposed method can integrate multiple types of face recognition algorithms without significantly reducing the training performance. If we combine it with the static protection method, people can prevent face data from being collected.

Published

2023

249. Sound classification using wavelet transformation and deep learning methods

Author

Brbor, Ana and Milišić, Josipa Pina

Subjects

STFT, spektrogram, TEHNIČKE ZNANOSTI. Računarstvo, spektar, robusnost modela, deep learning, rezidualne neuronske mreže, residual neural networks, spectrum, zvuk, Fourierova transformacija, protivnički napadi, sound, adversarial attacks, MFCC, spectrogram, TECHNICAL SCIENCES. Computing, Fourier transform, model robustness, duboko učenje, DWT

Abstract

Klasifikacija zvuka postaje sve popularniji zadatak s različitim primjenama u današnjem svijetu. U ovom radu smo se bavili klasifikacijom zvuka pomoću modela rezidualne neuronske mreže gdje su ulazni podaci bili spektrogrami dobiveni iz tri transformacije od interesa: Fourierove transformacije na vremenskom otvoru, mel-frekvencijskih kepstralnih koeficijenata i diskretne valićne transformacije. U prvom dijelu rada postavili smo teorijske osnove obrade zvuka pomoću ovih transformacija prije nego što smo prešli na duboko rezidualno učenje i protivničke napade kojima je testirana robusnost modela. Na kraju smo na praktičnom primjeru pokazali treniranje i validaciju jednog rezidualnog modela te komentirali rezultate iz prijašnjih istraživanja uz numerički prikaz rješenja. Rad smo zaključili s komentarima o svim konceptima kroz koje smo prošli te se dotaknuli potencijalnog budućeg istraživanja. Sound classification is an increasingly popular task with different applications in today's world. In this paper we've talked about sound classification using a residual neural network model where the input data were spectrograms obtained from three transformations of interest: short-time Fourier transform, mel-frequency cepstral coefficients and discrete wavelet transform. In the first half of the paper we've set a theoretical basis of sound processing via these transformations before delving into the definition of deep residual learning and adversarial attacks which were used to test the model robustness. In the end we've shown a practical example of training and validating of one such residual model, while commenting the results of prior research with numeric data displayed. We've concluded the paper with comments about all traversed concepts and touched upon potential future research.

Published

2022

250. On the vulnerability of deep learning to adversarial attacks for camera model identification.

Author

Marra, F., Gragnaniello, D., and Verdoliva, L.

Subjects

*DEEP learning, *ARTIFICIAL neural networks, *ROBUST control, *JPEG (Image coding standard), *ONLINE social networks

Abstract

Camera model identification is a fundamental task for many investigative activities, and is drawing great attention in the research community. In this context, convolutional neural networks (CNN) are expected to provide a significant performance gain over the current state of the art, as already happened for a wide range of image processing applications. However, recent studies enlightened the vulnerability of CNNs to adversarial attacks, casting shadows on their reliability for critical applications. In this paper, we investigate the robustness to adversarial attacks of CNN-based methods for camera model identification. Several networks and attack methods are considered, both when the attacker has complete knowledge of the network and when only the training set is available. In addition, the analysis concerns both original and JPEG compressed images, to simulate a social network environment. The experiments, carried out on a publicly available dataset with images coming from 29 different camera models, shed some light on the suitability of CNN-based approaches for this task. [ABSTRACT FROM AUTHOR]

Published

2018