Showing total 539 results

251. Sound classification using wavelet transformation and deep learning methods

Author

Brbor, Ana and Milišić, Josipa Pina

Subjects

STFT, spektrogram, TEHNIČKE ZNANOSTI. Računarstvo, spektar, robusnost modela, deep learning, rezidualne neuronske mreže, residual neural networks, spectrum, zvuk, Fourierova transformacija, protivnički napadi, sound, adversarial attacks, MFCC, spectrogram, TECHNICAL SCIENCES. Computing, Fourier transform, model robustness, duboko učenje, DWT

Abstract

Klasifikacija zvuka postaje sve popularniji zadatak s različitim primjenama u današnjem svijetu. U ovom radu smo se bavili klasifikacijom zvuka pomoću modela rezidualne neuronske mreže gdje su ulazni podaci bili spektrogrami dobiveni iz tri transformacije od interesa: Fourierove transformacije na vremenskom otvoru, mel-frekvencijskih kepstralnih koeficijenata i diskretne valićne transformacije. U prvom dijelu rada postavili smo teorijske osnove obrade zvuka pomoću ovih transformacija prije nego što smo prešli na duboko rezidualno učenje i protivničke napade kojima je testirana robusnost modela. Na kraju smo na praktičnom primjeru pokazali treniranje i validaciju jednog rezidualnog modela te komentirali rezultate iz prijašnjih istraživanja uz numerički prikaz rješenja. Rad smo zaključili s komentarima o svim konceptima kroz koje smo prošli te se dotaknuli potencijalnog budućeg istraživanja. Sound classification is an increasingly popular task with different applications in today's world. In this paper we've talked about sound classification using a residual neural network model where the input data were spectrograms obtained from three transformations of interest: short-time Fourier transform, mel-frequency cepstral coefficients and discrete wavelet transform. In the first half of the paper we've set a theoretical basis of sound processing via these transformations before delving into the definition of deep residual learning and adversarial attacks which were used to test the model robustness. In the end we've shown a practical example of training and validating of one such residual model, while commenting the results of prior research with numeric data displayed. We've concluded the paper with comments about all traversed concepts and touched upon potential future research.

Published

2022

252. On the vulnerability of deep learning to adversarial attacks for camera model identification.

Author

Marra, F., Gragnaniello, D., and Verdoliva, L.

Subjects

*DEEP learning, *ARTIFICIAL neural networks, *ROBUST control, *JPEG (Image coding standard), *ONLINE social networks

Abstract

Camera model identification is a fundamental task for many investigative activities, and is drawing great attention in the research community. In this context, convolutional neural networks (CNN) are expected to provide a significant performance gain over the current state of the art, as already happened for a wide range of image processing applications. However, recent studies enlightened the vulnerability of CNNs to adversarial attacks, casting shadows on their reliability for critical applications. In this paper, we investigate the robustness to adversarial attacks of CNN-based methods for camera model identification. Several networks and attack methods are considered, both when the attacker has complete knowledge of the network and when only the training set is available. In addition, the analysis concerns both original and JPEG compressed images, to simulate a social network environment. The experiments, carried out on a publicly available dataset with images coming from 29 different camera models, shed some light on the suitability of CNN-based approaches for this task. [ABSTRACT FROM AUTHOR]

Published

2018

253. MODEL-AGNOSTIC META-LEARNING FOR RESILIENCE OPTIMIZATION OF ARTIFICIAL INTELLIGENCE SYSTEM.

Author

V. V., Moskalenko

Subjects

ARTIFICIAL intelligence, MACHINE learning, IMAGE recognition (Computer vision), DEEP learning, ITERATIVE learning control

Abstract

Context. The problem of optimizing the resilience of artificial intelligence systems to destructive disturbances has not yet been fully solved and is quite relevant for safety-critical applications. The task of optimizing the resilience of an artificial intelligence system to disturbing influences is a high-level task in relation to efficiency optimization, which determines the prospects of using the ideas and methods of meta-learning to solve it. The object of current research is the process of meta-learning aimed at optimizing the resilience of an artificial intelligence system to destructive disturbances. The subjects of the study are architectural add-ons and the meta-learning method which optimize resilience to adversarial attacks, fault injection, and task changes. Objective. Stated research goal is to develop an effective meta-learning method for optimizing the resilience of an artificial intelligence system to destructive disturbances. Method. The resilience optimization is implemented by combining the ideas and methods of adversarial learning, fault-tolerant learning, model-agnostic meta-learning, few-shot learning, gradient optimization methods, and probabilistic gradient approximation strategies. The choice of architectural add-ons is based on parameter-efficient knowledge transfer designed to save resources and avoid the problem of catastrophic forgetting. Results. A model-agnostic meta-learning method for optimizing the resilience of artificial intelligence systems based on gradient meta-updates or meta-updates using an evolutionary strategy has been developed. This method involves the use of tuner and metatuner blocks that perform parallel correction of the building blocks of a original deep neural network. The ability of the proposed approach to increase the efficiency of perturbation absorption and increase the integral resilience indicator of the artificial intelligence system is experimentally tested on the example of the image classification task. The experiments were conducted on a model with the ResNet-18 architecture, with an add-on in the form of tuners and meta-tuners with the Conv-Adapter architecture. In this case, CIFAR-10 is used as a base set on which the model was trained, and CIFAR-100 is used as a set for generating samples on which adaptation is performed using a few-shot learning scenarios. We compare the resilience of the artificial intelligence system after pre-training tuners and meta-tuners using the adversarial learning algorithm, the fault-tolerant learning algorithm, the conventional model-agnostic meta-learning algorithm, and the proposed meta-learning method for optimizing resilience. Also, the meta-learning algorithms with meta-gradient updating and meta-updating based on the evolutionary strategy are compared on the basis of the integral resilience indicator. Conclusions. It has been experimentally confirmed that the proposed method provides a better resilience to random bit-flip injection compared to fault injection training by an average of 5%. Also, the proposed method provides a better resilience to L∞ - adversarial evasion attacks compared to adversarial training by an average of 4.8%. In addition, an average 4.8% increase in the resilience to task changes is demonstrated compared to conventional fine-tuning of tuners. Moreover, meta-learning with an evolutionary strategy provides, on average, higher values of the resilience indicator. On the downside, this meta-learning method requires more iterations. [ABSTRACT FROM AUTHOR]

Published

2023

254. Evil vs evil: using adversarial examples to against backdoor attack in federated learning.

Author

Liu, Tao, Li, Mingjun, Zheng, Haibin, Ming, Zhaoyan, and Chen, Jinyin

Subjects

TASK performance, DATA scrubbing, GOOD & evil

Abstract

As a distributed learning paradigm, federated learning (FL) has shown great success in aggregating information from different clients to train a shared global model. Unfortunately, by uploading carefully crafted updated models, a malicious client can embed a backdoor into the global model during FL's training. Numerous secure aggregation strategies and robust training protocols have been proposed to defend FL against backdoor attacks. However, they are still challenged, either being bypassed by adaptive attacks or sacrificing the main task performance of FL. By conducting empirical studies of backdoor attacks in FL, we gain an interesting insight that adversarial perturbations can activate backdoors in backdoor models. Consequently, behavior differences of models fed by adversarial examples are compared for backdoor update detection. We propose a novel FL backdoor defense method using adversarial examples, denoted as E ̲ v i l v ̲ s E ̲ v i l (EVE). Specifically, a small data set of clean examples for FL's main task training is collected in the sever for adversarial examples generation. By observing the behavior of updated models under the adversarial examples, EVE uses a clustering algorithm to select benign models and to exclude the other models, without any loss of the main task performance of FL itself. Extensive evaluations across four data sets and the corresponding DNNs demonstrate the state-of-the-art (SOTA) defense performance of EVE compared with five baselines. In particular, EVE under 40% of malicious clients can reduce the attack success rate from 99% to 1%. In addition, we verify that EVE is still robust under the adaptive attacks. EVE is open sourced to facilitate future research. [ABSTRACT FROM AUTHOR]

Published

2023

255. Boosting Adversarial Training Using Robust Selective Data Augmentation

Author

Rasheed, Bader, Masood Khattak, Asad, Khan, Adil, Protasov, Stanislav, and Ahmad, Muhammad

Published

2023

256. Securing DNN for smart vehicles: an overview of adversarial attacks, defenses, and frameworks

Author

Almutairi, Suzan and Barnawi, Ahmed

Published

2023

257. Are Graph Neural Network Explainers Robust to Graph Noises?

Author

Li, Yiqiao, Verma, Sunny, Yang, Shuiqiao, Zhou, Jianlong, Chen, Fang, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Aziz, Haris, editor, Corrêa, Débora, editor, and French, Tim, editor

Published

2022

258. Adversarial Robustness of MR Image Reconstruction Under Realistic Perturbations

Author

Morshuis, Jan Nikolas, Gatidis, Sergios, Hein, Matthias, Baumgartner, Christian F., Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Haq, Nandinee, editor, Johnson, Patricia, editor, Maier, Andreas, editor, Qin, Chen, editor, Würfl, Tobias, editor, and Yoo, Jaejun, editor

Published

2022

259. Defense Against Adversarial Attacks Using Chained Dual-GAN Approach

Author

Singh, Amitoj Bir, Awasthi, Lalit Kumar, Urvashi, Bansal, Jagdish Chand, Series Editor, Deep, Kusum, Series Editor, Nagar, Atulya K., Series Editor, Asokan, R., editor, Ruiz, Diego P., editor, Baig, Zubair A., editor, and Piramuthu, Selwyn, editor

Published

2022

260. Consistency Regularization Helps Mitigate Robust Overfitting in Adversarial Training

Author

Zhang, Shudong, Gao, Haichang, Zhou, Yunyi, Wu, Zihui, Tang, Yiwen, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Memmi, Gerard, editor, Yang, Baijian, editor, Kong, Linghe, editor, Zhang, Tianwei, editor, and Qiu, Meikang, editor

Published

2022

261. Addressing Adversarial Machine Learning Attacks in Smart Healthcare Perspectives

Author

Selvakkumar, Arawinkumaar, Pal, Shantanu, Jadidi, Zahra, Angrisani, Leopoldo, Series Editor, Arteaga, Marco, Series Editor, Panigrahi, Bijaya Ketan, Series Editor, Chakraborty, Samarjit, Series Editor, Chen, Jiming, Series Editor, Chen, Shanben, Series Editor, Chen, Tan Kay, Series Editor, Dillmann, Rüdiger, Series Editor, Duan, Haibin, Series Editor, Ferrari, Gianluigi, Series Editor, Ferre, Manuel, Series Editor, Hirche, Sandra, Series Editor, Jabbari, Faryar, Series Editor, Jia, Limin, Series Editor, Kacprzyk, Janusz, Series Editor, Khamis, Alaa, Series Editor, Kroeger, Torsten, Series Editor, Li, Yong, Series Editor, Liang, Qilian, Series Editor, Martín, Ferran, Series Editor, Ming, Tan Cher, Series Editor, Minker, Wolfgang, Series Editor, Misra, Pradeep, Series Editor, Möller, Sebastian, Series Editor, Mukhopadhyay, Subhas, Series Editor, Ning, Cun-Zheng, Series Editor, Nishida, Toyoaki, Series Editor, Oneto, Luca, Series Editor, Pascucci, Federica, Series Editor, Qin, Yong, Series Editor, Seng, Gan Woon, Series Editor, Speidel, Joachim, Series Editor, Veiga, Germano, Series Editor, Wu, Haitao, Series Editor, Zamboni, Walter, Series Editor, Zhang, Junjie James, Series Editor, Suryadevara, Nagender Kumar, editor, George, Boby, editor, Jayasundera, Krishanthi P., editor, Roy, Joyanta Kumar, editor, and Mukhopadhyay, Subhas Chandra, editor

Published

2022

262. AGS: Attribution Guided Sharpening as a Defense Against Adversarial Attacks

Author

Perez Tobia, Javier, Braun, Phillip, Narayan, Apurva, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Bouadi, Tassadit, editor, Fromont, Elisa, editor, and Hüllermeier, Eyke, editor

Published

2022

263. Deep Reinforcement Learning for Cybersecurity Threat Detection and Protection: A Review

Author

Sewak, Mohit, Sahay, Sanjay K., Rathore, Hemant, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Prates, Raquel Oliveira, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, Krishnan, Ram, editor, Rao, H. Raghav, editor, Sahay, Sanjay K., editor, Samtani, Sagar, editor, and Zhao, Ziming, editor

Published

2022

264. Robustness Against Adversarial Attacks Using Dimensionality

Author

Chattopadhyay, Nandish, Chatterjee, Subhrojyoti, Chattopadhyay, Anupam, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Batina, Lejla, editor, Picek, Stjepan, editor, and Mondal, Mainack, editor

Published

2022

265. AI Approach for Autonomous Vehicles to Defend from Adversarial Attacks

Author

Dhawale, Kritika, Gupta, Prachee, Jain, Tapan Kumar, Bansal, Jagdish Chand, Series Editor, Deep, Kusum, Series Editor, Nagar, Atulya K., Series Editor, Agarwal, Basant, editor, Rahman, Azizur, editor, Patnaik, Srikant, editor, and Poonia, Ramesh Chandra, editor

Published

2022

266. Reinforce NIDS Using GAN to Detect U2R and R2L Attacks

Author

Sreerag, V., Aswin, S., Menon, Akash A., Namboothiri, Leena Vishnu, Howlett, Robert J., Series Editor, Jain, Lakhmi C., Series Editor, Karuppusamy, P., editor, Perikos, Isidoros, editor, and García Márquez, Fausto Pedro, editor

Published

2022

267. BreakingBED: Breaking Binary and Efficient Deep Neural Networks by Adversarial Attacks

Author

Vemparala, Manoj-Rohit, Frickenstein, Alexander, Fasfous, Nael, Frickenstein, Lukas, Zhao, Qi, Kuhn, Sabine, Ehrhardt, Daniel, Wu, Yuankai, Unger, Christian, Nagaraja, Naveen-Shankar, Stechele, Walter, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, and Arai, Kohei, editor

Published

2022

268. Robust Malware Detection System Against Adversarial Attacks

Author

Yang, Xu, Li, Qian, Li, Cong, Qi, Yong, Xhafa, Fatos, Series Editor, and Li, Xiaolong, editor

Published

2022

269. Adversarial robustness and attacks for multi-view deep models.

Author

Sun, Xuli and Sun, Shiliang

Subjects

*CONVOLUTIONAL neural networks, *DEEP learning, *MACHINE learning, *SIGNAL convolution

Abstract

Recent work has highlighted the vulnerability of many deep machine learning models to adversarial examples. It attracts increasing attention to adversarial attacks, which can be used to evaluate the security and robustness of models before they are deployed. However, to our best knowledge, there is no specific research on the adversarial robustness and attacks for multi-view deep models. Based on the fact that adversarial examples generalize well among different models, this paper takes the adversarial attack on the multi-view convolutional neural network as an example to investigate the adversarial robustness of multi-view deep models, and further proposes effective multi-view adversarial attacks. This paper proposes two strategies, two-stage attack (TSA) and end-to-end attack (ETEA), to attack against well-trained multi-view models. With the mild assumption that the single-view model on which the target multi-view model is based is known, we first propose the TSA strategy. The main idea of TSA is to attack the multi-view model with adversarial examples generated by attacking the associated single-view model, by which state-of-the-art single-view attack methods are directly extended to the multi-view scenario. Then we further propose the ETEA strategy where the multi-view model is provided publicly. The ETEA is applied to accomplish direct attacks on the target multi-view model, where we develop three effective multi-view attack methods. Extensive experimental results show that multi-view models are more robust than single-view models and demonstrate the effectiveness of the proposed multi-view adversarial attacks. [ABSTRACT FROM AUTHOR]

Published

2021

270. Detect Adversarial Attacks Against Deep Neural Networks With GPU Monitoring

Author

Andrea Ceccarelli and Tommaso Zoppi

Subjects

General Computer Science, Computer science, Attack detection, Graphics processing unit, Machine learning, computer.software_genre, graphics processing unit, deep Neural Networks, Data modeling, Image (mathematics), Adversarial system, Software, Robustness (computer science), General Materials Science, business.industry, General Engineering, anomaly detection, TK1-9971, adversarial attacks, Deep neural networks, Artificial intelligence, Performance indicator, Electrical engineering. Electronics. Nuclear engineering, business, computer, image classification

Abstract

Deep Neural Networks (DNNs) are the preferred choice for image-based machine learning applications in several domains. However, DNNs are vulnerable to adversarial attacks, that are carefully-crafted perturbations introduced on input images to fool a DNN model. Adversarial attacks may prevent the application of DNNs in security-critical tasks: consequently, relevant research effort is put in securing DNNs. Typical approaches either increase model robustness, or add detection capabilities in the model, or operate on the input data. Instead, in this paper we propose to detect ongoing attacks through monitoring performance indicators of the underlying Graphics Processing Unit (GPU). In fact, adversarial attacks generate images that activate neurons of DNNs in a different way than legitimate images. This also causes an alteration of GPU activities, that can be observed through software monitors and anomaly detectors. This paper presents our monitoring and detection system, and an extensive experimental analysis that includes a total of 14 adversarial attacks, 3 datasets, and 12 models. Results show that, despite limitations on the monitoring resolution, adversarial attacks can be detected in most cases, with peaks of detection accuracy above 90%.

Published

2021

271. Adversarial Scratches: Deployable Attacks to CNN Classifiers

Author

Loris Giulivi, Malhar Jere, Loris Rossi, Farinaz Koushanfar, Gabriela Ciocarlie, Briland Hitaj, and Giacomo Boracchi

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, I.4, I.5, Computer Vision and Pattern Recognition (cs.CV), Adversarial attacks, Computer Science - Computer Vision and Pattern Recognition, Adversarial perturbations, Adversarial attacks, Deep learning, Convolutional neural networks, Bézier curves, Deep learning, Bézier curves, Machine Learning (cs.LG), Adversarial perturbations, Artificial Intelligence, Signal Processing, Convolutional neural networks, Computer Vision and Pattern Recognition, Cryptography and Security (cs.CR), Software

Abstract

A growing body of work has shown that deep neural networks are susceptible to adversarial examples. These take the form of small perturbations applied to the model's input which lead to incorrect predictions. Unfortunately, most literature focuses on visually imperceivable perturbations to be applied to digital images that often are, by design, impossible to be deployed to physical targets. We present Adversarial Scratches: a novel L0 black-box attack, which takes the form of scratches in images, and which possesses much greater deployability than other state-of-the-art attacks. Adversarial Scratches leverage B\'ezier Curves to reduce the dimension of the search space and possibly constrain the attack to a specific location. We test Adversarial Scratches in several scenarios, including a publicly available API and images of traffic signs. Results show that, often, our attack achieves higher fooling rate than other deployable state-of-the-art methods, while requiring significantly fewer queries and modifying very few pixels., Comment: This work is published at Pattern Recognition (Elsevier). This paper stems from 'Scratch that! An Evolution-based Adversarial Attack against Neural Networks' for which an arXiv preprint is available at arXiv:1912.02316. Further studies led to a complete overhaul of the work, resulting in this paper

Published

2022

272. Towards robust rain removal against adversarial attacks: a comprehensive benchmark analysis and beyond

Author

Yi Yu, Wenhan Yang, Yap-Peng Tan, Alex C. Kot, Interdisciplinary Graduate School (IGS), School of Electrical and Electronic Engineering, 2022 IEEE/CVF Computer Vision and Pattern Recognition Conference (CVPR), and Rapid-Rich Object Search (ROSE) Lab

Subjects

FOS: Computer and information sciences, Rain Sreak Removal, Computer Science - Cryptography and Security, Computer science and engineering::Computing methodologies::Image processing and computer vision [Engineering], Computer science and engineering::Computing methodologies::Pattern recognition [Engineering], Computer Vision and Pattern Recognition (cs.CV), Computer Science - Computer Vision and Pattern Recognition, Cryptography and Security (cs.CR), Adversarial Attacks

Abstract

Rain removal aims to remove rain streaks from images/videos and reduce the disruptive effects caused by rain. It not only enhances image/video visibility but also allows many computer vision algorithms to function properly. This paper makes the first attempt to conduct a comprehensive study on the robustness of deep learning-based rain removal methods against adversarial attacks. Our study shows that, when the image/video is highly degraded, rain removal methods are more vulnerable to the adversarial attacks as small distortions/perturbations become less noticeable or detectable. In this paper, we first present a comprehensive empirical evaluation of various methods at different levels of attacks and with various losses/targets to generate the perturbations from the perspective of human perception and machine analysis tasks. A systematic evaluation of key modules in existing methods is performed in terms of their robustness against adversarial attacks. From the insights of our analysis, we construct a more robust deraining method by integrating these effective modules. Finally, we examine various types of adversarial attacks that are specific to deraining problems and their effects on both human and machine vision tasks, including 1) rain region attacks, adding perturbations only in the rain regions to make the perturbations in the attacked rain images less visible; 2) object-sensitive attacks, adding perturbations only in regions near the given objects. Code is available at https://github.com/yuyi-sd/Robust_Rain_Removal., Comment: 10 pages, 6 figures, to appear in CVPR 2022

Published

2022

273. Detection of SQL Injection Attack Using Machine Learning Techniques: A Systematic Literature Review

Author

Maha Alghawazi, Daniyal Alghazzawi, and Suaad Alarifi

Subjects

SQL injection, machine learning, deep learning, adversarial attacks, Technology (General), T1-995

Abstract

An SQL injection attack, usually occur when the attacker(s) modify, delete, read, and copy data from database servers and are among the most damaging of web application attacks. A successful SQL injection attack can affect all aspects of security, including confidentiality, integrity, and data availability. SQL (structured query language) is used to represent queries to database management systems. Detection and deterrence of SQL injection attacks, for which techniques from different areas can be applied to improve the detect ability of the attack, is not a new area of research but it is still relevant. Artificial intelligence and machine learning techniques have been tested and used to control SQL injection attacks, showing promising results. The main contribution of this paper is to cover relevant work related to different machine learning and deep learning models used to detect SQL injection attacks. With this systematic review, we aims to keep researchers up-to-date and contribute to the understanding of the intersection between SQL injection attacks and the artificial intelligence field.

Published

2022

274. Transferability analysis of adversarial attacks on gender classification to face recognition: Fixed and variable attack perturbation

Author

Zohra Rezgui, Amina Bassit, and Raymond Veldhuis

Subjects

adversarial attacks, face recognition, gender classification, privacy protection, Electronic computers. Computer science, QA75.5-76.95

Abstract

Abstract Most deep learning‐based image classification models are vulnerable to adversarial attacks that introduce imperceptible changes to the input images for the purpose of model misclassification. It has been demonstrated that these attacks, targeting a specific model, are transferable among models performing the same task. However, models performing different tasks but sharing the same input space and model architecture were never considered in the transferability scenarios presented in the literature. In this paper, this phenomenon was analysed in the context of VGG16‐based and ResNet50‐based biometric classifiers. The authors investigate the impact of two white‐box attacks on a gender classifier and contrast a defence method as a countermeasure. Then, using adversarial images generated by the attacks, a pre‐trained face recognition classifier is attacked in a black‐box fashion. Two verification comparison settings are employed, in which images perturbed with the same and different magnitude of the perturbation are compared. The authors’ results indicate transferability in the fixed perturbation setting for a Fast Gradient Sign Method attack and non‐transferability in a pixel‐guided denoiser attack setting. The interpretation of this non‐transferability can support the use of fast and train‐free adversarial attacks targeting soft biometric classifiers as means to achieve soft biometric privacy protection while maintaining facial identity as utility.

Published

2022

275. Collaborative Defense-GAN for protecting adversarial attacks on classification system.

Author

Laykaviriyakul, Pranpaveen and Phaisangittisagul, Ekachai

Subjects

*PLANT defenses, *DEEP learning, *PROBLEM solving, *CLASSIFICATION

Abstract

With rapid progress and significant successes in a wide domain of applications, deep learning has been extensively employed for solving complex problems. However, performance of deep learning has been vulnerable to well-designed samples, called adversarial samples. These samples are carefully designed to deceive the deep learning models without human perception. Therefore, vulnerability to adversarial attacks becomes one of the major concerns in life-critical applications of deep learning. In this paper, a novel approach to counter adversarial samples is proposed to strengthen the robustness of a deep learning model. The strategy is to filter the perturbation noise in adversarial samples prior to prediction. The proposed defense framework is based on DiscoGANs to discover the relation between attacker and defender characteristics. Attacker models are created to generate the adversarial samples from the training data, while the defender model is trained to reconstruct original samples from the adversarial samples. These two frameworks are trained to compete with each other in an alternating manner. The experimental results on different attack models are compared with popular defense mechanisms on three benchmark datasets. Our proposed method shows promising results and can improve the robustness on both white-box and black-box attacks including the computation time. • Adversarial samples without human perception degrade model prediction. • Filtering the perturbation noise can strengthen the robustness of the model. • The proposed method achieves impressive performance over various attacks. • Improvement of computation time of the reconstruction process is demonstrated. • Results illustrate the robustness to both white-box and black-box attacks. [ABSTRACT FROM AUTHOR]

Published

2023

276. Adversarial attacks and active defense on deep learning based identification of GaN power amplifiers under physical perturbation.

Author

Xu, Yuqing, Xu, Guangxia, An, Zeliang, Nielsen, Martin Hedegaard, and Shen, Ming

Subjects

*POWER amplifiers, *DEEP learning, *HUMAN fingerprints, *WIRELESS sensor networks, *GENERATIVE adversarial networks, *GALLIUM nitride

Abstract

Deep learning (DL)-based radiofrequency (RF) fingerprinting identification has shown significantly growing importance in the wireless industry including 5G, IoT and Wireless Sensor Networks (WSN). However, there is little investigation on the robustness of the corresponding DL models against adversarial attacks and adversarial defense. This paper discusses the effects of four cutting-edge adversarial attacks on DL-based RF fingerprinting identification and provides a graphical analysis of RF feature perturbations following adversarial attacks. For the first time we also demonstrate the results of combined physical attack (i.e. tuning the drain currents of the power amplifiers) by tuning the physical features of the device hardware (i.e. drain current), and adversarial attacks on DL-based classifiers. Experimental results from 16 Gallium nitride (GaN) power amplifiers (PA) reveal that adversarial attacks can seriously deteriorate the accuracy of RF identification from about 100.00% to below 10.00% even with only 0.50% adversarial perturbation. In order to deal with the problem of decreased accuracy caused by attacks, we proposed an adversarial defense method based on feature-level interpretability (FIAT), which improved the accuracy of RF identification with interpretability analysis. The results compared with several common defense methods validate that the proposed FIAT can maintain an accuracy of 96.00% even when the adversarial attack perturbation is 5.00% and with physical attack. Moreover, the changes of data features in the process of adversarial attacks and defense are given, providing a new way for the interpretability of adversarial attacks and defense on RF identification tasks. [ABSTRACT FROM AUTHOR]

Published

2023

277. DDSG-GAN: Generative Adversarial Network with Dual Discriminators and Single Generator for Black-Box Attacks.

Author

Wang, Fangwei, Ma, Zerou, Zhang, Xiaohan, Li, Qingru, and Wang, Changguang

Subjects

GENERATIVE adversarial networks, ARTIFICIAL intelligence

Abstract

As one of the top ten security threats faced by artificial intelligence, the adversarial attack has caused scholars to think deeply from theory to practice. However, in the black-box attack scenario, how to raise the visual quality of an adversarial example (AE) and perform a more efficient query should be further explored. This study aims to use the architecture of GAN combined with the model-stealing attack to train surrogate models and generate high-quality AE. This study proposes an image AE generation method based on the generative adversarial networks with dual discriminators and a single generator (DDSG-GAN) and designs the corresponding loss function for each model. The generator can generate adversarial perturbation, and two discriminators constrain the perturbation, respectively, to ensure the visual quality and attack effect of the generated AE. We extensively experiment on MNIST, CIFAR10, and Tiny-ImageNet datasets. The experimental results illustrate that our method can effectively use query feedback to generate an AE, which significantly reduces the number of queries on the target model and can implement effective attacks. [ABSTRACT FROM AUTHOR]

Published

2023

278. Defending Adversarial Examples by a Clipped Residual U-Net Model.

Author

Ali, Kazim, Qureshi, Adnan N., Bhatti, Muhammad Shahid, Sohail, Abid, and Hijji, Mohammad

Subjects

GENERATIVE adversarial networks, OBJECT recognition (Computer vision), COMPUTER vision, DEEP learning, CONVOLUTIONAL neural networks, MACHINE learning

Abstract

Deep learning-based systems have succeeded in many computer vision tasks. However, it is found that the latest study indicates that these systems are in danger in the presence of adversarial attacks. These attacks can quickly spoil deep learning models, e.g., different convolutional neural networks (CNNs), used in various computer vision tasks from image classification to object detection. The adversarial examples are carefully designed by injecting a slight perturbation into the clean images. The proposed CRU-Net defense model is inspired by state-ofthe-art defense mechanisms such as MagNet defense, Generative Adversarial Network Defense, Deep Regret Analytic Generative Adversarial Networks Defense, Deep Denoising Sparse Autoencoder Defense, and Condtional Generattive Adversarial Network Defense. We have experimentally proved that our approach is better than previous defensive techniques. Our proposed CRU-Net model maps the adversarial image examples into clean images by eliminating the adversarial perturbation. The proposed defensive approach is based on residual and U-Net learning. Many experiments are done on the datasets MNIST and CIFAR10 to prove that our proposed CRU-Net defense model prevents adversarial example attacks in WhiteBox and BlackBox settings and improves the robustness of the deep learning algorithms especially in the computer vision field. We have also reported similarity (SSIM and PSNR) between the original and restored clean image examples by the proposed CRU-Net defense model. [ABSTRACT FROM AUTHOR]

Published

2023

279. Mitigating Malicious Adversaries Evasion Attacks in Industrial Internet of Things.

Author

Rafiq, Husnain, Aslam, Nauman, Ahmed, Usman, and Lin, Jerry Chun-Wei

Abstract

With advanced 5G/6G networks, data-driven interconnected devices will increase exponentially. As a result, the Industrial Internet of Things (IIoT) requires data secure information extraction to apply digital services, medical diagnoses, and financial forecasting. This introduction of high-speed network mobile applications will also adapt. As a consequence, the scale and complexity of Android malware are rising. Detection of malware classification is vulnerable to attacks. A fabricated feature can force misclassification to produce the desired output. This article proposes a subset feature selection method to evade fabricated attacks in the IIoT environment. The method extracts application-aware features from a single android application to train an independent classification model. Ensemble-based learning is then used to train the distinct classification models. Finally, the collaborative ML classifier makes independent decisions to fight against adversarial evasion attacks. We compare and evaluate the benchmark Android malware dataset. The proposed method achieved 91% accuracy with 14 fabricated input features. [ABSTRACT FROM AUTHOR]

Published

2023

280. SIEMS: A Secure Intelligent Energy Management System for Industrial IoT Applications.

Author

Asef, Pedram, Taheri, Rahim, Shojafar, Mohammad, Mporas, Iosif, and Tafazolli, Rahim

Abstract

Microgrids are industrial technologies that can provide energy resources for the Internet of Things (IoT) demands in smart grids. Hybrid microgrids supply quality power to the IoT devices and ensure high resiliency in supply and demand for PV-based grid-tied microgrids. In this system, the usage of predictive energy management systems (EMS) is essential to dispatch power from different resources, while the battery energy storage system (BESS) is feeding the loads. In this article, we deploy a one-day-ahead prediction algorithm using a deep neural network for a fast-response BESS in an intelligent energy management system (I-EMS) that is called SIEMS. The main role of the SIEMS is to maintain the SOC at high rates based on the one-day-ahead information about solar power, which depends on meteorological conditions. The remaining power is supplied by the main grid for sustained power streaming between BESS and end-users. Considering the usage of information and communication technology components in the microgrids, the main objective of this article is focused on the hybrid microgrid performance under cyber-physical security adversarial attacks. Fast gradient sign, basic iterative, and DeepFool methods, which are investigated for the first time in power systems e.g., smart grid and microgrids, in order to produce perturbation for training data. To secure the microgrid’s SIEMS, we propose two Defence algorithms based on defensive distillation and adversarial training strategies for the first time in EMSs. We apply and evaluate these benchmark adversarial attack and Defence methods against the proposed machine learning models to increase the robustness of the models in the system against adversarial attacks. [ABSTRACT FROM AUTHOR]

Published

2023

281. Adversarial Machine Learning in Image Classification: A Survey Toward the Defender’s Perspective.

Author

RESENDE MACHADO, GABRIEL, SILVA, EUGÊNIO, and GOLDSCHMIDT, RONALDO RIBEIRO

Subjects

ARTIFICIAL neural networks, COMPUTER vision, DEEP learning, CLASSIFICATION, MACHINE learning, DRIVERLESS cars, MATHEMATICAL optimization

Abstract

Deep Learning algorithms have achieved state-of-the-art performance for Image Classification. For this reason, they have been used even in security-critical applications, such as biometric recognition systems and self-driving cars. However, recent works have shown those algorithms, which can even surpass human capabilities, are vulnerable to adversarial examples. In Computer Vision, adversarial examples are images containing subtle perturbations generated by malicious optimization algorithms to fool classifiers. As an attempt to mitigate these vulnerabilities, numerous countermeasures have been proposed recently in the literature. However, devising an efficient defense mechanism has proven to be a difficult task, since many approaches demonstrated to be ineffective against adaptive attackers. Thus, this article aims to provide all readerships with a review of the latest research progress on Adversarial Machine Learning in Image Classification, nevertheless, with a defender’s perspective. This article introduces novel taxonomies for categorizing adversarial attacks and defenses, as well as discuss possible reasons regarding the existence of adversarial examples. In addition, relevant guidance is also provided to assist researchers when devising and evaluating defenses. Finally, based on the reviewed literature, this article suggests some promising paths for future research. [ABSTRACT FROM AUTHOR]

Published

2023

282. Minimally Distorted Structured Adversarial Attacks.

Author

Kazemi, Ehsan, Kerdreux, Thomas, and Wang, Liqiang

Subjects

SYNCOPE, MATHEMATICAL optimization, MATHEMATICAL regularization

Abstract

White box adversarial perturbations are generated via iterative optimization algorithms most often by minimizing an adversarial loss on a ℓ p neighborhood of the original image, the so-called distortion set. Constraining the adversarial search with different norms results in disparately structured adversarial examples. Here we explore several distortion sets with structure-enhancing algorithms. These new structures for adversarial examples might provide challenges for provable and empirical robust mechanisms. Because adversarial robustness is still an empirical field, defense mechanisms should also reasonably be evaluated against differently structured attacks. Besides, these structured adversarial perturbations may allow for larger distortions size than their ℓ p counterpart while remaining imperceptible or perceptible as natural distortions of the image. We will demonstrate in this work that the proposed structured adversarial examples can significantly bring down the classification accuracy of adversarially trained classifiers while showing a low ℓ 2 distortion rate. For instance, on ImagNet dataset the structured attacks drop the accuracy of the adversarial model to near zero with only 50% of ℓ 2 distortion generated using white-box attacks like PGD. As a byproduct, our findings on structured adversarial examples can be used for adversarial regularization of models to make models more robust or improve their generalization performance on datasets that are structurally different. [ABSTRACT FROM AUTHOR]

Published

2023

283. Generate adversarial examples by adaptive moment iterative fast gradient sign method.

Author

Zhang, Jiebao, Qian, Wenhua, Nie, Rencan, Cao, Jinde, and Xu, Dan

Subjects

ARTIFICIAL neural networks, COSINE function

Abstract

Deep neural networks (DNNs) are vulnerable to adversarial examples that are similar to original samples but contain the perturbations intentionally crafted by adversaries. Many efficient and typical attacks are based on the fast gradient sign method and usually against models by adding invariant perturbation magnitude to the input of DNN in each iteration. Some studies report that the loss surface demonstrates significant non-smooth variation in the input space. The invariant perturbation size may not be conducive to finding adversarial examples fast in iterations. In this work, we propose the adaptive moment iterative fast gradient sign method (Adam-FGSM), a new iterative white-box attack. According to the moment estimations of the gradients, Adam-FGSM can follow stable perturbation directions by the first-order moment estimation of gradients and adaptively compute the perturbation size with the second-order moment estimations. The experimental results show that Adam-FGSM could adopt rugged input loss space to generate adversarial examples with a higher attack success rate and acceptable transferability in fewer iterations. We analyze the attack process of Adam-FGSM to explain why it can achieve outstanding performance by visualizing the L1, L ∞ norms, and the cosine similarity of perturbations. Furthermore, we plot trajectories of iterative attack methods to observe the geometric characteristics intuitively. [ABSTRACT FROM AUTHOR]

Published

2023

284. Revisiting model's uncertainty and confidences for adversarial example detection.

Author

Aldahdooh, Ahmed, Hamidouche, Wassim, and Déforges, Olivier

Subjects

ARTIFICIAL neural networks, CONFIDENCE

Abstract

Security-sensitive applications that rely on Deep Neural Networks (DNNs) are vulnerable to small perturbations that are crafted to generate Adversarial Examples. The (AEs) are imperceptible to humans and cause DNN to misclassify them. Many defense and detection techniques have been proposed. Model's confidences and Dropout, as a popular way to estimate the model's uncertainty, have been used for AE detection but they showed limited success against black- and gray-box attacks. Moreover, the state-of-the-art detection techniques have been designed for specific attacks or broken by others, need knowledge about the attacks, are not consistent, increase model parameters overhead, are time-consuming, or have latency in inference time. To trade off these factors, we revisit the model's uncertainty and confidences and propose a novel unsupervised ensemble AE detection mechanism that 1) uses the uncertainty method called SelectiveNet, 2) processes model layers outputs, i.e. feature maps, to generate new confidence probabilities. The detection method is called SFAD. Experimental results show that the proposed approach achieves better performance against black- and gray-box attacks than the state-of-the-art methods and achieves comparable performance against white-box attacks. Moreover, results show that SFAD is fully robust against High Confidence Attacks (HCAs) for MNIST and partially robust for CIFAR10 datasets.1 [ABSTRACT FROM AUTHOR]

Published

2023

285. An Adversarial Approach for Intrusion Detection Systems Using Jacobian Saliency Map Attacks (JSMA) Algorithm.

Author

Qureshi, Ayyaz Ul Haq, Larijani, Hadi, Yousefi, Mehdi, Adeel, Ahsan, and Mtetwa, Nhamoinesu

Subjects

ALGORITHMS, COMPUTER network security, INFORMATION storage & retrieval systems, MACHINE learning, MALWARE, MALWARE prevention

Abstract

In today's digital world, the information systems are revolutionizing the way we connect. As the people are trying to adopt and integrate intelligent systems into daily lives, the risks around cyberattacks on user-specific information have significantly grown. To ensure safe communication, the Intrusion Detection Systems (IDS) were developed often by using machine learning (ML) algorithms that have the unique ability to detect malware against network security violations. Recently, it was reported that the IDS are prone to carefully crafted perturbations known as adversaries. With the aim to understand the impact of such attacks, in this paper, we have proposed a novel random neural network-based adversarial intrusion detection system (RNN-ADV). The NSL-KDD dataset is utilized for training. For adversarial attack crafting, the Jacobian Saliency Map Attack (JSMA) algorithm is used, which identifies the feature which can cause maximum change to the benign samples with minimum added perturbation. To check the effectiveness of the proposed adversarial scheme, the results are compared with a deep neural network which indicates that RNN-ADV performs better in terms of accuracy, precision, recall, F1 score and training epochs. [ABSTRACT FROM AUTHOR]

Published

2020

286. Effectiveness of the Execution and Prevention of Metric-Based Adversarial Attacks on Social Network Data †.

Author

Parulian, Nikolaus Nova, Lu, Tiffany, Mishra, Shubhanshu, Avram, Mihai, and Diesner, Jana

Subjects

SCALE-free network (Statistical physics), SOCIAL networks, SOCIAL sciences education, SOCIAL systems, COMPUTER network security, SOCIAL dynamics

Abstract

Observed social networks are often considered as proxies for underlying social networks. The analysis of observed networks oftentimes involves the identification of influential nodes via various centrality measures. This paper brings insights from research on adversarial attacks on machine learning systems to the domain of social networks by studying strategies by which an adversary can minimally perturb the observed network structure to achieve their target function of modifying the ranking of a target node according to centrality measures. This can represent the attempt of an adversary to boost or demote the degree to which others perceive individual nodes as influential or powerful. We study the impact of adversarial attacks on targets and victims, and identify metric-based security strategies to mitigate such attacks. We conduct a series of controlled experiments on synthetic network data to identify attacks that allow the adversary to achieve their objective with a single move. We then replicate the experiments with empirical network data. We run our experiments on common network topologies and use common centrality measures. We identify a small set of moves that result in the adversary achieving their objective. This set is smaller for decreasing centrality measures than for increasing them. For both synthetic and empirical networks, we observe that larger networks are less prone to adversarial attacks than smaller ones. Adversarial moves have a higher impact on cellular and small-world networks, while random and scale-free networks are harder to perturb. Also, empirical networks are harder to attack than synthetic networks. Using correlation analysis on our experimental results, we identify how combining measures with low correlation can aid in reducing the effectiveness of adversarial moves. Our results also advance the knowledge about the robustness of centrality measures to network perturbations. The notion of changing social network data to yield adversarial outcomes has practical implications, e.g., for information diffusion on social media, influence and power dynamics in social systems, and developing solutions to improving network security. [ABSTRACT FROM AUTHOR]

Published

2020

287. Low-Pass Image Filtering to Achieve Adversarial Robustness

Author

Vadim Ziyadinov and Maxim Tereshonok

Subjects

adversarial attacks, artificial neural networks, robustness, image filtering, convolutional neural networks, image recognition, Chemical technology, TP1-1185

Abstract

In this paper, we continue the research cycle on the properties of convolutional neural network-based image recognition systems and ways to improve noise immunity and robustness. Currently, a popular research area related to artificial neural networks is adversarial attacks. The adversarial attacks on the image are not highly perceptible to the human eye, and they also drastically reduce the neural network’s accuracy. Image perception by a machine is highly dependent on the propagation of high frequency distortions throughout the network. At the same time, a human efficiently ignores high-frequency distortions, perceiving the shape of objects as a whole. We propose a technique to reduce the influence of high-frequency noise on the CNNs. We show that low-pass image filtering can improve the image recognition accuracy in the presence of high-frequency distortions in particular, caused by adversarial attacks. This technique is resource efficient and easy to implement. The proposed technique makes it possible to measure up the logic of an artificial neural network to that of a human, for whom high-frequency distortions are not decisive in object recognition.

Published

2023

288. Improving Adversarial Robustness via Distillation-Based Purification

Author

Inhwa Koo, Dong-Kyu Chae, and Sang-Chul Lee

Subjects

adversarial robustness, adversarial attacks, adversarial purification, knowledge distillation, image classification, convolutional autoencoders, Technology, Engineering (General). Civil engineering (General), TA1-2040, Biology (General), QH301-705.5, Physics, QC1-999, Chemistry, QD1-999

Abstract

Despite the impressive performance of deep neural networks on many different vision tasks, they have been known to be vulnerable to intentionally added noise to input images. To combat these adversarial examples (AEs), improving the adversarial robustness of models has emerged as an important research topic, and research has been conducted in various directions including adversarial training, image denoising, and adversarial purification. Among them, this paper focuses on adversarial purification, which is a kind of pre-processing that removes noise before AEs enter a classification model. The advantage of adversarial purification is that it can improve robustness without affecting the model’s nature, while another defense techniques like adversarial training suffer from a decrease in model accuracy. Our proposed purification framework utilizes a Convolutional Autoencoder as a base model to capture the features of images and their spatial structure.We further aim to improve the adversarial robustness of our purification model by distilling the knowledge from teacher models. To this end, we train two Convolutional Autoencoders (teachers), one with adversarial training and the other with normal training. Then, through ensemble knowledge distillation, we transfer the ability of denoising and restoring of original images to the student model (purification model). Our extensive experiments confirm that our student model achieves high purification performance(i.e., how accurately a pre-trained classification model classifies purified images). The ablation study confirms the positive effect of our idea of ensemble knowledge distillation from two teachers on performance.

Published

2023

289. On the Robustness of ML-Based Network Intrusion Detection Systems: An Adversarial and Distribution Shift Perspective

Author

Minxiao Wang, Ning Yang, Dulaj H. Gunasinghe, and Ning Weng

Subjects

network intrusion detection systems, robustness, machine learning, adversarial attacks, distribution shifts, Electronic computers. Computer science, QA75.5-76.95

Abstract

Utilizing machine learning (ML)-based approaches for network intrusion detection systems (NIDSs) raises valid concerns due to the inherent susceptibility of current ML models to various threats. Of particular concern are two significant threats associated with ML: adversarial attacks and distribution shifts. Although there has been a growing emphasis on researching the robustness of ML, current studies primarily concentrate on addressing specific challenges individually. These studies tend to target a particular aspect of robustness and propose innovative techniques to enhance that specific aspect. However, as a capability to respond to unexpected situations, the robustness of ML should be comprehensively built and maintained in every stage. In this paper, we aim to link the varying efforts throughout the whole ML workflow to guide the design of ML-based NIDSs with systematic robustness. Toward this goal, we conduct a methodical evaluation of the progress made thus far in enhancing the robustness of the targeted NIDS application task. Specifically, we delve into the robustness aspects of ML-based NIDSs against adversarial attacks and distribution shift scenarios. For each perspective, we organize the literature in robustness-related challenges and technical solutions based on the ML workflow. For instance, we introduce some advanced potential solutions that can improve robustness, such as data augmentation, contrastive learning, and robustness certification. According to our survey, we identify and discuss the ML robustness research gaps and future direction in the field of NIDS. Finally, we highlight that building and patching robustness throughout the life cycle of an ML-based NIDS is critical.

Published

2023

290. Structure Estimation of Adversarial Distributions for Enhancing Model Robustness: A Clustering-Based Approach

Author

Bader Rasheed, Adil Khan, and Asad Masood Khattak

Subjects

deep neural networks, robustness, adversarial attacks, adversarial training, clustering, Technology, Engineering (General). Civil engineering (General), TA1-2040, Biology (General), QH301-705.5, Physics, QC1-999, Chemistry, QD1-999

Abstract

In this paper, we propose an advanced method for adversarial training that focuses on leveraging the underlying structure of adversarial perturbation distributions. Unlike conventional adversarial training techniques that consider adversarial examples in isolation, our approach employs clustering algorithms in conjunction with dimensionality reduction techniques to group adversarial perturbations, effectively constructing a more intricate and structured feature space for model training. Our method incorporates density and boundary-aware clustering mechanisms to capture the inherent spatial relationships among adversarial examples. Furthermore, we introduce a strategy for utilizing adversarial perturbations to enhance the delineation between clusters, leading to the formation of more robust and compact clusters. To substantiate the method’s efficacy, we performed a comprehensive evaluation using well-established benchmarks, including MNIST and CIFAR-10 datasets. The performance metrics employed for the evaluation encompass the adversarial clean accuracy trade-off, demonstrating a significant improvement in both robust and standard test accuracy over traditional adversarial training methods. Through empirical experiments, we show that the proposed clustering-based adversarial training framework not only enhances the model’s robustness against a range of adversarial attacks, such as FGSM and PGD, but also improves generalization in clean data domains.

Published

2023

291. A Pornographic Images Recognition Model based on Deep One-Class Classification With Visual Attention Mechanism

Author

Chun Xu, Gang Liang, Jin Yang, Wenbo He, Chen Junren, and Ruihang Liu

Subjects

General Computer Science, Computer science, 02 engineering and technology, Convolutional neural network, Field (computer science), Image (mathematics), Pornography classification, 0202 electrical engineering, electronic engineering, information engineering, Image scaling, One-class classification, Preprocessor, General Materials Science, Artificial neural network, business.industry, General Engineering, deep learning, 020206 networking & telecommunications, Pattern recognition, one-class classification, Constraint (information theory), adversarial attacks, 020201 artificial intelligence & image processing, Artificial intelligence, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, visual attention mechanism, lcsh:TK1-9971

Abstract

The existing approaches usually treat the recognition of pornographic images as a binary or multi-class classification task, which is realized by extracting a variety of features. However, these approaches ignore the problem of infinite kinds in the negative samples and lose sight of the impact of uncertainty in classification tasks, resulting in inadequate negative data sets and incorrect recognition of samples that are not in the training set. In order to address this challenge, this paper proposes a method named Deep One-Class with Attention for Pornography (DOCAPorn) that recognizes the pornographic images through the one-class classification model based on neural networks and introduces the visual attention mechanism to enhance the performance of recognition. Moreover, since the existing approaches based on deep convolutional neural networks (CNNs) require a fixed-size (e.g., $224\times224$ ) input image, the geometric distortion caused by image scaling is not considerd in the existing approaches, which reduces the pornographic image recognizition accuracy. In order to solve this issue, this paper proposes the Scale Constraint Pooling (SCP) that converts the inputs of different dimensions into outputs of the same dimension. In addition, all the existing approaches ignore the adversarial attacks in the field of pornographic image recognition. In order to deal with this problem, the paper proposes the Preprocessing for Compressing and Reconstructing (PreCR), a pre-processing approach that reduces the subtle perturbation through compressing the images and then reconstructs the purified image for recognition. The proposed approach is verified by conducting comparative experiments using custom datasets. The experimental results showed that we achieved an accuracy of 98.419% on our dataset. In addition, the proposed approach yielded a recognition accuracy of 95.632% on the NPDI dataset. Furthermore, the obtained results demonstrate that the proposed approach not only effectively recognizes pornographic images but also effectively defends the adversarial attacks.

Published

2020

292. Robust Federated Learning for execution time-based device model identification under label-flipping attack

Author

Sánchez Sánchez, Pedro Miguel, Huertas Celdrán, Alberto, Buendía Rubio, José Rafael, Bovet, Gérôme, and Martínez Pérez, Gregorio

Published

2023

293. Robust transformer with locality inductive bias and feature normalization

Author

Omid Nejati Manzari, Hossein Kashiani, Hojat Asgarian Dehkordi, and Shahriar B. Shokouhi

Subjects

Vision transformer, Robustness, Adversarial attacks, Traffic sign classification, Engineering (General). Civil engineering (General), TA1-2040

Abstract

Vision transformers have been demonstrated to yield state-of-the-art results on a variety of computer vision tasks using attention-based networks. However, research works in transformers mostly do not investigate robustness/accuracy trade-off, and they still struggle to handle adversarial perturbations. In this paper, we explore the robustness of vision transformers against adversarial perturbations and try to enhance their robustness/accuracy trade-off in white box attack settings. To this end, we propose Locality iN Locality (LNL) transformer model. We prove that the locality introduction to LNL contributes to the robustness performance since it aggregates local information such as lines, edges, shapes, and even objects. In addition, to further improve the robustness performance, we encourage LNL to extract training signal from the moments (a.k.a., mean and standard deviation) and the normalized features. We validate the effectiveness and generality of LNL by achieving state-of-the-art results in terms of accuracy and robustness metrics on German Traffic Sign Recognition Benchmark (GTSRB) and Canadian Institute for Advanced Research (CIFAR-10). More specifically, for traffic sign classification, the proposed LNL yields gains of 1.1% and 35% in terms of clean and robustness accuracy compared to the state-of-the-art studies.

Published

2023

294. Resilience enhancement of multi-agent reinforcement learning-based demand response against adversarial attacks.

Author

Zeng, Lanting, Qiu, Dawei, and Sun, Mingyang

Subjects

*REINFORCEMENT learning, *REINFORCEMENT (Psychology), *DIGITAL communications, *TELECOMMUNICATION, *INTERNET security, *MARL

Abstract

Demand response improves grid security by adjusting the flexibility of consumers meanwhile maintaining their demand–supply balance in real-time. With the large-scale deployment of distributed digital communication technologies and advanced metering infrastructures, data-driven approaches such as multi-agent reinforcement learning (MARL) are being widely employed to solve demand response problems. Nevertheless, the massive interaction of data inside and outside the demand response management system may lead to severe threats from the perspective of cyber-attacks. The cyber security requirements of MARL-based demand response problems are less discussed in the existing studies. To this end, this paper proposes a robust adversarial multi-agent reinforcement learning framework for demand response (RAMARL-DR) with an enhanced resilience against adversarial attacks. In particular, the proposed RAMARL-DR first constructs an adversary agent that aims to cause the worst-case performance via formulating an adversarial attack; and then adopts periodic alternating robust adversarial training scenarios with the optimal adversary aiming to diminish the severe impacts induced by adversarial attacks. Case studies are conducted based on an OpenAI Gym environment CityLearn, which provides a standard evaluation platform of MARL algorithms for demand response problems. Empirical results indicate that the MARL-based demand response management system is vulnerable when the adversary agent occurs, and its performance can be significantly improved after periodic alternating robust adversarial training. It can be found that the adversary agent can result in a 41.43% higher metric value of Ramping than the no adversary case, whereas the proposed RAMARL-DR can significantly enhance the system resilience with an approximately 38.85% reduction in the ramping of net demand. • The RAMARL-DR is proposed to improve the resilience of DR management system. • A single-agent adversary is formulated to generate optimal adversarial attacks. • Alternating training algorithm can jointly optimize adversary and victim policies. • An open-source platform with real energy data is employed as the environment. • The robustness of RAMARL-DR is verified across different training and test scenarios. [ABSTRACT FROM AUTHOR]

Published

2022

295. Understanding deep learning defenses against adversarial examples through visualizations for dynamic risk assessment.

Author

Echeberria-Barrio, Xabier, Gil-Lerchundi, Amaia, Egana-Zubia, Jon, and Orduna-Urrutia, Raul

Subjects

ARTIFICIAL neural networks, DEEP learning, CONVOLUTIONAL neural networks, BEHAVIOR modification, RISK assessment

Abstract

In recent years, deep neural network models have been developed in different fields, where they have brought many advances. However, they have also started to be used in tasks where risk is critical. Misdiagnosis of these models can lead to serious accidents or even death. This concern has led to an interest among researchers to study possible attacks on these models, discovering a long list of vulnerabilities, from which every model should be defended. The adversarial example attack is a widely known attack among researchers, who have developed several defenses to avoid such a threat. However, these defenses are as opaque as a deep neural network model, how they work is still unknown. This is why visualizing how they change the behavior of the target model is interesting in order to understand more precisely how the performance of the defended model is being modified. For this work, three defense strategies, against adversarial example attacks, have been selected in order to visualize the behavior modification of each of them in the defended model. Adversarial training, dimensionality reduction, and prediction similarity were the selected defenses, which have been developed using a model composed of convolution neural network layers and dense neural network layers. In each defense, the behavior of the original model has been compared with the behavior of the defended model, representing the target model by a graph in a visualization. This visualization allows identifying the vulnerabilities of the model and shows how the defenses try to avoid them. [ABSTRACT FROM AUTHOR]

Published

2022

296. A Two Stream Fusion Assisted Deep Learning Framework for Stomach Diseases Classification.

Author

Amin, Muhammad Shahid, Shah, Jamal Hussain, Yasmin, Mussarat, Ansari, Ghulam Jillani, Khan, Muhamamd Attique, Tariq, Usman, Ye Jin Kim, and Byoungchol Chang

Subjects

GASTRIC diseases, DEEP learning, NOSOLOGY, CAPSULE endoscopy, ARTIFICIAL intelligence, MACHINE learning

Abstract

Due to rapid development in Artificial Intelligence (AI) and Deep Learning (DL), it is difficult to maintain the security and robustness of these techniques and algorithms due to emergence of novel term adversary sampling. Such technique is sensitive to these models. Thus, fake samples cause AI and DL model to produce diverse results. Adversarial attacks that successfully implemented in real world scenarios highlight their applicability even further. In this regard, minor modifications of input images cause “Adversarial Attacks” that altered the performance of competing attacks dramatically. Recently, such attacks and defensive strategies are gaining lot of attention by the machine learning and security researchers. Doctors use different kinds of technologies to examine the patient abnormalities including Wireless Capsule Endoscopy (WCE). However, using WCE it is very difficult for doctors to detect an abnormality within images since it takes enough time while inspection and deciding abnormality. As a result, it took weeks to generate patients test report, which is tiring and strenuous for them. Therefore, researchers come out with the solution to adopt computerized technologies, which are more suitable for the classification and detection of such abnormalities. As far as the classification is concern, the adversarial attacks generate problems in classified images. Now days, to handle this issue machine learning is mainstream defensive approach against adversarial attacks. Hence, this research exposes the attacks by altering the datasets with noise including salt and pepper and Fast Gradient Sign Method (FGSM) and then reflects that how machine learning algorithms work fine to handle these noises in order to avoid attacks. Results obtained on the WCE images which are vulnerable to adversarial attack are 96.30% accurate and prove that the proposed defensive model is robust when compared to competitive existing methods. [ABSTRACT FROM AUTHOR]

Published

2022

297. Distributed Attack-Robust Submodular Maximization for Multirobot Planning.

Author

Zhou, Lifeng, Tzoumas, Vasileios, Pappas, George J., and Tokekar, Pratap

Subjects

DENIAL of service attacks, ROBUST optimization, DISTRIBUTED algorithms, ROBOT motion, LOCAL mass media, APPROXIMATION algorithms, ROBOT kinematics

Abstract

In this article, we design algorithms to protect swarm-robotics applications against sensor denial-of-service attacks on robots. We focus on applications requiring the robots to jointly select actions, e.g., which trajectory to follow, among a set of available actions. Such applications are central in large-scale robotic applications, such as multirobot motion planning for target tracking. But the current attack-robust algorithms are centralized. In this article, we propose a general-purpose distributed algorithm toward robust optimization at scale, with local communications only. We name it distributed robust maximization (DRM). DRM proposes a divide-and-conquer approach that distributively partitions the problem among cliques of robots. Then, the cliques optimize in parallel, independently of each other. We prove DRM achieves a close-to-optimal performance. We demonstrate DRM’s performance in Gazebo and MATLAB simulations, in scenarios of active target tracking with swarms of robots. In the simulations, DRM achieves computational speed-ups, being 1 to 2 orders faster than the centralized algorithms. Yet, it nearly matches the tracking performance of the centralized counterparts. Since, DRM overestimates the number of attacks in each clique, in this article, we also introduce an improved distributed robust maximization (IDRM) algorithm. IDRM infers the number of attacks in each clique less conservatively than DRM by leveraging three-hop neighboring communications. We verify IDRM improves DRM’s performance in simulations. [ABSTRACT FROM AUTHOR]

Published

2022

298. Turning Federated Learning Systems Into Covert Channels

Author

Gabriele Costa, Fabio Pinelli, Simone Soderi, and Gabriele Tolomei

Subjects

Federated learning, adversarial attacks, machine learning security, covert channel, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Federated learning (FL) goes beyond traditional, centralized machine learning by distributing model training among a large collection of edge clients. These clients cooperatively train a global, e.g., cloud-hosted, model without disclosing their local, private training data. The global model is then shared among all the participants which use it for local predictions. This paper proves that FL systems can be turned into covert channels to implement a stealth communication infrastructure. The main intuition is that, during federated training, a malicious sender can poison the global model by submitting purposely crafted examples. Although the effect of the model poisoning is negligible to other participants and does not alter the overall model performance, it can be observed by a malicious receiver and used to transmit a sequence of bits. We mounted our attack on an FL system to verify its feasibility. Experimental evidence shows that this covert channel is reliable, efficient, and extremely hard to counter. These results highlight that our new attacker model threatens FL infrastructures.

Published

2022

299. A Methodology for Evaluating the Robustness of Anomaly Detectors to Adversarial Attacks in Industrial Scenarios

Author

Angel Luis Perales Gomez, Lorenzo Fernandez Maimo, Felix J. Garcia Clemente, Javier Alejandro Maroto Morales, Alberto Huertas Celdran, and Gerome Bovet

Subjects

Adversarial attacks, evasion attacks, industrial control systems, machine learning, deep learning, robustness, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Anomaly Detection systems based on Machine and Deep learning are the most promising solutions to detect cyberattacks in the industry. However, these techniques are vulnerable to adversarial attacks that downgrade prediction performance. Several techniques have been proposed to measure the robustness of Anomaly Detection in the literature. However, they do not consider that, although a small perturbation in an anomalous sample belonging to an attack, i.e., Denial of Service, could cause it to be misclassified as normal while retaining its ability to damage, an excessive perturbation might also transform it into a truly normal sample, with no real impact on the industrial system. This paper presents a methodology to calculate the robustness of Anomaly Detection models in industrial scenarios. The methodology comprises four steps and uses a set of additional models called support models to determine if an adversarial sample remains anomalous. We carried out the validation using the Tennessee Eastman process, a simulated testbed of a chemical process. In such a scenario, we applied the methodology to both a Long-Short Term Memory (LSTM) neural network and 1-dimensional Convolutional Neural Network (1D-CNN) focused on detecting anomalies produced by different cyberattacks. The experiments showed that 1D-CNN is significantly more robust than LSTM for our testbed. Specifically, a perturbation of 60% (empirical robustness of 0.6) of the original sample is needed to generate adversarial samples for LSTM, whereas in 1D-CNN the perturbation required increases up to 111% (empirical robustness of 1.11).

Published

2022

300. A Highly Stealthy Adaptive Decay Attack Against Speaker Recognition

Author

Xinyu Zhang, Yang Xu, Sicong Zhang, and Xiaojian Li

Subjects

Deep learning, adversarial attacks, speaker recognition, adaptive decay attack, adversarial training, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Speaker recognition based on deep learning is currently the most advanced and mainstream technology in the industry. Adversarial attacks, an emerging and powerful attack against neural network models, also posing serious security problems for speaker recognition. Common gradient-based attack methods such as FGSM (Fast Gradient Sign Method), PGD (Projected Gradient Descent), and MI-FGSM (Momentum Iteration-FGSM) generate adversarial examples that are poorly stealthy and easily perceived by the human ear. To improve the stealthiness of the adversarial examples, this paper proposes a new attack method called the Adaptive Decay Attack (ADA), whose stealth is very close to the CW2(Carlini&Wagner) method based on optimization attacks, with much less computation time than CW2. The method takes the set number of iterations as the termination condition, automatically adjusts the size of the maximum perturbation according to whether the attack is successful or not, and then uses the decay methods in learning rates such as exponential decay and cosine annealing to continuously reduce the step size. The experimental results show that under the two speaker recognition models x-vector, and i-vector, the proposed attack method improves the stealthiness metrics such as SNR and PESQ by at least 30% and 39%, respectively, compared with the best PGD attack under speaker identification of untargeted attacks. For the speaker identification task with targeted attacks, the average improvement is at least 20% and 25% compared to PGD. For the speaker verification task, the improvement is at least 29.5% and 33.4% compared to PGD. In addition, we also use this attack method for adversarial training to enhance the robustness of the model. Experimental results show that ADA-based adversarial training takes 28.31% less time than PGD-based adversarial training, and its improved robustness is generally superior to PGD-based adversarial training. Specifically, the attack success rate of PGD and ADA methods decreased from 50.88% to 36.47% and 64.74% to 45.82%, respectively.

Published

2022