Wei Emma Zhang,Quan Z. Sheng,Ahoud Alhazmi,Chenliang Li

DOI: https://doi.org/10.48550/arXiv.1901.06796

2019-04-11

Abstract:With the development of high computational devices, deep neural networks (DNNs), in recent years, have gained significant popularity in many Artificial Intelligence (AI) applications. However, previous efforts have shown that DNNs were vulnerable to strategically modified samples, named adversarial examples. These samples are generated with some imperceptible perturbations but can fool the DNNs to give false predictions. Inspired by the popularity of generating adversarial examples for image DNNs, research efforts on attacking DNNs for textual applications emerges in recent years. However, existing perturbation methods for images cannotbe directly applied to texts as text data is discrete. In this article, we review research works that address this difference and generatetextual adversarial examples on DNNs. We collect, select, summarize, discuss and analyze these works in a comprehensive way andcover all the related information to make the article self-contained. Finally, drawing on the reviewed literature, we provide further discussions and suggestions on this topic.

Computation and Language

Wenqi Wang,Run Wang,Lina Wang,Zhibo Wang,Aoshuang Ye

DOI: https://doi.org/10.1109/tkde.2021.3117608

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Deep neural networks (DNNs) have achieved remarkable success in various tasks (e.g., image classification, speech recognition, and natural language processing (NLP)). However, researchers have demonstrated that DNN-based models are vulnerable to adversarial examples, which cause erroneous predictions by adding imperceptible perturbations into legitimate inputs. Recently, studies have revealed adversarial examples in the text domain, which could effectively evade various DNN-based text analyzers and further bring the threats of the proliferation of disinformation. In this paper, we give a comprehensive survey on the existing studies of adversarial techniques for generating adversarial texts written by both English and Chinese characters and the corresponding defense methods. More importantly, we hope that our work could inspire future studies to develop more robust DNN-based text analyzers against known and unknown adversarial techniques. We classify the existing adversarial techniques for crafting adversarial texts based on the perturbation units, helping to better understand the generation of adversarial texts and build robust models for defense. In presenting the taxonomy of adversarial attacks and defenses in the text domain, we introduce the adversarial techniques from the perspective of different NLP tasks. Finally, we discuss the existing challenges of adversarial attacks and defenses in texts and present the future research directions in this emerging and challenging field.

Han Xu,Yao Ma,Hao-Chen Liu,Debayan Deb,Hui Liu,Ji-Liang Tang,Anil K. Jain

DOI: https://doi.org/10.1007/s11633-019-1211-x

2020-03-27

International Journal of Automation and Computing

Abstract:Abstract Deep neural networks (DNN) have achieved unprecedented success in numerous machine learning tasks in various domains. However, the existence of adversarial examples raises our concerns in adopting deep learning to safety-critical applications. As a result, we have witnessed increasing interests in studying attack and defense mechanisms for DNN models on different data types, such as images, graphs and text. Thus, it is necessary to provide a systematic and comprehensive overview of the main threats of attacks and the success of corresponding countermeasures. In this survey, we review the state of the art algorithms for generating adversarial examples and the countermeasures against adversarial examples, for three most popular data types, including images, graphs and text.

automation & control systems,computer science, artificial intelligence

Xiaoyong Yuan,Pan He,Qile Zhu,Xiaolin Li

DOI: https://doi.org/10.1109/tnnls.2018.2886017

IF: 14.255

2019-09-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks (DNNs) have been recently found vulnerable to well-designed input samples called adversarial examples. Adversarial perturbations are imperceptible to human but can easily fool DNNs in the testing/deploying stage. The vulnerability to adversarial examples becomes one of the major risks for applying DNNs in safety-critical environments. Therefore, attacks and defenses on adversarial examples draw great attention. In this paper, we review recent findings on adversarial examples for DNNs, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Wenqi Wang,Run Wang,Lina Wang,Zhibo Wang,Aoshuang Ye

DOI: https://doi.org/10.48550/arXiv.1902.07285

2021-04-21

Abstract:Deep neural networks (DNNs) have achieved remarkable success in various tasks (e.g., image classification, speech recognition, and natural language processing (NLP)). However, researchers have demonstrated that DNN-based models are vulnerable to adversarial examples, which cause erroneous predictions by adding imperceptible perturbations into legitimate inputs. Recently, studies have revealed adversarial examples in the text domain, which could effectively evade various DNN-based text analyzers and further bring the threats of the proliferation of disinformation. In this paper, we give a comprehensive survey on the existing studies of adversarial techniques for generating adversarial texts written by both English and Chinese characters and the corresponding defense methods. More importantly, we hope that our work could inspire future studies to develop more robust DNN-based text analyzers against known and unknown adversarial techniques. We classify the existing adversarial techniques for crafting adversarial texts based on the perturbation units, helping to better understand the generation of adversarial texts and build robust models for defense. In presenting the taxonomy of adversarial attacks and defenses in the text domain, we introduce the adversarial techniques from the perspective of different NLP tasks. Finally, we discuss the existing challenges of adversarial attacks and defenses in texts and present the future research directions in this emerging and challenging field.

Computation and Language,Cryptography and Security,Machine Learning

Mesut Ozdag

DOI: https://doi.org/10.1016/j.procs.2018.10.315

2018-01-01

Procedia Computer Science

Abstract:Deep learning has achieved great successes in various types of applications over recent years. On the other hand, it has been found that deep neural networks (DNNs) can be easily fooled by adversarial input samples. This vulnerability raises major concerns in security-sensitive environments. Therefore, research in attacking and defending DNNs with adversarial examples has drawn great attention. The goal of this paper is to review the types of adversarial attacks and defenses, describe the state-of-the-art methods for each group, and compare their results. In addition, we present some of the top-scored competition submissions for Neural Information Processing Systems (NIPS) in 2017, their solution models, and demonstrate their results. This adversary competition was organized by Google Brain for research scientists to come up with novel solutions that generate adversarial examples and also defend against them. Its contribution is significant on this era of machine learning and DNNs.

Xiaojiao Chen,Sheng Li,Hao Huang

DOI: https://doi.org/10.3390/app11188450

2021-09-12

Applied Sciences

Abstract:Voice Processing Systems (VPSes), now widely deployed, have become deeply involved in people’s daily lives, helping drive the car, unlock the smartphone, make online purchases, etc. Unfortunately, recent research has shown that those systems based on deep neural networks are vulnerable to adversarial examples, which attract significant attention to VPS security. This review presents a detailed introduction to the background knowledge of adversarial attacks, including the generation of adversarial examples, psychoacoustic models, and evaluation indicators. Then we provide a concise introduction to defense methods against adversarial attacks. Finally, we propose a systematic classification of adversarial attacks and defense methods, with which we hope to provide a better understanding of the classification and structure for beginners in this field.

Sicong Han,Chenhao Lin,Chao Shen,Qian Wang,Xiaohong Guan

DOI: https://doi.org/10.1145/3594869

IF: 16.6

2023-04-28

ACM Computing Surveys

Abstract:Deep learning technology is increasingly applied in safety-critical scenarios while it has recently been found to be susceptible to imperceptible adversarial perturbations, which raises a serious concern regarding the adversarial robustness of deep neural networks (DNNs) based applications. Accordingly, various adversarial attacks and defense approaches have been proposed. However, current studies implement different types of attacks and defenses with certain assumptions. There is still a lack of full theoretical understanding and interpretation of adversarial examples. Instead of reviewing technical progress in adversarial attacks and defenses, this paper presents a framework consisting of three perspectives to discuss recent works focusing on theoretically explaining adversarial examples comprehensively. In each perspective, various hypotheses are further categorized and summarized into several subcategories and introduced systematically. To the best of our knowledge, this study is the first to concentrate on surveying existing research on adversarial examples and adversarial robustness from the interpretability perspective. By drawing on the reviewed literature, this survey characterizes current problems and challenges that need to be addressed and highlights potential future research directions to further investigate adversarial examples.

computer science, theory & methods

Ziming Zhao,Zhaoxuan Li,Tingting Li,Jiongchi Yu,Fan Zhang,Rui Zhang

DOI: https://doi.org/10.1145/3589335.3651524

2024-01-01

Abstract:Recent studies show that deep neural networks are extremely vulnerable, especially for adversarial examples of image classification models. However, the current defense technologies exhibit a series of limitations in terms of the adaptability of different attacks, the trade-off between clean-instance accuracy and robust one, as well as efficiency for train time overhead. To tackle these problems, we present a novel component, named redundant fully connected layer, which can be combined with existing model backbones in a pluggable manner. Specifically, we design a tailor-made loss function for it that leverages cosine similarity to maximize the difference and diversity of multiple fully connected parts. We conduct extensive experiments against 12 representative attacks (white-box and black-box), based on the popular dataset. The empirical evaluations show that our scheme realizes significant outcomes against various attacks with negligible additional training overhead, while hardly bringing collateral damage for clean-instance accuracy.

Jiliang Zhang,Chen Li

DOI: https://doi.org/10.1109/TNNLS.2019.2933524

2019-09-23

Abstract:Deep neural networks (DNNs) have shown huge superiority over humans in image recognition, speech processing, autonomous vehicles and medical diagnosis. However, recent studies indicate that DNNs are vulnerable to adversarial examples (AEs), which are designed by attackers to fool deep learning models. Different from real examples, AEs can mislead the model to predict incorrect outputs while hardly be distinguished by human eyes, therefore threaten security-critical deep-learning applications. In recent years, the generation and defense of AEs have become a research hotspot in the field of artificial intelligence (AI) security. This article reviews the latest research progress of AEs. First, we introduce the concept, cause, characteristics and evaluation metrics of AEs, then give a survey on the state-of-the-art AE generation methods with the discussion of advantages and disadvantages. After that, we review the existing defenses and discuss their limitations. Finally, future research opportunities and challenges on AEs are prospected.

Machine Learning

Charis Eleftheriadis,Andreas Symeonidis,Panagiotis Katsaros

DOI: https://doi.org/10.1007/s00138-024-01519-1

IF: 2.983

2024-03-16

Machine Vision and Applications

Abstract:Deep neural networks (DNNs) are key components for the implementation of autonomy in systems that operate in highly complex and unpredictable environments (self-driving cars, smart traffic systems, smart manufacturing, etc.). It is well known that DNNs are vulnerable to adversarial examples, i.e. minimal and usually imperceptible perturbations, applied to their inputs, leading to false predictions. This threat poses critical challenges, especially when DNNs are deployed in safety or security-critical systems, and renders as urgent the need for defences that can improve the trustworthiness of DNN functions. Adversarial training has proven effective in improving the robustness of DNNs against a wide range of adversarial perturbations. However, a general framework for adversarial defences is needed that will extend beyond a single-dimensional assessment of robustness improvement; it is essential to consider simultaneously several distance metrics and adversarial attack strategies. Using such an approach we report the results from extensive experimentation on adversarial defence methods that could improve DNNs resilience to adversarial threats. We wrap up by introducing a general adversarial training methodology, which, according to our experimental results, opens prospects for an holistic defence against a range of diverse types of adversarial perturbations.

computer science, cybernetics, artificial intelligence,engineering, electrical & electronic

Mark Huasong Meng,Guangdong Bai,Sin Gee Teo,Zhe Hou,Yan Xiao,Yun Lin,Jin Song Dong

DOI: https://doi.org/10.1109/tdsc.2022.3179131

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Neural networks have been widely applied in security applications such as spam and phishing detection, intrusion prevention, and malware detection. This black-box method, however, often has uncertainty and poor explainability in applications. Furthermore, neural networks themselves are often vulnerable to adversarial attacks. For those reasons, there is a high demand for trustworthy and rigorous methods to verify the robustness of neural network models. Adversarial robustness, which concerns the reliability of a neural network when dealing with maliciously manipulated inputs, is one of the hottest topics in security and machine learning. In this work, we survey existing literature in adversarial robustness verification for neural networks and collect 39 diversified research works across machine learning, security, and software engineering domains. We systematically analyze their approaches, including how robustness is formulated, what verification techniques are used, and the strengths and limitations of each technique. We provide a taxonomy from a formal verification perspective for a comprehensive understanding of this topic. We classify the existing techniques based on property specification, problem reduction, and reasoning strategies. We also demonstrate representative techniques that have been applied in existing studies with a sample model. Finally, we discuss open questions for future research.

Puttagunta, Murali Krishna,Ravi, S.,Nelson Kennedy Babu, C

DOI: https://doi.org/10.1007/s11042-023-14702-9

IF: 2.577

2023-03-09

Multimedia Tools and Applications

Abstract:In recent years, significant progress has been achieved using deep neural networks (DNNs) in obtaining human-level performance on various long-standing tasks. With the increased use of DNNs in various applications, public concern over DNNs' trustworthiness has grown. Studies conducted in the last several years have proven that deep learning models are vulnerable to small adversarial perturbations. Adversarial examples are generated from clean images by adding imperceptible perturbations. Adversarial examples are necessary for practical reasons, as they can be physically constructed, implying that DNNs are unsuitable for some image classification applications in their current state. This paper aims to provide an in-depth overview of the numerous adversarial attack strategies and defence methods. The theoretical principles, methods, and applications of adversarial attack strategies are first discussed. After that, a few research attempts on defence techniques covering the field's broad boundary are outlined. Afterwards, this study reviews recently proposed adversarial attack methods to medical deep learning systems and defence techniques against these attacks. The vulnerability of the DL model is evaluated for different medical image modalities using an adversarial attack and defence method. Some unresolved issues and obstacles are highlighted to ignite additional research efforts in this crucial area.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Xu Han,Ying Zhang,Wei Wang,Bin Wang

DOI: https://doi.org/10.1155/2022/6458488

IF: 1.968

2022-04-23

Security and Communication Networks

Abstract:Deep neural networks (DNNs) have been widely used in many fields due to their powerful representation learning capabilities. However, they are exposed to serious threats caused by the increasing security issues. Adversarial examples were early discovered in computer vision (CV) field when the models were fooled by perturbing the original inputs, and they also exist in natural language processing (NLP) community. However, unlike the image, the text is discrete and semantic in nature, making the generation of adversarial attacks even more difficult. In this work, we provide a comprehensive overview of adversarial attacks and defenses in the textual domain. First, we introduce the pipeline of NLP, including the vector representations of text, DNN-based victim models, and a formal definition of adversarial attacks, which makes our review self-contained. Second, we propose a novel taxonomy for the existing adversarial attacks and defenses, which is fine-grained and closely aligned with practical applications. Finally, we summarize and discuss the major existing issues and further research directions of text adversarial attacks and defenses.

computer science, information systems,telecommunications

Yishan Li,Yanming Guo,Yuxiang Xie,Qi Wang

DOI: https://doi.org/10.1109/bigdia56350.2022.9874193

2022-01-01

Abstract:With the development of artificial intelligence technology, to our surprise, deep neural networks have made a series of breakthroughs and achieved optimal results in lots of machine learning tasks, while the image field is the most prominent. Although deep learning technology has brought great convenience to our lives, the security problems of artificial intelligence have gradually become prominent. But deep neural networks are very fragile, and usually a small perturbation can have a serious impact on the neural network, especially adversarial examples. As a small imperceptible perturbation, it can cause malicious effects on the results of image classification. What can we do to protect clean examples from perturbations has become the most important and practical research direction in the current image field. A large number of scholars have begun to invest in adversarial examples research, especially in defense, the achievements are more abundant, and related research results have also shown a blowout state. Based on the research status of recent years, this paper first explains the concept of adversarial examples, organizes the current attack methods, and then summarizes different defense methods according to the criteria of detection defense and robust defense. Improvements are discussed to help further development of adversarial defense of images.

Zhengfei Yu,Yun Zhou,Weiming Zhang

DOI: https://doi.org/10.1109/icaci49185.2020.9177527

2020-01-01

Abstract:Recently, deep neural network has been widely used in computer vision, machine translation and Go playing and has become the important part of artificial intelligence applications. However, the existence of adversarial examples designed by adversaries could let deep neural networks make incorrect outputs, and fail to work in their applications. Indeed, a considerable amount of work on generating adversarial examples has emerged. Thus, it’s important to investigate adversarial examples in deep learning community. Throughout this paper, we introduce some basic knowledge about attacks on DNNs. Then, we discuss several attack methods to generate adversarial examples. Subsequently, we introduce some defense mechanisms to classify or detect adversarial examples correctly. Finally, we review the challenges in this field, along with the corresponding future directions towards dealing with adversarial examples.

Alex Serban,Erik Poll,Joost Visser

DOI: https://doi.org/10.48550/arXiv.2008.04094

2020-08-07

Computer Vision and Pattern Recognition

Abstract:Deep neural networks are at the forefront of machine learning research. However, despite achieving impressive performance on complex tasks, they can be very sensitive: Small perturbations of inputs can be sufficient to induce incorrect behavior. Such perturbations, called adversarial examples, are intentionally designed to test the network's sensitivity to distribution drifts. Given their surprisingly small size, a wide body of literature conjectures on their existence and how this phenomenon can be mitigated. In this article we discuss the impact of adversarial examples on security, safety, and robustness of neural networks. We start by introducing the hypotheses behind their existence, the methods used to construct or protect against them, and the capacity to transfer adversarial examples between different machine learning models. Altogether, the goal is to provide a comprehensive and self-contained survey of this growing field of research.

Ahmed Aldahdooh,Wassim Hamidouche,Sid Ahmed Fezza,Olivier Déforges

DOI: https://doi.org/10.1007/s10462-021-10125-w

IF: 9.588

2022-01-06

Artificial Intelligence Review

Abstract:Deep learning (DL) has shown great success in many human-related tasks, which has led to its adoption in many computer vision based applications, such as security surveillance systems, autonomous vehicles and healthcare. Such safety-critical applications have to draw their path to success deployment once they have the capability to overcome safety-critical challenges. Among these challenges are the defense against or/and the detection of the adversarial examples (AEs). Adversaries can carefully craft small, often imperceptible, noise called perturbations to be added to the clean image to generate the AE. The aim of AE is to fool the DL model which makes it a potential risk for DL applications. Many test-time evasion attacks and countermeasures, i.e., defense or detection methods, are proposed in the literature. Moreover, few reviews and surveys were published and theoretically showed the taxonomy of the threats and the countermeasure methods with little focus in AE detection methods. In this paper, we focus on image classification task and attempt to provide a survey for detection methods of test-time evasion attacks on neural network classifiers. A detailed discussion for such methods is provided with experimental results for eight state-of-the-art detectors under different scenarios on four datasets. We also provide potential challenges and future perspectives for this research direction.

computer science, artificial intelligence

Nicholas Carlini,D. Wagner

DOI: https://doi.org/10.1109/SP.2017.49

2016-08-16

Abstract:Neural networks provide state-of-the-art results for most machine learning tasks. Unfortunately, neural networks are vulnerable to adversarial examples: given an input x and any target classification t, it is possible to find a new input x' that is similar to x but classified as t. This makes it difficult to apply neural networks in security-critical areas. Defensive distillation is a recently proposed approach that can take an arbitrary neural network, and increase its robustness, reducing the success rate of current attacks' ability to find adversarial examples from 95% to 0.5%.In this paper, we demonstrate that defensive distillation does not significantly increase the robustness of neural networks by introducing three new attack algorithms that are successful on both distilled and undistilled neural networks with 100% probability. Our attacks are tailored to three distance metrics used previously in the literature, and when compared to previous adversarial example generation algorithms, our attacks are often much more effective (and never worse). Furthermore, we propose using high-confidence adversarial examples in a simple transferability test we show can also be used to break defensive distillation. We hope our attacks will be used as a benchmark in future defense attempts to create neural networks that resist adversarial examples.

Computer Science