Shasha Zhou,Mingyu Huang,Yanan Sun,Ke Li

DOI: https://doi.org/10.1145/3660808

2024-01-01

Abstract:The emergence of the 'code naturalness' concept, which suggests that software code shares statistical properties with natural language, paves the way for deep neural networks (DNNs) in software engineering (SE). However, DNNs can be vulnerable to certain human imperceptible variations in the input, known as adversarial examples (AEs), which could lead to adverse model performance. Numerous attack strategies have been proposed to generate AEs in the context of computer vision and natural language processing, but the same is less true for source code of programming languages in SE. One of the challenges is derived from various constraints including syntactic, semantics and minimal modification ratio. These constraints, however, are subjective and can be conflicting with the purpose of fooling DNNs. This paper develops a multi-objective adversarial attack method (dubbed MOAA), a tailored NSGA-II, a powerful evolutionary multi-objective (EMO) algorithm, integrated with CodeT5 to generate high-quality AEs based on contextual information of the original code snippet. Experiments on 5 source code tasks with 10 datasets of 6 different programming languages show that our approach can generate a diverse set of high-quality AEs with promising transferability. In addition, using our AEs, for the first time, we provide insights into the internal behavior of pre-trained models.

Yepeng Deng,Chunkai Zhang,Xuan Wang

DOI: https://doi.org/10.1109/DSC.2019.00022

2019-01-01

Abstract:Image classifiers have been proven to be easily fooled by perturbations, but it is still exceedingly challenging to generate imperceptible disturbances, especially without the internal knowledge of the classifiers. Imperceptibility and attack capability are two main evaluating indicators of this problem, while most existing methods, so far, can only either maximize misclassification or minimize the distortion. Although there are some algorithms to consider both of them via the weighted sum method, which is equivalent to solve the multiple optimization problems, it will doubtless enlarge the computation complexity, and the strategy of setting the weights cannot make sure both indicators the optimal solutions. In this paper, we proposed an innovative general algorithm named MOEA-APGA, which is based on multi-objective evolutionary algorithm, taking both factors as the optimization objective function. A set of perturbations with diversity is generated by population evolution, and then an appropriate perturbation is selected by the proposed filtering strategy to synthesize the adversarial example. It can achieve the goal of the targeted attack without the internal knowledge of the victim networks. We tried four perturbation strategies to generate adversarial examples. The experimental results on the MNIST datasets demonstrate the effectiveness of MOEA-APGA. In addition, we refer to a slice of indicators to evaluate the power of the algorithm and the vulnerability of different samples.

Wei Jiang,Shen You,Jinyu Zhan,Xupeng Wang,Hong Lei,Deepak Adhikari

DOI: https://doi.org/10.1109/tevc.2022.3231460

IF: 16.497

2022-01-01

IEEE Transactions on Evolutionary Computation

Abstract:Due to the inherent vulnerability of deep neural networks (DNNs), the adversarial example (AE) attack has become a serious threat to intelligent systems, e.g., the failure cause of an image classification system. Different to existing works, in this article we are interested in the generation of AEs for DNNs with defensive mechanisms. To make the attack more practical, we exploit a query-based method to generate image AEs in a black-box attack setting. Considering that the generation of AEs is inherently a constrained optimization problem, this article first formulates three objectives regarding defensive DNNs, i.e., attack effectiveness, attack evasiveness and attack coverage. Then, this article proposes a query-efficient AE attack based on the genetic algorithm (GA) and particle swarm optimization (PSO) to address the perturbation optimization problem. To improve the efficiency of search and query, AE-specific operators including block-level and pixel-level crossovers, discrete perturbation mutation and direction-driven reproduction are designed within the GA-based search framework. In addition, predication-based adaptation of reproduction-related parameters is implemented to speed up the search convergence. PSO-based jumping process is further devised to avoid stuck in local optimum. Benchmark-based experiments evaluated the efficiency of our method, which can achieve an attack success rate of 100% with averagely 52.95% reduced queries in contrast to existing black-box attacks on nondefensive models. For defensive DNN models, our method can obtain top attack performance with the query reduction up to 70.92% comparing with the candidates.

computer science, artificial intelligence, theory & methods

Chunkai Zhang,Yepeng Deng,Xin Guo,Xuan Wang,Chuanyi Liu

DOI: https://doi.org/10.1007/978-3-030-41579-2_35

2019-01-01

Abstract:Various approaches have been proposed to exploit the vulnerability to challenge the robustness of victim models, in the black-box scenario, it is difficult to generate barely noticeable adversarial examples while guaranteeing the attack success rate. Although some methods could solve this problem to some extent, the imperceptibility of the generated perturbations is still far from that of the most advanced attack, worse still, it is infeasible to attack the color image datasets due to its inefficiency. In MOEA-APGA II, We propose the new objective function and the novel population evolution strategies to reduce the average distortion without sacrificing the attack success rate, and compared to the state-of-the-art black-box attack (ZOO), our method achieves a better attack success rate under fewer queries on the benchmark datasets.

Aminollah Khormali,DaeHun Nyang,David Mohaisen

DOI: https://doi.org/10.48550/arXiv.2007.00146

2020-07-01

Abstract:Deep learning models are widely used in a range of application areas, such as computer vision, computer security, etc. However, deep learning models are vulnerable to Adversarial Examples (AEs),carefully crafted samples to deceive those models. Recent studies have introduced new adversarial attack methods, but, to the best of our knowledge, none provided guaranteed quality for the crafted examples as part of their creation, beyond simple quality measures such as Misclassification Rate (MR). In this paper, we incorporateImage Quality Assessment (IQA) metrics into the design and generation process of AEs. We propose an evolutionary-based single- and multi-objective optimization approaches that generate AEs with high misclassification rate and explicitly improve the quality, thus indistinguishability, of the samples, while perturbing only a limited number of pixels. In particular, several IQA metrics, including edge analysis, Fourier analysis, and feature descriptors, are leveraged into the process of generating AEs. Unique characteristics of the evolutionary-based algorithm enable us to simultaneously optimize the misclassification rate and the IQA metrics of the AEs. In order to evaluate the performance of the proposed method, we conduct intensive experiments on different well-known benchmark datasets(MNIST, CIFAR, GTSRB, and Open Image Dataset V5), while considering various objective optimization configurations. The results obtained from our experiments, when compared with the exist-ing attack methods, validate our initial hypothesis that the use ofIQA metrics within generation process of AEs can substantially improve their quality, while maintaining high misclassification <a class="link-external link-http" href="http://rate.Finally" rel="external noopener nofollow">this http URL</a>, transferability and human perception studies are provided, demonstrating acceptable performance.

Computer Vision and Pattern Recognition,Machine Learning

Zhiyi Lin,Changgen Peng,Weijie Tan,Xing He

DOI: https://doi.org/10.3390/e25030487

2023-03-10

Abstract:Adversarial example generation techniques for neural network models have exploded in recent years. In the adversarial attack scheme for image recognition models, it is challenging to achieve a high attack success rate with very few pixel modifications. To address this issue, this paper proposes an adversarial example generation method based on adaptive parameter adjustable differential evolution. The method realizes the dynamic adjustment of the algorithm performance by adjusting the control parameters and operation strategies of the adaptive differential evolution algorithm, while searching for the optimal perturbation. Finally, the method generates adversarial examples with a high success rate, modifying just a very few pixels. The attack effectiveness of the method is confirmed in CIFAR10 and MNIST datasets. The experimental results show that our method has a greater attack success rate than the One Pixel Attack based on the conventional differential evolution. In addition, it requires significantly less perturbation to be successful compared to global or local perturbation attacks, and is more resistant to perception and detection.

Xiuli Chai,Zhen Chen,Zhihua Gan,Yushu Zhang,Yong Tan

DOI: https://doi.org/10.1109/icspcc59353.2023.10400335

2023-01-01

Abstract:Nowadays, large numbers of private images are stored in the cloud, which may be recognized by unauthorized models, seriously threatening users' privacy security. Although adversarial example (AE) can mislead unauthorized models to protect image privacy, the irreversible perturbations added to images can also mislead the authorized models. Reversible adversarial example (RAE) provides an effective solution that misleads unauthorized models without affecting authorized ones. However, existing RAE generation methods have low attack ability and imperfect image recovery, which makes them unsatisfactory. This paper proposes an RAE generation method that is RAE based on Thumbnail Preserving Encryption (RAE-TPE), where the semantic information of the images is unchanged but the generated RAEs successfully fool traditional classification models. Through decryption, the images can be recovered losslessly. Additionally, we present a novel optimization algorithm called dual annealing evolution (DAE) to enhance the RAEs' visual quality and attack ability. The experimental results on the ImageNet dataset demonstrate that RAEs generated by RAE-TPE show excellent attack ability and robustness.

Kenneth H. Chan,Betty H. C. Cheng

DOI: https://doi.org/10.1007/s10515-024-00470-9

IF: 1.677

2024-11-08

Automated Software Engineering

Abstract:State-of-the-art deep neural networks are increasingly used in image classification, recognition, and detection tasks for a range of real-world applications. Moreover, many of these applications are safety-critical, where the failure of the system may cause serious harm, injuries, or even deaths. Adversarial examples are expected inputs that are maliciously modified, but difficult to detect, such that the machine learning models fail to classify them correctly. While a number of evolutionary search-based approaches have been developed to generate adversarial examples against image classification problems, evolutionary search-based attacks against object detection algorithms remain largely unexplored. This paper describes EvoAttack that demonstrates how evolutionary search-based techniques can be used as a black-box, model- and data-agnostic approach to attack state-of-the-art object detection algorithms (e.g., RetinaNet, Faster R-CNN, and YoloV5). A proof-of-concept implementation is provided to demonstrate how evolutionary search can generate adversarial examples that existing models fail to correctly process, which can be used to assess model robustness against such attacks. In contrast to other adversarial example approaches that cause misclassification or incorrect labeling of objects, EvoAttack applies minor perturbations to generate adversarial examples that suppress the ability of object detection algorithms to detect objects. We applied EvoAttack to popular benchmark datasets for autonomous terrestrial and aerial vehicles.

computer science, software engineering

YiGui Luo,RuiJia Yang,Wei Sha,WeiYi Ding,YouTeng Sun,YiSi Wang

DOI: https://doi.org/10.48550/arXiv.1906.09072

2019-06-21

Abstract:Many studies have been done to prove the vulnerability of neural networks to adversarial example. A trained and well-behaved model can be fooled by a visually imperceptible perturbation, i.e., an originally correctly classified image could be misclassified after a slight perturbation. In this paper, we propose a black-box strategy to attack such networks using an evolution algorithm. First, we formalize the generation of an adversarial example into the optimization problem of perturbations that represent the noise added to an original image at each pixel. To solve this optimization problem in a black-box way, we find that an evolution algorithm perfectly meets our requirement since it can work without any gradient information. Therefore, we test various evolution algorithms, including a simple genetic algorithm, a parameter-exploring policy gradient, an OpenAI evolution strategy, and a covariance matrix adaptive evolution strategy. Experimental results show that a covariance matrix adaptive evolution Strategy performs best in this optimization problem. Additionally, we also perform several experiments to explore the effect of different regularizations on improving the quality of an adversarial example.

Computer Vision and Pattern Recognition

Ye Tian,Jingwen Pan,Shangshang Yang,Xingyi Zhang,Shuping He,Yaochu Jin

DOI: https://doi.org/10.1109/tai.2022.3168038

2023-01-01

IEEE Transactions on Artificial Intelligence

Abstract:The sparse adversarial attack has attracted increasing attention due to the merit of a low attack cost via changing a small number of pixels. However, the generated adversarial examples are easily detected in vision since the perturbation to each pixel is relatively large. To achieve imperceptible and sparse adversarial attacks, this article formulates a bi-objective constrained optimization problem, simultaneously minimizing the $\ell _{0}$ and $\ell _{2}$ distances to the original image, and proposes a dual-population-based constrained evolutionary algorithm to solve it. The proposed method solves the optimization problem by evolving two populations, where one population is responsible for finding feasible solutions (i.e., successful attacks) and the other one is to minimize both the $\ell _{0}$ and $\ell _{2}$ distances. Moreover, a population initialization strategy and two genetic operators are customized to accelerate the convergence speed. Experimental results indicate that the proposed method can achieve high success rates with low attack costs, and strikes a better balance between the $\ell _{0}$ and $\ell _{2}$ distances than state-of-the-art methods.

Phoenix Williams,Ke Li

DOI: https://doi.org/10.48550/arXiv.2203.04405

2022-03-07

Abstract:Deep neural networks (DNNs) have achieved state-of-the-art performance in many tasks but have shown extreme vulnerabilities to attacks generated by adversarial examples. Many works go with a white-box attack that assumes total access to the targeted model including its architecture and gradients. A more realistic assumption is the black-box scenario where an attacker only has access to the targeted model by querying some input and observing its predicted class probabilities. Different from most prevalent black-box attacks that make use of substitute models or gradient estimation, this paper proposes a gradient-free attack by using a concept of evolutionary art to generate adversarial examples that iteratively evolves a set of overlapping transparent shapes. To evaluate the effectiveness of our proposed method, we attack three state-of-the-art image classification models trained on the CIFAR-10 dataset in a targeted manner. We conduct a parameter study outlining the impact the number and type of shapes have on the proposed attack's performance. In comparison to state-of-the-art black-box attacks, our attack is more effective at generating adversarial examples and achieves a higher attack success rate on all three baseline models.

Cryptography and Security,Machine Learning,Neural and Evolutionary Computing

Anh Bui,Trung Le,He Zhao,Quan Tran,Paul Montague,Dinh Phung

2023-06-02

Abstract:Deep learning models, even the-state-of-the-art ones, are highly vulnerable to adversarial examples. Adversarial training is one of the most efficient methods to improve the model's robustness. The key factor for the success of adversarial training is the capability to generate qualified and divergent adversarial examples which satisfy some objectives/goals (e.g., finding adversarial examples that maximize the model losses for simultaneously attacking multiple models). Therefore, multi-objective optimization (MOO) is a natural tool for adversarial example generation to achieve multiple objectives/goals simultaneously. However, we observe that a naive application of MOO tends to maximize all objectives/goals equally, without caring if an objective/goal has been achieved yet. This leads to useless effort to further improve the goal-achieved tasks, while putting less focus on the goal-unachieved tasks. In this paper, we propose \emph{Task Oriented MOO} to address this issue, in the context where we can explicitly define the goal achievement for a task. Our principle is to only maintain the goal-achieved tasks, while letting the optimizer spend more effort on improving the goal-unachieved tasks. We conduct comprehensive experiments for our Task Oriented MOO on various adversarial example generation schemes. The experimental results firmly demonstrate the merit of our proposed approach. Our code is available at \url{<a class="link-external link-https" href="https://github.com/tuananhbui89/TAMOO" rel="external noopener nofollow">this https URL</a>}.

Machine Learning,Computer Vision and Pattern Recognition

Cristopher McIntyre-Garcia,Adrien Heymans,Beril Borali,Won-Sook Lee,Shiva Nejati

2024-04-26

Abstract:Deep Learning (DL) models excel in computer vision tasks but can be susceptible to adversarial examples. This paper introduces Triple-Metric EvoAttack (TM-EVO), an efficient algorithm for evaluating the robustness of object-detection DL models against adversarial attacks. TM-EVO utilizes a multi-metric fitness function to guide an evolutionary search efficiently in creating effective adversarial test inputs with minimal perturbations. We evaluate TM-EVO on widely-used object-detection DL models, DETR and Faster R-CNN, and open-source datasets, COCO and KITTI. Our findings reveal that TM-EVO outperforms the state-of-the-art EvoAttack baseline, leading to adversarial tests with less noise while maintaining efficiency.

Software Engineering,Artificial Intelligence

Chenwang Wu,Wenjian Luo,Nan Zhou,Peilan Xu,Tao Zhu

DOI: https://doi.org/10.1109/cec45853.2021.9504790

2021-01-01

Abstract:Studies have shown that deep neural networks (DNNs) are susceptible to adversarial attacks, which can cause misclassification. The adversarial attack problem can be regarded as an optimization problem, then the genetic algorithm (GA) that is problem-independent can naturally be designed to solve the optimization problem to generate effective adversarial examples. Considering the dimensionality curse in the image processing field, traditional genetic algorithms in high-dimensional problems often fall into local optima. Therefore, we propose a GA with multiple fitness functions (MF-GA). Specifically, we divide the evolution process into three stages, i.e., exploration stage, exploitation stage, and stable stage. Besides, different fitness functions are used for different stages, which could help the GA to jump away from the local optimum.Experiments are conducted on three datasets, and four classic algorithms as well as the basic GA are adopted for comparisons. Experimental results demonstrate that MF-GA is an effective black-box attack method. Furthermore, although MF-GA is a black-box attack method, experimental results demonstrate the performance of MF-GA under the black-box environments is competitive when comparing to four classic algorithms under the white-box attack environments. This shows that evolutionary algorithms have great potential in adversarial attacks.

Ali Borji

DOI: https://doi.org/10.48550/arXiv.2208.02430

2022-08-25

Abstract:Almost all adversarial attacks are formulated to add an imperceptible perturbation to an image in order to fool a model. Here, we consider the opposite which is adversarial examples that can fool a human but not a model. A large enough and perceptible perturbation is added to an image such that a model maintains its original decision, whereas a human will most likely make a mistake if forced to decide (or opt not to decide at all). Existing targeted attacks can be reformulated to synthesize such adversarial examples. Our proposed attack, dubbed NKE, is similar in essence to the fooling images, but is more efficient since it uses gradient descent instead of evolutionary algorithms. It also offers a new and unified perspective into the problem of adversarial vulnerability. Experimental results over MNIST and CIFAR-10 datasets show that our attack is quite efficient in fooling deep neural networks. Code is available at <a class="link-external link-https" href="https://github.com/aliborji/NKE" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Chunkai Zhang,Xin Guo,Yepeng Deng,Xuan Wang,Peiyi Han,Chuanyi Liu,Hanyu Zhang

DOI: https://doi.org/10.1016/j.compeleceng.2021.107402

2021-10-01

Abstract:In black-box scenarios, the adversarial attack algorithms based on iterative optimization perform best. But it may give a false sense of model robustness due to the design of inefficient queries. The adversarial attack algorithm based on multi-objective evolution optimization has been proven to be very effective for the low-dimensional images. However, when the attack space dramatically increases for the high-dimensional color images, the evolutionary efficiency is limited, and it needs more inefficient queries to generate adversarial examples. In this paper, we propose an efficient black-box adversarial attack approach for high dimensional images based on multi-objective optimization (MOO-HD), which includes some novel strategies to solve the above problems. We also propose the strategy of "The transformation of the pixel block with a random step size" to reduce the attack space. The experimental results on three image datasets with different dimensions show that our algorithm can achieve a higher success rate with fewer queries.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Qingan Da,Guoyin Zhang,Sizhao Li,Zechao Liu,Wenshan Wang

DOI: https://doi.org/10.1504/ijbic.2023.136087

2024-01-18

International Journal of Bio-Inspired Computation

Abstract:Deep learning models are susceptible to adversarial examples even in the black-box setting. This means there are security risks in intelligent systems based on deep learning. Research on adversarial attacks is crucial to improving the robustness of deep learning models. Most of the existing algorithms are query-intensive and require models to provide more detailed results. We focus on a restrictive threat model and propose a gradient-free adversarial attack algorithm based on differential evolution. In particular, we design two fitness functions to achieve targeted attacks and non-targeted attacks. And we introduce an elimination mechanism in the selection phase to speed up the convergence of the algorithm. Experiments on MNIST, CIFAR-10, and ImageNet show the effectiveness of the proposed method. The comparison with C&W, ZOO and GenAttack shows our method has better advantages in the attack success rate, the number of queries required for a successful attack, and the information obtained in a single query.

computer science, artificial intelligence, theory & methods

Zhenyu Du,Fangzheng Liu,Xuehu Yan

DOI: https://doi.org/10.3390/e24030396

IF: 2.738

2022-01-01

Entropy

Abstract:Deep neural networks in the area of information security are facing a severe threat from adversarial examples (AEs). Existing methods of AE generation use two optimization models: (1) taking the successful attack as the objective function and limiting perturbations as the constraint; (2) taking the minimum of adversarial perturbations as the target and the successful attack as the constraint. These all involve two fundamental problems of AEs: the minimum boundary of constructing the AEs and whether that boundary is reachable. The reachability means whether the AEs of successful attack models exist equal to that boundary. Previous optimization models have no complete answer to the problems. Therefore, in this paper, for the first problem, we propose the definition of the minimum AEs and give the theoretical lower bound of the amplitude of the minimum AEs. For the second problem, we prove that solving the generation of the minimum AEs is an NPC problem, and then based on its computational inaccessibility, we establish a new third optimization model. This model is general and can adapt to any constraint. To verify the model, we devise two specific methods for generating controllable AEs under the widely used distance evaluation standard of adversarial perturbations, namely Lp constraint and SSIM constraint (structural similarity). This model limits the amplitude of the AEs, reduces the solution space’s search cost, and is further improved in efficiency. In theory, those AEs generated by the new model which are closer to the actual minimum adversarial boundary overcome the blindness of the adversarial amplitude setting of the existing methods and further improve the attack success rate. In addition, this model can generate accurate AEs with controllable amplitude under different constraints, which is suitable for different application scenarios. In addition, through extensive experiments, they demonstrate a better attack ability under the same constraints as other baseline attacks. For all the datasets we test in the experiment, compared with other baseline methods, the attack success rate of our method is improved by approximately 10%.

Mahmood Sharif,Sruti Bhagavatula,Lujo Bauer,Michael K. Reiter

DOI: https://doi.org/10.1145/3317611

IF: 2.717

2019-07-19

ACM Transactions on Privacy and Security

Abstract:Images perturbed subtly to be misclassified by neural networks, called adversarial examples , have emerged as a technically deep challenge and an important concern for several application domains. Most research on adversarial examples takes as its only constraint that the perturbed images are similar to the originals. However, real-world application of these ideas often requires the examples to satisfy additional objectives, which are typically enforced through custom modifications of the perturbation process. In this article, we propose adversarial generative nets (AGNs), a general methodology to train a generator neural network to emit adversarial examples satisfying desired objectives. We demonstrate the ability of AGNs to accommodate a wide range of objectives, including imprecise ones difficult to model, in two application domains. In particular, we demonstrate physical adversarial examples—eyeglass frames designed to fool face recognition—with better robustness, inconspicuousness, and scalability than previous approaches, as well as a new attack to fool a handwritten-digit classifier.

computer science, information systems

Tao Xiang,Hangcheng Liu,Shangwei Guo,Yan Gan,Xiaofeng Liao

DOI: https://doi.org/10.1145/3511893

2022-01-01

ACM Transactions on Sensor Networks

Abstract:Unrestricted adversarial examples allow the attacker to start attacks without given clean samples, which are quite aggressive and threatening. However, existing works for generating unrestricted adversary examples are quite inefficient and cannot achieve a high success rate. In this article, we explore an end-to-end and effective solution for unrestricted adversary example generation. To stabilize the training process and make our generative model converge to satisfactory results, we design a novel decoupled two-step efficient generative model (EGM), which contains a conditional reference generator and a conditional adversarial transformer. The former is responsible for generating reference samples from noises and source classes. The latter is responsible for converting the reference sample into adversarial examples corresponding to target classes. To improve the success rate, we design a new strategy, augmentation of adversarial labels to produce dynamic target labels and enhance the exploration ability of EGM. Such a strategy can be also applied to existing attacks to improve their attack success rates, which is of independent interest. We conduct extensive experiments to evaluate our proposed model and demonstrate the necessity of decoupling the generation process in EGM. Experimental results show our EGM is much faster and achieves a higher success rate than the state-of-the-art attacks.