Yushi Cheng,Xiaoyu Ji,Wenjun Zhu,Shibo Zhang,Kevin Fu,Wenyuan Xu

DOI: https://doi.org/10.1109/tdsc.2023.3334618

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Autonomous vehicles increasingly rely on camera-based computer vision systems to perceive environments and make critical driving decisions. To improve image quality, image stabilizers with inertial sensors are added to reduce image blurring caused by camera jitters. However, this trend creates a new attack surface. This paper identifies a system-level vulnerability resulting from the combination of emerging image stabilizer hardware susceptible to acoustic manipulation and computer vision algorithms subject to adversarial examples. By emitting deliberately designed acoustic signals, an adversary can control the output of an inertial sensor, which triggers unnecessary motion compensation and results in a blurred image, even when the camera is stable. These blurred images can induce object misclassification, affecting safety-critical decision-making. We model the feasibility of such acoustic manipulation and design an attack framework that can accomplish three types of attacks: hiding, creating, and altering objects. Evaluation results demonstrate the effectiveness of our attacks against five object detectors (YOLO V3/V4/V5, Faster R-CNN, and Apollo) and two lane detectors (UFLD and LaneAF). We further introduce the concept of AMpLe attacks, a new class of system-level security vulnerabilities resulting from a combination of adversarial machine learning and physics-based injection of information-carrying signals into hardware.

Qi Liu,Tao Liu,Zihao Liu,Yanzhi Wang,Yier Jin,Wujie Wen

DOI: https://doi.org/10.48550/arXiv.1802.05193

2018-03-20

Abstract:DNN is presenting human-level performance for many complex intelligent tasks in real-world applications. However, it also introduces ever-increasing security concerns. For example, the emerging adversarial attacks indicate that even very small and often imperceptible adversarial input perturbations can easily mislead the cognitive function of deep learning systems (DLS). Existing DNN adversarial studies are narrowly performed on the ideal software-level DNN models with a focus on single uncertainty factor, i.e. input perturbations, however, the impact of DNN model reshaping on adversarial attacks, which is introduced by various hardware-favorable techniques such as hash-based weight compression during modern DNN hardware implementation, has never been discussed. In this work, we for the first time investigate the multi-factor adversarial attack problem in practical model optimized deep learning systems by jointly considering the DNN model-reshaping (e.g. HashNet based deep compression) and the input perturbations. We first augment adversarial example generating method dedicated to the compressed DNN models by incorporating the software-based approaches and mathematical modeled DNN reshaping. We then conduct a comprehensive robustness and vulnerability analysis of deep compressed DNN models under derived adversarial attacks. A defense technique named "gradient inhibition" is further developed to ease the generating of adversarial examples thus to effectively mitigate adversarial attacks towards both software and hardware-oriented DNNs. Simulation results show that "gradient inhibition" can decrease the average success rate of adversarial attacks from 87.99% to 4.77% (from 86.74% to 4.64%) on MNIST (CIFAR-10) benchmark with marginal accuracy degradation across various DNNs.

Machine Learning,Cryptography and Security

Xiuli Chai,Zhihua Gan,Yiran Chen,Yushu Zhang

DOI: https://doi.org/10.1016/j.sigpro.2016.11.016

IF: 5.666

2019-01-01

Optics and Lasers in Engineering

Abstract:A novel visually secure image encryption scheme based on compressive sensing (CS) is proposed. Firstly, the plain image is transformed into wavelet coefficients, and then confused by a zigzag path and encrypted into a compressed cipher image using compressive sensing. Next, the cipher image is embedded into a carrier image, and finally a visually secure cipher image is obtained. SHA 256 hash function of the original image is generated to calculate the parameters for zigzag confusion and one-dimensional skew tent map, and the map is used to produce the measurement matrix for CS. Therefore, the proposed algorithm is highly sensitive to the plain image, and it can effectively withstand known-plaintext and chosen-plaintext attacks. Besides, our algorithm can achieve the image data security and image appearance security simultaneously, and the size of the cipher image and original image is equal, it does not require additional transmission bandwidth and storage space. Simulation results and performance analyses both demonstrate excellent encryption performance of the proposed encryption scheme.

Zhihua Gan,Shiping Song,Lin Zhou,Daojun Han,Jiangyu Fu,Xiuli Chai

DOI: https://doi.org/10.1016/j.jksuci.2022.09.006

2022-01-01

Abstract:Image encryption is an effective method to protect private images by converting them into meaningless ones, but many current image encryption algorithms still have security and efficiency problems. This paper combines compressed sensing (CS) and secret image sharing (SIS) to propose a certifiable visually secure image selection encryption. Firstly, a selective encryption based on multi-task convolutional neural network (SE-MTCNN) is presented to distinguish and encrypt the sensitive and non-sensitive information of plain images. Subsequently, the SIS algorithm is used to decompose the resulting plain image into multiple shadow images to disperse the risk of cryptographic image loss and resist hacking attacks. Herein, a pseudo-convolutional sliding scrambling based on chaotic sequences driven by plaintext (PCSS-CSDP) is proposed to eliminate the correlation between adjacent image pixels. Finally, the IWT-M-embedding algorithm is used to embed shadow images into carrier images to get multiple visually meaningful cipher images. Additionally, a new authentication scheme based on bit-level cyclic shifts and dynamic combination (AS-BCSDC) is introduced, and the obtained authentication information is fused into cipher images to prevent the deception of illegal users and malicious tampering of cloud platform. Experiments demonstrate the effectiveness of our algorithm, and it may be applied for image secure communication.

Donghua Wang,Wen Yao,Tingsong Jiang,Guijian Tang,Xiaoqian Chen

2023-09-18

Abstract:Over the past decade, deep learning has revolutionized conventional tasks that rely on hand-craft feature extraction with its strong feature learning capability, leading to substantial enhancements in traditional tasks. However, deep neural networks (DNNs) have been demonstrated to be vulnerable to adversarial examples crafted by malicious tiny noise, which is imperceptible to human observers but can make DNNs output the wrong result. Existing adversarial attacks can be categorized into digital and physical adversarial attacks. The former is designed to pursue strong attack performance in lab environments while hardly remaining effective when applied to the physical world. In contrast, the latter focus on developing physical deployable attacks, thus exhibiting more robustness in complex physical environmental conditions. Recently, with the increasing deployment of the DNN-based system in the real world, strengthening the robustness of these systems is an emergency, while exploring physical adversarial attacks exhaustively is the precondition. To this end, this paper reviews the evolution of physical adversarial attacks against DNN-based computer vision tasks, expecting to provide beneficial information for developing stronger physical adversarial attacks. Specifically, we first proposed a taxonomy to categorize the current physical adversarial attacks and grouped them. Then, we discuss the existing physical attacks and focus on the technique for improving the robustness of physical attacks under complex physical environmental conditions. Finally, we discuss the issues of the current physical adversarial attacks to be solved and give promising directions.

Computer Vision and Pattern Recognition

Allen Y. Yang,Zihan Zhou,Yi Ma,S. Shankar Sastry

DOI: https://doi.org/10.21437/interspeech.2010-618

2010-01-01

Abstract:An application of compressive sensing (CS) theory in image-based robust face recognition is considered. Most contemporary face recognition systems suffer from limited abilities to handle image nuisances such as illumination, facial disguise, and pose misalignment. Motivated by CS, the problem has been recently cast in a sparse representation framework: The sparsest linear combination of a query image is sought using all prior training images as an overcomplete dictionary, and the dominant sparse coefficients reveal the identity of the query image. The ability to perform dense error correction directly in the image space also provides an intriguing solution to compensate pixel corruption and improve the recognition accuracy exceeding most existing solutions. Furthermore, a local iterative process can be applied to solve for an image transformation applied to the face region when the query image is misaligned. Finally, we discuss the state of the art in fast l(1)-minimization to improve the speed of the robust face recognition system. The paper also provides useful guidelines to practitioners working in similar fields, such as acoustic/speech recognition.

Hui Wei,Hao Tang,Xuemei Jia,Zhixiang Wang,Hanxun Yu,Zhubo Li,Shin'ichi Satoh,Luc Van Gool,Zheng Wang

2023-10-01

Abstract:Despite the impressive achievements of Deep Neural Networks (DNNs) in computer vision, their vulnerability to adversarial attacks remains a critical concern. Extensive research has demonstrated that incorporating sophisticated perturbations into input images can lead to a catastrophic degradation in DNNs' performance. This perplexing phenomenon not only exists in the digital space but also in the physical world. Consequently, it becomes imperative to evaluate the security of DNNs-based systems to ensure their safe deployment in real-world scenarios, particularly in security-sensitive applications. To facilitate a profound understanding of this topic, this paper presents a comprehensive overview of physical adversarial attacks. Firstly, we distill four general steps for launching physical adversarial attacks. Building upon this foundation, we uncover the pervasive role of artifacts carrying adversarial perturbations in the physical world. These artifacts influence each step. To denote them, we introduce a new term: adversarial medium. Then, we take the first step to systematically evaluate the performance of physical adversarial attacks, taking the adversarial medium as a first attempt. Our proposed evaluation metric, hiPAA, comprises six perspectives: Effectiveness, Stealthiness, Robustness, Practicability, Aesthetics, and Economics. We also provide comparative results across task categories, together with insightful observations and suggestions for future research directions.

Computer Vision and Pattern Recognition

Yingzhe He,Guozhu Meng,Kai Chen,Xingbo Hu,Jinwen He

DOI: https://doi.org/10.1109/tse.2020.3034721

IF: 7.4

2021-01-01

IEEE Transactions on Software Engineering

Abstract:Deep learning has gained tremendous success and great popularity in the past few years. However, deep learning systems are suffering several inherent weaknesses, which can threaten the security of learning models. Deep learning's wide use further magnifies the impact and consequences. To this end, lots of research has been conducted with the purpose of exhaustively identifying intrinsic weaknesses and subsequently proposing feasible mitigation. Yet few are clear about how these weaknesses are incurred and how effective these attack approaches are in assaulting deep learning. In order to unveil the security weaknesses and aid in the development of a robust deep learning system, we undertake an investigation on attacks towards deep learning, and analyze these attacks to conclude some findings in multiple views. In particular, we focus on four types of attacks associated with security threats of deep learning: model extraction attack, model inversion attack, poisoning attack and adversarial attack. For each type of attack, we construct its essential workflow as well as adversary capabilities and attack goals. Pivot metrics are devised for comparing the attack approaches, by which we perform quantitative and qualitative analyses. From the analysis, we have identified significant and indispensable factors in an attack vector, e.g., how to reduce queries to target models, what distance should be used for measuring perturbation. We shed light on 18 findings covering these approaches' merits and demerits, success probability, deployment complexity and prospects. Moreover, we discuss other potential security weaknesses and possible mitigation which can inspire relevant research in this area.

engineering, electrical & electronic,computer science, software engineering

Naveed Akhtar,Ajmal Mian

DOI: https://doi.org/10.48550/arXiv.1801.00553

2018-01-02

Computer Vision and Pattern Recognition

Abstract:Deep learning is at the heart of the current rise of machine learning and artificial intelligence. In the field of Computer Vision, it has become the workhorse for applications ranging from self-driving cars to surveillance and security. Whereas deep neural networks have demonstrated phenomenal success (often beyond human capabilities) in solving complex problems, recent studies show that they are vulnerable to adversarial attacks in the form of subtle perturbations to inputs that lead a model to predict incorrect outputs. For images, such perturbations are often too small to be perceptible, yet they completely fool the deep learning models. Adversarial attacks pose a serious threat to the success of deep learning in practice. This fact has lead to a large influx of contributions in this direction. This article presents the first comprehensive survey on adversarial attacks on deep learning in Computer Vision. We review the works that design adversarial attacks, analyze the existence of such attacks and propose defenses against them. To emphasize that adversarial attacks are possible in practical conditions, we separately review the contributions that evaluate adversarial attacks in the real-world scenarios. Finally, we draw on the literature to provide a broader outlook of the research direction.

Yanjie Li,Bin Xie,Songtao Guo,Yuanyuan Yang,Bin Xiao

2023-10-01

Abstract:Benefiting from the rapid development of deep learning, 2D and 3D computer vision applications are deployed in many safe-critical systems, such as autopilot and identity authentication. However, deep learning models are not trustworthy enough because of their limited robustness against adversarial attacks. The physically realizable adversarial attacks further pose fatal threats to the application and human safety. Lots of papers have emerged to investigate the robustness and safety of deep learning models against adversarial attacks. To lead to trustworthy AI, we first construct a general threat model from different perspectives and then comprehensively review the latest progress of both 2D and 3D adversarial attacks. We extend the concept of adversarial examples beyond imperceptive perturbations and collate over 170 papers to give an overview of deep learning model robustness against various adversarial attacks. To the best of our knowledge, we are the first to systematically investigate adversarial attacks for 3D models, a flourishing field applied to many real-world applications. In addition, we examine physical adversarial attacks that lead to safety violations. Last but not least, we summarize present popular topics, give insights on challenges, and shed light on future research on trustworthy AI.

Machine Learning,Artificial Intelligence

Tianyu Du,Shouling Ji,Bo Wang,Sirui He,Jinfeng Li,Bo Li,Tao Wei,Yunhan Jia,Raheem Beyah,Ting Wang

DOI: https://doi.org/10.1002/int.22851

IF: 8.993

2022-02-08

International Journal of Intelligent Systems

Abstract:Despite their tremendous success in various machine learning tasks, deep neural networks (DNNs) are inherently vulnerable to adversarial examples, which are maliciously crafted inputs to cause DNNs to misbehave. Intensive research has been conducted on this phenomenon in simple tasks (e.g., image classification). However, little is known about this adversarial vulnerability for object detection, a much more complicated task, which often requires specialized DNNs and multiple additional components. In this paper, we present DetectSec, a uniform platform for robustness analysis of object detection models. Currently, DetectSec implements 13 representative adversarial attacks with 7 utility metrics and 13 defenses on 18 standard object detection models. Leveraging DetectSec, we conduct the first rigorous evaluation of adversarial attacks on the state‐of‐the‐art object detection models. We analyze the impact of the factors including DNN architecture and capacity on the model robustness. We show that many conclusions about adversarial attacks and defenses in image classification tasks do not transfer to object detection tasks, for example, the targeted attack is stronger than the untargeted attack for two‐stage detectors. Our findings will aid future efforts in understanding and defending against adversarial attacks in complicated tasks. In addition, we compare the robustness of different detection models and discuss their relative strengths and weaknesses. The platform DetectSec will be open source as a unique facility for further research on adversarial attacks and defenses in object detection tasks.

computer science, artificial intelligence

Tianyu Du,Shouling Ji,Bo Wang,Sirui He,Jinfeng Li,Bo Li,Tao Wei,Yunhan Jia,Raheem Beyah,Ting Wang

DOI: https://doi.org/10.1002/int.22851

IF: 8.993

2022-01-01

International Journal of Intelligent Systems

Abstract:Despite their tremendous success in various machine learning tasks, deep neural networks (DNNs) are inherently vulnerable to adversarial examples, which are maliciously crafted inputs to cause DNNs to misbehave. Intensive research has been conducted on this phenomenon in simple tasks (e.g., image classification). However, little is known about this adversarial vulnerability for object detection, a much more complicated task, which often requires specialized DNNs and multiple additional components. In this paper, we present DetectSec, a uniform platform for robustness analysis of object detection models. Currently, DetectSec implements 13 representative adversarial attacks with 7 utility metrics and 13 defenses on 18 standard object detection models. Leveraging DetectSec, we conduct the first rigorous evaluation of adversarial attacks on the state‐of‐the‐art object detection models. We analyze the impact of the factors including DNN architecture and capacity on the model robustness. We show that many conclusions about adversarial attacks and defenses in image classification tasks do not transfer to object detection tasks, for example, the targeted attack is stronger than the untargeted attack for two‐stage detectors. Our findings will aid future efforts in understanding and defending against adversarial attacks in complicated tasks. In addition, we compare the robustness of different detection models and discuss their relative strengths and weaknesses. The platform DetectSec will be open source as a unique facility for further research on adversarial attacks and defenses in object detection tasks.

Lovi Dhamija,Urvashi Bansal

DOI: https://doi.org/10.1007/s00354-024-00283-0

2024-10-14

New Generation Computing

Abstract:Deep learning plays a significant role in developing a robust and constructive framework for tackling complex learning tasks. Consequently, it is widely utilized in many security-critical contexts, such as Self-Driving and Biometric Systems. Due to their complex structure, Deep Neural Networks (DNN) are vulnerable to adversarial attacks. Adversaries can deploy attacks at training or testing time and can cause significant security risks in safety–critical applications. Therefore, it is essential to comprehend adversarial attacks, their crafting methods, and different defending strategies. Moreover, finding effective defenses to malicious attacks that can promote robustness and provide additional security in deep learning models is critical. Therefore, there is a need to analyze the different challenges concerning deep learning models' robustness. The proposed work aims to present a systematic review of primary studies that focuses on providing an efficient and robust framework against adversarial attacks. This work used a standard SLR (Systematic Literature Review) method to review the studies from different digital libraries. In the next step, this work designed and answered several research questions thoroughly. The study classified several defensive strategies and discussed the major conflicting factors that can enhance robustness and efficiency. Moreover, the impact of adversarial attacks and their perturbation metrics are also analyzed for different defensive approaches. The findings of this study assist researchers and practitioners in choosing an appropriate defensive strategy by incorporating the considerations of varying research issues and recommendations. Finally, relying upon reviewed studies, this work found future directions for researchers to design robust and innovative solutions against adversarial attacks.

computer science, theory & methods, hardware & architecture

Ka-Ho Chow,Ling Liu,Mehmet Emre Gursoy,Stacey Truex,Wenqi Wei,Yanzhao Wu

DOI: https://doi.org/10.48550/arXiv.2007.05828

2020-07-12

Abstract:Deep neural networks based object detection models have revolutionized computer vision and fueled the development of a wide range of visual recognition applications. However, recent studies have revealed that deep object detectors can be compromised under adversarial attacks, causing a victim detector to detect no object, fake objects, or mislabeled objects. With object detection being used pervasively in many security-critical applications, such as autonomous vehicles and smart cities, we argue that a holistic approach for an in-depth understanding of adversarial attacks and vulnerabilities of deep object detection systems is of utmost importance for the research community to develop robust defense mechanisms. This paper presents a framework for analyzing and evaluating vulnerabilities of the state-of-the-art object detectors under an adversarial lens, aiming to analyze and demystify the attack strategies, adverse effects, and costs, as well as the cross-model and cross-resolution transferability of attacks. Using a set of quantitative metrics, extensive experiments are performed on six representative deep object detectors from three popular families (YOLOv3, SSD, and Faster R-CNN) with two benchmark datasets (PASCAL VOC and MS COCO). We demonstrate that the proposed framework can serve as a methodical benchmark for analyzing adversarial behaviors and risks in real-time object detection systems. We conjecture that this framework can also serve as a tool to assess the security risks and the adversarial robustness of deep object detectors to be deployed in real-world applications.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Wei Wu,Haipeng Peng,Haotian Zhu,Derun Zhang

DOI: https://doi.org/10.3390/s24134253

2024-06-30

Abstract:With the rapid development of the Internet of Things (IoT), the sophistication and intelligence of sensors are continually evolving, playing increasingly important roles in smart homes, industrial automation, and remote healthcare. However, these intelligent sensors face many security threats, particularly from malware attacks. Identifying and classifying malware is crucial for preventing such attacks. As the number of sensors and their applications grow, malware targeting sensors proliferates. Processing massive malware samples is challenging due to limited bandwidth and resources in IoT environments. Therefore, compressing malware samples before transmission and classification can improve efficiency. Additionally, sharing malware samples between classification participants poses security risks, necessitating methods that prevent sample exploitation. Moreover, the complex network environments also necessitate robust classification methods. To address these challenges, this paper proposes CSMC (Compressed Sensing Malware Classification), an efficient malware classification method based on compressed sensing. This method compresses malware samples before sharing and classification, thus facilitating more effective sharing and processing. By introducing deep learning, the method can extract malware family features during compression, which classical methods cannot achieve. Furthermore, the irreversibility of the method enhances security by preventing classification participants from exploiting malware samples. Experimental results demonstrate that for malware targeting Windows and Android operating systems, CSMC outperforms many existing methods based on compressed sensing and machine or deep learning. Additionally, experiments on sample reconstruction and noise demonstrate CSMC's capabilities in terms of security and robustness.

Lingling Tong,Feng Dai,Yongdong Zhang,Jintao Li,Dongming Zhang

DOI: https://doi.org/10.1109/VCIP.2011.6115917

2011-01-01

Abstract:Surveillance video privacy protection has drawn significant attention recently. In this paper, we describe a privacy protected video surveillance system which utilizes the emerging compressive sensing (CS) theory. Privacy regions are scrambled through block based CS sampling on quantized coefficients during compression. Security is ensured by key controlled chaotic sequence which is used to construct CS measurement matrix. To prevent drift error caused by scrambling, a coding restricted scheme is exploited. Experimental results show that the proposed system effectively protects privacy with the scene intelligible. Compared with the existing ones, this system has high security and dramatic coding efficiency improvement. © 2011 IEEE.

Junbin Fang,You Jiang,Canjian Jiang,Zoe L. Jiang,Chuanyi Liu,Siu-Ming Yiu

DOI: https://doi.org/10.1016/j.eswa.2024.123761

IF: 8.5

2024-04-08

Expert Systems with Applications

Abstract:Adversarial attacks can mislead deep learning models to make false predictions by implanting small perturbations to the original input that are imperceptible to the human eye, which poses a huge security threat to computer vision systems based on deep learning. Physical adversarial attacks, which is more realistic, as the perturbation is introduced to the input before it is captured and converted to a image inside the vision system, when compared to digital adversarial attacks. In this paper, we focus on physical adversarial attacks and further classify them into invasive and non-invasive. Optical-based physical adversarial attack techniques (e.g. using light irradiation) belong to the non-invasive category. The perturbations can be easily ignored by humans as the perturbations are very similar to the effects generated by a natural environment in the real world. With high invisibility and executability, optical-based physical adversarial attacks can pose a significant or even lethal threat to real systems. This paper focuses on optical-based physical adversarial attack techniques for computer vision systems, with emphasis on the introduction and discussion of optical-based physical adversarial attack techniques.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

WANG Ping,ZHANG Yushu,HE Xing,ZHONG Sheng

DOI: https://doi.org/10.11959/j.issn.2096-0271.2020002

2020-01-01

Abstract:The current “big bang” of data is mainly driven by interconnection of all things.Various types of IoT sensing devices serving in daily life are constantly capturing personal privacy data.However,these privacy data have become the key targets of network attacks.Data security issues in the resource-constrained IoT applications were analyzed,a novel privacy protection technique based on compressive sensing theory was introduced,which is called secure compressed sensing,and a corresponding big data collection scheme was proposed.As demonstrated by the theoretical and experimental security analysis,there is a conclusive appeal for that secure compressive sensing can be used as a lightweight encryption mechanism which is built into the perception layer to provide first-level security protection for data at almost zero cost.

Yang Sui,Zhuohang Li,Ding Ding,Xiang Pan,Xiaozhong Xu,Shan Liu,Zhenzhong Chen

2024-01-06

Abstract:Adversarial attacks can readily disrupt the image classification system, revealing the vulnerability of DNN-based recognition tasks. While existing adversarial perturbations are primarily applied to uncompressed images or compressed images by the traditional image compression method, i.e., JPEG, limited studies have investigated the robustness of models for image classification in the context of DNN-based image compression. With the rapid evolution of advanced image compression, DNN-based learned image compression has emerged as the promising approach for transmitting images in many security-critical applications, such as cloud-based face recognition and autonomous driving, due to its superior performance over traditional compression. Therefore, there is a pressing need to fully investigate the robustness of a classification system post-processed by learned image compression. To bridge this research gap, we explore the adversarial attack on a new pipeline that targets image classification models that utilize learned image compressors as pre-processing modules. Furthermore, to enhance the transferability of perturbations across various quality levels and architectures of learned image compression models, we introduce a saliency score-based sampling method to enable the fast generation of transferable perturbation. Extensive experiments with popular attack methods demonstrate the enhanced transferability of our proposed method when attacking images that have been post-processed with different learned image compression models.

Computer Vision and Pattern Recognition,Multimedia,Image and Video Processing