Jiawei Zhao,Lizhe Xie,Yuning Zhang,Siqi Gu,Zheng Wang,Yining Hu

DOI: https://doi.org/10.2139/ssrn.4850545

2024-01-01

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. The existence of adversarial examples significantly hinders the development of deep learning technologies in domains with high-security requirements. However, current defense methods often lack universality, being effective only against specific adversarial attacks. This study focuses on analyzing adversarial examples through changes in model attention, classifying attack algorithms into attention-shifting and attention-attenuation categories. To counter attention-shifting attacks, a defense module named Feature Pyramid-based Attention Space-guided (FPAS) is proposed, which spatially retracts the shifting attention in adversarial examples, thereby enhancing the model's overall defense capability. Attention-based Non-Local (ANL) is a proposed defense module to counter attention-attenuation attacks. This module enhances the model's focus on critical features, efficiently constructing a robust defense model with low implementation cost and minimal intrusion into the original model. By integrating FPAS and ANL into the Wide-ResNet model within a boosting framework, the study demonstrates their synergistic defense capability. Even with eight adversarial samples embedded with adversarial patches, our FPAS_at and ANL_at models demonstrated significant improvements over the baseline, enhancing the average defense rate by 5.47% and 7.74%, respectively. Extensive experiments confirm that this universal defense strategy offers comprehensive protection against adversarial attacks at a lower implementation cost compared to current mainstream defense methods, while also being adaptable for integration with existing defense strategies to further enhance adversarial robustness.

Kejiang Chen,Yuefeng Chen,Hang Zhou,Chuan Qin,Xiaofeng Mao,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.1109/icassp39728.2021.9414008

2021-01-01

Abstract:Deep neural networks have been proved that they are vulnerable to adversarial examples, which are generated by adding human-imperceptible perturbations to images. To defend these adversarial examples, various detection based methods have been proposed. However, most of them perform poorly on detecting adversarial examples with extremely slight perturbations. By exploring these adversarial examples, we find that there exists compliance between perturbations and prediction confidence, which guides us to detect few-perturbation attacks from the aspect of prediction confidence. To detect both few-perturbation attacks and large-perturbation attacks, we propose a method beyond image space by a two-stream architecture, in which the image stream focuses on the pixel artifacts and the gradient stream copes with the confidence artifacts. The experimental results show that the proposed method outperforms the existing methods under oblivious attacks and is verified effective to defend omniscient attacks as well.

Haobo Wang,Chenxi Zhu,Yangjie Cao,Yan Zhuang,Jie Li,Xianfu Chen

DOI: https://doi.org/10.3390/electronics12040816

IF: 2.9

2023-01-01

Electronics

Abstract:Deep neural networks are susceptible to interference from deliberately crafted noise, which can lead to incorrect classification results. Existing approaches make less use of latent space information and conduct pixel-domain modification in the input space instead, which increases the computational cost and decreases the transferability. In this work, we propose an effective adversarial distribution searching-driven attack (ADSAttack) algorithm to generate adversarial examples against deep neural networks. ADSAttack introduces an affiliated network to search for potential distributions in image latent space for synthesizing adversarial examples. ADSAttack uses an edge-detection algorithm to locate low-level feature mapping in input space to sketch the minimum effective disturbed area. Experimental results demonstrate that ADSAttack achieves higher transferability, better imperceptible visualization, and faster generation speed compared to traditional algorithms. To generate 1000 adversarial examples, ADSAttack takes 11.08s and, on average, achieves a success rate of 98.01%.

Long Tang,Bin Yu

DOI: https://doi.org/10.1109/dsa51864.2020.00051

2020-01-01

Abstract:Deep neural network (DNN) has been widely used in many application scenarios, but it is easy to be affected by slight disturbance, which is referred to as adversarial examples, and produces wrong decisions endangering system security. It is difficult to obtain the structure and parameter information of the target network in the actual scene. In this paper, we propose an optimization-based method to generate adversarial examples. Inspired by the autoencoder and Conditional Generative Adversarial Net (CGAN), we train the encoder to encode the image into latent vector, of which the specific region (category field) is used to represent the category information of the image, and then train the decoder to generate adversarial examples of the specified category. We perform Natural Evolution Strategy in the low-dimensional latent space to further improve the attack. The result shows that our method can successfully attack the target network within only one or a few queries. We evaluate our method on Sign-Language-Digits (SLD) and Cifar-10 datasets. Compared with other methods, our approach can attack the target model with less queries, and maintain a high success rate.

Zhiyuan Liu,Chunjie Cao,Fangjian Tao,Yifan Li,Xiaoyu Lin

DOI: https://doi.org/10.1155/2022/5501035

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Deep neural networks (DNNs) have been closely related to the Pandora’s box from the moment of its birth. Although it achieves a high accuracy significantly in real-world tasks (e.g., object detecting and speech recognition), it still retains fatal vulnerabilities and flaws. Malicious attackers can manipulate DNN model misclassification just by adding tiny perturbations to the original image. These crafted samples are also called adversarial examples. One of the effective defense methods is to detect them before feeding them into the model. In this paper, we delve into the representation of adversarial examples in the original spatial and spectral domains. By qualitative and quantitative analysis, it is confirmed that the high-level representation and high-frequency components of abnormal samples contain richer discriminative information. To further explore the influence mechanism between the two factors, we perform an ablation study and the results show a win-win effect. Utilizing the finding, a detecting method (HLFD) is proposed based on extracting high-level representation and high-frequency components. Compared with other state-of-the-art detection methods, we achieve a better detection performance in most scenarios via a series of experiments conducted on MNIST, CIFAR-10, CIFAR-100, SVHN, and Tiny-ImageNet. In particular, we improve detection rates by a large margin on DeepFool and CW attacks.

Chaochao Li,Yu Yang,Jialin Lin,Rui Zhan

DOI: https://doi.org/10.1109/pic50277.2020.9350850

2020-01-01

Abstract:Deep learning model has good performance in image classification, target detection, face recognition and other tasks, but it is prone to misjudgment in the face of adversarial attack. Research on adversarial sample generation method can improve the security of deep learning model. Compared with the algorithm based on spatial transform, the existing generation methods of adversarial samples based on pixel value perturbation of the original image can effectively reduce the construction time of the adversarial samples, but the generated adversarial samples are significantly different from the original image in perception, which can be easily find by human eyes. The method proposed in this paper aims to reduce the attack time and ensure the similarity of visual perception and attack success rate between the adversarial sample and the original image. The simulation results show that compared with traditional adversarial sample generation method based on spatial transform, this method can reduce time about 30%, at the same time, this method can effectively guarantee the human eye observation under the adversarial samples and the similarity of the original image.

Zhibo Wang,Mengkai Song,Siyan Zheng,Zhifei Zhang,Yang Song,Qian Wang

DOI: https://doi.org/10.1109/tdsc.2019.2929047

2019-01-01

Abstract:Y Recent studies demonstrated that deep neural networks (DNNs) are vulnerable to adversarial examples, which would seriously threaten security-sensitive applications. Existing works synthesized the adversarial examples by perturbing the original/benign images by leveraging the L-p-norm to penalize the perturbations, which restricts the pixel-wise distance between the adversarial images and correspondingly benign images. However, they added perturbations globally to the benign images without explicitly considering their content/spacial structure, resulting in noticeable artifacts especially in those originally clean regions, e.g., sky and smooth surface. In this paper, we propose an invisible adversarial attack, which synthesizes adversarial examples that are visually indistinguishable from benign ones. We adaptively distribute the perturbation according to human sensitivity to a local stimulus in the benign image, i.e., the higher insensitivity, the more perturbation. Two types of adaptive adversarial attacks are proposed: 1) coarse-grained and 2) fine-grained. The former conducts L-p-norm regularized by the novel spatial constraints, which utilizes the rich information of the cluttered regions to mask perturbation. The latter, called Just Noticeable Distortion (JND)-based adversarial attack, utilizes the proposed JND(p) metric for better measuring the perceptual similarity, and adaptively sets penalty by weighting the pixel-wise perceptual redundancy of an image. We conduct extensive experiments on the MNIST, CIFAR-10 and ImageNet datasets and a comprehensive user study with 50 participants. The experimental results demonstrate that JND(p) is a better metric for measuring the perceptual similarity than L-p-norm, and the proposed adaptive adversarial attacks can synthesize indistinguishable adversarial examples from benign ones and outperform the state-of-the-art methods.

Chengyao Hua,Shigeng Zhang,Weiping Wang,Zhankai Li,Jian Zhang

DOI: https://doi.org/10.1109/trustcom56396.2022.00057

2022-01-01

Abstract:The human can easily recognize the incongruous parts of an image, for example, perturbations unrelated to the image itself, but are poor at spotting the small geometric transformations. However, in terms of the robustness of deep neural networks (DNNs), the ability to properly recognize objects with small geometric transformations is still a challenge. In this work, we investigate the problem from the perspective of adversarial attacks: does the performance of DNNs degrade even when small geometric transformations are applied to images? To this end, we propose a novel adversarial attack method, called WBA, a Warping-Based Adversarial attack method, which does not introduce information independent of the original images but manipulates the existing pixels of the images by elastic warping transformations to generate adversarial examples that are imperceptible to the human eye. At the same time, existing adversarial attacks typically generate adversarial examples by modifying pixels in the spatial domain of the image, the addition of such perturbations introduces extra information unrelated to the image itself and is easily detected by the naked eyes. We demonstrate the effectiveness of WBA by extensive experiments on commonly used datasets, including MNIST, CIFAR10, and ImageNet. The results show that WBA can quickly generate adversarial examples with the highest adversarial strength, consumes less time, and can be comparable to optimization-based adversarial attack methods in image perception evaluation metrics such as LPIPS, SSIM, and far more than gradient direction-based iterative methods.

Yuying Hao,Tuanhui Li,Yang Bai,Li Li,Yong Jiang,Xuanye Cheng

DOI: https://doi.org/10.1007/978-3-030-30508-6_52

2019-01-01

Abstract:Deep neural networks (DNNs) have been widely applied in many areas. However, they are quite vulnerable to well-designed perturbations. Most recent methods of generating adversarial examples fail to limit the perturbations while keeping good transferability. In this work, we propose a new method to address these problems. We combine local attack and gradient descent optimization method to generate adversarial examples. Specifically, in forward propagation, we select sensitive pixels and add perturbations to them. In backward propagation, we propose a novel loss function to reduce the difference between adversarial examples and benign images. Extensive experiments demonstrate that our method achieves strong attack ability with lower distortion.

Bo Luo,Yannan Liu,Lingxiao Wei,Qiang Xu

DOI: https://doi.org/10.1609/aaai.v32i1.11499

2018-04-25

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Machine learning systems based on deep neural networks, being able to produce state-of-the-art results on various perception tasks, have gained mainstream adoption in many applications. However, they are shown to be vulnerable to adversarial example attack, which generates malicious output by adding slight perturbations to the input. Previous adversarial example crafting methods, however, use simple metrics to evaluate the distances between the original examples and the adversarial ones, which could be easily detected by human eyes. In addition, these attacks are often not robust due to the inevitable noises and deviation in the physical world. In this work, we present a new adversarial example attack crafting method, which takes the human perceptual system into consideration and maximizes the noise tolerance of the crafted adversarial example. Experimental results demonstrate the efficacy of the proposed technique.

Fengting Li,Xuankai Liu,Xiaoli Zhang,Qi Li,Kun Sun,Kang Li

DOI: https://doi.org/10.1109/infocom42981.2021.9488754

2021-01-01

Abstract:Deep neural networks (DNNs) have been applied in a wide range of applications, e.g., face recognition and image classification; however, they are vulnerable to adversarial examples. By adding a small amount of imperceptible perturbations, an attacker can easily manipulate the outputs of a DNN. Particularly, the localized adversarial examples only perturb a small and contiguous region of the target object, so that they are robust and effective in both digital and physical worlds. Although the localized adversarial examples have more severe real-world impacts than traditional pixel attacks, they have not been well addressed in the literature. In this paper, we propose a generic defense system called TaintRadar to accurately detect localized adversarial examples via analyzing critical regions that have been manipulated by attackers. The main idea is that when removing critical regions from input images, the ranking changes of adversarial labels will be larger than those of benign labels. Compared with existing defense solutions, TaintRadar can effectively capture sophisticated localized partial attacks, e.g., the eye-glasses attack, while not requiring additional training or fine-tuning of the original model's structure. Comprehensive experiments have been conducted in both digital and physical worlds to verify the effectiveness and robustness of our defense.

Shangjie Ren,Siyu Xia

DOI: https://doi.org/10.18178/ijmlc.2022.12.1.1073

2022-01-01

International Journal of Machine Learning and Computing

Abstract:In recent years, with the development of deep learning technology, neural networks play an increasingly important role in more and more fields.However, research shows that neural networks are vulnerable to the attack of adversarial examples.The purpose of this paper is to study the principle of adversarial examples generation and propose a new method of generating adversarial examples.Compared with existed methods, our method achieves better deception rate and perturbs less pixels of images.During an epoch in batch dimension iteration, multiple pixels are perturbed while Manhattan-Distance constraints are added to them.Our algorithm performs well in experiments.Compared with Carlini-Wagner method, only 60 more dimensions are perturbed, which indicates that the computation cost of our algorithm is completely acceptable.Besides, compared with FGSM algorithm, the deception rate increases by 12% while the generation times of them are almost same.

Zifei Zhang,Kai Qiao,Lingyun Jiang,Linyuan Wang,Jian Chen,Bin Yan

DOI: https://doi.org/10.1007/978-3-030-62460-6_42

2020-01-01

Abstract:Compared with traditional machine learning models, deep neural networks perform better, especially in image classification tasks. However, they are vulnerable to adversarial examples. Adding small perturbations on examples causes a good-performance model to misclassify the crafted examples, without category differences in the human eyes, and fools deep models successfully. There are two requirements for generating adversarial examples: the attack success rate and image fidelity metrics. Generally, the magnitudes of perturbation are increased to ensure the adversarial examples’ high attack success rate; however, the adversarial examples obtained have poor concealment. To alleviate the tradeoff between the attack success rate and image fidelity, we propose a method named AdvJND, adding visual model coefficients, just noticeable difference, in the constraint of a distortion function when generating adversarial examples. In fact, the visual subjective feeling of the human eyes is added as a priori information, which decides the distribution of perturbations, to improve the image quality of adversarial examples. We tested our method on the FashionMNIST, CIFAR10, and MiniImageNet datasets. Our adversarial examples keep high image quality under slightly decreasing attack success rate. Since our AdvJND algorithm yield gradient distributions that are similar to those of the original inputs, the crafted noise can be hidden in the original inputs, improving the attack concealment significantly.

Guoyin Zhang,Qingan Da,Sizhao Li,Jianguo Sun,Wenshan Wang,Qing Hu,Jiashuai Lu

DOI: https://doi.org/10.1504/ijbic.2022.126789

2022-01-01

International Journal of Bio-Inspired Computation

Abstract:Deep neural networks are susceptible to adversarial examples which can mislead or even manipulate the predictive behaviour of deep neural networks. This raises concerns about the safety of deep learning. In this paper, to ensure rapid generation of adversarial examples, we propose an adversarial transformation network with adaptive perturbations by using the framework of a generative adversarial network. For the adversarial training phase, the direction of the adversarial perturbation is adaptively adjusted to generate more adversarial examples with transferability. Besides, the perceptual constraint based on game theory, the pixel-level constraint based on mixed norms, and the target constraint based on the C$W method are introduced to guide the optimisation of the generator. Experiments conducted on MNIST, CIFAR-10, and ImageNet show the proposed algorithm can generate adversarial examples with stronger attack abilities in a shorter time. And the proposed algorithm can generate more transferable adversarial examples when attacking models with similar structures.

Ayberk Aydin,Alptekin Temizel

DOI: https://doi.org/10.1016/j.patrec.2023.09.003

2023-10-21

Abstract:Deep neural networks are known to be vulnerable to adversarial perturbations. The amount of these perturbations are generally quantified using $L_p$ metrics, such as $L_0$, $L_2$ and $L_\infty$. However, even when the measured perturbations are small, they tend to be noticeable by human observers since $L_p$ distance metrics are not representative of human perception. On the other hand, humans are less sensitive to changes in colorspace. In addition, pixel shifts in a constrained neighborhood are hard to notice. Motivated by these observations, we propose a method that creates adversarial examples by applying spatial transformations, which creates adversarial examples by changing the pixel locations independently to chrominance channels of perceptual colorspaces such as $YC_{b}C_{r}$ and $CIELAB$, instead of making an additive perturbation or manipulating pixel values directly. In a targeted white-box attack setting, the proposed method is able to obtain competitive fooling rates with very high confidence. The experimental evaluations show that the proposed method has favorable results in terms of approximate perceptual distance between benign and adversarially generated images. The source code is publicly available at <a class="link-external link-https" href="https://github.com/ayberkydn/stadv-torch" rel="external noopener nofollow">this https URL</a>

Computer Vision and Pattern Recognition,Image and Video Processing

Sizhao Huang,Shuai Wang,Jian Chen,Guozhi Li,Wenyi Wang

DOI: https://doi.org/10.1109/icassp43922.2022.9747171

2022-01-01

Abstract:Deep neural network (DNN) shows impressive performance on many tasks but they usually suffer from adversarial examples with human eyes invisible slight perturbation. Such examples can not be distinguished by human but can mislead DNN classifiers leading to its important role in DNN attack and defense. Many adversarial examples detection methods perform well in identifying global perturbation adversarial examples but less efficiently for local perturbation ones. We observe both global perturbation and local perturbation adversarial examples have similar BOF histogram distribution after JPEG compression and Error Level Analysis (ELA) while these distributions are clearly different to clean example’s distribution. Meanwhile, researchers have found that the stability of adversarial example after space mapping is worse than that of the clean example. Therefore, we propose a two-branch architecture to detect adversarial examples based on the aforementioned strategies. Experiments show that our method has achieved better or similar performance compared to several state-of-the-art methods in terms of the detection accuracy and generation property for adversarial examples with global and local perturbation.

Haoyu Wang,Chunhua Wu,Kangfeng Zheng

DOI: https://doi.org/10.1016/j.neunet.2024.106176

IF: 7.8

2024-05-01

Neural Networks

Abstract:Deep Learning algorithms have achieved state-of-the-art performance in various important tasks. However, recent studies have found that an elaborate perturbation may cause a network to misclassify, which is known as an adversarial attack. Based on current research, it is suggested that adversarial examples cannot be eliminated completely. Consequently, it is always possible to determine an attack that is effective against a defense model. We render existing adversarial examples invalid by altering the classification boundaries. Meanwhile, for valid adversarial examples generated against the defense model, the adversarial perturbations are increased so that they can be distinguished by the human eye. This paper proposes a method for implementing the abovementioned concepts through color space transformation. Experiments on CIFAR-10, CIFAR-100, and Mini-ImageNet demonstrate the effectiveness and versatility of our defense method. To the best of our knowledge, this is the first defense model based on the amplification of adversarial perturbations.

computer science, artificial intelligence,neurosciences

Xinyang Zhang,Yifan Huang,Chanh Nguyen,Shouling Ji,Ting Wang

2018-01-01

Abstract:One intriguing property of neural networks is their inherent vulnerability to adversarial inputs, which are maliciously crafted samples to trigger target networks to misbehave. The state-of-the-art attacks generate adversarial inputs using either pixel perturbation or spatial transformation. Thus far, several provable defenses have been proposed against pixel perturbation-based attacks; yet, little is known about whether such solutions exist for spatial transformation-based attacks. This paper bridges this striking gap by conducting the first systematic study on provable defenses against spatially transformed adversarial inputs. Our findings convey mixed messages. On the impossibility side, we show that such defenses may not exist in practice: for any given networks, it is possible to find legitimate inputs and imperceptible transformations to generate adversarial inputs that force arbitrarily large errors. On the possibility side, we show that it is still feasible to construct adversarial training methods to significantly improve the resilience of networks against adversarial inputs over empirical datasets. We believe our findings provide insights for designing more effective defenses against spatially transformed adversarial inputs.

Chaowei Xiao,Bo Li,Jun-yan Zhu,Warren He,Mingyan Liu,Dawn Song

DOI: https://doi.org/10.24963/ijcai.2018/543

2018-07-01

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Mingxing Duan,Yunchuan Qin,Jiayan Deng,Kenli Li,Bin Xiao

DOI: https://doi.org/10.1109/tnnls.2023.3274142

IF: 14.255

2023-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:The construction of undetectable adversarial examples with few perturbances remains a difficult problem in adversarial attacks. At present, most solutions use the standard gradient optimization algorithm to build adversarial examples by applying global perturbations to benign samples and then launch attacks on the targets (e.g., face recognition systems). However, when the perturbance size is limited, the performance of these approaches suffers substantially. The content of crucial places in an image, on the other hand, will impact the final prediction; if these areas can be investigated and limited perturbances introduced, an acceptable adversarial example will be constructed. Based on the foregoing research, this article offers a dual attention adversarial network (DAAN) to produce adversarial examples with limited perturbations. DAAN initially searches for effective areas in an input image using the spatial attention network and channel attention network, and then creates space and channel weights. Following that, these weights direct an encoder and a decoder to generate effective perturbation, which is then combined with the input to produce an adversarial example. Finally, the discriminator determines if the created adversarial examples are true or false, and the attacked model is utilized to determine whether the generated samples fit the attack targets. Extensive studies on various datasets show that DAAN not only delivers the best attack performance across all comparison algorithms with few perturbations, but it can also significantly improve the defensiveness of the attacked models.