Qianqian Song,Xiangwei Kong,Ziming Wang

DOI: https://doi.org/10.1007/978-3-030-93049-3_4

2021-01-01

Abstract:The accurate interpretation of neural network about how the network works is important. However, a manipulated explanation may have the potential to mislead human users not to trust a reliable network. Therefore, it is necessary to verify interpretation algorithms by designing effective attacks to simulate various possible threats in the real world. In this work, we mainly explore how to mislead interpretation. More specifically, we optimize the noise added to the input, which aims to highlight a certain area that we specify without changing the output category of network. With our proposed algorithm, we demonstrate that the state-of-the-art saliency maps based interpreters, e.g., Grad-CAM, Guided-Feature-Inversion, Grad-CAM++, Score-CAM and Full-Grad can be easily fooled. We propose two situations of fooling, Single-target attack and Multi-target attack, and show that the fooling can be transfered to different interpretation methods as well as generalized to the unseen samples with the universal noise. We also take image patches to fool Grad-CAM. Our results are proved in both qualitative and quantitative ways and we further propose a quantitative metric to measure the effectiveness of algorithm. We believe that our method can serve as an additional evaluation of robustness for future interpretation algorithms.

Lianli Gao,Qilong Zhang,Jingkuan Song,Heng Tao Shen

2020-01-01

Abstract: Although great progress has been made on adversarial attacks for deep neural networks (DNNs), their transferability is still unsatisfactory, especially for targeted attacks. There are two problems behind that have been long overlooked: 1) the conventional setting of $T$ iterations with the step size of $\epsilon/T$ to comply with the $\epsilon$-constraint. In this case, most of the pixels are allowed to add very small noise, much less than $\epsilon$; and 2) usually manipulating pixel-wise noise. However, features of a pixel extracted by DNNs are influenced by its surrounding regions, and different DNNs generally focus on different discriminative regions in recognition. To tackle these issues, we propose a patch-wise iterative method (PIM) aimed at crafting adversarial examples with high transferability. Specifically, we introduce an amplification factor to the step size in each iteration, and one pixel's overall gradient overflowing the $\epsilon$-constraint is properly assigned to its surrounding regions by a project kernel. But targeted attacks aim to push the adversarial examples into the territory of a specific class, and the amplification factor may lead to underfitting. Thus, we introduce the temperature and propose a patch-wise++ iterative method (PIM++) to further improve transferability without significantly sacrificing the performance of the white-box attack. Our method can be generally integrated to any gradient-based attack method. Compared with the current state-of-the-art attack methods, we significantly improve the success rate by 35.9\% for defense models and 32.7\% for normally trained models on average.

Bin Liang,Hongcheng Li,Miaoqiang Su,Xirong Li,Wenchang Shi,Xiaofeng Wang

DOI: https://doi.org/10.1109/tdsc.2018.2874243

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Recently, many studies have demonstrated deep neural network (DNN) classifiers can be fooled by the adversarial example, which is crafted via introducing some perturbations into an original sample. Accordingly, some powerful defense techniques were proposed. However, existing defense techniques often require modifying the target model or depend on the prior knowledge of attacks. In this paper, we propose a straightforward method for detecting adversarial image examples, which can be directly deployed into unmodified off-the-shelf DNN models. We consider the perturbation to images as a kind of noise and introduce two classic image processing techniques, scalar quantization and smoothing spatial filter, to reduce its effect. The image entropy is employed as a metric to implement an adaptive noise reduction for different kinds of images. Consequently, the adversarial example can be effectively detected by comparing the classification results of a given sample and its denoised version, without referring to any prior knowledge of attacks. More than 20,000 adversarial examples against some state-of-the-art DNN models are used to evaluate the proposed method, which are crafted with different attack techniques. The experiments show that our detection method can achieve a high overall F1 score of 96.39 percent and certainly raises the bar for defense-aware attacks.

Tingrui Pei,Cong He,Yanchun Li,Jian Weng,Zhetao Li,Shujuan Tian

DOI: https://doi.org/10.2139/ssrn.4246519

2022-01-01

SSRN Electronic Journal

Abstract:The vulnerability and sensitivity of deep neural networks to adversarial examples have attracted researchers’ attention towards the security application of deep model. Because of its location flexibility and color saturation, many methods to generate adversarial patches have been proposed. However, current methods mainly focus on the aggressiveness and size of the patches, while ignoring the imperceptibility and concealment of the patches, which makes the patches very conspicuous and easy to be identified. In this paper, we propose a two-step attack algorithm to generate imperceptible adversarial patches. Specifically, the first step of our algorithm is to obtain the vulnerable target category that is most likely to be misclassified; and the second step is to perform targeted attack using the vulnerable target coming from the first step. The proposed algorithm is very robust and can be generalized to other untargeted attack approaches, such as Shadow attack and I-FGSM. Extensive experiments on widely used classifiers demonstrate the availability and efficiency of the proposed algorithm.

Xiaoyi Dong,Dongdong Chen,Jianmin Bao,Chuan Qin,Lu Yuan,Weiming Zhang,Nenghai Yu,Dong Chen

2020-01-01

Abstract:Modern deep neural networks(DNNs) are vulnerable to adversarial samples. Sparse adversarial samples are a special branch of adversarial samples that can fool the target model by only perturbing a few pixels. The existence of the sparse adversarial attack points out that DNNs are much more vulnerable than people believed, which is also a new aspect for analyzing DNNs. However, current sparse adversarial attack methods still have some shortcomings on both sparsity and invisibility. In this paper, we propose a novel two-stage distortion-aware greedy-based method dubbed as “GreedyFool". Specifically, it first selects the most effective candidate positions to modify by considering both the gradient(for adversary) and the distortion map(for invisibility), then drops some less important points in the reduce stage. Experiments demonstrate that compared with the start-of-the-art method, we only need to modify $3\times$ fewer pixels under the same sparse perturbation setting. For target attack, the success rate of our method is 9.96\% higher than the start-of-the-art method under the same pixel budget. Code can be found at this https URL.

Qingfu Huang,Zhichao Lian,Qianmu Li

DOI: https://doi.org/10.1109/icme52920.2022.9859848

2022-01-01

Abstract:Deep neural networks are vulnerable to adversarial examples generated by black-box attacks with tiny perturbations. However, black-box based transferability attacks usually add perturbation to the whole image. It is easy for the defender to detect the adversarial examples. Inspired by attention modules, we propose a method named Gradient-mask and Attention-whey (GM&AW) to reduce redundant noise and maintain attack effect of them in this work. During Gradient-mask iterations, we only choose the regions with greater gradient and update them along the direction of gradient. Then, we utilize Attention-whey optimization combining attention mechanism and query to further decrease noise. Extensive experiments on Imagenet demonstrate that our approach can achieve enormous decrease on noise in $\ell_{2}$ norm and keep attack success rate for black models.

Zhibo Wang,Mengkai Song,Siyan Zheng,Zhifei Zhang,Yang Song,Qian Wang

DOI: https://doi.org/10.1109/tdsc.2019.2929047

2019-01-01

Abstract:Y Recent studies demonstrated that deep neural networks (DNNs) are vulnerable to adversarial examples, which would seriously threaten security-sensitive applications. Existing works synthesized the adversarial examples by perturbing the original/benign images by leveraging the L-p-norm to penalize the perturbations, which restricts the pixel-wise distance between the adversarial images and correspondingly benign images. However, they added perturbations globally to the benign images without explicitly considering their content/spacial structure, resulting in noticeable artifacts especially in those originally clean regions, e.g., sky and smooth surface. In this paper, we propose an invisible adversarial attack, which synthesizes adversarial examples that are visually indistinguishable from benign ones. We adaptively distribute the perturbation according to human sensitivity to a local stimulus in the benign image, i.e., the higher insensitivity, the more perturbation. Two types of adaptive adversarial attacks are proposed: 1) coarse-grained and 2) fine-grained. The former conducts L-p-norm regularized by the novel spatial constraints, which utilizes the rich information of the cluttered regions to mask perturbation. The latter, called Just Noticeable Distortion (JND)-based adversarial attack, utilizes the proposed JND(p) metric for better measuring the perceptual similarity, and adaptively sets penalty by weighting the pixel-wise perceptual redundancy of an image. We conduct extensive experiments on the MNIST, CIFAR-10 and ImageNet datasets and a comprehensive user study with 50 participants. The experimental results demonstrate that JND(p) is a better metric for measuring the perceptual similarity than L-p-norm, and the proposed adaptive adversarial attacks can synthesize indistinguishable adversarial examples from benign ones and outperform the state-of-the-art methods.

Yizhen Yuan,Rui Kong,Shenghao Xie,Yuanchun Li,Yunxin Liu

DOI: https://doi.org/10.1145/3581783.3612032

2023-08-23

Abstract:Backdoor attack is a major threat to deep learning systems in safety-critical scenarios, which aims to trigger misbehavior of neural network models under attacker-controlled conditions. However, most backdoor attacks have to modify the neural network models through training with poisoned data and/or direct model editing, which leads to a common but false belief that backdoor attack can be easily avoided by properly protecting the model. In this paper, we show that backdoor attacks can be achieved without any model modification. Instead of injecting backdoor logic into the training data or the model, we propose to place a carefully-designed patch (namely backdoor patch) in front of the camera, which is fed into the model together with the input images. The patch can be trained to behave normally at most of the time, while producing wrong prediction when the input image contains an attacker-controlled trigger object. Our main techniques include an effective training method to generate the backdoor patch and a digital-physical transformation modeling method to enhance the feasibility of the patch in real deployments. Extensive experiments show that PatchBackdoor can be applied to common deep learning models (VGG, MobileNet, ResNet) with an attack success rate of 93% to 99% on classification tasks. Moreover, we implement PatchBackdoor in real-world scenarios and show that the attack is still threatening.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Yandong Li,Lijun Li,Liqiang Wang,Tong Zhang,Boqing Gong

DOI: https://doi.org/10.48550/arXiv.1905.00441

IF: 5.414

2019-05-01

Machine Learning

Abstract:Powerful adversarial attack methods are vital for understanding how to construct robust deep neural networks (DNNs) and for thoroughly testing defense techniques. In this paper, we propose a black-box adversarial attack algorithm that can defeat both vanilla DNNs and those generated by various defense techniques developed recently. Instead of searching for an "optimal" adversarial example for a benign input to a targeted DNN, our algorithm finds a probability density distribution over a small region centered around the input, such that a sample drawn from this distribution is likely an adversarial example, without the need of accessing the DNN's internal layers or weights. Our approach is universal as it can successfully attack different neural networks by a single algorithm. It is also strong; according to the testing against 2 vanilla DNNs and 13 defended ones, it outperforms state-of-the-art black-box or white-box attack methods for most test cases. Additionally, our results reveal that adversarial training remains one of the best defense techniques, and the adversarial examples are not as transferable across defended DNNs as them across vanilla DNNs.

Jiang Zhu,Hong Zhao,He Yu,Jing Liu

DOI: https://doi.org/10.1145/3638529.3654231

2024-01-01

Abstract:Recent research shows that deep neural networks make wrong predictions when faced with adversarial examples with small perturbations added. In the setting of white-box attack, it is easy to generate adversarial samples with high attack success rate through gradients. But in reality, gradients are usually unavailable. At present, most black-box attack achieves the purpose of the attack by adding small perturbations, the intensity of the perturbation and the attack success rate are a kind of trade off. However, the noise added by most methods is meaningless. This paper introduces a novel adversarial attack algorithm called Pixel Logo Attack (PLA), which rationalizes noise by arranging pixel patterns into a logo-style, thereby presenting itself as an identity for protecting copyright information. Unlike most existing methods, this method can completely expose the added noise to the user without arousing user suspicion, and does not affect the usage of image. We use the differential evolution(DE) to search for suitable pixel positions and RGB values, and compare the performance of PLA with the state-of-the-art adversarial attack algorithms on the CIFAR-10 and ImageNet datasets. Experimental results show that PLA has good performance in solving black-box adversarial attack problems, especially non-targeted attack.

Xinjie Feng,Hongxun Yao,Wenbin Che,Shengping Zhang

DOI: https://doi.org/10.1007/978-3-030-37731-1_32

2019-01-01

Abstract:Deep neural networks (DNNs) are vulnerable to adversarial examples. Generally speaking adversarial examples are defined by adding input samples a small-magnitude perturbation, which is hardly misleading human observers' decision but would lead to misclassifications for a well trained models. Most of existing iterative adversarial attack methods suffer from low success rates in fooling model in a black-box manner. And we find that it is because perturbation neutralize each other in iterative process. To address this issue, we propose a novel boosted iterative method to effectively promote success rates. We conduct the experiments on ImageNet dataset, with five models normally trained for classification. The experimental results show that our proposed strategy can significantly improve success rates of fooling models in a black-box manner. Furthermore, it also outperforms the momentum iterative method (MI-FSGM), which won the first places in NeurIPS Non-targeted Adversarial Attack and Targeted Adversarial Attack competitions.

Tao Bai,Jinqi Luo,Jun Zhao

DOI: https://doi.org/10.48550/arXiv.2106.15202

2021-06-29

Computer Vision and Pattern Recognition

Abstract:Deep learning based image recognition systems have been widely deployed on mobile devices in today's world. In recent studies, however, deep learning models are shown vulnerable to adversarial examples. One variant of adversarial examples, called adversarial patch, draws researchers' attention due to its strong attack abilities. Though adversarial patches achieve high attack success rates, they are easily being detected because of the visual inconsistency between the patches and the original images. Besides, it usually requires a large amount of data for adversarial patch generation in the literature, which is computationally expensive and time-consuming. To tackle these challenges, we propose an approach to generate inconspicuous adversarial patches with one single image. In our approach, we first decide the patch locations basing on the perceptual sensitivity of victim models, then produce adversarial patches in a coarse-to-fine way by utilizing multiple-scale generators and discriminators. The patches are encouraged to be consistent with the background images with adversarial training while preserving strong attack abilities. Our approach shows the strong attack abilities in white-box settings and the excellent transferability in black-box settings through extensive experiments on various models with different architectures and training methods. Compared to other adversarial patches, our adversarial patches hold the most negligible risks to be detected and can evade human observations, which is supported by the illustrations of saliency maps and results of user evaluations. Lastly, we show that our adversarial patches can be applied in the physical world.

Bo Luo,Yannan Liu,Lingxiao Wei,Qiang Xu

DOI: https://doi.org/10.1609/aaai.v32i1.11499

2018-04-25

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Machine learning systems based on deep neural networks, being able to produce state-of-the-art results on various perception tasks, have gained mainstream adoption in many applications. However, they are shown to be vulnerable to adversarial example attack, which generates malicious output by adding slight perturbations to the input. Previous adversarial example crafting methods, however, use simple metrics to evaluate the distances between the original examples and the adversarial ones, which could be easily detected by human eyes. In addition, these attacks are often not robust due to the inevitable noises and deviation in the physical world. In this work, we present a new adversarial example attack crafting method, which takes the human perceptual system into consideration and maximizes the noise tolerance of the crafted adversarial example. Experimental results demonstrate the efficacy of the proposed technique.

Yier Wei,Haichang Gao,Yufei Wang,Huan Liu,Yipeng Gao,Sainan Luo,Qianwen Guo

DOI: https://doi.org/10.1007/978-3-031-44192-9_16

2023-01-01

Abstract:Deep neural networks have been proven to be vulnerable to adversarial attacks. The early attacks mostly involved image-specific approaches that generated specific adversarial noises for each individual image. More recent studies have further demonstrated that neural networks can also be fooled by image-agnostic noises, called “universal adversarial perturbation”. However, the current universal adversarial attacks mainly focus on untargeted attacks and exhibit poor transferability. In this paper, we propose TransNoise, a new approach for implementing a transferable universal adversarial attack that involves modifying only a few pixels of the image. Our approach achieves state-of-art success rates in the universal adversarial attack domain for both targeted and nontarget settings. The experimental results demonstrate that our method outperforms the current methods from three aspects of universality: 1) by adding our universal adversarial noises to different images, the fooling rates of our method on the target model are almost all above 95%; 2) when no training data are available for the targeted model, our method is still able to implement targeted attacks; 3) the method transfers well across different models in the untargeted setting.

Yinan Fu,Xiaolong Zheng,Peilun Du,Liang Liu

DOI: https://doi.org/10.1007/978-981-16-8174-5_14

2021-01-01

Abstract:Adversarial patch is an image-independent patch that misleads deep neural networks to output a targeted class. Existing defense strategies mainly rely on patch detection based on the frequency or semantic gaps between the patch and clean image. But we found that they are effective because the gap is huge. This is because existing patch attacks only look for an effective patch instead of the optimized patch that minimizes the gap. We then propose two improved patches, enhanced and smoothed patches, to reduce the gap. Consequently, the decision boundary for adversarial examples of the existing defense means is successfully obscured. To cope with the improved patches, we propose a defense method based on image preprocessing. We leverage multi-scale Gaussian blur to amplify the reduced gap between the patch and clean image. Due to the dense information of patches, for a patch, the dissimilarities of Gaussian blurs with different scales are higher than that of clean images. By enhancing the local multi-scale details and weakening them in another scale set, we maximize its effect on patch with high-frequency information. In this way, our defense method can efficiently distort adversarial patches and cause only a negligible impact on clean images.

Xiaosen Wang,Kunyu Wang

2023-12-05

Abstract:Deep neural networks (DNNs) are vulnerable to various types of adversarial examples, bringing huge threats to security-critical applications. Among these, adversarial patches have drawn increasing attention due to their good applicability to fool DNNs in the physical world. However, existing works often generate patches with meaningless noise or patterns, making it conspicuous to humans. To address this issue, we explore how to generate visually realistic adversarial patches to fool DNNs. Firstly, we analyze that a high-quality adversarial patch should be realistic, position irrelevant, and printable to be deployed in the physical world. Based on this analysis, we propose an effective attack called VRAP, to generate visually realistic adversarial patches. Specifically, VRAP constrains the patch in the neighborhood of a real image to ensure the visual reality, optimizes the patch at the poorest position for position irrelevance, and adopts Total Variance loss as well as gamma transformation to make the generated patch printable without losing information. Empirical evaluations on the ImageNet dataset demonstrate that the proposed VRAP exhibits outstanding attack performance in the digital world. Moreover, the generated adversarial patches can be disguised as the scrawl or logo in the physical world to fool the deep models without being detected, bringing significant threats to DNNs-enabled applications.

Computer Vision and Pattern Recognition

Zhou Yutian,Tan Yu-an,Zhang Quanxin,Kuang Xiaohui,Han Yahong,Hu Jingjing

DOI: https://doi.org/10.1007/s11036-019-01499-x

2020-01-01

Mobile Networks and Applications

Abstract:Deep neural networks are susceptible to tiny crafted adversarial perturbations which are always added to all the pixels of the image to craft an adversarial example. Most of the existing adversarial attacks can reduce the L2 distance between the adversarial image and the source image to a minimum but ignore the L0 distance which is still huge. To address this issue, we introduce a new black-box adversarial attack based on evolutionary method and bisection method, which can greatly reduce the L0 distance while limiting the L2 distance. By flipping pixels of the target image, an adversarial example is generated, in which a small number of pixels come from the target image and the rest pixels are from the source image. Experiments show that our attack method is able to generate high quality adversarial examples steadily. Especially for generating adversarial examples for large scale images, our method performs better.

Zhaoyu Chen,Bo Li,Shuang Wu,Shouhong Ding,Wenqiang Zhang

DOI: https://doi.org/10.1109/tifs.2023.3307908

IF: 7.231

2023-09-13

IEEE Transactions on Information Forensics and Security

Abstract:Deep neural networks (DNNs) have been showed to be highly vulnerable to imperceptible adversarial perturbations. As a complementary type of adversary, patch attacks that introduce perceptible perturbations to the images have attracted the interest of researchers. Existing patch attacks rely on the architecture of the model or the probabilities of predictions and perform poorly in the decision-based setting, which can still construct a perturbation with the minimal information exposed – the top-1 predicted label. In this work, we first explore the decision-based patch attack. To enhance the attack efficiency, we model the patches using paired key-points and use targeted images as the initialization of patches, and parameter optimizations are all performed on the integer domain. Then, we propose a differential evolutionary algorithm named DevoPatch for query-efficient decision-based patch attacks. Experiments demonstrate that DevoPatch outperforms the state-of-the-art black-box patch attacks in terms of patch area and attack success rate within a given query budget on image classification and face verification. Additionally, we conduct the vulnerability evaluation of ViT and MLP on image classification in the decision-based patch attack setting for the first time. Using DevoPatch, we can evaluate the robustness of models to black-box patch attacks. We believe this method could inspire the design and deployment of robust vision models based on various DNN architectures in the future.

computer science, theory & methods,engineering, electrical & electronic