Xu Kang,Bin Song,Dan Wang,Xiaohui Cai

DOI: https://doi.org/10.1016/j.neucom.2022.06.005

IF: 6

2022-01-01

Neurocomputing

Abstract:Recently, researches on universal adversarial perturbations have deepened the public’s attention to the security of deep neural networks (DNNs). Most researchers use iterative methods or generative adversarial networks (GANs) to find universal adversarial perturbations (UAPs). However, just focusing on outputs still cannot separate adversarial examples in feature space and there is almost no correlation between the perturbations generated by random noise and the target network. To cope with these problems, we propose a novel end-to-end UAPs generation framework that uses constant activation information as the input of the generator and adopts a feature adaptive loss function. Experiments show that the attack success rate of our UAPs has reached a competitive level against different classification networks on CIFAR-10 and ImageNet where the average fooling rate can reach 86% and 96%, leading to 19% and 16% improvements over UAP, respectively. Furthermore, we demonstrate the great generalization ability and strong transferability of proposed attacker. Finally, the proposed attacker can achieve lower mAP and mean IoU than several classical white box attackers in object detection task and image segmentation task.

Zifei Wang,Xiaolin Huang,Jie Yang,Nikola K. Kasabov

DOI: https://doi.org/10.1109/is48319.2020.9199956

2020-01-01

Abstract:The vulnerability of Deep Neural Networks (DNNs) to adversarial attacks has become an important research area of machine learning. It has been known that many state-of-the-art DNNs suffer the risk of universal adversarial perturbations, which are image-agnostic and able to lead misclassifications with high probability. In this paper, we propose a novel method to create such universal adversarial perturbations. Our approach is the first to generate universal perturbations by attacking the attention heat maps with the interpretation method, Layer-wise Relevance Propagation. It is demonstrated that our method achieves high fooling ratios on image classification DNNs pre-trained by ImageNet dataset. Moreover, our attack shows good transferability across different DNNs.

Yuhang Zhao,Kunqing Wang,Yuan Xue,Quanxin Zhang,Xiaosong Zhang

DOI: https://doi.org/10.1007/978-3-030-34139-8_7

2019-01-01

Abstract:With the continuous development of deep neural networks (DNNs), it has become the main means of solving problems in the field of computer vision. However, recent research has shown that deep neural networks are vulnerable to well-designed adversarial examples. In this paper, we used a deep neural network to generate adversarial examples to attack black-box object detectors. We trained a generation network to produce universal perturbations, achieving a cross-task attack against black-box object detectors. We demonstrated the feasibility of task-generalizable attacks. Our attack generated efficient universal perturbations on classifiers then attack object detectors. We proved the effectiveness of our attack on two representative object detectors: Faster R-CNN based on proposal and regression-based YOLOv3.

Maosen Li,Yanhua Yang,Kun Wei,Xu Yang,Heng Huang

DOI: https://doi.org/10.1609/aaai.v36i2.20023

2022-06-28

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Deep learning models have shown to be susceptible to universal adversarial perturbation (UAP), which has aroused wide concerns in the community. Compared with the conventional adversarial attacks that generate adversarial samples at the instance level, UAP can fool the target model for different instances with only a single perturbation, enabling us to evaluate the robustness of the model from a more effective and accurate perspective. The existing universal attack methods fail to exploit the differences and connections between the instance and universal levels to produce dominant perturbations. To address this challenge, we propose a new universal attack method that unifies instance-specific and universal attacks from a feature perspective to generate a more dominant UAP. Specifically, we reformulate the UAP generation task as a minimax optimization problem and then utilize the instance-specific attack method to solve the minimization problem thereby obtaining better training data for generating UAP. At the same time, we also introduce a consistency regularizer to explore the relationship between training data, thus further improving the dominance of the generated UAP. Furthermore, our method is generic with no additional assumptions about the training data and hence can be applied to both data-dependent (supervised) and data-independent (unsupervised) manners. Extensive experiments demonstrate that the proposed method improves the performance by a significant margin over the existing methods in both data-dependent and data-independent settings. Code is available at https://github.com/lisenxd/AT-UAP.

Guoyin Zhang,Qingan Da,Sizhao Li,Jianguo Sun,Wenshan Wang,Qing Hu,Jiashuai Lu

DOI: https://doi.org/10.1504/ijbic.2022.126789

2022-01-01

International Journal of Bio-Inspired Computation

Abstract:Deep neural networks are susceptible to adversarial examples which can mislead or even manipulate the predictive behaviour of deep neural networks. This raises concerns about the safety of deep learning. In this paper, to ensure rapid generation of adversarial examples, we propose an adversarial transformation network with adaptive perturbations by using the framework of a generative adversarial network. For the adversarial training phase, the direction of the adversarial perturbation is adaptively adjusted to generate more adversarial examples with transferability. Besides, the perceptual constraint based on game theory, the pixel-level constraint based on mixed norms, and the target constraint based on the C$W method are introduced to guide the optimisation of the generator. Experiments conducted on MNIST, CIFAR-10, and ImageNet show the proposed algorithm can generate adversarial examples with stronger attack abilities in a shorter time. And the proposed algorithm can generate more transferable adversarial examples when attacking models with similar structures.

Yanghao Zhang,Wenjie Ruan,Fu Wang,Xiaowei Huang

DOI: https://doi.org/10.1007/s10994-023-06306-z

IF: 5.414

2023-03-24

Machine Learning

Abstract:Previous studies have shown that universal adversarial attacks can fool deep neural networks over a large set of input images with a single human-invisible perturbation. However, current methods for universal adversarial attacks are based on additive perturbation, which enables misclassification by directly adding the perturbation on the input images. In this paper, for the first time, we show that a universal adversarial attack can also be achieved through spatial transformation (non-additive). More importantly, to unify both additive and non-additive perturbations, we propose a novel unified yet flexible framework for universal adversarial attacks, called GUAP, which can initiate attacks by -norm (additive) perturbation, spatially-transformed (non-additive) perturbation, or a combination of both. Extensive experiments are conducted on two computer vision scenarios, including image classification and semantic segmentation tasks, which contain CIFAR-10, ImageNet and Cityscapes datasets with a number of different deep neural network models, including GoogLeNet, VGG16/19, ResNet101/152, DenseNet121, and FCN-8s. Empirical experiments demonstrate that GUAP can obtain higher attack success rates on these datasets compared to state-of-the-art universal adversarial attacks. In addition, we also demonstrate how universal adversarial training benefits the robustness of the model against universal attacks. We release our tool GUAP on https://github.com/TrustAI/GUAP.

computer science, artificial intelligence

Dian Zhang,Yunwei Dong,Hongji Yang

DOI: https://doi.org/10.1007/s11042-023-17355-w

IF: 2.577

2023-01-01

Multimedia Tools and Applications

Abstract:Due to the continuous development of neural network technology, it has been widely applied in fields such as autonomous driving and biomedicine. However, adversarial attacks can significantly degrade the performance and reliability of neural networks, making defending against such attacks a crucial research area. In this paper, we propose a robust U-Net and adversarial generative network-based defense method, training the target model on a clean training set without adversarial samples. Firstly, we train the target neural network on a clean training set. Then, we train the robust U-Net using the clean training set, employing reparameterization and random noise to resist adversarial perturbations. To supervise the quality of transformed images, we employ the adversarial generative network, utilizing the RU-Net as the generator and a discriminator to ensure the quality of generated images. Finally, we use the transformed images to retrain the target neural network, obtaining a robust neural network model capable of defending against adversarial attacks. Experimental evaluations on CIFAR-10 and Tiny Image Net demonstrate the effectiveness of our method in countering adversarial attacks and enhancing neural network robustness.

Jan Hendrik Metzen,Mummadi Chaithanya Kumar,Thomas Brox,Volker Fischer

DOI: https://doi.org/10.48550/arXiv.1704.05712

2017-08-01

Abstract:While deep learning is remarkably successful on perceptual tasks, it was also shown to be vulnerable to adversarial perturbations of the input. These perturbations denote noise added to the input that was generated specifically to fool the system while being quasi-imperceptible for humans. More severely, there even exist universal perturbations that are input-agnostic but fool the network on the majority of inputs. While recent work has focused on image classification, this work proposes attacks against semantic image segmentation: we present an approach for generating (universal) adversarial perturbations that make the network yield a desired target segmentation as output. We show empirically that there exist barely perceptible universal noise patterns which result in nearly the same predicted segmentation for arbitrary inputs. Furthermore, we also show the existence of universal noise which removes a target class (e.g., all pedestrians) from the segmentation while leaving the segmentation mostly unchanged otherwise.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition,Neural and Evolutionary Computing

Changming Xu,Gagandeep Singh

2023-06-06

Abstract:Universal Adversarial Perturbations (UAPs) are imperceptible, image-agnostic vectors that cause deep neural networks (DNNs) to misclassify inputs with high probability. In practical attack scenarios, adversarial perturbations may undergo transformations such as changes in pixel intensity, scaling, etc. before being added to DNN inputs. Existing methods do not create UAPs robust to these real-world transformations, thereby limiting their applicability in practical attack scenarios. In this work, we introduce and formulate UAPs robust against real-world transformations. We build an iterative algorithm using probabilistic robustness bounds and construct such UAPs robust to transformations generated by composing arbitrary sub-differentiable transformation functions. We perform an extensive evaluation on the popular CIFAR-10 and ILSVRC 2012 datasets measuring our UAPs' robustness under a wide range common, real-world transformations such as rotation, contrast changes, etc. We further show that by using a set of primitive transformations our method can generalize well to unseen transformations such as fog, JPEG compression, etc. Our results show that our method can generate UAPs up to 23% more robust than state-of-the-art baselines.

Machine Learning,Cryptography and Security

Siyu Wang,Yucheng Shi,Yahong Han

DOI: https://doi.org/10.1109/icpr.2018.8546023

2018-01-01

Abstract:Image classifiers based on deep neural networks (DNNs) are vulnerable to tiny, imperceptible perturbations. Maliciously generated adversarial examples can exploit the instability of DNNs and mislead it into outputting a wrong classification result. Prior works showed the transferability of adversarial perturbations between models and between images. In this work, we shed light on the combination of source/target misclassification, black-box attack, and universal perturbation by employing improved evolutionary algorithms. We additionally find that the use of adversarial initialization enhances the efficiency of evolutionary algorithms finding universal perturbations. Experiments demonstrate impressive misclassification rates and surprising transferability for the proposed attack method using different models trained on CIFAR-10 and CIFAR-100 datasets. Our attach method also shows robustness against defensive measures like adversarial training.

Juanjuan Weng,Zhiming Luo,Dazhen Lin,Shaozi Li

2023-06-20

Abstract:The vulnerability of Convolutional Neural Networks (CNNs) to adversarial samples has recently garnered significant attention in the machine learning community. Furthermore, recent studies have unveiled the existence of universal adversarial perturbations (UAPs) that are image-agnostic and highly transferable across different CNN models. In this survey, our primary focus revolves around the recent advancements in UAPs specifically within the image classification task. We categorize UAPs into two distinct categories, i.e., noise-based attacks and generator-based attacks, thereby providing a comprehensive overview of representative methods within each category. By presenting the computational details of these methods, we summarize various loss functions employed for learning UAPs. Furthermore, we conduct a comprehensive evaluation of different loss functions within consistent training frameworks, including noise-based and generator-based. The evaluation covers a wide range of attack settings, including black-box and white-box attacks, targeted and untargeted attacks, as well as the examination of defense mechanisms. Our quantitative evaluation results yield several important findings pertaining to the effectiveness of different loss functions, the selection of surrogate CNN models, the impact of training data and data size, and the training frameworks involved in crafting universal attackers. Finally, to further promote future research on universal adversarial attacks, we provide some visualizations of the perturbations and discuss the potential research directions.

Computer Vision and Pattern Recognition

Huijiao Wang,Ding Cai,Li Wang,Zhuo Xiong

DOI: https://doi.org/10.1109/access.2023.3335094

IF: 3.9

2023-12-01

IEEE Access

Abstract:The vulnerability of Deep Neural Networks (DNNs) to adversarial perturbations has been demonstrated in a large body of research. Compared to image-dependent adversarial perturbations, universal adversarial perturbations(UAPs) is more challenging for indiscriminately attacking the model inputs. However, there are few studies on generating data-free targeted UAPs and the targeted attack success rate of the latest method remains unsatisfactory. Not only that, fewer studies have implemented their approach on Transformers and its efficacy remains uncertain. Therefore, a novel method denoted as Denoising Targeted UAP (DT-UAP) is proposed in this paper that considers the training input as the noise, and takes the input of the last layer into calculation. Specifically, the proposed method minimizes the distance between perturbations and adversarial examples, then incorporates a targeted loss function to generate targeted universal adversarial perturbations for different DNNs and Transformers based on different proxy datasets. DT-UAP has achieved an average improvement of 5% to 10% in terms of both fooling rate and targeted fooling rate comparing to the most recent method for generating targeted universal adversarial perturbation with proxy dataset for DNNs. Additionally, DT-UAP has also achieved a targeted attack success rate of over 80% on Transformers such as MaxVit and SwinTransformer.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zheng Yuan,Jie Zhang,Zhaoyan Jiang,Liangliang Li,Shiguang Shan

DOI: https://doi.org/10.1109/tpami.2024.3367773

IF: 23.6

2024-01-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:In recent years, the security of deep learning models achieves more and more attentions with the rapid development of neural networks, which are vulnerable to adversarial examples. Almost all existing gradient-based attack methods use the sign function in the generation to meet the requirement of perturbation budget on L_∞ norm. However, we find that the sign function may be improper for generating adversarial examples since it modifies the exact gradient direction. Instead of using the sign function, we propose to directly utilize the exact gradient direction with a scaling factor for generating adversarial perturbations, which improves the attack success rates of adversarial examples even with fewer perturbations. At the same time, we also theoretically prove that this method can achieve better black-box transferability. Moreover, considering that the best scaling factor varies across different images, we propose an adaptive scaling factor generator to seek an appropriate scaling factor for each image, which avoids the computational cost for manually searching the scaling factor. Our method can be integrated with almost all existing gradient-based attack methods to further improve their attack success rates. Extensive experiments on the CIFAR10 and ImageNet datasets show that our method exhibits higher transferability and outperforms the state-of-the-art methods.

computer science, artificial intelligence,engineering, electrical & electronic

Hui Wu,Haoran Li,Jinhong Zhang,Wei Zhou,Lei Guo,Yunyun Dong

DOI: https://doi.org/10.1007/978-981-99-7356-9_25

2023-01-01

Abstract:Deep Neural Networks (DNNs) are suffering from adversarial attacks, where some imperceptible perturbations are added into examples and cause incorrect predictions. Generally, there are two types of adversarial attack methods, i.e., image-dependent and image agnostic. As for the first one, Image-dependent attacks involve crafting unique adversarial perturbations for each clean example. As for the latter case, image-agnostic attacks create a universal adversarial perturbation (UAP) that can fool the target model for all clean examples. However, existing UAP methods only utilize the output of the target DNNs within a limited magnitude, resulting in an ineffective application of UAP to the entire feature extraction process of the DNNs. In this paper, we consider the difference between the mid-level features of the clean example and their corresponding adversarial example in the different intermediate layers of target DNN. Specifically, we maximize the impact of the adversarial examples in the forward propagation process by pulling apart the feature representations of the clean and adversarial examples. Moreover, to achieve targeted and non-targeted attacks, we design a loss function that highlights the UAP feature representation to guide the direction of perturbations in the feature layers. Furthermore, to reduce the training time and training parameters, we adopt a direct optimization approach to craft UAPs and experimentally demonstrate that we can achieve a higher fooling rate with fewer examples. Extensive experimental results show that our approach outperforms state-of-the-art methods in both non-targeted and targeted universal attacks.

Donghua Wang,Wen Yao,Tingsong Jiang,Xiaoqian Chen

DOI: https://doi.org/10.1109/tip.2023.3345136

IF: 10.6

2023-01-01

IEEE Transactions on Image Processing

Abstract:Deep neural networks (DNNs) are shown to be vulnerable to universal adversarial perturbations (UAP), a single quasi-imperceptible perturbation that deceives the DNNs on most input images. The current UAP methods can be divided into data-dependent and data-independent methods. The former exhibits weak transferability in black-box models due to overly relying on model-specific features. The latter shows inferior attack performance in white-box models as it fails to exploit the model's response information to benign images. To address the above issues, this paper proposes a novel universal adversarial attack to generate UAP with strong transferability by disrupting the model-agnostic features (e.g., edges or simple texture), which are invariant to the models. Specifically, we first devise an objective function to weaken the significant channel-wise features and strengthen the less significant channel-wise features, which are partitioned by the designed strategy. Furthermore, the proposed objective function eliminates the dependency on labeled samples, allowing us to utilize out-of-distribution (OOD) data to train UAP. To enhance the attack performance with limited training samples, we exploit the average gradient of the mini-batch input to update the UAP iteratively, which encourages the UAP to capture the local information inside the mini-batch input. In addition, we introduce the momentum term to accumulate the gradient information at each iterative step for the purpose of perceiving the global information over the training set. Finally, extensive experimental results demonstrate that the proposed methods outperform the existing UAP approaches. Additionally, we exhaustively investigate the transferability of the UAP across models, datasets, and tasks.

Yier Wei,Haichang Gao,Yufei Wang,Huan Liu,Yipeng Gao,Sainan Luo,Qianwen Guo

DOI: https://doi.org/10.1007/978-3-031-44192-9_16

2023-01-01

Abstract:Deep neural networks have been proven to be vulnerable to adversarial attacks. The early attacks mostly involved image-specific approaches that generated specific adversarial noises for each individual image. More recent studies have further demonstrated that neural networks can also be fooled by image-agnostic noises, called “universal adversarial perturbation”. However, the current universal adversarial attacks mainly focus on untargeted attacks and exhibit poor transferability. In this paper, we propose TransNoise, a new approach for implementing a transferable universal adversarial attack that involves modifying only a few pixels of the image. Our approach achieves state-of-art success rates in the universal adversarial attack domain for both targeted and nontarget settings. The experimental results demonstrate that our method outperforms the current methods from three aspects of universality: 1) by adding our universal adversarial noises to different images, the fooling rates of our method on the target model are almost all above 95%; 2) when no training data are available for the targeted model, our method is still able to implement targeted attacks; 3) the method transfers well across different models in the untargeted setting.

Jiazhu Dai,Le Shu

DOI: https://doi.org/10.48550/arXiv.1911.01172

2020-01-06

Abstract:Convolutional neural networks (CNN) have become one of the most popular machine learning tools and are being applied in various tasks, however, CNN models are vulnerable to universal perturbations, which are usually human-imperceptible but can cause natural images to be misclassified with high probability. One of the state-of-the-art algorithms to generate universal perturbations is known as UAP. UAP only aggregates the minimal perturbations in every iteration, which will lead to generated universal perturbation whose magnitude cannot rise up efficiently and cause a slow generation. In this paper, we proposed an optimized algorithm to improve the performance of crafting universal perturbations based on orientation of perturbation vectors. At each iteration, instead of choosing minimal perturbation vector with respect to each image, we aggregate the current instance of universal perturbation with the perturbation which has similar orientation to the former so that the magnitude of the aggregation will rise up as large as possible at every iteration. The experiment results show that we get universal perturbations in a shorter time and with a smaller number of training images. Furthermore, we observe in experiments that universal perturbations generated by our proposed algorithm have an average increment of fooling rate by 9% in white-box attacks and black-box attacks comparing with universal perturbations generated by UAP.

Machine Learning

Hong Liu,Rongrong Ji,Jie Li,Baochang Zhang,Yue Gao,Yongjian Wu,Feiyue Huang

DOI: https://doi.org/10.1109/iccv.2019.00303

2019-01-01

Abstract:Deep learning models have shown their vulnerabilities to universal adversarial perturbations (UAP), which are quasi-imperceptible. Compared to the conventional supervised UAPs that suffer from the knowledge of training data, the data-independent unsupervised UAPs are more applicable. Existing unsupervised methods fail to take advantage of the model uncertainty to produce robust perturbations. In this paper, we propose a new unsupervised universal adversarial perturbation method, termed as Prior Driven Uncertainty Approximation (PD-UA), to generate a robust UAP by fully exploiting the model uncertainty at each network layer. Specifically, a Monte Carlo sampling method is deployed to activate more neurons to increase the model uncertainty for a better adversarial perturbation. Thereafter, a textural bias prior to revealing a statistical uncertainty is proposed, which helps to improve the attacking performance. The UAP is crafted by the stochastic gradient descent algorithm with a boosted momentum optimizer, and a Laplacian pyramid frequency model is finally used to maintain the statistical uncertainty. Extensive experiments demonstrate that our method achieves well attacking performances on the ImageNet validation set, and significantly improves the fooling rate compared with the state-of-the-art methods.

Huili Luo,Zhaoquan Gu,Chunajing Zhang,Le Wang,Shuhao Li,Zhiqin Chen

DOI: https://doi.org/10.1109/DSC53577.2021.00032

2021-01-01

Abstract:Rapid advancement in deep neural networks (DNNs) has enhanced the prospect of image classification technologies like facial recognition. The emergence of adversarial examples, however, revealed the vulnerability of DNNs. A large number of attack methods have been proposed against DNNs and these methods can be divided into two types: targeted attacks and untargeted attacks. Specifically, targeted attacks misclassify the detection object into a specified target, whereas untargeted attacks only aim to lead the classifier (a DNN classifier, for instance) to misclassification of the object by adding adversarial examples. Most adversarial attack methods add different perturbations to different images, which is costly and inefficient. In this paper, we explore a universal targeted attack method against image classification, in which a universal perturbation is fabricated and added to all images to generate adversarial examples. These generated adversarial examples are classified by the classifier as a specified target with high probability. Through black-box and white-box attack experiments against the ResNet model on both CIFAR 10 and CIFAR100 datasets, we verified the effectiveness of our method.