Philipp Benz,Chaoning Zhang,Tooba Imtiaz,In So Kweon

DOI: https://doi.org/10.48550/arXiv.2010.03288

2020-10-07

Abstract:Despite their impressive performance, deep neural networks (DNNs) are widely known to be vulnerable to adversarial attacks, which makes it challenging for them to be deployed in security-sensitive applications, such as autonomous driving. Image-dependent perturbations can fool a network for one specific image, while universal adversarial perturbations are capable of fooling a network for samples from all classes without selection. We introduce a double targeted universal adversarial perturbations (DT-UAPs) to bridge the gap between the instance-discriminative image-dependent perturbations and the generic universal perturbations. This universal perturbation attacks one targeted source class to sink class, while having a limited adversarial effect on other non-targeted source classes, for avoiding raising suspicions. Targeting the source and sink class simultaneously, we term it double targeted attack (DTA). This provides an attacker with the freedom to perform precise attacks on a DNN model while raising little suspicion. We show the effectiveness of the proposed DTA algorithm on a wide range of datasets and also demonstrate its potential as a physical attack.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Donghua Wang,Wen Yao,Tingsong Jiang,Xiaoqian Chen

DOI: https://doi.org/10.1109/tip.2023.3345136

IF: 10.6

2023-01-01

IEEE Transactions on Image Processing

Abstract:Deep neural networks (DNNs) are shown to be vulnerable to universal adversarial perturbations (UAP), a single quasi-imperceptible perturbation that deceives the DNNs on most input images. The current UAP methods can be divided into data-dependent and data-independent methods. The former exhibits weak transferability in black-box models due to overly relying on model-specific features. The latter shows inferior attack performance in white-box models as it fails to exploit the model's response information to benign images. To address the above issues, this paper proposes a novel universal adversarial attack to generate UAP with strong transferability by disrupting the model-agnostic features (e.g., edges or simple texture), which are invariant to the models. Specifically, we first devise an objective function to weaken the significant channel-wise features and strengthen the less significant channel-wise features, which are partitioned by the designed strategy. Furthermore, the proposed objective function eliminates the dependency on labeled samples, allowing us to utilize out-of-distribution (OOD) data to train UAP. To enhance the attack performance with limited training samples, we exploit the average gradient of the mini-batch input to update the UAP iteratively, which encourages the UAP to capture the local information inside the mini-batch input. In addition, we introduce the momentum term to accumulate the gradient information at each iterative step for the purpose of perceiving the global information over the training set. Finally, extensive experimental results demonstrate that the proposed methods outperform the existing UAP approaches. Additionally, we exhaustively investigate the transferability of the UAP across models, datasets, and tasks.

Zifei Wang,Xiaolin Huang,Jie Yang,Nikola K. Kasabov

DOI: https://doi.org/10.1109/is48319.2020.9199956

2020-01-01

Abstract:The vulnerability of Deep Neural Networks (DNNs) to adversarial attacks has become an important research area of machine learning. It has been known that many state-of-the-art DNNs suffer the risk of universal adversarial perturbations, which are image-agnostic and able to lead misclassifications with high probability. In this paper, we propose a novel method to create such universal adversarial perturbations. Our approach is the first to generate universal perturbations by attacking the attention heat maps with the interpretation method, Layer-wise Relevance Propagation. It is demonstrated that our method achieves high fooling ratios on image classification DNNs pre-trained by ImageNet dataset. Moreover, our attack shows good transferability across different DNNs.

Geunhyeok Yu,Minwoo Jeon,Hyoseok Hwang

2023-08-14

Abstract:The susceptibility of deep neural networks (DNNs) to adversarial examples has prompted an increase in the deployment of adversarial attacks. Image-agnostic universal adversarial perturbations (UAPs) are much more threatening, but many limitations exist to implementing UAPs in real-world scenarios where only binary decisions are returned. In this research, we propose Decision-BADGE, a novel method to craft universal adversarial perturbations for executing decision-based black-box attacks. To optimize perturbation with decisions, we addressed two challenges, namely the magnitude and the direction of the gradient. First, we use batch loss, differences from distributions of ground truth, and accumulating decisions in batches to determine the magnitude of the gradient. This magnitude is applied in the direction of the revised simultaneous perturbation stochastic approximation (SPSA) to update the perturbation. This simple yet efficient method can be easily extended to score-based attacks as well as targeted attacks. Experimental validation across multiple victim models demonstrates that the Decision-BADGE outperforms existing attack methods, even image-specific and score-based attacks. In particular, our proposed method shows a superior success rate with less training time. The research also shows that Decision-BADGE can successfully deceive unseen victim models and accurately target specific classes.

Computer Vision and Pattern Recognition

Juanjuan Weng,Zhiming Luo,Dazhen Lin,Shaozi Li

2023-06-20

Abstract:The vulnerability of Convolutional Neural Networks (CNNs) to adversarial samples has recently garnered significant attention in the machine learning community. Furthermore, recent studies have unveiled the existence of universal adversarial perturbations (UAPs) that are image-agnostic and highly transferable across different CNN models. In this survey, our primary focus revolves around the recent advancements in UAPs specifically within the image classification task. We categorize UAPs into two distinct categories, i.e., noise-based attacks and generator-based attacks, thereby providing a comprehensive overview of representative methods within each category. By presenting the computational details of these methods, we summarize various loss functions employed for learning UAPs. Furthermore, we conduct a comprehensive evaluation of different loss functions within consistent training frameworks, including noise-based and generator-based. The evaluation covers a wide range of attack settings, including black-box and white-box attacks, targeted and untargeted attacks, as well as the examination of defense mechanisms. Our quantitative evaluation results yield several important findings pertaining to the effectiveness of different loss functions, the selection of surrogate CNN models, the impact of training data and data size, and the training frameworks involved in crafting universal attackers. Finally, to further promote future research on universal adversarial attacks, we provide some visualizations of the perturbations and discuss the potential research directions.

Computer Vision and Pattern Recognition

Huili Luo,Zhaoquan Gu,Chunajing Zhang,Le Wang,Shuhao Li,Zhiqin Chen

DOI: https://doi.org/10.1109/DSC53577.2021.00032

2021-01-01

Abstract:Rapid advancement in deep neural networks (DNNs) has enhanced the prospect of image classification technologies like facial recognition. The emergence of adversarial examples, however, revealed the vulnerability of DNNs. A large number of attack methods have been proposed against DNNs and these methods can be divided into two types: targeted attacks and untargeted attacks. Specifically, targeted attacks misclassify the detection object into a specified target, whereas untargeted attacks only aim to lead the classifier (a DNN classifier, for instance) to misclassification of the object by adding adversarial examples. Most adversarial attack methods add different perturbations to different images, which is costly and inefficient. In this paper, we explore a universal targeted attack method against image classification, in which a universal perturbation is fabricated and added to all images to generate adversarial examples. These generated adversarial examples are classified by the classifier as a specified target with high probability. Through black-box and white-box attack experiments against the ResNet model on both CIFAR 10 and CIFAR100 datasets, we verified the effectiveness of our method.

Ningping Mou,Binqing Guo,Lingchen Zhao,Cong Wang,Yue Zhao,Qian Wang

DOI: https://doi.org/10.1109/tifs.2024.3478828

IF: 7.231

2024-10-30

IEEE Transactions on Information Forensics and Security

Abstract:Recent advancements in adversarial attack research have seen a transition from white-box to black-box and even no-box threat models, greatly enhancing the practicality of these attacks. However, existing no-box attacks focus on instance-specific perturbations, leaving more powerful universal adversarial perturbations (UAPs) unexplored. This study addresses a crucial question: can UAPs be generated under a no-box threat model? Our findings provide an affirmative answer with a texture-based method. Artificially crafted textures can act as UAPs, termed Texture-Adv. With a modest density and a fixed budget for perturbations, it can achieve an attack success rate of 80% under the constraint of = 10/255. In addition, Texture-Adv can also take effect under traditional black-box threat models. Building upon a phenomenon associated with dominant labels, we utilize Texture-Adv to develop a highly efficient decision-based attack strategy, named Adv-Pool. This approach creates and traverses a set of Texture-Adv instances with diverse classification distributions, significantly reducing the average query budget to less than 1.3, which is near the 1-query lower bound for decision-based attacks. Moreover, we empirically demonstrate that Texture-Adv, when used as a starting point, can enhance the success rates of existing transfer attacks and the efficiency of decision-based attacks. The discovery suggests its potential as an effective starting point for various adversarial attacks while preserving the original constraints of their threat models.

computer science, theory & methods,engineering, electrical & electronic

Chaoning Zhang,Philipp Benz,Chenguo Lin,Adil Karjauv,Jing Wu,In So Kweon

DOI: https://doi.org/10.24963/ijcai.2021/635

2021-08-01

Abstract:The intriguing phenomenon of adversarial examples has attracted significant attention in machine learning and what might be more surprising to the community is the existence of universal adversarial perturbations (UAPs), i.e. a single perturbation to fool the target DNN for most images. With the focus on UAP against deep classifiers, this survey summarizes the recent progress on universal adversarial attacks, discussing the challenges from both the attack and defense sides, as well as the reason for the existence of UAP. We aim to extend this work as a dynamic survey that will regularly update its content to follow new works regarding UAP or universal attack in a wide range of domains, such as image, audio, video, text, etc. Relevant updates will be discussed at: https://bit.ly/2SbQlLG. We welcome authors of future works in this field to contact us for including your new findings.

Siyu Wang,Yucheng Shi,Yahong Han

DOI: https://doi.org/10.1109/icpr.2018.8546023

2018-01-01

Abstract:Image classifiers based on deep neural networks (DNNs) are vulnerable to tiny, imperceptible perturbations. Maliciously generated adversarial examples can exploit the instability of DNNs and mislead it into outputting a wrong classification result. Prior works showed the transferability of adversarial perturbations between models and between images. In this work, we shed light on the combination of source/target misclassification, black-box attack, and universal perturbation by employing improved evolutionary algorithms. We additionally find that the use of adversarial initialization enhances the efficiency of evolutionary algorithms finding universal perturbations. Experiments demonstrate impressive misclassification rates and surprising transferability for the proposed attack method using different models trained on CIFAR-10 and CIFAR-100 datasets. Our attach method also shows robustness against defensive measures like adversarial training.

Hong Liu,Rongrong Ji,Jie Li,Baochang Zhang,Yue Gao,Yongjian Wu,Feiyue Huang

DOI: https://doi.org/10.1109/iccv.2019.00303

2019-01-01

Abstract:Deep learning models have shown their vulnerabilities to universal adversarial perturbations (UAP), which are quasi-imperceptible. Compared to the conventional supervised UAPs that suffer from the knowledge of training data, the data-independent unsupervised UAPs are more applicable. Existing unsupervised methods fail to take advantage of the model uncertainty to produce robust perturbations. In this paper, we propose a new unsupervised universal adversarial perturbation method, termed as Prior Driven Uncertainty Approximation (PD-UA), to generate a robust UAP by fully exploiting the model uncertainty at each network layer. Specifically, a Monte Carlo sampling method is deployed to activate more neurons to increase the model uncertainty for a better adversarial perturbation. Thereafter, a textural bias prior to revealing a statistical uncertainty is proposed, which helps to improve the attacking performance. The UAP is crafted by the stochastic gradient descent algorithm with a boosted momentum optimizer, and a Laplacian pyramid frequency model is finally used to maintain the statistical uncertainty. Extensive experiments demonstrate that our method achieves well attacking performances on the ImageNet validation set, and significantly improves the fooling rate compared with the state-of-the-art methods.

Huijiao Wang,Ding Cai,Li Wang,Zhuo Xiong

DOI: https://doi.org/10.1109/access.2023.3335094

IF: 3.9

2023-12-01

IEEE Access

Abstract:The vulnerability of Deep Neural Networks (DNNs) to adversarial perturbations has been demonstrated in a large body of research. Compared to image-dependent adversarial perturbations, universal adversarial perturbations(UAPs) is more challenging for indiscriminately attacking the model inputs. However, there are few studies on generating data-free targeted UAPs and the targeted attack success rate of the latest method remains unsatisfactory. Not only that, fewer studies have implemented their approach on Transformers and its efficacy remains uncertain. Therefore, a novel method denoted as Denoising Targeted UAP (DT-UAP) is proposed in this paper that considers the training input as the noise, and takes the input of the last layer into calculation. Specifically, the proposed method minimizes the distance between perturbations and adversarial examples, then incorporates a targeted loss function to generate targeted universal adversarial perturbations for different DNNs and Transformers based on different proxy datasets. DT-UAP has achieved an average improvement of 5% to 10% in terms of both fooling rate and targeted fooling rate comparing to the most recent method for generating targeted universal adversarial perturbation with proxy dataset for DNNs. Additionally, DT-UAP has also achieved a targeted attack success rate of over 80% on Transformers such as MaxVit and SwinTransformer.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yi Ding,Fuyuan Tan,Ji Geng,Zhen Qin,Mingsheng Cao,Kim-Kwang Raymond Choo,Zhiguang Qin

DOI: https://doi.org/10.1109/tdsc.2022.3202544

2023-01-01

Abstract:Mitigating adversarial deep learning attacks remains challenging, partly because of the ease and low cost in carrying out such attacks. Therefore, in this article, we focus on the understanding of universal adversarial example attack on image classification models. Specifically, we seek to understand the difference(s) between adversarial examples in two adversarial datasets (DAmageNet and PGD dataset) and clean examples in ImageNet learned by the classification model, and whether we can use such findings to resist adversarial example attacks. We also seek to determine if we can retrain a discriminator to discriminate whether the input image is an adversarial example, using adversarial training. We then design a number of experiments (e.g., class activation map (CAM) analysis, feature map analysis, feature maps/filters changing, adversarial training, and binary classification model) to help us determine whether the universal adversarial dataset can be successfully used to attack the classification model. This, in turn, contributes to a better understanding of adversarial defenses over pretrained classification model from an interpretation perspective. To the best of our knowledge, this work is one of the earliest works to systematically investigate the interpretation of universal adversarial example attack on image classification models, both visually and quantitatively.

Shangyu Xie,Han Wang,Yu Kong,Yuan Hong

DOI: https://doi.org/10.48550/arXiv.2107.04284

2021-08-14

Abstract:Widely deployed deep neural network (DNN) models have been proven to be vulnerable to adversarial perturbations in many applications (e.g., image, audio and text classifications). To date, there are only a few adversarial perturbations proposed to deviate the DNN models in video recognition systems by simply injecting 2D perturbations into video frames. However, such attacks may overly perturb the videos without learning the spatio-temporal features (across temporal frames), which are commonly extracted by DNN models for video recognition. To our best knowledge, we propose the first black-box attack framework that generates universal 3-dimensional (U3D) perturbations to subvert a variety of video recognition systems. U3D has many advantages, such as (1) as the transfer-based attack, U3D can universally attack multiple DNN models for video recognition without accessing to the target DNN model; (2) the high transferability of U3D makes such universal black-box attack easy-to-launch, which can be further enhanced by integrating queries over the target model when necessary; (3) U3D ensures human-imperceptibility; (4) U3D can bypass the existing state-of-the-art defense schemes; (5) U3D can be efficiently generated with a few pre-learned parameters, and then immediately injected to attack real-time DNN-based video recognition systems. We have conducted extensive experiments to evaluate U3D on multiple DNN models and three large-scale video datasets. The experimental results demonstrate its superiority and practicality.

Cryptography and Security

Maosen Li,Yanhua Yang,Kun Wei,Xu Yang,Heng Huang

DOI: https://doi.org/10.1609/aaai.v36i2.20023

2022-06-28

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Deep learning models have shown to be susceptible to universal adversarial perturbation (UAP), which has aroused wide concerns in the community. Compared with the conventional adversarial attacks that generate adversarial samples at the instance level, UAP can fool the target model for different instances with only a single perturbation, enabling us to evaluate the robustness of the model from a more effective and accurate perspective. The existing universal attack methods fail to exploit the differences and connections between the instance and universal levels to produce dominant perturbations. To address this challenge, we propose a new universal attack method that unifies instance-specific and universal attacks from a feature perspective to generate a more dominant UAP. Specifically, we reformulate the UAP generation task as a minimax optimization problem and then utilize the instance-specific attack method to solve the minimization problem thereby obtaining better training data for generating UAP. At the same time, we also introduce a consistency regularizer to explore the relationship between training data, thus further improving the dominance of the generated UAP. Furthermore, our method is generic with no additional assumptions about the training data and hence can be applied to both data-dependent (supervised) and data-independent (unsupervised) manners. Extensive experiments demonstrate that the proposed method improves the performance by a significant margin over the existing methods in both data-dependent and data-independent settings. Code is available at https://github.com/lisenxd/AT-UAP.

Yufei Song,Ziqi Zhou,Minghui Li,Xianlong Wang,Menghao Deng,Wei Wan,Shengshan Hu,Leo Yu Zhang

2024-12-21

Abstract:With the rapid advancement of deep learning, the model robustness has become a significant research hotspot, \ie, adversarial attacks on deep neural networks. Existing works primarily focus on image classification tasks, aiming to alter the model's predicted labels. Due to the output complexity and deeper network architectures, research on adversarial examples for segmentation models is still limited, particularly for universal adversarial perturbations. In this paper, we propose a novel universal adversarial attack method designed for segmentation models, which includes dual feature separation and low-frequency scattering modules. The two modules guide the training of adversarial examples in the pixel and frequency space, respectively. Experiments demonstrate that our method achieves high attack success rates surpassing the state-of-the-art methods, and exhibits strong transferability across different models.

Computer Vision and Pattern Recognition,Artificial Intelligence

Yuhang Zhao,Kunqing Wang,Yuan Xue,Quanxin Zhang,Xiaosong Zhang

DOI: https://doi.org/10.1007/978-3-030-34139-8_7

2019-01-01

Abstract:With the continuous development of deep neural networks (DNNs), it has become the main means of solving problems in the field of computer vision. However, recent research has shown that deep neural networks are vulnerable to well-designed adversarial examples. In this paper, we used a deep neural network to generate adversarial examples to attack black-box object detectors. We trained a generation network to produce universal perturbations, achieving a cross-task attack against black-box object detectors. We demonstrated the feasibility of task-generalizable attacks. Our attack generated efficient universal perturbations on classifiers then attack object detectors. We proved the effectiveness of our attack on two representative object detectors: Faster R-CNN based on proposal and regression-based YOLOv3.

Jian Xu,Heng Liu,Dexin Wu,Fucai Zhou,Chong-zhi Gao,Linzhi Jiang

DOI: https://doi.org/10.1016/j.ins.2020.05.099

IF: 8.1

2020-01-01

Information Sciences

Abstract:Adversarial machine learning, as a research area, has received a great deal of attention in recent years. Much of this attention has been devoted to a phenomenon called adversarial perturbation, which is human-imperceptible and can be used to craft adversarial examples. The deep neural networks are vulnerable to adversarial examples, which raises security concerns on learning algorithms due to the potentially severe consequences. It was shown there exist universal perturbations that are image-agnostic can fool the network when added to the majority of images. Since different attack strategies proposed for generating universal perturbation are still suffering from attack success rate, attack efficiency, and transferability. In this paper, we design an attack framework that uses a residual network (ResNet) to create universal perturbation. We introduce a trainable residual network generator that converts random noise into universal adversarial perturbation, which can be used to efficiently generate perturbations for any instance after being trained. Unlike traditional methods, moreover, we use a loss network to guarantee the similarity of images in content. The new generator structure and objective function make our method achieve better attack results than the existing methods. A variety of experiments conducted on the CIFAR-10 dataset reveal that our proposed attack framework constitutes an advance in the creation of universal adversarial perturbation, as it can achieve a success rate of 89%, which outperforms the similar methods, along with low perturbation norms.

Zhuo Leng,Zesen Cheng,Pengxu Wei,Jie Chen

DOI: https://doi.org/10.1007/978-981-99-8555-5_22

2024-01-01

Abstract:Deep neural networks have been demonstrated to be vulnerable to adversarial noise from attacks. Compared with white-box attacks, black-box attacks fool deep neural networks to yield erroneous predictions without knowing the model parameters. Black-box attacks include query-based attacks and transfer-based attacks; the former rely on querying the model while the latter just rely on the transferability of adversarial examples, thus challenging. Existing transfer-based black-box adversarial attack methods focus on the image classification task. Especially, we empirically verify that those methods struggle to balance the attack on objects with different classes and sizes, and thus they perform poorly in the attack on object detectors. In this work, we propose an Object-Aware mechanism to address this issue. It includes Object-Wise Gradient (OWG) calculation to balance the attack on multiple objects and a Domain-Division Map (DDM) to weigh the attack in size. Incorporating our method with seminal baselines (e.g., I-FGSM, MI-FGSM), we achieve superior attack performance on multiple object detectors (e.g., Faster R-CNN, DETR, SSD), which justifies the effectiveness and generality of our method.

Hui Wu,Haoran Li,Jinhong Zhang,Wei Zhou,Lei Guo,Yunyun Dong

DOI: https://doi.org/10.1007/978-981-99-7356-9_25

2023-01-01

Abstract:Deep Neural Networks (DNNs) are suffering from adversarial attacks, where some imperceptible perturbations are added into examples and cause incorrect predictions. Generally, there are two types of adversarial attack methods, i.e., image-dependent and image agnostic. As for the first one, Image-dependent attacks involve crafting unique adversarial perturbations for each clean example. As for the latter case, image-agnostic attacks create a universal adversarial perturbation (UAP) that can fool the target model for all clean examples. However, existing UAP methods only utilize the output of the target DNNs within a limited magnitude, resulting in an ineffective application of UAP to the entire feature extraction process of the DNNs. In this paper, we consider the difference between the mid-level features of the clean example and their corresponding adversarial example in the different intermediate layers of target DNN. Specifically, we maximize the impact of the adversarial examples in the forward propagation process by pulling apart the feature representations of the clean and adversarial examples. Moreover, to achieve targeted and non-targeted attacks, we design a loss function that highlights the UAP feature representation to guide the direction of perturbations in the feature layers. Furthermore, to reduce the training time and training parameters, we adopt a direct optimization approach to craft UAPs and experimentally demonstrate that we can achieve a higher fooling rate with fewer examples. Extensive experimental results show that our approach outperforms state-of-the-art methods in both non-targeted and targeted universal attacks.

Zhaoyu Chen,Bo Li,Shuang Wu,Shouhong Ding,Wenqiang Zhang

2023-07-02

Abstract:Deep neural networks (DNNs) have been showed to be highly vulnerable to imperceptible adversarial perturbations. As a complementary type of adversary, patch attacks that introduce perceptible perturbations to the images have attracted the interest of researchers. Existing patch attacks rely on the architecture of the model or the probabilities of predictions and perform poorly in the decision-based setting, which can still construct a perturbation with the minimal information exposed -- the top-1 predicted label. In this work, we first explore the decision-based patch attack. To enhance the attack efficiency, we model the patches using paired key-points and use targeted images as the initialization of patches, and parameter optimizations are all performed on the integer domain. Then, we propose a differential evolutionary algorithm named DevoPatch for query-efficient decision-based patch attacks. Experiments demonstrate that DevoPatch outperforms the state-of-the-art black-box patch attacks in terms of patch area and attack success rate within a given query budget on image classification and face verification. Additionally, we conduct the vulnerability evaluation of ViT and MLP on image classification in the decision-based patch attack setting for the first time. Using DevoPatch, we can evaluate the robustness of models to black-box patch attacks. We believe this method could inspire the design and deployment of robust vision models based on various DNN architectures in the future.

Computer Vision and Pattern Recognition,Cryptography and Security