Yushun Xie,Zhaoquan Gu,Xiaopeng Fu,Le Wang,Weihong Han,Yuexuan Wang

DOI: https://doi.org/10.1109/ithings-greencom-cpscom-smartdata-cybermatics50389.2020.00103

2020-01-01

Abstract:Deep neural networks are vulnerable to the adversarial examples that are generated by adding small perturbations to the original inputs. Similarly, traditional machine learning models such as logistic regression and support vector machine are also threatened by such carefully generated adversarial examples. In this paper, we study the adversarial texts that could mislead the sentiment analysis of traditional machine learning models. We present the Ensemble Word Addition (EWA) algorithm, which filters out a small number of words that have large attack ability and these words are added at the end of the original text. By extensive experiments, we show that the generated adversarial texts could fool some traditional machine learning models with a very high confidence, but they cannot affect human's judgment. The experimental results show that the proposed algorithm has a powerful attack ability to misleading the sentiment analysis, specifically the attack success rate could reach above 95% by only adding 4.6% words.

Naufal Suryanto,Hyoeun Kang,Yongsu Kim,Youngyeo Yun,Harashta Tatimma Larasati,Howon Kim

DOI: https://doi.org/10.3390/s20247158

IF: 3.9

2020-12-14

Sensors

Abstract:Adversarial attack techniques in deep learning have been studied extensively due to its stealthiness to human eyes and potentially dangerous consequences when applied to real-life applications. However, current attack methods in black-box settings mainly employ a large number of queries for crafting their adversarial examples, hence making them very likely to be detected and responded by the target system (e.g., artificial intelligence (AI) service provider) due to its high traffic volume. A recent proposal able to address the large query problem utilizes a gradient-free approach based on Particle Swarm Optimization (PSO) algorithm. Unfortunately, this original approach tends to have a low attack success rate, possibly due to the model’s difficulty of escaping local optima. This obstacle can be overcome by employing a multi-group approach for PSO algorithm, by which the PSO particles can be redistributed, preventing them from being trapped in local optima. In this paper, we present a black-box adversarial attack which can significantly increase the success rate of PSO-based attack while maintaining a low number of query by launching the attack in a distributed manner. Attacks are executed from multiple nodes, disseminating queries among the nodes, hence reducing the possibility of being recognized by the target system while also increasing scalability. Furthermore, we utilize Multi-Group PSO with Random Redistribution (MGRR-PSO) for perturbation generation, performing better than the original approach against local optima, thus achieving a higher success rate. Additionally, we propose to efficiently remove excessive perturbation (i.e, perturbation pruning) by utilizing again the MGRR-PSO rather than a standard iterative method as used in the original approach. We perform five different experiments: comparing our attack’s performance with existing algorithms, testing in high-dimensional space in ImageNet dataset, examining our hyperparameters (i.e., particle size, number of clients, search boundary), and testing on real digital attack to Google Cloud Vision. Our attack proves to obtain a 100% success rate on MNIST and CIFAR-10 datasets and able to successfully fool Google Cloud Vision as a proof of the real digital attack by maintaining a lower query and wide applicability.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Elie Alhajjar,Paul Maxwell,Nathaniel Bastian

DOI: https://doi.org/10.1016/j.eswa.2021.115782

IF: 8.5

2021-12-01

Expert Systems with Applications

Abstract:Adversarial examples are inputs to a machine learning system intentionally crafted by an attacker to fool the model into producing an incorrect output. These examples have achieved a great deal of success in several domains such as image recognition, speech recognition and spam detection. In this paper, we study the nature of the adversarial problem in Network Intrusion Detection Systems (NIDS). We focus on the attack perspective, which includes techniques to generate adversarial examples capable of evading a variety of machine learning models. More specifically, we explore the use of evolutionary computation (particle swarm optimization and genetic algorithm) and deep learning (generative adversarial networks) as tools for adversarial example generation. To assess the performance of these algorithms in evading a NIDS, we apply them to two publicly available data sets, namely the NSL-KDD and UNSW-NB15, and we contrast them to a baseline perturbation method: Monte Carlo simulation. The results show that our adversarial example generation techniques cause high misclassification rates in eleven different machine learning models, along with a voting classifier. Our work highlights the vulnerability of machine learning based NIDS in the face of adversarial perturbation.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Wei Jiang,Shen You,Jinyu Zhan,Xupeng Wang,Hong Lei,Deepak Adhikari

DOI: https://doi.org/10.1109/tevc.2022.3231460

IF: 16.497

2022-01-01

IEEE Transactions on Evolutionary Computation

Abstract:Due to the inherent vulnerability of deep neural networks (DNNs), the adversarial example (AE) attack has become a serious threat to intelligent systems, e.g., the failure cause of an image classification system. Different to existing works, in this article we are interested in the generation of AEs for DNNs with defensive mechanisms. To make the attack more practical, we exploit a query-based method to generate image AEs in a black-box attack setting. Considering that the generation of AEs is inherently a constrained optimization problem, this article first formulates three objectives regarding defensive DNNs, i.e., attack effectiveness, attack evasiveness and attack coverage. Then, this article proposes a query-efficient AE attack based on the genetic algorithm (GA) and particle swarm optimization (PSO) to address the perturbation optimization problem. To improve the efficiency of search and query, AE-specific operators including block-level and pixel-level crossovers, discrete perturbation mutation and direction-driven reproduction are designed within the GA-based search framework. In addition, predication-based adaptation of reproduction-related parameters is implemented to speed up the search convergence. PSO-based jumping process is further devised to avoid stuck in local optimum. Benchmark-based experiments evaluated the efficiency of our method, which can achieve an attack success rate of 100% with averagely 52.95% reduced queries in contrast to existing black-box attacks on nondefensive models. For defensive DNN models, our method can obtain top attack performance with the query reduction up to 70.92% comparing with the candidates.

computer science, artificial intelligence, theory & methods

Battista Biggio,Blaine Nelson,Pavel Laskov

DOI: https://doi.org/10.48550/arXiv.1206.6389

2013-03-25

Abstract:We investigate a family of poisoning attacks against Support Vector Machines (SVM). Such attacks inject specially crafted training data that increases the SVM's test error. Central to the motivation for these attacks is the fact that most learning algorithms assume that their training data comes from a natural or well-behaved distribution. However, this assumption does not generally hold in security-sensitive settings. As we demonstrate, an intelligent adversary can, to some extent, predict the change of the SVM's decision function due to malicious input and use this ability to construct malicious data. The proposed attack uses a gradient ascent strategy in which the gradient is computed based on properties of the SVM's optimal solution. This method can be kernelized and enables the attack to be constructed in the input space even for non-linear kernels. We experimentally demonstrate that our gradient ascent procedure reliably identifies good local maxima of the non-convex validation error surface, which significantly increases the classifier's test error.

Machine Learning,Cryptography and Security

Jiming Chen,Xiangshan Gao,Ruilong Deng,Yang He,Chongrong Fang,Peng Cheng

DOI: https://doi.org/10.1109/tdsc.2020.3037500

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Deploying machine learning (ML)-based intrusion detection systems (IDS) is an effective way to improve the security of industrial control systems (ICS). However, ML models themselves are vulnerable to adversarial examples, generated by deliberately adding subtle perturbation to the input sample that some people are not aware of, causing the model to give a false output with high confidence. In this article, our goal is to investigate the possibility of stealthy cyber attacks towards IDS, including injection attack, function code attack and reconnaissance attack, and enhance its robustness to adversarial attack. However, adversarial algorithms are subject to communication protocol and legal range of data in ICS, unlike only limited by the distance between original samples and newly generated samples in image domain. We propose two strategies - optimal solution attack and GAN attack - oriented to flexibility and volume of data, formulating an optimization problem to find stealthy attacks, where the former is appropriate for not too large and more flexible samples while the latter provides a more efficient solution for larger and not too flexible samples. Finally, we conduct experiments on a semi-physical ICS testbed with a high detection performance ensemble ML-based detector to show the effectiveness of our attacks. The results indicate that new samples of reconnaissance and function code attack produced by both optimal solution and GAN algorithm possess 80 percent higher probability to evade the detector, still maintaining the same attack effect. In the meantime, we adopt adversarial training as a method to defend against adversarial attack. After training on the mixture of orginal dataset and newly generated samples, the detector becomes more robust to adversarial examples.

Guofu Li,Pengjia Zhu,Jin Li,Zhemin Yang,Ning Cao,Zhiyi Chen

DOI: https://doi.org/10.48550/arXiv.1810.07339

2018-10-23

Abstract:Adversarial machine learning is a fast growing research area, which considers the scenarios when machine learning systems may face potential adversarial attackers, who intentionally synthesize input data to make a well-trained model to make mistake. It always involves a defending side, usually a classifier, and an attacking side that aims to cause incorrect output. The earliest studies on the adversarial examples for machine learning algorithms start from the information security area, which considers a much wider varieties of attacking methods. But recent research focus that popularized by the deep learning community places strong emphasis on how the "imperceivable" perturbations on the normal inputs may cause dramatic mistakes by the deep learning with supposed super-human accuracy. This paper serves to give a comprehensive introduction to a range of aspects of the adversarial deep learning topic, including its foundations, typical attacking and defending strategies, and some extended studies.

Machine Learning,Cryptography and Security

Li Chen,Zewei Xu,Qi Li,Jian Peng,Shaowen Wang,Haifeng Li

DOI: https://doi.org/10.1109/tgrs.2021.3051641

IF: 8.2

2021-09-01

IEEE Transactions on Geoscience and Remote Sensing

Abstract:Deep neural networks (DNNs), which learn a hierarchical representation of features, have shown remarkable performance in big data analytics of remote sensing. However, previous research indicates that DNNs are easily spoofed by adversarial examples, which are crafted images with artificial perturbations that fool DNN models toward wrong predictions. To comprehensively evaluate the impact of adversarial examples on the remote sensing image (RSI) scene classification, this study tests eight state-of-the-art classification DNNs on six RSI benchmarks. These data sets include both optical and synthetic-aperture radar (SAR) images of different spectral and spatial resolutions. In the experiment, we create 48 classification scenarios and use four cutting-edge attack algorithms to investigate the influence of the adversarial example on the classification of RSIs. The experimental result shows that the fooling rates of the attacks are all over 98% across the 48 scenarios. We also find that, for the optical data, the seriousness of the adversarial problem has a negative relationship with the richness of the feature information. Besides, adversarial examples generated from SAR images are used easily for fooling the models with an average fooling rate of 76.01%. By analyzing the class distribution of these adversarial examples, we find that the distribution of the misclassifications is not affected by the types of models and attack algorithms—adversarial examples of RSIs of the same class cluster on fixed several classes. The analysis of classes of adversarial examples not only helps us explore the relationships between data set classes but also provides insights for further designing defensive algorithms.

imaging science & photographic technology,remote sensing,engineering, electrical & electronic,geochemistry & geophysics

Federico Concone,Salvatore Gaglio,Andrea Giammanco,Giuseppe Lo Re,Marco Morana

DOI: https://doi.org/10.1145/3643563

IF: 2.717

2024-01-26

ACM Transactions on Privacy and Security

Abstract:In recent years, the widespread adoption of Machine Learning (ML) at the core of complex IT systems has driven researchers to investigate the security and reliability of ML techniques. A very specific kind of threats concerns the adversary mechanisms through which an attacker could induce a classification algorithm to provide the desired output. Such strategies, known as Adversarial Machine Learning (AML), have a twofold purpose: to calculate a perturbation to be applied to the classifier’s input such that the outcome is subverted, while maintaining the underlying intent of the original data. Although any manipulation that accomplishes these goals is theoretically acceptable, in real scenarios perturbations must correspond to a set of permissible manipulations of the input, which is rarely considered in the literature. In this paper, we present AdverSPAM , an AML technique designed to fool the spam account detection system of an Online Social Network (OSN). The proposed black-box evasion attack is formulated as an optimization problem that computes the adversarial sample while maintaining two important properties of the feature space, namely statistical correlation and semantic dependency . Although being demonstrated in an OSN security scenario, such an approach might be applied in other context where the aim is to perturb data described by mutually related features. Experiments conducted on a public dataset show the effectiveness of AdverSPAM compared to five state-of-the-art competitors, even in the presence of adversarial defense mechanisms.

computer science, information systems

Xiaoyong Yuan,Pan He,Qile Zhu,Xiaolin Li

DOI: https://doi.org/10.1109/tnnls.2018.2886017

IF: 14.255

2019-09-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks (DNNs) have been recently found vulnerable to well-designed input samples called adversarial examples. Adversarial perturbations are imperceptible to human but can easily fool DNNs in the testing/deploying stage. The vulnerability to adversarial examples becomes one of the major risks for applying DNNs in safety-critical environments. Therefore, attacks and defenses on adversarial examples draw great attention. In this paper, we review recent findings on adversarial examples for DNNs, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Anli Yan,Xiaozhang Liu,Wanman Li,Hongwei Ye,Lang Li

DOI: https://doi.org/10.1016/j.bdr.2024.100451

IF: 3.3

2024-03-28

Big Data Research

Abstract:Neural network-based classifiers are vulnerable to adversarial example attacks even in a black-box setting. Existing adversarial example generation technologies mainly rely on optimization-based attacks, which optimize the objective function by iterative input perturbation. While being able to craft adversarial examples, these techniques require big budgets. Latest transfer-based attacks, though being limited queries, also have a disadvantage of low attack success rate. In this paper, we propose an adversarial example attack method called MEAttack using the model-agnostic explanation technology, which can more efficiently generate adversarial examples in the black-box setting with limited queries. The core idea is to design a novel model-agnostic explanation method for target models, and generate adversarial examples based on model explanations. We experimentally demonstrate that MEAttack outperforms the state-of-the-art attack technology, i.e., AutoZOOM. The success rate of MEAttack is 4.54%-47.42% higher than AutoZOOM, and its query efficiency is reduced by 2.6-4.2 times. Experimental results show that MEAttack is efficient in terms of both attack success rate and query efficiency.

computer science, information systems, artificial intelligence, theory & methods

Shen Wang,Yuxin Gong

DOI: https://doi.org/10.1007/s10489-021-02759-8

IF: 5.3

2021-09-06

Applied Intelligence

Abstract:In recent years, machine learning has greatly improved image recognition capability. However, studies have shown that neural network models are vulnerable to adversarial examples that make models output wrong answers with high confidence. To understand the vulnerabilities of models, we use interpretability methods to reveal the internal decision-making behaviors of models. Interpretation results reflect that the evolutionary process of nonnormalized saliency maps between clean and adversarial examples are increasingly differentiated along model hidden layers. By taking advantage of this phenomenon, we propose an adversarial example detection method based on multilayer saliency features, which can comprehensively capture the abnormal characteristics of adversarial example interpretations. Experimental results show that the proposed method can effectively detect adversarial examples based on gradient, optimization and black-box attacks, and it is comparable with the state-of-the-art methods.

computer science, artificial intelligence

Shuhuai Ren,Yihe Deng,Kun He,Wanxiang Che

DOI: https://doi.org/10.18653/v1/p19-1103

2019-01-01

Abstract:We address the problem of adversarial attacks on text classification, which is rarely studied comparing to attacks on image classification. The challenge of this task is to generate adversarial examples that maintain lexical correctness, grammatical correctness and semantic similarity. Based on the synonyms substitution strategy, we introduce a new word replacement order determined by both the word saliency and the classification probability, and propose a greedy algorithm called probability weighted word saliency (PWWS) for text adversarial attack. Experiments on three popular datasets using convolutional as well as LSTM models show that PWWS reduces the classification accuracy to the most extent, and keeps a very low word substitution rate. A human evaluation study shows that our generated adversarial examples maintain the semantic similarity well and are hard for humans to perceive. Performing adversarial training using our perturbed datasets improves the robustness of the models. At last, our method also exhibits a good transferability on the generated adversarial examples.

Erkun Yang,Tongliang Liu,Cheng Deng,Dacheng Tao

DOI: https://doi.org/10.1109/tcyb.2018.2882908

IF: 11.8

2018-01-01

IEEE Transactions on Cybernetics

Abstract:Due to its strong representation learning ability and its facilitation of joint learning for representation and hash codes, deep learning-to-hash has achieved promising results and is becoming increasingly popular for the large-scale approximate nearest neighbor search. However, recent studies highlight the vulnerability of deep image classifiers to adversarial examples; this also introduces profound security concerns for deep retrieval systems. Accordingly, in order to study the robustness of modern deep hashing models to adversarial perturbations, we propose hash adversary generation (HAG), a novel method of crafting adversarial examples for Hamming space search. The main goal of HAG is to generate imperceptibly perturbed examples as queries, whose nearest neighbors from a targeted hashing model are semantically irrelevant to the original queries. Extensive experiments prove that HAG can successfully craft adversarial examples with small perturbations to mislead targeted hashing models. The transferability of these perturbations under a variety of settings is also verified. Moreover, by combining heterogeneous perturbations, we further provide a simple yet effective method of constructing adversarial examples for black-box attacks.

Yuxin Gong,Shen Wang,Xunzhi Jiang,Liyao Yin,Fanghui Sun

DOI: https://doi.org/10.1016/j.asoc.2023.110317

2023-04-16

Applied Soft Computing Journal

Abstract:Deep neural networks have recently been found to be vulnerable to adversarial examples, which can deceive attacked models with high confidence. This has given rise to significant security threats and raised doubts about the reliability of deploying deep learning models in security-critical domains. Therefore, effectively dealing with various adversarial examples has become an essential but challenging requirement. Adversarial example detection can predict the existence of adversarial examples in advance. However, existing detection methods are usually restricted to specific attacks, lacking generalization and decision-making bases. In this paper, we discover that the common characteristic of adversarial examples is to alter the semantic information recognized by models, which can effectively distinguish adversarial examples and provide interpretability. Based on this perspective, we propose a semantic graph matching (SeMatch) method to execute attack-agnostic adversarial example detection. SeMatch detects adversarial examples by comparing the constructed semantic graphs with the semantic graph prototypes of their predicted classes and further corrects their classification results. Experimental results demonstrate that SeMatch can effectively detect and classify adversarial examples in several attack settings, achieving an average detection and classification accuracy of 96.01% and 89.71%, respectively. When applied to unknown attack scenarios, SeMatch is more effective and interpretable than state-of-the-art methods.

Lu Sun,Mingtian Tan,Zhe Zhou

DOI: https://doi.org/10.1186/s42400-018-0012-9

2018-01-01

Abstract:Adversarial examples revealed the weakness of machine learning techniques in terms of robustness, which moreover inspired adversaries to make use of the weakness to attack systems employing machine learning. Existing researches covered the methodologies of adversarial example generation, the root reason of the existence of adversarial examples, and some defense schemes. However practical attack against real world systems did not appear until recent, mainly because of the difficulty in injecting a artificially generated example into the model behind the hosting system without breaking the integrity. Recent case study works against face recognition systems and road sign recognition systems finally abridged the gap between theoretical adversarial example generation methodologies and practical attack schemes against real systems. To guide future research in defending adversarial examples in the real world, we formalize the threat model for practical attacks with adversarial examples, and also analyze the restrictions and key procedures for launching real world adversarial example attacks.

Li Chen,Guowei Zhu,Qi Li,Haifeng Li

DOI: https://doi.org/10.48550/arXiv.1910.13222

2019-10-29

Computer Vision and Pattern Recognition

Abstract:With the wide application of remote sensing technology in various fields, the accuracy and security requirements for remote sensing images (RSIs) recognition are also increasing. In recent years, due to the rapid development of deep learning in the field of image recognition, RSI recognition models based on deep convolution neural networks (CNNs) outperform traditional hand-craft feature techniques. However, CNNs also pose security issues when they show their capability of accurate classification. By adding a very small variation of the adversarial perturbation to the input image, the CNN model can be caused to produce erroneous results with extremely high confidence, and the modification of the image is not perceived by the human eye. This added adversarial perturbation image is called an adversarial example, which poses a serious security problem for systems based on CNN model recognition results. This paper, for the first time, analyzes adversarial example problem of RSI recognition under CNN models. In the experiments, we used different attack algorithms to fool multiple high-accuracy RSI recognition models trained on multiple RSI datasets. The results show that RSI recognition models are also vulnerable to adversarial examples, and the models with different structures trained on the same RSI dataset also have different vulnerabilities. For each RSI dataset, the number of features also affects the vulnerability of the model. Many features are good for defensive adversarial examples. Further, we find that the attacked class of RSI has an attack selectivity property. The misclassification of adversarial examples of the RSIs are related to the similarity of the original classes in the CNN feature space. In addition, adversarial examples in RSI recognition are of great significance for the security of remote sensing applications, showing a huge potential for future research.

Sensen Guo,Xiaoyu Li,Zhiying Mu

DOI: https://doi.org/10.3389/fphy.2021.766540

IF: 3.718

2021-11-29

Frontiers in Physics

Abstract:In recent years, machine learning technology has made great improvements in social networks applications such as social network recommendation systems, sentiment analysis, and text generation. However, it cannot be ignored that machine learning algorithms are vulnerable to adversarial examples, that is, adding perturbations that are imperceptible to the human eye to the original data can cause machine learning algorithms to make wrong outputs with high probability. This also restricts the widespread use of machine learning algorithms in real life. In this paper, we focus on adversarial machine learning algorithms on social networks in recent years from three aspects: sentiment analysis, recommendation system, and spam detection, We review some typical applications of machine learning algorithms and adversarial example generation and defense algorithms for machine learning algorithms in the above three aspects in recent years. besides, we also analyze the current research progress and prospects for the directions of future research.

physics, multidisciplinary

Shaohan Wu,Jingfeng Xue,Yong Wang,Zixiao Kong

DOI: https://doi.org/10.3390/electronics12112346

IF: 2.9

2023-05-24

Electronics

Abstract:Recently, malware detection models based on deep learning have gradually replaced manual analysis as the first line of defense for anti-malware systems. However, it has been shown that these models are vulnerable to a specific class of inputs called adversarial examples. It is possible to evade the detection model by adding some carefully crafted tiny perturbations to the malicious samples without changing the sample functions. Most of the adversarial example generation methods ignore the information contained in the detection results of benign samples from detection models. Our method extracts sequence fragments called benign payload from benign samples based on detection results and uses an RNN generative model to learn benign features embedded in these sequences. Then, we use the end of the original malicious sample as input to generate an adversarial perturbation that reduces the malicious probability of the sample and append it to the end of the sample to generate an adversarial sample. According to different adversarial scenarios, we propose two different generation strategies, which are the one-time generation method and the iterative generation method. Under different query times and append scale constraints, the maximum evasion success rate can reach 90.8%.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yao Li,Minhao Cheng,Cho-Jui Hsieh,Thomas C. M. Lee

DOI: https://doi.org/10.1080/00031305.2021.2006781

2021-11-19

Abstract:Despite the efficiency and scalability of machine learning systems, recent studies have demonstrated that many classification methods, especially deep neural networks (DNNs), are vulnerable to adversarial examples; i.e., examples that are carefully crafted to fool a well-trained classification model while being indistinguishable from natural data to human. This makes it potentially unsafe to apply DNNs or related methods in security-critical areas. Since this issue was first identified by Biggio et al. (2013) and Szegedy et al.(2014), much work has been done in this field, including the development of attack methods to generate adversarial examples and the construction of defense techniques to guard against such examples. This paper aims to introduce this topic and its latest developments to the statistical community, primarily focusing on the generation and guarding of adversarial examples. Computing codes (in python and R) used in the numerical experiments are publicly available for readers to explore the surveyed methods. It is the hope of the authors that this paper will encourage more statisticians to work on this important and exciting field of generating and defending against adversarial examples.

Cryptography and Security,Machine Learning