Dian Zhang,Yunwei Dong,Hongji Yang

DOI: https://doi.org/10.1007/s11042-023-17355-w

IF: 2.577

2023-01-01

Multimedia Tools and Applications

Abstract:Due to the continuous development of neural network technology, it has been widely applied in fields such as autonomous driving and biomedicine. However, adversarial attacks can significantly degrade the performance and reliability of neural networks, making defending against such attacks a crucial research area. In this paper, we propose a robust U-Net and adversarial generative network-based defense method, training the target model on a clean training set without adversarial samples. Firstly, we train the target neural network on a clean training set. Then, we train the robust U-Net using the clean training set, employing reparameterization and random noise to resist adversarial perturbations. To supervise the quality of transformed images, we employ the adversarial generative network, utilizing the RU-Net as the generator and a discriminator to ensure the quality of generated images. Finally, we use the transformed images to retrain the target neural network, obtaining a robust neural network model capable of defending against adversarial attacks. Experimental evaluations on CIFAR-10 and Tiny Image Net demonstrate the effectiveness of our method in countering adversarial attacks and enhancing neural network robustness.

Dian Zhang,Yunwei Dong,Yun Yang

DOI: https://doi.org/10.1016/j.asoc.2024.111733

IF: 8.7

2024-01-01

Applied Soft Computing

Abstract:With the widespread application of deep learning, the vulnerability of neural networks has attracted considerable attention, raising reliability and security concerns. Therefore, research on the robustness of neural networks has become increasingly critical. In this paper, we propose a novel sample-analysis based robustness evaluation method that overcomes the drawbacks of existing techniques, such as solving difficulty, single strategy, and loose radius. Our algorithm comprises two parts: robustness evaluation and adversarial attacks. Specifically, we introduce formal definitions of multiple sample types and a general solution to the problem of adversarial samples. We formulate a disturbance model-based description of adversarial samples in the adversarial attack algorithm and utilize saliency map to solve them. Our experimental results demonstrate that our adversarial attack algorithm not only achieves a high attack success rate in a relatively small disturbance range but also generates multiple adversarial examples for each clean example. Our algorithm can evaluate the robustness of complex datasets and models, overcome the lack of a single strategy in solving adversarial examples, and provide a more accurate radius of robustness.

Songyang Gao,Shihan Dou,Qi Zhang,Xuanjing Huang,Jin Ma,Ying Shan

DOI: https://doi.org/10.18653/v1/2023.findings-acl.857

2023-01-01

Abstract:Detecting adversarial samples that are carefully crafted to fool the model is a critical step to socially-secure applications.However, existing adversarial detection methods require access to sufficient training data, which brings noteworthy concerns regarding privacy leakage and generalizability.In this work, we validate that the adversarial sample generated by attack algorithms is strongly related to a specific vector in the high-dimensional inputs.Such vectors, namely UAPs (Universal Adversarial Perturbations), can be calculated without original training data.Based on this discovery, we propose a data-agnostic adversarial detection framework, which induces different responses between normal and adversarial samples to UAPs.Experimental results show that our method achieves competitive detection performance on various text classification tasks, and maintains an equivalent time consumption to normal inference.

Shaohao Lu,Yuqiao Xian,Ke Yan,Yi Hu,Xing Sun,Xiaowei Guo,Feiyue Huang,Wei-Shi Zheng

DOI: https://doi.org/10.1145/3474085.3475290

2021-01-01

Abstract:The Deep Neural Networks are vulnerable to adversarial examples (Figure 1), making the DNNs-based systems collapsed by adding the inconspicuous perturbations to the images. Most of the existing works for adversarial attack are gradient-based and suffer from the latency efficiencies and the load on GPU memory. The generative-based adversarial attacks can get rid of this limitation, and some relative works propose the approaches based on GAN. However, suffering from the difficulty of the convergence of training a GAN, the adversarial examples have either bad attack ability or bad visual quality. In this work, we find that the discriminator could be not necessary for generative-based adversarial attack, and propose the Symmetric Saliency-based Auto-Encoder (SSAE) to generate the perturbations, which is composed of the saliency map module and the angle-norm disentanglement of the features module. The advantage of our proposed method lies in that it is not depending on discriminator, and uses the generative saliency map to pay more attention to label-relevant regions. The extensive experiments among the various tasks, datasets, and models demonstrate that the adversarial examples generated by SSAE not only make the widely-used models collapse, but also achieves good visual quality. The code is available at: https://github.com/BravoLu/SSAE.

Chunkai Zhang,Xiaofeng Luo,Peiyi Han

DOI: https://doi.org/10.1016/j.cose.2022.102770

IF: 5.105

2022-01-01

Computers & Security

Abstract:Modern image classification networks endure adversarial attacks that deliberately alter the input image by adding small, often imperceptible, perturbations to mislead the network’s classification result. From a perspective of manifold theory, most adversarial examples generated by current adversarial attack methods are off-manifold and can be detected by adversarial defense methods based on manifold theory. In this study, we propose a novel adversarial attack method for crafting on-manifold adversarial examples. Specifically, we utilize the adversarial autoencoder (AAE) to obtain the low-dimensional manifold of data, and design a latent substitute model based on the data manifold to ensure that the generated adversarial examples are still on-manifold. Additionally, to overcome the difficulty in limiting the perturbation of adversarial examples when searching in the latent space, we propose a gradient decoding strategy (GDS) and confidence re-ranking strategy (CRS). The results demonstrate the competitive performance of our method compared with that of some of the current attack methods applied to state-of-the-art defense models, especially those based on the manifold theory. Additionally, when using the proposed method for adversarial training, the robustness of the model is improved without reducing the accuracy of classifying the original dataset. We hope that our proposed attack method can serve as a benchmark for evaluating and improving the robustness of networks.

Hongyu Yang,Renyun Zeng,Guangquan Xu,Liang Zhang

DOI: https://doi.org/10.1016/j.asoc.2021.107096

IF: 8.7

2021-04-01

Applied Soft Computing

Abstract:Aiming at the poor performance and flexibility of traditional assessment methods of network security in dealing with a large number of network attack data, this paper proposes a network security situation assessment method based on adversarial deep learning. Firstly, establish the Deep Autoencoder-Deep Neural Network (AEDNN) model based on Deep Autoencoder (DAE) and Deep Neural Network (DNN). Conduct feature learning on the DAE network and apply the DNN network as a network attacks classifier. In the training process, for considering the results of feature learning in DAE, this paper builds an adversarial training process by changing the training weights. Besides, to increase the performance of the model on the minority network attacks, the Under-Over Sampling Weighted (UOSW) algorithm is designed; Finally, conduct model testing and calculate the network security situation value. The compared results of other models show the proposed model is more accurate for identifying network attacks and can evaluate the network situation more comprehensively and flexibly.

computer science, artificial intelligence, interdisciplinary applications

Yanqing Yang,Kangfeng Zheng,Bin Wu,Yixian Yang,Xiujuan Wang

DOI: https://doi.org/10.1109/access.2020.2977007

IF: 3.9

2020-01-01

IEEE Access

Abstract:To explore the advantages of adversarial learning and deep learning, we propose a novel network intrusion detection model called SAVAER-DNN, which can not only detect known and unknown attacks but also improve the detection rate of low-frequent attacks. SAVAER is a supervised variational auto-encoder with regularization, which uses WGAN-GP instead of the vanilla GAN to learn the latent distribution of the original data. SAVAER's decoder is used to synthesize samples of low-frequent and unknown attacks, thereby increasing the diversity of training samples and balancing the training data set. SAVAER's encoder is used to initialize the weights of the hidden layers of the DNN and explore high-level feature representations of the original samples. The benchmark NSL-KDD (KDDTest+), NSL-KDD (KDDTest-21) and UNSW-NB15 datasets are used to evaluate the performance of the proposed model. The experimental results show that the proposed SAVAER-DNN is more suitable for data augmentation than the other three well-known data oversampling methods. Moreover, the proposed SAVAER-DNN outperforms eight well-known classification models in detection performance and is more effective in detecting low-frequent and unknown attacks. Furthermore, compared with other state-of-the-art intrusion detection models reported in the IDS literature, the proposed SAVAER-DNN offers better performance in terms of overall accuracy, detection rate, F1 score, and false positive rate.

computer science, information systems,telecommunications,engineering, electrical & electronic

Maosen Li,Yanhua Yang,Kun Wei,Xu Yang,Heng Huang

DOI: https://doi.org/10.1609/aaai.v36i2.20023

2022-06-28

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Deep learning models have shown to be susceptible to universal adversarial perturbation (UAP), which has aroused wide concerns in the community. Compared with the conventional adversarial attacks that generate adversarial samples at the instance level, UAP can fool the target model for different instances with only a single perturbation, enabling us to evaluate the robustness of the model from a more effective and accurate perspective. The existing universal attack methods fail to exploit the differences and connections between the instance and universal levels to produce dominant perturbations. To address this challenge, we propose a new universal attack method that unifies instance-specific and universal attacks from a feature perspective to generate a more dominant UAP. Specifically, we reformulate the UAP generation task as a minimax optimization problem and then utilize the instance-specific attack method to solve the minimization problem thereby obtaining better training data for generating UAP. At the same time, we also introduce a consistency regularizer to explore the relationship between training data, thus further improving the dominance of the generated UAP. Furthermore, our method is generic with no additional assumptions about the training data and hence can be applied to both data-dependent (supervised) and data-independent (unsupervised) manners. Extensive experiments demonstrate that the proposed method improves the performance by a significant margin over the existing methods in both data-dependent and data-independent settings. Code is available at https://github.com/lisenxd/AT-UAP.

YU Tingyue,WANG Shen,ZHANG Chunrui,WANG Zhenbang,LI Yetian,YU Xiangzhan

DOI: https://doi.org/10.1049/cje.2021.06.009

IF: 1.019

2021-09-01

Chinese Journal of Electronics

Abstract:In recent years, adversarial examples has become one of the most important security threats in deep learning applications. For testing the security of deep learning models in adversarial environment, many researches focus on generating adversarial examples quickly and efficiently. In order to solve the problems of existing generative adversarial networks based methods which can not effectively generate the targeted adversarial examples in black box settings, and to improve the temporal performance of gradient-based generating methods, an adversarial examples generating method based on conditional Variational autoencoder (cVAE) is proposed in this paper, where a cVAE is designed elaborately to generate adversarial examples without most of the detailed information about the attacked deep learning models, of which the output can be controlled arbitrarily by these crafted inputs, used to test the robustness of deep learning models against adversarial examples. The experimental results show that the proposed method can achieve a comparable attack success rate and a better temporal performance than the existing gradient-based generating methods in black box environment.

engineering, electrical & electronic

Xiaohui Kuang,Hongyi Liu,Ye Wang,Qikun Zhang,Quanxin Zhang,Jun Zheng

DOI: https://doi.org/10.1109/access.2019.2956553

IF: 3.9

2019-01-01

IEEE Access

Abstract:Deep neural networks(DNNs) are widely used in AI-controlled Cyber-Physical Systems (CPS) to controll cars, robotics, water treatment plants and railways. However, DNNs have vulnerabilities to well-designed input samples that are called adversarial examples. Adversary attack is one of the important techniques for detecting and improving the security of neural networks. Existing attacks, including state-of-the-art black-box attack have a lower success rate and make invalid queries that are not beneficial to obtain the direction of generating adversarial examples. For these reasons, this paper proposed a CMA-ES-based adversarial attack on black-box DNNs. Firstly, an efficient method to reduce the number of invalid queries is introduced. Secondly, a black-box attack of generating adversarial examples to fit a high-dimensional independent Gaussian distribution of the local solution space is proposed. Finally, a new CMA-based perturbation compression method is applied to make the process of reducing perturbation smoother. Experimental results on ImageNet classifiers show that the proposed attack has a higher success-rate than the state-of-the-art black-box attack but reduce the number of queries by 30% equally.

Tianyi Zhu,Lina Liu,Yibo Sun,Zhi Lu,Yuanlong Zhang,Chao Xu,Jun Chen

DOI: https://doi.org/10.1016/j.knosys.2024.112445

IF: 8.139

2024-01-01

Knowledge-Based Systems

Abstract:Most methods only use normal samples to learn anomaly detection (AD) models in an unsupervised manner. However, these samples may be noisy in real-world applications, causing the models to be unable to accurately identify anomaly objects. In addition, there are a small number of anomaly samples in real industrial production that should be fully utilized to help model discrimination. Existing methods of introducing anomaly samples still have bottlenecks in model identification capabilities. In this paper, by introducing both normal and a few abnormal samples, we propose a novel semi-supervised learning method for anomaly detection, named RobustPatch, which can improve the model discriminability through a self-cross scoring mechanism and the learning of feature AutoEncoder. Our approach contains two core designs: Firstly, we propose a self-cross scoring module, calculating the weights of normal and anomaly features extracted from corresponding images using a self-scoring and cross-scoring manner, respectively. Secondly, our approach proposes a fully connected feature AutoEncoder to rate the extracted features, which is trained with the supervision of the scored weights. Extensive experiments on the MVTecAD and BTAD datasets validate the superior anomaly boundaries discriminability of our approach and superior performance in noise-polluted scenarios.

Chaowei Xiao,Bo Li,Jun-yan Zhu,Warren He,Mingyan Liu,Dawn Song

DOI: https://doi.org/10.24963/ijcai.2018/543

2018-07-01

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Zhenhua Li,Huilin Cheng,Xinye Cai,Jun Zhao,Qingfu Zhang

DOI: https://doi.org/10.1109/tetci.2022.3214627

2023-01-01

IEEE Transactions on Emerging Topics in Computational Intelligence

Abstract:Deep neural networks are vulnerable to adversarial examples that alter the output significantly with imperceptible change in the input. In our black-box setting, the adversarial attacker can only query the model to predict the value after the softmax layer without accessing the underlying model. Currently, generating adversarial examples with high qualifications in the query-limited setting and investigating the distribution of adversarial examples are two main challenges in the black-box attack. In this paper, we propose a zeroth-order optimization method for the black-box adversarial attack, termed subspace activation evolution strategy (SA-ES). It captures the most promising direction for generating more convincing adversarial examples.Moreover, instead of only searching for one reliable adversarial example for an original input, SA-ES finds a distribution of adversarial examples, such that a sample drawn from this distribution is likely an adversarial example. We conduct comprehensive experiments on various data sets and validate that the proposed algorithm can efficiently find perturbation-sensitive regions of an image and stably explore the distribution of adversarial examples with the limited query, and outperforms the existing methods. In addition, we apply SA-ES to physical reality black-box attacks, which effectively generate simulated physical adversarial examples for the adversarial training model.

Jianxin Yang,Mingwen Shao,Huan Liu,Xinkai Zhuang

DOI: https://doi.org/10.1007/s13042-023-01778-w

2023-01-01

International Journal of Machine Learning and Cybernetics

Abstract:Existing adversarial attack methods usually add perturbations directly to the pixel space of an image, resulting in significant local noise in the image. Besides, the performance of existing attack methods is affected by various pixel-space based defense strategies. In this paper, we propose a novel method to generate adversarial examples by adding perturbations to the feature space. Specifically, the perturbation of the feature space is induced by a style-shifting-based network architecture called AdvAdaIN. Furthermore, we expose the feature space to the attacker via an encoder, and then the perturbation is injected into the feature space by AdvAdaIN. Simultaneously, due to the specificity of feature space perturbations, we trained a decoder to reflect the changes in feature space to pixel space and ensure that the perturbations are not easily detected. Meanwhile, we align the original image with another image in the feature space, adding additional adversarial information to the model. In addition, we can generate diverse adversarial samples by varying the perturbation parameters, which mainly change the overall color and brightness of the image. Experiments demonstrate that the proposed method outperforms existing methods and produces more natural adversarial samples when facing defensive strategies.

Lei Xu,Junhai Zhai

DOI: https://doi.org/10.26599/tst.2023.9010004

2024-04-01

Abstract:Deep neural network (DNN) has strong representation learning ability, but it is vulnerable and easy to be fooled by adversarial examples. In order to handle the vulnerability of DNN, many methods have been proposed. The general idea of existing methods is to reduce the chance of DNN models being fooled by observing some designed adversarial examples, which are generated by adding perturbations to the original images. In this paper, we propose a novel adversarial example generation method, called DCVAE-adv. Different from the existing methods, DCVAE-adv constructs adversarial examples by mixing both explicit and implicit perturbations without using original images. Furthermore, the proposed method can be applied to both white box and black box attacks. In addition, in the inference stage, the adversarial examples can be generated without loading the original images into memory, which greatly reduces the memory overhead. We compared DCVAE-adv with three most advanced adversarial attack algorithms: FGSM, AdvGAN, and AdvGAN++. The experimental results demonstrate that DCVAE-adv is superior to these state-of-the-art methods in terms of attack success rate and transfer ability for targeted attack. Our code is available at https://github.com/xzforeverlove/DCVAE-adv.

computer science, information systems,engineering, electrical & electronic, software engineering

Mingxing Duan,Kenli Li,Jiayan Deng,Bin Xiao,Qi Tian

DOI: https://doi.org/10.1145/3506852

2022-01-01

Abstract:Deep learning models are widely used in daily life, which bring great convenience to our lives, but they are vulnerable to attacks. How to build an attack system with strong generalization ability to test the robustness of deep learning systems is a hot issue in current research, among which the research on black-box attacks is extremely challenging. Most current research on black-box attacks assumes that the input dataset is known. However, in fact, it is difficult for us to obtain detailed information for those datasets. In order to solve the above challenges, we propose a multi-sample generation model for black-box model attacks, called MsGM. MsGM is mainly composed of three parts: multi-sample generation, substitute model training, and adversarial sample generation and attack. Firstly, we design a multi-task generation model to learn the distribution of the original dataset. The model first converts an arbitrary signal of a certain distribution into the shared features of the original dataset through deconvolution operations, and then according to different input conditions, multiple identical sub-networks generate the corresponding targeted samples. Secondly, the generated sample features achieve different outputs through querying the black-box model and training the substitute model, which are used to construct different loss functions to optimize and update the generator and substitute model. Finally, some common white-box attack methods are used to attack the substitute model to generate corresponding adversarial samples, which are utilized to attack the black-box model. We conducted a large number of experiments on the MNIST and CIFAR-10 datasets. The experimental results show that under the same settings and attack algorithms, MsGM achieves better performance than the based models.

Sensen Guo,Jinxiong Zhao,Xiaoyu Li,Junhong Duan,Dejun Mu,Xiao Jing

DOI: https://doi.org/10.1155/2021/5578335

IF: 1.968

2021-04-23

Security and Communication Networks

Abstract:In recent years, machine learning has made tremendous progress in the fields of computer vision, natural language processing, and cybersecurity; however, we cannot ignore that machine learning models are vulnerable to adversarial examples, with some minor malicious input modifications, while appearing unmodified to human observers, the outputs of machine learning-based model can be misled easily. Likewise, attackers can bypass machine-learning-based security defenses model to attack systems in real time by generating adversarial examples. In this paper, we propose a black-box attack method against machine-learning-based anomaly network flow detection algorithms. Our attack strategy consists in training another model to substitute for the target machine learning model. Based on the overall understanding of the substitute model and the migration of the adversarial examples, we use the substitute model to craft adversarial examples. The experiment has shown that our method can attack the target model effectively. We attack several kinds of network flow detection models, which are based on different kinds of machine learning methods, and we find that the adversarial examples crafted by our method can bypass the detection of the target model with high probability.

computer science, information systems,telecommunications

Song Gao,Ruxin Wang,Xiaoxuan Wang,Shui Yu,Yunyun Dong,Shaowen Yao,Wei Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3241428

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Despite achieving exceptional performance, deep neural networks (DNNs) suffer from the harassment caused by adversarial examples, which are produced by corrupting clean examples with tiny perturbations. Many powerful defense methods have been presented such as training data augmentation and input reconstruction which, however, usually rely on the prior knowledge of the targeted models or attacks. In this paper, we propose a novel approach for detecting adversarial images, which can protect any pre-trained DNN classifiers and resist an endless stream of new attacks. Specifically, we first adopt a dual autoencoder to project images to a latent space. The dual autoencoder uses the self-supervised learning to ensure that small modifications to samples do not significantly alter their latent representations. Next, the mutual information neural estimation is utilized to enhance the discrimination of the latent representations. We then leverage the prior distribution matching to regularize the latent representations. To easily compare the representations of examples in the two spaces, and not rely on the prior knowledge of the targeted model, a simple fully connected neural network is used to embed the learned representations into an eigenspace, which is consistent with the output eigenspace of the targeted model. Through the distribution similarity of an input example in the two eigenspaces, we can judge whether the input example is adversarial or not. Extensive experiments on MNIST, CIFAR-10, and ImageNet show that the proposed method has superior defense performance and transferability than state-of-the-arts.

Long Tang,Bin Yu

DOI: https://doi.org/10.1109/dsa51864.2020.00051

2020-01-01

Abstract:Deep neural network (DNN) has been widely used in many application scenarios, but it is easy to be affected by slight disturbance, which is referred to as adversarial examples, and produces wrong decisions endangering system security. It is difficult to obtain the structure and parameter information of the target network in the actual scene. In this paper, we propose an optimization-based method to generate adversarial examples. Inspired by the autoencoder and Conditional Generative Adversarial Net (CGAN), we train the encoder to encode the image into latent vector, of which the specific region (category field) is used to represent the category information of the image, and then train the decoder to generate adversarial examples of the specified category. We perform Natural Evolution Strategy in the low-dimensional latent space to further improve the attack. The result shows that our method can successfully attack the target network within only one or a few queries. We evaluate our method on Sign-Language-Digits (SLD) and Cifar-10 datasets. Compared with other methods, our approach can attack the target model with less queries, and maintain a high success rate.

Xu Kang,Bin Song,Dan Wang,Xiaohui Cai

DOI: https://doi.org/10.1016/j.neucom.2022.06.005

IF: 6

2022-01-01

Neurocomputing

Abstract:Recently, researches on universal adversarial perturbations have deepened the public’s attention to the security of deep neural networks (DNNs). Most researchers use iterative methods or generative adversarial networks (GANs) to find universal adversarial perturbations (UAPs). However, just focusing on outputs still cannot separate adversarial examples in feature space and there is almost no correlation between the perturbations generated by random noise and the target network. To cope with these problems, we propose a novel end-to-end UAPs generation framework that uses constant activation information as the input of the generator and adopts a feature adaptive loss function. Experiments show that the attack success rate of our UAPs has reached a competitive level against different classification networks on CIFAR-10 and ImageNet where the average fooling rate can reach 86% and 96%, leading to 19% and 16% improvements over UAP, respectively. Furthermore, we demonstrate the great generalization ability and strong transferability of proposed attacker. Finally, the proposed attacker can achieve lower mAP and mean IoU than several classical white box attackers in object detection task and image segmentation task.