Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Zhe Zhao,Guangke Chen,Tong Liu,Taishan Li,Fu Song,Jingyi Wang,Jun Sun

DOI: https://doi.org/10.1145/3631977

IF: 3.685

2023-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:As a new programming paradigm, deep learning (DL) has achieved impressive performance in areas such as image processing and speech recognition, and has expanded its application to solve many real-world problems. However, neural networks and DL are normally black-box systems; even worse, DL-based software are vulnerable to threats from abnormal examples, such as adversarial and backdoored examples constructed by attackers with malicious intentions as well as unintentionally mislabeled samples. Therefore, it is important and urgent to detect such abnormal examples. Although various detection approaches have been proposed respectively addressing some specific types of abnormal examples, they suffer from some limitations; until today, this problem is still of considerable interest. In this work, we first propose a novel characterization to distinguish abnormal examples from normal ones based on the observation that abnormal examples have significantly different (adversarial) robustness from normal ones. We systemically analyze those three different types of abnormal samples in terms of robustness and find that they have different characteristics from normal ones. As robustness measurement is computationally expensive and hence can be challenging to scale to large networks, we then propose to effectively and efficiently measure robustness of an input sample using the cost of adversarially attacking the input, which was originally proposed to test robustness of neural networks against adversarial examples. Next, we propose a novel detection method, named attack as detection (A 2 D for short), which uses the cost of adversarially attacking an input instead of robustness to check if it is abnormal. Our detection method is generic, and various adversarial attack methods could be leveraged. Extensive experiments show that A 2 D is more effective than recent promising approaches that were proposed to detect only one specific type of abnormal examples. We also thoroughly discuss possible adaptive attack methods to our adversarial example detection method and show that A 2 D is still effective in defending carefully designed adaptive adversarial attack methods—for example, the attack success rate drops to 0% on CIFAR10.

Xiaoyong Yuan,Pan He,Qile Zhu,Xiaolin Li

DOI: https://doi.org/10.1109/tnnls.2018.2886017

IF: 14.255

2019-09-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks (DNNs) have been recently found vulnerable to well-designed input samples called adversarial examples. Adversarial perturbations are imperceptible to human but can easily fool DNNs in the testing/deploying stage. The vulnerability to adversarial examples becomes one of the major risks for applying DNNs in safety-critical environments. Therefore, attacks and defenses on adversarial examples draw great attention. In this paper, we review recent findings on adversarial examples for DNNs, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Jiliang Zhang,Chen Li

DOI: https://doi.org/10.1109/TNNLS.2019.2933524

2019-09-23

Abstract:Deep neural networks (DNNs) have shown huge superiority over humans in image recognition, speech processing, autonomous vehicles and medical diagnosis. However, recent studies indicate that DNNs are vulnerable to adversarial examples (AEs), which are designed by attackers to fool deep learning models. Different from real examples, AEs can mislead the model to predict incorrect outputs while hardly be distinguished by human eyes, therefore threaten security-critical deep-learning applications. In recent years, the generation and defense of AEs have become a research hotspot in the field of artificial intelligence (AI) security. This article reviews the latest research progress of AEs. First, we introduce the concept, cause, characteristics and evaluation metrics of AEs, then give a survey on the state-of-the-art AE generation methods with the discussion of advantages and disadvantages. After that, we review the existing defenses and discuss their limitations. Finally, future research opportunities and challenges on AEs are prospected.

Machine Learning

Huali Ren,Teng Huang,Hongyang Yan

DOI: https://doi.org/10.1007/s13042-020-01242-z

2021-01-04

International Journal of Machine Learning and Cybernetics

Abstract:Deep learning technology has become an important branch of artificial intelligence. However, researchers found that deep neural networks, as the core algorithm of deep learning technology, are vulnerable to adversarial examples. The adversarial examples are some special input examples which were added small magnitude and carefully crafted perturbations to yield erroneous results with extremely confidence. Hence, they bring serious security risks to deep-learning-based systems. Furthermore, adversarial examples exist not only in the digital world, but also in the physical world. This paper presents a comprehensive overview of adversarial attacks and defenses in the real physical world. First, we reviewed these works that can successfully generate adversarial examples in the digital world, analyzed the challenges faced by applications in real environments. Then, we compare and summarize the work of adversarial examples on image classification tasks, target detection tasks, and speech recognition tasks. In addition, the relevant feasible defense strategies are summarized. Finally, relying on the reviewed work, we propose potential research directions for the attack and defense of adversarial examples in the physical world.

Bo Wang,Mengnan Zhao,Wei Wang,Fei Wei,Zhan Qin,Kui Ren

DOI: https://doi.org/10.1109/tcsvt.2020.3017006

IF: 5.859

2020-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Deep neural networks (DNNs) have seen extensive studies on image recognition and classification, image segmentation, and related topics. However, recent studies show that DNNs are vulnerable in defending adversarial examples. The classification network can be deceived by adding a small amount of perturbation to clean samples. There are challenges when researchers want to design a general approach to defend against a wide variety of adversarial examples. To solve this problem, we introduce a defensive method to prevent adversarial examples from generating. Instead of designing a stronger classifier, we built a more robust classification system that can be viewed as a structural black box. After adding a buffer to the classification system, attackers can be efficiently deceived. The real evaluation results of the generated adversarial examples are often contrary to what the attacker thinks. Additionally, we do not assume a specific attack method premise. This incognizance to underlying attacks demonstrates the generalizability of the buffer to potential adversarial attacks. Extensive experiments indicate that the defense method greatly improves the security performance of DNNs.

Sicong Han,Chenhao Lin,Chao Shen,Qian Wang,Xiaohong Guan

DOI: https://doi.org/10.1145/3594869

IF: 16.6

2023-04-28

ACM Computing Surveys

Abstract:Deep learning technology is increasingly applied in safety-critical scenarios while it has recently been found to be susceptible to imperceptible adversarial perturbations, which raises a serious concern regarding the adversarial robustness of deep neural networks (DNNs) based applications. Accordingly, various adversarial attacks and defense approaches have been proposed. However, current studies implement different types of attacks and defenses with certain assumptions. There is still a lack of full theoretical understanding and interpretation of adversarial examples. Instead of reviewing technical progress in adversarial attacks and defenses, this paper presents a framework consisting of three perspectives to discuss recent works focusing on theoretically explaining adversarial examples comprehensively. In each perspective, various hypotheses are further categorized and summarized into several subcategories and introduced systematically. To the best of our knowledge, this study is the first to concentrate on surveying existing research on adversarial examples and adversarial robustness from the interpretability perspective. By drawing on the reviewed literature, this survey characterizes current problems and challenges that need to be addressed and highlights potential future research directions to further investigate adversarial examples.

computer science, theory & methods

Wenqi Wei,Ling Liu,Margaret Loper,Stacey Truex,Lei Yu,Mehmet Emre Gursoy,Yanzhao Wu

DOI: https://doi.org/10.48550/arXiv.1807.00051

IF: 5.414

2018-06-29

Machine Learning

Abstract:The burgeoning success of deep learning has raised the security and privacy concerns as more and more tasks are accompanied with sensitive data. Adversarial attacks in deep learning have emerged as one of the dominating security threat to a range of mission-critical deep learning systems and applications. This paper takes a holistic and principled approach to perform statistical characterization of adversarial examples in deep learning. We provide a general formulation of adversarial examples and elaborate on the basic principle for adversarial attack algorithm design. We introduce easy and hard categorization of adversarial attacks to analyze the effectiveness of adversarial examples in terms of attack success rate, degree of change in adversarial perturbation, average entropy of prediction qualities, and fraction of adversarial examples that lead to successful attacks. We conduct extensive experimental study on adversarial behavior in easy and hard attacks under deep learning models with different hyperparameters and different deep learning frameworks. We show that the same adversarial attack behaves differently under different hyperparameters and across different frameworks due to the different features learned under different deep learning model training process. Our statistical characterization with strong empirical evidence provides a transformative enlightenment on mitigation strategies towards effective countermeasures against present and future adversarial attacks.

Hongshuo Liang,Erlu He,Yangyang Zhao,Zhe Jia,Hao Li

DOI: https://doi.org/10.3390/electronics11081283

IF: 2.9

2022-04-18

Electronics

Abstract:In recent years, artificial intelligence technology represented by deep learning has achieved remarkable results in image recognition, semantic analysis, natural language processing and other fields. In particular, deep neural networks have been widely used in different security-sensitive tasks. Fields, such as facial payment, smart medical and autonomous driving, which accelerate the construction of smart cities. Meanwhile, in order to fully unleash the potential of edge big data, there is an urgent need to push the AI frontier to the network edge. Edge AI, the combination of artificial intelligence and edge computing, supports the deployment of deep learning algorithms to edge devices that generate data, and has become a key driver of smart city development. However, the latest research shows that deep neural networks are vulnerable to attacks from adversarial example and output wrong results. This type of attack is called adversarial attack, which greatly limits the promotion of deep neural networks in tasks with extremely high security requirements. Due to the influence of adversarial attacks, researchers have also begun to pay attention to the research in the field of adversarial defense. In the game process of adversarial attacks and defense technologies, both attack and defense technologies have been developed rapidly. This article first introduces the principles and characteristics of adversarial attacks, and summarizes and analyzes the adversarial example generation methods in recent years. Then, it introduces the adversarial example defense technology in detail from the three directions of model, data, and additional network. Finally, combined with the current status of adversarial example generation and defense technology development, put forward challenges and prospects in this field.

engineering, electrical & electronic,computer science, information systems,physics, applied

Rui Zhao

DOI: https://doi.org/10.48550/arXiv.2011.05976

2020-11-17

Abstract:With further development in the fields of computer vision, network security, natural language processing and so on so forth, deep learning technology gradually exposed certain security risks. The existing deep learning algorithms cannot effectively describe the essential characteristics of data, making the algorithm unable to give the correct result in the face of malicious input. Based on current security threats faced by deep learning, this paper introduces the problem of adversarial examples in deep learning, sorts out the existing attack and defense methods of the black box and white box, and classifies them. It briefly describes the application of some adversarial examples in different scenarios in recent years, compares several defense technologies of adversarial examples, and finally summarizes the problems in this research field and prospects for its future development. This paper introduces the common white box attack methods in detail, and further compares the similarities and differences between the attack of the black and white box. Correspondingly, the author also introduces the defense methods, and analyzes the performance of these methods against the black and white box attack.

Cryptography and Security,Computer Vision and Pattern Recognition

Alex Serban,Erik Poll,Joost Visser

DOI: https://doi.org/10.48550/arXiv.2008.04094

2020-08-07

Computer Vision and Pattern Recognition

Abstract:Deep neural networks are at the forefront of machine learning research. However, despite achieving impressive performance on complex tasks, they can be very sensitive: Small perturbations of inputs can be sufficient to induce incorrect behavior. Such perturbations, called adversarial examples, are intentionally designed to test the network's sensitivity to distribution drifts. Given their surprisingly small size, a wide body of literature conjectures on their existence and how this phenomenon can be mitigated. In this article we discuss the impact of adversarial examples on security, safety, and robustness of neural networks. We start by introducing the hypotheses behind their existence, the methods used to construct or protect against them, and the capacity to transfer adversarial examples between different machine learning models. Altogether, the goal is to provide a comprehensive and self-contained survey of this growing field of research.

Han Xu,Yao Ma,Hao-Chen Liu,Debayan Deb,Hui Liu,Ji-Liang Tang,Anil K. Jain

DOI: https://doi.org/10.1007/s11633-019-1211-x

2020-03-27

International Journal of Automation and Computing

Abstract:Abstract Deep neural networks (DNN) have achieved unprecedented success in numerous machine learning tasks in various domains. However, the existence of adversarial examples raises our concerns in adopting deep learning to safety-critical applications. As a result, we have witnessed increasing interests in studying attack and defense mechanisms for DNN models on different data types, such as images, graphs and text. Thus, it is necessary to provide a systematic and comprehensive overview of the main threats of attacks and the success of corresponding countermeasures. In this survey, we review the state of the art algorithms for generating adversarial examples and the countermeasures against adversarial examples, for three most popular data types, including images, graphs and text.

automation & control systems,computer science, artificial intelligence

Yutong Zhang,Yao Li,Yin Li,Zhichang Guo

DOI: https://doi.org/10.48550/arXiv.2308.07673

2023-08-15

Abstract:Deep neural networks have been widely used in various downstream tasks, especially those safety-critical scenario such as autonomous driving, but deep networks are often threatened by adversarial samples. Such adversarial attacks can be invisible to human eyes, but can lead to DNN misclassification, and often exhibits transferability between deep learning and machine learning models and real-world achievability. Adversarial attacks can be divided into white-box attacks, for which the attacker knows the parameters and gradient of the model, and black-box attacks, for the latter, the attacker can only obtain the input and output of the model. In terms of the attacker's purpose, it can be divided into targeted attacks and non-targeted attacks, which means that the attacker wants the model to misclassify the original sample into the specified class, which is more practical, while the non-targeted attack just needs to make the model misclassify the sample. The black box setting is a scenario we will encounter in practice.

Computer Vision and Pattern Recognition,Computation,Machine Learning

Mayra Macas,Chunming Wu,Walter Fuertes

DOI: https://doi.org/10.1016/j.eswa.2023.122223

IF: 8.5

2024-03-01

Expert Systems with Applications

Abstract:Over the last few years, the adoption of machine learning in a wide range of domains has been remarkable. Deep learning, in particular, has been extensively used to drive applications and services in specializations such as computer vision, natural language processing, machine translation, and cybersecurity, producing results that are comparable to or even surpass the performance of human experts. Nevertheless, machine learning systems are vulnerable to adversarial attacks, especially in nonstationary environments where actual adversaries exist, such as the cybersecurity domain. In this work, we comprehensively survey and present the latest research on attacks based on adversarial examples against deep learning-based cybersecurity systems, highlighting the risks they pose and promoting efficient countermeasures. To that end, adversarial attack methods are first categorized according to where they occur and the attacker’s goals and capabilities. Then, specific attacks based on adversarial examples and the respective defensive methods are reviewed in detail within the framework of eight principal cybersecurity application categories. Finally, the main trends in recent research are outlined, and the impact of recent advancements in adversarial machine learning is explored to provide guidelines and directions for future research in cybersecurity. In , this work is the first to systematically analyze adversarial example-based attacks in the cybersecurity field, discuss possible defenses, and highlight promising directions for future research.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Wei Jiang,Zhiyuan He,Jinyu Zhan,Weijia Pan,Deepak Adhikari

DOI: https://doi.org/10.1145/3470493

2021-10-31

Abstract:Great progress has been made in deep learning over the past few years, which drives the deployment of deep learning–based applications into cyber-physical systems. But the lack of interpretability for deep learning models has led to potential security holes. Recent research has found that deep neural networks are vulnerable to well-designed input examples, called adversarial examples . Such examples are often too small to detect, but they completely fool deep learning models. In practice, adversarial attacks pose a serious threat to the success of deep learning. With the continuous development of deep learning applications, adversarial examples for different fields have also received attention. In this article, we summarize the methods of generating adversarial examples in computer vision, speech recognition, and natural language processing and study the applications of adversarial examples. We also explore emerging research and open problems.

CHEN Meng-xuan,ZHANG Zhen-yong,JI Shou-ling,WEI Gui-yi,SHAO Jun

DOI: https://doi.org/10.11896/jsjkx.210800087

2022-01-01

Computer Science

Abstract:With the development of deep learning theory,deep neural network has made a series of breakthrough progress and has been widely applied in various fields.Among them,applications in the image field such as image classification are the most popular.However,research suggests that deep neural network has many security risks,especially the threat from adversarial examples,which seriously hinder the application of image classification.To address this challenge,many research efforts have recently been dedicated to adversarial examples in images,and a large number of research results have come out.This paper first introduces the relative concepts and terms of adversarial examples in images,reviews the adversarial attack methodsand defense me-thods based on the existing research results.In particular,it classifies them according to the attacker's ability and the train of thought in defense methods.This paper also analyzes the characteristics and the connections of different categories.Secondly,it briefly describes the adversarial attacks in the physical world.In the end,it discusses the challenges of adversarial examples in images and the potential future research directions.

Jiangfan Liu,Yishan Li,Yanming Guo,Yu Liu,Jun Tang,Ying Nie

DOI: https://doi.org/10.1007/s10462-024-10841-z

IF: 9.588

2024-07-09

Artificial Intelligence Review

Abstract:Recent studies have found that deep learning models are vulnerable to adversarial examples, demonstrating that applying a certain imperceptible perturbation on clean examples can effectively deceive the well-trained and high-accuracy deep learning models. Moreover, the adversarial examples can achieve a considerable level of certainty with the attacked label. In contrast, human could barely discern the difference between clean and adversarial examples, which raised tremendous concern about robust and trustworthy deep learning techniques. In this survey, we reviewed the existence, generation, and countermeasures of adversarial examples in Computer Vision, to provide comprehensive coverage of the field with an intuitive understanding of the mechanisms and summarized the strengths, weaknesses, and major challenges. We hope this effort will ignite further interest in the community to solve current challenges and explore this fundamental area.

computer science, artificial intelligence

Mesut Ozdag

DOI: https://doi.org/10.1016/j.procs.2018.10.315

2018-01-01

Procedia Computer Science

Abstract:Deep learning has achieved great successes in various types of applications over recent years. On the other hand, it has been found that deep neural networks (DNNs) can be easily fooled by adversarial input samples. This vulnerability raises major concerns in security-sensitive environments. Therefore, research in attacking and defending DNNs with adversarial examples has drawn great attention. The goal of this paper is to review the types of adversarial attacks and defenses, describe the state-of-the-art methods for each group, and compare their results. In addition, we present some of the top-scored competition submissions for Neural Information Processing Systems (NIPS) in 2017, their solution models, and demonstrate their results. This adversary competition was organized by Google Brain for research scientists to come up with novel solutions that generate adversarial examples and also defend against them. Its contribution is significant on this era of machine learning and DNNs.