Guanlin Li,Guowen Xu,Han Qiu,Ruan He,Jiwei Li,Tianwei Zhang

DOI: https://doi.org/10.1007/978-3-031-19772-7_39

2022-01-01

Abstract:3D point cloud classification models based on deep neural networks were proven to be vulnerable to adversarial examples, with a quantity of novel attack techniques proposed by researchers recently. It is of paramount importance to preserve the robustness of 3D models under adversarial environments, considering their broad application in safety- and security-critical tasks. Unfortunately, existing defenses are not general enough to satisfactorily mitigate all types of attacks. In this paper, we design two innovative methodologies to improve the adversarial robustness of 3D point cloud classification models. (1) We introduce CCN, a novel point cloud architecture which can smooth and disrupt the adversarial perturbations. (2) We propose AMS, a novel data augmentation strategy to adaptively balance the model usability and robustness. Extensive evaluations indicate the integration of the two techniques provides much more robustness than existing defense solutions for 3D classification models.

Jiawei Zhao,Lizhe Xie,Yuning Zhang,Siqi Gu,Zheng Wang,Yining Hu

DOI: https://doi.org/10.2139/ssrn.4850545

2024-01-01

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. The existence of adversarial examples significantly hinders the development of deep learning technologies in domains with high-security requirements. However, current defense methods often lack universality, being effective only against specific adversarial attacks. This study focuses on analyzing adversarial examples through changes in model attention, classifying attack algorithms into attention-shifting and attention-attenuation categories. To counter attention-shifting attacks, a defense module named Feature Pyramid-based Attention Space-guided (FPAS) is proposed, which spatially retracts the shifting attention in adversarial examples, thereby enhancing the model's overall defense capability. Attention-based Non-Local (ANL) is a proposed defense module to counter attention-attenuation attacks. This module enhances the model's focus on critical features, efficiently constructing a robust defense model with low implementation cost and minimal intrusion into the original model. By integrating FPAS and ANL into the Wide-ResNet model within a boosting framework, the study demonstrates their synergistic defense capability. Even with eight adversarial samples embedded with adversarial patches, our FPAS_at and ANL_at models demonstrated significant improvements over the baseline, enhancing the average defense rate by 5.47% and 7.74%, respectively. Extensive experiments confirm that this universal defense strategy offers comprehensive protection against adversarial attacks at a lower implementation cost compared to current mainstream defense methods, while also being adaptable for integration with existing defense strategies to further enhance adversarial robustness.

S. Bharathiraja,B. Rajesh Kanna,M. Hariharan

DOI: https://doi.org/10.1007/s13369-022-06743-3

IF: 2.807

2022-03-22

Arabian Journal for Science and Engineering

Abstract:The main aim of digital image forensics is to validate the authenticity of images by identifying the camera that captured the image and finding traces of any alteration in the spatial content. The majority of the existing literature focuses on manual extraction of intrinsic camera features such as lens aberration, sensor imperfections, pixel non-uniformity, color filter array type, and so on. These handcrafted features are analyzed and characterized as a unique signature for detecting the camera and authenticating the image which is recorded from the device. To facilitate an end-to-end automated forensics analysis, the current research explores the ability of a novel deep learning framework to learn the intrinsic signature of a selected camera model. The proposed deep convolutional network performs source camera identification (SCI). It contains two functional blocks, namely, esidual noise feature extractor (RNFE) and Feature Modulator (FM). To extract the noise pattern from camera images, the RNFE module analyses the debayered image using a U-Net. The generated noise residue is then modulated through a CNN pipeline to an embedding vector. Triplet loss function is used to train the proposed SCI network such that, the images captured from the source cameras are located closer to each other than images from different cameras. Experimental results demonstrate that the CNN achieves a 97.59% F-score and 97.01% recall, on par with state-of-the-art. Hence, the unified architectural representation of the proposed deep-net could be treated as a generic deep net framework in learning the sensor pattern noise (SPN) fingerprint of a camera model.

multidisciplinary sciences

Bo Wang,Mengnan Zhao,Wei Wang,Xiaorui Dai,Yi Li,Yanqing Guo

DOI: https://doi.org/10.1109/tcsvt.2020.3047084

IF: 5.859

2021-11-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Recent studies highlight the vulnerability of convolutional neural networks (CNNs) to adversarial attacks, which also calls into question the reliability of forensic methods. Existing adversarial attacks generate one-to-one noise, which means these methods have not learned the fingerprint information. Therefore, we introduce two powerful attacks, fingerprint copy-move attack, and joint feature-based auto-learning attack. To validate the performance of attack methods, we move a step ahead and introduce the higher possible defense mechanism relation mismatch. which expands the characterization differences of classifiers in the same classification network. Extensive experiments show that relation mismatch is superior in recognizing adversarial examples and prove that the proposed fingerprint-based attacks are more powerful. Both proposed attacks show excellent attack transferability to unknown samples. The Pytorch® implementations of these methods can download from an open-source GitHub project https://github.com/Dlut-lab-zmn/Source-attack.

engineering, electrical & electronic

Zihao Pan,Weibin Wu,Yuhang Cao,Zibin Zheng

2024-10-23

Abstract:Deep neural network based systems deployed in sensitive environments are vulnerable to adversarial attacks. Unrestricted adversarial attacks typically manipulate the semantic content of an image (e.g., color or texture) to create adversarial examples that are both effective and photorealistic. Recent works have utilized the diffusion inversion process to map images into a latent space, where high-level semantics are manipulated by introducing perturbations. However, they often results in substantial semantic distortions in the denoised output and suffers from low efficiency. In this study, we propose a novel framework called Semantic-Consistent Unrestricted Adversarial Attacks (SCA), which employs an inversion method to extract edit-friendly noise maps and utilizes Multimodal Large Language Model (MLLM) to provide semantic guidance throughout the process. Under the condition of rich semantic information provided by MLLM, we perform the DDPM denoising process of each step using a series of edit-friendly noise maps, and leverage DPM Solver++ to accelerate this process, enabling efficient sampling with semantic consistency. Compared to existing methods, our framework enables the efficient generation of adversarial examples that exhibit minimal discernible semantic changes. Consequently, we for the first time introduce Semantic-Consistent Adversarial Examples (SCAE). Extensive experiments and visualizations have demonstrated the high efficiency of SCA, particularly in being on average 12 times faster than the state-of-the-art attacks. Our research can further draw attention to the security of multimedia information.

Computer Vision and Pattern Recognition,Artificial Intelligence

Chen Hui,Feng Jiang,Shaohui Liu,Debin Zhao

DOI: https://doi.org/10.1109/icme52920.2022.9859965

2022-01-01

Abstract:Source camera identification (SCI) technology has attracted increasing attentions over the past few years. However, the existing methods suppress image content with denoising filters that are largely agnostic to the specific sensor pattern noise (SPN) signal of interest. Such practices may potentially degrade the performance of SPN-based SCI due to un-reliable SPNs, especially when forensic images are transmitted through social networking platforms. In this paper, we address the problem of SPN-based device identification and propose a multi-scale feature fusion network (MSFFN) to boost the sensor-based source camera identification attribution. Specifically, several image patches of different scales are selected and input into the MSFFN to extract the SPN. The MSFFN is a multi-scale encoder-decoder structure, which is used to suppress image content and improve source attribution. Subsequently, the content-independent SPN features of different scales are fused. At last, the fused features are used for image source identification. Experimental results compared with the state-of-the-art demonstrate that the proposed scheme achieves significant improvements, especially in the accuracy of social networking image source identification.

Xin Yan,Yanjie Li,Tao Dai,Yang Bai,Shu-Tao Xia

DOI: https://doi.org/10.1109/IJCNN52387.2021.9533589

2021-01-01

Abstract:Convolutional neural networks (CNNs) have recently been widely applied in computer vision tasks, yet they are seriously vulnerable to imperceptible adversarial perturbations. Such phenomena have caused great attention on the adversary topic. Existing adversarial defense methods mainly focus on improving the robustness of models (e.g., adversarial training) or removing adversarial perturbations (e.g., input-transformation based methods) directly, while rarely considering the accurate recovery of image structures of the input, which also play a vital role in making predictions for CNNs. To this end, we propose a Dual-Domain based Defense (D2Defend) method by recovering low-frequency and high-frequency image structures in both spatial and transform domains, while removing adversarial perturbations simultaneously. Unlike the existing input-transformation based methods, our method can decompose the input image into edge feature and texture feature layers, accompanied with bilateral filtering and short-time fourier transform (STFT) filtering. Experimental results demonstrate the effectiveness of our method against various adversarial attacks, and show the superiority of our method over other adversarial defense methods especially at strong adversarial strength.

Ziang Yan,Yiwen Guo,Changshui Zhang

2018-01-01

Abstract:Despite the efficacy on a variety of computer vision tasks, deep neural networks (DNNs) are vulnerable to adversarial attacks, limiting their applications in security-critical systems. Recent works have shown the possibility of generating imperceptibly perturbed image inputs (a.k.a., adversarial examples) to fool well-trained DNN models into making arbitrary predictions. To address this problem, we propose a training recipe named DeepDefense. Our core idea is to integrate an adversarial perturbation-based regularizer into the classification objective, such that the obtained models learn to resist potential attacks, directly and precisely. The whole optimization problem is solved just like training a recursive network. Experimental results demonstrate that our method outperforms the state-of-the-arts by large margins on various datasets (including MNIST, CIFAR-10 and ImageNet) and different DNN architectures. Code and models for reproducing our results will be made publicly available.

Daizong Ding,Erling Jiang,Yuanmin Huang,Mi Zhang,Wenxuan Li,Min Yang

DOI: https://doi.org/10.1109/cvpr52729.2023.01180

2023-01-01

Abstract:Recently, deep neural networks have shown great success on 3D point cloud classification tasks, which simultaneously raises the concern of adversarial attacks that cause severe damage to real-world applications. Moreover, defending against adversarial examples in point cloud data is extremely difficult due to the emergence of various attack strategies. In this work, with the insight of the fact that the adversarial examples in this task still preserve the same semantic and structural information as the original input, we design a novel defense framework for improving the robustness of existing classification models, which consists of two main modules: the attention-based pooling and the dynamic contrastive learning. In addition, we also develop an algorithm to theoretically certify the robustness of the proposed framework. Extensive empirical results on two datasets and three classification models show the robustness of our approach against various attacks, e.g., the averaged attack success rate of PointNet decreases from 70.2% to 2.7% on the ModelNet40 dataset under 9 common attacks.

Xiaoshuang Shi,Yifan Peng,Qingyu Chen,Tiarnan Keenan,Alisa T. Thavikulwat,Sungwon Lee,Yuxing Tang,Emily Y. Chew,Ronald M. Summers,Zhiyong Lu

DOI: https://doi.org/10.1016/j.patcog.2022.108923

IF: 8

2022-01-01

Pattern Recognition

Abstract:Convolutional neural networks (CNNs) have been widely applied to medical images. However, medical images are vulnerable to adversarial attacks by perturbations that are undetectable to human experts. This poses significant security risks and challenges to CNN-based applications in clinic practice. In this work, we quantify the scale of adversarial perturbation imperceptible to clinical practitioners and in-vestigate the cause of the vulnerability in CNNs. Specifically, we discover that noise (i.e., irrelevant or corrupted discriminative information) in medical images might be a key contributor to performance de-terioration of CNNs against adversarial perturbations, as noisy features are learned unconsciously by CNNs in feature representations and magnified by adversarial perturbations. In response, we propose a novel defense method by embedding sparsity denoising operators in CNNs for improved robustness. Tested with various state-of-the-art attacking methods on two distinct medical image modalities, we demon-strate that the proposed method can successfully defend against those unnoticeable adversarial attacks by retaining as much as over 90% of its original performance. We believe our findings are critical for improving and deploying CNN-based medical applications in real-world scenarios. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license ( http://creativecommons.org/licenses/by-nc-nd/4.0/ )

Yue Zhou,Wanghan Jiang,Xue Jiang,Lin Chen,Xingzhao Liu

DOI: https://doi.org/10.3390/rs15215131

IF: 5

2023-10-27

Remote Sensing

Abstract:Object detection algorithms based on convolutional neural networks (CNNs) have achieved remarkable success in remote sensing images (RSIs), such as aircraft and ship detection, which play a vital role in military and civilian fields. However, CNNs are fragile and can be easily fooled. There have been a series of studies on adversarial attacks for image classification in RSIs. However, the existing gradient attack algorithms designed for classification cannot achieve excellent performance when directly applied to object detection, which is an essential task in RSI understanding. Although we can find some works on adversarial attacks for object detection, they are weak in concealment and easily detected by the naked eye. To handle these problems, we propose a target camouflage network for object detection in RSIs, called CamoNet, to deceive CNN-based detectors by adding imperceptible perturbation to the image. In addition, we propose a detection space initialization strategy to maximize the diversity in the detector’s outputs among the generated samples. It can enhance the performance of the gradient attack algorithms in the object detection task. Moreover, a key pixel distillation module is employed, which can further reduce the modified pixels without weakening the concealment effect. Compared with several of the most advanced adversarial attacks, the proposed attack has advantages in terms of both peak signal-to-noise ratio (PSNR) and attack success rate. The transferability of the proposed target camouflage network is evaluated on three dominant detection algorithms (RetinaNet, Faster R-CNN, and RTMDet) with two commonly used remote sensing datasets (i.e., DOTA and DIOR).

environmental sciences,imaging science & photographic technology,remote sensing,geosciences, multidisciplinary

Hong Wang,Yuefan Deng,Shinjae Yoo,Yuewei Lin

DOI: https://doi.org/10.1109/TCYB.2024.3380437

Abstract:While deep neural networks (DNNs) have revolutionized many fields, their fragility to carefully designed adversarial attacks impedes the usage of DNNs in safety-critical applications. In this article, we strive to explore the robust features that are not affected by the adversarial perturbations, that is, invariant to the clean image and its adversarial examples (AEs), to improve the model's adversarial robustness. Specifically, we propose a feature disentanglement model to segregate the robust features from nonrobust features and domain-specific features. The extensive experiments on five widely used datasets with different attacks demonstrate that robust features obtained from our model improve the model's adversarial robustness compared to the state-of-the-art approaches. Moreover, the trained domain discriminator is able to identify the domain-specific features from the clean images and AEs almost perfectly. This enables AE detection without incurring additional computational costs. With that, we can also specify different classifiers for clean images and AEs, thereby avoiding any drop in clean image accuracy.

Yan Wang,Qindong Sun,Dongzhu Rong

DOI: https://doi.org/10.3390/electronics13183630

IF: 2.9

2024-01-01

Electronics

Abstract:Source camera identification can verify whether two videos were shot by the same device, which is of great significance in multimedia forensics. Most existing identification methods use convolutional neural networks to learn sensor noise patterns to identify the source camera in closed forensic scenarios. While these methodologies have achieved remarkable results, they are nonetheless constrained by two primary challenges: (1) the interference of semantic information and (2) the incongruity in feature distributions across different datasets. The former will interfere with the extraction of effective features of the model. The latter will cause the model to fit the characteristic distribution of the training data and be sensitive to unseen data features. To address these challenges, we propose a novel source camera identification framework that determines whether a video was shot by the same device by obtaining similarities between source camera features. Firstly, we extract video key frames and use the integral image to optimize the smoothing blocks selection algorithm of inter-pixel variance to remove the interference of video semantic information. Secondly, we design a residual neural network fused with a constraint layer to adaptively learn video source features. Thirdly, we introduce a triplet loss metric learning strategy to optimize the network model to improve the discriminability of the model. Finally, we design a multi-dimensional feature vector similarity fusion strategy to achieve highly generalized source camera recognition. Extensive experiments show that our method achieved an AUC value of up to 0.9714 in closed-set forensic scenarios and an AUC value of 0.882 in open-set scenarios, representing an improvement of 5% compared to the best baseline method. Furthermore, our method demonstrates effectiveness in the task of deepfake detection.

Qiao Li,Cong Wu,Jing Chen,Zijun Zhang,Kun He,Ruiying Du,Xinxin Wang,Qingchuang Zhao,Yang Liu

2024-08-20

Abstract:Deep neural networks (DNNs) are increasingly used in critical applications such as identity authentication and autonomous driving, where robustness against adversarial attacks is crucial. These attacks can exploit minor perturbations to cause significant prediction errors, making it essential to enhance the resilience of DNNs. Traditional defense methods often rely on access to detailed model information, which raises privacy concerns, as model owners may be reluctant to share such data. In contrast, existing black-box defense methods fail to offer a universal defense against various types of adversarial attacks. To address these challenges, we introduce DUCD, a universal black-box defense method that does not require access to the target model's parameters or architecture. Our approach involves distilling the target model by querying it with data, creating a white-box surrogate while preserving data privacy. We further enhance this surrogate model using a certified defense based on randomized smoothing and optimized noise selection, enabling robust defense against a broad range of adversarial attacks. Comparative evaluations between the certified defenses of the surrogate and target models demonstrate the effectiveness of our approach. Experiments on multiple image classification datasets show that DUCD not only outperforms existing black-box defenses but also matches the accuracy of white-box defenses, all while enhancing data privacy and reducing the success rate of membership inference attacks.

Machine Learning,Artificial Intelligence,Cryptography and Security

Matthias Kirchner,Cameron Johnson

DOI: https://doi.org/10.48550/arXiv.2002.02927

2020-02-08

Abstract:We explore means to advance source camera identification based on sensor noise in a data-driven framework. Our focus is on improving the sensor pattern noise (SPN) extraction from a single image at test time. Where existing works suppress nuisance content with denoising filters that are largely agnostic to the specific SPN signal of interest, we demonstrate that a~deep learning approach can yield a more suitable extractor that leads to improved source attribution. A series of extensive experiments on various public datasets confirms the feasibility of our approach and its applicability to image manipulation localization and video source attribution. A critical discussion of potential pitfalls completes the text.

Computer Vision and Pattern Recognition,Multimedia,Image and Video Processing

Yunxu Xie,Shu Hu,Xin Wang,Quanyu Liao,Bin Zhu,Xi Wu,Siwei Lyu

DOI: https://doi.org/10.48550/arXiv.2301.11457

2023-01-26

Computer Vision and Pattern Recognition

Abstract:Deep neural networks have been demonstrated to be vulnerable to adversarial attacks: subtle perturbation can completely change the prediction result. Existing adversarial attacks on object detection focus on attacking anchor-based detectors, which may not work well for anchor-free detectors. In this paper, we propose the first adversarial attack dedicated to anchor-free detectors. It is a category-wise attack that attacks important pixels of all instances of a category simultaneously. Our attack manifests in two forms, sparse category-wise attack (SCA) and dense category-wise attack (DCA), that minimize the $L_0$ and $L_\infty$ norm-based perturbations, respectively. For DCA, we present three variants, DCA-G, DCA-L, and DCA-S, that select a global region, a local region, and a semantic region, respectively, to attack. Our experiments on large-scale benchmark datasets including PascalVOC, MS-COCO, and MS-COCO Keypoints indicate that our proposed methods achieve state-of-the-art attack performance and transferability on both object detection and human pose estimation tasks.

Anouar Kherchouche,Sid Ahmed Fezza,Wassim Hamidouche

DOI: https://doi.org/10.1007/s00521-021-06330-x

2021-07-21

Neural Computing and Applications

Abstract:Despite the enormous performance of deep neural networks (DNNs), recent studies have shown their vulnerability to adversarial examples (AEs), i.e., carefully perturbed inputs designed to fool the targeted DNN. Currently, the literature is rich with many effective attacks to craft such AEs. Meanwhile, many defense strategies have been developed to mitigate this vulnerability. However, these latter showed their effectiveness against specific attacks and does not generalize well to different attacks. In this paper, we propose a framework for defending DNN classifier against adversarial samples. The proposed method is based on a two-stage framework involving a separate detector and a denoising block. The detector aims to detect AEs by characterizing them through the use of natural scene statistic (NSS), where we demonstrate that these statistical features are altered by the presence of adversarial perturbations. The denoiser is based on block matching 3D (BM3D) filter fed by an optimum threshold value estimated by a convolutional neural network (CNN) to project back the samples detected as AEs into their data manifold. We conducted a complete evaluation on three standard datasets, namely MNIST, CIFAR-10 and Tiny-ImageNet. The experimental results show that the proposed defense method outperforms the state-of-the-art defense techniques by improving the robustness against a set of attacks under black-box, gray-box and white-box settings. The source code is available at: https://github.com/kherchouche-anouar/2DAE.

computer science, artificial intelligence

Tianrui Chen,Juanping Wu,Weiwei Guo,Zenghui Zhang

DOI: https://doi.org/10.1109/igarss53475.2024.10641464

2024-01-01

Abstract:The application of deep learning in the synthetic aperture radar (SAR) field is becoming increasingly widespread, but its black-box nature and the existence of adversarial samples limit its practical utility. In order to enhance the explainability and security of deep learning models, we initially selected 3 different deep convolutional neural network (DCNN) structures for training in SAR image classification. Subsequently, we applied Madry Defense Method to obtain robust models, and used 2 adversarial attack methods to attack DCNN classifiers. Finally, we employed 3 explainable artificial intelligence (XAI) methods to explain the predictions of different DCNN classifiers. Across different datasets and DCNNs, the Madry Defense Method helps classification models to reduce Infidelity and focus more on feature regions rich in semantic information when making decisions. The experimental results provide new insights into the adversarial robustness of DCNN classifiers in SAR image classification from an explainability viewpoint.

Da-Tian Peng,Jianmin Dong,Mingjiang Zhang,Jungang Yang,Zhen Wang

DOI: https://doi.org/10.1109/tifs.2024.3402385

IF: 7.231

2024-06-07

IEEE Transactions on Information Forensics and Security

Abstract:Extensive studies have revealed that the prevalent deep neural networks (DNNs) are vulnerable to adversarial examples in image recognition tasks. However, previous adversarial example attacks always work in either the global semantic space or local semantic attributes, resulting that these attacks may violate the sophisticated attackers' least-effort intentions, whereas adversarial perturbations due to the explicit semantic variations are probably perceived by human vision. In this paper, we propose a two-phase optimization modeling framework to devise a novel Critical Semantic Fusion guided least-effort Adversarial example attack (CSFAdv). Specifically, the first phase fuses the coarse-&fine-grained semantic maps to localize the latent critical semantic attention region (CSAR) from genuine image. Under the friendly guidance of CSAR-feasibility, the second phase absorbs the ReLU-penalization, -regularization and -limitation to formulate a Top-1&Top-2 misclassification optimization problem, which can characterize the holistic least-effort tampering behaviors embodied in localizing the most critical semantic space, doctoring the least amounts of pixels, injecting the limited amplitudes of perturbations and launching the most readily adversarial attacks. Further, to solve this NP-hard problem mildly, we adapt the gradient renewal by means of merging the momentum (past gradient), present gradient and Hessian (future gradient) to formalize a generalized gradient descent algorithm for generating an optimal adversarial image. Finally, we perform numerical experiments to verify the validity of our CSFAdv against seven types of DNN-based image classifiers on three public ImageNet, MNIST and CIFAR10. Empirical illustrations from ten evaluations indices shed light on the superiority of CSFAdv over eight kinds of state-of-the-art attacks and also offer key clues in reinforcing the DNNs' robustness.

computer science, theory & methods,engineering, electrical & electronic