Jieyu Lin,Wei Liu,Jiajie Zou,Nai Ding

DOI: https://doi.org/10.1007/978-981-99-6207-5_19

2023-01-01

Abstract:Pre-trained language models are sensitive to adversarial attacks, and recent works have demonstrated universal adversarial attacks that can apply input-agnostic perturbations to mislead models. Here, we demonstrate that universal adversarial attacks can also be used to harden NLP models. Based on NLI task, we propose a simple universal adversarial attack that can mislead models to produce the same output for all premises by replacing the original hypothesis with an irrelevant string of words. To defend against this attack, we propose Training with UNiversal Adversarial Samples (TUNAS), which iteratively generates universal adversarial samples and utilizes them for fine-tuning. The method is tested on two datasets, i.e., MNLI and SNLI. It is demonstrated that, TUNAS can reduce the mean success rate of the universal adversarial attack from above 79% to below 5%, while maintaining similar performance on the original datasets. Furthermore, TUNAS models are also more robust to the attack targeting at individual samples: When search for hypotheses that are best entailed by a premise, the hypotheses found by TUNAS models are more compatible with the premise than those found by baseline models. In sum, we use universal adversarial attack to yield more robust models.

Yujiang Liu,Wenjian Luo,Zhijian Chen,Muhammad Luqman Naseem

2024-09-26

Abstract:With the rapid development of Deep Neural Networks (DNNs), they have been applied in numerous fields. However, research indicates that DNNs are susceptible to adversarial examples, and this is equally true in the multi-label domain. To further investigate multi-label adversarial examples, we introduce a novel type of attacks, termed "Showing Many Labels". The objective of this attack is to maximize the number of labels included in the classifier's prediction results. In our experiments, we select nine attack algorithms and evaluate their performance under "Showing Many Labels". Eight of the attack algorithms were adapted from the multi-class environment to the multi-label environment, while the remaining one was specifically designed for the multi-label environment. We choose ML-LIW and ML-GCN as target models and train them on four popular multi-label datasets: VOC2007, VOC2012, NUS-WIDE, and COCO. We record the success rate of each algorithm when it shows the expected number of labels in eight different scenarios. Experimental results indicate that under the "Showing Many Labels", iterative attacks perform significantly better than one-step attacks. Moreover, it is possible to show all labels in the dataset.

Artificial Intelligence

Nan Zhou,Wenjian Luo,Jiajia Zhang,Linghao Kong,Hongwei Zhang

DOI: https://doi.org/10.1109/ijcnn52387.2021.9534067

2021-01-01

Abstract:Adversarial examples about deep learning models have been paid much attention in recent years, including single-label adversarial examples and multi-label adversarial examples. In this paper, for the first time, an empirical study of generating a multi-label adversarial example to hide all labels in a multi-label example is presented. The objective of hiding all labels in a multi-label example is to make deep learning models know nothing about the environments. That is very worthy of studying because deep learning models will say there is nothing, although the real input has more than one label. In the empirical study, we use five state-of-the-art multi-label attack algorithms, i.e., ML-CW, ML-DP, FGSM, MI-FGSM, MLA-LP, four popular datasets, i.e., VOC2007, VOC2012, NUS-WIDE and COCO, and two typical models ML-GCN and ASL for evaluation. We conduct extensive experiments and report the attack success rates, the amount of perturbations of the adversarial examples generated by state-of-the-art multi-label attack algorithms. We also report the attack performance when a typical defending algorithm based on JPEG compression is used. The work in this paper is beneficial to the future study of generating multi-label adversarial examples as well as defending them.

Linghao Kong,Wenjian Luo,Hongwei Zhang,Yang Liu,Yuhui Shi

DOI: https://doi.org/10.1109/tai.2022.3198629

2022-01-01

IEEE Transactions on Artificial Intelligence

Abstract:Studies have shown that deep neural networks (DNNs) are vulnerable to adversarial attack. Minor malicious modifications of examples will lead to the DNN misclassification. Such maliciously modified examples are called adversarial examples. So far, the work on adversarial examples is mainly focused on multiclass classification tasks; there is less work in the field of multilabel classification. In this article, for the first time, a differential evolution (DE) algorithm that can effectively generate multilabel adversarial examples is proposed, which is called MLAE-DE. Different from traditional DE, we designed a complementary mutation operator for MLAE-DE, which can improve attack performance and reduce the number of fitness evaluations. As a black-box attack, MLAE-DE does not need to access model parameters and only uses model outputs to generate adversarial examples. Experiments on two typical multilabel classification models and three typical datasets under the black-box settings are conducted in this article. Experimental results demonstrate that, comparing with the existing black-box attack algorithms for multilabel classification models, the attack success rate of our proposed algorithm is much better.

Benedetta Tondi,Wei Guo,Mauro Barni

2024-01-02

Abstract:Most of the approaches proposed so far to craft targeted adversarial examples against Deep Learning classifiers are highly suboptimal and typically rely on increasing the likelihood of the target class, thus implicitly focusing on one-hot encoding settings. In this paper, we propose a more general, theoretically sound, targeted attack that resorts to the minimization of a Jacobian-induced MAhalanobis distance (JMA) term, taking into account the effort (in the input space) required to move the latent space representation of the input sample in a given direction. The minimization is solved by exploiting the Wolfe duality theorem, reducing the problem to the solution of a Non-Negative Least Square (NNLS) problem. The proposed algorithm provides an optimal solution to a linearized version of the adversarial example problem originally introduced by Szegedy et al. \cite{szegedy2013intriguing}. The experiments we carried out confirm the generality of the proposed attack which is proven to be effective under a wide variety of output encoding schemes. Noticeably, the JMA attack is also effective in a multi-label classification scenario, being capable to induce a targeted modification of up to half the labels in a complex multilabel classification scenario with 20 labels, a capability that is out of reach of all the attacks proposed so far. As a further advantage, the JMA attack usually requires very few iterations, thus resulting more efficient than existing methods.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition

Zhijian Chen,Wenjian Luo,Muhammad Luqman Naseem,Linghao Kong,Xiangkai Yang

DOI: https://doi.org/10.1007/s40747-024-01506-z

IF: 6.7

2024-01-01

Complex & Intelligent Systems

Abstract:Adversarial examples which mislead deep neural networks by adding well-crafted perturbations have become a major threat to classification models. Gradient-based white-box attack algorithms have been widely used to generate adversarial examples. However, most of them are designed for multi-class models, and only a few gradient-based adversarial attack algorithms specifically designed for multi-label classification models. Due to the correlation between multiple labels, the performance of these gradient-based algorithms in generating adversarial examples for multi-label classification is worthy of analyzing and evaluating comprehensively. In this paper, we first transplant five typical gradient-based adversarial attack algorithms in the multi-class environment to the multi-label environment. Secondly, we comprehensively compared the performance of these five attack algorithms and the other four existing multi-label adversarial attack algorithms by experiments on six different attack types, and evaluated the transferability of adversarial examples generated by all algorithms under two attack types. Experimental results show that, among different attack types, the majority of multi-step attack algorithms have higher attack success rates compared to one-step attack algorithms. Additionally, these gradient-based algorithms face greater difficulty in augmenting labels than in hiding them. For transfer experimental results, the adversarial examples generated by all attack algorithms exhibit weaker transferability when attacking other different models.

Yankun Ren,Jianbin Lin,Siliang Tang,Jun Zhou,Shuang Yang,Yuan Qi,Xiang Ren

DOI: https://doi.org/10.3233/faia200340

2020-01-01

Abstract:Today text classification models have been widely used. However, these classifiers are found to be easily fooled by adversarial examples. Fortunately, standard attacking methods generate adversarial texts in a pair-wise way, that is, an adversarial text can only be created from a real-world text by replacing a few words. In many applications, these texts are limited in numbers, therefore their corresponding adversarial examples are often not diverse enough and sometimes hard to read, thus can be easily detected by humans and cannot create chaos at a large scale. In this paper, we propose an end to end solution to efficiently generate adversarial texts from scratch using generative models, which are not restricted to perturbing the given texts. We call it unrestricted adversarial text generation. Specifically, we train a conditional variational autoencoder (VAE) with an additional adversarial loss to guide the generation of adversarial examples. Moreover, to improve the validity of adversarial texts, we utilize discrimators and the training framework of generative adversarial networks (GANs) to make adversarial texts consistent with real data. Experimental results on sentiment analysis demonstrate the scalability and efficiency of our method. It can attack text classification models with a higher success rate than existing methods, and provide acceptable quality for humans in the meantime.

Xiaowei Zhou,Ivor W. Tsang,Jie Yin

DOI: https://doi.org/10.48550/arXiv.1907.07001

IF: 5.414

2019-07-16

Machine Learning

Abstract:Deep Neural Networks (DNNs) have recently achieved great success in many tasks, which encourages DNNs to be widely used as a machine learning service in model sharing scenarios. However, attackers can easily generate adversarial examples with a small perturbation to fool the DNN models to predict wrong labels. To improve the robustness of shared DNN models against adversarial attacks, we propose a novel method called Latent Adversarial Defence (LAD). The proposed LAD method improves the robustness of a DNN model through adversarial training on generated adversarial examples. Different from popular attack methods which are carried in the input space and only generate adversarial examples of repeating patterns, LAD generates myriad of adversarial examples through adding perturbations to latent features along the normal of the decision boundary which is constructed by an SVM with an attention mechanism. Once adversarial examples are generated, we adversarially train the model through augmenting the training data with generated adversarial examples. Extensive experiments on the MNIST, SVHN, and CelebA dataset demonstrate the effectiveness of our model in defending against different types of adversarial attacks.

Shigeng Zhang,Shuxin Chen,Chengyao Hua,Zhetao Li,Yanchun Li,Xuan Liu,Kai Chen,Zhankai Li,Weiping Wang

DOI: https://doi.org/10.1109/tifs.2023.3304455

IF: 7.231

2023-08-25

IEEE Transactions on Information Forensics and Security

Abstract:Deep neural network (DNN) models have been widely used in many tasks due to their superior performance. However, DNN models are usually vulnerable to adversarial example attacks, which limits their applications in many safety-critic scenarios. How to effectively detect adversarial examples to enhance the robustness of DNN models has attracted much attention in recent years. Most adversarial example detection methods require modifying or retraining the model, which is impractical and reduces the classification accuracy of normal examples. In this paper, we propose an adversarial example detection approach that does not require modification of the DNN models and meanwhile retains the classification accuracy of normal examples. The key observation is that when we transform the input example with some operations (e.g., masking a pixel with a reference value), feed the transformed example to the target model, and use the output of the intermediate layers to predict the label of the example, the generated label sequences of adversarial examples will be extremely discrepant but the label sequences of normal examples keep nearly unchanged. Motivated by this observation, we design an approach to detect adversarial examples based on the label sequence discrepancy (LSD) of the given examples. The experimental results against five mainstream adversarial attacks on three benchmark datasets demonstrate that LSD outperforms the state-of-the-art solutions in the detection rate of adversarial examples. Moreover, LSD performs well at various confidence levels and exhibits good generalizability between different attacks.

computer science, theory & methods,engineering, electrical & electronic

Pu Zhao,Sijia Liu,Yanzhi Wang,Xue Lin

DOI: https://doi.org/10.48550/arXiv.1804.03193

2018-04-10

Abstract:Deep neural networks (DNNs) are known vulnerable to adversarial attacks. That is, adversarial examples, obtained by adding delicately crafted distortions onto original legal inputs, can mislead a DNN to classify them as any target labels. In a successful adversarial attack, the targeted mis-classification should be achieved with the minimal distortion added. In the literature, the added distortions are usually measured by L0, L1, L2, and L infinity norms, namely, L0, L1, L2, and L infinity attacks, respectively. However, there lacks a versatile framework for all types of adversarial attacks. This work for the first time unifies the methods of generating adversarial examples by leveraging ADMM (Alternating Direction Method of Multipliers), an operator splitting optimization approach, such that L0, L1, L2, and L infinity attacks can be effectively implemented by this general framework with little modifications. Comparing with the state-of-the-art attacks in each category, our ADMM-based attacks are so far the strongest, achieving both the 100% attack success rate and the minimal distortion.

Machine Learning,Computer Vision and Pattern Recognition

Xiaowei Zhou,Ivor W. Tsang,Jie Yin

DOI: https://doi.org/10.1007/s10994-022-06203-x

IF: 5.414

2022-09-11

Machine Learning

Abstract:Deep Neural Networks (DNNs) have recently achieved great success in many classification tasks. Unfortunately, they are vulnerable to adversarial attacks that generate adversarial examples with a small perturbation to fool DNN models, especially in model sharing scenarios. Adversarial training is proved to be the most effective strategy that injects adversarial examples into model training to improve the robustness of DNN models against adversarial attacks. However, adversarial training based on the existing adversarial examples fails to generalize well to standard, unperturbed test data. To achieve a better trade-off between standard accuracy and adversarial robustness, we propose a novel adversarial training framework called LAtent bounDary-guided aDvErsarial tRaining (LADDER) that adversarially trains DNN models on latent boundary-guided adversarial examples. As opposed to most of the existing methods that generate adversarial examples in the input space, LADDER generates a myriad of high-quality adversarial examples through adding perturbations to latent features. The perturbations are made along the normal of the decision boundary constructed by an SVM with an attention mechanism. We analyze the merits of our generated boundary-guided adversarial examples from a boundary field perspective and visualization view. Extensive experiments and detailed analysis on MNIST, SVHN, CelebA, and CIFAR-10 validate the effectiveness of LADDER in achieving a better trade-off between standard accuracy and adversarial robustness as compared with vanilla DNNs and competitive baselines.

computer science, artificial intelligence

Yepeng Deng,Chunkai Zhang,Xuan Wang

DOI: https://doi.org/10.1109/DSC.2019.00022

2019-01-01

Abstract:Image classifiers have been proven to be easily fooled by perturbations, but it is still exceedingly challenging to generate imperceptible disturbances, especially without the internal knowledge of the classifiers. Imperceptibility and attack capability are two main evaluating indicators of this problem, while most existing methods, so far, can only either maximize misclassification or minimize the distortion. Although there are some algorithms to consider both of them via the weighted sum method, which is equivalent to solve the multiple optimization problems, it will doubtless enlarge the computation complexity, and the strategy of setting the weights cannot make sure both indicators the optimal solutions. In this paper, we proposed an innovative general algorithm named MOEA-APGA, which is based on multi-objective evolutionary algorithm, taking both factors as the optimization objective function. A set of perturbations with diversity is generated by population evolution, and then an appropriate perturbation is selected by the proposed filtering strategy to synthesize the adversarial example. It can achieve the goal of the targeted attack without the internal knowledge of the victim networks. We tried four perturbation strategies to generate adversarial examples. The experimental results on the MNIST datasets demonstrate the effectiveness of MOEA-APGA. In addition, we refer to a slice of indicators to evaluate the power of the algorithm and the vulnerability of different samples.

Zimu Wang,Wei Wang,Qi Chen,Qiufeng Wang,Anh Nguyen

2023-11-20

Abstract:Deep learning-based natural language processing (NLP) models, particularly pre-trained language models (PLMs), have been revealed to be vulnerable to adversarial attacks. However, the adversarial examples generated by many mainstream word-level adversarial attack models are neither valid nor natural, leading to the loss of semantic maintenance, grammaticality, and human imperceptibility. Based on the exceptional capacity of language understanding and generation of large language models (LLMs), we propose LLM-Attack, which aims at generating both valid and natural adversarial examples with LLMs. The method consists of two stages: word importance ranking (which searches for the most vulnerable words) and word synonym replacement (which substitutes them with their synonyms obtained from LLMs). Experimental results on the Movie Review (MR), IMDB, and Yelp Review Polarity datasets against the baseline adversarial attack models illustrate the effectiveness of LLM-Attack, and it outperforms the baselines in human and GPT-4 evaluation by a significant margin. The model can generate adversarial examples that are typically valid and natural, with the preservation of semantic meaning, grammaticality, and human imperceptibility.

Computation and Language,Artificial Intelligence

Minjie Liu,Xinpeng Zhang,Guorui Feng

DOI: https://doi.org/10.1049/ell2.12437

2022-01-01

Electronics Letters

Abstract:Nowadays, adversarial examples of images which are generated by adding special perturbations on their hosts make great impact on many deep neural network (DNN)-based computer vision tasks and bring security risks. With the deep insight into this field, researchers realize that many simple image processing methods can easily reduce the attack success rate. Therefore, studies on robust adversarial examples that are able to defend destruction become the emphasis. However, most existing methods focus more on the distortion in user transmitting procedures and physical deformation such as JPEG compression and brightness. Given that scale transformation is one of the commonest measures in data transformation and enhancement, a two-step algorithm is proposed to eliminate the effect caused by resizing during the model inferring process. The first step is to select pixels that can affect the classification result through a DNN. As a binary classification task, the network predicts whether the pixel deserves to be modified or not. The second one is to strategically compute the amplitude of noise and add it to the host image. Experiments verify that this method resists the scale transformation and guarantees the invisibility of humans as well.

Chunkai Zhang,Xiaofeng Luo,Peiyi Han

DOI: https://doi.org/10.1016/j.cose.2022.102770

IF: 5.105

2022-01-01

Computers & Security

Abstract:Modern image classification networks endure adversarial attacks that deliberately alter the input image by adding small, often imperceptible, perturbations to mislead the network’s classification result. From a perspective of manifold theory, most adversarial examples generated by current adversarial attack methods are off-manifold and can be detected by adversarial defense methods based on manifold theory. In this study, we propose a novel adversarial attack method for crafting on-manifold adversarial examples. Specifically, we utilize the adversarial autoencoder (AAE) to obtain the low-dimensional manifold of data, and design a latent substitute model based on the data manifold to ensure that the generated adversarial examples are still on-manifold. Additionally, to overcome the difficulty in limiting the perturbation of adversarial examples when searching in the latent space, we propose a gradient decoding strategy (GDS) and confidence re-ranking strategy (CRS). The results demonstrate the competitive performance of our method compared with that of some of the current attack methods applied to state-of-the-art defense models, especially those based on the manifold theory. Additionally, when using the proposed method for adversarial training, the robustness of the model is improved without reducing the accuracy of classifying the original dataset. We hope that our proposed attack method can serve as a benchmark for evaluating and improving the robustness of networks.

Wenli Xiao,Hao Jiang,Song Xia

DOI: https://doi.org/10.1109/ictc49638.2020.9123270

2020-01-01

Abstract:Machine learning can be misled by adversarial examples, which is formed by making small changes to the original data. Nowadays, there are kinds of methods to produce adversarial examples. However, they can not apply non-differentiable models, reduce the amount of calculations, and shorten the sample generation time at the same time. In this paper, we propose a new black box attack generating adversarial examples based on reinforcement learning. By using deep Q-learning network, we can train the substitute model and generate adversarial examples at the same time. Experimental results show that this method only needs 7.7ms to produce an adversarial example, which solves the problems of low efficiency, large amount of calculation and inapplicable to non-differentiable model.

Haobo Wang,Chenxi Zhu,Yangjie Cao,Yan Zhuang,Jie Li,Xianfu Chen

DOI: https://doi.org/10.3390/electronics12040816

IF: 2.9

2023-01-01

Electronics

Abstract:Deep neural networks are susceptible to interference from deliberately crafted noise, which can lead to incorrect classification results. Existing approaches make less use of latent space information and conduct pixel-domain modification in the input space instead, which increases the computational cost and decreases the transferability. In this work, we propose an effective adversarial distribution searching-driven attack (ADSAttack) algorithm to generate adversarial examples against deep neural networks. ADSAttack introduces an affiliated network to search for potential distributions in image latent space for synthesizing adversarial examples. ADSAttack uses an edge-detection algorithm to locate low-level feature mapping in input space to sketch the minimum effective disturbed area. Experimental results demonstrate that ADSAttack achieves higher transferability, better imperceptible visualization, and faster generation speed compared to traditional algorithms. To generate 1000 adversarial examples, ADSAttack takes 11.08s and, on average, achieves a success rate of 98.01%.

Xiaopei Zhu,Peiyang Xu,Guanning Zeng,Yingpeng Dong,Xiaolin Hu

2024-10-11

Abstract:Research of adversarial attacks is important for AI security because it shows the vulnerability of deep learning models and helps to build more robust models. Adversarial attacks on images are most widely studied, which include noise-based attacks, image editing-based attacks, and latent space-based attacks. However, the adversarial examples crafted by these methods often lack sufficient semantic information, making it challenging for humans to understand the failure modes of deep learning models under natural conditions. To address this limitation, we propose a natural language induced adversarial image attack method. The core idea is to leverage a text-to-image model to generate adversarial images given input prompts, which are maliciously constructed to lead to misclassification for a target model. To adopt commercial text-to-image models for synthesizing more natural adversarial images, we propose an adaptive genetic algorithm (GA) for optimizing discrete adversarial prompts without requiring gradients and an adaptive word space reduction method for improving query efficiency. We further used CLIP to maintain the semantic consistency of the generated images. In our experiments, we found that some high-frequency semantic information such as "foggy", "humid", "stretching", etc. can easily cause classifier errors. This adversarial semantic information exists not only in generated images but also in photos captured in the real world. We also found that some adversarial semantic information can be transferred to unknown classification tasks. Furthermore, our attack method can transfer to different text-to-image models (e.g., Midjourney, DALL-E 3, etc.) and image classifiers. Our code is available at: <a class="link-external link-https" href="https://github.com/zxp555/Natural-Language-Induced-Adversarial-Images" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Computer Vision and Pattern Recognition,Multimedia

Hongwei Zhang,Wenjian Luo,Zhijian Chen,Qi Zhou

DOI: https://doi.org/10.1007/978-3-031-36625-3_23

2023-01-01

Abstract:Adversarial examples have become an important issue in the field of deep learning security. There have been many studies on adversarial example attack and defense algorithms for single-label classification models. However, in the real world, multi-label classification models are also widely used. There are only a few studies on adversarial example attack and defense algorithms for multi-label classification models. In this paper, we propose a negative correlation ensemble defense scheme against multi-label adversarial examples (ML-NCEn). The fundamental principle of ML-NCEn is to make the gradient directions and magnitudes of member models negatively correlated with those of other members, respectively, in the positive and negative label sets. Experimental results show that ML-NCEn has good adversarial robustness.

Yuying Hao,Tuanhui Li,Yang Bai,Li Li,Yong Jiang,Xuanye Cheng

DOI: https://doi.org/10.1007/978-3-030-30508-6_52

2019-01-01

Abstract:Deep neural networks (DNNs) have been widely applied in many areas. However, they are quite vulnerable to well-designed perturbations. Most recent methods of generating adversarial examples fail to limit the perturbations while keeping good transferability. In this work, we propose a new method to address these problems. We combine local attack and gradient descent optimization method to generate adversarial examples. Specifically, in forward propagation, we select sensitive pixels and add perturbations to them. In backward propagation, we propose a novel loss function to reduce the difference between adversarial examples and benign images. Extensive experiments demonstrate that our method achieves strong attack ability with lower distortion.