Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Guanlin Li,Guowen Xu,Shangwei Guo,Han Qiu,Jiwei Li,Tianwei Zhang

2023-01-01

Abstract:Model extraction attacks are proven to be a severe privacy threat to Machine Learning as a Service (MLaaS). A variety of techniques have been designed to steal a remote machine learning model with high accuracy and fidelity. However, how to extract a robust model with similar resilience against adversarial attacks is never investigated. This paper presents the first study toward this goal. We first analyze those existing extraction solutions either fail to maintain the model accuracy or model robustness or lead to the robust overfitting issue. Then we propose Boundary Entropy Searching Thief (BEST), a novel model extraction attack to achieve both accuracy and robustness extraction under restricted attack budgets. BEST generates a new kind of uncertain examples for querying and reconstructing the victim model. These samples have uniform confidence scores across different classes, which can perfectly balance the trade-off between model accuracy and robustness. Extensive experiments demonstrate that BEST outperforms existing attack methods over different datasets and model architectures under limited data. It can also effectively invalidate state-of-the-art extraction defenses.

Samuel Henrique Silva,Peyman Najafirad

DOI: https://doi.org/10.48550/arXiv.2007.00753

IF: 5.414

2020-07-01

Machine Learning

Abstract:As we seek to deploy machine learning models beyond virtual and controlled domains, it is critical to analyze not only the accuracy or the fact that it works most of the time, but if such a model is truly robust and reliable. This paper studies strategies to implement adversary robustly trained algorithms towards guaranteeing safety in machine learning algorithms. We provide a taxonomy to classify adversarial attacks and defenses, formulate the Robust Optimization problem in a min-max setting and divide it into 3 subcategories, namely: Adversarial (re)Training, Regularization Approach, and Certified Defenses. We survey the most recent and important results in adversarial example generation, defense mechanisms with adversarial (re)Training as their main defense against perturbations. We also survey mothods that add regularization terms that change the behavior of the gradient, making it harder for attackers to achieve their objective. Alternatively, we've surveyed methods which formally derive certificates of robustness by exactly solving the optimization problem or by approximations using upper or lower bounds. In addition, we discuss the challenges faced by most of the recent algorithms presenting future research perspectives.

Shufei Zhang,Kaizhu Huang,Zenglin Xu

DOI: https://doi.org/10.48550/arXiv.1911.06479

2020-06-10

Abstract:We study the model robustness against adversarial examples, referred to as small perturbed input data that may however fool many state-of-the-art deep learning models. Unlike previous research, we establish a novel theory addressing the robustness issue from the perspective of stability of the loss function in the small neighborhood of natural examples. We propose to exploit an energy function to describe the stability and prove that reducing such energy guarantees the robustness against adversarial examples. We also show that the traditional training methods including adversarial training with the $l_2$ norm constraint (AT) and Virtual Adversarial Training (VAT) tend to minimize the lower bound of our proposed energy function. We make an analysis showing that minimization of such lower bound can however lead to insufficient robustness within the neighborhood around the input sample. Furthermore, we design a more rational method with the energy regularization which proves to achieve better robustness than previous methods. Through a series of experiments, we demonstrate the superiority of our model on both supervised tasks and semi-supervised tasks. In particular, our proposed adversarial framework achieves the best performance compared with previous adversarial training methods on benchmark datasets MNIST, CIFAR-10, and SVHN. Importantly, they demonstrate much better robustness against adversarial examples than all the other comparison methods.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Zhuang Qian,Kaizhu Huang,Qiu-Feng Wang,Xu-Yao Zhang

DOI: https://doi.org/10.1016/j.patcog.2022.108889

IF: 8

2022-11-01

Pattern Recognition

Abstract:Deep neural networks have achieved remarkable success in machine learning, computer vision, and pattern recognition in the last few decades. Recent studies, however, show that neural networks (both shallow and deep) may be easily fooled by certain imperceptibly perturbed input samples called adversarial examples. Such security vulnerability has resulted in a large body of research in recent years because real-world threats could be introduced due to the vast applications of neural networks. To address the robustness issue to adversarial examples particularly in pattern recognition, robust adversarial training has become one mainstream. Various ideas, methods, and applications have boomed in the field. Yet, a deep understanding of adversarial training including characteristics, interpretations, theories, and connections among different models has remained elusive. This paper presents a comprehensive survey trying to offer a systematic and structured investigation on robust adversarial training in pattern recognition. We start with fundamentals including definition, notations, and properties of adversarial examples. We then introduce a general theoretical framework with gradient regularization for defending against adversarial samples - robust adversarial training with visualizations and interpretations on why adversarial training can lead to model robustness. Connections will also be established between adversarial training and other traditional learning theories. After that, we summarize, review, and discuss various methodologies with defense/training algorithms in a structured way. Finally, we present analysis, outlook, and remarks on adversarial training.

computer science, artificial intelligence,engineering, electrical & electronic

Pin-Yu Chen,Sijia Liu

DOI: https://doi.org/10.48550/arXiv.2202.07201

2023-01-05

Abstract:Adversarial robustness studies the worst-case performance of a machine learning model to ensure safety and reliability. With the proliferation of deep-learning-based technology, the potential risks associated with model development and deployment can be amplified and become dreadful vulnerabilities. This paper provides a comprehensive overview of research topics and foundational principles of research methods for adversarial robustness of deep learning models, including attacks, defenses, verification, and novel applications.

Machine Learning,Artificial Intelligence,Cryptography and Security

Mark Huasong Meng,Guangdong Bai,Sin Gee Teo,Zhe Hou,Yan Xiao,Yun Lin,Jin Song Dong

DOI: https://doi.org/10.1109/tdsc.2022.3179131

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Neural networks have been widely applied in security applications such as spam and phishing detection, intrusion prevention, and malware detection. This black-box method, however, often has uncertainty and poor explainability in applications. Furthermore, neural networks themselves are often vulnerable to adversarial attacks. For those reasons, there is a high demand for trustworthy and rigorous methods to verify the robustness of neural network models. Adversarial robustness, which concerns the reliability of a neural network when dealing with maliciously manipulated inputs, is one of the hottest topics in security and machine learning. In this work, we survey existing literature in adversarial robustness verification for neural networks and collect 39 diversified research works across machine learning, security, and software engineering domains. We systematically analyze their approaches, including how robustness is formulated, what verification techniques are used, and the strengths and limitations of each technique. We provide a taxonomy from a formal verification perspective for a comprehensive understanding of this topic. We classify the existing techniques based on property specification, problem reduction, and reasoning strategies. We also demonstrate representative techniques that have been applied in existing studies with a sample model. Finally, we discuss open questions for future research.

Zhang Shufei,Huang Kaizhu,Xu Zenglin

DOI: https://doi.org/10.1007/s10994-022-06186-9

IF: 5.414

2022-01-01

Machine Learning

Abstract:We study the model robustness against adversarial examples, referred to as small perturbed input data that may however fool many state-of-the-art deep learning models. Unlike previous research, we establish a novel theory addressing the robustness issue from the perspective of stability of the loss function in the small neighborhood of natural examples. We propose to exploit an energy function to describe the total variation in a small neighborhood and prove that reducing such energy guarantees the robustness against adversarial examples. We also show that the traditional training methods including adversarial training and virtual adversarial training tend to minimize the lower bound of our proposed energy function. Importantly, we prove that minimizing the energy function can obtain a better generalization bound than traditional adversarial training approaches. Through a series of experiments, we demonstrate the superiority of our model on different datasets for defending adversarial attacks. In particular, our proposed adversarial framework achieves the best performance compared with previous adversarial training methods on benchmark datasets CIFAR-10, CIFAR-100 and SVHN and they demonstrate much better robustness against adversarial examples than all the other comparison methods.

Prashis Raghuwanshi

DOI: https://doi.org/10.29070/q2reyr59

2024-05-01

Journal of Advances and Scholarly Researches in Allied Education

Abstract:This work investigates advanced methods for improving the resilience of machine learning models against adversarial attacks. Ensuring that these models can withstand deliberately crafted inputs—called adversarial examples—has become critical as machine learning expands into high-stakes fields such as computer vision, cybersecurity, and healthcare. The study examines several types of adversarial attacks, including black-box attacks, where the attacker has no direct knowledge of the model, and white-box attacks, where the attacker has complete access to the model. Popular defense strategies, such as the Fast Gradient Sign Method (FGSM), Iterative FGSM (I-FGSM), and the Carlini and Wagner (C&W) attack, are also discussed. The work emphasizes how adversarial learning contributes to creating more resilient models by addressing both theoretical foundations and practical applications. This thorough investigation highlights the strengths and weaknesses of current approaches, as well as the ongoing need for advancements to protect model integrity against evolving threats.

Xianmin Wang,Jing Li,Xiaohui Kuang,Yu-an Tan,Jin Li

DOI: https://doi.org/10.1016/j.jpdc.2019.03.003

IF: 4.542

2019-01-01

Journal of Parallel and Distributed Computing

Abstract:Machine learning (ML) methods have demonstrated impressive performance in many application fields such as autopilot, facial recognition, and spam detection. Traditionally, ML models are trained and deployed in a benign setting, in which the testing and training data have identical statistical characteristics. However, this assumption usually does not hold in the sense that the ML model is designed in an adversarial setting, where some statistical properties of the data can be tampered with by a capable adversary. Specifically, it has been observed that adversarial examples (also known as adversarial input perambulations) elaborately crafted during training/test phases can seriously undermine the ML performance. The susceptibility of ML models in adversarial settings and the corresponding countermeasures have been studied by many researchers in both academic and industrial communities. In this work, we present a comprehensive overview of the investigation of the security properties of ML algorithms under adversarial settings. First, we analyze the ML security model to develop a blueprint for this interdisciplinary research area. Then, we review adversarial attack methods and discuss the defense strategies against them. Finally, relying upon the reviewed work, we provide prospective relevant future works for designing more secure ML models.

Yanjie Li,Bin Xie,Songtao Guo,Yuanyuan Yang,Bin Xiao

2023-10-01

Abstract:Benefiting from the rapid development of deep learning, 2D and 3D computer vision applications are deployed in many safe-critical systems, such as autopilot and identity authentication. However, deep learning models are not trustworthy enough because of their limited robustness against adversarial attacks. The physically realizable adversarial attacks further pose fatal threats to the application and human safety. Lots of papers have emerged to investigate the robustness and safety of deep learning models against adversarial attacks. To lead to trustworthy AI, we first construct a general threat model from different perspectives and then comprehensively review the latest progress of both 2D and 3D adversarial attacks. We extend the concept of adversarial examples beyond imperceptive perturbations and collate over 170 papers to give an overview of deep learning model robustness against various adversarial attacks. To the best of our knowledge, we are the first to systematically investigate adversarial attacks for 3D models, a flourishing field applied to many real-world applications. In addition, we examine physical adversarial attacks that lead to safety violations. Last but not least, we summarize present popular topics, give insights on challenges, and shed light on future research on trustworthy AI.

Machine Learning,Artificial Intelligence

Jia Liu,Yaochu Jin

DOI: https://doi.org/10.1016/j.jai.2023.10.002

2023-01-01

Journal of Automation and Intelligence

Abstract:Deep learning has presented remarkable progress in various tasks. Despite the excellent performance, deep learning models remain not robust, especially to well-designed adversarial examples, limiting deep learning models employed in security-critical applications. Therefore, how to improve the robustness of deep learning has attracted increasing attention from researchers. This paper investigates the progress on the threat of deep learning and the techniques that can enhance the model robustness in computer vision. Unlike previous relevant survey papers summarizing adversarial attacks and defense technologies, this paper also provides an overview of the general robustness of deep learning. Besides, this survey elaborates on the current robustness evaluation approaches, which require further exploration. This paper also reviews the recent literature on making deep learning models resistant to adversarial examples from an architectural perspective, which was rarely mentioned in previous surveys. Finally, interesting directions for future research are listed based on the reviewed literature. This survey is hoped to serve as the basis for future research in this topical field.

Jun Guo,Wei Bao,Jiakai Wang,Yuqing Ma,Xinghai Gao,Gang Xiao,Aishan Liu,Jian Dong,Xianglong Liu,Wenjun Wu

DOI: https://doi.org/10.1016/j.patcog.2023.109308

IF: 8

2023-01-01

Pattern Recognition

Abstract:Deep neural networks (DNNs) have achieved remarkable performance across a wide range of applica-tions, while they are vulnerable to adversarial examples, which motivates the evaluation and benchmark of model robustness. However, current evaluations usually use simple metrics to study the performance of defenses, which are far from understanding the limitation and weaknesses of these defense methods. Thus, most proposed defenses are quickly shown to be attacked successfully, which results in the "arm race" phenomenon between attack and defense. To mitigate this problem, we establish a model robust-ness evaluation framework containing 23 comprehensive and rigorous metrics, which consider two key perspectives of adversarial learning (i.e., data and model). Through neuron coverage and data impercep-tibility, we use data-oriented metrics to measure the integrity of test examples; by delving into model structure and behavior, we exploit model-oriented metrics to further evaluate robustness in the adversar-ial setting. To fully demonstrate the effectiveness of our framework, we conduct large-scale experiments on multiple datasets including CIFAR-10, SVHN, and ImageNet using different models and defenses with our open-source platform. Overall, our paper provides a comprehensive evaluation framework, where re-searchers could conduct comprehensive and fast evaluations using the open-source toolkit, and the ana-lytical results could inspire deeper understanding and further improvement to the model robustness.(c) 2023 Elsevier Ltd. All rights reserved.

Yishan Li,Yanming Guo,Yuxiang Xie,Qi Wang

DOI: https://doi.org/10.1109/bigdia56350.2022.9874193

2022-01-01

Abstract:With the development of artificial intelligence technology, to our surprise, deep neural networks have made a series of breakthroughs and achieved optimal results in lots of machine learning tasks, while the image field is the most prominent. Although deep learning technology has brought great convenience to our lives, the security problems of artificial intelligence have gradually become prominent. But deep neural networks are very fragile, and usually a small perturbation can have a serious impact on the neural network, especially adversarial examples. As a small imperceptible perturbation, it can cause malicious effects on the results of image classification. What can we do to protect clean examples from perturbations has become the most important and practical research direction in the current image field. A large number of scholars have begun to invest in adversarial examples research, especially in defense, the achievements are more abundant, and related research results have also shown a blowout state. Based on the research status of recent years, this paper first explains the concept of adversarial examples, organizes the current attack methods, and then summarizes different defense methods according to the criteria of detection defense and robust defense. Improvements are discussed to help further development of adversarial defense of images.

Tao Bai,Jinqi Luo,Jun Zhao,Bihan Wen,Qian Wang

DOI: https://doi.org/10.24963/ijcai.2021/591

2021-08-01

Abstract:Adversarial training is one of the most effective approaches for deep learning models to defend against adversarial examples. Unlike other defense strategies, adversarial training aims to enhance the robustness of models intrinsically. During the past few years, adversarial training has been studied and discussed from various aspects, which deserves a comprehensive review. For the first time in this survey, we systematically review the recent progress on adversarial training for adversarial robustness with a novel taxonomy. Then we discuss the generalization problems in adversarial training from three perspectives and highlight the challenges which are not fully tackled. Finally, we present potential future directions.

Khoi Nguyen Tiet Nguyen,Wenyu Zhang,Kangkang Lu,Yuhuan Wu,Xingjian Zheng,Hui Li Tan,Liangli Zhen

2024-08-06

Abstract:Deep learning models excel in various computer vision tasks but are susceptible to adversarial examples-subtle perturbations in input data that lead to incorrect predictions. This vulnerability poses significant risks in safety-critical applications such as autonomous vehicles, security surveillance, and aircraft health monitoring. While numerous surveys focus on adversarial attacks in image classification, the literature on such attacks in object detection is limited. This paper offers a comprehensive taxonomy of adversarial attacks specific to object detection, reviews existing adversarial robustness evaluation metrics, and systematically assesses open-source attack methods and model robustness. Key observations are provided to enhance the understanding of attack effectiveness and corresponding countermeasures. Additionally, we identify crucial research challenges to guide future efforts in securing automated object detection systems.

Computer Vision and Pattern Recognition

Yangyi Chen,Hongcheng Gao,Ganqu Cui,Lifan Yuan,Dehan Kong,Hanlu Wu,Ning Shi,Bo Yuan,Longtao Huang,Hui Xue,Zhiyuan Liu,Maosong Sun,Heng Ji

2023-05-29

Abstract:Textual adversarial attacks can discover models' weaknesses by adding semantic-preserved but misleading perturbations to the inputs. The long-lasting adversarial attack-and-defense arms race in Natural Language Processing (NLP) is algorithm-centric, providing valuable techniques for automatic robustness evaluation. However, the existing practice of robustness evaluation may exhibit issues of incomprehensive evaluation, impractical evaluation protocol, and invalid adversarial samples. In this paper, we aim to set up a unified automatic robustness evaluation framework, shifting towards model-centric evaluation to further exploit the advantages of adversarial attacks. To address the above challenges, we first determine robustness evaluation dimensions based on model capabilities and specify the reasonable algorithm to generate adversarial samples for each dimension. Then we establish the evaluation protocol, including evaluation settings and metrics, under realistic demands. Finally, we use the perturbation degree of adversarial samples to control the sample validity. We implement a toolkit RobTest that realizes our automatic robustness evaluation framework. In our experiments, we conduct a robustness evaluation of RoBERTa models to demonstrate the effectiveness of our evaluation framework, and further show the rationality of each component in the framework. The code will be made public at \url{<a class="link-external link-https" href="https://github.com/thunlp/RobTest" rel="external noopener nofollow">this https URL</a>}.

Computation and Language,Cryptography and Security,Machine Learning

JI Shou-Ling,DU Tian-Yu,DENG Shui-Guang,CHENG Peng,SHI Jie,YANG Min,LI Bo

DOI: https://doi.org/10.11897/SP.J.1016.2022.00190

2022-01-01

Chinese Journal of Computers

Abstract:In the era of big data, breakthroughs in theories and technologies of deep learning have provided strong support for artificial intelligence at the data and the algorithm level, as well as have promoted the development of scale and industrialization of deep learning in a large number of tasks, such as image classification, object detection, semantic segmentation, natural language processing and speech recognition. However, though deep learning models have excellent performance in many real-world applications, they still suffer many security threats. For instance, it is now known that deep neural networks are fundamentally vulnerable to malicious manipulations, such as

Max Kaufmann,Daniel Kang,Yi Sun,Steven Basart,Xuwang Yin,Mantas Mazeika,Akul Arora,Adam Dziedzic,Franziska Boenisch,Tom Brown,Jacob Steinhardt,Dan Hendrycks

DOI: https://doi.org/10.48550/arXiv.1908.08016

2023-10-30

Abstract:Adversarial robustness research primarily focuses on L_p perturbations, and most defenses are developed with identical training-time and test-time adversaries. However, in real-world applications developers are unlikely to have access to the full range of attacks or corruptions their system will face. Furthermore, worst-case inputs are likely to be diverse and need not be constrained to the L_p ball. To narrow in on this discrepancy between research and reality we introduce ImageNet-UA, a framework for evaluating model robustness against a range of unforeseen adversaries, including eighteen new non-L_p attacks. To perform well on ImageNet-UA, defenses must overcome a generalization gap and be robust to a diverse attacks not encountered during training. In extensive experiments, we find that existing robustness measures do not capture unforeseen robustness, that standard robustness techniques are beat by alternative training strategies, and that novel methods can improve unforeseen robustness. We present ImageNet-UA as a useful tool for the community for improving the worst-case behavior of machine learning systems.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Sihui Dai,Saeed Mahloujifar,Chong Xiang,Vikash Sehwag,Pin-Yu Chen,Prateek Mittal

2023-07-20

Abstract:The bulk of existing research in defending against adversarial examples focuses on defending against a single (typically bounded Lp-norm) attack, but for a practical setting, machine learning (ML) models should be robust to a wide variety of attacks. In this paper, we present the first unified framework for considering multiple attacks against ML models. Our framework is able to model different levels of learner's knowledge about the test-time adversary, allowing us to model robustness against unforeseen attacks and robustness against unions of attacks. Using our framework, we present the first leaderboard, MultiRobustBench, for benchmarking multiattack evaluation which captures performance across attack types and attack strengths. We evaluate the performance of 16 defended models for robustness against a set of 9 different attack types, including Lp-based threat models, spatial transformations, and color changes, at 20 different attack strengths (180 attacks total). Additionally, we analyze the state of current defenses against multiple attacks. Our analysis shows that while existing defenses have made progress in terms of average robustness across the set of attacks used, robustness against the worst-case attack is still a big open problem as all existing models perform worse than random guessing.

Machine Learning,Cryptography and Security