Pang Jiangmiao,Chen Kai,Shi Jianping,Lin Dahua,Ouyang Wanli,Feng Huajun

2021-01-01

Abstract:The present invention relates to an image processing method and device, an electronic equipment and a storage medium. The method comprises: performing feature equalization on a sample image by detecting an equalization subnetwork of a network, to obtain equalized feature image of the sample image; performing target detection on the equalized feature image by means of a detection subnetwork to obtain prediction regions of a target object in the equalized feature image; respectively determining the intersection over union of each prediction region; sampling the plurality of prediction regions according to the intersection over union of each prediction region to obtain a target region; and training the detection network according to the target region and a marked region. In the image processing method of the embodiments of the present disclosure, feature equalization is performed on a target sample image, thus avoiding information loss and improving training effect. Moreover, the target region can be extracted according to the intersection over union of each prediction region, thus increasing the probability of extracting prediction regions that are difficult to be determined and improving training efficiency and training effect.

zhu jianxin,yang xiaohu,ye ronghua

DOI: https://doi.org/10.3321/j.issn:1002-8331.2002.16.022

2002-01-01

Abstract:Evaluating the performance of biometric systems is a complex problem.This paper describes a number of im-portant concepts about the performance evaluating of biometric systems ,such as accuracy,speed,robustness and storage requirements.It analyzes detailedly the performance evaluating of fingerprint recognition,face recognition and voice recog-nition.In security area including computer security,how and where biometric systems are deployed will depend on their performance.

Zheng Yun,Zhang Yanhao,Pan Pan,Ren Xiaofeng

2020-01-01

Abstract:The invention discloses a method and device for determining image features, a storage medium and a processor. The method comprises the steps of receiving a to-be-queried image; based on image featuremodel , determining image features of the to-be-queried image, wherein the image feature model is obtained by using multiple groups of triple image samples through machine learning training; each of the triple image samples in the multiple groups of triple image samples comprises a query image, an image positive sample of the query image and an image negative sample of the query image, and the image positive sample and the image negative sample are determined based on a click behavior on the image. According to the invention, the technical problem that image features cannot be accurately determined is solved.

Shigeng Zhang,Shuxin Chen,Xuan Liu,Chengyao Hua,Weiping Wang,Kai Chen,Jian Zhang,Jianxin Wang

DOI: https://doi.org/10.1109/tnse.2021.3057071

IF: 6.6

2022-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Deep learning techniques such as convolutional neural networks (CNNs) have been used in a wide range of fields due to their superior performance, e.g., image classification, autonomous driving and natural language processing. However, recent progress shows that deep learning models are vulnerable to adversarial samples, which are crafted by adding small perturbations on normal samples that are imperceptible to human beings but can mislead the deep learning models to output incorrect results. Many adversarial attack models are proposed and many adversarial detection methods are developed to detect adversarial samples generated by these attack models. However, the evaluations of these detection methods are fragmented and scatter in separate literature, and the community still lacks a comprehensive understanding of the ability and performance of existing adversarial detection methods when facing different attack models on different datasets. In this paper, by using image classification as the example application scenario, we conduct a comprehensive study on the performance of five mainstream adversarial detection methods against five major attack models on four widely used benchmark datasets. We find that the detection accuracy of different methods interleaves for different attack models and dataset. Moreover, besides detection accuracy, we also evaluate the time efficiency of different detection methods. The findings reported in this paper can provide useful insights when designing systems to detect adversarial samples and act as a guideline to design new methods to detect adversarial samples.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Xiao Yang,Yinpeng Dong,Tianyu Pang,Zihao Xiao,Hang Su,Jun Zhu

DOI: https://doi.org/10.48550/arXiv.2203.04623

2022-03-09

Computer Vision and Pattern Recognition

Abstract:Recent studies have revealed the vulnerability of face recognition models against physical adversarial patches, which raises security concerns about the deployed face recognition systems. However, it is still challenging to ensure the reproducibility for most attack algorithms under complex physical conditions, which leads to the lack of a systematic evaluation of the existing methods. It is therefore imperative to develop a framework that can enable a comprehensive evaluation of the vulnerability of face recognition in the physical world. To this end, we propose to simulate the complex transformations of faces in the physical world via 3D-face modeling, which serves as a digital counterpart of physical faces. The generic framework allows us to control different face variations and physical conditions to conduct reproducible evaluations comprehensively. With this digital simulator, we further propose a Face3DAdv method considering the 3D face transformations and realistic physical variations. Extensive experiments validate that Face3DAdv can significantly improve the effectiveness of diverse physically realizable adversarial patches in both simulated and physical environments, against various white-box and black-box face recognition models.

Yanpeng Li,Xiang Li,Hongqiang Wang,Yiping Chen,Zhaowen Zhuang,Yongqiang Cheng,Bin Deng,Liandong Wang,Yonghu Zeng,Lei Gao

DOI: https://doi.org/10.3390/s140711308

IF: 3.9

2014-01-01

Sensors

Abstract:This paper offers a compacted mechanism to carry out the performance evaluation work for an automatic target recognition (ATR) system: (a) a standard description of the ATR system's output is suggested, a quantity to indicate the operating condition is presented based on the principle of feature extraction in pattern recognition, and a series of indexes to assess the output in different aspects are developed with the application of statistics; (b) performance of the ATR system is interpreted by a quality factor based on knowledge of engineering mathematics; (c) through a novel utility called "context-probability" estimation proposed based on probability, performance prediction for an ATR system is realized. The simulation result shows that the performance of an ATR system can be accounted for and forecasted by the above-mentioned measures. Compared to existing technologies, the novel method can offer more objective performance conclusions for an ATR system. These conclusions may be helpful in knowing the practical capability of the tested ATR system. At the same time, the generalization performance of the proposed method is good.

YanWei Wang,XiaoQing Ding,ChangSong Liu,Kongqiao Wang

DOI: https://doi.org/10.1117/12.840119

2010-01-01

Electronic Imaging

Abstract:Detection of characters regions is a meaningful research work for both highlighting region of interest and recognition for further information processing. A lot of researches have been performed on character localization and extraction and this leads to the great needs of performance evaluation scheme to inspect detection algorithms. In this paper, two probability models are established to accomplish evaluation tasks for different applications respectively. For highlighting region of interest, a Gaussian probability model, which simulates the property of a low-pass Gaussian filter of human vision system (HVS), was constructed to allocate different weights to different character parts. It reveals the greatest potential to describe the performance of detectors, especially, when the result detected is an incomplete character, where other methods cannot effectively work. For the recognition destination, we also introduced a weighted probability model to give an appropriate description for the contribution of detection results to final recognition results. The validity of performance evaluation models proposed in this paper are proved by experiments on web images and natural scene images. These models proposed in this paper may also be able to be applied in evaluating algorithms of locating other objects, like face detection and more wide experiments need to be done to examine the assumption.

Xi Yang,Huanling Liu,Nannan Wang,Xinbo Gao

DOI: https://doi.org/10.1109/tip.2024.3456000

IF: 10.6

2024-09-20

IEEE Transactions on Image Processing

Abstract:The potential vulnerability of deep neural networks and the complexity of pedestrian images, greatly limits the application of person re-identification techniques in the field of smart security. Current attack methods often focus on generating carefully crafted adversarial samples or only disrupting the metric distances between targets and similar pedestrians. However, both aspects are crucial for evaluating the security of methods adapted for person re-identification tasks. For this reason, we propose an image-level adaptive adversarial ranking method that comprehensively considers two aspects to adapt to changes in pedestrians in the real world and effectively evaluate the robustness of models in adversarial environments. To generate more refined adversarial samples, our image representation enhancement module leverages channel-wise information entropy, assigning varying weights to different channels to produce images with richer information content, along with a generative adversarial network to create adversarial samples. Subsequently, for adaptive perturbation of ranking, the adaptive weight confusion ranking loss is presented to calculate the weights of distances between positive or negative samples and query samples. It endeavors to push positive samples away from query samples and bring negative samples closer, thereby interfering with the ranking of system. Notably, this method requires no additional hyperparameter tuning or extra data training, making it an adaptive attack strategy. Experimental results on large-scale datasets such as Market1501, CUHK03, and DukeMTMC demonstrate the effectiveness of our method in attacking ReID systems.

computer science, artificial intelligence,engineering, electrical & electronic

Jiatian Pi,Fusen Wen,Quan Lu,Ning Jiang,Haiying Wu,Qiao Liu

DOI: https://doi.org/10.1016/j.infrared.2024.105285

IF: 2.997

2024-01-01

Infrared Physics & Technology

Abstract:Existing black-box attack methods for infrared detectors often rely on heuristic techniques due to the unavailability of useful gradient information from the target detection model. However, existing heuristic-based attack methods suffer from the following two drawbacks. First, they are often prone to falling into local optima. Second, their convergence speed is particularly slow in the later stages of the optimization algorithm. To address these challenges, we propose a thermal infrared detector Attack (TID-Attack) based on free velocity and rollback mutation. This algorithm enables effective black-box digital adversarial attacks on infrared object detection models. Specifically, we first introduce a free velocity attack method in the particle swarm optimization algorithm. This method effectively balances the local and global search capabilities of particles during the optimization process, mitigating the risk of particles getting trapped in local optima. Additionally, we design a rollback mutation search strategy that allows particles trapped in local optima to bounce to new areas, farther away from their current positions, and then perform the optimization process again. These two modules make heuristic-based attack methods more robust and better stable. To evaluate the effectiveness of TID-Attack, we perform black-box attack tests on the YOLOv5 and YOLOv3 using three infrared detection datasets: FLIR-ADAS V2, CVC-09,(Daytime and Nighttime), and KAIST. Extensive experimental results demonstrate that our method achieves superior performance in terms of attack success rate and query times.

Su Zheng,Jialin Chen,Lingli Wang

DOI: https://doi.org/10.1109/ijcnn.2019.8852078

2019-01-01

Abstract:Deep neural networks (DNNs) are widely applied to image classification tasks. Due to the fact that these models are usually vulnerable, subtle perturbations of pixels may lead to classification errors, which poses a serious threat to the success of DNN applications. Moreover, perturbations of pixels can also corrupt other pattern recognition models such as Naive Bayes (NB), Decision Tree (DT) and Random Forest (RF). In this paper, a general method is proposed to carry out targeted black-box attacks for image classification models. The proposed method can achieve targeted fool rates (TFRs) of 0.873 and 0.781 on CIFAR-10 dataset with and without the access to the training set of the target model respectively. For cross-model attacks, the proposed method can still achieve a TFR of 0.630 on CIFAR-10. Furthermore, the proposed method is able to mount attacks for up to 100 classes on CIFAR-100 dataset with a TFR of 0.721, successfully handling 99 cases for each class. In our experiments, the proposed method shows higher performance and higher reliability than other black-box attack methods, with 0.123 greater maximum TFR and 0.602 greater minimum TFR than previous methods UPSET and ANGRI on CIFAR-10 in attacks trained on a single model.

Xiaopei Zhu,Peiyang Xu,Guanning Zeng,Yingpeng Dong,Xiaolin Hu

2024-10-11

Abstract:Research of adversarial attacks is important for AI security because it shows the vulnerability of deep learning models and helps to build more robust models. Adversarial attacks on images are most widely studied, which include noise-based attacks, image editing-based attacks, and latent space-based attacks. However, the adversarial examples crafted by these methods often lack sufficient semantic information, making it challenging for humans to understand the failure modes of deep learning models under natural conditions. To address this limitation, we propose a natural language induced adversarial image attack method. The core idea is to leverage a text-to-image model to generate adversarial images given input prompts, which are maliciously constructed to lead to misclassification for a target model. To adopt commercial text-to-image models for synthesizing more natural adversarial images, we propose an adaptive genetic algorithm (GA) for optimizing discrete adversarial prompts without requiring gradients and an adaptive word space reduction method for improving query efficiency. We further used CLIP to maintain the semantic consistency of the generated images. In our experiments, we found that some high-frequency semantic information such as "foggy", "humid", "stretching", etc. can easily cause classifier errors. This adversarial semantic information exists not only in generated images but also in photos captured in the real world. We also found that some adversarial semantic information can be transferred to unknown classification tasks. Furthermore, our attack method can transfer to different text-to-image models (e.g., Midjourney, DALL-E 3, etc.) and image classifiers. Our code is available at: <a class="link-external link-https" href="https://github.com/zxp555/Natural-Language-Induced-Adversarial-Images" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Computer Vision and Pattern Recognition,Multimedia

Huili Luo,Zhaoquan Gu,Chunajing Zhang,Le Wang,Shuhao Li,Zhiqin Chen

DOI: https://doi.org/10.1109/DSC53577.2021.00032

2021-01-01

Abstract:Rapid advancement in deep neural networks (DNNs) has enhanced the prospect of image classification technologies like facial recognition. The emergence of adversarial examples, however, revealed the vulnerability of DNNs. A large number of attack methods have been proposed against DNNs and these methods can be divided into two types: targeted attacks and untargeted attacks. Specifically, targeted attacks misclassify the detection object into a specified target, whereas untargeted attacks only aim to lead the classifier (a DNN classifier, for instance) to misclassification of the object by adding adversarial examples. Most adversarial attack methods add different perturbations to different images, which is costly and inefficient. In this paper, we explore a universal targeted attack method against image classification, in which a universal perturbation is fabricated and added to all images to generate adversarial examples. These generated adversarial examples are classified by the classifier as a specified target with high probability. Through black-box and white-box attack experiments against the ResNet model on both CIFAR 10 and CIFAR100 datasets, we verified the effectiveness of our method.

Youqian Zhang,Michael Cheung,Chunxi Yang,Xinwei Zhai,Zitong Shen,Xinyu Ji,Eugene Y. Fu,Sze-Yiu Chau,Xiapu Luo

2024-08-09

Abstract:Numerous safety- or security-critical systems depend on cameras to perceive their surroundings, further allowing artificial intelligence (AI) to analyze the captured images to make important decisions. However, a concerning attack vector has emerged, namely, electromagnetic waves, which pose a threat to the integrity of these systems. Such attacks enable attackers to manipulate the images remotely, leading to incorrect AI decisions, e.g., autonomous vehicles missing detecting obstacles ahead resulting in collisions. The lack of understanding regarding how different systems react to such attacks poses a significant security risk. Furthermore, no effective solutions have been demonstrated to mitigate this threat. To address these gaps, we modeled the attacks and developed a simulation method for generating adversarial images. Through rigorous analysis, we confirmed that the effects of the simulated adversarial images are indistinguishable from those from real attacks. This method enables researchers and engineers to rapidly assess the susceptibility of various AI vision applications to these attacks, without the need for constructing complicated attack devices. In our experiments, most of the models demonstrated vulnerabilities to these attacks, emphasizing the need to enhance their robustness. Fortunately, our modeling and simulation method serves as a stepping stone toward developing more resilient models. We present a pilot study on adversarial training to improve their robustness against attacks, and our results demonstrate a significant improvement by recovering up to 91% performance, offering a promising direction for mitigating this threat.

Cryptography and Security,Computer Vision and Pattern Recognition

Jun-Ho Choi,Huan Zhang,Jun-Hyuk Kim,Cho-Jui Hsieh,Jong-Seok Lee

DOI: https://doi.org/10.48550/arXiv.2104.15022

2021-04-30

Computer Vision and Pattern Recognition

Abstract:Recently, the vulnerability of deep image classification models to adversarial attacks has been investigated. However, such an issue has not been thoroughly studied for image-to-image tasks that take an input image and generate an output image (e.g., colorization, denoising, deblurring, etc.) This paper presents comprehensive investigations into the vulnerability of deep image-to-image models to adversarial attacks. For five popular image-to-image tasks, 16 deep models are analyzed from various standpoints such as output quality degradation due to attacks, transferability of adversarial examples across different tasks, and characteristics of perturbations. We show that unlike image classification tasks, the performance degradation on image-to-image tasks largely differs depending on various factors, e.g., attack methods and task objectives. In addition, we analyze the effectiveness of conventional defense methods used for classification models in improving the robustness of the image-to-image models.

Gu Yuxiang,Lei Yu,Gao Chao,Zhang Xin,Su Jiabin,Ni Wei,Yang Heng,Hu Zhonghua,Sun Gufei,Zhou Jianhua,Lu-Wang Tianyu

2018-01-01

Abstract:The invention relates to an image classification method and device and a computer readable medium. The method comprises the steps: obtaining a drawn image, extracting the features of an object in theimage, and obtaining the feature information; searching a category label corresponding to the feature information according to a preset corresponding relationship between the feature information and the category label; and determining the category label as a classification result mode of the drawn image, the mode of subjective judgment on the drawn image manually is replaced; according to the method, the classification result of the drawn image is determined by extracting the feature information of the object and combining the corresponding relation between the feature information and the category label, so that the deviation of subjective classification of the drawn image is avoided, the drawn image can be classified more accurately, and the accuracy of the classification result is further improved.

Jing Wu,Mingyi Zhou,Ce Zhu,Yipeng Liu,Mehrtash Harandi,Li Li

DOI: https://doi.org/10.48550/arxiv.2104.11103

2021-01-01

Abstract: Recently, adversarial attack methods have been developed to challenge the robustness of machine learning models. However, mainstream evaluation criteria experience limitations, even yielding discrepancies among results under different settings. By examining various attack algorithms, including gradient-based and query-based attacks, we notice the lack of a consensus on a uniform standard for unbiased performance evaluation. Accordingly, we propose a Piece-wise Sampling Curving (PSC) toolkit to effectively address the aforementioned discrepancy, by generating a comprehensive comparison among adversaries in a given range. In addition, the PSC toolkit offers options for balancing the computational cost and evaluation effectiveness. Experimental results demonstrate our PSC toolkit presents comprehensive comparisons of attack algorithms, significantly reducing discrepancies in practice.

Zhaojie Chen,Puxi Lin,Zoe Lin Jiang,Zhanhang Wei,Sichen Yuan,Junbin Fang

DOI: https://doi.org/10.1007/978-3-030-71852-7_4

2020-01-01

Abstract:In recent years, physical adversarial attacks have been placed an increasing emphasis. However, previous studies usually use a printer to physically realize adversarial perturbations, and such an attack scheme will meet inevitable disadvantages of perturbation distortion and low concealment. In this paper, we propose a novel attack scheme based on illumination modulation. Because of the rolling shutter effect of CMOS sensor, the created perturbation will not be distorted and completely invisible. According to the attack scheme, we have proposed two novel attack methods, denial of service attack (DoS attack) and escape attack, and offered a real scene to apply the attack methods. The experimental results show that both of two attack methods have a good performance against AFR. DoS attack has an attack success rate of 92.13% and escape attack has an attack success rate of 82%.

Haichuan Zhang,Meiyu Lin,Zhaoyi Liu,Renyuan Li,Zhiyuan Cheng,Carl Yang,Mingjie Tang

2024-10-19

Abstract:As generative models achieve great success, tampering and modifying the sensitive image contents (i.e., human faces, artist signatures, commercial logos, etc.) have induced a significant threat with social impact. The backdoor attack is a method that implants vulnerabilities in a target model, which can be activated through a trigger. In this work, we innovatively prevent the abuse of image content modification by implanting the backdoor into image-editing models. Once the protected sensitive content on an image is modified by an editing model, the backdoor will be triggered, making the editing fail. Unlike traditional backdoor attacks that use data poisoning, to enable protection on individual images and eliminate the need for model training, we developed the first framework for run-time backdoor implantation, which is both time- and resource- efficient. We generate imperceptible perturbations on the images to inject the backdoor and define the protected area as the only backdoor trigger. Editing other unprotected insensitive areas will not trigger the backdoor, which minimizes the negative impact on legal image modifications. Evaluations with state-of-the-art image editing models show that our protective method can increase the CLIP-FID of generated images from 12.72 to 39.91, or reduce the SSIM from 0.503 to 0.167 when subjected to malicious editing. At the same time, our method exhibits minimal impact on benign editing, which demonstrates the efficacy of our proposed framework. The proposed run-time backdoor can also achieve effective protection on the latest diffusion models. Code are available.

Cryptography and Security

Song Bai,Yingwei Li,Yuyin Zhou,Qizhu Li,Philip H.S. Torr

DOI: https://doi.org/10.1109/tpami.2020.3031625

IF: 23.6

2021-06-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Person re-identification (re-ID) has attracted much attention recently due to its great importance in video surveillance. In general, distance metrics used to identify two person images are expected to be robust under various appearance changes. However, our work observes the extreme vulnerability of existing distance metrics to adversarial examples, generated by simply adding human-imperceptible perturbations to person images. Hence, the security danger is dramatically increased when deploying commercial re-ID systems in video surveillance. Although adversarial examples have been extensively applied for classification analysis, it is rarely studied in metric analysis like person re-identification. The most likely reason is the natural gap between the training and testing of re-ID networks, that is, the predictions of a re-ID network cannot be directly used during testing without an effective metric. In this work, we bridge the gap by proposing Adversarial Metric Attack, a parallel methodology to adversarial classification attacks. Comprehensive experiments clearly reveal the adversarial effects in re-ID systems. Meanwhile, we also present an early attempt of training a metric-preserving network, thereby defending the metric against adversarial attacks. At last, by benchmarking various adversarial settings, we expect that our work can facilitate the development of adversarial attack and defense in metric-based applications.

computer science, artificial intelligence,engineering, electrical & electronic

Chenwei Li,Hengwei Zhang,Bo Yang,Jindong Wang

DOI: https://doi.org/10.7717/peerj-cs.1475

2023-07-25

Abstract:Convolutional neural networks have achieved great success in computer vision, but incorrect predictions would be output when applying intended perturbations on original input. These human-indistinguishable replicas are called adversarial examples, which on this feature can be used to evaluate network robustness and security. White-box attack success rate is considerable, when already knowing network structure and parameters. But in a black-box attack, the adversarial examples success rate is relatively low and the transferability remains to be improved. This article refers to model augmentation which is derived from data augmentation in training generalizable neural networks, and proposes resizing invariance method. The proposed method introduces improved resizing transformation to achieve model augmentation. In addition, ensemble models are used to generate more transferable adversarial examples. Extensive experiments verify the better performance of this method in comparison to other baseline methods including the original model augmentation method, and the black-box attack success rate is improved on both the normal models and defense models.