Yifan Jia,Jingyi Wang,Christopher M. Poskitt,Sudipta Chattopadhyay,Jun Sun,Yuqi Chen

DOI: https://doi.org/10.1016/j.ijcip.2021.100452

IF: 3.683

2021-01-01

International Journal of Critical Infrastructure Protection

Abstract:The threats faced by cyber-physical systems (CPSs) in critical infrastructure have motivated research into a multitude of attack detection mechanisms, including anomaly detectors based on neural network models. The effectiveness of anomaly detectors can be assessed by subjecting them to test suites of attacks, but less consideration has been given to adversarial attackers that craft noise specifically designed to deceive them. While successfully applied in domains such as images and audio, adversarial attacks are much harder to implement in CPSs due to the presence of other built-in defence mechanisms such as rule checkers (or invariant checkers). In this work, we present an adversarial attack that simultaneously evades the anomaly detectors and rule checkers of a CPS. Inspired by existing gradient-based approaches, our adversarial attack crafts noise over the sensor and actuator values, then uses a genetic algorithm to optimise the latter, ensuring that the neural network and the rule checking system are both deceived. We implemented our approach for two real-world critical infrastructure testbeds, successfully reducing the classification accuracy of their detectors by over 50% on average, while simultaneously avoiding detection by rule checkers. Finally, we explore whether these attacks can be mitigated by training the detectors on adversarial samples.

Pouya Samangouei,Maya Kabkab,Rama Chellappa

DOI: https://doi.org/10.48550/arXiv.1805.06605

2018-05-17

Computer Vision and Pattern Recognition

Abstract:In recent years, deep neural network approaches have been widely adopted for machine learning tasks, including classification. However, they were shown to be vulnerable to adversarial perturbations: carefully crafted small perturbations can cause misclassification of legitimate images. We propose Defense-GAN, a new framework leveraging the expressive capability of generative models to defend deep neural networks against such attacks. Defense-GAN is trained to model the distribution of unperturbed images. At inference time, it finds a close output to a given image which does not contain the adversarial changes. This output is then fed to the classifier. Our proposed method can be used with any classification model and does not modify the classifier structure or training procedure. It can also be used as a defense against any attack as it does not assume knowledge of the process for generating the adversarial examples. We empirically show that Defense-GAN is consistently effective against different attack methods and improves on existing defense strategies. Our code has been made publicly available at https://github.com/kabkabm/defensegan

Shuqi Liu,Mingwen Shao,Xinping Liu

DOI: https://doi.org/10.3233/jifs-200280

2020-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:In recent years, deep neural networks have made significant progress in image classification, object detection and face recognition. However, they still have the problem of misclassification when facing adversarial examples. In order to address security issue and improve the robustness of the neural network, we propose a novel defense network based on generative adversarial network (GAN). The distribution of clean - and adversarial examples are matched to solve the mentioned problem. This guides the network to remove invisible noise accurately, and restore the adversarial example to a clean example to achieve the effect of defense. In addition, in order to maintain the classification accuracy of clean examples and improve the fidelity of neural network, we input clean examples into proposed network for denoising. Our method can effectively remove the noise of the adversarial examples, so that the denoised adversarial examples can be correctly classified. In this paper, extensive experiments are conducted on five benchmark datasets, namely MNIST, Fashion-MNIST, CIFAR10, CIFAR100 and ImageNet. Moreover, six mainstream attack methods are adopted to test the robustness of our defense method including FGSM, PGD, MIM, JSMA, CW and Deep-Fool. Results show that our method has strong defensive capabilities against the tested attack methods, which confirms the effectiveness of the proposed method.

Jiawei Zhao,Lizhe Xie,Yuning Zhang,Siqi Gu,Zheng Wang,Yining Hu

DOI: https://doi.org/10.2139/ssrn.4850545

2024-01-01

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. The existence of adversarial examples significantly hinders the development of deep learning technologies in domains with high-security requirements. However, current defense methods often lack universality, being effective only against specific adversarial attacks. This study focuses on analyzing adversarial examples through changes in model attention, classifying attack algorithms into attention-shifting and attention-attenuation categories. To counter attention-shifting attacks, a defense module named Feature Pyramid-based Attention Space-guided (FPAS) is proposed, which spatially retracts the shifting attention in adversarial examples, thereby enhancing the model's overall defense capability. Attention-based Non-Local (ANL) is a proposed defense module to counter attention-attenuation attacks. This module enhances the model's focus on critical features, efficiently constructing a robust defense model with low implementation cost and minimal intrusion into the original model. By integrating FPAS and ANL into the Wide-ResNet model within a boosting framework, the study demonstrates their synergistic defense capability. Even with eight adversarial samples embedded with adversarial patches, our FPAS_at and ANL_at models demonstrated significant improvements over the baseline, enhancing the average defense rate by 5.47% and 7.74%, respectively. Extensive experiments confirm that this universal defense strategy offers comprehensive protection against adversarial attacks at a lower implementation cost compared to current mainstream defense methods, while also being adaptable for integration with existing defense strategies to further enhance adversarial robustness.

Jun Feng,Laurence T. Yang,Yuxiang Zhu,Nicholaus J. Gati,Yijun Mo

DOI: https://doi.org/10.1145/3404890

IF: 5.3

2021-01-01

ACM Transactions on Internet Technology

Abstract:Deep learning techniques have shown significant success in cyber-physical-social systems (CPSS). As an instance of deep learning models, generative adversarial nets (GAN) model enables powerful and flexible image augmentation, image generation, and classification, thus can be applied to real-world CPSS settings. GAN model training needs a large collection of cyber-physical-social data originating from various CPSS devices. Numerous prevailing GAN models depend on a tacit assumption that several cyber-physical-social data providers present a reliable source to collect training data, which is seldom the case in real CPSS. The existing GAN models also fail to consider multi-dimensional latent structure. In our work, we put forward a novel blockchain-enabled tensor-based conditional deep convolutional GAN (TCDC-GAN) model for cyber-physical-social systems. The blockchain is employed to develop a decentralized and reliable cyber-physical-social data-sharing platform between numerous cyber-physical-social data providers, such that the training data and the model are documented on a ledger that is distributed. Furthermore, a tensor-based generator and a tensor-based discriminator are well designed by employing the tensor model. The results of extensive simulation experiments show the efficacy of the proposed TCDC-GAN model. Compared with the state-of-the-art models, our model gains superior estimation performance.

Gong Cheng,Xuxiang Sun,Ke Li,Lei Guo,Junwei Han

DOI: https://doi.org/10.1109/TGRS.2021.3081421

IF: 8.2

2022-01-01

IEEE Transactions on Geoscience and Remote Sensing

Abstract:The methods for remote sensing image (RSI) scene classification based on deep convolutional neural networks (DCNNs) have achieved prominent success. However, confronted with adversarial examples obtained by adding imperceptible perturbations to clean images, the great vulnerability of DCNNs makes it worth exploring effective defense methods. To date, numerous countermeasures for adversarial examples have been proposed, but how to improve the defensive ability for unknown attacks still to be answered. To address this issue, in this article, we propose an effective defense framework specified for RSI scene classification, named perturbation-seeking generative adversarial networks (PSGANs). In brief, a new training framework is designed to train the classifier by introducing the examples generated during the image reconstruction process, in addition to clean examples and adversarial ones. These generated examples can be random kinds of unknown attacks during training and thus are utilized to eliminate the blind spots of a classifier. To assist the proposed training framework, a reconstruction method is developed. First, instead of modeling the distribution of clean examples, we model the distributions of the perturbations added in adversarial examples. Second, to make a tradeoff between the diversity of the reconstructed examples and the optimization of PSGAN, a scale factor named seeking radius is introduced to scale the generated perturbations before they are subtracted by the given adversarial examples. Comprehensive and extensive experimental results on three widely used benchmarks for RSI scene classification demonstrate the great effectiveness of PSGAN when faced with both known and unknown attacks. Our source code is available at https://github.com/xuxiangsun/PSGAN.

Yikui Zhou,Jie Wang,Junnan Tang,Chao Gou,Zigui Jiang,Dan Li,See-Kiong Ng

DOI: https://doi.org/10.1109/AIoTSys58602.2023.00049

2023-01-01

Abstract:Cyber-Physical System (CPS) integrates sensing, computation, cybernetics, and networking to control a hybrid physical system consisting of different functional subsystems, making the production process more intelligent and controllable. However, cyber-attacks during its operation will lead to abnormal system behaviors or even system breakdowns. In recent years, data-driven anomaly detection methods have been adopted to judge whether the CPS system is under cyber-attacks based on rich sensor measurements to avoid further economic losses or safety issues. However, the multi-process essence of CPS has not been adequately addressed in existing works to locate the processes or points being attacked for in-time actions. In this work, we proposed a Multi-Process Generative Adversarial Network (MP-GAN) framework to detect anomalous CPS statuses and locate cyber-attacks. Specifically, the Long-Short-Term-Memory Recurrent Neural Networks (LSTM-RNN) was adopted as the base model to capture the temporal correlation of time series distributions, and the data was transferred between latent space and data space in a bi-directional manner, which regulated the generator to generate more realistic samples and thus better grasping the underline principles of the system. Moreover, parallel generators were employed to capture system performances at different physical processes, thus localizing the attacked CPS processes. Experiments on three CPS datasets, two collected from the Secure Water Treatment (SWaT) system and one collected from the water Distribution (WADI) system, showed that the proposed MP-GAN framework effectively reported anomalies caused by various cyber-attacks inserted in these complex multiprocess CPSs, which outperforms the state-of-the-art methods and can also locate most of the detected irregularities at the corresponding stages where the attacks were inserted.

Wanting Yu,Hongyi Yu,Lingyun Jiang,Mengli Zhang,Kai Qiao

DOI: https://doi.org/10.48550/arXiv.1909.07558

2019-09-17

Computer Vision and Pattern Recognition

Abstract:Adversarial examples reveal the vulnerability and unexplained nature of neural networks. Studying the defense of adversarial examples is of considerable practical importance. Most adversarial examples that misclassify networks are often undetectable by humans. In this paper, we propose a defense model to train the classifier into a human-perception classification model with shape preference. The proposed model comprising a texture transfer network (TTN) and an auxiliary defense generative adversarial networks (GAN) is called Human-perception Auxiliary Defense GAN (HAD-GAN). The TTN is used to extend the texture samples of a clean image and helps classifiers focus on its shape. GAN is utilized to form a training framework for the model and generate the necessary images. A series of experiments conducted on MNIST, Fashion-MNIST and CIFAR10 show that the proposed model outperforms the state-of-the-art defense methods for network robustness. The model also demonstrates a significant improvement on defense capability of adversarial examples.

Haoyu Wang,Chunhua Wu,Kangfeng Zheng

DOI: https://doi.org/10.1016/j.neunet.2024.106176

IF: 7.8

2024-05-01

Neural Networks

Abstract:Deep Learning algorithms have achieved state-of-the-art performance in various important tasks. However, recent studies have found that an elaborate perturbation may cause a network to misclassify, which is known as an adversarial attack. Based on current research, it is suggested that adversarial examples cannot be eliminated completely. Consequently, it is always possible to determine an attack that is effective against a defense model. We render existing adversarial examples invalid by altering the classification boundaries. Meanwhile, for valid adversarial examples generated against the defense model, the adversarial perturbations are increased so that they can be distinguished by the human eye. This paper proposes a method for implementing the abovementioned concepts through color space transformation. Experiments on CIFAR-10, CIFAR-100, and Mini-ImageNet demonstrate the effectiveness and versatility of our defense method. To the best of our knowledge, this is the first defense model based on the amplification of adversarial perturbations.

computer science, artificial intelligence,neurosciences

Huaxia Wang,Chun-Nam Yu

DOI: https://doi.org/10.48550/arXiv.1905.09591

2019-05-23

Computer Vision and Pattern Recognition

Abstract:Deep neural networks have been shown to perform well in many classical machine learning problems, especially in image classification tasks. However, researchers have found that neural networks can be easily fooled, and they are surprisingly sensitive to small perturbations imperceptible to humans. Carefully crafted input images (adversarial examples) can force a well-trained neural network to provide arbitrary outputs. Including adversarial examples during training is a popular defense mechanism against adversarial attacks. In this paper we propose a new defensive mechanism under the generative adversarial network (GAN) framework. We model the adversarial noise using a generative network, trained jointly with a classification discriminative network as a minimax game. We show empirically that our adversarial network approach works well against black box attacks, with performance on par with state-of-art methods such as ensemble adversarial training and adversarial training with projected gradient descent.

Shao Mingwen,Liu Shuqi,Wang Ran,Zhang Gaozhi

DOI: https://doi.org/10.1007/s13042-021-01374-w

2021-01-01

International Journal of Machine Learning and Cybernetics

Abstract:In recent years, the development of deep neural networks is in full gear in the fields of computer vision, natural language processing, and others. However, the existence of adversarial examples brings risks to the completion of these tasks, which is also a huge obstacle to implement deep learning applications in the real world. In order to solve the aforementioned problems and improve the robustness of neural networks, a novel defense network based on generative adversarial networks (GANs) is proposed. First, we use generators to eliminate disturbances of adversarial samples and utilize multi-scale discriminators to classify images of different scales to better assist the generator to produce high-quality images. Then, we utilize salient feature extraction model to extract salient maps of both clean examples and adversarial samples, thus improving the denoising effect of the generator by reducing the difference between salient images. The proposed method can guide the generation networks to accurately remove the invisible disturbance and to restore the adversarial samples to clean samples, which not only improves the success rate of classification, but also achieves satisfactory defense effect. Extensive experiments are conducted to compare the defense effect of our proposed method with other defense methods against various attacks. Results show that our method has strong defensive capabilities against the tested attack methods.

Yingxin Qin,Kejia Zhang,Haiwei Pan

DOI: https://doi.org/10.1016/j.cose.2023.103460

IF: 5.105

2023-01-01

Computers & Security

Abstract:In recent years, deep learning security has become a hot research topic, and attackers often use well-designed adversarial examples as input to trick the deep learning model, especially in object detection. Recently, the adversarial patch has been widely used in the attack of the object detector by adding a continuous region of noise to the image. However, current research on the adversarial patch for object detectors has certain limitations. The adversarial attack performance tends to degrade when certain regions of the adversarial patch are accidentally obscured. So the two-stage method based on Generative Adversarial Network (TS-GAN) is proposed to address this issue. To train the generator, the TS-GAN uses the occlusion rule to simulate various situations where patches are occluded in physical scenes. Then the generator's parameters are fixed, and the optimization method is adopted to select the latent variables to generate the most effective adversarial patches. The results of extensive experiments in the digital world and physical environments show that our method achieves stable attack performance under complex conditions which are different occlusion.

Guanxiong Liu,Issa Khalil,Abdallah Khreishah

DOI: https://doi.org/10.48550/arXiv.1903.02585

IF: 5.414

2019-03-06

Machine Learning

Abstract:Machine learning models, especially neural network (NN) classifiers, are widely used in many applications including natural language processing, computer vision and cybersecurity. They provide high accuracy under the assumption of attack-free scenarios. However, this assumption has been defied by the introduction of adversarial examples -- carefully perturbed samples of input that are usually misclassified. Many researchers have tried to develop a defense against adversarial examples; however, we are still far from achieving that goal. In this paper, we design a Generative Adversarial Net (GAN) based adversarial training defense, dubbed GanDef, which utilizes a competition game to regulate the feature selection during the training. We analytically show that GanDef can train a classifier so it can defend against adversarial examples. Through extensive evaluation on different white-box adversarial examples, the classifier trained by GanDef shows the same level of test accuracy as those trained by state-of-the-art adversarial training defenses. More importantly, GanDef-Comb, a variant of GanDef, could utilize the discriminator to achieve a dynamic trade-off between correctly classifying original and adversarial examples. As a result, it achieves the highest overall test accuracy when the ratio of adversarial examples exceeds 41.7%.

Qi Liang,Qiang Li,Weizhi Nie

DOI: https://doi.org/10.1016/j.image.2022.116659

2022-01-01

Abstract:Deep neural networks achieve outstanding performance in many tasks, so they have been widely used in many applications. However, the vulnerability of deep neural networks will produce many security threats, which drives us to provide sufficient attention to adversarial robustness. Many researchers have paid attention to addressing this problem based on the perturbation injection method, which may fail to consider the content of images that correspond to the perturbed feature while only focusing on their classification scores. In general, the existing methods often improve the robustness of the model at the expense of accuracy. In this paper, we propose LD-GAN, a novel framework to improve the adversarial robustness by learning perturbations and guaranteeing classification accuracy. The classic GAN structure is employed in this work. First, we utilize a generative model to reconstruct a training image from the corresponding perturbed feature. Then, the discriminative model is utilized to control the category. The purpose is to control the magnitude of noise addition and ensure that the noise addition does not fundamentally change the feature distribution of the original category. More specifically, we utilize the soft-attention model in the perturbation-injection module, which generates noise according to different layer concerns and improves the flexibility of the noise parameters. Extensive white-box and black-box attack experiments on CIFAR-10 and CIF-100 with state-of-the-art defense methods show the effectiveness of our method.

Hu Jianjun,Yu Mengjing,Xu Qingzhen,Gao Jing

DOI: https://doi.org/10.1007/s11036-020-01618-z

2020-01-01

Mobile Networks and Applications

Abstract:Deep learning is widely used in classification tasks to achieve advanced performance. However, in the face of well-designed image classifications, such as the Fast Gradient Sign Method (FGSM), there are glaring errors. This paper proposes a new technique to eliminate interference using generative adversarial networks (GAN), called multi-branch perturbed generative adversarial networks ( MBP-GAN). MBP-GAN minimizes the input feature flow graph in generator noise filtering by introducing multi-branch fusion perturbations. This makes the sample of the generator more aware of this perturbation, thereby improving the ability of the generator and discriminator to resist classification against attacks in combat training. Through this kind of training, this model can be used as a defense against arbitrary attacks. Then we design the loss function, so that the generator and the discriminator can keep accurate results for general images and classification against images. We verify our experimental results on the MNIST, F-MNIST and CelebA datasets. The results show that the MBP-GAN can effectively eliminate the interference from the classification against the attack.

Jinlai Zhang,Yinpeng Dong,Minchi Kuang,Binbin Liu,Bo Ouyang,Jihong Zhu,Houqing Wang,Yanmei Meng

DOI: https://doi.org/10.1109/tifs.2023.3278458

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:3D perception of objects is critical for many real-world applications, such as autonomous cars and robots. Among them, most state-of-the-art (SOTA) 3D perception systems are based on deep learning models. Recently, the research community found that 3D object classifiers on point cloud based on deep learning are easily fooled by adversarial point cloud craft by attackers. To overcome this, adversarial defenses are considered the most effective ways to improve the robustness of deep learning models, and most adversarial defenses on point cloud are focused on input transformation. However, all previous defense methods decrease the natural accuracy, and the nature of the point cloud classifiers itself has been overlooked. To this end, in this paper, we propose a novel adversarial defense for 3D point cloud classifiers that makes full use of the nature of the point cloud classifiers. Due to the disorder of point cloud, all point cloud classifiers have the property of permutation invariant to the input point cloud. Based on this nature, we design invariant transformations defense (IT-Defense). We show that, even after accounting for obfuscated gradients, our IT-Defense is a resilient defense against SOTA 3D attacks. Moreover, IT-Defense does not hurt clean accuracy compared to previous SOTA 3D defenses. Our code will be available at: https://github.com/cuge1995/ IT-Defense.

Chaofei Yang,Lei Ding,Yiran Chen,Hai Li

DOI: https://doi.org/10.48550/arXiv.2006.07421

2020-06-13

Abstract:Deepfake represents a category of face-swapping attacks that leverage machine learning models such as autoencoders or generative adversarial networks. Although the concept of the face-swapping is not new, its recent technical advances make fake content (e.g., images, videos) more realistic and imperceptible to Humans. Various detection techniques for Deepfake attacks have been explored. These methods, however, are passive measures against Deepfakes as they are mitigation strategies after the high-quality fake content is generated. More importantly, we would like to think ahead of the attackers with robust defenses. This work aims to take an offensive measure to impede the generation of high-quality fake images or videos. Specifically, we propose to use novel transformation-aware adversarially perturbed faces as a defense against GAN-based Deepfake attacks. Different from the naive adversarial faces, our proposed approach leverages differentiable random image transformations during the generation. We also propose to use an ensemble-based approach to enhance the defense robustness against GAN-based Deepfake variants under the black-box setting. We show that training a Deepfake model with adversarial faces can lead to a significant degradation in the quality of synthesized faces. This degradation is twofold. On the one hand, the quality of the synthesized faces is reduced with more visual artifacts such that the synthesized faces are more obviously fake or less convincing to human observers. On the other hand, the synthesized faces can easily be detected based on various metrics.

Computer Vision and Pattern Recognition,Cryptography and Security,Image and Video Processing

Ronghua Shi,Hai Shu,Hongtu Zhu,Ziqi Chen

2020-01-01

Abstract:Deep convolutional neural networks (DCNNs) have achieved great success in image classification, but they may be very vulnerable to adversarial attacks with small perturbations to images. Moreover, the adversarial training based on adversarial image samples has been shown to improve the robustness and generalization of DCNNs. The aim of this paper is to develop a novel framework based on information-geometry sensitivity analysis and the particle swarm optimization to improve two aspects of adversarial image generation and training for DCNNs. The first one is customized generation of adversarial examples. It can design adversarial attacks from options of the number of perturbed pixels, the misclassification probability, and the targeted incorrect class, and hence it is more flexible and effective to locate vulnerable pixels and also enjoys certain adversarial universality. The other is targeted adversarial training. DCNN models can be improved in training with the adversarial information using a manifold-based influence measure effective in vulnerable image/pixel detection as well as allowing for targeted attacks, thereby exhibiting an enhanced adversarial defense in testing.

Sicheng Zhang,Jie Liu,Zhida Bao,Yandie Yang,Meiyu Wang,Yun Lin

DOI: https://doi.org/10.1109/tr.2024.3386216

IF: 5.883

2024-01-01

IEEE Transactions on Reliability

Abstract:Automatic modulation classification (AMC) is a key technology in cyber-physical systems (CPSs), which enables the monitoring and identification of communication signals exchanged between devices. One of the most recognized solutions for the AMC is deep learning (DL), which can automatically learn and extract feature representations in signals. However, data-driven DL models are susceptible to adversarial examples, which can cause significant instability in the CPS. To tackle this issue, in this article, we examine the distribution shift between original signals and adversarial examples from a domain distribution perspective and present a system model for addressing the defense problem. We propose the adversarial domain generalization defense (ADGD) framework. The ADGD framework adopts a dual-stream architecture with the AMC as its central task, and extracts and constrains the maximum mean discrepancy distance between the task-relevant features of original signals and adversarial examples to reduce the distribution shift and improve the adversarial robustness. Comprehensive experiments and ablations were conducted to demonstrate the superiority of the proposed ADGD framework on the RML2016.10a and miniRML2018.01a datasets. The results indicate that the ADGD framework shows promising results in improving the adversarial robustness of AMC systems, which is crucial for the stability of the CPS.

Weiwei Feng,Nanqing Xu,Tianzhu Zhang,Baoyuan Wu,Yongdong Zhang

DOI: https://doi.org/10.1109/tifs.2023.3288426

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deep neural networks are known to be vulnerable to adversarial examples, where adding carefully crafted adversarial perturbations to the inputs can mislead the DNN model. However, it is challenging to generate effective adversarial examples in the physical world due to many uncontrollable physical dynamics, which pose security and safety threats in the real world. Current physical attack methods aim to generate robust physical adversarial examples by simulating all possible physical dynamics. If attacking a new image or a new DNN model, they require expensive manual efforts for simulating physical dynamics or considerable time for iteratively optimizing. To tackle these limitations, we propose a robust and generalized physical adversarial attack method with Meta-GAN (Meta-GAN Attack), which is able to not only generate robust physical adversarial examples, but also generalize to attacking novel images and novel DNN models by accessing a few digital and physical images. First, we propose to craft robust physical adversarial examples with a generative attack model via simulating color and shape distortions. Second, we formulate the physical attack as a few-shot learning problem and design a novel class-agnostic and model-agnostic meta-learning algorithm to solve this problem. Extensive experiments on two benchmark datasets with four challenging experimental settings verify the superior robustness and generalization of our method by comparing to state-of-the-art physical attack methods. The source code is released at github.