Qianqian Song,Xiangwei Kong,Ziming Wang

DOI: https://doi.org/10.1007/978-3-030-93049-3_4

2021-01-01

Abstract:The accurate interpretation of neural network about how the network works is important. However, a manipulated explanation may have the potential to mislead human users not to trust a reliable network. Therefore, it is necessary to verify interpretation algorithms by designing effective attacks to simulate various possible threats in the real world. In this work, we mainly explore how to mislead interpretation. More specifically, we optimize the noise added to the input, which aims to highlight a certain area that we specify without changing the output category of network. With our proposed algorithm, we demonstrate that the state-of-the-art saliency maps based interpreters, e.g., Grad-CAM, Guided-Feature-Inversion, Grad-CAM++, Score-CAM and Full-Grad can be easily fooled. We propose two situations of fooling, Single-target attack and Multi-target attack, and show that the fooling can be transfered to different interpretation methods as well as generalized to the unseen samples with the universal noise. We also take image patches to fool Grad-CAM. Our results are proved in both qualitative and quantitative ways and we further propose a quantitative metric to measure the effectiveness of algorithm. We believe that our method can serve as an additional evaluation of robustness for future interpretation algorithms.

Haohan Liu,Xingquan Zuo,Hai Huang,Xing Wan

DOI: https://doi.org/10.1007/978-3-031-20500-2_1

2022-01-01

Abstract:The current deep neural networks (DNN) are easily fooled by adversarial examples, which are generated by adding some small, well-designed and human-imperceptible perturbations to clean examples. Adversarial examples will mislead deep learning (DL) model to make wrong predictions. At present, many existing white-box attack methods in the image field are mainly based on the global gradient of the model. That is, the global gradient is first calculated, and then the perturbation is added into the gradient direction. Those methods usually have a high attack success rate. However, there are also some shortcomings, such as excessive perturbation and easy detection by the human's eye. Therefore, in this paper we propose a SaliencyMap-based Local white-box Adversarial Attack method (SMLAA). The saliencymap used in the interpretability of artificial intelligence is introduced in SMLAA. First, Gradient-weighted Class Activation Mapping (Grad-CAM) is utilized to provide a visual interpretation of model decisions to find important areas in an image. Then, the perturbation is added only to important local areas to reduce the magnitude of perturbations. Experimental results show that compared with the global attack method, SMLAA reduces the average robustness measure by 9%-24% while ensuring the attack success rate. It means that SMLAA has a high attack success rate with fewer pixels changed.

Zifei Zhang,Kai Qiao,Lingyun Jiang,Linyuan Wang,Jian Chen,Bin Yan

DOI: https://doi.org/10.1007/978-3-030-62460-6_42

2020-01-01

Abstract:Compared with traditional machine learning models, deep neural networks perform better, especially in image classification tasks. However, they are vulnerable to adversarial examples. Adding small perturbations on examples causes a good-performance model to misclassify the crafted examples, without category differences in the human eyes, and fools deep models successfully. There are two requirements for generating adversarial examples: the attack success rate and image fidelity metrics. Generally, the magnitudes of perturbation are increased to ensure the adversarial examples’ high attack success rate; however, the adversarial examples obtained have poor concealment. To alleviate the tradeoff between the attack success rate and image fidelity, we propose a method named AdvJND, adding visual model coefficients, just noticeable difference, in the constraint of a distortion function when generating adversarial examples. In fact, the visual subjective feeling of the human eyes is added as a priori information, which decides the distribution of perturbations, to improve the image quality of adversarial examples. We tested our method on the FashionMNIST, CIFAR10, and MiniImageNet datasets. Our adversarial examples keep high image quality under slightly decreasing attack success rate. Since our AdvJND algorithm yield gradient distributions that are similar to those of the original inputs, the crafted noise can be hidden in the original inputs, improving the attack concealment significantly.

Jiabao Liu,Qixiang Zhang,Kanghua Mo,Xiaoyu Xiang,Jin Li,Debin Cheng,Rui Gao,Beishui Liu,Kongyang Chen,Guanjie Wei

DOI: https://doi.org/10.1016/j.csi.2021.103612

2022-08-01

Abstract:Most existing deep neural networks are susceptible to the influence of adversarial examples, which may cause them to output incorrect prediction results. An adversarial example is the addition of small noise disturbances to the input data samples, which will deceive the classification. Generally, these modifications are very small noise disturbances, which are not easily noticed by the human eye. However, most existing adversarial attacks achieve only low success rates in typical black-box settings, where the attackers have no prior knowledge about the model structures and/or model parameters. To tackle this problem, we propose an iterative algorithm based on an acceleration gradient to enhance the adversary attack. Our method accumulates the gradient of the loss function in each iteration and uses the next gradient information to influence the future gradient. We also introduce the scaling invariance principle of a deep neural network to optimize the input images for black-box attacks. In addition, to handle the drawbacks of a traditional iterative fast gradient sign method, we further present two gradient optimization methods. Experimental results on the ImageNet dataset show that our attack methods can achieve good transferability. In addition, those models obtained by integrated adversarial training with strong defense capability are also quite vulnerable to our black-box attack.

computer science, software engineering, hardware & architecture

Bo Luo,Yannan Liu,Lingxiao Wei,Qiang Xu

DOI: https://doi.org/10.1609/aaai.v32i1.11499

2018-04-25

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Machine learning systems based on deep neural networks, being able to produce state-of-the-art results on various perception tasks, have gained mainstream adoption in many applications. However, they are shown to be vulnerable to adversarial example attack, which generates malicious output by adding slight perturbations to the input. Previous adversarial example crafting methods, however, use simple metrics to evaluate the distances between the original examples and the adversarial ones, which could be easily detected by human eyes. In addition, these attacks are often not robust due to the inevitable noises and deviation in the physical world. In this work, we present a new adversarial example attack crafting method, which takes the human perceptual system into consideration and maximizes the noise tolerance of the crafted adversarial example. Experimental results demonstrate the efficacy of the proposed technique.

J. Dong,Saiyu Qi,Qian Li,Qingyuan Hu,Yong Qi,Yun Lin

DOI: https://doi.org/10.1109/TIFS.2020.3047752

IF: 7.231

IEEE Transactions on Information Forensics and Security

Abstract:Adversarial Examples threaten to fool deep learning models to output erroneous predictions with high confidence. Optimization-based methods for constructing such samples have been extensively studied. While being effective in terms of aggression, they typically lack clear interpretation and constraint about their underlying generation process, which thus hinders us from leveraging the produced adversarial samples for model protection in the reverse direction. Hence, we expect them to repair bugs in the pre-trained models by produced additional training data equipped with strong attack ability rather than time-consuming full re-training from scratch. To address these issues, we first study the black-box behaviors and the intrinsic deficiency of neighborhood information in previous optimization-based adversarial attacks and defenses, respectively. Then we introduce a new method dubbed FeaCP, which uses correct predicted samples in disjoint classes to guide the generation of more explainable adversarial samples in the ambiguous region around the decision boundary instead of uncontrolled “blind spots”, via convex combination in a feature component-wise manner which takes the individual importance of feature ingredients into account. Our method incorporates the prior fact that for well-separated samples, the path connecting them would go through model’s decision-boundary that lies in a low-density region, however, wherein adversarial examples are spread with high probability, thus having an impact on the ultimate trained model. In our work, the path is constructed by proposed inhomogeneous feature-wise convex interpolation rather than operating on sample-wise level, limiting the search space of FeaCP to obtain an adaptive neighborhood. Finally, we provide detailed insights and extend our method to adversarial fine-tuning using vicinity distribution to optimize the approximated decision boundary, and validate the significance of our FeaCP to model performance. The experimental results show that our method provides competitive performance on various datasets and networks.

Mathematics,Computer Science

Zhongwang Fu,Xiaohui Cui

DOI: https://doi.org/10.3390/e25020215

IF: 2.738

2023-01-22

Entropy

Abstract:The research on image-classification-adversarial attacks is crucial in the realm of artificial intelligence (AI) security. Most of the image-classification-adversarial attack methods are for white-box settings, demanding target model gradients and network architectures, which is less practical when facing real-world cases. However, black-box adversarial attacks immune to the above limitations and reinforcement learning (RL) seem to be a feasible solution to explore an optimized evasion policy. Unfortunately, existing RL-based works perform worse than expected in the attack success rate. In light of these challenges, we propose an ensemble-learning-based adversarial attack (ELAA) targeting image-classification models which aggregate and optimize multiple reinforcement learning (RL) base learners, which further reveals the vulnerabilities of learning-based image-classification models. Experimental results show that the attack success rate for the ensemble model is about 35% higher than for a single model. The attack success rate of ELAA is 15% higher than those of the baseline methods.

physics, multidisciplinary

Kunyu Wang,Juluan Shi,Wenxuan Wang

2023-11-01

Abstract:Deep neural networks are susceptible to adversarial attacks, which pose a significant threat to their security and reliability in real-world applications. The most notable adversarial attacks are transfer-based attacks, where an adversary crafts an adversarial example to fool one model, which can also fool other models. While previous research has made progress in improving the transferability of untargeted adversarial examples, the generation of targeted adversarial examples that can transfer between models remains a challenging task. In this work, we present a novel approach to generate transferable targeted adversarial examples by exploiting the vulnerability of deep neural networks to perturbations on high-frequency components of images. We observe that replacing the high-frequency component of an image with that of another image can mislead deep models, motivating us to craft perturbations containing high-frequency information to achieve targeted attacks. To this end, we propose a method called Low-Frequency Adversarial Attack (\name), which trains a conditional generator to generate targeted adversarial perturbations that are then added to the low-frequency component of the image. Extensive experiments on ImageNet demonstrate that our proposed approach significantly outperforms state-of-the-art methods, improving targeted attack success rates by a margin from 3.2\% to 15.5\%.

Computer Vision and Pattern Recognition

Tao Xiang,Hangcheng Liu,Shangwei Guo,Tianwei Zhang,Xiaofeng Liao

DOI: https://doi.org/10.48550/arxiv.2101.01032

2021-01-01

Abstract: Adversarial attacks have threatened the application of deep neural networks in security-sensitive scenarios. Most existing black-box attacks fool the target model by interacting with it many times and producing global perturbations. However, global perturbations change the smooth and insignificant background, which not only makes the perturbation more easily be perceived but also increases the query overhead. In this paper, we propose a novel framework to perturb the discriminative areas of clean examples only within limited queries in black-box attacks. Our framework is constructed based on two types of transferability. The first one is the transferability of model interpretations. Based on this property, we identify the discriminative areas of a given clean example easily for local perturbations. The second is the transferability of adversarial examples. It helps us to produce a local pre-perturbation for improving query efficiency. After identifying the discriminative areas and pre-perturbing, we generate the final adversarial examples from the pre-perturbed example by querying the targeted model with two kinds of black-box attack techniques, i.e., gradient estimation and random search. We conduct extensive experiments to show that our framework can significantly improve the query efficiency during black-box perturbing with a high attack success rate. Experimental results show that our attacks outperform state-of-the-art black-box attacks under various system settings.

Liangru Sun,Felix Juefei-Xu,Yihao Huang,Qing Guo,Jiayi Zhu,Jincao Feng,Yang Liu,Geguang Pu

2022-01-01

Abstract: Most researchers have tried to enhance the robustness of deep neural networks (DNNs) by revealing and repairing the vulnerability of DNNs with specialized adversarial examples. Parts of the attack examples have imperceptible perturbations restricted by Lp norm. However, due to their high-frequency property, the adversarial examples usually have poor transferability and can be defensed by denoising methods. To avoid the defects, some works make the perturbations unrestricted to gain better robustness and transferability. However, these examples usually look unnatural and alert the guards. To generate unrestricted adversarial examples with high image quality and good transferability, in this paper, we propose Adversarial Lightness Attack (ALA), a white-box unrestricted adversarial attack that focuses on modifying the lightness of the images. The shape and color of the samples, which are crucial to human perception, are barely influenced. To obtain adversarial examples with high image quality, we craft a naturalness-aware regularization. To achieve stronger transferability, we propose random initialization and non-stop attack strategy in the attack procedure. We verify the effectiveness of ALA on two popular datasets for different tasks (i.e., ImageNet for image classification and Places-365 for scene recognition). The experiments show that the generated adversarial examples have both strong transferability and high image quality. Besides, the adversarial examples can also help to improve the standard trained ResNet50 on defending lightness corruption.

Wei Shi,Wentao Zhang,Ruixuan Wang

DOI: https://doi.org/10.1145/3603273.3630044

2023-01-01

Abstract:Recently, deep learning models have demonstrated outstanding performance, but the lack of interpretability makes it difficult to apply them to high-risk tasks. Many existing post-hoc explanation methods have been proposed to explain specific model predictions, but they mostly focus on which locations influence the model decision. In other words, they only provide the location information of discriminative regions but cannot provide the visual differences of the relevant categories in these regions. In this paper, a simple yet effective approach is proposed to explain specific model prediction, which uses visual differences between different categories to provide more intuitive explanations. The basic idea is to use adversarial attacks to transform discriminative features in local regions of an image into features of another class, thereby achieving an explanation of the model's predictions. In this way, the location difference between the original class and the target class in the image will be localized, and an intuitive explanation will be provided through visual changes within the region. Extensive evaluation demonstrates that the proposed method can accurately and adaptively locate discriminative regions in images, and provide users with an intuitive explanation of the classification basis for model predictions through visualization results.

Qi Guo,Shanmin Pang,Xiaojun Jia,Yang Liu,Qing Guo

2024-07-23

Abstract:Adversarial attacks, particularly \textbf{targeted} transfer-based attacks, can be used to assess the adversarial robustness of large visual-language models (VLMs), allowing for a more thorough examination of potential security flaws before deployment. However, previous transfer-based adversarial attacks incur high costs due to high iteration counts and complex method structure. Furthermore, due to the unnaturalness of adversarial semantics, the generated adversarial examples have low transferability. These issues limit the utility of existing methods for assessing robustness. To address these issues, we propose AdvDiffVLM, which uses diffusion models to generate natural, unrestricted and targeted adversarial examples via score matching. Specifically, AdvDiffVLM uses Adaptive Ensemble Gradient Estimation to modify the score during the diffusion model's reverse generation process, ensuring that the produced adversarial examples have natural adversarial targeted semantics, which improves their transferability. Simultaneously, to improve the quality of adversarial examples, we use the GradCAM-guided Mask method to disperse adversarial semantics throughout the image rather than concentrating them in a single area. Finally, AdvDiffVLM embeds more target semantics into adversarial examples after multiple iterations. Experimental results show that our method generates adversarial examples 5x to 10x faster than state-of-the-art transfer-based adversarial attacks while maintaining higher quality adversarial examples. Furthermore, compared to previous transfer-based adversarial attacks, the adversarial examples generated by our method have better transferability. Notably, AdvDiffVLM can successfully attack a variety of commercial VLMs in a black-box environment, including GPT-4V.

Computer Vision and Pattern Recognition

Tsz-Him Cheung,Chiu Wai Yan,Dit-Yan Yeung

Abstract:Adversarial attack aims to generate deceptive inputs to fool a machine learning model. In deep learning, an adversarial input created for a specific neural network can also trick other neural networks. This intriguing property is known as black-box transferability of adversarial examples. To improve black-box trans-ferability, a previously proposed method called Intermediate Level Attack (ILA) fine-tunes an adversarial example by maximizing its perturbation on an intermediate layer of the source model. Meanwhile, it has been shown that simple image transformations can also enhance attack transferability. Based on these two observations, we propose ILA-DA, which employs three novel augmentation techniques to enhance ILA. Specifically, we propose (1) an automated way to apply effective image transformations, (2) an efficient reverse adversarial update technique, and (3) an attack interpolation method to create more transferable adversarial examples. Shown by extensive experiments, ILA-DA greatly outperforms ILA and other state-of-the-art attacks by a large margin. On ImageNet, we attain an average attack success rate of 84.5%, which is 19.5% better than ILA and 4.7% better than the previous state-of-the-art across nine undefended models. For defended models, ILA-DA also leads existing attacks and provides further gains when incorporated into more advanced attack methods. The code is available at https://github.com/argenycw/ILA-DA .

Computer Science,Engineering

Long Tang,Bin Yu

DOI: https://doi.org/10.1109/dsa51864.2020.00051

2020-01-01

Abstract:Deep neural network (DNN) has been widely used in many application scenarios, but it is easy to be affected by slight disturbance, which is referred to as adversarial examples, and produces wrong decisions endangering system security. It is difficult to obtain the structure and parameter information of the target network in the actual scene. In this paper, we propose an optimization-based method to generate adversarial examples. Inspired by the autoencoder and Conditional Generative Adversarial Net (CGAN), we train the encoder to encode the image into latent vector, of which the specific region (category field) is used to represent the category information of the image, and then train the decoder to generate adversarial examples of the specified category. We perform Natural Evolution Strategy in the low-dimensional latent space to further improve the attack. The result shows that our method can successfully attack the target network within only one or a few queries. We evaluate our method on Sign-Language-Digits (SLD) and Cifar-10 datasets. Compared with other methods, our approach can attack the target model with less queries, and maintain a high success rate.

Haobo Wang,Chenxi Zhu,Yangjie Cao,Yan Zhuang,Jie Li,Xianfu Chen

DOI: https://doi.org/10.3390/electronics12040816

IF: 2.9

2023-01-01

Electronics

Abstract:Deep neural networks are susceptible to interference from deliberately crafted noise, which can lead to incorrect classification results. Existing approaches make less use of latent space information and conduct pixel-domain modification in the input space instead, which increases the computational cost and decreases the transferability. In this work, we propose an effective adversarial distribution searching-driven attack (ADSAttack) algorithm to generate adversarial examples against deep neural networks. ADSAttack introduces an affiliated network to search for potential distributions in image latent space for synthesizing adversarial examples. ADSAttack uses an edge-detection algorithm to locate low-level feature mapping in input space to sketch the minimum effective disturbed area. Experimental results demonstrate that ADSAttack achieves higher transferability, better imperceptible visualization, and faster generation speed compared to traditional algorithms. To generate 1000 adversarial examples, ADSAttack takes 11.08s and, on average, achieves a success rate of 98.01%.

Zhaoxia Yin,Shaowei Zhu,Hang Su,Jianteng Peng,Wanli Lyu,Bin Luo

DOI: https://doi.org/10.48550/arxiv.2305.04436

2023-01-01

Abstract: Deep Neural Networks (DNNs) have recently made significant progress in many fields. However, studies have shown that DNNs are vulnerable to adversarial examples, where imperceptible perturbations can greatly mislead DNNs even if the full underlying model parameters are not accessible. Various defense methods have been proposed, such as feature compression and gradient masking. However, numerous studies have proven that previous methods create detection or defense against certain attacks, which renders the method ineffective in the face of the latest unknown attack methods. The invisibility of adversarial perturbations is one of the evaluation indicators for adversarial example attacks, which also means that the difference in the local correlation of high-frequency information in adversarial examples and normal examples can be used as an effective feature to distinguish the two. Therefore, we propose an adversarial example detection framework based on a high-frequency information enhancement strategy, which can effectively extract and amplify the feature differences between adversarial examples and normal examples. Experimental results show that the feature augmentation module can be combined with existing detection models in a modular way under this framework. Improve the detector's performance and reduce the deployment cost without modifying the existing detection model.

Yixiang Wang,Jiqiang Liu,Xiaolin Chang,Ricardo J. Rodriguez,Jianhua Wang

DOI: https://doi.org/10.1016/j.ins.2022.07.157

IF: 8.1

2022-01-01

Information Sciences

Abstract:White-box adversarial example (AE) attacks on deep neural networks (DNNs) have a more powerful destructive capacity than black-box attacks using AE strategies. However, few studies have been conducted on the generation of low-perturbation adversarial examples from the interpretability perspective. Specifically, adversaries who conducted attacks lacked interpretation from the point of view of DNNs , and the perturbation was not further considered. To address these, we propose an interpretable white-box AE attack approach, DI-AA, which not only explores the application of the interpretable method of deep Taylor decomposition in selecting the most contributing features but also adopts the Lagrangian relaxation optimization of the logit output and L p norm to make the perturbation more unnoticeable. We compare DI-AA with eight baseline attacks on four representative datasets. Experimental results reveal that our approach can (1) attack nonrobust models with low perturbation, where the perturbation is closer to or lower than that of the state-of-the-art white-box AE attacks; (2) evade the detection of the adversarial-training robust models with the highest success rate; (3) be flexible in the degree of AE generation saturation. Additionally, the AE generated by DI-AA can reduce the accuracy of the robust black-box models by 16–31 % in the black-box manner.

Yajie Wang,Shangbo Wu,Wenyi Jiang,Shengang Hao,Yu-an Tan,Quanxin Zhang

DOI: https://doi.org/10.48550/arXiv.2107.01396

2021-07-03

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples. Adversarial examples are malicious images with visually imperceptible perturbations. While these carefully crafted perturbations restricted with tight $\Lp$ norm bounds are small, they are still easily perceivable by humans. These perturbations also have limited success rates when attacking black-box models or models with defenses like noise reduction filters. To solve these problems, we propose Demiguise Attack, crafting ``unrestricted'' perturbations with Perceptual Similarity. Specifically, we can create powerful and photorealistic adversarial examples by manipulating semantic information based on Perceptual Similarity. Adversarial examples we generate are friendly to the human visual system (HVS), although the perturbations are of large magnitudes. We extend widely-used attacks with our approach, enhancing adversarial effectiveness impressively while contributing to imperceptibility. Extensive experiments show that the proposed method not only outperforms various state-of-the-art attacks in terms of fooling rate, transferability, and robustness against defenses but can also improve attacks effectively. In addition, we also notice that our implementation can simulate illumination and contrast changes that occur in real-world scenarios, which will contribute to exposing the blind spots of DNNs.

Computer Vision and Pattern Recognition,Artificial Intelligence

Zhiyi Lin,Changgen Peng,Weijie Tan,Xing He

DOI: https://doi.org/10.3390/e25030487

2023-03-10

Abstract:Adversarial example generation techniques for neural network models have exploded in recent years. In the adversarial attack scheme for image recognition models, it is challenging to achieve a high attack success rate with very few pixel modifications. To address this issue, this paper proposes an adversarial example generation method based on adaptive parameter adjustable differential evolution. The method realizes the dynamic adjustment of the algorithm performance by adjusting the control parameters and operation strategies of the adaptive differential evolution algorithm, while searching for the optimal perturbation. Finally, the method generates adversarial examples with a high success rate, modifying just a very few pixels. The attack effectiveness of the method is confirmed in CIFAR10 and MNIST datasets. The experimental results show that our method has a greater attack success rate than the One Pixel Attack based on the conventional differential evolution. In addition, it requires significantly less perturbation to be successful compared to global or local perturbation attacks, and is more resistant to perception and detection.

Pin-Yu Chen,Yash Sharma,Huan Zhang,Jinfeng Yi,Cho-Jui Hsieh

DOI: https://doi.org/10.1609/aaai.v32i1.11302

2018-04-25

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Recent studies have highlighted the vulnerability of deep neural networks (DNNs) to adversarial examples — a visually indistinguishable adversarial image can easily be crafted to cause a well-trained model to misclassify. Existing methods for crafting adversarial examples are based on L2 and L∞ distortion metrics. However, despite the fact that L1 distortion accounts for the total variation and encourages sparsity in the perturbation, little has been developed for crafting L1-based adversarial examples. In this paper, we formulate the process of attacking DNNs via adversarial examples as an elastic-net regularized optimization problem. Our elastic-net attacks to DNNs (EAD) feature L1-oriented adversarial examples and include the state-of-the-art L2 attack as a special case. Experimental results on MNIST, CIFAR10 and ImageNet show that EAD can yield a distinct set of adversarial examples with small L1 distortion and attains similar attack performance to the state-of-the-art methods in different attack scenarios. More importantly, EAD leads to improved attack transferability and complements adversarial training for DNNs, suggesting novel insights on leveraging L1 distortion in adversarial machine learning and security implications of DNNs.