Junkun Yuan,Shaofang Zhou,Lanfen Lin,Feng Wang,Jia Cui

DOI: https://doi.org/10.3233/faia200388

2020-01-01

Abstract:For efficient malware detection, there are more and more deep learning methods based on raw software binaries. Recent studies show that deep learning models can easily be fooled to make a wrong decision by introducing subtle perturbations to inputs, which attracts a large influx of work in adversarial attacks. However, most of the existing attack methods are based on manual features (e.g., API calls) or in the white-box setting, making the attacks impractical in current real-world scenarios. In this work, we propose a novel attack framework called GAPGAN, which generates adversarial payloads (padding bytes) with generative adversarial networks (GANs). To the best of our knowledge, it is the first work that performs endto-end black-box attacks at the byte-level against deep learning based malware binaries detection. In our attack framework, we map input discrete malware binaries to continuous space, then feed it to the generator of GAPGAN to generate adversarial payloads. We append payloads to the original binaries to craft an adversarial sample while preserving its functionality. We propose to use a dynamic threshold for reducing the loss of the effectiveness of the payloads when mapping it from continuous format back to the original discrete format. For balancing the attention of the generator to the payloads and the adversarial samples, we use an automatic weight tuning strategy. We train GAPGAN with both malicious and benign software. Once the training is finished, the generator can generate an adversarial sample with only the input malware in less than twenty milliseconds. We apply GAPGAN to attack the state-of-the-art detector MalConv and achieve 100% attack success rate with only appending payloads of 2.5% of the total length of the data for detection. We also attack deep learning models with different structures under different defense methods. The experiments show that GAPGAN outperforms other state-of-the-art attack models in efficiency and effectiveness.

Tianyi Chu,Wei Xing,Jiafu Chen,Zhizhong Wang,Jiakai Sun,Lei Zhao,Haibo Chen,Huaizhong Lin

DOI: https://doi.org/10.1609/aaai.v38i2.27900

2024-01-01

Abstract:Existing generative adversarial network (GAN) based conditional imagegenerative models typically produce fixed output for the same conditionalinput, which is unreasonable for highly subjective tasks, such as large-maskimage inpainting or style transfer. On the other hand, GAN-based diverse imagegenerative methods require retraining/fine-tuning the network or designingcomplex noise injection functions, which is computationally expensive,task-specific, or struggle to generate high-quality results. Given that manydeterministic conditional image generative models have been able to producehigh-quality yet fixed results, we raise an intriguing question: is it possiblefor pre-trained deterministic conditional image generative models to generatediverse results without changing network structures or parameters? To answerthis question, we re-examine the conditional image generation tasks from theperspective of adversarial attack and propose a simple and efficient plug-inprojected gradient descent (PGD) like method for diverse and controllable imagegeneration. The key idea is attacking the pre-trained deterministic generativemodels by adding a micro perturbation to the input condition. In this way,diverse results can be generated without any adjustment of network structuresor fine-tuning of the pre-trained models. In addition, we can also control thediverse results to be generated by specifying the attack direction according toa reference text or image. Our work opens the door to applying adversarialattack to low-level vision tasks, and experiments on various conditional imagegeneration tasks demonstrate the effectiveness and superiority of the proposedmethod.

Xueluan Gong,Ziyao Wang,Shuaike Li,Yanjiao Chen,Qian Wang

DOI: https://doi.org/10.1109/tifs.2023.3295944

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the development of deep learning, deep neural network (DNN)-based application have become an indispensable aspect of daily life. However, recent studies have shown that these well-trained DNN models are vulnerable to model inversion attacks (MIAs), where attackers can recover their training data with high fidelity. Although several defensive strategies have been proposed to mitigate the impact of such attacks, existing defenses will inevitably compromise the model performance and are ineffective against more sophisticated attacks, such as Mirror (An et al., 2022). In this paper, we introduce a novel GAN-based defense approach against model inversion attacks. Unlike previous works that perturb the prediction vector of the model, we manipulate the training procedure of the victim model by incorporating carefully-designed GAN-based fake samples. We also adjust the loss of the inversed samples to inject misleading features into the protected label of the victim model. Additionally, we adopt the concept of continual learning to improve the utility of the model. Extensive experiments conducted on the CelebA, VGG-Face, and VGG-Face2 datasets demonstrate that our proposed method outperforms existing defenses against state-of-the-art model inversion attacks, including DMI (Chen et al., 2021), Mirror (An et al., 2022), Privacy (Fredrikson et al., 2014), and AMI (Yang et al., 2019). It is shown that our proposed method can also retain a high defense performance in black-box scenarios.

Pouya Samangouei,Maya Kabkab,Rama Chellappa

DOI: https://doi.org/10.48550/arXiv.1805.06605

2018-05-17

Computer Vision and Pattern Recognition

Abstract:In recent years, deep neural network approaches have been widely adopted for machine learning tasks, including classification. However, they were shown to be vulnerable to adversarial perturbations: carefully crafted small perturbations can cause misclassification of legitimate images. We propose Defense-GAN, a new framework leveraging the expressive capability of generative models to defend deep neural networks against such attacks. Defense-GAN is trained to model the distribution of unperturbed images. At inference time, it finds a close output to a given image which does not contain the adversarial changes. This output is then fed to the classifier. Our proposed method can be used with any classification model and does not modify the classifier structure or training procedure. It can also be used as a defense against any attack as it does not assume knowledge of the process for generating the adversarial examples. We empirically show that Defense-GAN is consistently effective against different attack methods and improves on existing defense strategies. Our code has been made publicly available at https://github.com/kabkabm/defensegan

Weimin Zhao,Qusay H Mahmoud,Sanaa Alwidian

DOI: https://doi.org/10.3390/s23052697

2023-03-01

Abstract:Deep learning has been successfully utilized in many applications, but it is vulnerable to adversarial samples. To address this vulnerability, a generative adversarial network (GAN) has been used to train a robust classifier. This paper presents a novel GAN model and its implementation to defend against L∞ and L2 constraint gradient-based adversarial attacks. The proposed model is inspired by some of the related work, but it includes multiple new designs such as a dual generator architecture, four new generator input formulations, and two unique implementations with L∞ and L2 norm constraint vector outputs. The new formulations and parameter settings of GAN are proposed and evaluated to address the limitations of adversarial training and defensive GAN training strategies, such as gradient masking and training complexity. Furthermore, the training epoch parameter has been evaluated to determine its effect on the overall training results. The experimental results indicate that the optimal formulation of GAN adversarial training must utilize more gradient information from the target classifier. The results also demonstrate that GANs can overcome gradient masking and produce effective perturbation to augment the data. The model can defend PGD L2 128/255 norm perturbation with over 60% accuracy and PGD L∞ 8/255 norm perturbation with around 45% accuracy. The results have also revealed that robustness can be transferred between the constraints of the proposed model. In addition, a robustness-accuracy tradeoff was discovered, along with overfitting and the generalization capabilities of the generator and classifier. These limitations and ideas for future work will be discussed.

Hyeungill Lee,Sungyeob Han,Jungwoo Lee

2023-07-04

Abstract:We propose a novel technique to make neural network robust to adversarial examples using a generative adversarial network. We alternately train both classifier and generator networks. The generator network generates an adversarial perturbation that can easily fool the classifier network by using a gradient of each image. Simultaneously, the classifier network is trained to classify correctly both original and adversarial images generated by the generator. These procedures help the classifier network to become more robust to adversarial perturbations. Furthermore, our adversarial training framework efficiently reduces overfitting and outperforms other regularization methods such as Dropout. We applied our method to supervised learning for CIFAR datasets, and experimantal results show that our method significantly lowers the generalization error of the network. To the best of our knowledge, this is the first method which uses GAN to improve supervised learning.

Machine Learning

Guoqing Jin,Shiwei Shen,Dongming Zhang,Feng Dai,Yongdong Zhang

DOI: https://doi.org/10.1109/icassp.2019.8683044

2017-01-01

Abstract:Although Deep Neural Networks could achieve state-of-the-art performance while recongnizing images, they often suffer a tremendous defeat from adversarial examples-inputs generated by utilizing imperceptible but intentional perturbations to samples from the datasets. So far, very few methods have provided a significant defense to adversarial examples. In this paper, an effective framework based Generative Adversarial Nets(GAN) is proposed to defense against the adversarial examples. The essense of the model is to eliminate the adversarial perturbations being highly aligned with the weight vectors of nueral models. Extensive experiments on benchmark datasets MNIST, CIFAR10 and ImageNet indicate that our framework is able to defense against adversarial examples effectively.

Huaxia Wang,Chun-Nam Yu

DOI: https://doi.org/10.48550/arXiv.1905.09591

2019-05-23

Computer Vision and Pattern Recognition

Abstract:Deep neural networks have been shown to perform well in many classical machine learning problems, especially in image classification tasks. However, researchers have found that neural networks can be easily fooled, and they are surprisingly sensitive to small perturbations imperceptible to humans. Carefully crafted input images (adversarial examples) can force a well-trained neural network to provide arbitrary outputs. Including adversarial examples during training is a popular defense mechanism against adversarial attacks. In this paper we propose a new defensive mechanism under the generative adversarial network (GAN) framework. We model the adversarial noise using a generative network, trained jointly with a classification discriminative network as a minimax game. We show empirically that our adversarial network approach works well against black box attacks, with performance on par with state-of-art methods such as ensemble adversarial training and adversarial training with projected gradient descent.

Qi Liang,Qiang Li,Song Yang

DOI: https://doi.org/10.1016/j.imavis.2021.104370

IF: 3.86

2022-01-01

Image and Vision Computing

Abstract:With the rapid development of technologies for 3D model construction and analysis, the 3D model has been utilized in many applications, such as 3D reconstruction, object detection, and self-driving vehicles. Moreover, the development of deep learning theory has also enabled 3D model analysis to achieve revolutionary performance in many tasks. However, the adversarial robustness of these models has not received sufficient attention. Few methods focus on the generation of better adversarial samples for attacking the point cloud models that are utilized for testing the adversarial robustness. Many approaches only focus on shifting the critical points based on the perturbation metric but ignore the characteristics of adversarial points. In this work, we propose a novel generative model to produce adversarial samples. Based on the GAN, the generator can learn the representation of the adversarial points effectively, and adjust the adversarial samples to fool the point cloud models according to different point clouds. Furthermore, we hope that the adversarial samples not only fool the point cloud models but also can fool the human visual system with unnoticeable points, which is also the characteristic of the adversarial examples. Here, we propose a perception loss to improve the quality of the adversarial samples according to the original sample. Based on the generative model and perception loss, the final adversarial samples can effectively be utilized to improve the adversarial robustness of the point cloud models. Extensive attack experiments conducted on the ModelNet with state-of-the-art point cloud models demonstrate the effectiveness of our method.

Haibin Zheng,Jinyin Chen,Hang Du,Weipeng Zhu,Shouling Ji,Xuhong Zhang

DOI: https://doi.org/10.1109/tdsc.2021.3124337

2022-01-01

Abstract:Despite of its tremendous popularity and success in computer vision (CV) and natural language processing, deep learning is inherently vulnerable to adversarial attacks in which adversarial examples (AEs) are carefully crafted by imposing imperceptible perturbations on the clean examples to deceive the target deep neural networks (DNNs). Many defense solutions in CV have been proposed. However, most of them, e.g., adversarial training, suffer from a low generality due to the reliance on limited AEs. Moreover, some solutions even have a non-negligible negative impact on the classification accuracy of clean examples. Last but not least, they are impotent against the unconstrained attacks in which the attackers optimize the perturbation direction and size by additionally taking the defense methods into accounts. In this article, we propose GRIP-GAN to learn a general robust inverse perturbation (GRIP), which is not only able to offset any potential adversarial perturbations but also strengthen the target class-related features, purely from the clean images via a generative adversarial network (GAN). By feeding a random noise, GRIP-GAN is able to generate a dynamic GRIP for each input image to defend against unconstrained attacks. To further improve the defense performance, we also enable GRIP-GAN to generate a GRIP tailored to each input image via feeding input image specific noise to GRIP-GAN. Extensive experiments are carried out on MNIST, CIFAR10, and ImageNet datasets against 17 adversarial attacks. The results show that GRIP-GAN outperforms all the baselines. We further share insights on the success of GRIP-GAN and provide visualized proofs.

Qian Wu,Chunjie Cao,Jianbin Mai,Fangjian Tao

DOI: https://doi.org/10.1007/978-3-030-73671-2_8

2020-01-01

Abstract:Deep neural networks (DNNs) have been found to be easily mislead by adversarial examples that add small perturbations to inputs to produce false results. Different attack and defense strategies have been proposed to better study the security of deep neural networks. But these works only focus on an aspect such as attack or defense. In this work, we propose a robust GAN based on the attention mechanism, which uses the deep latent features of the original image as prior knowledge to generate adversarial examples, and it can jointly optimize the generator and discriminator in the case of adversarial attacks. The generator generates fake images based on the attention mechanism to deceive discriminator, the adversarial attacker perturbs the real images to deceive discriminator, and the discriminator wants to minimize the loss between fake images and adversarial images. Through this training, we can not only improve the quality of adversarial images generated by GAN, but also enhance the robustness of the discriminator under strong adversarial attacks. Experimental results show that our classifier is more robust than Rob-GAN [14], and the generator outperforms Rob-GAN on CIFAR-10.

Desheng Wang,Weidong Jin,Yunpu Wu,Aamir Khan

DOI: https://doi.org/10.48550/arXiv.2103.04513

2021-03-08

Computer Vision and Pattern Recognition

Abstract:Convolutional neural networks (CNNs) have achieved beyond human-level accuracy in the image classification task and are widely deployed in real-world environments. However, CNNs show vulnerability to adversarial perturbations that are well-designed noises aiming to mislead the classification models. In order to defend against the adversarial perturbations, adversarially trained GAN (ATGAN) is proposed to improve the adversarial robustness generalization of the state-of-the-art CNNs trained by adversarial training. ATGAN incorporates adversarial training into standard GAN training procedure to remove obfuscated gradients which can lead to a false sense in defending against the adversarial perturbations and are commonly observed in existing GANs-based adversarial defense methods. Moreover, ATGAN adopts the image-to-image generator as data augmentation to increase the sample complexity needed for adversarial robustness generalization in adversarial training. Experimental results in MNIST SVHN and CIFAR-10 datasets show that the proposed method doesn't rely on obfuscated gradients and achieves better global adversarial robustness generalization performance than the adversarially trained state-of-the-art CNNs.

Ziqiang Li,Pengfei Xia,Mingdao Yue,Bin Li

2020-01-01

Abstract:There is an interesting discovery that several neural networks are vulnerable to adversarial examples. That is, many machines learning models misclassify the samples with only a little change which will not be noticed by human eyes. Generative adversarial networks (GANs) are the most popular models for image generation by jointly optimizing discriminator and generator. With stability train, some regularization and normalization have been used to let the discriminator satisfy Lipschitz consistency. In this paper, we have analyzed that the generator may produce adversarial examples for discriminator during the training process, which may cause the unstable training of GANs. For this reason, we propose a direct adversarial training method for GANs. At the same time, we prove that this direct adversarial training can limit the lipschitz constant of the discriminator and accelerate the convergence of the generator. We have verified the advanced performs of the method on multiple baseline networks, such as DCGAN, WGAN, WGAN-GP, and WGAN-LP.

Shuqi Liu,Mingwen Shao,Xinping Liu

DOI: https://doi.org/10.3233/jifs-200280

2020-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:In recent years, deep neural networks have made significant progress in image classification, object detection and face recognition. However, they still have the problem of misclassification when facing adversarial examples. In order to address security issue and improve the robustness of the neural network, we propose a novel defense network based on generative adversarial network (GAN). The distribution of clean - and adversarial examples are matched to solve the mentioned problem. This guides the network to remove invisible noise accurately, and restore the adversarial example to a clean example to achieve the effect of defense. In addition, in order to maintain the classification accuracy of clean examples and improve the fidelity of neural network, we input clean examples into proposed network for denoising. Our method can effectively remove the noise of the adversarial examples, so that the denoised adversarial examples can be correctly classified. In this paper, extensive experiments are conducted on five benchmark datasets, namely MNIST, Fashion-MNIST, CIFAR10, CIFAR100 and ImageNet. Moreover, six mainstream attack methods are adopted to test the robustness of our defense method including FGSM, PGD, MIM, JSMA, CW and Deep-Fool. Results show that our method has strong defensive capabilities against the tested attack methods, which confirms the effectiveness of the proposed method.

Hu Jianjun,Yu Mengjing,Xu Qingzhen,Gao Jing

DOI: https://doi.org/10.1007/s11036-020-01618-z

2020-01-01

Mobile Networks and Applications

Abstract:Deep learning is widely used in classification tasks to achieve advanced performance. However, in the face of well-designed image classifications, such as the Fast Gradient Sign Method (FGSM), there are glaring errors. This paper proposes a new technique to eliminate interference using generative adversarial networks (GAN), called multi-branch perturbed generative adversarial networks ( MBP-GAN). MBP-GAN minimizes the input feature flow graph in generator noise filtering by introducing multi-branch fusion perturbations. This makes the sample of the generator more aware of this perturbation, thereby improving the ability of the generator and discriminator to resist classification against attacks in combat training. Through this kind of training, this model can be used as a defense against arbitrary attacks. Then we design the loss function, so that the generator and the discriminator can keep accurate results for general images and classification against images. We verify our experimental results on the MNIST, F-MNIST and CelebA datasets. The results show that the MBP-GAN can effectively eliminate the interference from the classification against the attack.

Zijie Lou,Gang Cao,Man Lin

DOI: https://doi.org/10.48550/arxiv.2211.03509

IF: 8

2023-01-01

Engineering Applications of Artificial Intelligence

Abstract:Visually realistic GAN-generated facial images raise obvious concerns on potential misuse. Many effective forensic algorithms have been developed to detect such synthetic images in recent years. It is significant to assess the vulnerability of such forensic detectors against adversarial attacks. In this paper, we propose a new black-box attack method against GAN-generated image detectors. A novel contrastive learning strategy is adopted to train the encoder-decoder network based anti-forensic model under a contrastive loss function. GAN images and their simulated real counterparts are constructed as positive and negative samples, respectively. Leveraging on the trained attack model, imperceptible contrastive perturbation could be applied to input synthetic images for removing GAN fingerprint to some extent. As such, existing GAN-generated image detectors are expected to be deceived. Extensive experimental results verify that the proposed attack effectively reduces the accuracy of three state-of-the-art detectors on six popular GANs. High visual quality of the attacked images is also achieved. The source code will be available at https://github.com/ZXMMD/BAttGAND.

Gong Cheng,Xuxiang Sun,Ke Li,Lei Guo,Junwei Han

DOI: https://doi.org/10.1109/TGRS.2021.3081421

IF: 8.2

2022-01-01

IEEE Transactions on Geoscience and Remote Sensing

Abstract:The methods for remote sensing image (RSI) scene classification based on deep convolutional neural networks (DCNNs) have achieved prominent success. However, confronted with adversarial examples obtained by adding imperceptible perturbations to clean images, the great vulnerability of DCNNs makes it worth exploring effective defense methods. To date, numerous countermeasures for adversarial examples have been proposed, but how to improve the defensive ability for unknown attacks still to be answered. To address this issue, in this article, we propose an effective defense framework specified for RSI scene classification, named perturbation-seeking generative adversarial networks (PSGANs). In brief, a new training framework is designed to train the classifier by introducing the examples generated during the image reconstruction process, in addition to clean examples and adversarial ones. These generated examples can be random kinds of unknown attacks during training and thus are utilized to eliminate the blind spots of a classifier. To assist the proposed training framework, a reconstruction method is developed. First, instead of modeling the distribution of clean examples, we model the distributions of the perturbations added in adversarial examples. Second, to make a tradeoff between the diversity of the reconstructed examples and the optimization of PSGAN, a scale factor named seeking radius is introduced to scale the generated perturbations before they are subtracted by the given adversarial examples. Comprehensive and extensive experimental results on three widely used benchmarks for RSI scene classification demonstrate the great effectiveness of PSGAN when faced with both known and unknown attacks. Our source code is available at https://github.com/xuxiangsun/PSGAN.

Shao Mingwen,Liu Shuqi,Wang Ran,Zhang Gaozhi

DOI: https://doi.org/10.1007/s13042-021-01374-w

2021-01-01

International Journal of Machine Learning and Cybernetics

Abstract:In recent years, the development of deep neural networks is in full gear in the fields of computer vision, natural language processing, and others. However, the existence of adversarial examples brings risks to the completion of these tasks, which is also a huge obstacle to implement deep learning applications in the real world. In order to solve the aforementioned problems and improve the robustness of neural networks, a novel defense network based on generative adversarial networks (GANs) is proposed. First, we use generators to eliminate disturbances of adversarial samples and utilize multi-scale discriminators to classify images of different scales to better assist the generator to produce high-quality images. Then, we utilize salient feature extraction model to extract salient maps of both clean examples and adversarial samples, thus improving the denoising effect of the generator by reducing the difference between salient images. The proposed method can guide the generation networks to accurately remove the invisible disturbance and to restore the adversarial samples to clean samples, which not only improves the success rate of classification, but also achieves satisfactory defense effect. Extensive experiments are conducted to compare the defense effect of our proposed method with other defense methods against various attacks. Results show that our method has strong defensive capabilities against the tested attack methods.

Peilun Du,Xiaolong Zheng,Liang Liu,Huadong Ma

DOI: https://doi.org/10.1109/jiot.2022.3230427

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Deep-learning-based (DL-based) face recognition has become an important application in the Internet of Things (IoT) environment. However, recent studies demonstrate that elaborate adversarial examples can mislead the results of DL-based face recognition on mobile and edge devices. Such vulnerability threats the robustness of face recognition systems and causes security issues. Generative adversarial defense methods can reform adversarial examples before input into the face recognition model to improve the accuracy under adversarial attacks. Unfortunately, the existing generative adversarial defense methods cannot completely remove the misleading features of adversarial examples due to the lack of robust encoding ability. In this article, we propose a local consistency generative adversarial network (LC-GAN) framework by adding the constraint of local consistency to force the encoder to mine consistent features in each local area, achieving robust encoding ability consequently. The framework includes three main novel designs. First, we present a patch-wise contrastive learning-based refinement stage with local consistency loss to encode robust identity features from nonsalient areas that are undamaged by adversarial attacks. Second, we use a powerful expert network to guide the training of LC-GAN for eliminating adversarial identity features. Third, we design a multilevel identity loss to enhance the identity preservation ability by unifying the local and global identity features. Experimental results on four widely used face data sets show that LC-GAN outperforms other generative adversarial defense methods.

Chaowei Xiao,Bo Li,Jun-yan Zhu,Warren He,Mingyan Liu,Dawn Song

DOI: https://doi.org/10.24963/ijcai.2018/543

2018-07-01

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.