Chaowei Xiao,Bo Li,Jun-yan Zhu,Warren He,Mingyan Liu,Dawn Song

DOI: https://doi.org/10.24963/ijcai.2018/543

2018-07-01

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Yuying Hao,Tuanhui Li,Li Li,Yong Jiang,Xuanye Cheng

DOI: https://doi.org/10.1007/978-3-030-30508-6_57

2019-01-01

Abstract:Neural networks can be fooled by adversarial examples. Recently, many methods have been proposed to generate adversarial examples, but these works mainly concentrate on the pixel-wise information, which limits the transferability of adversarial examples. Different from these methods, we introduce perceptual module to extract the high-level representations and change the manifold of the adversarial examples. Besides, we propose a novel network structure to replace the generative adversarial network (GAN). The improved structure ensures high similarity of adversarial examples and promotes the stability of training process. Extensive experiments demonstrate that our method has significant improvement on the transferability. Furthermore, the adversarial training defence method is invalid for our attack.

Zhiyi Lin,Changgen Peng,Weijie Tan,Xing He

DOI: https://doi.org/10.3390/e25030487

2023-03-10

Abstract:Adversarial example generation techniques for neural network models have exploded in recent years. In the adversarial attack scheme for image recognition models, it is challenging to achieve a high attack success rate with very few pixel modifications. To address this issue, this paper proposes an adversarial example generation method based on adaptive parameter adjustable differential evolution. The method realizes the dynamic adjustment of the algorithm performance by adjusting the control parameters and operation strategies of the adaptive differential evolution algorithm, while searching for the optimal perturbation. Finally, the method generates adversarial examples with a high success rate, modifying just a very few pixels. The attack effectiveness of the method is confirmed in CIFAR10 and MNIST datasets. The experimental results show that our method has a greater attack success rate than the One Pixel Attack based on the conventional differential evolution. In addition, it requires significantly less perturbation to be successful compared to global or local perturbation attacks, and is more resistant to perception and detection.

Mahmood Sharif,Sruti Bhagavatula,Lujo Bauer,Michael K. Reiter

DOI: https://doi.org/10.1145/3317611

IF: 2.717

2019-07-19

ACM Transactions on Privacy and Security

Abstract:Images perturbed subtly to be misclassified by neural networks, called adversarial examples , have emerged as a technically deep challenge and an important concern for several application domains. Most research on adversarial examples takes as its only constraint that the perturbed images are similar to the originals. However, real-world application of these ideas often requires the examples to satisfy additional objectives, which are typically enforced through custom modifications of the perturbation process. In this article, we propose adversarial generative nets (AGNs), a general methodology to train a generator neural network to emit adversarial examples satisfying desired objectives. We demonstrate the ability of AGNs to accommodate a wide range of objectives, including imprecise ones difficult to model, in two application domains. In particular, we demonstrate physical adversarial examples—eyeglass frames designed to fool face recognition—with better robustness, inconspicuousness, and scalability than previous approaches, as well as a new attack to fool a handwritten-digit classifier.

computer science, information systems

Yifeng Li,Ya Zhang,Rui Zhang,Yanfeng Wang

DOI: https://doi.org/10.1145/3376067.3376112

2019-01-01

Abstract:Despite their superior performance in computer vision tasks, deep neural networks are found to be vulnerable to adversarial examples, slightly perturbed examples that can mislead trained models. Moreover, adversarial examples are often transferable, i.e., adversaries crafted for one model can attack another model. Most existing adversarial attack methods are iterative or optimization-based, consuming relatively long time in crafting adversarial examples. Besides, the crafted examples usually underfit or overfit the source model, which reduces their transferability to other target models. In this paper, we introduce the Generative Transferable Adversarial Attack (GTAA), which generate highly transferable adversarial examples efficiently. GTAA leverages a generator network to produce adversarial examples in a single forward pass. To further enhance the transferability, we train the generator with an objective of making the intermediate features of the generated examples diverge from those of their original version. Extensive experiments on challenging ILSVRC2012 dataset show that our method achieves impressive performance in both white-box and black-box attacks. In addition, we verify that our method is even faster than one-step gradient-based method, and the generator converges extremely rapidly in training phase.

Shumeet Baluja,Ian Fischer

DOI: https://doi.org/10.48550/arXiv.1703.09387

2017-03-28

Neural and Evolutionary Computing

Abstract:Multiple different approaches of generating adversarial examples have been proposed to attack deep neural networks. These approaches involve either directly computing gradients with respect to the image pixels, or directly solving an optimization on the image pixels. In this work, we present a fundamentally new method for generating adversarial examples that is fast to execute and provides exceptional diversity of output. We efficiently train feed-forward neural networks in a self-supervised manner to generate adversarial examples against a target network or set of networks. We call such a network an Adversarial Transformation Network (ATN). ATNs are trained to generate adversarial examples that minimally modify the classifier's outputs given the original input, while constraining the new classification to match an adversarial target class. We present methods to train ATNs and analyze their effectiveness targeting a variety of MNIST classifiers as well as the latest state-of-the-art ImageNet classifier Inception ResNet v2.

Yuying Hao,Tuanhui Li,Yang Bai,Li Li,Yong Jiang,Xuanye Cheng

DOI: https://doi.org/10.1007/978-3-030-30508-6_52

2019-01-01

Abstract:Deep neural networks (DNNs) have been widely applied in many areas. However, they are quite vulnerable to well-designed perturbations. Most recent methods of generating adversarial examples fail to limit the perturbations while keeping good transferability. In this work, we propose a new method to address these problems. We combine local attack and gradient descent optimization method to generate adversarial examples. Specifically, in forward propagation, we select sensitive pixels and add perturbations to them. In backward propagation, we propose a novel loss function to reduce the difference between adversarial examples and benign images. Extensive experiments demonstrate that our method achieves strong attack ability with lower distortion.

Jiabao Liu,Qixiang Zhang,Kanghua Mo,Xiaoyu Xiang,Jin Li,Debin Cheng,Rui Gao,Beishui Liu,Kongyang Chen,Guanjie Wei

DOI: https://doi.org/10.1016/j.csi.2021.103612

2022-08-01

Abstract:Most existing deep neural networks are susceptible to the influence of adversarial examples, which may cause them to output incorrect prediction results. An adversarial example is the addition of small noise disturbances to the input data samples, which will deceive the classification. Generally, these modifications are very small noise disturbances, which are not easily noticed by the human eye. However, most existing adversarial attacks achieve only low success rates in typical black-box settings, where the attackers have no prior knowledge about the model structures and/or model parameters. To tackle this problem, we propose an iterative algorithm based on an acceleration gradient to enhance the adversary attack. Our method accumulates the gradient of the loss function in each iteration and uses the next gradient information to influence the future gradient. We also introduce the scaling invariance principle of a deep neural network to optimize the input images for black-box attacks. In addition, to handle the drawbacks of a traditional iterative fast gradient sign method, we further present two gradient optimization methods. Experimental results on the ImageNet dataset show that our attack methods can achieve good transferability. In addition, those models obtained by integrated adversarial training with strong defense capability are also quite vulnerable to our black-box attack.

computer science, software engineering, hardware & architecture

Xiaosen Wang,Kun He,Chuanbiao Song,Liwei Wang,John E. Hopcroft

DOI: https://doi.org/10.48550/arXiv.1904.07793

2019-04-16

Computer Vision and Pattern Recognition

Abstract:Despite the rapid development of adversarial machine learning, most adversarial attack and defense researches mainly focus on the perturbation-based adversarial examples, which is constrained by the input images. In comparison with existing works, we propose non-constrained adversarial examples, which are generated entirely from scratch without any constraint on the input. Unlike perturbation-based attacks, or the so-called unrestricted adversarial attack which is still constrained by the input noise, we aim to learn the distribution of adversarial examples to generate non-constrained but semantically meaningful adversarial examples. Following this spirit, we propose a novel attack framework called AT-GAN (Adversarial Transfer on Generative Adversarial Net). Specifically, we first develop a normal GAN model to learn the distribution of benign data, and then transfer the pre-trained GAN model to estimate the distribution of adversarial examples for the target model. In this way, AT-GAN can learn the distribution of adversarial examples that is very close to the distribution of real data. To our knowledge, this is the first work of building an adversarial generator model that could produce adversarial examples directly from any input noise. Extensive experiments and visualizations show that the proposed AT-GAN can very efficiently generate diverse adversarial examples that are more realistic to human perception. In addition, AT-GAN yields higher attack success rates against adversarially trained models under white-box attack setting and exhibits moderate transferability against black-box models.

Minjie Liu,Xinpeng Zhang,Guorui Feng

DOI: https://doi.org/10.1049/ell2.12437

2022-01-01

Electronics Letters

Abstract:Nowadays, adversarial examples of images which are generated by adding special perturbations on their hosts make great impact on many deep neural network (DNN)-based computer vision tasks and bring security risks. With the deep insight into this field, researchers realize that many simple image processing methods can easily reduce the attack success rate. Therefore, studies on robust adversarial examples that are able to defend destruction become the emphasis. However, most existing methods focus more on the distortion in user transmitting procedures and physical deformation such as JPEG compression and brightness. Given that scale transformation is one of the commonest measures in data transformation and enhancement, a two-step algorithm is proposed to eliminate the effect caused by resizing during the model inferring process. The first step is to select pixels that can affect the classification result through a DNN. As a binary classification task, the network predicts whether the pixel deserves to be modified or not. The second one is to strategically compute the amplitude of noise and add it to the host image. Experiments verify that this method resists the scale transformation and guarantees the invisibility of humans as well.

Zheng Yuan,Jie Zhang,Zhaoyan Jiang,Liangliang Li,Shiguang Shan

DOI: https://doi.org/10.1109/tpami.2024.3367773

IF: 23.6

2024-01-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:In recent years, the security of deep learning models achieves more and more attentions with the rapid development of neural networks, which are vulnerable to adversarial examples. Almost all existing gradient-based attack methods use the sign function in the generation to meet the requirement of perturbation budget on L_∞ norm. However, we find that the sign function may be improper for generating adversarial examples since it modifies the exact gradient direction. Instead of using the sign function, we propose to directly utilize the exact gradient direction with a scaling factor for generating adversarial perturbations, which improves the attack success rates of adversarial examples even with fewer perturbations. At the same time, we also theoretically prove that this method can achieve better black-box transferability. Moreover, considering that the best scaling factor varies across different images, we propose an adaptive scaling factor generator to seek an appropriate scaling factor for each image, which avoids the computational cost for manually searching the scaling factor. Our method can be integrated with almost all existing gradient-based attack methods to further improve their attack success rates. Extensive experiments on the CIFAR10 and ImageNet datasets show that our method exhibits higher transferability and outperforms the state-of-the-art methods.

computer science, artificial intelligence,engineering, electrical & electronic

Bo Yang,Hengwei Zhang,Zheming Li,Yuchen Zhang,Kaiyong Xu,Jindong Wang

DOI: https://doi.org/10.1007/s10489-022-03469-5

IF: 5.3

2022-05-09

Applied Intelligence

Abstract:Deep neural networks are vulnerable to adversarial examples, which are crafted by applying small, human-imperceptible perturbations on the original images, so as to mislead deep neural networks to output inaccurate predictions. Adversarial attacks can thus be an important method to evaluate and select robust models in safety-critical applications. However, under the challenging black-box setting, most existing adversarial attacks often achieve relatively low success rates on normally trained networks and adversarially trained networks. In this paper, we regard the generation process of adversarial examples as an optimization process similar to deep neural network training. From this point of view, we introduce AdaBelief optimizer and crop invariance into the generation of adversarial examples, and propose AdaBelief Iterative Fast Gradient Method (ABI-FGM) and Crop-Invariant attack Method (CIM) to improve the transferability of adversarial examples. By adopting adaptive learning rate into the iterative attacks, ABI-FGM can optimize the convergence process, resulting in more transferable adversarial examples. CIM is based on our discovery on the crop-invariant property of deep neural networks, which we thus leverage to optimize the adversarial perturbations over an ensemble of crop copies so as to avoid overfitting on the white-box model being attacked and improve the transferability of adversarial examples. ABI-FGM and CIM can be readily integrated to build a strong gradient-based attack to further boost the success rates of adversarial examples for black-box attacks. Moreover, our method can also be naturally combined with other gradient-based attack methods to build a more robust attack to generate more transferable adversarial examples against the defense models. Extensive experiments on the ImageNet dataset demonstrate the method's effectiveness. Whether on normally trained networks or adversarially trained networks, our method has higher success rates than state-of-the-art gradient-based attack methods.

computer science, artificial intelligence

Wenrong Xie,Fashan Dong,Haiyang Yu,Zhaoquan Gu,Le Wang,Zhihong Tian

DOI: https://doi.org/10.1109/dsc53577.2021.00044

2021-01-01

Abstract:With the rapid development of artificial intelligence technology, artificial intelligence-based systems and applications have shown explosive growth, bringing great convenience to people's lives. As a representative of artificial intelligence, deep learning, whose excellent performance in the classification task has been proved, can obtain high-precision classification models by effectively training from large amounts of data. However, recent studies have shown that deep neural networks are vulnerable to attacks. By carefully constructing input data, Deep Neural Networks can export the output results expected by the attacker. In general, it is difficult to detect the difference between the carefully constructed data and the original data, but it can induce the neural network to output wrong results. This kind of attack is called adversarial example attack, and the carefully constructed data used to deceive deep learning is called adversarial examples. This paper proposes a generation method of adversarial example that combines the distribution of image entropy. The areas with high entropy values in the image tend to have complex tones, so the added perturbation cannot be noticed by naked eyes easily, and experiments have proved that the adversarial examples generated by adding perturbations in this area are more aggressive. This paper proposes that the greater the entropy in a region of an image, the greater the weight assigned to the position of the Adversarial Perturbation; the smaller the entropy in a region of the image, the lower the weight is assigned to the position of the Adversarial Perturbation, so that an adversarial example with lower disturbance and less noticeable is generated, and at the same time, the adversarial example is more aggressive.

Xinxin Fan,Mengfan Li,Jia Zhou,Quanliang Jing,Chi Lin,Yunfeng Lu,Jingping Bi

DOI: https://doi.org/10.1109/tce.2024.3358179

2024-01-01

IEEE Transactions on Consumer Electronics

Abstract:This paper focuses on the transferability problem of adversarial examples towards black-box attack scenarios wherein model information such as the neural network structure is unavailable. To tackle this predicament, we propose a new adversarial example-generating scheme through bridging a data-modal conversion regime to spawn transferable adversarial examples without referring to the substitute model. Three contributions are mainly involved: i) we figure out an integrated framework to produce transferable adversarial examples through resorting to three components, i.e., image-to-graph conversion, perturbation on converted graph and graph-to-image inversion; ii) upon the conversion from image to graph, we pinpoint critical graph characteristics to implement perturbation using gradient-oriented and optimization-oriented adversarial attacks, then, invert the perturbation on graph into the pixel disturbance correspondingly; iii) multi-facet experiments verify the reasonability and effectiveness with the comparison to three baseline methods. Our work has two novelties: first, without referring to the substitute model, our proposed scheme does not need to acquire any information about the victim model in advance; second, we explore the possibility that inferring the adversarial features of image data through drawing support from network/graph science. In addition, we present three key issues worth deeper discussion, along with these open issues, our work deserves more studies in future.

telecommunications,engineering, electrical & electronic

Yepeng Deng,Chunkai Zhang,Xuan Wang

DOI: https://doi.org/10.1109/DSC.2019.00022

2019-01-01

Abstract:Image classifiers have been proven to be easily fooled by perturbations, but it is still exceedingly challenging to generate imperceptible disturbances, especially without the internal knowledge of the classifiers. Imperceptibility and attack capability are two main evaluating indicators of this problem, while most existing methods, so far, can only either maximize misclassification or minimize the distortion. Although there are some algorithms to consider both of them via the weighted sum method, which is equivalent to solve the multiple optimization problems, it will doubtless enlarge the computation complexity, and the strategy of setting the weights cannot make sure both indicators the optimal solutions. In this paper, we proposed an innovative general algorithm named MOEA-APGA, which is based on multi-objective evolutionary algorithm, taking both factors as the optimization objective function. A set of perturbations with diversity is generated by population evolution, and then an appropriate perturbation is selected by the proposed filtering strategy to synthesize the adversarial example. It can achieve the goal of the targeted attack without the internal knowledge of the victim networks. We tried four perturbation strategies to generate adversarial examples. The experimental results on the MNIST datasets demonstrate the effectiveness of MOEA-APGA. In addition, we refer to a slice of indicators to evaluate the power of the algorithm and the vulnerability of different samples.

Shixian Wen,Laurent Itti

DOI: https://doi.org/10.48550/arXiv.1910.04279

IF: 5.414

2019-10-09

Machine Learning

Abstract:Adversarial training, in which a network is trained on both adversarial and clean examples, is one of the most trusted defense methods against adversarial attacks. However, there are three major practical difficulties in implementing and deploying this method - expensive in terms of extra memory and computation costs; accuracy trade-off between clean and adversarial examples; and lack of diversity of adversarial perturbations. Classical adversarial training uses fixed, precomputed perturbations in adversarial examples (input space). In contrast, we introduce dynamic adversarial perturbations into the parameter space of the network, by adding perturbation biases to the fully connected layers of deep convolutional neural network. During training, using only clean images, the perturbation biases are updated in the Fast Gradient Sign Direction to automatically create and store adversarial perturbations by recycling the gradient information computed. The network learns and adjusts itself automatically to these learned adversarial perturbations. Thus, we can achieve adversarial training with negligible cost compared to requiring a training set of adversarial example images. In addition, if combined with classical adversarial training, our perturbation biases can alleviate accuracy trade-off difficulties, and diversify adversarial perturbations.

Weixiong Hu,Zhaoquan Gu,Chuanjing Zhang,Le Wang,Keke Tang

DOI: https://doi.org/10.1007/978-981-15-8101-4_9

2020-01-01

Abstract:In recent years, deep neural networks have greatly facilitated machine learning tasks. However, emergence of adversarial examples revealed the vulnerability of neural networks. As a result, security of neural networks is drawing more research attention than before and a large number of attack methods have been proposed to generate adversarial examples to evaluate the robustness of neural networks. Furthermore, adversarial examples can be widely adopted in machine vision, natural language processing, and video recognition applications. In this paper, we study adversarial examples against image classification networks. Inspired by the method of detecting key regions in object detection tasks, we built a restrict region-based adversarial example generation system for image classification. We proposed a novel method called gradient mask to generate adversarial examples that have a high attack success rate and small disturbances. The experimental results also validated the method’s performance.

Xingxing Wei,Siyuan Liang,Ning Chen,Xiaochun Cao

DOI: https://doi.org/10.24963/ijcai.2019/134

2019-08-01

Abstract:Identifying adversarial examples is beneficial for understanding deep networks and developing robust models. However, existing attacking methods for image object detection have two limitations: weak transferability---the generated adversarial examples often have a low success rate to attack other kinds of detection methods, and high computation cost---they need much time to deal with video data, where many frames need polluting. To address these issues, we present a generative method to obtain adversarial images and videos, thereby significantly reducing the processing time. To enhance transferability, we manipulate the feature maps extracted by a feature network, which usually constitutes the basis of object detectors. Our method is based on the Generative Adversarial Network (GAN) framework, where we combine a high-level class loss and a low-level feature loss to jointly train the adversarial example generator. Experimental results on PASCAL VOC and ImageNet VID datasets show that our method efficiently generates image and video adversarial examples, and more importantly, these adversarial examples have better transferability, therefore being able to simultaneously attack two kinds of representative object detection models: proposal based models like Faster-RCNN and regression based models like SSD.