Kai Zhao,Sheng Di,Sihuan Li,Xin Liang,Yujia Zhai,Jieyang Chen,Kaiming Ouyang,Franck Cappello,Zizhong Chen

DOI: https://doi.org/10.1109/tpds.2020.3043449

IF: 5.3

2021-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Convolutional neural networks (CNNs) are becoming more and more important for solving challenging and critical problems in many fields. CNN inference applications have been deployed in safety-critical systems, which may suffer from soft errors caused by high-energy particles, high temperature, or abnormal voltage. Of critical importance is ensuring the stability of the CNN inference process against soft errors. Traditional fault tolerance methods are not suitable for CNN inference because error-correcting code is unable to protect computational components, instruction duplication techniques incur high overhead, and existing algorithm-based fault tolerance (ABFT) techniques cannot protect all convolution implementations. In this article, we focus on how to protect the CNN inference process against soft errors as efficiently as possible, with the following three contributions. (1) We propose several systematic ABFT schemes based on checksum techniques and analyze their fault protection ability and runtime thoroughly. Unlike traditional ABFT based on matrix-matrix multiplication, our schemes support any convolution implementations. (2) We design a novel workflow integrating all the proposed schemes to obtain a high detection/correction ability with limited total runtime overhead. (3) We perform our evaluation using ImageNet with well-known CNN models including AlexNet, VGG-19, ResNet-18, and YOLOv2. Experimental results demonstrate that our implementation can handle soft errors with very limited runtime overhead (4%$\sim$∼8% in both error-free and error-injected situations).

computer science, theory & methods,engineering, electrical & electronic

Wenjun Jiang,Tianlong Fan,Changhao Li,Chuanfu Zhang,Tao Zhang,Zong-fu Luo

2024-05-29

Abstract:Connectivity robustness, a crucial aspect for understanding, optimizing, and repairing complex networks, has traditionally been evaluated through time-consuming and often impractical simulations. Fortunately, machine learning provides a new avenue for addressing this challenge. However, several key issues remain unresolved, including the performance in more general edge removal scenarios, capturing robustness through attack curves instead of directly training for robustness, scalability of predictive tasks, and transferability of predictive capabilities. In this paper, we address these challenges by designing a convolutional neural networks (CNN) model with spatial pyramid pooling networks (SPP-net), adapting existing evaluation metrics, redesigning the attack modes, introducing appropriate filtering rules, and incorporating the value of robustness as training data. The results demonstrate the thoroughness of the proposed CNN framework in addressing the challenges of high computational time across various network types, failure component types and failure scenarios. However, the performance of the proposed CNN model varies: for evaluation tasks that are consistent with the trained network type, the proposed CNN model consistently achieves accurate evaluations of both attack curves and robustness values across all removal scenarios. When the predicted network type differs from the trained network, the CNN model still demonstrates favorable performance in the scenario of random node failure, showcasing its scalability and performance transferability. Nevertheless, the performance falls short of expectations in other removal scenarios. This observed scenario-sensitivity in the evaluation of network features has been overlooked in previous studies and necessitates further attention and optimization. Lastly, we discuss important unresolved questions and further investigation.

Computer Vision and Pattern Recognition,Machine Learning,Networking and Internet Architecture,Social and Information Networks

Xin Zhang,Yuqi Song,Xiaofeng Wang,Fei Zuo

2023-04-03

Abstract:Convolutional neural networks (CNNs) have been widely applied in many safety-critical domains, such as autonomous driving and medical diagnosis. However, concerns have been raised with respect to the trustworthiness of these models: The standard testing method evaluates the performance of a model on a test set, while low-quality and insufficient test sets can lead to unreliable evaluation results, which can have unforeseeable consequences. Therefore, how to comprehensively evaluate CNNs and, based on the evaluation results, how to enhance their trustworthiness are the key problems to be urgently addressed. Prior work has used mutation tests to evaluate the test sets of CNNs. However, the evaluation scores are black boxes and not explicit enough for what is being tested. In this paper, we propose a white-box diagnostic approach that uses mutation operators and image transformation to calculate the feature and attention distribution of the model and further present a diagnosis score, namely D-Score, to reflect the model's robustness and fitness to a dataset. We also propose a D-Score based data augmentation method to enhance the CNN's performance to translations and rescalings. Comprehensive experiments on two widely used datasets and three commonly adopted CNNs demonstrate the effectiveness of our approach.

Computer Vision and Pattern Recognition

Jack Highton,Quok Zong Chong,Samuel Finestone,Arian Beqiri,Julia A. Schnabel,Kanwal K. Bhatia

2024-06-28

Abstract:Deep learning models for medical image segmentation and object detection are becoming increasingly available as clinical products. However, as details are rarely provided about the training data, models may unexpectedly fail when cases differ from those in the training distribution. An approach allowing potential users to independently test the robustness of a model, treating it as a black box and using only a few cases from their own site, is key for adoption. To address this, a method to test the robustness of these models against CT image quality variation is presented. In this work we present this framework by demonstrating that given the same training data, the model architecture and data pre processing greatly affect the robustness of several frequently used segmentation and object detection methods to simulated CT imaging artifacts and degradation. Our framework also addresses the concern about the sustainability of deep learning models in clinical use, by considering future shifts in image quality due to scanner deterioration or imaging protocol changes which are not reflected in a limited local test dataset.

Image and Video Processing,Computer Vision and Pattern Recognition,Medical Physics

Tiange Luo,Tianle Cai,Mengxiao Zhang,Siyu Chen,Di He,Liwei Wang

2019-01-01

Abstract:Robustness of convolutional neural networks (CNNs) has gained in importance on account of adversarial examples, i.e., inputs added as well-designed perturbations that are imperceptible to humans but can cause the model to predict incorrectly. Recent research suggests that the noises in adversarial examples break the textural structure, which eventually leads to wrong predictions. To mitigate the threat of such adversarial attacks, we propose defective convolutional networks that make predictions relying less on textural information but more on shape information by properly integrating defective convolutional layers into standard CNNs. The defective convolutional layers contain defective neurons whose activations are set to be a constant function. As defective neurons contain no information and are far different from standard neurons in its spatial neighborhood, the textural features cannot be accurately extracted, and so the model has to seek other features for classification, such as the shape. We show extensive evidence to justify our proposal and demonstrate that defective CNNs can defense against black-box attacks better than standard CNNs. In particular, they achieve state-of-the-art performance against transfer-based attacks without any adversarial training being applied.

Yunrui Yu,Xitong Gao,Cheng-Zhong Xu

DOI: https://doi.org/10.1109/tpami.2023.3323698

IF: 23.6

2023-12-08

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Deep convolutional neural networks (CNNs) can be easily tricked to give incorrect outputs by adding tiny perturbations to the input that are imperceptible to humans. This makes them susceptible to adversarial attacks, and poses significant security risks to deep learning systems, and presents a great challenge in making CNNs robust against such attacks. An influx of defense strategies have thus been proposed to improve the robustness of CNNs. Current attack methods, however, may fail to accurately or efficiently evaluate the robustness of defending models. In this paper, we thus propose a unified lp white-box attack strategy, LAFIT, to harness the defender's latent features in its gradient descent steps, and further employ a new loss function to normalize logits to overcome floating-point-based gradient masking. We show that not only is it more efficient, but it is also a stronger adversary than the current state-of-the-art when examined across a wide range of defense mechanisms. This suggests that adversarial attacks/defenses could be contingent on the effective use of the defender's hidden components, and robustness evaluation should no longer view models holistically.

computer science, artificial intelligence,engineering, electrical & electronic

Jing Yu,Shukai Duan,Xiaojun Ye

DOI: https://doi.org/10.1109/tnnls.2022.3156620

IF: 14.255

2022-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:With the introduction of neuron coverage as a testing criterion for deep neural networks (DNNs), covering more neurons to detect more internal logic of DNNs became the main goal of many research studies. While some works had made progress, some new challenges for testing methods based on neuron coverage had been proposed, mainly as establishing better neuron selection and activation strategies influenced not only obtaining higher neuron coverage, but also more testing efficiency, validating testing results automatically, labeling generated test cases to extricate manual work, and so on. In this article, we put forward Test4Deep, an effective white-box testing DNN approach based on neuron coverage. It is based on a differential testing framework to automatically verify inconsistent DNNs' behavior. We designed a strategy that can track inactive neurons and constantly triggered them in each iteration to maximize neuron coverage. Furthermore, we devised an optimization function that guided the DNN under testing to deviate predictions between the original input and generated test data and dominated unobservable generation perturbations to avoid manually checking test oracles. We conducted comparative experiments with two state-of-the-art white-box testing methods DLFuzz and DeepXplore. Empirical results on three popular datasets with nine DNNs demonstrated that compared to DLFuzz and DeepXplore, Test4Deep, on average, exceeded by 32.87% and 35.69% in neuron coverage, while reducing 58.37% and 53.24% testing time, respectively. In the meantime, Test4Deep also produced 58.37% and 53.24% more test cases with 23.81% and 98.40% fewer perturbations. Even compared with the two highest neuron coverage strategies of DLFuzz, Test4Deep still enhanced neuron coverage by 4.34% and 23.23% and achieved 94.48% and 85.67% higher generation time efficiency. Furthermore, Test4Deep could improve the accuracy and robustness of DNNs by merging generated test cases and retraining.

Jan Peleska,Felix Brüning,Mario Gleirscher,Wen-ling Huang

2023-12-21

Abstract:This technical report presents research results achieved in the field of verification of trained Convolutional Neural Network (CNN) used for image classification in safety-critical applications. As running example, we use the obstacle detection function needed in future autonomous freight trains with Grade of Automation (GoA) 4. It is shown that systems like GoA 4 freight trains are indeed certifiable today with new standards like ANSI/UL 4600 and ISO 21448 used in addition to the long-existing standards EN 50128 and EN 50129. Moreover, we present a quantitative analysis of the system-level hazard rate to be expected from an obstacle detection function. It is shown that using sensor/perceptor fusion, the fused detection system can meet the tolerable hazard rate deemed to be acceptable for the safety integrity level to be applied (SIL-3). A mathematical analysis of CNN models is performed which results in the identification of classification clusters and equivalence classes partitioning the image input space of the CNN. These clusters and classes are used to introduce a novel statistical testing method for determining the residual error probability of a trained CNN and an associated upper confidence limit. We argue that this greybox approach to CNN verification, taking into account the CNN model's internal structure, is essential for justifying that the statistical tests have covered the trained CNN with its neurons and inter-layer mappings in a comprehensive way.

Computer Vision and Pattern Recognition,Machine Learning

Meixi Zheng,Xuanchen Yan,Zihao Zhu,Hongrui Chen,Baoyuan Wu

DOI: https://doi.org/10.48550/arXiv.2312.16979

2023-12-28

Abstract:Adversarial examples are well-known tools to evaluate the vulnerability of deep neural networks (DNNs). Although lots of adversarial attack algorithms have been developed, it is still challenging in the practical scenario that the model's parameters and architectures are inaccessible to the attacker/evaluator, i.e., black-box adversarial attacks. Due to the practical importance, there has been rapid progress from recent algorithms, reflected by the quick increase in attack success rate and the quick decrease in query numbers to the target model. However, there is a lack of thorough evaluations and comparisons among these algorithms, causing difficulties of tracking the real progress, analyzing advantages and disadvantages of different technical routes, as well as designing future development roadmap of this field. Thus, in this work, we aim at building a comprehensive benchmark of black-box adversarial attacks, called BlackboxBench. It mainly provides: 1) a unified, extensible and modular-based codebase, implementing 25 query-based attack algorithms and 30 transfer-based attack algorithms; 2) comprehensive evaluations: we evaluate the implemented algorithms against several mainstreaming model architectures on 2 widely used datasets (CIFAR-10 and a subset of ImageNet), leading to 14,106 evaluations in total; 3) thorough analysis and new insights, as well analytical tools. The website and source codes of BlackboxBench are available at <a class="link-external link-https" href="https://blackboxbench.github.io/" rel="external noopener nofollow">this https URL</a> and <a class="link-external link-https" href="https://github.com/SCLBD/BlackboxBench/" rel="external noopener nofollow">this https URL</a>, respectively.

Cryptography and Security

Rakesh Podder,Sudipto Ghosh

2024-10-03

Abstract:Autonomous vehicle navigation and healthcare diagnostics are among the many fields where the reliability and security of machine learning models for image data are critical. We conduct a comprehensive investigation into the susceptibility of Convolutional Neural Networks (CNNs), which are widely used for image data, to white-box adversarial attacks. We investigate the effects of various sophisticated attacks -- Fast Gradient Sign Method, Basic Iterative Method, Jacobian-based Saliency Map Attack, Carlini & Wagner, Projected Gradient Descent, and DeepFool -- on CNN performance metrics, (e.g., loss, accuracy), the differential efficacy of adversarial techniques in increasing error rates, the relationship between perceived image quality metrics (e.g., ERGAS, PSNR, SSIM, and SAM) and classification performance, and the comparative effectiveness of iterative versus single-step attacks. Using the MNIST, CIFAR-10, CIFAR-100, and Fashio_MNIST datasets, we explore the effect of different attacks on the CNNs performance metrics by varying the hyperparameters of CNNs. Our study provides insights into the robustness of CNNs against adversarial threats, pinpoints vulnerabilities, and underscores the urgent need for developing robust defense mechanisms to protect CNNs and ensuring their trustworthy deployment in real-world scenarios.

Cryptography and Security,Machine Learning,Neural and Evolutionary Computing

Lin Xiang,Xiaoqin Zeng,Shengli Wu,Yanjun Liu,Baohua Yuan

DOI: https://doi.org/10.1007/s11063-020-10420-7

IF: 2.565

2021-01-03

Neural Processing Letters

Abstract:Although Convolutional Neural Networks (CNNs) are considered as being "approximately invariant" to nuisance perturbations such as image transformation, shift, scaling, and other small deformations, some existing studies show that intense noises can cause noticeable variation to CNNs' outputs. This paper focuses on exploring a method of measuring sensitivity by observing corresponding output variation to input perturbation on CNNs. The sensitivity is statistically defined in a bottom-up way from neuron to layer, and finally to the entire CNN network. An iterative algorithm is proposed for approximating the defined sensitivity. On the basic architecture of CNNs, the theoretically computed sensitivity is verified on the MNIST database with four types of commonly used noise distributions: Gaussian, Uniform, Salt and Pepper, and Rayleigh. Experimental results show the theoretical sensitivity is on the one hand in agreement with the actual output variation what on the maps, layers or entire networks are, and on the other hand an applicable quantitative measure for robust network selection.

computer science, artificial intelligence

Qizhang Li,Yiwen Guo,Wangmeng Zuo,Hao Chen

2023-11-02

Abstract:The adversarial vulnerability of deep neural networks (DNNs) has drawn great attention due to the security risk of applying these models in real-world applications. Based on transferability of adversarial examples, an increasing number of transfer-based methods have been developed to fool black-box DNN models whose architecture and parameters are inaccessible. Although tremendous effort has been exerted, there still lacks a standardized benchmark that could be taken advantage of to compare these methods systematically, fairly, and practically. Our investigation shows that the evaluation of some methods needs to be more reasonable and more thorough to verify their effectiveness, to avoid, for example, unfair comparison and insufficient consideration of possible substitute/victim models. Therefore, we establish a transfer-based attack benchmark (TA-Bench) which implements 30+ methods. In this paper, we evaluate and compare them comprehensively on 25 popular substitute/victim models on ImageNet. New insights about the effectiveness of these methods are gained and guidelines for future evaluations are provided. Code at: <a class="link-external link-https" href="https://github.com/qizhangli/TA-Bench" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Matthew Wicker,Xiaowei Huang,Marta Kwiatkowska

DOI: https://doi.org/10.1007/978-3-319-89960-2_22

2018-01-01

Abstract:Despite the improved accuracy of deep neural networks, the discovery of adversarial examples has raised serious safety concerns. Most existing approaches for crafting adversarial examples necessitate some knowledge (architecture, parameters, etc) of the network at hand. In this paper, we focus on image classifiers and propose a feature-guided black-box approach to test the safety of deep neural networks that requires no such knowledge. Our algorithm employs object detection techniques such as SIFT (Scale Invariant Feature Transform) to extract features from an image. These features are converted into a mutable saliency distribution, where high probability is assigned to pixels that affect the composition of the image with respect to the human visual system. We formulate the crafting of adversarial examples as a two-player turn-based stochastic game, where the first player’s objective is to minimise the distance to an adversarial example by manipulating the features, and the second player can be cooperative, adversarial, or random. We show that, theoretically, the two-player game can converge to the optimal strategy, and that the optimal strategy represents a globally minimal adversarial image. For Lipschitz networks, we also identify conditions that provide safety guarantees that no adversarial examples exist. Using Monte Carlo tree search we gradually explore the game state space to search for adversarial examples. Our experiments show that, despite the black-box setting, manipulations guided by a perception-based saliency distribution are competitive with state-of-the-art methods that rely on white-box saliency matrices or sophisticated optimization procedures. Finally, we show how our method can be used to evaluate robustness of neural networks in safety-critical applications such as traffic sign recognition in self-driving cars.

Minhui Jin,Mengce Zheng,Honggang Hu,Nenghai Yu

DOI: https://doi.org/10.48550/arXiv.2009.08898

2020-09-18

Abstract:In recent years, the convolutional neural networks (CNNs) have received a lot of interest in the side-channel community. The previous work has shown that CNNs have the potential of breaking the cryptographic algorithm protected with masking or desynchronization. Before, several CNN models have been exploited, reaching the same or even better level of performance compared to the traditional side-channel attack (SCA). In this paper, we investigate the architecture of Residual Network and build a new CNN model called attention network. To enhance the power of the attention network, we introduce an attention mechanism - Convolutional Block Attention Module (CBAM) and incorporate CBAM into the CNN architecture. CBAM points out the informative points of the input traces and makes the attention network focus on the relevant leakages of the measurements. It is able to improve the performance of the CNNs. Because the irrelevant points will introduce the extra noises and cause a worse performance of attacks. We compare our attention network with the one designed for the masking AES implementation called ASCAD network in this paper. We show that the attention network has a better performance than the ASCAD network. Finally, a new visualization method, named Class Gradient Visualization (CGV) is proposed to recognize which points of the input traces have a positive influence on the predicted result of the neural networks. In another aspect, it can explain why the attention network is superior to the ASCAD network. We validate the attention network through extensive experiments on four public datasets and demonstrate that the attention network is efficient in different AES implementations.

Cryptography and Security

Zhe Zhao,Yedi Zhang,Guangke Chen,Fu Song,Taolue Chen,Jiaxiang Liu

DOI: https://doi.org/10.1007/978-3-031-22308-2_20

2022-01-01

Abstract:Deep neural networks (DNNs) have achieved remarkable performance in a myriad of complex tasks. However, lacking of robustness and black-box nature hinder their deployment in safety-critical systems. A large number of testing and formal verification techniques have been proposed recently, aiming to provide quality assurance for DNNs. Generally speaking, testing is a fast and simple way to disprove-but not to prove-certain properties of DNNs, while formal verification can provide correctness guarantees but often suffers from scalability and efficiency issues. In this work, we present a novel methodology, CLEVEREST, to accelerate formal verification of DNNs by synergistically combining testing and formal verification techniques based on the counterexample guided abstraction refinement (CEGAR) framework. We instantiate our methodology by leveraging CEGAR-NN, a CEGAR-based neural network verification method, and a representative adversarial attack method for testing. We conduct extensive experiments on the widely-used ACAS Xu DNN benchmark. The experimental results show that the testing can effectively reduce the usage of formal verification in the check-refine loop, hence significantly improves the efficiency.

Zesheng Lin,Hongxia Ye,Bin Zhan,Xiaofeng Huang

DOI: https://doi.org/10.3390/app10176085

2020-01-01

Abstract:Convolutional neural networks (CNN) have achieved promising performance in surface defect detection recently. Although many CNN-based methods have been proposed, most of them are limited by the few samples available for training, and the imbalance of positive and negative samples. Hence, their detection performance needs to be further improved. To this end, we propose a multi-scale cascade CNN called MobileNet-v2-dense to detect defects more efficiently. Specifically, the multi-scale cascade structure used in our network can help capture the weak defect semantics that may be lost in the deep network. Then, we propose a novel asymmetric loss function to further improve detection performance. Lastly, a two-stage augmentation method effectively enlarges the training dataset. Experimental results show that, compared to the state-of-the-art, the area under the receiver-operating characteristic curve (AUC-ROC) score of our method increased by 0.16.

Mohammad Wardat,Abdullah Al-Alaj

DOI: https://doi.org/10.1109/access.2024.3384981

IF: 3.9

2024-04-12

IEEE Access

Abstract:Deep learning models, particularly Convolutional Neural Networks (CNNs), play a pivotal role in intelligent software. However, like any software application, CNN-based applications are susceptible to bugs. Bug-fix patterns in CNN differ from traditional techniques, primarily due to their inherent black box nature. Moreover, current methods, although tailored for generic DNN structures, are time consuming, require specialized expertise, and are not directly applicable to the unique structure and requirements of CNNs. To address these issues, we propose DeepCNN, an innovative automated tool to identify the root causes of CNN faults and autonomously fix prevalent training faults that impact the performance and efficiency of CNN programs. DeepCNN, a data-driven tool, employs a transformer encoder model to abstract token-level CNN code, enabling it to effectively detect and fix bugs in real-world CNN models. Beyond mere identification, DeepCNN offers automated solutions for repairing CNN hyperparameter misconfigurations using an optimization solver. Additionally, by analyzing data dependencies and employing a search algorithm, it determines the most optimal hyperparameter values for the problematic models, ultimately generating patch fixes. Through rigorous evaluation on 36 diverse buggy models, DeepCNN outperformed existing methods in fault localization and repair, showing a robustness in identifying potential problems with a 90% detection rate. Among these problematic models, it manages to repair 90% of them — resulting in a 30% average accuracy boost.

computer science, information systems,telecommunications,engineering, electrical & electronic

Aishwarya Gupta,Indranil Saha,Piyush Rai

2024-08-13

Abstract:Rigorous testing of machine learning models is necessary for trustworthy deployments. We present a novel black-box approach for generating test-suites for robust testing of deep neural networks (DNNs). Most existing methods create test inputs based on maximizing some "coverage" criterion/metric such as a fraction of neurons activated by the test inputs. Such approaches, however, can only analyze each neuron's behavior or each layer's output in isolation and are unable to capture their collective effect on the DNN's output, resulting in test suites that often do not capture the various failure modes of the DNN adequately. These approaches also require white-box access, i.e., access to the DNN's internals (node activations). We present a novel black-box coverage criterion called Co-Domain Coverage (CDC), which is defined as a function of the model's output and thus takes into account its end-to-end behavior. Subsequently, we develop a new fuzz testing procedure named CoDoFuzz, which uses CDC to guide the fuzzing process to generate a test suite for a DNN. We extensively compare the test suite generated by CoDoFuzz with those generated using several state-of-the-art coverage-based fuzz testing methods for the DNNs trained on six publicly available datasets. Experimental results establish the efficiency and efficacy of CoDoFuzz in generating the largest number of misclassified inputs and the inputs for which the model lacks confidence in its decision.

Machine Learning

Ruoli Zhao,Yong Xie,Debiao He,Kim-Kwang Raymond Choo,Zoe L. Jiang

DOI: https://doi.org/10.1109/tnse.2024.3434643

IF: 6.6

2024-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Using Convolutional Neural Network (CNN) model to analyze monitoring data in Body Area Network (BAN) has become an important way to solve health related issues in the current large sub-health population and aging population. However, the inference and analysis process of BAN data needs to ensure efficiency and security. At present, ensuring a balance of efficiency and security in the inference of CCN models is challenging. Therefore, an efficient and secure CNN inference scheme is proposed based on two Edge-Cloud-Servers (CS$_{0}$ and CS$_{1}$). By analyzing the CNN model and combining two secret sharing semantics, we optimize the communication overhead of inference. Specifically, a new non-interactive secure convolutional layer computation protocol is designed to significantly reduce the number of interactions between CS$_{0}$ and CS$_{1}$. For non-linear layers, we propose a simpler secure comparison computation functionality to reduce the communication overhead. Moreover, we also design some lightweight secure building blocks based on secret sharing to improve computing efficiency. We implement our proposed scheme on two standard datasets. Through the theoretical analysis and experimental comparison, our scheme improves the computational efficiency.

engineering, multidisciplinary,mathematics, interdisciplinary applications