Zhou Yutian,Tan Yu-an,Zhang Quanxin,Kuang Xiaohui,Han Yahong,Hu Jingjing

DOI: https://doi.org/10.1007/s11036-019-01499-x

2020-01-01

Mobile Networks and Applications

Abstract:Deep neural networks are susceptible to tiny crafted adversarial perturbations which are always added to all the pixels of the image to craft an adversarial example. Most of the existing adversarial attacks can reduce the L2 distance between the adversarial image and the source image to a minimum but ignore the L0 distance which is still huge. To address this issue, we introduce a new black-box adversarial attack based on evolutionary method and bisection method, which can greatly reduce the L0 distance while limiting the L2 distance. By flipping pixels of the target image, an adversarial example is generated, in which a small number of pixels come from the target image and the rest pixels are from the source image. Experiments show that our attack method is able to generate high quality adversarial examples steadily. Especially for generating adversarial examples for large scale images, our method performs better.

Jie Zhang,Bo Li,Jianghe Xu,Shuang Wu,Shouhong Ding,Lei Zhang,Chao Wu

DOI: https://doi.org/10.1109/CVPR52688.2022.01469

2022-01-01

Abstract:Classic black-box adversarial attacks can take advantage of transferable adversarial examples generated by a similar substitute model to successfully fool the target model. However, these substitute models need to be trained by target models' training data, which is hard to acquire due to privacy or transmission reasons. Recognizing the limited availability of real data for adversarial queries, recent works proposed to train substitute models in a data-free black-box scenario. However, their generative adversarial networks (GANs) based framework suffers from the convergence failure and the model collapse, resulting in low efficiency. In this paper, by rethinking the collaborative relationship between the generator and the substitute model, we design a novel black-box attack framework. The proposed method can efficiently imitate the target model through a small number of queries and achieve high attack success rate. The comprehensive experiments over six datasets demonstrate the effectiveness of our method against the state-of-the-art attacks. Especially, we conduct both label-only and probability-only attacks on the Microsoft Azure online model, and achieve a 100% attack success rate with only 0.46% query budget of the SOTA method [49].

Phoenix Williams,Ke Li

DOI: https://doi.org/10.48550/arXiv.2203.04405

2022-03-07

Abstract:Deep neural networks (DNNs) have achieved state-of-the-art performance in many tasks but have shown extreme vulnerabilities to attacks generated by adversarial examples. Many works go with a white-box attack that assumes total access to the targeted model including its architecture and gradients. A more realistic assumption is the black-box scenario where an attacker only has access to the targeted model by querying some input and observing its predicted class probabilities. Different from most prevalent black-box attacks that make use of substitute models or gradient estimation, this paper proposes a gradient-free attack by using a concept of evolutionary art to generate adversarial examples that iteratively evolves a set of overlapping transparent shapes. To evaluate the effectiveness of our proposed method, we attack three state-of-the-art image classification models trained on the CIFAR-10 dataset in a targeted manner. We conduct a parameter study outlining the impact the number and type of shapes have on the proposed attack's performance. In comparison to state-of-the-art black-box attacks, our attack is more effective at generating adversarial examples and achieves a higher attack success rate on all three baseline models.

Cryptography and Security,Machine Learning,Neural and Evolutionary Computing

Hao Peng,Zhe Wang,Dandan Zhao,Yiming Wu,Jianming Han,Shixin Guo,Shouling Ji,Ming Zhong

DOI: https://doi.org/10.1016/j.jksuci.2023.03.017

IF: 9.006

2023-01-01

Journal of King Saud University - Computer and Information Sciences

Abstract:Deep neural networks that play a pivotal role in fields such as images, text, and audio are vulnerable to adversarial attacks. In current textual adversarial attacks, the vast majority are configured with a black-box soft-label which is achieved by the gradient information or confidence of the model. Therefore, it becomes challenging and realistic to implement adversarial attacks using only the predicted top labels of the hard-label model. Existing methods to implement hard-label adversarial attacks use population-based genetic optimization algorithms. However, this approach requires significant query consumption, which is a considerable shortcoming. To solve this problem, we propose a new textual black-box hard-label adversarial attack algorithm based on the idea of differential evolution of populations, called the text-based differential evolution (TDE) algorithm. First, the method will judge the importance of the words of the initial rough adversarial examples, according to which only the keywords in the text sentence will be operated, and the rest of the words will be gradually replaced with the original words so as to reduce the words in the sentence in which the replacement occurs. Our method judges the quality of semantic similarity of the adversarial examples in the replacement process and deposits high-quality adversarial example individuals into the population. Secondly, the optimization process of adversarial examples is combined and optimized according to the word importance. Compared with existing methods based on genetic algorithm guidance, our method avoids a large number of meaningless repetitive queries and significantly improves the overall attack efficiency of the algorithm and the semantic quality of the generated adversarial examples. We experimented with multiple datasets on three text tasks of sentiment classification, natural language inference, and toxic comment, and also perform experimental comparisons on models and APIs in realistic scenarios. For example, in the Google Cloud commercial API adversarial attack experiment, compared to the existing hard-label method, our method reduces the average number of queries required for the attack from 6986 to 176, and increases semantic similarity from 0.844 to 0.876. It is shown through extensive experimental data that our approach not only significantly reduces the number of queries, but also significantly outperforms existing methods in terms of the quality of adversarial examples.

Zhijian Chen,Wenjian Luo,Muhammad Luqman Naseem,Linghao Kong,Xiangkai Yang

DOI: https://doi.org/10.1007/s40747-024-01506-z

IF: 6.7

2024-01-01

Complex & Intelligent Systems

Abstract:Adversarial examples which mislead deep neural networks by adding well-crafted perturbations have become a major threat to classification models. Gradient-based white-box attack algorithms have been widely used to generate adversarial examples. However, most of them are designed for multi-class models, and only a few gradient-based adversarial attack algorithms specifically designed for multi-label classification models. Due to the correlation between multiple labels, the performance of these gradient-based algorithms in generating adversarial examples for multi-label classification is worthy of analyzing and evaluating comprehensively. In this paper, we first transplant five typical gradient-based adversarial attack algorithms in the multi-class environment to the multi-label environment. Secondly, we comprehensively compared the performance of these five attack algorithms and the other four existing multi-label adversarial attack algorithms by experiments on six different attack types, and evaluated the transferability of adversarial examples generated by all algorithms under two attack types. Experimental results show that, among different attack types, the majority of multi-step attack algorithms have higher attack success rates compared to one-step attack algorithms. Additionally, these gradient-based algorithms face greater difficulty in augmenting labels than in hiding them. For transfer experimental results, the adversarial examples generated by all attack algorithms exhibit weaker transferability when attacking other different models.

Nan Zhou,Wenjian Luo,Xin Lin,Peilan Xu,Zhenya Zhang

DOI: https://doi.org/10.1109/ijcnn48605.2020.9206614

2020-01-01

Abstract:Deep neural networks (DNNs) are used in various domains, such as image classification, natural language processing and face recognition, etc. However, the presence of malicious examples, generated by specific methods, could result in DNNs misclassification. Such maliciously modified examples are called adversarial examples. So far, most work about adversarial examples mainly focuses on the multi-class classification tasks, and only a little work has been done in the field of multi-label classification.In this study, we have proposed a novel algorithm that generates effective multi-label adversarial examples by solving a linear programming problem (MLA-LP). We minimize the l ∞ norm of distortion while constraining the changes in the label loss of the example after being perturbed. Then, we transform this constrained optimization problem into a linear programming problem for reducing the time cost. In comparison to the existing multi-label classification model attack algorithms, the attack performance of the proposed MLA-LP is found to be competitive, and the adversarial examples generated by MLA-LP have significantly smaller distortions.

Ayane Tajima,Satoshi Ono

2024-07-09

Abstract:Research has shown that deep neural networks (DNNs) have vulnerabilities that can lead to the misrecognition of Adversarial Examples (AEs) with specifically designed perturbations. Various adversarial attack methods have been proposed to detect vulnerabilities under hard-label black box (HL-BB) conditions in the absence of loss gradients and confidence scores.However, these methods fall into local solutions because they search only local regions of the search space. Therefore, this study proposes an adversarial attack method named EvolBA to generate AEs using Covariance Matrix Adaptation Evolution Strategy (CMA-ES) under the HL-BB condition, where only a class label predicted by the target DNN model is available. Inspired by formula-driven supervised learning, the proposed method introduces domain-independent operators for the initialization process and a jump that enhances search exploration. Experimental results confirmed that the proposed method could determine AEs with smaller perturbations than previous methods in images where the previous methods have difficulty.

Computer Vision and Pattern Recognition

YiGui Luo,RuiJia Yang,Wei Sha,WeiYi Ding,YouTeng Sun,YiSi Wang

DOI: https://doi.org/10.48550/arXiv.1906.09072

2019-06-21

Abstract:Many studies have been done to prove the vulnerability of neural networks to adversarial example. A trained and well-behaved model can be fooled by a visually imperceptible perturbation, i.e., an originally correctly classified image could be misclassified after a slight perturbation. In this paper, we propose a black-box strategy to attack such networks using an evolution algorithm. First, we formalize the generation of an adversarial example into the optimization problem of perturbations that represent the noise added to an original image at each pixel. To solve this optimization problem in a black-box way, we find that an evolution algorithm perfectly meets our requirement since it can work without any gradient information. Therefore, we test various evolution algorithms, including a simple genetic algorithm, a parameter-exploring policy gradient, an OpenAI evolution strategy, and a covariance matrix adaptive evolution strategy. Experimental results show that a covariance matrix adaptive evolution Strategy performs best in this optimization problem. Additionally, we also perform several experiments to explore the effect of different regularizations on improving the quality of an adversarial example.

Computer Vision and Pattern Recognition

Xiaolei Liu,Teng Hu,Kangyi Ding,Yang Bai,Weina Niu,Jiazhong Lu

DOI: https://doi.org/10.1007/978-3-030-55304-3_14

2020-01-01

Abstract:Neural networks play an increasingly important role in the field of machine learning and are included in many applications in society. Unfortunately, neural networks suffer from adversarial examples generated to attack them. However, most of the generation approaches either assume that the attacker has full knowledge of the neural network model or are limited by the type of attacked model. In this paper, we propose a new approach that generates a black-box attack to neural networks based on the swarm evolutionary algorithm. Benefiting from the improvements in the technology and theoretical characteristics of evolutionary algorithms, our approach has the advantages of effectiveness, black-box attack, generality, and randomness. Our experimental results show that both the MNIST images and the CIFAR-10 images can be perturbed to successful generate a black-box attack with 100% probability on average. In addition, the proposed attack, which is successful on distilled neural networks with almost 100% probability, is resistant to defensive distillation. The experimental results also indicate that the robustness of the artificial intelligence algorithm is related to the complexity of the model and the data set. In addition, we find that the adversarial examples to some extent reproduce the characteristics of the sample data learned by the neural network model.

Junyu Lin,Lei Xu,Yingqi Liu,Xiangyu Zhang

DOI: https://doi.org/10.1016/j.jss.2020.110767

IF: 3.5

2020-01-01

Journal of Systems and Software

Abstract:Deep Neural Networks (DNNs) are being used in various daily tasks such as object detection, speech processing, and machine translation. However, it is known that DNNs suffer from robustness problems — perturbed inputs called adversarial samples leading to misbehaviors of DNNs. In this paper, we propose a black-box technique called Black-box Momentum Iterative Fast Gradient Sign Method (BMI-FGSM) to test the robustness of DNN models. The technique does not require any knowledge of the structure or weights of the target DNN. Compared to existing white-box testing techniques that require accessing model internal information such as gradients, our technique approximates gradients through Differential Evolution and uses approximated gradients to construct adversarial samples. Experimental results show that our technique can achieve 100% success in generating adversarial samples to trigger misclassification, and over 95% success in generating samples to trigger misclassification to a specific target output label. It also demonstrates better perturbation distance and better transferability. Compared to the state-of-the-art black-box technique, our technique is more efficient. Furthermore, we conduct testing on the commercial Aliyun API and successfully trigger its misbehavior within a limited number of queries, demonstrating the feasibility of real-world black-box attack.

Xinjie Feng,Hongxun Yao,Wenbin Che,Shengping Zhang

DOI: https://doi.org/10.1007/978-3-030-37731-1_32

2019-01-01

Abstract:Deep neural networks (DNNs) are vulnerable to adversarial examples. Generally speaking adversarial examples are defined by adding input samples a small-magnitude perturbation, which is hardly misleading human observers' decision but would lead to misclassifications for a well trained models. Most of existing iterative adversarial attack methods suffer from low success rates in fooling model in a black-box manner. And we find that it is because perturbation neutralize each other in iterative process. To address this issue, we propose a novel boosted iterative method to effectively promote success rates. We conduct the experiments on ImageNet dataset, with five models normally trained for classification. The experimental results show that our proposed strategy can significantly improve success rates of fooling models in a black-box manner. Furthermore, it also outperforms the momentum iterative method (MI-FSGM), which won the first places in NeurIPS Non-targeted Adversarial Attack and Targeted Adversarial Attack competitions.

Wenli Xiao,Hao Jiang,Song Xia

DOI: https://doi.org/10.1109/ictc49638.2020.9123270

2020-01-01

Abstract:Machine learning can be misled by adversarial examples, which is formed by making small changes to the original data. Nowadays, there are kinds of methods to produce adversarial examples. However, they can not apply non-differentiable models, reduce the amount of calculations, and shorten the sample generation time at the same time. In this paper, we propose a new black box attack generating adversarial examples based on reinforcement learning. By using deep Q-learning network, we can train the substitute model and generate adversarial examples at the same time. Experimental results show that this method only needs 7.7ms to produce an adversarial example, which solves the problems of low efficiency, large amount of calculation and inapplicable to non-differentiable model.

Dian Zhang,Yunwei Dong

DOI: https://doi.org/10.1016/j.neunet.2023.08.048

IF: 7.8

2023-01-01

Neural Networks

Abstract:Deep neural networks have become increasingly significant in our daily lives due to their remarkable performance. The issue of adversarial examples, which are responsible for the vulnerability problem of deep neural networks, has attracted the attention of researchers in the study of robustness of these networks. To address the issues caused by the restricted diversity and precision of adversarial perturbations in neural networks, we introduce a novel technique called Adversarial Boundary Diffusion Probability Modeling (Adv-BDPM). This approach combines boundary analysis and diffusion probability modeling. First, we combined the denoising diffusion probability model with the boundary loss to design the boundary diffusion probability model, which can generate corresponding boundary perturbations for a specific neural network. Then, through the iterative process of boundary perturbations and its corresponding orthogonal perturbations, we proposed a decision boundary search algorithm to generate adversarial samples. The comparison experiments with black-box attacks in ImageNet demonstrate that Adv-BDPM has better attack success rate and perturbation precision. The comparison experiments with white-box attacks in CIFAR-10 and CIFAR-100 demonstrate that Adv-BDPM has better attack success rate, attack diversity for the same sample, and can effectively defend against adversarial training with shorter running time.

Mingxing Duan,Kenli Li,Lingxi Xie,Qi Tian,Bin Xiao

DOI: https://doi.org/10.1145/3474085.3475542

2021-01-01

Abstract:The current research on adversarial attacks aims at a single model while the research on attacking multiple models simultaneously is still challenging. In this paper, we propose a novel black-box attack method, referred to as MBbA, which can attack multiple black-boxes at the same time. By encoding input image and its target category into an associated space, each decoder seeks the appropriate attack areas from the image through the designed loss functions, and then generates effective adversarial examples. This process realizes end-to-end adversarial example generation without involving substitute models for the black-box scenario. On the other hand, adopting the adversarial examples generated by MBbA for adversarial training, the robustness of the attacked models are greatly improved. More importantly, those adversarial examples can achieve satisfactory attack performance, even if these blackbox models are trained with the adversarial examples generated by other black-box attack methods, which show good transferability. Finally, extensive experiments show that compared with other state-of-the-art methods: (1) MBbA takes the least time to obtain the most effective attack effects in multi-black-box attack scenario. Furthermore, MBbA achieves the highest attack success rates in a single black-box attack scenario; (2) the adversarial examples generated by MBbA can effectively improve the robustness of the attacked models and exhibit good transferability.

I. Goodfellow,Z. B. Celik,S. Jha,Nicolas Papernot,A. Swami,P. Mcdaniel

2016-02-08

Abstract:Advances in deep learning have led to the broad adoption of Deep Neural Networks (DNNs) to a range of important machine learning problems, e.g., guiding autonomous vehicles, speech recognition, malware detection. Yet, machine learning models, including DNNs, were shown to be vulnerable to adversarial samples-subtly (and often humanly indistinguishably) modified malicious inputs crafted to compromise the integrity of their outputs. Adversarial examples thus enable adversaries to manipulate system behaviors. Potential attacks include attempts to control the behavior of vehicles, have spam content identified as legitimate content, or have malware identified as legitimate software. Adversarial examples are known to transfer from one model to another, even if the second model has a different architecture or was trained on a different set. We introduce the first practical demonstration that this cross-model transfer phenomenon enables attackers to control a remotely hosted DNN with no access to the model, its parameters, or its training data. In our demonstration, we only assume that the adversary can observe outputs from the target DNN given inputs chosen by the adversary. We introduce the attack strategy of fitting a substitute model to the input-output pairs in this manner, then crafting adversarial examples based on this auxiliary model. We evaluate the approach on existing DNN datasets and real-world settings. In one experiment, we force a DNN supported by MetaMind (one of the online APIs for DNN classifiers) to mis-classify inputs at a rate of 84.24%. We conclude with experiments exploring why adversarial samples transfer between DNNs, and a discussion on the applicability of our attack when targeting machine learning algorithms distinct from DNNs.

Computer Science

Xiaohui Kuang,Hongyi Liu,Ye Wang,Qikun Zhang,Quanxin Zhang,Jun Zheng

DOI: https://doi.org/10.1109/access.2019.2956553

IF: 3.9

2019-01-01

IEEE Access

Abstract:Deep neural networks(DNNs) are widely used in AI-controlled Cyber-Physical Systems (CPS) to controll cars, robotics, water treatment plants and railways. However, DNNs have vulnerabilities to well-designed input samples that are called adversarial examples. Adversary attack is one of the important techniques for detecting and improving the security of neural networks. Existing attacks, including state-of-the-art black-box attack have a lower success rate and make invalid queries that are not beneficial to obtain the direction of generating adversarial examples. For these reasons, this paper proposed a CMA-ES-based adversarial attack on black-box DNNs. Firstly, an efficient method to reduce the number of invalid queries is introduced. Secondly, a black-box attack of generating adversarial examples to fit a high-dimensional independent Gaussian distribution of the local solution space is proposed. Finally, a new CMA-based perturbation compression method is applied to make the process of reducing perturbation smoother. Experimental results on ImageNet classifiers show that the proposed attack has a higher success-rate than the state-of-the-art black-box attack but reduce the number of queries by 30% equally.

Qingan Da,Guoyin Zhang,Sizhao Li,Zechao Liu,Wenshan Wang

DOI: https://doi.org/10.1504/ijbic.2023.136087

2024-01-18

International Journal of Bio-Inspired Computation

Abstract:Deep learning models are susceptible to adversarial examples even in the black-box setting. This means there are security risks in intelligent systems based on deep learning. Research on adversarial attacks is crucial to improving the robustness of deep learning models. Most of the existing algorithms are query-intensive and require models to provide more detailed results. We focus on a restrictive threat model and propose a gradient-free adversarial attack algorithm based on differential evolution. In particular, we design two fitness functions to achieve targeted attacks and non-targeted attacks. And we introduce an elimination mechanism in the selection phase to speed up the convergence of the algorithm. Experiments on MNIST, CIFAR-10, and ImageNet show the effectiveness of the proposed method. The comparison with C&W, ZOO and GenAttack shows our method has better advantages in the attack success rate, the number of queries required for a successful attack, and the information obtained in a single query.

computer science, artificial intelligence, theory & methods

Lei Xu,Junhai Zhai

DOI: https://doi.org/10.26599/tst.2023.9010004

2024-04-01

Abstract:Deep neural network (DNN) has strong representation learning ability, but it is vulnerable and easy to be fooled by adversarial examples. In order to handle the vulnerability of DNN, many methods have been proposed. The general idea of existing methods is to reduce the chance of DNN models being fooled by observing some designed adversarial examples, which are generated by adding perturbations to the original images. In this paper, we propose a novel adversarial example generation method, called DCVAE-adv. Different from the existing methods, DCVAE-adv constructs adversarial examples by mixing both explicit and implicit perturbations without using original images. Furthermore, the proposed method can be applied to both white box and black box attacks. In addition, in the inference stage, the adversarial examples can be generated without loading the original images into memory, which greatly reduces the memory overhead. We compared DCVAE-adv with three most advanced adversarial attack algorithms: FGSM, AdvGAN, and AdvGAN++. The experimental results demonstrate that DCVAE-adv is superior to these state-of-the-art methods in terms of attack success rate and transfer ability for targeted attack. Our code is available at https://github.com/xzforeverlove/DCVAE-adv.

computer science, information systems,engineering, electrical & electronic, software engineering

Yepeng Deng,Chunkai Zhang,Xuan Wang

DOI: https://doi.org/10.1109/DSC.2019.00022

2019-01-01

Abstract:Image classifiers have been proven to be easily fooled by perturbations, but it is still exceedingly challenging to generate imperceptible disturbances, especially without the internal knowledge of the classifiers. Imperceptibility and attack capability are two main evaluating indicators of this problem, while most existing methods, so far, can only either maximize misclassification or minimize the distortion. Although there are some algorithms to consider both of them via the weighted sum method, which is equivalent to solve the multiple optimization problems, it will doubtless enlarge the computation complexity, and the strategy of setting the weights cannot make sure both indicators the optimal solutions. In this paper, we proposed an innovative general algorithm named MOEA-APGA, which is based on multi-objective evolutionary algorithm, taking both factors as the optimization objective function. A set of perturbations with diversity is generated by population evolution, and then an appropriate perturbation is selected by the proposed filtering strategy to synthesize the adversarial example. It can achieve the goal of the targeted attack without the internal knowledge of the victim networks. We tried four perturbation strategies to generate adversarial examples. The experimental results on the MNIST datasets demonstrate the effectiveness of MOEA-APGA. In addition, we refer to a slice of indicators to evaluate the power of the algorithm and the vulnerability of different samples.

Mingxing Duan,Kenli Li,Jiayan Deng,Bin Xiao,Qi Tian

DOI: https://doi.org/10.1145/3506852

2022-01-01

Abstract:Deep learning models are widely used in daily life, which bring great convenience to our lives, but they are vulnerable to attacks. How to build an attack system with strong generalization ability to test the robustness of deep learning systems is a hot issue in current research, among which the research on black-box attacks is extremely challenging. Most current research on black-box attacks assumes that the input dataset is known. However, in fact, it is difficult for us to obtain detailed information for those datasets. In order to solve the above challenges, we propose a multi-sample generation model for black-box model attacks, called MsGM. MsGM is mainly composed of three parts: multi-sample generation, substitute model training, and adversarial sample generation and attack. Firstly, we design a multi-task generation model to learn the distribution of the original dataset. The model first converts an arbitrary signal of a certain distribution into the shared features of the original dataset through deconvolution operations, and then according to different input conditions, multiple identical sub-networks generate the corresponding targeted samples. Secondly, the generated sample features achieve different outputs through querying the black-box model and training the substitute model, which are used to construct different loss functions to optimize and update the generator and substitute model. Finally, some common white-box attack methods are used to attack the substitute model to generate corresponding adversarial samples, which are utilized to attack the black-box model. We conducted a large number of experiments on the MNIST and CIFAR-10 datasets. The experimental results show that under the same settings and attack algorithms, MsGM achieves better performance than the based models.