Yanru Xiao,Cong Wang

DOI: https://doi.org/10.1109/CVPR46437.2021.00197

2021-01-01

Abstract:With the large multimedia content online, deep hashing has become a popular method for efficient image retrieval and storage. However, by inheriting the algorithmic back-end from softmax classification, these techniques are vulnerable to the well-known adversarial examples as well. The massive collection of online images into the database also opens up new attack vectors. Attackers can embed adversarial images into the database and target specific categories to be retrieved by user queries. In this paper, we start from an adversarial standpoint to explore and enhance the capacity of targeted black-box transferability attack for deep hashing. We motivate this work by a series of empirical studies to see the unique challenges in image retrieval. We study the relations between adversarial subspace and black-box transferability via utilizing random noise as a proxy. Then we develop a new attack that is simultaneously adversarial and robust to noise to enhance transferability. Our experimental results demonstrate about 1.2-3x improvements of black-box transferability compared with the state-of-the-art mechanisms.

MaungMaung AprilPyone,Hitoshi Kiya

DOI: https://doi.org/10.48550/arXiv.2005.07998

2020-05-16

Abstract:Conventional adversarial defenses reduce classification accuracy whether or not a model is under attacks. Moreover, most of image processing based defenses are defeated due to the problem of obfuscated gradients. In this paper, we propose a new adversarial defense which is a defensive transform for both training and test images inspired by perceptual image encryption methods. The proposed method utilizes a block-wise pixel shuffling method with a secret key. The experiments are carried out on both adaptive and non-adaptive maximum-norm bounded white-box attacks while considering obfuscated gradients. The results show that the proposed defense achieves high accuracy (91.55 %) on clean images and (89.66 %) on adversarial examples with noise distance of 8/255 on CIFAR-10 dataset. Thus, the proposed defense outperforms state-of-the-art adversarial defenses including latent adversarial training, adversarial training and thermometer encoding.

Machine Learning,Cryptography and Security

Xiuli Chai,Xiaoyu Zheng,Zhihua Gan,Yiran Chen

DOI: https://doi.org/10.1007/s00521-019-04312-8

2019-01-01

Abstract:Nowadays, many image cryptosystems have been cracked by chosen-plaintext attacks, for they are not highly sensitive to plain image. To solve this problem, we introduce a plaintext-related mechanism for secure color image encryption, and it is established in the generation and selection of chaotic sequences, permutation and diffusion. In the proposed image cryptosystem, the architecture of permutation and diffusion is adopted. Firstly, plaintext-related Latin-square-based block permutation is proposed to randomly shuffle pixels of the color plain image, diffusion method dependent on the plaintext and scrambled image is further given to modify pixels of permutated image, and finally cipher image is gotten. The chaotic sequence for diffusing the current pixel is dynamically generated according to the plain image and scrambled image, and diffusion operations of red, green and blue components of color plain image affect each other. Besides, chaotic sequences used in encryption are produced by new one-dimensional chaotic systems and dynamically selected, and initial values of chaotic systems are computed by plain image and external keys. Experimental results and security analyses demonstrate that our image encryption has large key space and high security level, and it can be applied for the secure communication of image information.

Shi Hu,Eric Nalisnick,Max Welling

DOI: https://doi.org/10.48550/arXiv.2203.10290

2022-03-19

Abstract:In the literature on adversarial examples, white box and black box attacks have received the most attention. The adversary is assumed to have either full (white) or no (black) access to the defender's model. In this work, we focus on the equally practical gray box setting, assuming an attacker has partial information. We propose a novel defense that assumes everything but a private key will be made available to the attacker. Our framework uses an image denoising procedure coupled with encryption via a discretized Baker map. Extensive testing against adversarial images (e.g. FGSM, PGD) crafted using various gradients shows that our defense achieves significantly better results on CIFAR-10 and CIFAR-100 than the state-of-the-art gray box defenses in both natural and adversarial accuracy.

Machine Learning,Cryptography and Security

Ricardo Sanchez-Matilla,Chau Yi Li,Ali Shahin Shamsabadi,Riccardo Mazzon,Andrea Cavallaro

DOI: https://doi.org/10.48550/arXiv.2007.09766

2020-07-19

Computer Vision and Pattern Recognition

Abstract:Adversarial perturbations can be added to images to protect their content from unwanted inferences. These perturbations may, however, be ineffective against classifiers that were not {seen} during the generation of the perturbation, or against defenses {based on re-quantization, median filtering or JPEG compression. To address these limitations, we present an adversarial attack {that is} specifically designed to protect visual content against { unseen} classifiers and known defenses. We craft perturbations using an iterative process that is based on the Fast Gradient Signed Method and {that} randomly selects a classifier and a defense, at each iteration}. This randomization prevents an undesirable overfitting to a specific classifier or defense. We validate the proposed attack in both targeted and untargeted settings on the private classes of the Places365-Standard dataset. Using ResNet18, ResNet50, AlexNet and DenseNet161 {as classifiers}, the performance of the proposed attack exceeds that of eleven state-of-the-art attacks. The implementation is available at https://github.com/smartcameras/RP-FGSM/.

Jun Liu,Jiantao Zhou,Jinyu Tian,Weiwei Sun

2023-10-19

Abstract:With the increasing prevalence of cloud computing platforms, ensuring data privacy during the cloud-based image related services such as classification has become crucial. In this study, we propose a novel privacypreserving image classification scheme that enables the direct application of classifiers trained in the plaintext domain to classify encrypted images, without the need of retraining a dedicated classifier. Moreover, encrypted images can be decrypted back into their original form with high fidelity (recoverable) using a secret key. Specifically, our proposed scheme involves utilizing a feature extractor and an encoder to mask the plaintext image through a newly designed Noise-like Adversarial Example (NAE). Such an NAE not only introduces a noise-like visual appearance to the encrypted image but also compels the target classifier to predict the ciphertext as the same label as the original plaintext image. At the decoding phase, we adopt a Symmetric Residual Learning (SRL) framework for restoring the plaintext image with minimal degradation. Extensive experiments demonstrate that 1) the classification accuracy of the classifier trained in the plaintext domain remains the same in both the ciphertext and plaintext domains; 2) the encrypted images can be recovered into their original form with an average PSNR of up to 51+ dB for the SVHN dataset and 48+ dB for the VGGFace2 dataset; 3) our system exhibits satisfactory generalization capability on the encryption, decryption and classification tasks across datasets that are different from the training one; and 4) a high-level of security is achieved against three potential threat models. The code is available at <a class="link-external link-https" href="https://github.com/csjunjun/RIC.git" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Tong Wu,Liang Tong,Yevgeniy Vorobeychik

DOI: https://doi.org/10.48550/arXiv.1909.09552

2020-02-15

Abstract:We study the problem of defending deep neural network approaches for image classification from physically realizable attacks. First, we demonstrate that the two most scalable and effective methods for learning robust models, adversarial training with PGD attacks and randomized smoothing, exhibit very limited effectiveness against three of the highest profile physical attacks. Next, we propose a new abstract adversarial model, rectangular occlusion attacks, in which an adversary places a small adversarially crafted rectangle in an image, and develop two approaches for efficiently computing the resulting adversarial examples. Finally, we demonstrate that adversarial training using our new attack yields image classification models that exhibit high robustness against the physically realizable attacks we study, offering the first effective generic defense against such attacks.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition,Image and Video Processing

Zhi-hua Gan,Xiu-li Chai,Dao-jun Han,Yi-ran Chen

DOI: https://doi.org/10.1007/s00521-018-3541-y

2018-01-01

Neural Computing and Applications

Abstract:There are two shortcomings existing in the current color image encryption. One is that high correlation between R , G , B components of the original image may be neglected, the other is that the encryption has little relationship with the plain image, and then it is vulnerable to be broken. In order to solve these two problems and present secure and effective image encryption scheme, we introduce a novel chaos-based image encryption algorithm for color images based on three-dimensional (3-D) bit-plane permutation. In the proposed algorithm, the color plain image is firstly converted to 24 bit planes by RGB splitting and bit plane decomposition, next three-dimensional bit-plane permutation is performed on bit planes, position sequences for permutation are obtained from the 3D Chen chaotic system, and then the three confused components are gotten. Secondly, three key matrices are generated by a 1D chaotic system and a multilevel discretization method, and finally, the color cipher image is obtained by diffusing the confused components using key matrices. The SHA 256 hash function value of the plain image is obtained and combined with the given parameters to calculate the parameters and initial values of the chaotic system, so that the proposed scheme highly depends on the plain image and it may effectively withstand known-plaintext and chosen-plaintext attacks. Simulation results and security analyses demonstrate that our algorithm not only has good encryption effect, but can also resist against common attacks, so it is reliable to be applied for image secure communications.

Xiu-Li Chai,Zhi-Hua Gan,Ke Yuan,Yang Lu,Yi-Ran Chen

DOI: https://doi.org/10.1088/1674-1056/26/2/020504

2017-01-01

Chinese Physics B

Abstract:At present, many chaos-based image encryption algorithms have proved to be unsafe, few encryption schemes permute the plain images as three-dimensional (3D) bit matrices, and thus bits cannot move to any position, the movement range of bits are limited, and based on them, in this paper we present a novel image encryption algorithm based on 3D Brownian motion and chaotic systems. The architecture of confusion and diffusion is adopted. Firstly, the plain image is converted into a 3D bit matrix and split into sub blocks. Secondly, block confusion based on 3D Brownian motion (BCB3DBM) is proposed to permute the position of the bits within the sub blocks, and the direction of particle movement is generated by logistic-tent system (LTS). Furthermore, block confusion based on position sequence group (BCBPSG) is introduced, a four-order memristive chaotic system is utilized to give random chaotic sequences, and the chaotic sequences are sorted and a position sequence group is chosen based on the plain image, then the sub blocks are confused. The proposed confusion strategy can change the positions of the bits and modify their weights, and effectively improve the statistical performance of the algorithm. Finally, a pixel level confusion is employed to enhance the encryption effect. The initial values and parameters of chaotic systems are produced by the SHA 256 hash function of the plain image. Simulation results and security analyses illustrate that our algorithm has excellent encryption performance in terms of security and speed.

Tatsuya Chuman,Hitoshi Kiya

DOI: https://doi.org/10.48550/arXiv.2207.08109

2022-07-17

Cryptography and Security

Abstract:The security of learnable image encryption schemes for image classification using deep neural networks against several attacks has been discussed. On the other hand, block scrambling image encryption using the vision transformer has been proposed, which applies to lossless compression methods such as JPEG standard by dividing an image into permuted blocks. Although robustness of the block scrambling image encryption against jigsaw puzzle solver attacks that utilize a correlation among the blocks has been evaluated under the condition of a large number of encrypted blocks, the security of encrypted images with a small number of blocks has never been evaluated. In this paper, the security of the block scrambling image encryption against ciphertext-only attacks is evaluated by using jigsaw puzzle solver attacks.

Hetvi Waghela,Jaydip Sen,Sneha Rakshit

2024-08-20

Abstract:Adversarial attacks, particularly the Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD) pose significant threats to the robustness of deep learning models in image classification. This paper explores and refines defense mechanisms against these attacks to enhance the resilience of neural networks. We employ a combination of adversarial training and innovative preprocessing techniques, aiming to mitigate the impact of adversarial perturbations. Our methodology involves modifying input data before classification and investigating different model architectures and training strategies. Through rigorous evaluation of benchmark datasets, we demonstrate the effectiveness of our approach in defending against FGSM and PGD attacks. Our results show substantial improvements in model robustness compared to baseline methods, highlighting the potential of our defense strategies in real-world applications. This study contributes to the ongoing efforts to develop secure and reliable machine learning systems, offering practical insights and paving the way for future research in adversarial defense. By bridging theoretical advancements and practical implementation, we aim to enhance the trustworthiness of AI applications in safety-critical domains.

Cryptography and Security,Computer Vision and Pattern Recognition

Yongwei Wang,Mingquan Feng,Rabab Ward,Z. Jane Wang,Lanjun Wang

DOI: https://doi.org/10.48550/arXiv.2011.05254

2020-10-30

Computer Vision and Pattern Recognition

Abstract:Deep neural networks are vulnerable to adversarial attacks. White-box adversarial attacks can fool neural networks with small adversarial perturbations, especially for large size images. However, keeping successful adversarial perturbations imperceptible is especially challenging for transfer-based black-box adversarial attacks. Often such adversarial examples can be easily spotted due to their unpleasantly poor visual qualities, which compromises the threat of adversarial attacks in practice. In this study, to improve the image quality of black-box adversarial examples perceptually, we propose structure-aware adversarial attacks by generating adversarial images based on psychological perceptual models. Specifically, we allow higher perturbations on perceptually insignificant regions, while assigning lower or no perturbation on visually sensitive regions. In addition to the proposed spatial-constrained adversarial perturbations, we also propose a novel structure-aware frequency adversarial attack method in the discrete cosine transform (DCT) domain. Since the proposed attacks are independent of the gradient estimation, they can be directly incorporated with existing gradient-based attacks. Experimental results show that, with the comparable attack success rate (ASR), the proposed methods can produce adversarial examples with considerably improved visual quality for free. With the comparable perceptual quality, the proposed approaches achieve higher attack success rates: particularly for the frequency structure-aware attacks, the average ASR improves more than 10% over the baseline attacks.

Jan Philip Göpfert,André Artelt,Heiko Wersing,Barbara Hammer

DOI: https://doi.org/10.1007/978-3-030-44584-3_19

2020-01-01

Abstract:Convolutional neural networks have been used to achieve a string of successes during recent years, but their lack of interpretability remains a serious issue. Adversarial examples are designed to deliberately fool neural networks into making any desired incorrect classification, potentially with very high certainty. Several defensive approaches increase robustness against adversarial attacks, demanding attacks of greater magnitude, which lead to visible artifacts. By considering human visual perception, we compose a technique that allows to hide such adversarial attacks in regions of high complexity, such that they are imperceptible even to an astute observer. We carry out a user study on classifying adversarially modified images to validate the perceptual quality of our approach and find significant evidence for its concealment with regards to human visual perception.

Yuchao Duan,Zhe Zhao,Lei Bu,Fu Song

2019-01-01

Abstract:Numerous methods for crafting adversarial examples were proposed recently with high success rate. Since most existing machine learning based classifiers normalize images into some continuous, real vector, domain firstly, attacks often craft adversarial examples in such domain. However, adversarial examples may become benign after denormalizing them back into the discrete integer domain, known as the discretization problem. This problem was mentioned in some work, but has received relatively little attention. In this work, we first conduct a comprehensive study of existing methods and tools for crafting. We theoretically analyze 34 representative methods and empirically study 20 representative open source tools for crafting adversarial images. Our study reveals that the discretization problem is far more serious than originally thought. This suggests that the discretization problem should be taken into account seriously when crafting adversarial examples and measuring attack success rate. As a first step towards addressing this problem in black-box scenario, we propose a black-box method which reduces the adversarial example searching problem to a derivative-free optimization problem. Our method is able to craft adversarial images by derivative-free search in the discrete integer domain. Experimental results show that our method is comparable to recent white-box methods (e.g., FGSM, BIM and C\&W) and achieves significantly higher success rate in terms of adversarial examples in the discrete integer domain than recent black-box methods (e.g., ZOO, NES-PGD and Bandits). Moreover, our method is able to handle models that is non-differentiable and successfully break the winner of NIPS 2017 competition on defense with 95\% success rate. Our results suggest that discrete optimization algorithms open up a promising area of research into effective black-box attacks.

Tao Yu,Shengyuan Hu,Chuan Guo,Wei-Lun Chao,Kilian Q. Weinberger

DOI: https://doi.org/10.48550/arXiv.1910.07629

IF: 5.414

2019-10-16

Machine Learning

Abstract:Natural images are virtually surrounded by low-density misclassified regions that can be efficiently discovered by gradient-guided search --- enabling the generation of adversarial images. While many techniques for detecting these attacks have been proposed, they are easily bypassed when the adversary has full knowledge of the detection mechanism and adapts the attack strategy accordingly. In this paper, we adopt a novel perspective and regard the omnipresence of adversarial perturbations as a strength rather than a weakness. We postulate that if an image has been tampered with, these adversarial directions either become harder to find with gradient methods or have substantially higher density than for natural images. We develop a practical test for this signature characteristic to successfully detect adversarial attacks, achieving unprecedented accuracy under the white-box setting where the adversary is given full knowledge of our detection mechanism.

Alex Habeen Chang,Benjamin M. Case

DOI: https://doi.org/10.48550/arXiv.2004.13263

2020-04-29

Abstract:Privacy preserving machine learning is an active area of research usually relying on techniques such as homomorphic encryption or secure multiparty computation. Recent novel encryption techniques for performing machine learning using deep neural nets on images have recently been proposed by Tanaka and Sirichotedumrong, Kinoshita, and Kiya. We present new chosen-plaintext and ciphertext-only attacks against both of these proposed image encryption schemes and demonstrate the attacks' effectiveness on several examples.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Yuchao Duan,Zhe Zhao,Lei Bu,Fu Song

2019-01-01

Abstract:Numerous methods for crafting adversarial examples were proposed recently with high success rate. Since most existing machine learning based classifiers normalize images into some continuous, real vector, domain firstly, attacks often craft adversarial examples in such domain. However," adversarial" examples may become benign after denormalizing them back into the discrete integer domain, known as the discretization problem. This problem was mentioned in some work, but has received relatively little attention. In this work, we first conduct a comprehensive study of existing methods and tools for crafting. We theoretically analyze 34 representative methods and empirically study 20 representative open source tools for crafting adversarial images. Our study reveals that the discretization problem is far more serious than originally thought. This suggests that the discretization problem should be taken into …

Haoyu Wang,Chunhua Wu,Kangfeng Zheng

DOI: https://doi.org/10.1016/j.neunet.2024.106176

IF: 7.8

2024-05-01

Neural Networks

Abstract:Deep Learning algorithms have achieved state-of-the-art performance in various important tasks. However, recent studies have found that an elaborate perturbation may cause a network to misclassify, which is known as an adversarial attack. Based on current research, it is suggested that adversarial examples cannot be eliminated completely. Consequently, it is always possible to determine an attack that is effective against a defense model. We render existing adversarial examples invalid by altering the classification boundaries. Meanwhile, for valid adversarial examples generated against the defense model, the adversarial perturbations are increased so that they can be distinguished by the human eye. This paper proposes a method for implementing the abovementioned concepts through color space transformation. Experiments on CIFAR-10, CIFAR-100, and Mini-ImageNet demonstrate the effectiveness and versatility of our defense method. To the best of our knowledge, this is the first defense model based on the amplification of adversarial perturbations.

computer science, artificial intelligence,neurosciences

Maungmaung Aprilpyone,Hitoshi Kiya

DOI: https://doi.org/10.1109/tifs.2021.3062977

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In this paper, we propose a novel defensive transformation that enables us to maintain a high classification accuracy under the use of both clean images and adversarial examples for adversarially robust defense. The proposed transformation is a block-wise preprocessing technique with a secret key to input images. The proposed defense obfuscates gradients in the absence of the secret key unlike previously defeated obfuscating defenses. We developed three algorithms to realize the proposed transformation: Pixel Shuffling, Bit Flipping, and FFX Encryption. Experiments were carried out on the CIFAR-10 and ImageNet datasets by using both black-box and white-box attacks with various metrics including adaptive ones. The results show that the proposed defense achieves high accuracy close to that of using clean images even under adaptive attacks for the first time. In the best-case scenario, a model trained by using images transformed by FFX Encryption (block size of 4) yielded an accuracy of 92.30% on clean images and 91.48% under PGD attack with a noise distance of 8/255, which is close to the non-robust accuracy (95.45%) for the CIFAR-10 dataset, and it yielded an accuracy of 72.18% on clean images and 71.43% under the same attack, which is also close to the standard accuracy (73.70%) for the ImageNet dataset. Overall, all three proposed algorithms are demonstrated to outperform state-of-the-art defenses including adversarial training whether or not a model is under attack.

computer science, theory & methods,engineering, electrical & electronic

William Villegas-Ch,Angel Jaramillo-Alcázar,Sergio Luján-Mora

DOI: https://doi.org/10.3390/bdcc8010008

2024-01-16

Big Data and Cognitive Computing

Abstract:This study evaluated the generation of adversarial examples and the subsequent robustness of an image classification model. The attacks were performed using the Fast Gradient Sign method, the Projected Gradient Descent method, and the Carlini and Wagner attack to perturb the original images and analyze their impact on the model’s classification accuracy. Additionally, image manipulation techniques were investigated as defensive measures against adversarial attacks. The results highlighted the model’s vulnerability to conflicting examples: the Fast Gradient Signed Method effectively altered the original classifications, while the Carlini and Wagner method proved less effective. Promising approaches such as noise reduction, image compression, and Gaussian blurring were presented as effective countermeasures. These findings underscore the importance of addressing the vulnerability of machine learning models and the need to develop robust defenses against adversarial examples. This article emphasizes the urgency of addressing the threat posed by harmful standards in machine learning models, highlighting the relevance of implementing effective countermeasures and image manipulation techniques to mitigate the effects of adversarial attacks. These efforts are crucial to safeguarding model integrity and trust in an environment marked by constantly evolving hostile threats. An average 25% decrease in accuracy was observed for the VGG16 model when exposed to the Fast Gradient Signed Method and Projected Gradient Descent attacks, and an even more significant 35% decrease with the Carlini and Wagner method.