Yaguan Qian,Jiamin Wang,Xiang Ling,Zhaoquan Gu,Bin Wang,Chunming Wu

2021-01-01

Abstract:Recently, to deal with the vulnerability to generate examples of CNNs, there are many advanced algorithms that have been proposed. These algorithms focus on modifying global pixels directly with small perturbations, and some work involves modifying local pixels. However, the global attacks have the problem of perturbations’ redundancy and the local attacks are not effective. To overcome this challenge, we achieve a trade-off between the perturbation power and the number of perturbed pixels in this paper. The key idea is to find the feature contributive regions (FCRs) of the images. Furthermore, in order to create an adversarial example similar to the corresponding clean image as much as possible, we redefine a loss function as the objective function of the optimization in this paper and then using gradient descent optimization algorithm to find the efficient perturbations. Various experiments have been carried out on CIFAR-10 and ILSVRC2012 datasets, which show the excellence of this method, and in addition, the FCRs attack shows strong attack ability in both white-box and black-box settings.

Jie Zhang,Bo Li,Jianghe Xu,Shuang Wu,Shouhong Ding,Lei Zhang,Chao Wu

DOI: https://doi.org/10.1109/CVPR52688.2022.01469

2022-01-01

Abstract:Classic black-box adversarial attacks can take advantage of transferable adversarial examples generated by a similar substitute model to successfully fool the target model. However, these substitute models need to be trained by target models' training data, which is hard to acquire due to privacy or transmission reasons. Recognizing the limited availability of real data for adversarial queries, recent works proposed to train substitute models in a data-free black-box scenario. However, their generative adversarial networks (GANs) based framework suffers from the convergence failure and the model collapse, resulting in low efficiency. In this paper, by rethinking the collaborative relationship between the generator and the substitute model, we design a novel black-box attack framework. The proposed method can efficiently imitate the target model through a small number of queries and achieve high attack success rate. The comprehensive experiments over six datasets demonstrate the effectiveness of our method against the state-of-the-art attacks. Especially, we conduct both label-only and probability-only attacks on the Microsoft Azure online model, and achieve a 100% attack success rate with only 0.46% query budget of the SOTA method [49].

Yang Bai,Yuyuan Zeng,Yong Jiang,Yisen Wang,Shu-Tao Xia,Weiwei Guo

DOI: https://doi.org/10.48550/arXiv.2009.11508

2020-09-25

Abstract:Deep neural networks (DNNs) have demonstrated excellent performance on various tasks, however they are under the risk of adversarial examples that can be easily generated when the target model is accessible to an attacker (white-box setting). As plenty of machine learning models have been deployed via online services that only provide query outputs from inaccessible models (e.g. Google Cloud Vision API2), black-box adversarial attacks (inaccessible target model) are of critical security concerns in practice rather than white-box ones. However, existing query-based black-box adversarial attacks often require excessive model queries to maintain a high attack success rate. Therefore, in order to improve query efficiency, we explore the distribution of adversarial examples around benign inputs with the help of image structure information characterized by a Neural Process, and propose a Neural Process based black-box adversarial attack (NP-Attack) in this paper. Extensive experiments show that NP-Attack could greatly decrease the query counts under the black-box setting.

Machine Learning

Jiabao Liu,Qixiang Zhang,Kanghua Mo,Xiaoyu Xiang,Jin Li,Debin Cheng,Rui Gao,Beishui Liu,Kongyang Chen,Guanjie Wei

DOI: https://doi.org/10.1016/j.csi.2021.103612

2022-08-01

Abstract:Most existing deep neural networks are susceptible to the influence of adversarial examples, which may cause them to output incorrect prediction results. An adversarial example is the addition of small noise disturbances to the input data samples, which will deceive the classification. Generally, these modifications are very small noise disturbances, which are not easily noticed by the human eye. However, most existing adversarial attacks achieve only low success rates in typical black-box settings, where the attackers have no prior knowledge about the model structures and/or model parameters. To tackle this problem, we propose an iterative algorithm based on an acceleration gradient to enhance the adversary attack. Our method accumulates the gradient of the loss function in each iteration and uses the next gradient information to influence the future gradient. We also introduce the scaling invariance principle of a deep neural network to optimize the input images for black-box attacks. In addition, to handle the drawbacks of a traditional iterative fast gradient sign method, we further present two gradient optimization methods. Experimental results on the ImageNet dataset show that our attack methods can achieve good transferability. In addition, those models obtained by integrated adversarial training with strong defense capability are also quite vulnerable to our black-box attack.

computer science, software engineering, hardware & architecture

Zhaohui Che,Ali Borji,Guangtao Zhai,Suiyi Ling,Jing Li,Yuan Tian,Guodong Guo,Patrick Le Callet

DOI: https://doi.org/10.1109/TIP.2021.3050303

Abstract:Saliency detection is an effective front-end process to many security-related tasks, e.g. automatic drive and tracking. Adversarial attack serves as an efficient surrogate to evaluate the robustness of deep saliency models before they are deployed in real world. However, most of current adversarial attacks exploit the gradients spanning the entire image space to craft adversarial examples, ignoring the fact that natural images are high-dimensional and spatially over-redundant, thus causing expensive attack cost and poor perceptibility. To circumvent these issues, this paper builds an efficient bridge between the accessible partially-white-box source models and the unknown black-box target models. The proposed method includes two steps: 1) We design a new partially-white-box attack, which defines the cost function in the compact hidden space to punish a fraction of feature activations corresponding to the salient regions, instead of punishing every pixel spanning the entire dense output space. This partially-white-box attack reduces the redundancy of the adversarial perturbation. 2) We exploit the non-redundant perturbations from some source models as the prior cues, and use an iterative zeroth-order optimizer to compute the directional derivatives along the non-redundant prior directions, in order to estimate the actual gradient of the black-box target model. The non-redundant priors boost the update of some "critical" pixels locating at non-zero coordinates of the prior cues, while keeping other redundant pixels locating at the zero coordinates unaffected. Our method achieves the best tradeoff between attack ability and perturbation redundancy. Finally, we conduct a comprehensive experiment to test the robustness of 18 state-of-the-art deep saliency models against 16 malicious attacks, under both of white-box and black-box settings, which contributes a new robustness benchmark to the saliency community for the first time.

Xiangyuan Yang,Jie Lin,Hanlin Zhang,Peng Zhao

DOI: https://doi.org/10.1016/j.ins.2024.121013

IF: 8.1

2024-06-15

Information Sciences

Abstract:Black-box query attacks are effective at compromising deep-learning models using only the model's output. These attacks typically face challenges with low attack success rates (ASRs) when limited to fewer than ten queries per example. Recent approaches have improved ASRs due to the transferability of initial perturbations, yet they still suffer from inefficient querying. Our study introduces the Gradient-Aligned Attack (GAA) to enhance ASRs with minimal perturbation by focusing on the model's preference. We define a preference property where the generated adversarial example prefers to be misclassified as the wrong category with a high initial confidence. This property is further elucidated by the gradient preference, suggesting a positive correlation between the magnitude of a coefficient in a partial derivative and the norm of the derivative itself. Utilizing this, we devise the gradient-aligned CE (GACE) loss to precisely estimate gradients by aligning these coefficients between the surrogate and victim models, with coefficients assessed by the victim model's outputs. GAA, based on the GACE loss, also aims to achieve the smallest perturbation. Our tests on ImageNet, CIFAR10, and Imagga API show that GAA can increase ASRs by 25.7% and 40.3% for untargeted and targeted attacks respectively, while only needing minimally disruptive perturbations. Furthermore, the GACE loss reduces the number of necessary queries by up to 2.5x and enhances the transferability of advanced attacks by up to 14.2%, especially when using an ensemble surrogate model. Code is available at https://github.com/HaloMoto/GradientAlignedAttack .

computer science, information systems

Fuxun Yu,Qide Dong,Xiang Chen

DOI: https://doi.org/10.48550/arXiv.1802.05763

2018-02-15

Computer Vision and Pattern Recognition

Abstract:With the excellent accuracy and feasibility, the Neural Networks have been widely applied into the novel intelligent applications and systems. However, with the appearance of the Adversarial Attack, the NN based system performance becomes extremely vulnerable:the image classification results can be arbitrarily misled by the adversarial examples, which are crafted images with human unperceivable pixel-level perturbation. As this raised a significant system security issue, we implemented a series of investigations on the adversarial attack in this work: We first identify an image's pixel vulnerability to the adversarial attack based on the adversarial saliency analysis. By comparing the analyzed saliency map and the adversarial perturbation distribution, we proposed a new evaluation scheme to comprehensively assess the adversarial attack precision and efficiency. Then, with a novel adversarial saliency prediction method, a fast adversarial example generation framework, namely "ASP", is proposed with significant attack efficiency improvement and dramatic computation cost reduction. Compared to the previous methods, experiments show that ASP has at most 12 times speed-up for adversarial example generation, 2 times lower perturbation rate, and high attack success rate of 87% on both MNIST and Cifar10. ASP can be also well utilized to support the data-hungry NN adversarial training. By reducing the attack success rate as much as 90%, ASP can quickly and effectively enhance the defense capability of NN based system to the adversarial attacks.

Qikun Zhang,Yuzhi Zhang,Yanling Shao,Mengqi Liu,Jianyong Li,Junling Yuan,Ruifang Wang

DOI: https://doi.org/10.3390/electronics12061464

IF: 2.9

2023-03-21

Electronics

Abstract:Deep neural networks are extremely vulnerable to attacks and threats from adversarial examples. These adversarial examples deliberately crafted by attackers can easily fool classification models by adding imperceptibly tiny perturbations on clean images. This brings a great challenge to image security for deep learning. Therefore, studying and designing attack algorithms for generating adversarial examples is essential for building robust models. Moreover, adversarial examples are transferable in that they can mislead multiple different classifiers across models. This makes black-box attacks feasible for practical applications. However, most attack methods have low success rates and weak transferability against black-box models. This is because they often overfit the model during the production of adversarial examples. To address this issue, we propose a Nadam iterative fast gradient method (NAI-FGM), which combines an improved Nadam optimizer with gradient-based iterative attacks. Specifically, we introduce the look-ahead momentum vector and the adaptive learning rate component based on the Momentum Iterative Fast Gradient Sign Method (MI-FGSM). The look-ahead momentum vector is dedicated to making the loss function converge faster and get rid of the poor local maximum. Additionally, the adaptive learning rate component is used to help the adversarial example to converge to a better extreme point by obtaining adaptive update directions according to the current parameters. Furthermore, we also carry out different input transformations to further enhance the attack performance before using NAI-FGM for attack. Finally, we consider attacking the ensemble model. Extensive experiments show that the NAI-FGM has stronger transferability and black-box attack capability than advanced momentum-based iterative attacks. In particular, when using the adversarial examples produced by way of ensemble attack to test the adversarially trained models, the NAI-FGM improves the success rate by 8% to 11% over the other attack methods. Last but not least, the NAI-DI-TI-SI-FGM combined with the input transformation achieves a success rate of 91.3% on average.

engineering, electrical & electronic,computer science, information systems,physics, applied

Lianli Gao,Qilong Zhang,Xiaosu Zhu,Jingkuan Song,Heng Tao Shen

2021-01-01

Abstract:Crafting adversarial examples for the transfer-based attack is challenging and remains a research hot spot. Cur-rently, such attack methods are based on the hypothesis that the substitute model and the victim model learn similar decision boundaries, and they conventionally apply Sign Method (SM) to manipulate the gradient as the resultant perturbation. Although SM is efficient, it only extracts the sign of gradient units but ignores their value difference, which inevitably leads to a deviation. Therefore, we propose a novel Staircase Sign Method (S 2 M) to alleviate this is-sue, thus boosting attacks. Technically, our method heuristically divides the gradient sign into several segments according to the values of the gradient units, and then assigns each segment with a staircase weight for better crafting adversarial perturbation. As a result, our adversarial examples perform better in both white-box and black-box manner without being more visible. Since S 2 M just manipulates the resultant gradient, our method can be generally integrated into the family of FGSM algorithms, and the computational overhead is negligible. Extensive experiments on the ImageNet dataset demonstrate the effectiveness of our proposed methods, which significantly improve the transferability (i.e., on average, 5.1% for normally trained models and 12.8% for adversarially trained defenses). Our code is available at https://github.com/qilong-zhang/Staircase-sign-method .

Tao Bai,Yiming Cao,Yonghao Xu,Bihan Wen

DOI: https://doi.org/10.1109/tgrs.2024.3377009

IF: 8.2

2024-03-30

IEEE Transactions on Geoscience and Remote Sensing

Abstract:Deep learning methods have been proven effective in remote sensing image analysis and interpretation, where semantic segmentation plays a vital role. These deep segmentation methods are susceptible to adversarial attacks, while most of the existing attack methods tend to manipulate the image globally, leading to noticeable perturbations and chaotic segmentation. In this work, we propose a novel stealthy attack for semantic segmentation (SASS), which can largely increase the effectiveness and stealthiness from the existing attack methods on remote sensing images. SASS manipulates specific victim classes or objects of interest while preserving the original segmentation results for other classes or objects. In practice, as different inference mechanisms, overlapped inference, can be applied in segmentation, the efficacy of SASS may be degraded. To this end, we further introduce the masked SASS (MSASS), which generates augmented adversarial perturbations that only affect victim areas. We evaluate the effectiveness of SASS and MSASS using four state-of-the-art semantic segmentation models on the Vaihingen and Zurich Summer datasets. Extensive experiments demonstrate that our SASS and MSASS methods achieve superior attack performances on victim areas while maintaining high accuracies of other areas (drop less than 2%). The detection success rates of adversarial examples for segmentation, as characterized by Xiao et al., significantly drop from 97.78% for the untargeted projected gradient descent (PGD) attack to 28.71% for our MSASS method on the Zurich Summer dataset. Our work contributes to the field of adversarial attacks in semantic segmentation for remote sensing images by improving stealthiness, flexibility, and robustness. We anticipate that our findings will inspire the development of defense methods to enhance the security and reliability of semantic segmentation models against our stealthy attack.

imaging science & photographic technology,remote sensing,engineering, electrical & electronic,geochemistry & geophysics

Hanbin Hong,Xinyu Zhang,Binghui Wang,Zhongjie Ba,Yuan Hong

2024-09-06

Abstract:Black-box adversarial attacks have demonstrated strong potential to compromise machine learning models by iteratively querying the target model or leveraging transferability from a local surrogate model. Recently, such attacks can be effectively mitigated by state-of-the-art (SOTA) defenses, e.g., detection via the pattern of sequential queries, or injecting noise into the model. To our best knowledge, we take the first step to study a new paradigm of black-box attacks with provable guarantees -- certifiable black-box attacks that can guarantee the attack success probability (ASP) of adversarial examples before querying over the target model. This new black-box attack unveils significant vulnerabilities of machine learning models, compared to traditional empirical black-box attacks, e.g., breaking strong SOTA defenses with provable confidence, constructing a space of (infinite) adversarial examples with high ASP, and the ASP of the generated adversarial examples is theoretically guaranteed without verification/queries over the target model. Specifically, we establish a novel theoretical foundation for ensuring the ASP of the black-box attack with randomized adversarial examples (AEs). Then, we propose several novel techniques to craft the randomized AEs while reducing the perturbation size for better imperceptibility. Finally, we have comprehensively evaluated the certifiable black-box attacks on the CIFAR10/100, ImageNet, and LibriSpeech datasets, while benchmarking with 16 SOTA black-box attacks, against various SOTA defenses in the domains of computer vision and speech recognition. Both theoretical and experimental results have validated the significance of the proposed attack. The code and all the benchmarks are available at \url{<a class="link-external link-https" href="https://github.com/datasec-lab/CertifiedAttack" rel="external noopener nofollow">this https URL</a>}.

Machine Learning,Cryptography and Security

Xinxin Fan,Mengfan Li,Jia Zhou,Quanliang Jing,Chi Lin,Yunfeng Lu,Jingping Bi

DOI: https://doi.org/10.1109/tce.2024.3358179

2024-01-01

IEEE Transactions on Consumer Electronics

Abstract:This paper focuses on the transferability problem of adversarial examples towards black-box attack scenarios wherein model information such as the neural network structure is unavailable. To tackle this predicament, we propose a new adversarial example-generating scheme through bridging a data-modal conversion regime to spawn transferable adversarial examples without referring to the substitute model. Three contributions are mainly involved: i) we figure out an integrated framework to produce transferable adversarial examples through resorting to three components, i.e., image-to-graph conversion, perturbation on converted graph and graph-to-image inversion; ii) upon the conversion from image to graph, we pinpoint critical graph characteristics to implement perturbation using gradient-oriented and optimization-oriented adversarial attacks, then, invert the perturbation on graph into the pixel disturbance correspondingly; iii) multi-facet experiments verify the reasonability and effectiveness with the comparison to three baseline methods. Our work has two novelties: first, without referring to the substitute model, our proposed scheme does not need to acquire any information about the victim model in advance; second, we explore the possibility that inferring the adversarial features of image data through drawing support from network/graph science. In addition, we present three key issues worth deeper discussion, along with these open issues, our work deserves more studies in future.

telecommunications,engineering, electrical & electronic

Dian Hong,Deng Chen,Yanduo Zhang,Huabing Zhou,Liang Xie,Jianping Ju,Jianyin Tang

DOI: https://doi.org/10.3390/electronics13132464

IF: 2.9

2024-06-25

Electronics

Abstract:Adversarial example generation is a technique that involves perturbing inputs with imperceptible noise to induce misclassifications in neural networks, serving as a means to assess the robustness of such models. Among the adversarial attack algorithms, momentum iterative fast gradient sign Method (MI-FGSM) and its variants constitute a class of highly effective offensive strategies, achieving near-perfect attack success rates in white-box settings. However, these methods' use of sign activation functions severely compromises gradient information, which leads to low success rates in black-box attacks and results in large adversarial perturbations. In this paper, we introduce a novel adversarial attack algorithm, NA-FGTM. Our method employs the Tanh activation function instead of the sign which can accurately preserve gradient information. In addition, it utilizes the Adam optimization algorithm as well as the Nesterov acceleration, which is able to stabilize gradient update directions and expedite gradient convergence. Above all, the transferability of adversarial examples can be enhanced. Through integration with data augmentation techniques such as DIM, TIM, and SIM, NA-FGTM can further improve the efficacy of black-box attacks. Extensive experiments on the ImageNet dataset demonstrate that our method outperforms the state-of-the-art approaches in terms of black-box attack success rate and generates adversarial examples with smaller perturbations.

engineering, electrical & electronic,computer science, information systems,physics, applied

Bo Yang,Hengwei Zhang,Zheming Li,Yuchen Zhang,Kaiyong Xu,Jindong Wang

DOI: https://doi.org/10.1007/s10489-022-03469-5

IF: 5.3

2022-05-09

Applied Intelligence

Abstract:Deep neural networks are vulnerable to adversarial examples, which are crafted by applying small, human-imperceptible perturbations on the original images, so as to mislead deep neural networks to output inaccurate predictions. Adversarial attacks can thus be an important method to evaluate and select robust models in safety-critical applications. However, under the challenging black-box setting, most existing adversarial attacks often achieve relatively low success rates on normally trained networks and adversarially trained networks. In this paper, we regard the generation process of adversarial examples as an optimization process similar to deep neural network training. From this point of view, we introduce AdaBelief optimizer and crop invariance into the generation of adversarial examples, and propose AdaBelief Iterative Fast Gradient Method (ABI-FGM) and Crop-Invariant attack Method (CIM) to improve the transferability of adversarial examples. By adopting adaptive learning rate into the iterative attacks, ABI-FGM can optimize the convergence process, resulting in more transferable adversarial examples. CIM is based on our discovery on the crop-invariant property of deep neural networks, which we thus leverage to optimize the adversarial perturbations over an ensemble of crop copies so as to avoid overfitting on the white-box model being attacked and improve the transferability of adversarial examples. ABI-FGM and CIM can be readily integrated to build a strong gradient-based attack to further boost the success rates of adversarial examples for black-box attacks. Moreover, our method can also be naturally combined with other gradient-based attack methods to build a more robust attack to generate more transferable adversarial examples against the defense models. Extensive experiments on the ImageNet dataset demonstrate the method's effectiveness. Whether on normally trained networks or adversarially trained networks, our method has higher success rates than state-of-the-art gradient-based attack methods.

computer science, artificial intelligence

Rui Zhang,Hui Xia,Chunqiang Hu,Cheng Zhang,Chao Liu,Fu Xiao

DOI: https://doi.org/10.1109/tii.2021.3139902

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:The reduction in the number of queries to the object model is a hot topic in the current research of black-box adversarial attack methods. To solve this problem, in this article, we propose generating adversarial examples with shadow model (GASM) that shifts the number of queries to the object model to the shadow model. The method first determines the shadow model based on the robustness and transferability of classifiers and fine-tunes the decision boundary of the shadow model by constructing adversarial datasets. Second, accesses the shadow model and constructs adversarial examples by maximizing the output probability of the targeted class (any class other than the current one) to modify the image gradient information. Finally, the results show that GASM has the strongest transferability and outperforms white-box attacks when AlexNet (MNIST), VGG-19 (CIFAR10), and MobileNet v2 (Tiny ImageNet) are selected as shadow models.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Chuan Guo,Jacob R. Gardner,Yurong You,Andrew Gordon Wilson,Kilian Q. Weinberger

DOI: https://doi.org/10.48550/arXiv.1905.07121

IF: 5.414

2019-05-17

Machine Learning

Abstract:We propose an intriguingly simple method for the construction of adversarial images in the black-box setting. In constrast to the white-box scenario, constructing black-box adversarial images has the additional constraint on query budget, and efficient attacks remain an open problem to date. With only the mild assumption of continuous-valued confidence scores, our highly query-efficient algorithm utilizes the following simple iterative principle: we randomly sample a vector from a predefined orthonormal basis and either add or subtract it to the target image. Despite its simplicity, the proposed method can be used for both untargeted and targeted attacks -- resulting in previously unprecedented query efficiency in both settings. We demonstrate the efficacy and efficiency of our algorithm on several real world settings including the Google Cloud Vision API. We argue that our proposed algorithm should serve as a strong baseline for future black-box attacks, in particular because it is extremely fast and its implementation requires less than 20 lines of PyTorch code.

Mengnan Zhao,Lihe Zhang,Wei Wang,Yuqiu Kong,Baocai Yin

DOI: https://doi.org/10.1109/tifs.2024.3360880

IF: 7.231

2024-02-14

IEEE Transactions on Information Forensics and Security

Abstract:Scene graph generation (SGG) effectively improves semantic understanding of the visual world. However, the recent interest of researchers focuses on enhancing SGG in non-adversarial settings, which raises our curiosity about the adversarial robustness of SGG models. To bridge this gap, we perform adversarial attacks on two typical SGG tasks, Scene Graph Detection (SGDet) and Scene Graph Classification (SGCls). Specifically, we initially propose a bounding box relabeling method to reconstruct reasonable attack targets for SGCls. It solves the inconsistency between the specified bounding boxes and the scene graphs selected as attack targets. Subsequently, we introduce a two-step weighted attack by removing the predicted objects and relational triples that affect attack performance, which significantly increases the success rate of adversarial attacks on two SGG tasks. Extensive experiments demonstrate the effectiveness of our methods on five popular SGG models and four adversarial attacks. The Pytorch® implementation can be downloaded from an open-source Github project https://github.com/Dlut-lab-zmn/SGG_Attack.

computer science, theory & methods,engineering, electrical & electronic

Jaydeep Borkar,Pin-Yu Chen

DOI: https://doi.org/10.48550/arXiv.2105.09685

2021-05-20

Abstract:There has been a rise in the use of Machine Learning as a Service (MLaaS) Vision APIs as they offer multiple services including pre-built models and algorithms, which otherwise take a huge amount of resources if built from scratch. As these APIs get deployed for high-stakes applications, it's very important that they are robust to different manipulations. Recent works have only focused on typical adversarial attacks when evaluating the robustness of vision APIs. We propose two new aspects of adversarial image generation methods and evaluate them on the robustness of Google Cloud Vision API's optical character recognition service and object detection APIs deployed in real-world settings such as <a class="link-external link-http" href="http://sightengine.com" rel="external noopener nofollow">this http URL</a>, <a class="link-external link-http" href="http://picpurify.com" rel="external noopener nofollow">this http URL</a>, Google Cloud Vision API, and Microsoft Azure's Computer Vision API. Specifically, we go beyond the conventional small-noise adversarial attacks and introduce secret embedding and transparent adversarial examples as a simpler way to evaluate robustness. These methods are so straightforward that even non-specialists can craft such attacks. As a result, they pose a serious threat where APIs are used for high-stakes applications. Our transparent adversarial examples successfully evade state-of-the art object detections APIs such as Azure Cloud Vision (attack success rate 52%) and Google Cloud Vision (attack success rate 36%). 90% of the images have a secret embedded text that successfully fools the vision of time-limited humans but is detected by Google Cloud Vision API's optical character recognition. Complementing to current research, our results provide simple but unconventional methods on robustness evaluation.

Computer Vision and Pattern Recognition,Artificial Intelligence,Cryptography and Security,Machine Learning

Wei Jiang,Shen You,Jinyu Zhan,Xupeng Wang,Hong Lei,Deepak Adhikari

DOI: https://doi.org/10.1109/tevc.2022.3231460

IF: 16.497

2022-01-01

IEEE Transactions on Evolutionary Computation

Abstract:Due to the inherent vulnerability of deep neural networks (DNNs), the adversarial example (AE) attack has become a serious threat to intelligent systems, e.g., the failure cause of an image classification system. Different to existing works, in this article we are interested in the generation of AEs for DNNs with defensive mechanisms. To make the attack more practical, we exploit a query-based method to generate image AEs in a black-box attack setting. Considering that the generation of AEs is inherently a constrained optimization problem, this article first formulates three objectives regarding defensive DNNs, i.e., attack effectiveness, attack evasiveness and attack coverage. Then, this article proposes a query-efficient AE attack based on the genetic algorithm (GA) and particle swarm optimization (PSO) to address the perturbation optimization problem. To improve the efficiency of search and query, AE-specific operators including block-level and pixel-level crossovers, discrete perturbation mutation and direction-driven reproduction are designed within the GA-based search framework. In addition, predication-based adaptation of reproduction-related parameters is implemented to speed up the search convergence. PSO-based jumping process is further devised to avoid stuck in local optimum. Benchmark-based experiments evaluated the efficiency of our method, which can achieve an attack success rate of 100% with averagely 52.95% reduced queries in contrast to existing black-box attacks on nondefensive models. For defensive DNN models, our method can obtain top attack performance with the query reduction up to 70.92% comparing with the candidates.

computer science, artificial intelligence, theory & methods