Zhe Zhao,Guangke Chen,Tong Liu,Taishan Li,Fu Song,Jingyi Wang,Jun Sun

DOI: https://doi.org/10.1145/3631977

IF: 3.685

2023-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:As a new programming paradigm, deep learning (DL) has achieved impressive performance in areas such as image processing and speech recognition, and has expanded its application to solve many real-world problems. However, neural networks and DL are normally black-box systems; even worse, DL-based software are vulnerable to threats from abnormal examples, such as adversarial and backdoored examples constructed by attackers with malicious intentions as well as unintentionally mislabeled samples. Therefore, it is important and urgent to detect such abnormal examples. Although various detection approaches have been proposed respectively addressing some specific types of abnormal examples, they suffer from some limitations; until today, this problem is still of considerable interest. In this work, we first propose a novel characterization to distinguish abnormal examples from normal ones based on the observation that abnormal examples have significantly different (adversarial) robustness from normal ones. We systemically analyze those three different types of abnormal samples in terms of robustness and find that they have different characteristics from normal ones. As robustness measurement is computationally expensive and hence can be challenging to scale to large networks, we then propose to effectively and efficiently measure robustness of an input sample using the cost of adversarially attacking the input, which was originally proposed to test robustness of neural networks against adversarial examples. Next, we propose a novel detection method, named attack as detection (A 2 D for short), which uses the cost of adversarially attacking an input instead of robustness to check if it is abnormal. Our detection method is generic, and various adversarial attack methods could be leveraged. Extensive experiments show that A 2 D is more effective than recent promising approaches that were proposed to detect only one specific type of abnormal examples. We also thoroughly discuss possible adaptive attack methods to our adversarial example detection method and show that A 2 D is still effective in defending carefully designed adaptive adversarial attack methods—for example, the attack success rate drops to 0% on CIFAR10.

Junkun Yuan,Shaofang Zhou,Lanfen Lin,Feng Wang,Jia Cui

DOI: https://doi.org/10.3233/faia200388

2020-01-01

Abstract:For efficient malware detection, there are more and more deep learning methods based on raw software binaries. Recent studies show that deep learning models can easily be fooled to make a wrong decision by introducing subtle perturbations to inputs, which attracts a large influx of work in adversarial attacks. However, most of the existing attack methods are based on manual features (e.g., API calls) or in the white-box setting, making the attacks impractical in current real-world scenarios. In this work, we propose a novel attack framework called GAPGAN, which generates adversarial payloads (padding bytes) with generative adversarial networks (GANs). To the best of our knowledge, it is the first work that performs endto-end black-box attacks at the byte-level against deep learning based malware binaries detection. In our attack framework, we map input discrete malware binaries to continuous space, then feed it to the generator of GAPGAN to generate adversarial payloads. We append payloads to the original binaries to craft an adversarial sample while preserving its functionality. We propose to use a dynamic threshold for reducing the loss of the effectiveness of the payloads when mapping it from continuous format back to the original discrete format. For balancing the attention of the generator to the payloads and the adversarial samples, we use an automatic weight tuning strategy. We train GAPGAN with both malicious and benign software. Once the training is finished, the generator can generate an adversarial sample with only the input malware in less than twenty milliseconds. We apply GAPGAN to attack the state-of-the-art detector MalConv and achieve 100% attack success rate with only appending payloads of 2.5% of the total length of the data for detection. We also attack deep learning models with different structures under different defense methods. The experiments show that GAPGAN outperforms other state-of-the-art attack models in efficiency and effectiveness.

Chaowei Xiao,Bo Li,Jun-yan Zhu,Warren He,Mingyan Liu,Dawn Song

DOI: https://doi.org/10.24963/ijcai.2018/543

2018-07-01

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Rui Yang,Tian-Jie Cao,Xiu-Qing Chen,Feng-Rong Zhang

DOI: https://doi.org/10.1016/j.cose.2021.102457

2021-12-01

Abstract:Some recent studies have demonstrated that the deep neural network (DNN) is vulnerable to adversarial examples, which contain some subtle and human-imperceptible perturbations. Although numerous countermeasures have been proposed and play a significant role, most of them all have some flaws and are only effective for certain types of adversarial examples. In the paper, we present a novel and universal countermeasure to recover multiple types of adversarial examples to benign examples before they are fed into the deep neural network. The idea is to model the mapping between adversarial examples and benign examples using a generative adversarial network (GAN). Its GAN architecture consists of a generator based on UNET, a discriminator based on ACGAN, and a newly added third-party classifier. The UNET can enhance the capacity of the generator to recover adversarial examples to benign examples. The loss function makes full use of the advantages of ACGAN and WGAN-GP to ensure the stability of the training process and accelerate its convergence. Besides, a classification loss and a perceptual loss, all from the third-party classifier, are employed to improve further the generator's capacity to eliminate adversarial perturbations. Experiments are conducted on the MNIST, CIFAR10, and IMAGENET datasets. First, we perform ablation experiments to prove the proposed countermeasure's validity. Then, we defend against seven types of state-of-the-art adversarial examples on four deep neural networks and compare them with six existing countermeasures. Finally, the experimental results demonstrate that the proposed countermeasure is universal and has a more excellent performance than other countermeasures. The experimental code is available at https://github.com/Afreadyang/IAED-GAN.

computer science, information systems

Guanxiong Liu,Issa Khalil,Abdallah Khreishah

DOI: https://doi.org/10.48550/arXiv.1903.02585

IF: 5.414

2019-03-06

Machine Learning

Abstract:Machine learning models, especially neural network (NN) classifiers, are widely used in many applications including natural language processing, computer vision and cybersecurity. They provide high accuracy under the assumption of attack-free scenarios. However, this assumption has been defied by the introduction of adversarial examples -- carefully perturbed samples of input that are usually misclassified. Many researchers have tried to develop a defense against adversarial examples; however, we are still far from achieving that goal. In this paper, we design a Generative Adversarial Net (GAN) based adversarial training defense, dubbed GanDef, which utilizes a competition game to regulate the feature selection during the training. We analytically show that GanDef can train a classifier so it can defend against adversarial examples. Through extensive evaluation on different white-box adversarial examples, the classifier trained by GanDef shows the same level of test accuracy as those trained by state-of-the-art adversarial training defenses. More importantly, GanDef-Comb, a variant of GanDef, could utilize the discriminator to achieve a dynamic trade-off between correctly classifying original and adversarial examples. As a result, it achieves the highest overall test accuracy when the ratio of adversarial examples exceeds 41.7%.

Dongwei Xu,Hao Yang,Chuntao Gu,Zhuangzhi Chen,Qi Xuan,Xiaoniu Yang

DOI: https://doi.org/10.1109/tcsii.2021.3095663

2021-01-01

IEEE Transactions on Circuits & Systems II Express Briefs

Abstract:In the field of deep learning, deep neural networks (DNNs) have shown good performance on classification applications. However, a DNN model is vulnerable to adversarial examples, which is formed by adding tiny perturbations on a normal example and can mislead the DNN model to make a wrong estimate during the prediction. In this brief, for adversarial attacks in radio signals field, we propose a novel adversarial example detection strategy based on multifeature fusion and provide a framework which includes generating adversarial examples, extracting the local intrinsic dimensionality (LID) features and the constellation diagram (CD) features, detecting adversarial examples. We obtain the output values of normal examples and adversarial examples in each layer of the model respectively, and then, calculate the LID features values of examples by the maximum likelihood estimate based on a certain neighborhood range. Meanwhile, we calculate the CD features values by the range feature and density feature of the constellation diagram distribution. Finally, a logistic regression classifier is trained based on multifeature fusion values to detect adversarial examples. The experimental results across two benchmark datasets demonstrate that the proposed multifeature fusion method could accurately detect adversarial examples of radio signals. The detection accuracy is up to 98.7% when the perturbation reached 10%.

Dongwei Xu,Ruochen Fang,Qi Xuan,Weiguo Shen,Shilian Zheng,Xiaoniu Yang

DOI: https://doi.org/10.1109/tcsii.2024.3357830

2024-01-01

Abstract:Recently, backdoor attacks posed a new security threat against radio signals modulation models. The attacked model performs well on benign samples, whereas performs abnormally on backdoor samples. Current backdoor attacks usually inject static trigger into benign samples, which can be easily detected with static trigger patterns and large perturbation. In this paper, inspired by the Generative Adversarial Network (GAN), we proposed a backdoor attack against radio signals modulation based on adaptive trigger (AT-GAN) to learn the patterns of adaptive trigger, which can generate different trigger for specific radio signal. AT-GAN is composed of Adaptive Backdoor Generate Network (A-BaN), discriminator and radio signals modulation model. A-BaN is trained to generate adaptive triggers, discriminator is used to limit the perturbation of triggers and modulation model is poisoned based on generated poisoned samples. By a three-player game, A-BaN can generate adaptive triggers with small perturbation. The experimental results on two benchmark datasets demonstrate that our method can achieve better attack performance and reduce the detection rate of backdoor attacks compared to baseline backdoor attacks.

Qiao Li,Jing Chen,Kun He,Zijun Zhang,Ruiying Du,Jisi She,Xinxin Wang

DOI: https://doi.org/10.1016/j.cose.2024.103791

IF: 5.105

2024-02-01

Computers & Security

Abstract:Image classification based on Deep Neural Networks (DNNs) is vulnerable to adversarial examples, which make the classifier output incorrect predictions. One approach to defending against this attack is to detect whether the input is an adversarial example. Unfortunately, existing adversarial example detection methods heavily rely on the underlying classifier and may fail when the classifier is upgraded. In this paper, we propose a model-agnostic detection method that leverages high-frequency signals from adversarial noises in adversarial examples and does not need interactions with the underlying classifier. We amplify redundant high-frequency signals brought by adversarial noises and represent object boundaries with these signals in an image. Our key insight is that the boundaries extracted by redundant high-frequency signals have a strong correlation with the boundaries of images in adversarial examples, while this correlation does not exist in clean images. Furthermore, adversarial examples of large images have more high-frequency signals and make adversarial detection easier on large image datasets. Experimental results show that our method has good transferability and can accurately detect various adversarial examples on different datasets.

computer science, information systems

Eyad Shtaiwi,Ahmed El Ouadrhiri,Majid Moradikia,Salma Sultana,Ahmed Abdelhadi,Zhu Han

DOI: https://doi.org/10.48550/arXiv.2205.15743

IF: 5.414

2022-05-29

Machine Learning

Abstract:Automatic modulation classification (AMC) using the Deep Neural Network (DNN) approach outperforms the traditional classification techniques, even in the presence of challenging wireless channel environments. However, the adversarial attacks cause the loss of accuracy for the DNN-based AMC by injecting a well-designed perturbation to the wireless channels. In this paper, we propose a novel generative adversarial network (GAN)-based countermeasure approach to safeguard the DNN-based AMC systems against adversarial attack examples. GAN-based aims to eliminate the adversarial attack examples before feeding to the DNN-based classifier. Specifically, we have shown the resiliency of our proposed defense GAN against the Fast-Gradient Sign method (FGSM) algorithm as one of the most potent kinds of attack algorithms to craft the perturbed signals. The existing defense-GAN has been designed for image classification and does not work in our case where the above-mentioned communication system is considered. Thus, our proposed countermeasure approach deploys GANs with a mixture of generators to overcome the mode collapsing problem in a typical GAN facing radio signal classification problem. Simulation results show the effectiveness of our proposed defense GAN so that it could enhance the accuracy of the DNN-based AMC under adversarial attacks to 81%, approximately.

Dongyang Li,Linyuan Wang,Guangwei Xiong,Bin Yan,Dekui Ma,Jinxian Peng

2024-10-02

Abstract:With the development and application of deep learning in signal detection tasks, the vulnerability of neural networks to adversarial attacks has also become a security threat to signal detection networks. This paper defines a signal adversarial examples generation model for signal detection network from the perspective of adding perturbations to the signal. The model uses the inequality relationship of L2-norm between time domain and time-frequency domain to constrain the energy of signal perturbations. Building upon this model, we propose a method for generating signal adversarial examples utilizing gradient-based attacks and Short-Time Fourier Transform. The experimental results show that under the constraint of signal perturbation energy ratio less than 3%, our adversarial attack resulted in a 28.1% reduction in the mean Average Precision (mAP), a 24.7% reduction in recall, and a 30.4% reduction in precision of the signal detection network. Compared to random noise perturbation of equivalent intensity, our adversarial attack demonstrates a significant attack effect.

Computer Vision and Pattern Recognition,Cryptography and Security

Guoqing Jin,Shiwei Shen,Dongming Zhang,Feng Dai,Yongdong Zhang

DOI: https://doi.org/10.1109/icassp.2019.8683044

2017-01-01

Abstract:Although Deep Neural Networks could achieve state-of-the-art performance while recongnizing images, they often suffer a tremendous defeat from adversarial examples-inputs generated by utilizing imperceptible but intentional perturbations to samples from the datasets. So far, very few methods have provided a significant defense to adversarial examples. In this paper, an effective framework based Generative Adversarial Nets(GAN) is proposed to defense against the adversarial examples. The essense of the model is to eliminate the adversarial perturbations being highly aligned with the weight vectors of nueral models. Extensive experiments on benchmark datasets MNIST, CIFAR10 and ImageNet indicate that our framework is able to defense against adversarial examples effectively.

Donghua Wang,Li Dong,Rangding Wang,Diqun Yan,Jie Wang

DOI: https://doi.org/10.1109/ACCESS.2020.3006130

IF: 3.9

2020-01-01

IEEE Access

Abstract:Although neural network-based speech recognition models have enjoyed significant success in many acoustic systems, they are susceptible to be attacked by the adversarial examples. In this work, we make first step towards using generative adversarial network (GAN) for constructing the targeted speech adversarial examples. Specifically, we integrate the target speech recognition network with GAN framework, which can then be formulated as a three-party game. The generator in GAN aims at generating perturbation that could make the target network misclassified to a specific target, while simultaneously fooling the discriminator treating the adversarial example as a beguine one. The discriminator is to distinguish the crafted examples from the geniue samples. The classification error of the target network is back-propagated via gradient flow to the generator for updating. The target network is responsible for back-propagating the classification error via gradients to the generator for updating, but the target network itself is freezed. With the carefully designed network architecture, loss function and training strategy, we successfully train a generator that could generate the adversarial perturbation for a given speech clip and a target label. Experiential results show that the generated adversarial examples could effectively fool the state-of-the-art speech classification networks, while attaining an acceptable auditory perception quality. In addition, our proposed method runs much faster than the prevalent optimization-based schemes. To facilitate reproducible research, codes, models and data are publicly available at https://github.com/winterwindwang/SpeechAdvGan.

Weimin Zhao,Qusay H Mahmoud,Sanaa Alwidian

DOI: https://doi.org/10.3390/s23052697

2023-03-01

Abstract:Deep learning has been successfully utilized in many applications, but it is vulnerable to adversarial samples. To address this vulnerability, a generative adversarial network (GAN) has been used to train a robust classifier. This paper presents a novel GAN model and its implementation to defend against L∞ and L2 constraint gradient-based adversarial attacks. The proposed model is inspired by some of the related work, but it includes multiple new designs such as a dual generator architecture, four new generator input formulations, and two unique implementations with L∞ and L2 norm constraint vector outputs. The new formulations and parameter settings of GAN are proposed and evaluated to address the limitations of adversarial training and defensive GAN training strategies, such as gradient masking and training complexity. Furthermore, the training epoch parameter has been evaluated to determine its effect on the overall training results. The experimental results indicate that the optimal formulation of GAN adversarial training must utilize more gradient information from the target classifier. The results also demonstrate that GANs can overcome gradient masking and produce effective perturbation to augment the data. The model can defend PGD L2 128/255 norm perturbation with over 60% accuracy and PGD L∞ 8/255 norm perturbation with around 45% accuracy. The results have also revealed that robustness can be transferred between the constraints of the proposed model. In addition, a robustness-accuracy tradeoff was discovered, along with overfitting and the generalization capabilities of the generator and classifier. These limitations and ideas for future work will be discussed.

Heng Li,ShiYao Zhou,Wei Yuan,Jiahuan Li,Henry Leung

DOI: https://doi.org/10.1109/jsyst.2019.2906120

IF: 4.802

2020-03-01

IEEE Systems Journal

Abstract:Recently, it was shown that the generative adversarial network (GAN) based adversarial-example attacks could thoroughly defeat the existing Android malware detection systems. However, they can be easily defended through deploying a firewall (i.e., adversarial example detector) to filter adversarial examples. To evade both malware detection and adversarial example detection, we develop a new adversarial-example attack method based on our proposed bi-objective GAN. Experiments show that over $text{95}%$ of adversarial examples generated by our method break through the firewall-equipped Android malware detection system, outperforming the state-of-the-art method by $text{247.68}%$.

Sujata Sinha,Alkan Soysal

2023-12-01

Abstract:We introduce a Channel Distribution Information (CDI)-aware Generative Adversarial Network (GAN), designed to address the unique challenges of adversarial attacks in wireless communication systems. The generator in this CDI-aware GAN maps random input noise to the feature space, generating perturbations intended to deceive a target modulation classifier. Its discriminators play a dual role: one enforces that the perturbations follow a Gaussian distribution, making them indistinguishable from Gaussian noise, while the other ensures these perturbations account for realistic channel effects and resemble no-channel perturbations. Our proposed CDI-aware GAN can be used as an attacker and a defender. In attack scenarios, the CDI-aware GAN demonstrates its prowess by generating robust adversarial perturbations that effectively deceive the target classifier, outperforming known methods. Furthermore, CDI-aware GAN as a defender significantly improves the target classifier's resilience against adversarial attacks.

Information Theory,Networking and Internet Architecture,Signal Processing

Pouya Samangouei,Maya Kabkab,Rama Chellappa

DOI: https://doi.org/10.48550/arXiv.1805.06605

2018-05-17

Computer Vision and Pattern Recognition

Abstract:In recent years, deep neural network approaches have been widely adopted for machine learning tasks, including classification. However, they were shown to be vulnerable to adversarial perturbations: carefully crafted small perturbations can cause misclassification of legitimate images. We propose Defense-GAN, a new framework leveraging the expressive capability of generative models to defend deep neural networks against such attacks. Defense-GAN is trained to model the distribution of unperturbed images. At inference time, it finds a close output to a given image which does not contain the adversarial changes. This output is then fed to the classifier. Our proposed method can be used with any classification model and does not modify the classifier structure or training procedure. It can also be used as a defense against any attack as it does not assume knowledge of the process for generating the adversarial examples. We empirically show that Defense-GAN is consistently effective against different attack methods and improves on existing defense strategies. Our code has been made publicly available at https://github.com/kabkabm/defensegan

Dongyu Meng,Hao Chen

DOI: https://doi.org/10.48550/arXiv.1705.09064

2017-09-11

Abstract:Deep learning has shown promising results on hard perceptual problems in recent years. However, deep learning systems are found to be vulnerable to small adversarial perturbations that are nearly imperceptible to human. Such specially crafted perturbations cause deep learning systems to output incorrect decisions, with potentially disastrous consequences. These vulnerabilities hinder the deployment of deep learning systems where safety or security is important. Attempts to secure deep learning systems either target specific attacks or have been shown to be ineffective. In this paper, we propose MagNet, a framework for defending neural network classifiers against adversarial examples. MagNet does not modify the protected classifier or know the process for generating adversarial examples. MagNet includes one or more separate detector networks and a reformer network. Different from previous work, MagNet learns to differentiate between normal and adversarial examples by approximating the manifold of normal examples. Since it does not rely on any process for generating adversarial examples, it has substantial generalization power. Moreover, MagNet reconstructs adversarial examples by moving them towards the manifold, which is effective for helping classify adversarial examples with small perturbation correctly. We discuss the intrinsic difficulty in defending against whitebox attack and propose a mechanism to defend against graybox attack. Inspired by the use of randomness in cryptography, we propose to use diversity to strengthen MagNet. We show empirically that MagNet is effective against most advanced state-of-the-art attacks in blackbox and graybox scenarios while keeping false positive rate on normal examples very low.

Cryptography and Security,Machine Learning

Weiwei Hu,Ying Tan

DOI: https://doi.org/10.1007/978-981-19-8991-9_29

2022-01-01

Abstract:Machine learning has been used to detect new malware in recent years, while malware authors have strong motivation to attack such algorithms. Malware authors usually have no access to the detailed structures and parameters of the machine learning models used by malware detection systems, and therefore they can only perform black-box attacks. This paper proposes a generative adversarial network (GAN) based algorithm named MalGAN to generate adversarial malware examples, which are able to bypass black-box machine learning based detection models. MalGAN uses a substitute detector to fit the black-box malware detection system. A generative network is trained to minimize the generated adversarial examples' malicious probabilities predicted by the substitute detector. The superiority of MalGAN over traditional gradient based adversarial example generation algorithms is that MalGAN is able to decrease the detection rate to nearly zero and make the retraining based defensive method against adversarial examples hard to work.

Long Yuan,Junmei Sun,Xiumei Li,Zhenxiong Pan,Sisi Liu

DOI: https://doi.org/10.1007/s11042-024-18189-w

IF: 2.577

2024-01-30

Multimedia Tools and Applications

Abstract:Object detection is widely employed in security-critical scenarios. With the rapid development of deep learning, deep learning-based object detection methods have gradually replaced the traditional object detection technology due to their higher efficiency and accuracy in detection. However, these deep learning-based models are vulnerable to adversarial examples, which pose a serious security threat. Currently, existing adversarial attack methods have limited attack ability and are time-consuming. To address this issue, a low-frequency adversarial examples generation method for object detection using a generative model is proposed. By transforming the generation of adversarial examples from a traditional optimization mechanism into a generation mechanism, our method greatly shortens the time required for generating adversarial examples. Two auxiliary networks are added to the Generative Adversarial Networks framework to guide the network training, using adversarial loss and the feature layer loss to improve the attack ability of adversarial examples. Moreover, a Gaussian Filtering Module is incorporated behind the generator to smooth the perturbation and preserve effective low-frequency perturbation. Experiment results on PASCAL VOC 2007 datasets show that our method can significantly improve generation speed and attack success rate compared to other attack methods. Furthermore, compared with the UEA methods, which also use a generation mechanism, our method exhibits superior performance in terms of generated image quality and attack success rate.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Bo Wang,Mengnan Zhao,Wei Wang,Fei Wei,Zhan Qin,Kui Ren

DOI: https://doi.org/10.1109/tcsvt.2020.3017006

IF: 5.859

2020-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Deep neural networks (DNNs) have seen extensive studies on image recognition and classification, image segmentation, and related topics. However, recent studies show that DNNs are vulnerable in defending adversarial examples. The classification network can be deceived by adding a small amount of perturbation to clean samples. There are challenges when researchers want to design a general approach to defend against a wide variety of adversarial examples. To solve this problem, we introduce a defensive method to prevent adversarial examples from generating. Instead of designing a stronger classifier, we built a more robust classification system that can be viewed as a structural black box. After adding a buffer to the classification system, attackers can be efficiently deceived. The real evaluation results of the generated adversarial examples are often contrary to what the attacker thinks. Additionally, we do not assume a specific attack method premise. This incognizance to underlying attacks demonstrates the generalizability of the buffer to potential adversarial attacks. Extensive experiments indicate that the defense method greatly improves the security performance of DNNs.