Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Mengqian Li,Chunjie Cao

DOI: https://doi.org/10.1109/icbda55095.2022.9760353

2022-01-01

Abstract:The Deep Neural Networks models have been extensively applied to many real-world areas due to their outstanding performance, especially to safety-critical applications such as autonomous vehicles, healthcare and face recognition. However, many types of research showed that they are easily disturbed by some carefully crafted tiny perturbations, which are called adversarial examples. Therefore, in this paper, a novel method is proposed as image preprocessing. When preprocessing, without discriminating the input images clean images or adversarial examples, the adaptive parameters adjust the images of label loss and pixel-level loss to jointly guide the model to generate reconstructed images and eliminate adversarial perturbation without affecting the images quality and classification result. Moreover, the model uses an architecture of a sparsity constraint that ensures that a neuron fires only for meaningful patterns, limiting the influence of adversarial perturbation on clean images. The defense proposed against attacks of FGSM, MI-FGSM, C&W, PGD, RAND+FGSM under the MNIST and CIFAR-10 datasets. The experimental results show that the target model can reach the average accuracy of 98% and 92% separately when the MNIST and CIFAR-10 datasets are attacked through the defense proposed, demonstrating the effectiveness of the proposed method.

Dhairya Vyas,Viral V. Kapadia

DOI: https://doi.org/10.7717/peerj-cs.1868

2024-03-09

PeerJ Computer Science

Abstract:Adversarial attacks pose a significant challenge to deep neural networks used in image classification systems. Although deep learning has achieved impressive success in various tasks, it can easily be deceived by adversarial patches created by adding subtle yet deliberate distortions to natural images. These attacks are designed to remain hidden from both human and computer-based classifiers. Considering this, we propose novel model designs that enhance adversarial strength with incorporating feature denoising blocks. Exclusively, proposed model utilizes Gaussian data augmentation (GDA) and spatial smoothing (SS) to denoise the features. These techniques are reasonable and can be mixed in a joint finding context to accomplish superior recognition levels versus adversarial assaults while also balancing other defenses. We tested the proposed approach on the ImageNet and CIFAR-10 datasets using 10-iteration projected gradient descent (PGD), fast gradient sign method (FGSM), and DeepFool attacks. The proposed method achieved an accuracy of 95.62% in under four minutes, which is highly competitive compared to existing approaches. We also conducted a comparative analysis with existing methods.

computer science, information systems, artificial intelligence, theory & methods

Yishan Li,Yanming Guo,Yuxiang Xie,Qi Wang

DOI: https://doi.org/10.1109/bigdia56350.2022.9874193

2022-01-01

Abstract:With the development of artificial intelligence technology, to our surprise, deep neural networks have made a series of breakthroughs and achieved optimal results in lots of machine learning tasks, while the image field is the most prominent. Although deep learning technology has brought great convenience to our lives, the security problems of artificial intelligence have gradually become prominent. But deep neural networks are very fragile, and usually a small perturbation can have a serious impact on the neural network, especially adversarial examples. As a small imperceptible perturbation, it can cause malicious effects on the results of image classification. What can we do to protect clean examples from perturbations has become the most important and practical research direction in the current image field. A large number of scholars have begun to invest in adversarial examples research, especially in defense, the achievements are more abundant, and related research results have also shown a blowout state. Based on the research status of recent years, this paper first explains the concept of adversarial examples, organizes the current attack methods, and then summarizes different defense methods according to the criteria of detection defense and robust defense. Improvements are discussed to help further development of adversarial defense of images.

Meikang Qiu,Han Qiu

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00027

2020-05-01

Abstract:Recent research works showed that deep neural networks are vulnerable to adversarial examples, which are usually maliciously created by carefully adding deliberate and imperceptible perturbations to examples. Several states of the art defense methods are proposed based on the existing image processing methods like image compression and image denoising. However, such approaches are not the final optimal solution for defense adversarial perturbations in DNN models. In this paper, we reviewed two main approaches to deploying image processing methods as a defense. By analyzing and discus!sing the remaining issues, we present two open questions for future research direction including the definition of adversarial perturbations and noises, the novel defense-aware threat model. A further research direction is also given by re-thinking the impacts of adversarial perturbations on all frequency bands.

Ke Wu,Zichi Wang,Xinpeng Zhang,Zhenjun Tang

DOI: https://doi.org/10.1117/1.jei.32.2.023016

IF: 0.829

2023-01-01

Journal of Electronic Imaging

Abstract:Conventional deep neural networks (DNNs) have been shown to be vulnerable to images with adversarial perturbations, referred to as adversarial examples. In this study, we propose a method to protect neural networks against adversarial examples using perceptual image hashing. Because perceptual hashing is robust to adversarial perturbations, we combine hash sequences of input images with the parameters of a neural network in an image-hash processing network. Thus, outputs of the neural network are affected by image hashes, which render the model robust to adversarial examples to some extent. Thus, the proposed approach provides a defense against adversarial examples. The experiment was conducted on the CIFAR-10 dataset, and we used ResNet-18 as our target network. To verify our method, we tested our defense network using several common white-box attacks and black-box attacks. The results show that it achieved a significant improvement in the classification accuracy for adversarial examples.

Ziang Yan,Yiwen Guo,Changshui Zhang

2018-01-01

Abstract:Despite the efficacy on a variety of computer vision tasks, deep neural networks (DNNs) are vulnerable to adversarial attacks, limiting their applications in security-critical systems. Recent works have shown the possibility of generating imperceptibly perturbed image inputs (a.k.a., adversarial examples) to fool well-trained DNN models into making arbitrary predictions. To address this problem, we propose a training recipe named DeepDefense. Our core idea is to integrate an adversarial perturbation-based regularizer into the classification objective, such that the obtained models learn to resist potential attacks, directly and precisely. The whole optimization problem is solved just like training a recursive network. Experimental results demonstrate that our method outperforms the state-of-the-arts by large margins on various datasets (including MNIST, CIFAR-10 and ImageNet) and different DNN architectures. Code and models for reproducing our results will be made publicly available.

Ziang Yan,Yiwen Guo,Changshui Zhang

DOI: https://doi.org/10.48550/arXiv.1803.00404

2018-02-23

Computer Vision and Pattern Recognition

Abstract:Despite the efficacy on a variety of computer vision tasks, deep neural networks (DNNs) are vulnerable to adversarial attacks, limiting their applications in security-critical systems. Recent works have shown the possibility of generating imperceptibly perturbed image inputs (a.k.a., adversarial examples) to fool well-trained DNN classifiers into making arbitrary predictions. To address this problem, we propose a training recipe named "deep defense". Our core idea is to integrate an adversarial perturbation-based regularizer into the classification objective, such that the obtained models learn to resist potential attacks, directly and precisely. The whole optimization problem is solved just like training a recursive network. Experimental results demonstrate that our method outperforms training with adversarial/Parseval regularizations by large margins on various datasets (including MNIST, CIFAR-10 and ImageNet) and different DNN architectures. Code and models for reproducing our results are available at https://github.com/ZiangYan/deepdefense.pytorch

Han Xu,Yao Ma,Hao-Chen Liu,Debayan Deb,Hui Liu,Ji-Liang Tang,Anil K. Jain

DOI: https://doi.org/10.1007/s11633-019-1211-x

2020-03-27

International Journal of Automation and Computing

Abstract:Abstract Deep neural networks (DNN) have achieved unprecedented success in numerous machine learning tasks in various domains. However, the existence of adversarial examples raises our concerns in adopting deep learning to safety-critical applications. As a result, we have witnessed increasing interests in studying attack and defense mechanisms for DNN models on different data types, such as images, graphs and text. Thus, it is necessary to provide a systematic and comprehensive overview of the main threats of attacks and the success of corresponding countermeasures. In this survey, we review the state of the art algorithms for generating adversarial examples and the countermeasures against adversarial examples, for three most popular data types, including images, graphs and text.

automation & control systems,computer science, artificial intelligence

Pengfei Qiu,Qian Wang,Dongsheng Wang,Yongqiang Lyu,Zhaojun Lu,Gang Qu

DOI: https://doi.org/10.1109/ASP-DAC47756.2020.9045107

2020-01-01

Abstract:Typical Deep Neural Networks (DNN) are susceptible to adversarial attacks that add malicious perturbations to input to mislead the DNN model. Most of the state-of-theart countermeasures concentrate on the defensive distillation or parameter re-training, which require prior knowledge of the target DNN and/or the attacking methods and hence greatly limit their generality and usability. In this paper, we propose to defend against adversarial attacks by utilizing the input deformation and augmentation techniques that are currently widely utilized to enlarge the dataset during DNN's training phase. This is based on the observation that certain input deformation and augmentation methods will have little or no impact on DNN model's accuracy, but the adversarial attacks will fail when the maliciously induced perturbations are randomly deformed. We also use the ensemble of decisions to further improve DNN model's accuracy and the effectiveness of defending various attacks. Our proposed mitigation method is model independent (i.e. it does not require additional training, parameter finetuning, or any structure modifications of the target DNN model) and attack independent (i.e., it does not require any knowledge of the adversarial attacks). So it has excellent generality and usability. We conduct experiments on standard CIFAR-10 dataset and three representative adversarial attacks: Fast Gradient Sign Method, Carlini and Wagner, and Jacobian-based Saliency Map Attack. Results show that the average success rate of the attacks can be reduced from 96.5% to 28.7% while the DNN model accuracy is improved by about 2%.

Yu Aust Zhang,Huan Xu,Chengfei Pei,Gaoming Yang

DOI: https://doi.org/10.7717/peerj-cs.811

2021-12-24

Abstract:The rapid development of deep neural networks (DNN) has promoted the widespread application of image recognition, natural language processing, and autonomous driving. However, DNN is vulnerable to adversarial examples, such as an input sample with imperceptible perturbation which can easily invalidate the DNN and even deliberately modify the classification results. Therefore, this article proposes a preprocessing defense framework based on image compression reconstruction to achieve adversarial example defense. Firstly, the defense framework performs pixel depth compression on the input image based on the sensitivity of the adversarial example to eliminate adversarial perturbations. Secondly, we use the super-resolution image reconstruction network to restore the image quality and then map the adversarial example to the clean image. Therefore, there is no need to modify the network structure of the classifier model, and it can be easily combined with other defense methods. Finally, we evaluate the algorithm with MNIST, Fashion-MNIST, and CIFAR-10 datasets; the experimental results show that our approach outperforms current techniques in the task of defending against adversarial example attacks.

Adnan Siraj Rakin,Zhezhi He,Boqing Gong,Deliang Fan

2018-01-01

Abstract:Deep learning algorithms and networks are vulnerable to perturbed inputs which are known as the adversarial attack. Many defense methodologies have been investigated to defend such adversarial attack. In this work, we propose a novel methodology to defend the existing powerful attack model. Such attack models have achieved record success against MNIST dataset to force it to miss-classify all of its inputs. Whereas Our proposed defense method robust pre-processing achieves the best accuracy among the current state of the art defenses. It consists of Tanh (hyperbolic tangent) function, smoothing and batch normalization to process the input data which will make it more robust over the adversarial attack. robust pre-processing improves the white box attack accuracy of MNIST from 94.3% to 98.7%. Even with increasing defense when others defenses completely fail, robust pre-processing remains one of the strongest ever reported. Another strength of our defense is that it eliminates the need for adversarial training as it can significantly increase the MNIST accuracy without adversarial training as well. This makes it a more generalized defense method with almost half training overhead and much-improved accuracy. robust pre-processing can also increase the inference accuracy in the face of the powerful attack on CIFAR-10 and SVHN data set as well without much sacrificing clean data accuracy.

Hua Wang,Jie Wang,Zhaoxia Yin

2019-01-01

Abstract:Deep Neural Networks (DNNs) are vulnerable to adversarial examples generated by imposing subtle perturbations to inputs that lead a model to predict incorrect outputs. Currently, a large number of researches on defending adversarial examples pay little attention to the real-world applications, either with high computational complexity or poor defensive effects. Motivated by this observation, we develop an efficient preprocessing method to defend adversarial images. Specifically, before an adversarial example is fed into the model, we perform two image transformations: WebP compression, which is utilized to remove the small adversarial noises. Flip operation, which flips the image once along one side of the image to destroy the specific structure of adversarial perturbations. Finally, a de-perturbed sample is obtained and can be correctly classified by DNNs. Experimental results on ImageNet show that our method outperforms the state-of-the-art defense methods. It can effectively defend adversarial attacks while ensure only very small accuracy drop on normal images.

Yigit Alparslan,Ken Alparslan,Jeremy Keim-Shenk,Shweta Khade,Rachel Greenstadt

DOI: https://doi.org/10.48550/arXiv.2001.11137

IF: 5.414

2020-01-30

Machine Learning

Abstract:Numerous recent studies have demonstrated how Deep Neural Network (DNN) classifiers can be fooled by adversarial examples, in which an attacker adds perturbations to an original sample, causing the classifier to misclassify the sample. Adversarial attacks that render DNNs vulnerable in real life represent a serious threat in autonomous vehicles, malware filters, or biometric authentication systems. In this paper, we apply Fast Gradient Sign Method to introduce perturbations to a facial image dataset and then test the output on a different classifier that we trained ourselves, to analyze transferability of this method. Next, we craft a variety of different black-box attack algorithms on a facial image dataset assuming minimal adversarial knowledge, to further assess the robustness of DNNs in facial recognition. While experimenting with different image distortion techniques, we focus on modifying single optimal pixels by a large amount, or modifying all pixels by a smaller amount, or combining these two attack approaches. While our single-pixel attacks achieved about a 15% average decrease in classifier confidence level for the actual class, the all-pixel attacks were more successful and achieved up to an 84% average decrease in confidence, along with an 81.6% misclassification rate, in the case of the attack that we tested with the highest levels of perturbation. Even with these high levels of perturbation, the face images remained identifiable to a human. Understanding how these noised and perturbed images baffle the classification algorithms can yield valuable advances in the training of DNNs against defense-aware adversarial attacks, as well as adaptive noise reduction techniques. We hope our research may help to advance the study of adversarial attacks on DNNs and defensive mechanisms to counteract them, particularly in the facial recognition domain.

Weiqi Fan,Guangling Sun,Yuying Su,Zhi Liu,Xiaofeng Lu

DOI: https://doi.org/10.1109/icmew.2019.00-85

2019-01-01

Abstract:Nowadays, deep neural networks (DNN) have achieved significant success in computer vision. However, recent investigations have shown that DNN models are highly vulnerable to an input adversarial example. How to defense against adversarial examples is an essential issue to improve the robustness of DNN models. In this paper, we present a hybrid defense framework that integrates detecting and cleaning adversarial perturbations to protect DNN. Specifically, the detecting part consists of statistical detector and Gaussian noise injection detector which are adaptive to perturbation characteristics to inspect adversarial examples, and the cleaning part is a deep residual generative network (ResGN) for removing or mitigating the adversarial perturbations. The parameters of ResGN are optimized by minimizing a joint loss including a pixel loss, a texture loss and a task loss. In the experiments, we evaluate our approach on ImageNet and the comprehensive results validate its robustness against current representative attacks.

Xiaoyong Yuan,Pan He,Qile Zhu,Xiaolin Li

DOI: https://doi.org/10.1109/tnnls.2018.2886017

IF: 14.255

2019-09-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks (DNNs) have been recently found vulnerable to well-designed input samples called adversarial examples. Adversarial perturbations are imperceptible to human but can easily fool DNNs in the testing/deploying stage. The vulnerability to adversarial examples becomes one of the major risks for applying DNNs in safety-critical environments. Therefore, attacks and defenses on adversarial examples draw great attention. In this paper, we review recent findings on adversarial examples for DNNs, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Samer Y. Khamaiseh,Derek Bagagem,Abdullah Al-Alaj,Mathew Mancino,Hakam W. Alomari

DOI: https://doi.org/10.1109/access.2022.3208131

IF: 3.9

2022-10-04

IEEE Access

Abstract:The popularity of adapting deep neural networks (DNNs) in solving hard problems has increased substantially. Specifically, in the field of computer vision, DNNs are becoming a core element in developing many image and video classification and recognition applications. However, DNNs are vulnerable to adversarial attacks, in which, given a well-trained image classification model, a malicious input can be crafted by adding mere perturbations to misclassify the image. This phenomena raise many security concerns in utilizing DNNs in critical life applications which attracts the attention of academic and industry researchers. As a result, multiple studies have proposed discussing novel attacks that can compromise the integrity of state-of-the-art image classification neural networks. The raise of these attacks urges the research community to explore countermeasure methods to mitigate these attacks and increase the reliability of adapting DDNs in different major applications. Hence, various defense strategies have been proposed to protect DNNs against adversarial attacks. In this paper, we thoroughly review the most recent and state-of-the-art adversarial attack methods by providing an in-depth analysis and explanation of the working process of these attacks. In our review, we focus on explaining the mathematical concepts and terminologies of the adversarial attacks, which provide a comprehensive and solid survey to the research community. Additionally, we provide a comprehensive review of the most recent defense mechanisms and discuss their effectiveness in defending DNNs against adversarial attacks. Finally, we highlight the current challenges and open issues in this field as well as future research directions.

computer science, information systems,telecommunications,engineering, electrical & electronic

Adnan Siraj Rakin,Zhezhi He,Boqing Gong,Deliang Fan

DOI: https://doi.org/10.48550/arXiv.1802.01549

IF: 5.414

2018-02-05

Machine Learning

Abstract:Deep learning algorithms and networks are vulnerable to perturbed inputs which is known as the adversarial attack. Many defense methodologies have been investigated to defend against such adversarial attack. In this work, we propose a novel methodology to defend the existing powerful attack model. We for the first time introduce a new attacking scheme for the attacker and set a practical constraint for white box attack. Under this proposed attacking scheme, we present the best defense ever reported against some of the recent strong attacks. It consists of a set of nonlinear function to process the input data which will make it more robust over the adversarial attack. However, we make this processing layer completely hidden from the attacker. Blind pre-processing improves the white box attack accuracy of MNIST from 94.3\% to 98.7\%. Even with increasing defense when others defenses completely fail, blind pre-processing remains one of the strongest ever reported. Another strength of our defense is that it eliminates the need for adversarial training as it can significantly increase the MNIST accuracy without adversarial training as well. Additionally, blind pre-processing can also increase the inference accuracy in the face of a powerful attack on CIFAR-10 and SVHN data set as well without much sacrificing clean data accuracy.

Zhangao Yi,Yongfeng Qian,Min Chen,Salman A. Alqahtani,M. Shamim Hossain

DOI: https://doi.org/10.1016/j.adhoc.2023.103263

IF: 4.816

2023-01-01

Ad Hoc Networks

Abstract:The metaverse, as an impressive technology, can achieve outstanding performance in many fields. With the development of deep neural networks (DNNs), more and more metaverse artificial intelligence (AI) applications are emerging, which have low tolerance for delay. The edge computing based metaverse AI can overcome this problem. However, these AI applications bring new challenges of high reliability, especially DNNs are subject to the security risk of adversarial attacks that generate small and imperceptible noise and cause classifier to make predictions with a high error probability. To meet the reliability requirements of AI applications, in this paper, we propose a security mechanism against adversarial attacks in edge computing based metaverse AI applications. This mechanism utilizes a modified ResNet model that defends against adversarial attacks. We deploy it on the edge cloud to preprocess the data uploaded by metaverse AI applications. In order to achieve a better model performance, we use multiple residual network blocks to build this neural network model on the basis of autoencoder. To assist the model to produce defensively high-quality images, we utilize several convolution layers with various step sizes to process multi-scale images and design to use multiple types of samples with different properties together for the model training. We evaluate our method with experiments on MNIST, CIFAR-10, and CIFAR-100 datasets, and against five attacks such as FGSM and DeepFool attacks. We show that our method achieves 96% defence success rate in MNIST and significantly outperforms existing denoising methods in terms of residual network block, multi-scale image, and training methods.