Siyue Wang,Xiao Wang,Pu Zhao,Wujie Wen,David Kaeli,Peter Chin,Xue Lin

DOI: https://doi.org/10.1145/3240765.3264699

2018-09-14

Abstract:Deep neural networks (DNNs) are known vulnerable to adversarial attacks. That is, adversarial examples, obtained by adding delicately crafted distortions onto original legal inputs, can mislead a DNN to classify them as any target labels. This work provides a solution to hardening DNNs under adversarial attacks through defensive dropout. Besides using dropout during training for the best test accuracy, we propose to use dropout also at test time to achieve strong defense effects. We consider the problem of building robust DNNs as an attacker-defender two-player game, where the attacker and the defender know each others' strategies and try to optimize their own strategies towards an equilibrium. Based on the observations of the effect of test dropout rate on test accuracy and attack success rate, we propose a defensive dropout algorithm to determine an optimal test dropout rate given the neural network model and the attacker's strategy for generating adversarial <a class="link-external link-http" href="http://examples.We" rel="external noopener nofollow">this http URL</a> also investigate the mechanism behind the outstanding defense effects achieved by the proposed defensive dropout. Comparing with stochastic activation pruning (SAP), another defense method through introducing randomness into the DNN model, we find that our defensive dropout achieves much larger variances of the gradients, which is the key for the improved defense effects (much lower attack success rate). For example, our defensive dropout can reduce the attack success rate from 100% to 13.89% under the currently strongest attack i.e., C&W attack on MNIST dataset.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Ranjie Duan,Yuefeng Chen,Dantong Niu,Yun Yang,A. K. Qin,Yuan He

DOI: https://doi.org/10.1109/iccv48922.2021.00741

2021-10-01

Abstract:Human can easily recognize visual objects with lost information: even losing most details with only contour reserved, e.g. cartoon. However, in terms of visual perception of Deep Neural Networks (DNNs), the ability for recognizing abstract objects (visual objects with lost information) is still a challenge. In this work, we investigate this issue from an adversarial viewpoint: will the performance of DNNs decrease even for the images only losing a little information? Towards this end, we propose a novel adversarial attack, named AdvDrop, which crafts adversarial examples by dropping existing information of images. Previously, most adversarial attacks add extra disturbing information on clean images explicitly. Opposite to previous works, our proposed work explores the adversarial robustness of DNN models in a novel perspective by dropping imperceptible de-tails to craft adversarial examples. We demonstrate the effectiveness of AdvDrop by extensive experiments, and show that this new type of adversarial examples is more difficult to be defended by current defense systems.

Yulong Wang,Tong Sun,Xin Yuan,Shenghong Li,Wei Ni

DOI: https://doi.org/10.1109/tifs.2024.3474973

IF: 7.231

2024-10-22

IEEE Transactions on Information Forensics and Security

Abstract:Training deep neural networks (DNNs) with altered data, known as adversarial training, is essential for improving their robustness. A significant challenge emerges as the robustness strengthened during training often diminishes during inference, resulting in drops in robust pronounced accuracy. Contemporary strategies either necessitate excessively large training data or risk compromising the natural accuracy of non-adversarial images. Our analysis identifies that the inherent vulnerability of DNNs to adversarial attacks stems from certain input space segments that are inadequately populated by training data, leading to decision-making voids with incorrect predictions. The minimum number of training samples required for successful adversarial training can be attained by maximizing the representativeness of the samples. In light of this, we put forth an advanced training data augmentation method anchored on a Generative Adversarial Network. The generated samples are evaluated by the image classifier during training and selected based on their confidence scores. Evaluations on public datasets, such as Tiny-ImageNet, MS COCO, and CIFAR-100, using various deep neural networks (DNNs), including Vision Transformer, MobileNet, and WideResNet, under recent attacks like DifAttack, SQBA, and AutoAttack, confirm that our method significantly enhances the adversarial robustness of DNN image classifiers. Our method outperforms state-of-the-art adversarial training methods by 35.66% on Tiny-ImageNet, 13.53% on MS COCO, and 13.06% on CIFAR-100.

computer science, theory & methods,engineering, electrical & electronic

Bo Wang,Mengnan Zhao,Wei Wang,Fei Wei,Zhan Qin,Kui Ren

DOI: https://doi.org/10.1109/tcsvt.2020.3017006

IF: 5.859

2020-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Deep neural networks (DNNs) have seen extensive studies on image recognition and classification, image segmentation, and related topics. However, recent studies show that DNNs are vulnerable in defending adversarial examples. The classification network can be deceived by adding a small amount of perturbation to clean samples. There are challenges when researchers want to design a general approach to defend against a wide variety of adversarial examples. To solve this problem, we introduce a defensive method to prevent adversarial examples from generating. Instead of designing a stronger classifier, we built a more robust classification system that can be viewed as a structural black box. After adding a buffer to the classification system, attackers can be efficiently deceived. The real evaluation results of the generated adversarial examples are often contrary to what the attacker thinks. Additionally, we do not assume a specific attack method premise. This incognizance to underlying attacks demonstrates the generalizability of the buffer to potential adversarial attacks. Extensive experiments indicate that the defense method greatly improves the security performance of DNNs.

Dian Zhang,Yunwei Dong

DOI: https://doi.org/10.1016/j.neunet.2023.08.048

IF: 7.8

2023-01-01

Neural Networks

Abstract:Deep neural networks have become increasingly significant in our daily lives due to their remarkable performance. The issue of adversarial examples, which are responsible for the vulnerability problem of deep neural networks, has attracted the attention of researchers in the study of robustness of these networks. To address the issues caused by the restricted diversity and precision of adversarial perturbations in neural networks, we introduce a novel technique called Adversarial Boundary Diffusion Probability Modeling (Adv-BDPM). This approach combines boundary analysis and diffusion probability modeling. First, we combined the denoising diffusion probability model with the boundary loss to design the boundary diffusion probability model, which can generate corresponding boundary perturbations for a specific neural network. Then, through the iterative process of boundary perturbations and its corresponding orthogonal perturbations, we proposed a decision boundary search algorithm to generate adversarial samples. The comparison experiments with black-box attacks in ImageNet demonstrate that Adv-BDPM has better attack success rate and perturbation precision. The comparison experiments with white-box attacks in CIFAR-10 and CIFAR-100 demonstrate that Adv-BDPM has better attack success rate, attack diversity for the same sample, and can effectively defend against adversarial training with shorter running time.

Omer Faruk Tuna,Ferhat Ozgur Catak,M. Taner Eskil

DOI: https://doi.org/10.48550/arXiv.2102.04150

2021-02-14

Abstract:Deep neural network architectures are considered to be robust to random perturbations. Nevertheless, it was shown that they could be severely vulnerable to slight but carefully crafted perturbations of the input, termed as adversarial samples. In recent years, numerous studies have been conducted in this new area called "Adversarial Machine Learning" to devise new adversarial attacks and to defend against these attacks with more robust DNN architectures. However, almost all the research work so far has been concentrated on utilising model loss function to craft adversarial examples or create robust models. This study explores the usage of quantified epistemic uncertainty obtained from Monte-Carlo Dropout Sampling for adversarial attack purposes by which we perturb the input to the areas where the model has not seen before. We proposed new attack ideas based on the epistemic uncertainty of the model. Our results show that our proposed hybrid attack approach increases the attack success rates from 82.59% to 85.40%, 82.86% to 89.92% and 88.06% to 90.03% on MNIST Digit, MNIST Fashion and CIFAR-10 datasets, respectively.

Machine Learning,Artificial Intelligence

Jingyi Wang,Guoliang Dong,Jun Sun,Xinyu Wang,Peixin Zhang

DOI: https://doi.org/10.1109/icse.2019.00126

2019-05-01

Abstract:Deep neural networks (DNN) have been shown to be useful in a wide range of applications. However, they are also known to be vulnerable to adversarial samples. By transforming a normal sample with some carefully crafted human imperceptible perturbations, even highly accurate DNN make wrong decisions. Multiple defense mechanisms have been proposed which aim to hinder the generation of such adversarial samples. However, a recent work show that most of them are ineffective. In this work, we propose an alternative approach to detect adversarial samples at runtime. Our main observation is that adversarial samples are much more sensitive than normal samples if we impose random mutations on the DNN. We thus first propose a measure of ‘sensitivity’ and show empirically that normal samples and adversarial samples have distinguishable sensitivity. We then integrate statistical hypothesis testing and model mutation testing to check whether an input sample is likely to be normal or adversarial at runtime by measuring its sensitivity. We evaluated our approach on the MNIST and CIFAR10 datasets. The results show that our approach detects adversarial samples generated by state-of-the-art attacking methods efficiently and accurately.

Lin Jing,Njilla Laurent L.,Xiong Kaiqi

DOI: https://doi.org/10.1186/s13635-021-00125-2

2022-01-01

EURASIP Journal on Information Security

Abstract:Deep neural networks (DNNs) are widely used to handle many difficult tasks, such as image classification and malware detection, and achieve outstanding performance. However, recent studies on adversarial examples, which have maliciously undetectable perturbations added to their original samples that are indistinguishable by human eyes but mislead the machine learning approaches, show that machine learning models are vulnerable to security attacks. Though various adversarial retraining techniques have been developed in the past few years, none of them is scalable. In this paper, we propose a new iterative adversarial retraining approach to robustify the model and to reduce the effectiveness of adversarial inputs on DNN models. The proposed method retrains the model with both Gaussian noise augmentation and adversarial generation techniques for better generalization. Furthermore, the ensemble model is utilized during the testing phase in order to increase the robust test accuracy. The results from our extensive experiments demonstrate that the proposed approach increases the robustness of the DNN model against various adversarial attacks, specifically, fast gradient sign attack, Carlini and Wagner (C&W) attack, Projected Gradient Descent (PGD) attack, and DeepFool attack. To be precise, the robust classifier obtained by our proposed approach can maintain a performance accuracy of 99% on average on the standard test set. Moreover, we empirically evaluate the runtime of two of the most effective adversarial attacks, i.e., C&W attack and BIM attack, to find that the C&W attack can utilize GPU for faster adversarial example generation than the BIM attack can. For this reason, we further develop a parallel implementation of the proposed approach. This parallel implementation makes the proposed approach scalable for large datasets and complex models.

Ziming Zhao,Zhaoxuan Li,Tingting Li,Jiongchi Yu,Fan Zhang,Rui Zhang

DOI: https://doi.org/10.1145/3589335.3651524

2024-01-01

Abstract:Recent studies show that deep neural networks are extremely vulnerable, especially for adversarial examples of image classification models. However, the current defense technologies exhibit a series of limitations in terms of the adaptability of different attacks, the trade-off between clean-instance accuracy and robust one, as well as efficiency for train time overhead. To tackle these problems, we present a novel component, named redundant fully connected layer, which can be combined with existing model backbones in a pluggable manner. Specifically, we design a tailor-made loss function for it that leverages cosine similarity to maximize the difference and diversity of multiple fully connected parts. We conduct extensive experiments against 12 representative attacks (white-box and black-box), based on the popular dataset. The empirical evaluations show that our scheme realizes significant outcomes against various attacks with negligible additional training overhead, while hardly bringing collateral damage for clean-instance accuracy.

Guangyong Chen,Pengfei Chen,Yujun Shi,Chang-Yu Hsieh,Benben Liao,Shengyu Zhang

DOI: https://doi.org/10.48550/arxiv.1905.05928

2019-01-01

Abstract:In this work, we propose a novel technique to boost training efficiency of a neural network. Our work is based on an excellent idea that whitening the inputs of neural networks can achieve a fast convergence speed. Given the well-known fact that independent components must be whitened, we introduce a novel Independent-Component (IC) layer before each weight layer, whose inputs would be made more independent. However, determining independent components is a computationally intensive task. To overcome this challenge, we propose to implement an IC layer by combining two popular techniques, Batch Normalization and Dropout, in a new manner that we can rigorously prove that Dropout can quadratically reduce the mutual information and linearly reduce the correlation between any pair of neurons with respect to the dropout layer parameter p. As demonstrated experimentally, the IC layer consistently outperforms the baseline approaches with more stable training process, faster convergence speed and better convergence limit on CIFAR10/100 and ILSVRC2012 datasets. The implementation of our IC layer makes us rethink the common practices in the design of neural networks. For example, we should not place Batch Normalization before ReLU since the non-negative responses of ReLU will make the weight layer updated in a suboptimal way, and we can achieve better performance by combining Batch Normalization and Dropout together as an IC layer.

Tianyang Wang,Jun Huan,Bo Li

DOI: https://doi.org/10.1109/ICTAI.2018.00017

2018-01-01

Abstract:Deep learning models learn to fit training data while they are highly expected to generalize well to testing data. Most works aim at finding such models by creatively designing architectures and fine-tuning parameters. To adapt to particular tasks, hand-crafted information such as image prior has also been incorporated into end-to-end learning. However, very little progress has been made on investigating how an individual training sample will influence the generalization ability of a model. In other words, to achieve high generalization accuracy, do we really need all the samples in a training dataset? In this paper, we demonstrate that deep learning models such as convolutional neural networks may not favor all training samples, and generalization accuracy can be further improved by dropping those unfavorable samples. Specifically, the influence of removing a training sample is quantifiable, and we propose a Two-Round Training approach, aiming to achieve higher generalization accuracy. We locate unfavorable samples after the first round of training, and then retrain the model from scratch with the reduced training dataset in the second round. Since our approach is essentially different from fine-tuning or further training, the computational cost should not be a concern. Our extensive experimental results indicate that, with identical settings, the proposed approach can boost performance of the well-known networks on both high-level computer vision problems such as image classification, and low-level vision problems such as image denoising.

Yuanyuan Chen,Zhang Yi

DOI: https://doi.org/10.1016/j.neucom.2021.04.047

IF: 6

2021-01-01

Neurocomputing

Abstract:Dropout is an important training method for deep neural networks, because it can help avoid over-fitting. Traditional dropout methods and many extended dropout methods, omit some of the neurons’ activation values according to the probabilities. These methods calculate the activation probability of neurons using the designed formula, without providing a plausible explanation of the calculation method. This paper proposes an adaptive sparse dropout (AS-Dropout) method for neural network training. The algorithm maps the neurons’ activation values in a layer to a relative linear range of a sigmoid function, determines the ratio of active neurons by a probability calculation process, and drops most of neurons according to the probabilities. The probability calculation depends on the activation values of the neurons. The selection of active neurons is according to the probabilities. Therefore, AS-Dropout learns both the certainty and uncertainty in deep neural networks. Additionally, since only a small number of neurons are active, AS-Dropout increases the sparsity of the network. We applied AS-Dropout in different neural network structures. When evaluated on MNIST, COIL-100, and Caltech-101 datasets, the experimental results demonstrated that, overall, AS-Dropout substantially outperformed the traditional dropout and some improved dropout methods.

Vivek B.S.,R. Venkatesh Babu

DOI: https://doi.org/10.48550/arXiv.2004.08628

2020-04-18

Abstract:Deep learning models have shown impressive performance across a spectrum of computer vision applications including medical diagnosis and autonomous driving. One of the major concerns that these models face is their susceptibility to adversarial attacks. Realizing the importance of this issue, more researchers are working towards developing robust models that are less affected by adversarial attacks. Adversarial training method shows promising results in this direction. In adversarial training regime, models are trained with mini-batches augmented with adversarial samples. Fast and simple methods (e.g., single-step gradient ascent) are used for generating adversarial samples, in order to reduce computational complexity. It is shown that models trained using single-step adversarial training method (adversarial samples are generated using non-iterative method) are pseudo robust. Further, this pseudo robustness of models is attributed to the gradient masking effect. However, existing works fail to explain when and why gradient masking effect occurs during single-step adversarial training. In this work, (i) we show that models trained using single-step adversarial training method learn to prevent the generation of single-step adversaries, and this is due to over-fitting of the model during the initial stages of training, and (ii) to mitigate this effect, we propose a single-step adversarial training method with dropout scheduling. Unlike models trained using existing single-step adversarial training methods, models trained using the proposed single-step adversarial training method are robust against both single-step and multi-step adversarial attacks, and the performance is on par with models trained using computationally expensive multi-step adversarial training methods, in white-box and black-box settings.

Machine Learning,Computer Vision and Pattern Recognition

Yandong Li,Lijun Li,Liqiang Wang,Tong Zhang,Boqing Gong

DOI: https://doi.org/10.48550/arXiv.1905.00441

IF: 5.414

2019-05-01

Machine Learning

Abstract:Powerful adversarial attack methods are vital for understanding how to construct robust deep neural networks (DNNs) and for thoroughly testing defense techniques. In this paper, we propose a black-box adversarial attack algorithm that can defeat both vanilla DNNs and those generated by various defense techniques developed recently. Instead of searching for an "optimal" adversarial example for a benign input to a targeted DNN, our algorithm finds a probability density distribution over a small region centered around the input, such that a sample drawn from this distribution is likely an adversarial example, without the need of accessing the DNN's internal layers or weights. Our approach is universal as it can successfully attack different neural networks by a single algorithm. It is also strong; according to the testing against 2 vanilla DNNs and 13 defended ones, it outperforms state-of-the-art black-box or white-box attack methods for most test cases. Additionally, our results reveal that adversarial training remains one of the best defense techniques, and the adversarial examples are not as transferable across defended DNNs as them across vanilla DNNs.

Xu Shen,Xinmei Tian,Tongliang Liu,Fang Xu,Dacheng Tao

DOI: https://doi.org/10.1109/tnnls.2017.2750679

2018-01-01

IEEE Transactions on Neural Networks

Abstract:Dropout has been proven to be an effective algorithm for training robust deep networks because of its ability to prevent overfitting by avoiding the co-adaptation of feature detectors. Current explanations of dropout include bagging, naive Bayes, regularization, and sex in evolution. According to the activation patterns of neurons in the human brain, when faced with different situations, the firing rates of neurons are random and continuous, not binary as current dropout does. Inspired by this phenomenon, we extend the traditional binary dropout to continuous dropout. On the one hand, continuous dropout is considerably closer to the activation characteristics of neurons in the human brain than traditional binary dropout. On the other hand, we demonstrate that continuous dropout has the property of avoiding the co-adaptation of feature detectors, which suggests that we can extract more independent feature detectors for model averaging in the test stage. We introduce the proposed continuous dropout to a feedforward neural network and comprehensively compare it with binary dropout, adaptive dropout, and DropConnect on Modified National Institute of Standards and Technology, Canadian Institute for Advanced Research-10, Street View House Numbers, NORB, and ImageNet large scale visual recognition competition-12. Thorough experiments demonstrate that our method performs better in preventing the co-adaptation of feature detectors and improves test performance.

Hossein Hosseini,Sreeram Kannan,Radha Poovendran

DOI: https://doi.org/10.48550/arXiv.1905.00180

2019-05-01

Abstract:Deep neural networks are vulnerable against adversarial examples. In this paper, we propose to train and test the networks with randomly subsampled images with high drop rates. We show that this approach significantly improves robustness against adversarial examples in all cases of bounded L0, L2 and L_inf perturbations, while reducing the standard accuracy by a small value. We argue that subsampling pixels can be thought to provide a set of robust features for the input image and, thus, improves robustness without performing adversarial training.

Machine Learning

Chen Ouyang,Wei Yang,Rong Hu

DOI: https://doi.org/10.1109/ictai56018.2022.00097

2022-01-01

Abstract:Deep neural networks (DNNs) have lately shown tremendous performance in various applications. However, along-side their superiority in these tasks, recent studies have demonstrated that DNNs are easily fooled by adversarial attacks. To guard against adversarial examples, we provide a new solution to hardening DNNs through Block-term Dropout (BT-Dropout), an adversarial defense technique that leverages a latent high-order factorization of the network. Specifically, we impose low-rank block-term tensor structure on the weights of fully-connected layer to obtain compact networks, and then apply BT-Dropout in the latent subspace without pruning the weights directly. Meanwhile, for activation tensor fed into fully-connected layer, Tucker Dropout which can be viewed as a special case of BT-Dropout is introduced to preserve multilinear structure of activations. Furthermore, we show that BT-Dropout implicitly regularizes the tensor decomposition. Comprehensive experiments have demonstrated the effectiveness of our proposed method to improve the adversarial robustness for the models on standard image classification benchmarks.

Da Teng,Xiao m Song,Guanghong Gong,Liang Han

2017-01-01

Abstract:Deep neural networks have achieved state-of-the-art performance in many artificial intelligence areas, such as object recognition, speech recognition and machine translation. While the deep neural networks have high expression capabilities, they are prone to over fitting due to the high dimensionalities of the networks. Recently, deep neural networks are found to be unstable to adversarial perturbations, which are small but can maximize the network’s prediction error. This paper proposes a novel training algorithm to improve the robustness of the neural networks to adversarial examples.

Jing Lin,Laurent L. Njilla,Kaiqi Xiong

DOI: https://doi.org/10.1109/icc40277.2020.9149002

2020-01-01

Abstract:Though the performance of deep learning is remarkable, recent works have shown that deep learning models are vulnerable to adversarial samples that are close to their original samples to human eyes but misclassified by Deep Neural Network (DNN). This is a serious problem as many deep learning models are used in physical infrastructures and critical application domains such as medical diagnosis, self-driving cars, malware detection, as well as digital assistants like Google Assistant, Alexa, and Siri. Many researchers have attempted to secure neural networks through techniques such as defensive distillation and adversarial retraining. Nevertheless, many of these techniques are ineffective to new or slightly strong adversarial attacks such as the Carlini and Wagner (C&W)’s attack. In this paper, we propose a robust adversarial retraining method to iteratively retrain a given model so that it can not only detect the adversarial examples but also maintain the prediction accuracy for the normal dataset. Our experimental results show that the prediction accuracy on the MNIST test set is maintained while the accuracies under FGSM, C&W, and DeepFool attacks increase from 29% to 91%, 7% to 70%, and 29% to 91%, respectively.