Yaguan Qian,Jiamin Wang,Xiang Ling,Zhaoquan Gu,Bin Wang,Chunming Wu

2021-01-01

Abstract:Recently, to deal with the vulnerability to generate examples of CNNs, there are many advanced algorithms that have been proposed. These algorithms focus on modifying global pixels directly with small perturbations, and some work involves modifying local pixels. However, the global attacks have the problem of perturbations’ redundancy and the local attacks are not effective. To overcome this challenge, we achieve a trade-off between the perturbation power and the number of perturbed pixels in this paper. The key idea is to find the feature contributive regions (FCRs) of the images. Furthermore, in order to create an adversarial example similar to the corresponding clean image as much as possible, we redefine a loss function as the objective function of the optimization in this paper and then using gradient descent optimization algorithm to find the efficient perturbations. Various experiments have been carried out on CIFAR-10 and ILSVRC2012 datasets, which show the excellence of this method, and in addition, the FCRs attack shows strong attack ability in both white-box and black-box settings.

Bin Liang,Hongcheng Li,Miaoqiang Su,Xirong Li,Wenchang Shi,Xiaofeng Wang

DOI: https://doi.org/10.1109/tdsc.2018.2874243

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Recently, many studies have demonstrated deep neural network (DNN) classifiers can be fooled by the adversarial example, which is crafted via introducing some perturbations into an original sample. Accordingly, some powerful defense techniques were proposed. However, existing defense techniques often require modifying the target model or depend on the prior knowledge of attacks. In this paper, we propose a straightforward method for detecting adversarial image examples, which can be directly deployed into unmodified off-the-shelf DNN models. We consider the perturbation to images as a kind of noise and introduce two classic image processing techniques, scalar quantization and smoothing spatial filter, to reduce its effect. The image entropy is employed as a metric to implement an adaptive noise reduction for different kinds of images. Consequently, the adversarial example can be effectively detected by comparing the classification results of a given sample and its denoised version, without referring to any prior knowledge of attacks. More than 20,000 adversarial examples against some state-of-the-art DNN models are used to evaluate the proposed method, which are crafted with different attack techniques. The experiments show that our detection method can achieve a high overall F1 score of 96.39 percent and certainly raises the bar for defense-aware attacks.

Chengxuan Li,Zhou Yang,Yang Xiao,Haozhao Liu,Yuning Zhang,Qingqi Pei

DOI: https://doi.org/10.1109/NaNA60121.2023.00092

2023-01-01

Abstract:Deep learning-based image recognition technology has significantly advanced the development of modern industrial intelligence. However, the issue of image adversarial examples that follows has gradually garnered the attention of researchers. By injecting adversarial disturbances that are difficult for humans to detect into the image, the deep learning model generates incorrect results, severely impacting the security of deep learning applications. To address this problem and improve the accuracy and robustness of deep learning image recognition models, a combined adversarial examples detection method based on residual learning and difference assessment has been proposed. To start, an image denoising module, based on residual learning and named ANDNet, is designed. This method incorporates a depth separable convolution structure and conducts step processing on the channel number of the hidden layer in ANDNet, which significantly reduces the model's memory consumption and improves its computational efficiency. In addition, the difference assessment involves computing the l <inf xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">1</inf> norm distance between the original image and the denoised image softmax output of the classification model, to measure the disparity between the input image before and after denoising. The obtained detection threshold from the training dataset is integrated with this difference evaluation to accomplish the task of testing the input image for adversarial detection. Both theoretical analysis and experimental results confirm the effectiveness of the ANDNet noise reduction network, as well as the efficacy of the adversarial examples detection scheme in identifying adversarial examples. The model exhibits exceptional performance in terms of detection accuracy and F1 value.

Weiqi Fan,Guangling Sun,Yuying Su,Zhi Liu,Xiaofeng Lu

DOI: https://doi.org/10.1007/s11042-019-7353-6

IF: 2.577

2019-01-01

Multimedia Tools and Applications

Abstract:Deep Neural Networks (DNN) has achieved a great success in many tasks in recent years. However, researchers found that DNN is vulnerable to adversarial examples that are maliciously perturbed inputs. The elaborately designed adversarial perturbations can easily confuse the model whereas have no impacts on human perception. To counter adversarial examples, we propose an integrated detection framework for detecting adversarial examples, which involves statistical detector and Gaussian noise injection detector. The statistical detector extracts Subtractive Pixel Adjacency Matrix (SPAM) and uses the second order Markov transition probability matrix to model SPAM so as to highlight the statistical anomaly hidden in an adversarial input. Then an ensemble classifier using SPAM based feature is applied to detect the adversarial input containing large perturbation. The Gaussian noise injection detector first injects an additive Gaussian noise into the input, and then feeds both the original input and its Gaussian noise injected counterpart into a targeted network. By comparing the two outputs difference, the detector is applied to detect adversarial input containing small perturbation: if the difference exceeds a threshold, the input is adversarial; otherwise legitimate. The two detectors are adaptive to different characteristics of adversarial perturbation so that the proposed detection framework is capable of detecting multiple types of adversarial examples. In our work, we test six categories of adversarial examples produced by Fast Gradient Sign Method (FGSM, untargeted), Randomized Fast Gradient Sign Method (R-FGSM, untargeted), Basic Iterative Method (BIM, untargeted), DeepFool (untargeted), Carlini&Wagner Method (CW_UT, untargeted) and CW_T(targeted). Comprehensive empirical results show that the proposed detection framework has achieved a promising performance on ImageNet database.

Zhun Zhang,Qihe Liu,Shijie Zhou

DOI: https://doi.org/10.1007/978-3-030-86137-7_19

2021-01-01

Abstract:The emergence of adversarial examples has seriously threatened the security of deep learning models, and how to effectively detect them has become an issue. Most of the existing detection methods have low detection accuracy in the face of strong attacks such as C&W. Inspired by the visualization techniques of the model, this paper proposes a Guided-Grade-Cam based method to detect adversarial examples, which mainly consists of two parts. The first part is to extract the Guided Grad-CAM of the samples based on the model of resnet50. In the second part, we construct a classifier to detect the adversarial examples by the differences of the Guided Grad-CAM. This method is the first to introduce the model interpretation method into the detection of adversarial examples. Through experimental observation, it is found that there is a difference between the normal samples and the adversarial examples in Guided Grad-CAM, that is, the outlines information is masked after the adversarial perturbations are added to the normal samples. Experimental results on ImageNet based on the ResNet50 show that our method achieves an average success rate of 99.2% in the face of C&W attacks, which is superior to other methods.

Qiao Li,Jing Chen,Kun He,Zijun Zhang,Ruiying Du,Jisi She,Xinxin Wang

DOI: https://doi.org/10.1016/j.cose.2024.103791

IF: 5.105

2024-02-01

Computers & Security

Abstract:Image classification based on Deep Neural Networks (DNNs) is vulnerable to adversarial examples, which make the classifier output incorrect predictions. One approach to defending against this attack is to detect whether the input is an adversarial example. Unfortunately, existing adversarial example detection methods heavily rely on the underlying classifier and may fail when the classifier is upgraded. In this paper, we propose a model-agnostic detection method that leverages high-frequency signals from adversarial noises in adversarial examples and does not need interactions with the underlying classifier. We amplify redundant high-frequency signals brought by adversarial noises and represent object boundaries with these signals in an image. Our key insight is that the boundaries extracted by redundant high-frequency signals have a strong correlation with the boundaries of images in adversarial examples, while this correlation does not exist in clean images. Furthermore, adversarial examples of large images have more high-frequency signals and make adversarial detection easier on large image datasets. Experimental results show that our method has good transferability and can accurately detect various adversarial examples on different datasets.

computer science, information systems

Yuchen Wang,Xiaoguang Li,Li Yang,Jianfeng Ma,Hui Li

DOI: https://doi.org/10.1109/tdsc.2023.3269012

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Notwithstanding the tremendous success of deep neural networks in a range of realms, previous studies have shown that these learning models are exposed to an inherent hazard called adversarial example — images to which an elaborate perturbation is maliciously added could deceive a network, which entails the study of countermeasures urgently. However, existing solutions suffer from some weaknesses, e.g. parameters are usually determined empirically in some processing-based detection methods might result in a sub-optimal effect, and the directly performed processing on images might affect the classification of benign samples, leading to increment of false positive. In this paper, we propose a novel imAge-DepenDent noIse reducTION (ADDITION) model based on deep learning for adversarial detection. The ADDITION model can adaptively convert the adversarial perturbation in each image to approximate Gaussian noise by injecting image-dependent additional noise, then perform noise reduction to eliminate the adversarial perturbation, and finally detect adversarial examples by examining the classification inconsistency between the input image and its denoised version. The ADDITION model is trained end-to-end on benign samples without any prior knowledge of adversarial attacks, and thus avoid time-consuming task of generating adversarial examples in practical use. We generate more than 220,000 adversarial examples based on six attack algorithms for evaluation and present state-of-the-art comparisons on three real-word datasets. Extensive experiments demonstrate that our proposed method achieves improved performance in both detection accuracy rate and false positive rate.

Mihui Kim,Junhyeok Yun

DOI: https://doi.org/10.1155/2022/3440123

IF: 1.968

2022-12-19

Security and Communication Networks

Abstract:With the rapid development of image processing technology, image recognition systems based on massive image data are being developed and deployed. The wrong decision regarding an image recognition system for security-sensitive systems can cause serious problems such as personal accidents and property damage. Furthermore, adversarial attacks, which are security attacks that cause malfunctions in image recognition systems by inserting adversarial noise, have emerged and evolved. Several studies have been conducted to prevent adversarial attacks. However, existing mechanisms have low classification accuracy and low detection accuracy for adversarial examples with small adversarial noise. This paper proposes an adversarial example detection mechanism based on image feature extraction and a deep neural network (DNN) model. The proposed system achieves versatility and independence by detecting adversarial examples based on image features, such as edge noise and discrete cosine transform (DCT) bias, which adversarial examples have in common. The proposed system shows relatively higher detection accuracy than existing mechanisms for various types and amounts of adversarial noise and different sharpness of adversarial examples because the proposed system detects them depending on the characteristics of each type of adversarial example.

computer science, information systems,telecommunications

Sizhao Huang,Shuai Wang,Jian Chen,Guozhi Li,Wenyi Wang

DOI: https://doi.org/10.1109/icassp43922.2022.9747171

2022-01-01

Abstract:Deep neural network (DNN) shows impressive performance on many tasks but they usually suffer from adversarial examples with human eyes invisible slight perturbation. Such examples can not be distinguished by human but can mislead DNN classifiers leading to its important role in DNN attack and defense. Many adversarial examples detection methods perform well in identifying global perturbation adversarial examples but less efficiently for local perturbation ones. We observe both global perturbation and local perturbation adversarial examples have similar BOF histogram distribution after JPEG compression and Error Level Analysis (ELA) while these distributions are clearly different to clean example’s distribution. Meanwhile, researchers have found that the stability of adversarial example after space mapping is worse than that of the clean example. Therefore, we propose a two-branch architecture to detect adversarial examples based on the aforementioned strategies. Experiments show that our method has achieved better or similar performance compared to several state-of-the-art methods in terms of the detection accuracy and generation property for adversarial examples with global and local perturbation.

Sainan Sun,Bin Song,Xiaohui Cai,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1016/j.neucom.2022.05.065

IF: 6

2022-01-01

Neurocomputing

Abstract:The emergence of adversarial examples has aroused widespread attention to the safety of deep learning. Most recent research focuses on how to obtain adversarial examples which make networks’ predictions wrong, and rarely observe the changes in feature embedding space from the perspective of interpretability. In addition, researchers have proposed various attack algorithms for a single task, but there are few general methods that can perform multiple tasks at the same time, such as image classification, object detection, and face recognition. To resolve these issues, we propose a new attack algorithm CAMA for deep neural networks (DNNs). CAMA perturbs each feature extraction layer through adaptive feature measurement function, thereby disrupting the predicted class activation mapping of DNNs. Experiments show that CAMA is good at creating white-box adversarial examples on classification networks and has the highest attack success rate. To solve the problem of the disappearance of aggression caused by image transformation, we propose spread-spectrum compression CAMA, which achieve a better attack success rate under various defensive measures. In addition, we successfully attack face recognition networks and object detection networks using CAMA, and achieve excellent performance. It verifies that our algorithm is a general attack algorithm for attacking different tasks.

Zhaoxia Yin,Shaowei Zhu,Hang Su,Jianteng Peng,Wanli Lyu,Bin Luo

DOI: https://doi.org/10.48550/arxiv.2305.04436

2023-01-01

Abstract: Deep Neural Networks (DNNs) have recently made significant progress in many fields. However, studies have shown that DNNs are vulnerable to adversarial examples, where imperceptible perturbations can greatly mislead DNNs even if the full underlying model parameters are not accessible. Various defense methods have been proposed, such as feature compression and gradient masking. However, numerous studies have proven that previous methods create detection or defense against certain attacks, which renders the method ineffective in the face of the latest unknown attack methods. The invisibility of adversarial perturbations is one of the evaluation indicators for adversarial example attacks, which also means that the difference in the local correlation of high-frequency information in adversarial examples and normal examples can be used as an effective feature to distinguish the two. Therefore, we propose an adversarial example detection framework based on a high-frequency information enhancement strategy, which can effectively extract and amplify the feature differences between adversarial examples and normal examples. Experimental results show that the feature augmentation module can be combined with existing detection models in a modular way under this framework. Improve the detector's performance and reduce the deployment cost without modifying the existing detection model.

Wenzhao Liu,Wanli Zhang,Kuiwu Yang,Yue Chen,Kaiwei Guo,Jianghong Wei,Liu, Wenzhao,Zhang, Wanli,Yang, Kuiwu,Chen, Yue,Guo, Kaiwei,Wei, Jianghong

DOI: https://doi.org/10.1007/s11063-024-11572-6

IF: 2.565

2024-03-06

Neural Processing Letters

Abstract:Deep neural networks, particularly convolutional neural networks, are vulnerable to adversarial examples, undermining their reliability in visual recognition tasks. Adversarial example detection is a crucial defense mechanism against such attacks but often relies on empirical observations and specialized metrics, posing challenges in terms of data efficiency, generalization to unknown attacks, and scalability to high-resolution datasets like ImageNet. To address these issues, we propose a prototypical network-based method using a deep residual network as the backbone architecture. This approach is capable of extracting discriminative features of adversarial and normal examples from various known adversarial examples by constructing few-shot adversarial detection tasks. Then the optimal mapping matrix is computed using the Sinkhorn algorithm from optimal transport theory, and the class centers are iteratively updated, enabling the detection of unknown adversarial examples across scenarios. Experimental results show that the proposed approach outperforms existing methods in the cross-adversary benchmark and achieves enhanced generalization on a subset of ImageNet in detecting both new adversarial attacks and adaptive white-box attacks. The proposed approach offers a promising solution for improving the safety of deep neural networks in practical applications.

computer science, artificial intelligence

Jiabao Liu,Qixiang Zhang,Kanghua Mo,Xiaoyu Xiang,Jin Li,Debin Cheng,Rui Gao,Beishui Liu,Kongyang Chen,Guanjie Wei

DOI: https://doi.org/10.1016/j.csi.2021.103612

2022-08-01

Abstract:Most existing deep neural networks are susceptible to the influence of adversarial examples, which may cause them to output incorrect prediction results. An adversarial example is the addition of small noise disturbances to the input data samples, which will deceive the classification. Generally, these modifications are very small noise disturbances, which are not easily noticed by the human eye. However, most existing adversarial attacks achieve only low success rates in typical black-box settings, where the attackers have no prior knowledge about the model structures and/or model parameters. To tackle this problem, we propose an iterative algorithm based on an acceleration gradient to enhance the adversary attack. Our method accumulates the gradient of the loss function in each iteration and uses the next gradient information to influence the future gradient. We also introduce the scaling invariance principle of a deep neural network to optimize the input images for black-box attacks. In addition, to handle the drawbacks of a traditional iterative fast gradient sign method, we further present two gradient optimization methods. Experimental results on the ImageNet dataset show that our attack methods can achieve good transferability. In addition, those models obtained by integrated adversarial training with strong defense capability are also quite vulnerable to our black-box attack.

computer science, software engineering, hardware & architecture

Li Chen,Hailun Ding,Qi Li,Jiawei Zhu,Haozhe Huang,Yifan Chang,Haifeng Li

2018-01-01

Abstract:Convolutional neural networks (CNNs) are easily spoofed by adversarial examples which lead to wrong classification results. Most of the defense methods focus only on how to improve the robustness of CNNs or to detect adversarial examples. They are incapable of detecting and correctly classifying adversarial examples simultaneously. We find that adversarial examples and original images have diverse representations in the feature space, and this difference grows as layers go deeper, which we call Adversarial Feature Separability (AFS). Inspired by AFS, we propose a defense framework based on Adversarial Feature Genome (AFG), which can detect and correctly classify adversarial examples into original classes simultaneously. AFG is an innovative encoding for both image and adversarial example. It consists of group features and a mixed label. With group features which are visual representations of adversarial and original images via group visualization method, one can detect adversarial examples because of ASF of group features. With a mixed label, one can trace back to the original label of an adversarial example. Then, the classification of adversarial example is modeled as a multi-label classification trained on the AFG dataset, which can get the original class of adversarial example. Experiments show that the proposed framework not only effectively detects adversarial examples from different attack algorithms, but also correctly classifies adversarial examples. Our framework potentially gives a new perspective, i.e., a data-driven way, to improve the robustness of a CNN model.

Dejian Guan,Wentao Zhao

DOI: https://doi.org/10.3390/app12199406

2022-01-01

Applied Sciences

Abstract:Deep neural networks (DNNs) have attracted extensive attention because of their excellent performance in many areas; however, DNNs are vulnerable to adversarial examples. In this paper, we propose a similarity metric called inner-class adjusted cosine similarity (IACS) and apply it to detect adversarial examples. Motivated by the fast gradient sign method (FGSM), we propose to utilize an adjusted cosine similarity which takes both the feature angle and scale information into consideration and therefore is able to effectively discriminate subtle differences. Given the predicted label, the proposed IACS is measured between the features of the test sample and those of the normal samples with the same label. Unlike other detection methods, we can extend our method to extract disentangled features with different deep network models but are not limited to the target model (the adversarial attack model). Furthermore, the proposed method is able to detect adversarial examples crossing attacks, that is, a detector learned with one type of attack can effectively detect other types. Extensive experimental results show that the proposed IACS features can well distinguish adversarial examples and normal examples and achieve state-of-the-art performance.

Chunlong Fan,Cailong Li,Jici Zhang,Yiping Teng,Jianzhong Qiao

DOI: https://doi.org/10.1142/s0218126622500074

2021-01-01

Abstract:Neural network technology has achieved good results in many tasks, such as image classification. However, for some input examples of neural networks, after the addition of designed and imperceptible perturbations to the examples, these adversarial examples can change the output results of the original examples. For image classification problems, we derive low-dimensional attack perturbation solutions on multidimensional linear classifiers and extend them to multidimensional nonlinear neural networks. Based on this, a new adversarial example generation algorithm is designed to modify a specified number of pixels. The algorithm adopts a greedy iterative strategy, and gradually iteratively determines the importance and attack range of pixel points. Finally, experiments demonstrate that the algorithm-generated adversarial example is of good quality, and the effects of key parameters in the algorithm are also analyzed.

Feng Guo,Qingjie Zhao,Xuan Li,Xiaohui Kuang,Jianwei Zhang,Yahong Han,Yu-an Tan

DOI: https://doi.org/10.1016/j.ins.2019.05.084

IF: 8.1

2019-01-01

Information Sciences

Abstract:Deep neural networks (DNNs) perform effectively in many computer vision tasks. However, DNNs are found to be vulnerable to adversarial examples which are generated by adding imperceptible perturbations to original images. To address this problem, we propose a novel defense method, transferability prediction difference (TPD), to drastically improve the adversarial robustness of DNNs with small sacrificing verified accuracy. We find out that the adversarial examples have lager prediction difference for various DNN models due to their various complicated decision boundaries, which can be used to identify the adversarial examples by converging decision boundaries to a prediction difference threshold. We adopt the K-means clustering algorithm on benign data to determine transferability prediction difference threshold, by which we can detect adversarial examples accurately and efficiently. Furthermore, TPD method neither modifies the target model nor needs to take knowledge of adversarial attacks. We perform four state-of-the-art adversarial attacks (FGSM, BIM, JSMA and C&W) to evaluate TPD models trained on MNIST and CIFAR-10 and the average detection accuracy is 96.74% and 86.61%. The results show that TPD model has high detection ratio on the demonstrably advanced white-box adversarial examples while keeping low false positive rate on benign examples.

Li Chen,Hailun Ding,Qi Li,Jiawei Zhu,Jian Peng,Haifeng Li

2018-01-01

Abstract:Convolutional neural networks (CNNs) are easily spoofed by adversarial examples which lead to wrong classification results. Most of the defense methods focus only on how to improve the robustness of CNNs or to detect adversarial examples. They are incapable of detecting and correctly classifying adversarial examples simultaneously. We find that adversarial examples and original images have diverse representations in the feature space, and this difference grows as layers go deeper, which we call Adversarial Feature Separability (AFS). Inspired by AFS, we propose a defense framework based on Adversarial Feature Genome (AFG), which can detect and correctly classify adversarial examples into original classes simultaneously. AFG is an innovative encoding for both image and adversarial example. It consists of group features and a mixed label. With group features which are visual representations of adversarial and original images via group visualization method, one can detect adversarial examples because of ASF of group features. With a mixed label, one can trace back to the original label of an adversarial example. Then, the classification of adversarial example is modeled as a multi-label classification trained on the AFG dataset, which can get the original class of adversarial example. Experiments show that the proposed framework not only effectively detects adversarial examples from different attack algorithms, but also correctly classifies adversarial examples. Our framework potentially gives a new perspective, i.e., a data-driven way, to improve the robustness of a CNN model.

Yating Ma,Ruiqi Zha,Zhichao Lian

DOI: https://doi.org/10.1109/smartworld-uic-atc-scalcom-digitaltwin-pricomp-metaverse56740.2022.00028

2022-01-01

Abstract:Perception algorithms are commonly used in ubiquitous computing. Deep neural networks have achieved significant performance in computer vision field, yet were found that exist vulnerabilities which was misclassified by adversarial examples. This issue has attracted great attention to explore methods to defend against adversarial examples. Detecting adversarial examples is a basic work for improving robustness of models. However, how to exploit an efficient feature to distinguish clean examples and adversarial ones is a challenging problem. In this paper, we investigate the adversarial examples from frequency domain and propose a framework to detect and classify adversarial attacks combing with attention mechanism. We first demonstrate that adversarial perturbations are more perceptible in the frequency domain and exploit this to achieve significant detection results. Then, combined with the advantages of the attention mechanism, an integrate network is proposed to achieve a more refined classification of attack methods. Based on the structure of ResNetl8, our results achieve optimal detection rate and high classification rate of 73% among FGSM, PGD-$\ell_{2}$, PGD$-\ell_{\infty}$, Deepfool and MI-FGSM.

Shen Wang,Yuxin Gong

DOI: https://doi.org/10.1007/s10489-021-02759-8

IF: 5.3

2021-09-06

Applied Intelligence

Abstract:In recent years, machine learning has greatly improved image recognition capability. However, studies have shown that neural network models are vulnerable to adversarial examples that make models output wrong answers with high confidence. To understand the vulnerabilities of models, we use interpretability methods to reveal the internal decision-making behaviors of models. Interpretation results reflect that the evolutionary process of nonnormalized saliency maps between clean and adversarial examples are increasingly differentiated along model hidden layers. By taking advantage of this phenomenon, we propose an adversarial example detection method based on multilayer saliency features, which can comprehensively capture the abnormal characteristics of adversarial example interpretations. Experimental results show that the proposed method can effectively detect adversarial examples based on gradient, optimization and black-box attacks, and it is comparable with the state-of-the-art methods.

computer science, artificial intelligence