Ying Zhu,Grace Li Zhang,Bing Li,Xunzhao Yin,Cheng Zhuo,Huaxi Gu,Tsung-Yi Ho,Ulf Schlichtmann

DOI: https://doi.org/10.1145/3400302.3415682

2020-01-01

Abstract:Optical neural networks (ONNs) have emerged as a promising high-performance computing platform to accelerate deep neural networks. In ONNs, phases of light are modulated through Mach-Zehnder Interferometers (MZIs), and MZIs are connected in a grid-like layout to implement multiply-accumulate operations. However, ONNs are very sensitive to process variations and thermal effects. This sensitivity leads to a significant degradation of inference accuracy of ONNs and thus renders them unusable in practice. In this paper, we propose a framework to calibrate process variations and counter thermal effects by power compensation. Experimental results demonstrate that the proposed framework can recover the inference accuracy under variations and thermal effects, e.g., from as low as 11.05% back to 74.11% for LeNet-5 on Cifar10, so that ONNs can achieve an inference accuracy similar to the accuracy after software training while providing their high bandwidth in neuromorphic computing.

Qianqian Song,Xiangwei Kong,Ziming Wang

DOI: https://doi.org/10.1007/978-3-030-93049-3_4

2021-01-01

Abstract:The accurate interpretation of neural network about how the network works is important. However, a manipulated explanation may have the potential to mislead human users not to trust a reliable network. Therefore, it is necessary to verify interpretation algorithms by designing effective attacks to simulate various possible threats in the real world. In this work, we mainly explore how to mislead interpretation. More specifically, we optimize the noise added to the input, which aims to highlight a certain area that we specify without changing the output category of network. With our proposed algorithm, we demonstrate that the state-of-the-art saliency maps based interpreters, e.g., Grad-CAM, Guided-Feature-Inversion, Grad-CAM++, Score-CAM and Full-Grad can be easily fooled. We propose two situations of fooling, Single-target attack and Multi-target attack, and show that the fooling can be transfered to different interpretation methods as well as generalized to the unseen samples with the universal noise. We also take image patches to fool Grad-CAM. Our results are proved in both qualitative and quantitative ways and we further propose a quantitative metric to measure the effectiveness of algorithm. We believe that our method can serve as an additional evaluation of robustness for future interpretation algorithms.

Kaibo Wang,Yanjiao Chen,Wenyuan Xu

DOI: https://doi.org/10.1007/978-3-031-28990-3_9

2023-01-01

Abstract:As deep learning-based computer vision is widely used in IoT devices, it is especially critical to ensure its security. Among the attacks against deep neural networks, adversarial attacks are a stealthy means of attack, which can mislead model decisions during the testing phase. Therefore, the exploration of adversarial attacks can help to understand the vulnerability of models in advance and make targeted defense. Existing unrestricted adversarial attacks beyond the $$\ell _p$$ norm often require additional models to be both adversarial and imperceptible, which leads to a high computational cost and task-specific design. Inspired by the observation that models exhibit unexpected vulnerability to changes in illumination, we develop Adversarial Illumination Attack (AIA), an unrestricted adversarial attack that imposes large but imperceptible alterations to the image. The core of the attack lies in simulating adversarial illumination through Planckian jitter, of which the effectiveness comes from a causal chain where the attacker misleads the model by manipulating the confusion factor. We propose an efficient approach to generate adversarial samples without additional models by image gradient regularization. We validate the effectiveness of adversarial illumination in the face of black-box models, data preprocessing, and adversarially trained models through extensive experiments. Experiment results confirm that AIA can be both a lightweight unrestricted attack and a plug-in to boost the effectiveness of other attacks.

Abhiram Gnanasambandam,Alex M. Sherman,Stanley H. Chan

DOI: https://doi.org/10.48550/arXiv.2108.06247

2021-08-16

Abstract:We introduce OPtical ADversarial attack (OPAD). OPAD is an adversarial attack in the physical space aiming to fool image classifiers without physically touching the objects (e.g., moving or painting the objects). The principle of OPAD is to use structured illumination to alter the appearance of the target objects. The system consists of a low-cost projector, a camera, and a computer. The challenge of the problem is the non-linearity of the radiometric response of the projector and the spatially varying spectral response of the scene. Attacks generated in a conventional approach do not work in this setting unless they are calibrated to compensate for such a projector-camera model. The proposed solution incorporates the projector-camera model into the adversarial attack optimization, where a new attack formulation is derived. Experimental results prove the validity of the solution. It is demonstrated that OPAD can optically attack a real 3D object in the presence of background lighting for white-box, black-box, targeted, and untargeted attacks. Theoretical analysis is presented to quantify the fundamental performance limit of the system.

Artificial Intelligence

Junbin Fang,You Jiang,Canjian Jiang,Zoe L. Jiang,Chuanyi Liu,Siu-Ming Yiu

DOI: https://doi.org/10.1016/j.eswa.2024.123761

IF: 8.5

2024-04-08

Expert Systems with Applications

Abstract:Adversarial attacks can mislead deep learning models to make false predictions by implanting small perturbations to the original input that are imperceptible to the human eye, which poses a huge security threat to computer vision systems based on deep learning. Physical adversarial attacks, which is more realistic, as the perturbation is introduced to the input before it is captured and converted to a image inside the vision system, when compared to digital adversarial attacks. In this paper, we focus on physical adversarial attacks and further classify them into invasive and non-invasive. Optical-based physical adversarial attack techniques (e.g. using light irradiation) belong to the non-invasive category. The perturbations can be easily ignored by humans as the perturbations are very similar to the effects generated by a natural environment in the real world. With high invisibility and executability, optical-based physical adversarial attacks can pose a significant or even lethal threat to real systems. This paper focuses on optical-based physical adversarial attack techniques for computer vision systems, with emphasis on the introduction and discussion of optical-based physical adversarial attack techniques.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Hanyu Wu,Ke Yan,Peng Xu,Bei Hui,Ling Tian

DOI: https://doi.org/10.1109/isdfs60797.2024.10527292

2024-01-01

Abstract:Deep neural networks for image classification have been widely used to enhance user experience, but adversarial attacks continue to pose a threat to the security of deep neural networks related systems. To advance the development of more robust and secure models, research in this field is important. Laser attacks have overcome some issues of previous attacks. To enhance the laser-based attack strategy, we propose a novel physical adversarial attack method that optimizes cross-laser parameters using a Bayesian Optimization algorithm improved by contour detection technology. Our method solves the problems of traditional laser-based methods including positioning, insufficient perturbation intensity, low optimization efficiency, lack of multi-angle robustness, and optical path continuity issues. Digital and physical experiments were implemented, and our method achieved an attack success rate of up to 86.24%. Our adversarial attacks pose new challenges and requirements for artificial intelligence security.

Kyulim Kim,JeongSoo Kim,Seungri Song,Jun-Ho Choi,Chulmin Joo,Jong-Seok Lee

DOI: https://doi.org/10.1364/OE.450058

2022-02-28

Abstract:Adversarial attacks inject imperceptible noise to images to deteriorate the performance of deep image classification models. However, most of the existing studies consider attacks in the digital (pixel) domain where an image acquired by an image sensor with sampling and quantization is recorded. This paper, for the first time, introduces a scheme for optical adversarial attack, which physically alters the light field information arriving at the image sensor so that the classification model yields misclassification. We modulate the phase of the light in the Fourier domain using a spatial light modulator placed in the photographic system. The operative parameters of the modulator for adversarial attack are obtained by gradient-based optimization to maximize cross-entropy and minimize distortion. Experiments based on both simulation and a real optical system demonstrate the feasibility of the proposed optical attack. We show that our attack can conceal perturbations in the image more effectively than the existing pixel-domain attack. It is also verified that the proposed attack is completely different from common optical aberrations such as spherical aberration, defocus, and astigmatism in terms of both perturbation patterns and classification results.

Kyulim Kim,JeongSoo Kim,Seungri Song,Jun-Ho Choi,Chulmin Joo,Jong-Seok Lee

DOI: https://doi.org/10.48550/arXiv.2106.09908

2021-07-14

Abstract:A significant amount of work has been done on adversarial attacks that inject imperceptible noise to images to deteriorate the image classification performance of deep models. However, most of the existing studies consider attacks in the digital (pixel) domain where an image acquired by an image sensor with sampling and quantization has been recorded. This paper, for the first time, introduces an optical adversarial attack, which physically alters the light field information arriving at the image sensor so that the classification model yields misclassification. More specifically, we modulate the phase of the light in the Fourier domain using a spatial light modulator placed in the photographic system. The operative parameters of the modulator are obtained by gradient-based optimization to maximize cross-entropy and minimize distortions. We present experiments based on both simulation and a real hardware optical system, from which the feasibility of the proposed optical attack is demonstrated. It is also verified that the proposed attack is completely different from common optical-domain distortions such as spherical aberration, defocus, and astigmatism in terms of both perturbation patterns and classification results.

Computer Vision and Pattern Recognition,Image and Video Processing

Jianmin Xiong,Zejun Zhang,Jing Xu

DOI: https://doi.org/10.1117/12.2586296

2021-01-01

Abstract:With the development of artificial intelligence technology, such as artificial neural networks, the increasing demand for computing drives the upgrading of computing accelerators. It’s known that the semiconductor process is approaching physical limits and the Von Neumann architecture of storage-computing separation affects the computing efficiency, which both lead to the gradual failure of electronic devices to meet application requirements. Optical neural networks (ONNs) can take full advantage of high speed, high bandwidth, high parallelism, and low power consumption of optical transmission to overcome the deficiencies of electronic devices. In this paper, we summarize and analyze previous researches on optical neural networks according to different physical implementations. And we conclude that most studies apply the characteristics of special materials to realize the dense matrix multiplication and nonlinear activation function of ONNs. Less research focuses on the nonlinear characteristics inherent in the optical signal transmission to realize important components of traditional neural networks. ONNs show great potentials in analog computing and information processing, such as marine in-situ imaging and optical receiver of underwater optical communication. And ONN is possible to be a new generation of neural network accelerator. But the large-scale application of ONNs requires more studies in optical implementation of nonlinear activation function and loss function, and accuracy improvement of optical computing.

Salma Afifi,Ishan Thakkar,Sudeep Pasricha

2024-11-23

Abstract:The rapid proliferation of deep learning has revolutionized computing hardware, driving innovations to improve computationally expensive multiply-and-accumulate operations in deep neural networks. Among these innovations are integrated silicon-photonic systems that have emerged as energy-efficient platforms capable of achieving light speed computation and communication, positioning optical neural network (ONN) platforms as a transformative technology for accelerating deep learning models such as convolutional neural networks (CNNs). However, the increasing complexity of optical hardware introduces new vulnerabilities, notably the risk of hardware trojan (HT) attacks. Despite the growing interest in ONN platforms, little attention has been given to how HT-induced threats can compromise performance and security. This paper presents an in-depth analysis of the impact of such attacks on the performance of CNN models accelerated by ONN accelerators. Specifically, we show how HTs can compromise microring resonators (MRs) in a state-of-the-art non-coherent ONN accelerator and reduce classification accuracy across CNN models by up to 7.49% to 80.46% by just targeting 10% of MRs. We then propose techniques to enhance ONN accelerator robustness against these attacks and show how the best techniques can effectively recover the accuracy drops.

Cryptography and Security,Hardware Architecture,Machine Learning

Haoqin Deng,Mercedeh Khajavikhan

DOI: https://doi.org/10.48550/arXiv.2203.09546

2022-03-16

Abstract:Optical neural networks (ONNs), implemented on an array of cascaded Mach-Zehnder interferometers (MZIs), have recently been proposed as a possible replacement for conventional deep learning hardware. They potentially offer higher energy efficiency and computational speed when compared to their electronic counterparts. By utilizing tunable phase shifters, one can adjust the output of each of MZIs in order to enable emulation of arbitrary matrix-vector multiplication. These phase shifters are central to the programmability of ONNs, but they require large footprint and are relatively slow. Here we propose an ONN architecture that utilizes parity-time (PT) symmetric couplers as its building blocks. Instead of modulating phase, gain/loss contrasts across the array are adjusted as a means to train the network. We demonstrate that PT symmetric optical neural networks (PT-ONN) are adequately expressive by performing the digit-recognition task on the modified national institute of standard and technology (MNIST) dataset. Compared to conventional ONNs, the PT-ONN achieves a comparable accuracy (67% vs. 71%) while circumventing the problems associated with changing phase. Our approach may lead to new and alternative avenues for fast training in chip-scale optical neural networks.

Optics,Emerging Technologies

Chengyin Hu,Yilong Wang,Kalibinuer Tiliwalidi,Wen Li

DOI: https://doi.org/10.48550/arXiv.2206.01034

2023-05-23

Abstract:Most existing deep neural networks (DNNs) are easily disturbed by slight noise. However, there are few researches on physical attacks by deploying lighting equipment. The light-based physical attacks has excellent covertness, which brings great security risks to many vision-based applications (such as self-driving). Therefore, we propose a light-based physical attack, called adversarial laser spot (AdvLS), which optimizes the physical parameters of laser spots through genetic algorithm to perform physical attacks. It realizes robust and covert physical attack by using low-cost laser equipment. As far as we know, AdvLS is the first light-based physical attack that perform physical attacks in the daytime. A large number of experiments in the digital and physical environments show that AdvLS has excellent robustness and covertness. In addition, through in-depth analysis of the experimental data, we find that the adversarial perturbations generated by AdvLS have superior adversarial attack migration. The experimental results show that AdvLS impose serious interference to advanced DNNs, we call for the attention of the proposed AdvLS. The code of AdvLS is available at: <a class="link-external link-https" href="https://github.com/ChengYinHu/AdvLS" rel="external noopener nofollow">this https URL</a>

Computer Vision and Pattern Recognition,Artificial Intelligence

Xiao-Ming Zhang,Man-Hong Yung

DOI: https://doi.org/10.48550/arXiv.1904.02165

2019-05-18

Abstract:Optical neural network (ONN) is emerging as an attractive proposal for machine-learning applications, enabling high-speed computation with low-energy consumption. However, there are several challenges in applying ONN for industrial applications, including the realization of activation functions and maintaining stability. In particular, the stability of ONNs decrease with the circuit depth, limiting the scalability of the ONNs for practical uses. Here we demonstrate how to compress the circuit depth of ONN to scale only logarithmically, leading to an exponential gain in terms of noise robustness. Our low-depth (LD) ONN is based on an architecture, called Optical CompuTing Of dot-Product UnitS (OCTOPUS), which can also be applied individually as a linear perceptron for solving classification problems. Using the standard data set of Letter Recognition, we present numerical evidence showing that LD-ONN can exhibit a significant gain in noise robustness, compared with a previous ONN proposal based on singular-value decomposition [Nature Photonics 11, 441 (2017)].

Optics,Machine Learning

Ying Zuo,Bohan Li,Yujun Zhao,Yue Jiang,You-Chiuan Chen,Peng Chen,Gyu-Boong Jo,Junwei Liu,Shengwang Du

DOI: https://doi.org/10.1364/OPTICA.6.001132

IF: 10.4

2019-11-25

Optica

Abstract:Artificial neural networks (ANNs) have been widely used for industrial applications and have played a more important role in fundamental research. Although most ANN hardware systems are electronic-based, their optical implementation is particularly attractive because of its intrinsic parallelism and low energy consumption. Here, we demonstrate a fully functioning all-optical neural network (AONN), in which linear operations are programmed by spatial light modulators and Fourier lenses, while nonlinear optical activation functions are realized in laser-cooled atoms with electromagnetically induced transparency. Because all errors from different optical neurons are independent, it is possible to scale up the size of such an AONN. Moreover, our hardware system is reconfigurable for different applications without the need to modify the physical structure. We confirm its capability and feasibility in machine-learning application by successfully classifying order and disorder phases of a statistical Ising model. The demonstrated AONN scheme can be used to construct various ANN architectures with intrinsic optical parallel computation. © 2019 Optical Society of America under the terms of the OSA Open Access Publishing Agreement

optics

Chengyin Hu,Weiwen Shi,Ling Tian

DOI: https://doi.org/10.1016/j.imavis.2023.104861

2022-01-01

Abstract:While deep neural networks (DNNs) have made remarkable advancements in various fields recently, the latest research indicates that DNNs are susceptible to disruptions from minor perturbations. However, conventional physical attacks employing stickers as physical perturbations to deceive classifiers encounter challenges in achieving stealthiness and are susceptible to issues such as printing quality loss. Recent advancements in physical attacks have harnessed light beams to execute attacks, producing artificial optical patterns rather than natural ones. In this study, we introduce a black-box projector-based physical attack called Adversarial Color Projection (AdvCP), which manipulates the physical parameters of color projection to execute adversarial attacks. AdvCP revolves around three pivotal criteria: effectiveness, stealthiness, and robustness. In a digital environment, our approach attains an impressive attack success rate of 97.60% on a subset of ImageNet. In the physical realm, we achieve a remarkable 100% attack success rate in indoor testing and 82.14% in outdoor testing. To underscore the stealthiness of our approach, we juxtapose the adversarial samples generated by AdvCP with baseline samples. When applied to challenge advanced and robust DNNs, our experimental results reveal that our method achieves an attack success rate exceeding 85% across most all of the models, establishing the robustness of AdvCP. Finally, we contemplate the potential threats posed by AdvCP to future vision-based systems and applications, and proffer some innovative concepts pertaining to light-based physical attacks. Our code can be accessed from the following link: https://github.com/ChengYinHu/AdvCP.git

Buu Phan,Fahim Mannan,Felix Heide

DOI: https://doi.org/10.48550/arXiv.2102.03728

2021-02-19

Abstract:Adversarial attacks play an essential role in understanding deep neural network predictions and improving their robustness. Existing attack methods aim to deceive convolutional neural network (CNN)-based classifiers by manipulating RGB images that are fed directly to the classifiers. However, these approaches typically neglect the influence of the camera optics and image processing pipeline (ISP) that produce the network inputs. ISPs transform RAW measurements to RGB images and traditionally are assumed to preserve adversarial patterns. However, these low-level pipelines can, in fact, destroy, introduce or amplify adversarial patterns that can deceive a downstream detector. As a result, optimized patterns can become adversarial for the classifier after being transformed by a certain camera ISP and optic but not for others. In this work, we examine and develop such an attack that deceives a specific camera ISP while leaving others intact, using the same down-stream classifier. We frame camera-specific attacks as a multi-task optimization problem, relying on a differentiable approximation for the ISP itself. We validate the proposed method using recent state-of-the-art automotive hardware ISPs, achieving 92% fooling rate when attacking a specific ISP. We demonstrate physical optics attacks with 90% fooling rate for a specific camera lenses.

Computer Vision and Pattern Recognition,Image and Video Processing

Lu Fang,Zhihao Xu,Xiaoyun Yuan,Tiankuang Zhou

DOI: https://doi.org/10.21203/rs.3.rs-1283910/v1

2022-01-01

Abstract:Abstract Endowed with the superior computing speed and energy efficiency, all-optical and optoelectronics neural networks (ONNs) have attracted ever-growing attention in recent years. Previous studies lacking viable way for multichannel optical processing, mainly implement single-channel optical computing to solve simple tasks including hand-written digit classification, saliency detection, etc. Aiming for more powerful ONNs to solve complex tasks, we innovatively develop Monet: a multichannel optical neural network for advanced machine vision. The inter- and intra- channel connections are mapped to optical interference and diffraction. By further designing a novel projection-interference-prediction framework on the basis of these connections, optical interference patterns are generated by projecting and interfering the multichannel inputs in a shared domain. These patterns encoding the correspondences together with feature embeddings are iteratively produced through the projection-interference process to predict the final output. Unlike existing ONNs trying to inherit ANN architectures, the framework of Monet is initially designed following the innate characters of light propagation and interaction, to fully explore the potential of wave optics for optical computing. For the first time, we validate that Monet is capable for advanced machine vision tasks such as 3D depth estimation and moving objection detection. Moreover, a prototype system of Monet is developed to accomplish 3D perception for real-world scenarios. We anticipate that the proposed technique will accelerate the development of more powerful optical AI as critical support for modern advanced machine vision.

Chen Hongwei,Yu Zhenming,Zhang Tian,Zang Yubin,Dan Yihang,Xu Kun

DOI: https://doi.org/10.3788/cjl202047.0500004

2020-01-01

Chinese Journal of Lasers

Abstract:Neural networks, as one of the most representative techniques in artificial intelligence, have been in rapid development towards high computational speed and low power cost. Due to intrinsic limitations brought by electronic devices, it can be hard for electronic implemented neural networks to further improve these two performances. Optical neural networks can combine both optoelectronic technique and neural network model to provide ways to break the bottleneck. In order to have a brighter view on the history, frontiers and future of optical neural networks, optical neural networks of feed -forward, recurrent and spiking models arc illustrated in this paper. Challenges and future trends of optical neural networks on in situ training, nonlinear computing, expanding scale and applications will thus be revealed.

Caihong Teng,Weijie He,Wen Du,Jiang Wu,Zhiming Wang

DOI: https://doi.org/10.1364/josab.482672

2023-01-01

Abstract:In recent years, optical neural network (ONN) research has blossomed due to the outstanding advantage of energy consumption and computing property. Regrettably, nonlinear processing in the optical domain remains a huge challenge. The optical characteristics of 2D material, particularly related to saturable absorption (SA), have enabled nonlinear operation. Here, we discuss the SA models with various categories and their application in ONNs. A feedforward artificial neural network was built for handwritten digit recognition to illustrate the feasibility of SA features as nonlinear mapping. For comparison, ONNs without the assistance of the activation function were used as a benchmark to examine the capability of the nonlinear models. A simulation shows that the accuracy of digit classification ranged from 86% to 95%, depending on the nonlinearity of the mediums. This work offers an optical nonlinear unit selection guideline to explore ONNS.