Lei Xu,Junhai Zhai

DOI: https://doi.org/10.26599/tst.2023.9010004

2024-04-01

Abstract:Deep neural network (DNN) has strong representation learning ability, but it is vulnerable and easy to be fooled by adversarial examples. In order to handle the vulnerability of DNN, many methods have been proposed. The general idea of existing methods is to reduce the chance of DNN models being fooled by observing some designed adversarial examples, which are generated by adding perturbations to the original images. In this paper, we propose a novel adversarial example generation method, called DCVAE-adv. Different from the existing methods, DCVAE-adv constructs adversarial examples by mixing both explicit and implicit perturbations without using original images. Furthermore, the proposed method can be applied to both white box and black box attacks. In addition, in the inference stage, the adversarial examples can be generated without loading the original images into memory, which greatly reduces the memory overhead. We compared DCVAE-adv with three most advanced adversarial attack algorithms: FGSM, AdvGAN, and AdvGAN++. The experimental results demonstrate that DCVAE-adv is superior to these state-of-the-art methods in terms of attack success rate and transfer ability for targeted attack. Our code is available at https://github.com/xzforeverlove/DCVAE-adv.

computer science, information systems,engineering, electrical & electronic, software engineering

Jie Zhang,Bo Li,Jianghe Xu,Shuang Wu,Shouhong Ding,Lei Zhang,Chao Wu

DOI: https://doi.org/10.1109/CVPR52688.2022.01469

2022-01-01

Abstract:Classic black-box adversarial attacks can take advantage of transferable adversarial examples generated by a similar substitute model to successfully fool the target model. However, these substitute models need to be trained by target models' training data, which is hard to acquire due to privacy or transmission reasons. Recognizing the limited availability of real data for adversarial queries, recent works proposed to train substitute models in a data-free black-box scenario. However, their generative adversarial networks (GANs) based framework suffers from the convergence failure and the model collapse, resulting in low efficiency. In this paper, by rethinking the collaborative relationship between the generator and the substitute model, we design a novel black-box attack framework. The proposed method can efficiently imitate the target model through a small number of queries and achieve high attack success rate. The comprehensive experiments over six datasets demonstrate the effectiveness of our method against the state-of-the-art attacks. Especially, we conduct both label-only and probability-only attacks on the Microsoft Azure online model, and achieve a 100% attack success rate with only 0.46% query budget of the SOTA method [49].

Junkun Yuan,Shaofang Zhou,Lanfen Lin,Feng Wang,Jia Cui

DOI: https://doi.org/10.3233/faia200388

2020-01-01

Abstract:For efficient malware detection, there are more and more deep learning methods based on raw software binaries. Recent studies show that deep learning models can easily be fooled to make a wrong decision by introducing subtle perturbations to inputs, which attracts a large influx of work in adversarial attacks. However, most of the existing attack methods are based on manual features (e.g., API calls) or in the white-box setting, making the attacks impractical in current real-world scenarios. In this work, we propose a novel attack framework called GAPGAN, which generates adversarial payloads (padding bytes) with generative adversarial networks (GANs). To the best of our knowledge, it is the first work that performs endto-end black-box attacks at the byte-level against deep learning based malware binaries detection. In our attack framework, we map input discrete malware binaries to continuous space, then feed it to the generator of GAPGAN to generate adversarial payloads. We append payloads to the original binaries to craft an adversarial sample while preserving its functionality. We propose to use a dynamic threshold for reducing the loss of the effectiveness of the payloads when mapping it from continuous format back to the original discrete format. For balancing the attention of the generator to the payloads and the adversarial samples, we use an automatic weight tuning strategy. We train GAPGAN with both malicious and benign software. Once the training is finished, the generator can generate an adversarial sample with only the input malware in less than twenty milliseconds. We apply GAPGAN to attack the state-of-the-art detector MalConv and achieve 100% attack success rate with only appending payloads of 2.5% of the total length of the data for detection. We also attack deep learning models with different structures under different defense methods. The experiments show that GAPGAN outperforms other state-of-the-art attack models in efficiency and effectiveness.

Wenli Xiao,Hao Jiang,Song Xia

DOI: https://doi.org/10.1109/ictc49638.2020.9123270

2020-01-01

Abstract:Machine learning can be misled by adversarial examples, which is formed by making small changes to the original data. Nowadays, there are kinds of methods to produce adversarial examples. However, they can not apply non-differentiable models, reduce the amount of calculations, and shorten the sample generation time at the same time. In this paper, we propose a new black box attack generating adversarial examples based on reinforcement learning. By using deep Q-learning network, we can train the substitute model and generate adversarial examples at the same time. Experimental results show that this method only needs 7.7ms to produce an adversarial example, which solves the problems of low efficiency, large amount of calculation and inapplicable to non-differentiable model.

Yankun Ren,Jianbin Lin,Siliang Tang,Jun Zhou,Shuang Yang,Yuan Qi,Xiang Ren

DOI: https://doi.org/10.3233/faia200340

2020-01-01

Abstract:Today text classification models have been widely used. However, these classifiers are found to be easily fooled by adversarial examples. Fortunately, standard attacking methods generate adversarial texts in a pair-wise way, that is, an adversarial text can only be created from a real-world text by replacing a few words. In many applications, these texts are limited in numbers, therefore their corresponding adversarial examples are often not diverse enough and sometimes hard to read, thus can be easily detected by humans and cannot create chaos at a large scale. In this paper, we propose an end to end solution to efficiently generate adversarial texts from scratch using generative models, which are not restricted to perturbing the given texts. We call it unrestricted adversarial text generation. Specifically, we train a conditional variational autoencoder (VAE) with an additional adversarial loss to guide the generation of adversarial examples. Moreover, to improve the validity of adversarial texts, we utilize discrimators and the training framework of generative adversarial networks (GANs) to make adversarial texts consistent with real data. Experimental results on sentiment analysis demonstrate the scalability and efficiency of our method. It can attack text classification models with a higher success rate than existing methods, and provide acceptable quality for humans in the meantime.

Long Tang,Bin Yu

DOI: https://doi.org/10.1109/dsa51864.2020.00051

2020-01-01

Abstract:Deep neural network (DNN) has been widely used in many application scenarios, but it is easy to be affected by slight disturbance, which is referred to as adversarial examples, and produces wrong decisions endangering system security. It is difficult to obtain the structure and parameter information of the target network in the actual scene. In this paper, we propose an optimization-based method to generate adversarial examples. Inspired by the autoencoder and Conditional Generative Adversarial Net (CGAN), we train the encoder to encode the image into latent vector, of which the specific region (category field) is used to represent the category information of the image, and then train the decoder to generate adversarial examples of the specified category. We perform Natural Evolution Strategy in the low-dimensional latent space to further improve the attack. The result shows that our method can successfully attack the target network within only one or a few queries. We evaluate our method on Sign-Language-Digits (SLD) and Cifar-10 datasets. Compared with other methods, our approach can attack the target model with less queries, and maintain a high success rate.

Jiabao Liu,Qixiang Zhang,Kanghua Mo,Xiaoyu Xiang,Jin Li,Debin Cheng,Rui Gao,Beishui Liu,Kongyang Chen,Guanjie Wei

DOI: https://doi.org/10.1016/j.csi.2021.103612

2022-08-01

Abstract:Most existing deep neural networks are susceptible to the influence of adversarial examples, which may cause them to output incorrect prediction results. An adversarial example is the addition of small noise disturbances to the input data samples, which will deceive the classification. Generally, these modifications are very small noise disturbances, which are not easily noticed by the human eye. However, most existing adversarial attacks achieve only low success rates in typical black-box settings, where the attackers have no prior knowledge about the model structures and/or model parameters. To tackle this problem, we propose an iterative algorithm based on an acceleration gradient to enhance the adversary attack. Our method accumulates the gradient of the loss function in each iteration and uses the next gradient information to influence the future gradient. We also introduce the scaling invariance principle of a deep neural network to optimize the input images for black-box attacks. In addition, to handle the drawbacks of a traditional iterative fast gradient sign method, we further present two gradient optimization methods. Experimental results on the ImageNet dataset show that our attack methods can achieve good transferability. In addition, those models obtained by integrated adversarial training with strong defense capability are also quite vulnerable to our black-box attack.

computer science, software engineering, hardware & architecture

Weixiong Hu,Zhaoquan Gu,Chuanjing Zhang,Le Wang,Keke Tang

DOI: https://doi.org/10.1007/978-981-15-8101-4_9

2020-01-01

Abstract:In recent years, deep neural networks have greatly facilitated machine learning tasks. However, emergence of adversarial examples revealed the vulnerability of neural networks. As a result, security of neural networks is drawing more research attention than before and a large number of attack methods have been proposed to generate adversarial examples to evaluate the robustness of neural networks. Furthermore, adversarial examples can be widely adopted in machine vision, natural language processing, and video recognition applications. In this paper, we study adversarial examples against image classification networks. Inspired by the method of detecting key regions in object detection tasks, we built a restrict region-based adversarial example generation system for image classification. We proposed a novel method called gradient mask to generate adversarial examples that have a high attack success rate and small disturbances. The experimental results also validated the method’s performance.

Chaowei Xiao,Bo Li,Jun-yan Zhu,Warren He,Mingyan Liu,Dawn Song

DOI: https://doi.org/10.24963/ijcai.2018/543

2018-07-01

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

LI Jian,GUO Yan-ming,YU Tian-yuan,WU Yu-lun,WANG Xiang-han,LAO Song-yang

DOI: https://doi.org/10.11896/jsjkx.210800130

2022-01-01

Computer Science

Abstract:Although deep neural networks perform well in many areas,research shows that deep neural networks are vulnerable to attacks from adversarial examples.There are many algorithms for attacking neural networks,but the attack speed of most attack algorithms is slow.Therefore,the rapid generation of adversarial examples has gradually become the focus of research in the area of adversarial examples.AdvGAN is an algorithm that uses the network to attack another network,which can generate adversarial samples extremely faster than other methods.However,when carrying out a targeted attack,AdvGAN needs to train a network for each target,so the efficiency of the attack is low.In this article,we propose a multi-target attack network(MTA) based on the generative adversarial network,which can complete multi-target attacks and quickly generate adversarial examples by training only once.Experiments show that MTA has a higher success rate for targeted attacks on the CIFAR10 and MNIST datasets than AdvGAN.We have also done adversarial sample transfer experiments and attack experiments under defense.The results show that the transferability of the adversarial examples generated by MTA is stronger than other multi-target attack algorithms,and our MTA method also has a higher attack success rate under defense.

Keyuan Zhang,Kaiyue Wu,Siyu Chen,Yunce Zhao,Xin Yao

DOI: https://doi.org/10.1007/978-3-030-91100-3_25

2021-01-01

Abstract:Deep neural networks are fragile as they are easily fooled by inputs with deliberate perturbations, which are key concerns in image security issues. Given a trained neural network, we are always curious about whether the neural network has learned the concept that we'd like it to learn. We want to know whether there might be some vulnerabilities of the neural network that could be exploited by hackers. It could be useful if there is a tool that can be used by non-experts to test a trained neural network and try to find its vulnerabilities. In this paper, we introduce a tool named AdverseGen for generating adversarial examples to a trained deep neural network using the black-box approach, i.e., without using any information about the neural network architecture and its gradient information. Our tool provides customized adversarial attacks for both non-professional users and developers. It can be invoked by a graphical user interface or command line mode to launch adversarial attacks. Moreover, this tool supports different attack goals (targeted, non-targeted) and different distance metrics.

Chengru Song,Changqiao Xu,Shujie Yang,Zan Zhou,Changhui Gong

DOI: https://doi.org/10.1109/dsc.2019.00078

2019-01-01

Abstract:Generating adversarial samples is gathering much attention as an intuitive approach to evaluate the robustness of learning models. Extensive recent works have demonstrated that numerous advanced image classifiers are defenseless to adversarial perturbations in the white-box setting. However, the white-box setting assumes attackers to have prior knowledge of model parameters, which are generally inaccessible in real world cases. In this paper, we concentrate on the hard-label black-box setting where attackers can only pose queries to probe the model parameters responsible for classifying different images. Therefore, the issue is converted into minimizing non-continuous function. A black-box approach is proposed to address both massive queries and the non-continuous step function problem by applying a combination of a linear fine-grained search, Fibonacci search, and a zeroth order optimization algorithm. However, the input dimension of a image is so high that the estimation of gradient is noisy. Hence, we adopt a zeroth-order optimization method in high dimensions. The approach converts calculation of gradient into a linear regression model and extracts dimensions that are more significant. Experimental results illustrate that our approach can relatively reduce the amount of queries and effectively accelerate convergence of the optimization method.

Bo Yang,Hengwei Zhang,Zheming Li,Yuchen Zhang,Kaiyong Xu,Jindong Wang

DOI: https://doi.org/10.1007/s10489-022-03469-5

IF: 5.3

2022-05-09

Applied Intelligence

Abstract:Deep neural networks are vulnerable to adversarial examples, which are crafted by applying small, human-imperceptible perturbations on the original images, so as to mislead deep neural networks to output inaccurate predictions. Adversarial attacks can thus be an important method to evaluate and select robust models in safety-critical applications. However, under the challenging black-box setting, most existing adversarial attacks often achieve relatively low success rates on normally trained networks and adversarially trained networks. In this paper, we regard the generation process of adversarial examples as an optimization process similar to deep neural network training. From this point of view, we introduce AdaBelief optimizer and crop invariance into the generation of adversarial examples, and propose AdaBelief Iterative Fast Gradient Method (ABI-FGM) and Crop-Invariant attack Method (CIM) to improve the transferability of adversarial examples. By adopting adaptive learning rate into the iterative attacks, ABI-FGM can optimize the convergence process, resulting in more transferable adversarial examples. CIM is based on our discovery on the crop-invariant property of deep neural networks, which we thus leverage to optimize the adversarial perturbations over an ensemble of crop copies so as to avoid overfitting on the white-box model being attacked and improve the transferability of adversarial examples. ABI-FGM and CIM can be readily integrated to build a strong gradient-based attack to further boost the success rates of adversarial examples for black-box attacks. Moreover, our method can also be naturally combined with other gradient-based attack methods to build a more robust attack to generate more transferable adversarial examples against the defense models. Extensive experiments on the ImageNet dataset demonstrate the method's effectiveness. Whether on normally trained networks or adversarially trained networks, our method has higher success rates than state-of-the-art gradient-based attack methods.

computer science, artificial intelligence

Zhenhua Li,Huilin Cheng,Xinye Cai,Jun Zhao,Qingfu Zhang

DOI: https://doi.org/10.1109/tetci.2022.3214627

2023-01-01

IEEE Transactions on Emerging Topics in Computational Intelligence

Abstract:Deep neural networks are vulnerable to adversarial examples that alter the output significantly with imperceptible change in the input. In our black-box setting, the adversarial attacker can only query the model to predict the value after the softmax layer without accessing the underlying model. Currently, generating adversarial examples with high qualifications in the query-limited setting and investigating the distribution of adversarial examples are two main challenges in the black-box attack. In this paper, we propose a zeroth-order optimization method for the black-box adversarial attack, termed subspace activation evolution strategy (SA-ES). It captures the most promising direction for generating more convincing adversarial examples.Moreover, instead of only searching for one reliable adversarial example for an original input, SA-ES finds a distribution of adversarial examples, such that a sample drawn from this distribution is likely an adversarial example. We conduct comprehensive experiments on various data sets and validate that the proposed algorithm can efficiently find perturbation-sensitive regions of an image and stably explore the distribution of adversarial examples with the limited query, and outperforms the existing methods. In addition, we apply SA-ES to physical reality black-box attacks, which effectively generate simulated physical adversarial examples for the adversarial training model.

Mingxing Duan,Kenli Li,Lingxi Xie,Qi Tian,Bin Xiao

DOI: https://doi.org/10.1145/3474085.3475542

2021-01-01

Abstract:The current research on adversarial attacks aims at a single model while the research on attacking multiple models simultaneously is still challenging. In this paper, we propose a novel black-box attack method, referred to as MBbA, which can attack multiple black-boxes at the same time. By encoding input image and its target category into an associated space, each decoder seeks the appropriate attack areas from the image through the designed loss functions, and then generates effective adversarial examples. This process realizes end-to-end adversarial example generation without involving substitute models for the black-box scenario. On the other hand, adopting the adversarial examples generated by MBbA for adversarial training, the robustness of the attacked models are greatly improved. More importantly, those adversarial examples can achieve satisfactory attack performance, even if these blackbox models are trained with the adversarial examples generated by other black-box attack methods, which show good transferability. Finally, extensive experiments show that compared with other state-of-the-art methods: (1) MBbA takes the least time to obtain the most effective attack effects in multi-black-box attack scenario. Furthermore, MBbA achieves the highest attack success rates in a single black-box attack scenario; (2) the adversarial examples generated by MBbA can effectively improve the robustness of the attacked models and exhibit good transferability.

Mingxing Duan,Kailun Jiao,Siyang Yu,Zhibang Yang,Bin Xiao,Kenli Li

DOI: https://doi.org/10.1109/tifs.2024.3356812

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:One area of current research on adversarial attacks is how to generate plausible adversarial examples when only a small number of datasets are available. Current adversarial attack algorithms used to attack these black-box systems face a number of challenges, such as difficulty in training convergence, ambiguous sample images, substitute models collapse, unsatisfactory attack success rates, high query cost, and low defense capability improvement of target models. As a result, constructing plausible adversarial situations in a few known real-world sample circumstances remains difficult. As a solution to the aforementioned issues, this study introduces MC-Net, a novel multi-stage and multi-class balanced generating method based on a limited number of samples to generate realistic adversarial examples. Firstly, a multi-task learning approach is used to train the GAN by fully utilizing the small samples, ensuring that the size of the generated dataset for each category is balanced. In addition, we design a weight-balancing strategy to ensure faster convergence of each sub-network. Then, in the second stage, the generated samples of different categories are used to train a substitute model, and the distillation method is adopted to learn the output distribution of the target model. Finally, adversarial examples are constructed on the generated samples to complete the attack on the target models. Extensive experiments have proven that MC-Net has the following advantages: 1) The substitute model converges quickly using limited samples and queries; 2) High attack success rates can be obtained with a few queries; and 3) The constructed adversarial examples significantly improve the target model's defense. Furthermore, we only utilize a few queries for the Microsoft Azure online model to obtain a satisfactory result. Our code can be found at https://github.com/jiaokailun/A-fast.

computer science, theory & methods,engineering, electrical & electronic

Chenming Yang,Liang Zhou,Hui Wen,Yue Wu

DOI: https://doi.org/10.1109/infocomwkshps50562.2020.9162699

2020-01-01

Abstract:Semi-supervised machine learning models, especially deep neural networks, have been widely used in network anomaly detection for their capability of capturing patterns in normal data. However, the models face security challenges when an attacker has obtained their full details. In this paper, we propose a universal adversarial sample generator (U-ASG), to perform white-box adversarial attacks on autoencoder-based semi-supervised network anomaly detection (SSNAD) systems. The purpose of adversarial attacks is to generate small adversarial perturbations and add them to targeted anomalous samples to fly under the radar. We model the generation process of adversarial perturbations as an optimization problem, in which we minimize the reconstruction errors of the adversarial samples through the trained autoencoder and approximate it to solve. Furthermore, to improve the attack performance against the variational autoencoder (VAE), which is robust to tiny perturbations through uncertainty modeling, we design a mechanism to weaken its robustness by introducing a variance regularizer to the optimization. Simulation results show that the adversarial attacks generated by our U-ASG can effectively degrade the performance of the autoencoder-based SSNAD systems.

Mingxing Duan,Kenli Li,Jiayan Deng,Bin Xiao,Qi Tian

DOI: https://doi.org/10.1145/3506852

2022-01-01

Abstract:Deep learning models are widely used in daily life, which bring great convenience to our lives, but they are vulnerable to attacks. How to build an attack system with strong generalization ability to test the robustness of deep learning systems is a hot issue in current research, among which the research on black-box attacks is extremely challenging. Most current research on black-box attacks assumes that the input dataset is known. However, in fact, it is difficult for us to obtain detailed information for those datasets. In order to solve the above challenges, we propose a multi-sample generation model for black-box model attacks, called MsGM. MsGM is mainly composed of three parts: multi-sample generation, substitute model training, and adversarial sample generation and attack. Firstly, we design a multi-task generation model to learn the distribution of the original dataset. The model first converts an arbitrary signal of a certain distribution into the shared features of the original dataset through deconvolution operations, and then according to different input conditions, multiple identical sub-networks generate the corresponding targeted samples. Secondly, the generated sample features achieve different outputs through querying the black-box model and training the substitute model, which are used to construct different loss functions to optimize and update the generator and substitute model. Finally, some common white-box attack methods are used to attack the substitute model to generate corresponding adversarial samples, which are utilized to attack the black-box model. We conducted a large number of experiments on the MNIST and CIFAR-10 datasets. The experimental results show that under the same settings and attack algorithms, MsGM achieves better performance than the based models.

Yan Liu,Wei Yang,Xueyu Zhang,Yi Zhang,Liusheng Huang

2019-01-01

Abstract:State-of-the-art deep neural networks have achieved impressive results on many image classification tasks. However, these neural networks consistently misclassify adversarial examples that humans can clarify correctly classified, the adversarial examples result in the model outputting an incorrect answer with high confidence. Therefore, a black box attack method for efficiently generating a large number of adversarial samples using GAN is proposed. These attack samples are very similar to real images and can fool deep neural networks. Extensive experimental results show that our approach perform well in the task of generate samples of adversarial attacks.