Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Xiaoyong Yuan,Pan He,Qile Zhu,Xiaolin Li

DOI: https://doi.org/10.1109/tnnls.2018.2886017

IF: 14.255

2019-09-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks (DNNs) have been recently found vulnerable to well-designed input samples called adversarial examples. Adversarial perturbations are imperceptible to human but can easily fool DNNs in the testing/deploying stage. The vulnerability to adversarial examples becomes one of the major risks for applying DNNs in safety-critical environments. Therefore, attacks and defenses on adversarial examples draw great attention. In this paper, we review recent findings on adversarial examples for DNNs, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Wei Jiang,Zhiyuan He,Jinyu Zhan,Weijia Pan,Deepak Adhikari

DOI: https://doi.org/10.1145/3470493

2021-10-31

Abstract:Great progress has been made in deep learning over the past few years, which drives the deployment of deep learning–based applications into cyber-physical systems. But the lack of interpretability for deep learning models has led to potential security holes. Recent research has found that deep neural networks are vulnerable to well-designed input examples, called adversarial examples . Such examples are often too small to detect, but they completely fool deep learning models. In practice, adversarial attacks pose a serious threat to the success of deep learning. With the continuous development of deep learning applications, adversarial examples for different fields have also received attention. In this article, we summarize the methods of generating adversarial examples in computer vision, speech recognition, and natural language processing and study the applications of adversarial examples. We also explore emerging research and open problems.

Wenqi Wei,Ling Liu,Margaret Loper,Stacey Truex,Lei Yu,Mehmet Emre Gursoy,Yanzhao Wu

DOI: https://doi.org/10.48550/arXiv.1807.00051

IF: 5.414

2018-06-29

Machine Learning

Abstract:The burgeoning success of deep learning has raised the security and privacy concerns as more and more tasks are accompanied with sensitive data. Adversarial attacks in deep learning have emerged as one of the dominating security threat to a range of mission-critical deep learning systems and applications. This paper takes a holistic and principled approach to perform statistical characterization of adversarial examples in deep learning. We provide a general formulation of adversarial examples and elaborate on the basic principle for adversarial attack algorithm design. We introduce easy and hard categorization of adversarial attacks to analyze the effectiveness of adversarial examples in terms of attack success rate, degree of change in adversarial perturbation, average entropy of prediction qualities, and fraction of adversarial examples that lead to successful attacks. We conduct extensive experimental study on adversarial behavior in easy and hard attacks under deep learning models with different hyperparameters and different deep learning frameworks. We show that the same adversarial attack behaves differently under different hyperparameters and across different frameworks due to the different features learned under different deep learning model training process. Our statistical characterization with strong empirical evidence provides a transformative enlightenment on mitigation strategies towards effective countermeasures against present and future adversarial attacks.

Yishan Li,Yanming Guo,Yuxiang Xie,Qi Wang

DOI: https://doi.org/10.1109/bigdia56350.2022.9874193

2022-01-01

Abstract:With the development of artificial intelligence technology, to our surprise, deep neural networks have made a series of breakthroughs and achieved optimal results in lots of machine learning tasks, while the image field is the most prominent. Although deep learning technology has brought great convenience to our lives, the security problems of artificial intelligence have gradually become prominent. But deep neural networks are very fragile, and usually a small perturbation can have a serious impact on the neural network, especially adversarial examples. As a small imperceptible perturbation, it can cause malicious effects on the results of image classification. What can we do to protect clean examples from perturbations has become the most important and practical research direction in the current image field. A large number of scholars have begun to invest in adversarial examples research, especially in defense, the achievements are more abundant, and related research results have also shown a blowout state. Based on the research status of recent years, this paper first explains the concept of adversarial examples, organizes the current attack methods, and then summarizes different defense methods according to the criteria of detection defense and robust defense. Improvements are discussed to help further development of adversarial defense of images.

Han Xu,Yao Ma,Hao-Chen Liu,Debayan Deb,Hui Liu,Ji-Liang Tang,Anil K. Jain

DOI: https://doi.org/10.1007/s11633-019-1211-x

2020-03-27

International Journal of Automation and Computing

Abstract:Abstract Deep neural networks (DNN) have achieved unprecedented success in numerous machine learning tasks in various domains. However, the existence of adversarial examples raises our concerns in adopting deep learning to safety-critical applications. As a result, we have witnessed increasing interests in studying attack and defense mechanisms for DNN models on different data types, such as images, graphs and text. Thus, it is necessary to provide a systematic and comprehensive overview of the main threats of attacks and the success of corresponding countermeasures. In this survey, we review the state of the art algorithms for generating adversarial examples and the countermeasures against adversarial examples, for three most popular data types, including images, graphs and text.

automation & control systems,computer science, artificial intelligence

Zhengfei Yu,Yun Zhou,Weiming Zhang

DOI: https://doi.org/10.1109/icaci49185.2020.9177527

2020-01-01

Abstract:Recently, deep neural network has been widely used in computer vision, machine translation and Go playing and has become the important part of artificial intelligence applications. However, the existence of adversarial examples designed by adversaries could let deep neural networks make incorrect outputs, and fail to work in their applications. Indeed, a considerable amount of work on generating adversarial examples has emerged. Thus, it’s important to investigate adversarial examples in deep learning community. Throughout this paper, we introduce some basic knowledge about attacks on DNNs. Then, we discuss several attack methods to generate adversarial examples. Subsequently, we introduce some defense mechanisms to classify or detect adversarial examples correctly. Finally, we review the challenges in this field, along with the corresponding future directions towards dealing with adversarial examples.

Wei Emma Zhang,Quan Z. Sheng,Ahoud Alhazmi,Chenliang Li

DOI: https://doi.org/10.48550/arXiv.1901.06796

2019-04-11

Abstract:With the development of high computational devices, deep neural networks (DNNs), in recent years, have gained significant popularity in many Artificial Intelligence (AI) applications. However, previous efforts have shown that DNNs were vulnerable to strategically modified samples, named adversarial examples. These samples are generated with some imperceptible perturbations but can fool the DNNs to give false predictions. Inspired by the popularity of generating adversarial examples for image DNNs, research efforts on attacking DNNs for textual applications emerges in recent years. However, existing perturbation methods for images cannotbe directly applied to texts as text data is discrete. In this article, we review research works that address this difference and generatetextual adversarial examples on DNNs. We collect, select, summarize, discuss and analyze these works in a comprehensive way andcover all the related information to make the article self-contained. Finally, drawing on the reviewed literature, we provide further discussions and suggestions on this topic.

Computation and Language

Shuai Zhou,Chi Liu,Dayong Ye,Tianqing Zhu,Wanlei Zhou,Philip S. Yu

DOI: https://doi.org/10.1145/3547330

IF: 16.6

2022-12-24

ACM Computing Surveys

Abstract:The outstanding performance of deep neural networks has promoted deep learning applications in a broad set of domains. However, the potential risks caused by adversarial samples have hindered the large-scale deployment of deep learning. In these scenarios, adversarial perturbations, imperceptible to human eyes, significantly decrease the model’s final performance. Many papers have been published on adversarial attacks and their countermeasures in the realm of deep learning. Most focus on evasion attacks, where the adversarial examples are found at test time, as opposed to poisoning attacks where poisoned data is inserted into the training data. Further, it is difficult to evaluate the real threat of adversarial attacks or the robustness of a deep learning model, as there are no standard evaluation methods. Hence, with this article, we review the literature to date. Additionally, we attempt to offer the first analysis framework for a systematic understanding of adversarial attacks. The framework is built from the perspective of cybersecurity to provide a lifecycle for adversarial attacks and defenses.

computer science, theory & methods

Alex Serban,Erik Poll,Joost Visser

DOI: https://doi.org/10.48550/arXiv.2008.04094

2020-08-07

Computer Vision and Pattern Recognition

Abstract:Deep neural networks are at the forefront of machine learning research. However, despite achieving impressive performance on complex tasks, they can be very sensitive: Small perturbations of inputs can be sufficient to induce incorrect behavior. Such perturbations, called adversarial examples, are intentionally designed to test the network's sensitivity to distribution drifts. Given their surprisingly small size, a wide body of literature conjectures on their existence and how this phenomenon can be mitigated. In this article we discuss the impact of adversarial examples on security, safety, and robustness of neural networks. We start by introducing the hypotheses behind their existence, the methods used to construct or protect against them, and the capacity to transfer adversarial examples between different machine learning models. Altogether, the goal is to provide a comprehensive and self-contained survey of this growing field of research.

Hongshuo Liang,Erlu He,Yangyang Zhao,Zhe Jia,Hao Li

DOI: https://doi.org/10.3390/electronics11081283

IF: 2.9

2022-04-18

Electronics

Abstract:In recent years, artificial intelligence technology represented by deep learning has achieved remarkable results in image recognition, semantic analysis, natural language processing and other fields. In particular, deep neural networks have been widely used in different security-sensitive tasks. Fields, such as facial payment, smart medical and autonomous driving, which accelerate the construction of smart cities. Meanwhile, in order to fully unleash the potential of edge big data, there is an urgent need to push the AI frontier to the network edge. Edge AI, the combination of artificial intelligence and edge computing, supports the deployment of deep learning algorithms to edge devices that generate data, and has become a key driver of smart city development. However, the latest research shows that deep neural networks are vulnerable to attacks from adversarial example and output wrong results. This type of attack is called adversarial attack, which greatly limits the promotion of deep neural networks in tasks with extremely high security requirements. Due to the influence of adversarial attacks, researchers have also begun to pay attention to the research in the field of adversarial defense. In the game process of adversarial attacks and defense technologies, both attack and defense technologies have been developed rapidly. This article first introduces the principles and characteristics of adversarial attacks, and summarizes and analyzes the adversarial example generation methods in recent years. Then, it introduces the adversarial example defense technology in detail from the three directions of model, data, and additional network. Finally, combined with the current status of adversarial example generation and defense technology development, put forward challenges and prospects in this field.

engineering, electrical & electronic,computer science, information systems,physics, applied

Jiliang Zhang,Chen Li

DOI: https://doi.org/10.1109/TNNLS.2019.2933524

2019-09-23

Abstract:Deep neural networks (DNNs) have shown huge superiority over humans in image recognition, speech processing, autonomous vehicles and medical diagnosis. However, recent studies indicate that DNNs are vulnerable to adversarial examples (AEs), which are designed by attackers to fool deep learning models. Different from real examples, AEs can mislead the model to predict incorrect outputs while hardly be distinguished by human eyes, therefore threaten security-critical deep-learning applications. In recent years, the generation and defense of AEs have become a research hotspot in the field of artificial intelligence (AI) security. This article reviews the latest research progress of AEs. First, we introduce the concept, cause, characteristics and evaluation metrics of AEs, then give a survey on the state-of-the-art AE generation methods with the discussion of advantages and disadvantages. After that, we review the existing defenses and discuss their limitations. Finally, future research opportunities and challenges on AEs are prospected.

Machine Learning

Mayra Macas,Chunming Wu,Walter Fuertes

DOI: https://doi.org/10.1016/j.eswa.2023.122223

IF: 8.5

2024-03-01

Expert Systems with Applications

Abstract:Over the last few years, the adoption of machine learning in a wide range of domains has been remarkable. Deep learning, in particular, has been extensively used to drive applications and services in specializations such as computer vision, natural language processing, machine translation, and cybersecurity, producing results that are comparable to or even surpass the performance of human experts. Nevertheless, machine learning systems are vulnerable to adversarial attacks, especially in nonstationary environments where actual adversaries exist, such as the cybersecurity domain. In this work, we comprehensively survey and present the latest research on attacks based on adversarial examples against deep learning-based cybersecurity systems, highlighting the risks they pose and promoting efficient countermeasures. To that end, adversarial attack methods are first categorized according to where they occur and the attacker’s goals and capabilities. Then, specific attacks based on adversarial examples and the respective defensive methods are reviewed in detail within the framework of eight principal cybersecurity application categories. Finally, the main trends in recent research are outlined, and the impact of recent advancements in adversarial machine learning is explored to provide guidelines and directions for future research in cybersecurity. In , this work is the first to systematically analyze adversarial example-based attacks in the cybersecurity field, discuss possible defenses, and highlight promising directions for future research.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Wenqi Wang,Benxiao Tang,Run Wang,Lina Wang,Aoshuang Ye

2019-01-01

Abstract:Deep neural networks (DNNs) have achieved remarkable success in various tasks (e.g., image classification, speech recognition, and natural language processing). However, researches have shown that DNN models are vulnerable to adversarial examples, which cause incorrect predictions by adding imperceptible perturbations into normal inputs. Studies on adversarial examples in image domain have been well investigated, but in texts the research is not enough, let alone a comprehensive survey in this field. In this paper, we aim at presenting a comprehensive understanding of adversarial attacks and corresponding mitigation strategies in texts. Specifically, we first give a taxonomy of adversarial attacks and defenses in texts from the perspective of different natural language processing (NLP) tasks, and then introduce how to build a robust DNN model via testing and verification. Finally, we discuss the existing challenges of adversarial attacks and defenses in texts and present the future research directions in this emerging field.

Jian-Xun Mi,Xu-Dong Wang,Li-Fang Zhou,Kun Cheng

DOI: https://doi.org/10.1016/j.neucom.2022.10.046

IF: 6

2022-11-15

Neurocomputing

Abstract:Deep learning plays a critical role in the applications of artificial intelligence. The trend of processing images or videos as input data and pursuing execution efficiency in practical applications is unstoppable. However, the vulnerability due to the complex structure of deep networks makes it at risk of attacks. Object detection, as the significant product impacted by the deep learning frame, corresponds to this weakness implicated by its multiple-tasks property. Besides, these applications involving object detection techniques are integrated deeply into our lives, potentially leading to unimaginable loss. Adversarial example attacks, as the mainstream attack method, provide an efficacious and comprehensible idea to generate perturbation. In this survey, we review the existing adversarial example attacks in object detection tasks and inductively discuss the similarity and differences among these approaches. Finally, we construct this survey for discussing the attacks in the object detection field and point out the possible direction for adversarial defenses in future studies.

computer science, artificial intelligence

Qi Wang,Jie Jiang,Jinyuan Mo,Qiuyu Kong,Yishan Li,Suru Feng

DOI: https://doi.org/10.1109/iccc56324.2022.10065959

2022-01-01

Abstract:As an important part of artificial intelligence, deep learning has been widely used in computer vision. However, since deep neural networks lack of theoretical support, their security has been questioned by lots of researchers. Recent studies have shown that deep neural networks are susceptible to subtle perturbation. Researchers call the method of using perturbation to mislead the model adversarial attack. In this paper, we introduce some basic concepts of adversarial attacks in the computer vision field and analyze the causes of adversarial examples. We describe and compare some attack methods. Finally, we review the development of adversarial attack technology in computer vision and prospect potential development directions in this field.

Anirban Chakraborty,Manaar Alam,Vishal Dey,Anupam Chattopadhyay,Debdeep Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1810.00069

IF: 5.414

2018-09-28

Machine Learning

Abstract:Deep learning has emerged as a strong and efficient framework that can be applied to a broad spectrum of complex learning problems which were difficult to solve using the traditional machine learning techniques in the past. In the last few years, deep learning has advanced radically in such a way that it can surpass human-level performance on a number of tasks. As a consequence, deep learning is being extensively used in most of the recent day-to-day applications. However, security of deep learning systems are vulnerable to crafted adversarial examples, which may be imperceptible to the human eye, but can lead the model to misclassify the output. In recent times, different types of adversaries based on their threat model leverage these vulnerabilities to compromise a deep learning system where adversaries have high incentives. Hence, it is extremely important to provide robustness to deep learning algorithms against these adversaries. However, there are only a few strong countermeasures which can be used in all types of attack scenarios to design a robust deep learning system. In this paper, we attempt to provide a detailed discussion on different types of adversarial attacks with various threat models and also elaborate the efficiency and challenges of recent countermeasures against them.

Ninghao Liu,Mengnan Du,Ruocheng Guo,Huan Liu,Xia Hu

DOI: https://doi.org/10.48550/arXiv.2004.11488

IF: 5.414

2020-04-23

Machine Learning

Abstract:Despite the recent advances in a wide spectrum of applications, machine learning models, especially deep neural networks, have been shown to be vulnerable to adversarial attacks. Attackers add carefully-crafted perturbations to input, where the perturbations are almost imperceptible to humans, but can cause models to make wrong predictions. Techniques to protect models against adversarial input are called adversarial defense methods. Although many approaches have been proposed to study adversarial attacks and defenses in different scenarios, an intriguing and crucial challenge remains that how to really understand model vulnerability? Inspired by the saying that "if you know yourself and your enemy, you need not fear the battles", we may tackle the aforementioned challenge after interpreting machine learning models to open the black-boxes. The goal of model interpretation, or interpretable machine learning, is to extract human-understandable terms for the working mechanism of models. Recently, some approaches start incorporating interpretation into the exploration of adversarial attacks and defenses. Meanwhile, we also observe that many existing methods of adversarial attacks and defenses, although not explicitly claimed, can be understood from the perspective of interpretation. In this paper, we review recent work on adversarial attacks and defenses, particularly from the perspective of machine learning interpretation. We categorize interpretation into two types, feature-level interpretation and model-level interpretation. For each type of interpretation, we elaborate on how it could be used for adversarial attacks and defenses. We then briefly illustrate additional correlations between interpretation and adversaries. Finally, we discuss the challenges and future directions along tackling adversary issues with interpretation.