Zhen Wang,Buhong Wang,Chuanlei Zhang,Yaohui Liu

DOI: https://doi.org/10.3390/rs15061690

IF: 5

2023-03-22

Remote Sensing

Abstract:Deep learning (DL) models have recently been widely used in UAV aerial image semantic segmentation tasks and have achieved excellent performance. However, DL models are vulnerable to adversarial examples, which bring significant security risks to safety-critical systems. Existing research mainly focuses on solving digital attacks for aerial image semantic segmentation, but adversarial patches with physical attack attributes are more threatening than digital attacks. In this article, we systematically evaluate the threat of adversarial patches on the aerial image semantic segmentation task for the first time. To defend against adversarial patch attacks and obtain accurate semantic segmentation results, we construct a novel robust feature extraction network (RFENet). Based on the characteristics of aerial images and adversarial patches, RFENet designs a limited receptive field mechanism (LRFM), a spatial semantic enhancement module (SSEM), a boundary feature perception module (BFPM) and a global correlation encoder module (GCEM), respectively, to solve adversarial patch attacks from the DL model architecture design level. We discover that semantic features, shape features and global features contained in aerial images can significantly enhance the robustness of the DL model against patch attacks. Extensive experiments on three aerial image benchmark datasets demonstrate that the proposed RFENet has strong resistance to adversarial patch attacks compared with the existing state-of-the-art methods.

environmental sciences,imaging science & photographic technology,remote sensing,geosciences, multidisciplinary

Zhen Wang,Buhong Wang,Yaohui Liu,Jianxin Guo

DOI: https://doi.org/10.3390/rs15051325

IF: 5

2023-02-27

Remote Sensing

Abstract:Aerial Image Semantic segmentation based on convolution neural networks (CNNs) has made significant process in recent years. Nevertheless, their vulnerability to adversarial example attacks could not be neglected. Existing studies typically focus on adversarial attacks for image classification, ignoring the negative effect of adversarial examples on semantic segmentation. In this article, we systematically assess and verify the influence of adversarial attacks on aerial image semantic segmentation. Meanwhile, based on the robust characteristics of global features, we construct a novel global feature attention network (GFANet) for aerial image semantic segmentation to solve the threat of adversarial attacks. GFANet uses the global context encoder (GCE) to obtain the context dependencies of global features, introduces the global coordinate attention mechanism (GCAM) to enhance the global feature representation to suppress adversarial noise, and the feature consistency alignment (FCA) is used for feature calibration. In addition, we construct a universal adversarial training strategy to improve the robustness of the semantic segmentation model against adversarial example attacks. Extensive experiments on three aerial image datasets demonstrate that GFANet is more robust against adversarial attacks than existing state-of-the-art semantic segmentation models.

environmental sciences,imaging science & photographic technology,remote sensing,geosciences, multidisciplinary

Dian Zhang,Yunwei Dong,Hongji Yang

DOI: https://doi.org/10.1007/s11042-023-17355-w

IF: 2.577

2023-01-01

Multimedia Tools and Applications

Abstract:Due to the continuous development of neural network technology, it has been widely applied in fields such as autonomous driving and biomedicine. However, adversarial attacks can significantly degrade the performance and reliability of neural networks, making defending against such attacks a crucial research area. In this paper, we propose a robust U-Net and adversarial generative network-based defense method, training the target model on a clean training set without adversarial samples. Firstly, we train the target neural network on a clean training set. Then, we train the robust U-Net using the clean training set, employing reparameterization and random noise to resist adversarial perturbations. To supervise the quality of transformed images, we employ the adversarial generative network, utilizing the RU-Net as the generator and a discriminator to ensure the quality of generated images. Finally, we use the transformed images to retrain the target neural network, obtaining a robust neural network model capable of defending against adversarial attacks. Experimental evaluations on CIFAR-10 and Tiny Image Net demonstrate the effectiveness of our method in countering adversarial attacks and enhancing neural network robustness.

Yiming Li,Yanjie Li,Yalei Lv,Yong Jiang,Shu-Tao Xia

DOI: https://doi.org/10.48550/arXiv.2103.04038

2021-03-06

Cryptography and Security

Abstract:Deep neural networks (DNNs) are vulnerable to the \emph{backdoor attack}, which intends to embed hidden backdoors in DNNs by poisoning training data. The attacked model behaves normally on benign samples, whereas its prediction will be changed to a particular target label if hidden backdoors are activated. So far, backdoor research has mostly been conducted towards classification tasks. In this paper, we reveal that this threat could also happen in semantic segmentation, which may further endanger many mission-critical applications ($e.g.$, autonomous driving). Except for extending the existing attack paradigm to maliciously manipulate the segmentation models from the image-level, we propose a novel attack paradigm, the \emph{fine-grained attack}, where we treat the target label ($i.e.$, annotation) from the object-level instead of the image-level to achieve more sophisticated manipulation. In the annotation of poisoned samples generated by the fine-grained attack, only pixels of specific objects will be labeled with the attacker-specified target class while others are still with their ground-truth ones. Experiments show that the proposed methods can successfully attack semantic segmentation models by poisoning only a small proportion of training data. Our method not only provides a new perspective for designing novel attacks but also serves as a strong baseline for improving the robustness of semantic segmentation methods.

Gong Cheng,Xuxiang Sun,Ke Li,Lei Guo,Junwei Han

DOI: https://doi.org/10.1109/TGRS.2021.3081421

IF: 8.2

2022-01-01

IEEE Transactions on Geoscience and Remote Sensing

Abstract:The methods for remote sensing image (RSI) scene classification based on deep convolutional neural networks (DCNNs) have achieved prominent success. However, confronted with adversarial examples obtained by adding imperceptible perturbations to clean images, the great vulnerability of DCNNs makes it worth exploring effective defense methods. To date, numerous countermeasures for adversarial examples have been proposed, but how to improve the defensive ability for unknown attacks still to be answered. To address this issue, in this article, we propose an effective defense framework specified for RSI scene classification, named perturbation-seeking generative adversarial networks (PSGANs). In brief, a new training framework is designed to train the classifier by introducing the examples generated during the image reconstruction process, in addition to clean examples and adversarial ones. These generated examples can be random kinds of unknown attacks during training and thus are utilized to eliminate the blind spots of a classifier. To assist the proposed training framework, a reconstruction method is developed. First, instead of modeling the distribution of clean examples, we model the distributions of the perturbations added in adversarial examples. Second, to make a tradeoff between the diversity of the reconstructed examples and the optimization of PSGAN, a scale factor named seeking radius is introduced to scale the generated perturbations before they are subtracted by the given adversarial examples. Comprehensive and extensive experimental results on three widely used benchmarks for RSI scene classification demonstrate the great effectiveness of PSGAN when faced with both known and unknown attacks. Our source code is available at https://github.com/xuxiangsun/PSGAN.

Chuan Du,Lei Zhang

DOI: https://doi.org/10.3390/rs13214358

IF: 5

2021-01-01

Remote Sensing

Abstract:Some recent articles have revealed that synthetic aperture radar automatic target recognition (SAR-ATR) models based on deep learning are vulnerable to the attacks of adversarial examples and cause security problems. The adversarial attack can make a deep convolutional neural network (CNN)-based SAR-ATR system output the intended wrong label predictions by adding small adversarial perturbations to the SAR images. The existing optimization-based adversarial attack methods generate adversarial examples by minimizing the mean-squared reconstruction error, causing smooth target edge and blurry weak scattering centers in SAR images. In this paper, we build a UNet-generative adversarial network (GAN) to refine the generation of the SAR-ATR models' adversarial examples. The UNet learns the separable features of the targets and generates the adversarial examples of SAR images. The GAN makes the generated adversarial examples approximate to real SAR images (with sharp target edge and explicit weak scattering centers) and improves the generation efficiency. We carry out abundant experiments using the proposed adversarial attack algorithm to fool the SAR-ATR models based on several advanced CNNs, which are trained on the measured SAR images of the ground vehicle targets. The quantitative and qualitative results demonstrate the high-quality adversarial example generation and excellent attack effectiveness and efficiency improvement.

Yangming Chen

2024-05-19

Abstract:Backdoor attacks have severely threatened deep neural network (DNN) models in the past several years. These attacks can occur in almost every stage of the deep learning pipeline. Although the attacked model behaves normally on benign samples, it makes wrong predictions for samples containing triggers. However, most existing attacks use visible patterns (e.g., a patch or image transformations) as triggers, which are vulnerable to human inspection. In this paper, we propose a novel backdoor attack, making imperceptible changes. Concretely, our attack first utilizes the pre-trained victim model to extract low-level and high-level semantic features from clean images and generates trigger pattern associated with high-level features based on channel attention. Then, the encoder model generates poisoned images based on the trigger and extracted low-level semantic features without causing noticeable feature loss. We evaluate our attack on three prominent image classification DNN across three standard datasets. The results demonstrate that our attack achieves high attack success rates while maintaining robustness against backdoor defenses. Furthermore, we conduct extensive image similarity experiments to emphasize the stealthiness of our attack strategy.

Computer Vision and Pattern Recognition,Artificial Intelligence

Honglu He,Zhiying Zhu,Xinpeng Zhang

DOI: https://doi.org/10.32604/cmes.2023.025923

2023-01-01

Abstract:In recent years, the number of parameters of deep neural networks (DNNs) has been increasing rapidly. The training of DNNs is typically computation-intensive. As a result, many users leverage cloud computing and outsource their training procedures. Outsourcing computation results in a potential risk called backdoor attack, in which a well trained DNN would perform abnormally on inputs with a certain trigger. Backdoor attacks can also be classified as attacks that exploit fake images. However, most backdoor attacks design a uniform trigger for all images, which can be easily detected and removed. In this paper, we propose a novel adaptive backdoor attack. We overcome this defect and design a generator to assign a unique trigger for each image depending on its texture. To achieve this goal, we use a texture complexity metric to create a special mask for each image, which forces the trigger to be embedded into the rich texture regions. The trigger is distributed in texture regions, which makes it invisible to humans. Besides the stealthiness of triggers, we limit the range of modification of backdoor models to evade detection. Experiments show that our method is efficient in multiple datasets, and traditional detectors cannot reveal the existence of a backdoor.

Huaxia Wang,Chun-Nam Yu

DOI: https://doi.org/10.48550/arXiv.1905.09591

2019-05-23

Computer Vision and Pattern Recognition

Abstract:Deep neural networks have been shown to perform well in many classical machine learning problems, especially in image classification tasks. However, researchers have found that neural networks can be easily fooled, and they are surprisingly sensitive to small perturbations imperceptible to humans. Carefully crafted input images (adversarial examples) can force a well-trained neural network to provide arbitrary outputs. Including adversarial examples during training is a popular defense mechanism against adversarial attacks. In this paper we propose a new defensive mechanism under the generative adversarial network (GAN) framework. We model the adversarial noise using a generative network, trained jointly with a classification discriminative network as a minimax game. We show empirically that our adversarial network approach works well against black box attacks, with performance on par with state-of-art methods such as ensemble adversarial training and adversarial training with projected gradient descent.

Anurag Arnab,Ondrej Miksik,Philip H S Torr

DOI: https://doi.org/10.1109/TPAMI.2019.2919707

Abstract:Deep Neural Networks (DNNs) have demonstrated exceptional performance on most recognition tasks such as image classification and segmentation. However, they have also been shown to be vulnerable to adversarial examples. This phenomenon has recently attracted a lot of attention but it has not been extensively studied on multiple, large-scale datasets and structured prediction tasks such as semantic segmentation which often require more specialised networks with additional components such as CRFs, dilated convolutions, skip-connections and multiscale processing. In this paper, we present what to our knowledge is the first rigorous evaluation of adversarial attacks on modern semantic segmentation models, using two large-scale datasets. We analyse the effect of different network architectures, model capacity and multiscale processing, and show that many observations made on the task of classification do not always transfer to this more complex task. Furthermore, we show how mean-field inference in deep structured models, multiscale processing (and more generally, input transformations) naturally implement recently proposed adversarial defenses. Our observations will aid future efforts in understanding and defending against adversarial examples. Moreover, in the shorter term, we show how to effectively benchmark robustness and show which segmentation models should currently be preferred in safety-critical applications due to their inherent robustness.

Lina Wang,Xingshu Chen,Rui Tang,Yawei Yue,Yi Zhu,Xuemei Zeng,Wei Wang

DOI: https://doi.org/10.1016/j.knosys.2021.107141

IF: 8.139

2021-01-01

Knowledge-Based Systems

Abstract:The vulnerability of deep neural networks (DNNs) to adversarial attack, which is an attack that can mislead state-of-the-art classifiers into making an incorrect classification with high confidence by deliberately perturbing the original inputs, raises concerns about the robustness of DNNs to such attacks. Adversarial training, which is the main heuristic method for improving adversarial robustness and the first line of defense against adversarial attacks, requires many sample-by-sample calculations to increase training size and is usually insufficiently strong for an entire network. This paper provides a new perspective on the issue of adversarial robustness, one that shifts the focus from the network as a whole to the critical part of the region close to the decision boundary corresponding to a given class. From this perspective, we propose a method to generate a single but image-agnostic adversarial perturbation that carries the semantic information implying the directions to the fragile parts on the decision boundary and causes inputs to be misclassified as a specified target. We call the adversarial training based on such perturbations "region adversarial training" (RAT), which resembles classical adversarial training but is distinguished in that it reinforces the semantic information missing in the relevant regions. Experimental results on the MNIST and CIFAR-10 datasets show that this approach greatly improves adversarial robustness even when a very small dataset from the training data is used; moreover, it can defend against fast gradient sign method, universal perturbation, projected gradient descent, and Carlini and Wagner adversarial attacks, which have a completely different pattern from those encountered by the model during retraining. (C) 2021 Elsevier B.V. All rights reserved.

Haibin Zheng,Jinyin Chen,Hang Du,Weipeng Zhu,Shouling Ji,Xuhong Zhang

DOI: https://doi.org/10.1109/tdsc.2021.3124337

2022-01-01

Abstract:Despite of its tremendous popularity and success in computer vision (CV) and natural language processing, deep learning is inherently vulnerable to adversarial attacks in which adversarial examples (AEs) are carefully crafted by imposing imperceptible perturbations on the clean examples to deceive the target deep neural networks (DNNs). Many defense solutions in CV have been proposed. However, most of them, e.g., adversarial training, suffer from a low generality due to the reliance on limited AEs. Moreover, some solutions even have a non-negligible negative impact on the classification accuracy of clean examples. Last but not least, they are impotent against the unconstrained attacks in which the attackers optimize the perturbation direction and size by additionally taking the defense methods into accounts. In this article, we propose GRIP-GAN to learn a general robust inverse perturbation (GRIP), which is not only able to offset any potential adversarial perturbations but also strengthen the target class-related features, purely from the clean images via a generative adversarial network (GAN). By feeding a random noise, GRIP-GAN is able to generate a dynamic GRIP for each input image to defend against unconstrained attacks. To further improve the defense performance, we also enable GRIP-GAN to generate a GRIP tailored to each input image via feeding input image specific noise to GRIP-GAN. Extensive experiments are carried out on MNIST, CIFAR10, and ImageNet datasets against 17 adversarial attacks. The results show that GRIP-GAN outperforms all the baselines. We further share insights on the success of GRIP-GAN and provide visualized proofs.

Guo-Qiang Zeng,Hai-Nan Wei,Kang-Di Lu,Guang-Gang Geng,Jian Weng

DOI: https://doi.org/10.1109/tim.2024.3436130

IF: 5.6

2024-08-18

IEEE Transactions on Instrumentation and Measurement

Abstract:Deep neural networks (DNNs) have been widely used in the field of synthetic aperture radar (SAR) image classification, but they also face increasingly serious threats from various malicious attacks, among which the backdoor attack is a common threat. The defense methods against backdoor attacks are extremely important. Although the defense methods against backdoor attacks have been studied in the area of traditional computer vision, there is no relevant research on defense against backdoor attacks in DNNs for SAR image classification. This work is the first time to automatically design a data augmentation combinatorial optimization-based backdoor defense, called DACO-BD, for DNNs-based SAR image classifier. In DACO-BD, the automated data augmentation design for the backdoor defense strategy is formulated as the variable-length combinatorial optimization problem. By considering both model performance loss and backdoor attack defense performance, we design the objective function by minimizing the weight sum of the change of testing accuracy error and the attack success rate (ASR). To describe and evolve the length and different combinations of data augmentation strategies, we develop an efficient encoding strategy and discrete optimization operations under the framework of genetic algorithm (GA) including crossover operation and mutation operation. The experimental results on the three SAR image classification datasets including FUSAR-ship, moving and stationary target acquisition and recognition (MSTAR), and UC Merced Land-Use (UCM) demonstrate that the proposed DACO-BD method achieves satisfactory defense performance against five different types of backdoor attacks, while keeping low model performance loss. Furthermore, the proposed DACO-BD outperforms four state-of-the-art backdoor defense methods and one novel classifier originally developed for hyperspectral image classification.

engineering, electrical & electronic,instruments & instrumentation

You Zhai,Liqun Yang,Jian Yang,Longtao He,Zhoujun Li

DOI: https://doi.org/10.3390/electronics12030736

IF: 2.9

2023-01-01

Electronics

Abstract:Due to the outstanding performance of deep neural networks (DNNs), many researchers have begun to transfer deep learning techniques to their fields. To detect algorithmically generated domains (AGDs) generated by domain generation algorithm (DGA) in botnets, a long short-term memory (LSTM)-based DGA detector has achieved excellent performance. However, the previous DNNs have found various inherent vulnerabilities, so cyberattackers can use these drawbacks to deceive DNNs, misleading DNNs into making wrong decisions. Backdoor attack as one of the popular attack strategies strike against DNNs has attracted widespread attention in recent years. In this paper, to cheat the LSTM-based DGA detector, we propose BadDGA, a backdoor attack against the LSTM-based DGA detector. Specifically, we offer four backdoor attack trigger construction methods: TLD-triggers, Ngram-triggers, Word-triggers, and IDN-triggers. Finally, we evaluate BadDGA on ten popular DGA datasets. The experimental results show that under the premise of 1‰ poisoning rate, our proposed backdoor attack can achieve a 100% attack success rate to verify the effectiveness of our method. Meanwhile, the model’s utility on clean data is influenced slightly.

Wanghan Jiang,Yue Zhou,Xue Jiang

DOI: https://doi.org/10.1109/igarss52108.2023.10281657

2023-01-01

Abstract:Object detection in remote sensing images is an essential application of deep learning. However, due to the vulnerability of deep learning models, they are susceptible to adversarial attacks, which can undermine their reliability and accuracy. While significant progress has been made in the field of adversarial attacks, most of the work has focused on image classification tasks due to the complexity of object detection. In this paper, we propose a target camouflage method based on adversarial attacks that can mislead detectors and hide targets with minimal pixel perturbations. Experiments on the DIOR dataset demonstrate the effectiveness of our approach. Our method generates adversarial examples that can successfully fool Faster R-CNN into failing to detect objects with minimal perturbations.

Chaowei Xiao,Bo Li,Jun-yan Zhu,Warren He,Mingyan Liu,Dawn Song

DOI: https://doi.org/10.24963/ijcai.2018/543

2018-07-01

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Ying He,Zhili Shen,Chang Xia,Jingyu Hua,Wei Tong,Zhaohan Sheng

2021-01-01

Abstract:With the development of Deep Neural Network (DNN), as well as the demand growth of third-party DNN model stronger, there leaves a gap for backdoor attack. Backdoor can be injected into a third-party model and has strong stealthiness in normal situation, thus has been widely discussed. Nowadays backdoor attack on deep neural network has been concerned a lot and there comes lots of researches about attack and defense around backdoor in DNN. In this paper, we propose a robust avatar backdoor attack that integrated with adversarial attack. Our attack can escape mainstream detection schemes with popularity and impact that detect whether a model has backdoor or not before deployed. It reveals that although many effective backdoor defense schemes has been put forward, backdoor attack in DNN still needs to be concerned. We select three popular datasets and two detection schemes with high impact factor to prove that our attack has a great performance in aggressivity and stealthiness.

Jindong Gu,Hengshuang Zhao,Volker Tresp,Philip Torr

2023-08-15

Abstract:Deep neural network-based image classifications are vulnerable to adversarial perturbations. The image classifications can be easily fooled by adding artificial small and imperceptible perturbations to input images. As one of the most effective defense strategies, adversarial training was proposed to address the vulnerability of classification models, where the adversarial examples are created and injected into training data during training. The attack and defense of classification models have been intensively studied in past years. Semantic segmentation, as an extension of classifications, has also received great attention recently. Recent work shows a large number of attack iterations are required to create effective adversarial examples to fool segmentation models. The observation makes both robustness evaluation and adversarial training on segmentation models challenging. In this work, we propose an effective and efficient segmentation attack method, dubbed SegPGD. Besides, we provide a convergence analysis to show the proposed SegPGD can create more effective adversarial examples than PGD under the same number of attack iterations. Furthermore, we propose to apply our SegPGD as the underlying attack method for segmentation adversarial training. Since SegPGD can create more effective adversarial examples, the adversarial training with our SegPGD can boost the robustness of segmentation models. Our proposals are also verified with experiments on popular Segmentation model architectures and standard segmentation datasets.

Computer Vision and Pattern Recognition,Image and Video Processing

Zhen Gao,Liyou Wang,Jingning Xu,Hongfei Fan,Rongjie Yu

DOI: https://doi.org/10.1109/cscwd61410.2024.10580743

2024-01-01

Abstract:Ensuring the resilience of deep learning algorithms against adversarial attacks during edge-cloud data transmission between edge and cloud systems is crucial. Although significant strides have been made in enhancing the accuracy of hazardous driving scenario detection in autonomous vehicles, bolstering the robustness against adversarial attacks during data transfer and model recognition remains an urgent challenge. In this paper, we propose a novel approach to enhance adversarial robustness and maintain high accuracy in benign data. Using a lightweight CNN model, we detect hazardous driving scenarios, while a generative adversarial network generates decision boundary samples from original scenario images. These samples are incorporated into adversarial training, preventing overfitting on adversarial examples. Experimental results show our approach achieves robust accuracy (AUC) of 0.83 and 0.66 under FGSM and PGD attacks, surpassing vanilla adversarial training and TRADES methods with improving the standard accuracy (AUC) on benign samples by 0.22 and 0.12 relatively. Our proposed method advances beyond current adversarial training techniques to significantly enhance the model’s resilience to adversarial attacks during edge-cloud data transmission phases and minimize the loss of standard accuracy simultaneously. This advancement is crucial in enhancing the capability to correctly detect a wider range of hazardous driving scenarios, thereby providing significant support for the secure deployment of autonomous vehicles in edge-cloud collaborative environments.

Natasha Kees,Yaxuan Wang,Yiling Jiang,Fang Lue,Patrick P. K. Chan

DOI: https://doi.org/10.1109/icmlc51923.2020.9469037

2020-01-01

Abstract:Backdoor attacks have become a serious security concern because of the rising popularity of unverified third party machine learning resources such as datasets, pretrained models, and processors. Pre-trained models and shared datasets have become popular due to the high training requirement of deep learning. This raises a serious security concern since the shared models and datasets may be modified intentionally in order to reduce system efficacy. A backdoor attack is difficult to detect since the embedded adversarial decision rule will only be triggered by a pre-chosen pattern, and the contaminated model behaves normally on benign samples. This paper devises a backdoor attack detection method to identify whether a sample is attacked for image-related applications. The information consistence provided by an image without each segment is considered. The absence of the segment containing a trigger strongly affects the consistence since the trigger dominates the decision. Our proposed method is evaluated empirically to confirm the effectiveness in various settings. As there is no restrictive assumption on the trigger of backdoor attacks, we expect our proposed model is generalizable and can defend against a wider range of modern attacks.