Zhe Zhao,Guangke Chen,Tong Liu,Taishan Li,Fu Song,Jingyi Wang,Jun Sun

DOI: https://doi.org/10.1145/3631977

IF: 3.685

2023-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:As a new programming paradigm, deep learning (DL) has achieved impressive performance in areas such as image processing and speech recognition, and has expanded its application to solve many real-world problems. However, neural networks and DL are normally black-box systems; even worse, DL-based software are vulnerable to threats from abnormal examples, such as adversarial and backdoored examples constructed by attackers with malicious intentions as well as unintentionally mislabeled samples. Therefore, it is important and urgent to detect such abnormal examples. Although various detection approaches have been proposed respectively addressing some specific types of abnormal examples, they suffer from some limitations; until today, this problem is still of considerable interest. In this work, we first propose a novel characterization to distinguish abnormal examples from normal ones based on the observation that abnormal examples have significantly different (adversarial) robustness from normal ones. We systemically analyze those three different types of abnormal samples in terms of robustness and find that they have different characteristics from normal ones. As robustness measurement is computationally expensive and hence can be challenging to scale to large networks, we then propose to effectively and efficiently measure robustness of an input sample using the cost of adversarially attacking the input, which was originally proposed to test robustness of neural networks against adversarial examples. Next, we propose a novel detection method, named attack as detection (A 2 D for short), which uses the cost of adversarially attacking an input instead of robustness to check if it is abnormal. Our detection method is generic, and various adversarial attack methods could be leveraged. Extensive experiments show that A 2 D is more effective than recent promising approaches that were proposed to detect only one specific type of abnormal examples. We also thoroughly discuss possible adaptive attack methods to our adversarial example detection method and show that A 2 D is still effective in defending carefully designed adaptive adversarial attack methods—for example, the attack success rate drops to 0% on CIFAR10.

Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Jiawei Zhao,Lizhe Xie,Yuning Zhang,Siqi Gu,Zheng Wang,Yining Hu

DOI: https://doi.org/10.2139/ssrn.4850545

2024-01-01

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. The existence of adversarial examples significantly hinders the development of deep learning technologies in domains with high-security requirements. However, current defense methods often lack universality, being effective only against specific adversarial attacks. This study focuses on analyzing adversarial examples through changes in model attention, classifying attack algorithms into attention-shifting and attention-attenuation categories. To counter attention-shifting attacks, a defense module named Feature Pyramid-based Attention Space-guided (FPAS) is proposed, which spatially retracts the shifting attention in adversarial examples, thereby enhancing the model's overall defense capability. Attention-based Non-Local (ANL) is a proposed defense module to counter attention-attenuation attacks. This module enhances the model's focus on critical features, efficiently constructing a robust defense model with low implementation cost and minimal intrusion into the original model. By integrating FPAS and ANL into the Wide-ResNet model within a boosting framework, the study demonstrates their synergistic defense capability. Even with eight adversarial samples embedded with adversarial patches, our FPAS_at and ANL_at models demonstrated significant improvements over the baseline, enhancing the average defense rate by 5.47% and 7.74%, respectively. Extensive experiments confirm that this universal defense strategy offers comprehensive protection against adversarial attacks at a lower implementation cost compared to current mainstream defense methods, while also being adaptable for integration with existing defense strategies to further enhance adversarial robustness.

Zhenqin Yin,Lingjian Ye,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2024.3431587

IF: 12.3

2024-01-01

IEEE Transactions on Industrial Informatics

Abstract:In recent years, more and more open environment have led to confidential links and data exposure, which seriously threatens the security of industrial systems. Adversarial attacks can easily fool machine learning models by adding tiny perturbations to input data. Industrial fault detection and classification (FDC) system is an indispensable part of ensuring production safety, but it is also not immune to the impact of adversarial risks. Once it is under attack, the disastrous consequences that may be caused to the industrial system are unimaginable. Adversarial training is among the most effective defense methods to protect those data-driven intelligent systems. This article studies a novel reweighted adversarial training approach called adversarial weight prediction networks. By assigning more appropriate weights to different data samples, we can make better use of the limited model capacity of the industrial FDC system. Particularly, predicting weights through a synchronized network overcomes the limitations of insufficient information and nontransferability of existing statistical methods. Performance evaluation on three industrial cases containing structured and image data shows the superior generalization and stability of our proposed method.

Han Qiu,Tian Dong,Tianwei Zhang,Jialiang Lu,Gerard Memmi,Meikang Qiu

DOI: https://doi.org/10.1109/jiot.2020.3048038

IF: 10.6

2021-07-01

IEEE Internet of Things Journal

Abstract:Deep learning (DL) has gained popularity in network intrusion detection, due to its strong capability of recognizing subtle differences between normal and malicious network activities. Although a variety of methods have been designed to leverage DL models for security protection, whether these systems are vulnerable to adversarial examples (AEs) is unknown. In this article, we design a novel adversarial attack against DL-based network intrusion detection systems (NIDSs) in the Internet-of-Things environment, with only black-box accesses to the DL model in such NIDS. We introduce two techniques: 1) model extraction is adopted to replicate the black-box model with a small amount of training data and 2) a saliency map is then used to disclose the impact of each packet attribute on the detection results, and the most critical features. This enables us to efficiently generate AEs using conventional methods. With these tehniques, we successfully compromise one state-of-the-art NIDS, Kitsune: the adversary only needs to modify less than 0.005% of bytes in the malicious packets to achieve an average 94.31% attack success rate.

computer science, information systems,telecommunications,engineering, electrical & electronic

Boyu Sun,Wenyuan Yang,Mengqi Yan,Yuesheng Zhu,Zhiqiang Bai

DOI: https://doi.org/10.1109/icccs55155.2022.9846237

2022-01-01

Abstract:Website Fingerprinting (WF) can be used by network eavesdroppers to infer information about the content of encrypted and anonymous connections. Several defenses leverage adversarial examples to mitigate the threat of WF attacks, but they require to get entire traffic traces after network sessions have concluded to produce adversarial examples, thus offer users little protection in practical settings. In this paper, a novel practical WF defense method called WF-UAP is proposed by crafting Universal Adversarial Perturbations (UAP) to fight back against WF attacks, in which adversarial examples are produced to fool the classifiers used in WF attacks when UAPs are added to any network traffic trace in the target domain. We further present a Generative Adversarial Network (GAN) based UAP generation approach to enhance the performance of UAPs. It can efficiently generate UAPs once the generator is trained and make the adversarial traces and original traffic traces are more difficult to distinguish. Our experimental results over a public dataset demonstrate that WF-UAP reduces the accuracy of the state-of-the-art WF attacks from 98% to 15% with at most 20% increased bandwidth overhead, which outperforms the previous defenses in terms of the defense performance and overhead.

Lijia Shi,Shihao Dong

2024-06-18

Abstract:The challenge of WAD (web attack detection) is growing as hackers continuously refine their methods to evade traditional detection. Deep learning models excel in handling complex unknown attacks due to their strong generalization and adaptability. However, they are vulnerable to backdoor attacks, where contextually irrelevant fragments are inserted into requests, compromising model stability. While backdoor attacks are well studied in image recognition, they are largely unexplored in WAD. This paper introduces backdoor attacks in WAD, proposing five methods and corresponding defenses. Testing on textCNN, biLSTM, and tinybert models shows an attack success rate over 87%, reducible through fine-tuning. Future research should focus on backdoor defenses in WAD. All the code and data of this paper can be obtained at https://anonymous.4open.science/r/attackDefenceinDL-7E05

Machine Learning,Cryptography and Security

Haoyu Yin,Yingjian Liu,Zhongwen Guo,Yu Wang

DOI: https://doi.org/10.26599/tst.2024.9010073

2024-12-11

Tsinghua Science & Technology

Abstract:Recent advancements in deep learning (DL) have introduced new security challenges in the form of side-channel attacks. A prime example is the website fingerprinting attack (WFA), which targets anonymity networks like Tor, enabling attackers to unveil users' protected browsing activities from traffic data. While state-of-the-art WFAs have achieved remarkable results, they often rely on unrealistic single-website assumptions. In this paper, we undertake an exhaustive exploration of multi-tab website fingerprinting attacks (MTWFAs) in more realistic scenarios. We delve into MTWFAs and introduce MTWFA-SEG, a task involving the fine-grained packet-level classification within multi-tab Tor traffic. By employing deep learning models, we reveal their potential to threaten user privacy by discerning visited websites and browsing session timing. We design an improved fully convolutional model for MTWFA-SEG, which are enhanced by both network architecture advances and traffic data instincts. In the evaluations on interlocking browsing datasets, the proposed models achieve remarkable accuracy rates of over 68.6%, 71.8%, and 76.1% in closed, imbalanced open, and balanced open-world settings, respectively. Furthermore, the proposed models exhibit substantial robustness across diverse train-test settings. We further validate our designs in a coarse-grained task, MTWFA-MultiLabel, where they not only achieve state-of-the-art performance but also demonstrate high robustness in challenging situations.

computer science, information systems,engineering, electrical & electronic, software engineering

Shawn Shan,Arjun Nitin Bhagoji,Haitao Zheng,Ben Y. Zhao

DOI: https://doi.org/10.48550/arXiv.2102.04291

2021-02-08

Abstract:Anonymity systems like Tor are vulnerable to Website Fingerprinting (WF) attacks, where a local passive eavesdropper infers the victim's activity. Current WF attacks based on deep learning classifiers have successfully overcome numerous proposed defenses. While recent defenses leveraging adversarial examples offer promise, these adversarial examples can only be computed after the network session has concluded, thus offer users little protection in practical settings. We propose Dolos, a system that modifies user network traffic in real time to successfully evade WF attacks. Dolos injects dummy packets into traffic traces by computing input-agnostic adversarial patches that disrupt deep learning classifiers used in WF attacks. Patches are then applied to alter and protect user traffic in real time. Importantly, these patches are parameterized by a user-side secret, ensuring that attackers cannot use adversarial training to defeat Dolos. We experimentally demonstrate that Dolos provides 94+% protection against state-of-the-art WF attacks under a variety of settings. Against prior defenses, Dolos outperforms in terms of higher protection performance and lower information leakage and bandwidth overhead. Finally, we show that Dolos is robust against a variety of adaptive countermeasures to detect or disrupt the defense.

Cryptography and Security

Litao Qiao,Bang Wu,Shuijun Yin,Heng Li,Wei Yuan,Xiapu Luo

DOI: https://doi.org/10.1109/tifs.2023.3304528

IF: 7.231

2023-09-06

IEEE Transactions on Information Forensics and Security

Abstract:Deep neural network (DNN) based website fingerprinting (WF) attacks pose a severe threat to the privacy of Tor users. To overcome this challenge, adversarial perturbation based WF defenses have been recently proposed to fool the classifiers of attackers, through purposefully perturbing the user's traffic traces. Unfortunately, these defenses significantly deteriorate once the WF attacks are enhanced with adversarial training (AT). AT endows the WF attacks with more powerful website recognition capability, through learning the perturbed traffic traces generated by attackers. To resist the WF attacks enhanced by AT, we develop a black-box WF defense, called Acup3. First, Acup3 leverages many-to- one website imitation to make the traffic traces associated with different websites look more like each other, increasing the difficulty of website classification. Second, Acup3 generates trace-agnostic perturbations without accessing traffic traces, making it suitable for practical deployment. Third, Acup3 employs perturbation variation to diversify the traffic traces of different users visiting the same website, making the knowledge learnt from AT less helpful for WF attacks. Therefore, Acup3 is more robust against AT. Experiments demonstrate Acup3 markedly surpasses four representative WF defenses (e.g., Mockingbird and AWA) in defense capability and bandwidth overhead. Facing the state-of-the-art (SOTA) attack Var-CNN enhanced with AT, Acup3 depresses its attack success rate (ASR) from 98% to 24.29% with only 13.95% bandwidth overhead. Compared to the SOTA defense AWA, Acup3 causes a 24.5% larger decrement in ASR of WF attacks, and achieves a more than 100 times faster speed of perturbation generation.

computer science, theory & methods,engineering, electrical & electronic

Mohammad Saidur Rahman,Mohsen Imani,Nate Mathews,Matthew Wright

DOI: https://doi.org/10.48550/arXiv.1902.06626

2020-10-29

Abstract:Website Fingerprinting (WF) is a type of traffic analysis attack that enables a local passive eavesdropper to infer the victim's activity, even when the traffic is protected by a VPN or an anonymity system like Tor. Leveraging a deep-learning classifier, a WF attacker can gain over 98% accuracy on Tor traffic. In this paper, we explore a novel defense, Mockingbird, based on the idea of adversarial examples that have been shown to undermine machine-learning classifiers in other domains. Since the attacker gets to design and train his attack classifier based on the defense, we first demonstrate that at a straightforward technique for generating adversarial-example based traces fails to protect against an attacker using adversarial training for robust classification. We then propose Mockingbird, a technique for generating traces that resists adversarial training by moving randomly in the space of viable traces and not following more predictable gradients. The technique drops the accuracy of the state-of-the-art attack hardened with adversarial training from 98% to 42-58% while incurring only 58% bandwidth overhead. The attack accuracy is generally lower than state-of-the-art defenses, and much lower when considering Top-2 accuracy, while incurring lower bandwidth overheads.

Cryptography and Security,Machine Learning

Xinyu Gong,Huidi Zhu,Ruofan Deng,Fu Wang,Jialiang Lu

DOI: https://doi.org/10.1109/smartcloud.2019.00048

2019-01-01

Abstract:Deep learning (DL) techniques have provided state-of-the-art results for many machine learning tasks. In response to the increasing demand for web security, many researchers have been focusing on applying DL to detect web attacks. However, these works just pay attention to the detection accuracy, not the robustness of the detection model itself. In this paper, we proved that it is possible to generate adversarial web requests by modifying only a few characters of them, which can lead the existing DL based model to wrong predictions. The attackers may take this vulnerability to trigger false positive alarms or even disable the whole detection model. As the defensive measure, we propose to use a combined method of kernel density estimation and model uncertainty estimation to detect these adversaries. Through experiment, we report a ROC-AUC of over 95% of detecting these adversarial web requests.

Chaoyun Zhang,Paul Patras,Xavier Costa-Perez

DOI: https://doi.org/10.1109/tnet.2021.3137084

2022-01-01

IEEE/ACM Transactions on Networking

Abstract:Neural networks (NNs) are increasingly popular in developing NIDS, yet can prove vulnerable to adversarial examples. Through these, attackers that may be oblivious to the precise mechanics of the targeted NIDS add subtle perturbations to malicious traffic features, with the aim of evading detection and disrupting critical systems. Defending against such adversarial attacks is of high importance, but requires to address daunting challenges. Here, we introduce TIKI- TAKA, a general framework for (i) assessing the robustness of state-of-the-art deep learning-based NIDS against adversarial manipulations, and which (ii) incorporates defense mechanisms that we propose to increase resistance to attacks employing such evasion techniques. Specifically, we select five cutting-edge adversarial attack types to subvert three popular malicious traffic detectors that employ NNs. We experiment with publicly available datasets and consider both one-to-all and one-to-one classification scenarios, i.e., discriminating illicit vs benign traffic and respectively identifying specific types of anomalous traffic among many observed. The results obtained reveal that attackers can evade NIDS with up to 35.7% success rates, by only altering time-based features of the traffic generated. To counteract these weaknesses, we propose three defense mechanisms: model voting ensembling, ensembling adversarial training, and query detection. We demonstrate that these methods can restore intrusion detection rates to nearly 100% against most types of malicious traffic, and attacks with potentially catastrophic consequences (e.g., botnet) can be thwarted. This confirms the effectiveness of our solutions and makes the case for their adoption when designing robust and reliable deep anomaly detectors.

Jiahui Chen,Yi Zhao,Qi Li,Xuewei Feng,Ke Xu

DOI: https://doi.org/10.1109/tifs.2023.3297369

IF: 7.231

2023-08-05

IEEE Transactions on Information Forensics and Security

Abstract:Deep learning (DL) methods have been widely applied to anomaly-based network intrusion detection system (NIDS) to detect malicious traffic. To expand the usage scenarios of DL-based methods, federated learning (FL) allows multiple users to train a global model on the basis of respecting individual data privacy. However, it has not yet been systematically evaluated how robust FL-based NIDSs are against existing privacy attacks under existing defenses. To address this issue, we propose two privacy evaluation metrics designed for FL-based NIDSs, including (1) privacy score that evaluates the similarity between the original and recovered traffic features using reconstruction attacks, and (2) evasion rate against NIDSs using adversarial attack with the recovered traffic. We conduct experiments to illustrate that existing defenses provide little protection and the corresponding adversarial traffic can even evade the SOTA NIDS Kitsune. To defend against such attacks and build a more robust FL-based NIDS, we further propose FedDef, a novel optimization-based input perturbation defense strategy with theoretical guarantee. It achieves both high utility by minimizing the gradient distance and strong privacy protection by maximizing the input distance. We experimentally evaluate four existing defenses on four datasets and show that our defense outperforms all the baselines in terms of privacy protection with up to 7 times higher privacy score, while maintaining model accuracy loss within 3% under optimal parameter combination.

computer science, theory & methods,engineering, electrical & electronic

Xiaoyong Yuan,Pan He,Qile Zhu,Xiaolin Li

DOI: https://doi.org/10.1109/tnnls.2018.2886017

IF: 14.255

2019-09-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks (DNNs) have been recently found vulnerable to well-designed input samples called adversarial examples. Adversarial perturbations are imperceptible to human but can easily fool DNNs in the testing/deploying stage. The vulnerability to adversarial examples becomes one of the major risks for applying DNNs in safety-critical environments. Therefore, attacks and defenses on adversarial examples draw great attention. In this paper, we review recent findings on adversarial examples for DNNs, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Shanjun Xu,Linghui Li,Kaiguo Yuan,Bingyu Li

2024-11-11

Abstract:Deep neural networks can be vulnerable to adversarially crafted examples, presenting significant risks to practical applications. A prevalent approach for adversarial attacks relies on the transferability of adversarial examples, which are generated from a substitute model and leveraged to attack unknown black-box models. Despite various proposals aimed at improving transferability, the success of these attacks in targeted black-box scenarios is often hindered by the tendency for adversarial examples to overfit to the surrogate models. In this paper, we introduce a novel framework based on Salient region & Weighted Feature Drop (SWFD) designed to enhance the targeted transferability of adversarial examples. Drawing from the observation that examples with higher transferability exhibit smoother distributions in the deep-layer outputs, we propose the weighted feature drop mechanism to modulate activation values according to weights scaled by norm distribution, effectively addressing the overfitting issue when generating adversarial examples. Additionally, by leveraging salient region within the image to construct auxiliary images, our method enables the adversarial example's features to be transferred to the target category in a model-agnostic manner, thereby enhancing the transferability. Comprehensive experiments confirm that our approach outperforms state-of-the-art methods across diverse configurations. On average, the proposed SWFD raises the attack success rate for normally trained models and robust models by 16.31% and 7.06% respectively.

Information Retrieval

Wang Weidong,Li Zhi,Liu Shuaiwei,Zhang Li,Yang Jin,Wang Yi

DOI: https://doi.org/10.1016/j.imavis.2024.104931

IF: 3.86

2024-02-20

Image and Vision Computing

Abstract:Recently, it was found that deep neural networks (DNNs) are susceptible to adversarial input perturbations. Most defense strategies adopt the denoising method based on preprocessing, which mitigates the impacts of adversarial perturbations on DNNs by learning the distributions of nonadversarial datasets and projecting adversarial inputs into the learned nonadversarial manifolds. However, existing defense strategies commonly focus on reconstructing clean images while ignoring the role of adversarial perturbations, which results in the reconstructed images failing to achieve the visual quality and classification accuracy of the original clean images, and the induced adversarial robustness improvement is limited. This paper proposes a feature decoupling-interaction network (FDIN), which introduces the concepts of clean features and adversarial features to separate the two kinds of features from the input adversarial examples (AEs) in a feature decoupling-interaction manner. The clean features are used to reconstruct the input image so that it is infinitely close to the original clean image, and the adversarial features are used to reconstruct the adversarial perturbations. Adversarial perturbations are removed from the adversarial examples across multiple cross cycles to improve further the reconstructed image's visual quality and classification accuracy. The features of the original clean image are used as prior knowledge to guide the network to learn the clean features of the adversarial examples and improve the classification accuracy of the model on the clean examples. In addition, a classification loss function based on the Carlini & Wagner (CW) attack algorithm is used instead of the conventional cross-entropy loss function to improve the adversarial robustness of the FDIN. The experimental results show that the proposed method achieves better defense performance than the current state-of-the-art methods on both standard tests and various attack tests and even exceeds the test accuracy of the target classifier on the original test set.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, software engineering,optics

Mohammed Nasser Al-Andoli,Shing Chiang Tan,Kok Swee Sim,Pey Yun Goh,Chee Peng Lim

DOI: https://doi.org/10.1109/access.2024.3354699

IF: 3.9

2024-02-07

IEEE Access

Abstract:Deep learning (DL) has demonstrated remarkable achievements in various fields. Nevertheless, DL models encounter significant challenges in detecting and defending against adversarial samples (AEs). These AEs are meticulously crafted by adversaries, introducing imperceptible perturbations to clean data to deceive DL models. Consequently, AEs pose potential risks to DL applications. In this paper, we propose an effective framework for enhancing the robustness of DL models against adversarial attacks. The framework leverages convolutional neural networks (CNNs) for feature learning, Deep Neural Networks (DNNs) with softmax for classification, and a defense mechanism to identify and exclude AEs. Evasion attacks are employed to create AEs to evade and mislead the classifier by generating malicious samples during the test phase of DL models i.e., CNN and DNN, using the Fast Gradient Sign Method (FGSM), Basic Iterative Method (BIM), Projected Gradient Descent (PGD), and Square Attack (SA). A protection layer is developed as a detection mechanism placed before the DNN classifier to identify and exclude AEs. The detection mechanism incorporates a machine learning model, which includes one of the following: Fuzzy ARTMAP, Random Forest, K-Nearest Neighbors, XGBoost, or Gradient Boosting Machine. Extensive evaluations are conducted on the MNIST, CIFAR-10, SVHN, and Fashion-MNIST data sets to assess the effectiveness of the proposed framework. The experimental results indicate the framework's ability to effectively and accurately detect AEs generated by four popular attacking methods, highlighting the potential of our developed framework in enhancing its robustness against AEs.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yaoyao Zhong,Weihong Deng

DOI: https://doi.org/10.1109/tifs.2020.3036801

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Face recognition has achieved great success in the last five years due to the development of deep learning methods. However, deep convolutional neural networks (DCNNs) have been found to be vulnerable to adversarial examples. In particular, the existence of transferable adversarial examples can severely hinder the robustness of DCNNs since this type of attacks can be applied in a fully black-box manner without queries on the target system. In this work, we first investigate the characteristics of transferable adversarial attacks in face recognition by showing the superiority of feature-level methods over label-level methods. Then, to further improve transferability of feature-level adversarial examples, we propose DFANet, a dropout-based method used in convolutional layers, which can increase the diversity of surrogate models and obtain ensemble-like effects. Extensive experiments on state-of-the-art face models with various training databases, loss functions and network architectures show that the proposed method can significantly enhance the transferability of existing attack methods. Finally, by applying DFANet to the LFW database, we generate a new set of adversarial face pairs that can successfully attack four commercial APIs without any queries. This TALFW database is available to facilitate research on the robustness and defense of deep face recognition.

computer science, theory & methods,engineering, electrical & electronic

Yanbin Wang,Haitao Xu,Zhenhao Guo,Zhan Qin,Kui Ren

DOI: https://doi.org/10.1109/TIFS.2022.3158086

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The website fingerprinting (WF) attack enables a local eavesdropper to identify which website a client is visiting under encrypted network connections. By leveraging deep neural networks, the state-of-the-art WF attacks achieve high accuracy in classic experimental scenes. However, due to the high variance of neural networks, those attacks are sensitive to the specific information in the data and would result in less-than-ideal performance on data outside the training set or on data that is impacted by the effect of concept drift. In this paper, we present snWF, a novelWF attack, which leverages an out-of-the ordinary ensemble to reduce the variance of neural networks and improve the robustness of the attack. In a large open-world setting with 400,000 websites, snWF manages to determine whether a user is visiting a monitored website, with a true positive rate of 98.1% and a false positive rate of 5.7%. We also evaluated snWF in a more realistic attack scenario, termed as <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">wide-world</i> , to examine whether snWF can correctly classify websites that even an adversary has not seen before, and we found that snWF achieves a higher classification accuracy than the state-of-the-art attacks in this new setting. In addition, in the face of concept drift, snWF is found to be more resilient than any other attacks. Moreover, we are the first to reveal that under concept drift WF attacks suffer more severe performance degradation in a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">open-world</i> setting than in a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">closed-world</i> setting.