Xiangyin Kong,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2021.3093386

IF: 12.3

2021-01-01

IEEE Transactions on Industrial Informatics

Abstract:Neural-network-based soft sensors are widely employed in the industrial process. Such models have great significance to smart manufacturing. Considering the strict requirements of industrial production, it is vital to ensure the safety and robustness of these models in their actual deployment. However, recent research has shown that neural networks are quite vulnerable to adversarial attacks. By imposing tiny perturbation to the original sample, the fabricated adversarial sample can cheat these models to make wrong decisions. Such a phenomenon may bring serious trouble to the practical application of soft sensors. This article focuses on the adversarial attacks on industrial soft sensors. For the first time, we verify and analyze the effectiveness and deficiencies of the existing attack methods in the industrial soft sensor scenario. Based on solving these defects, this article proposes a novel perspective for attacking soft sensors. We analyze the optimization mechanism behind this new idea and then design two algorithms to perform attacks. The proposed methods more conform to the actual situation. Besides, compared with the existing approaches, the proposed methods have potentials to cause severer damages since their attacks are not only more concealed but also more likely to cheat the technicians to execute wrong operations. The research and analyses of the proposed methods lay a solid foundation for more thorough defenses against various attacks, which is quite necessary for making the deployed soft sensors more robust and secure.

Yifan Jia,Jingyi Wang,Christopher M. Poskitt,Sudipta Chattopadhyay,Jun Sun,Yuqi Chen

DOI: https://doi.org/10.1016/j.ijcip.2021.100452

IF: 3.683

2021-01-01

International Journal of Critical Infrastructure Protection

Abstract:The threats faced by cyber-physical systems (CPSs) in critical infrastructure have motivated research into a multitude of attack detection mechanisms, including anomaly detectors based on neural network models. The effectiveness of anomaly detectors can be assessed by subjecting them to test suites of attacks, but less consideration has been given to adversarial attackers that craft noise specifically designed to deceive them. While successfully applied in domains such as images and audio, adversarial attacks are much harder to implement in CPSs due to the presence of other built-in defence mechanisms such as rule checkers (or invariant checkers). In this work, we present an adversarial attack that simultaneously evades the anomaly detectors and rule checkers of a CPS. Inspired by existing gradient-based approaches, our adversarial attack crafts noise over the sensor and actuator values, then uses a genetic algorithm to optimise the latter, ensuring that the neural network and the rule checking system are both deceived. We implemented our approach for two real-world critical infrastructure testbeds, successfully reducing the classification accuracy of their detectors by over 50% on average, while simultaneously avoiding detection by rule checkers. Finally, we explore whether these attacks can be mitigated by training the detectors on adversarial samples.

Qianqian Song,Xiangwei Kong,Ziming Wang

DOI: https://doi.org/10.1007/978-3-030-93049-3_4

2021-01-01

Abstract:The accurate interpretation of neural network about how the network works is important. However, a manipulated explanation may have the potential to mislead human users not to trust a reliable network. Therefore, it is necessary to verify interpretation algorithms by designing effective attacks to simulate various possible threats in the real world. In this work, we mainly explore how to mislead interpretation. More specifically, we optimize the noise added to the input, which aims to highlight a certain area that we specify without changing the output category of network. With our proposed algorithm, we demonstrate that the state-of-the-art saliency maps based interpreters, e.g., Grad-CAM, Guided-Feature-Inversion, Grad-CAM++, Score-CAM and Full-Grad can be easily fooled. We propose two situations of fooling, Single-target attack and Multi-target attack, and show that the fooling can be transfered to different interpretation methods as well as generalized to the unseen samples with the universal noise. We also take image patches to fool Grad-CAM. Our results are proved in both qualitative and quantitative ways and we further propose a quantitative metric to measure the effectiveness of algorithm. We believe that our method can serve as an additional evaluation of robustness for future interpretation algorithms.

Yuzhe Gu,Na Jiang,Yanjiao Chen,Xueluan Gong

DOI: https://doi.org/10.1007/978-3-031-28990-3_16

2023-01-01

Abstract:Recently, the Internet of Things (IoT) technology has made tremendous progress, and it is beginning to enter many areas of social life, such as autonomous driving, medical care, etc. Due to the massive data in IoT, deep neural networks (DNN) are often involved in helping process and analyzing data, but DNNs still face many security threats. Adversarial example attack is a common attack against DNN models, which interferes with model decisions through processed samples. It will undoubtedly threaten DNN-based IoT systems. This paper presents the possible attack scenarios of adversarial example attacks in IoT systems and extensively studies the defense methods of adversarial example attacks in IoT systems.

Chen Yan,Hocheol Shin,Connor Bolton,Wenyuan Xu,Yongdae Kim,Kevin Fu

DOI: https://doi.org/10.1109/sp40000.2020.00026

2020-01-01

Abstract:Over the last six years, several papers demonstrated how intentional analog interference based on acoustics, RF, lasers, and other physical modalities could induce faults, influence, or even control the output of sensors. Damage to the availability and integrity of sensor output carries significant risks to safety-critical systems that make automated decisions based on trusted sensor measurement. Established signal processing models use transfer functions to express reliability and dependability characteristics of sensors, but existing models do not provide a deliberate way to express and capture security properties meaningfully. Our work begins to fill this gap by systematizing knowledge of analog attacks against sensor circuitry and defenses. Our primary contribution is a simple sensor security model such that sensor engineers can better express analog security properties of sensor circuitry without needing to learn significantly new notation. Our model introduces transfer functions and a vector of adversarial noise to represent adversarial capabilities at each stage of a sensor's signal conditioning chain. The primary goals of the systematization are (1) to enable more meaningful quantification of risk for the design and evaluation of past and future sensors, (2) to better predict new attack vectors, and (3) to establish defensive design patterns that make sensors more resistant to analog attacks.

Zhenqin Yin,Yue Zhuo,Zhiqiang Ge

DOI: https://doi.org/10.1016/j.ress.2023.109299

IF: 7.247

2023-01-01

Reliability Engineering & System Safety

Abstract:As indispensable parts of industrial production control, data-driven industrial intelligent systems (IIS) achieve efficient executions of significant tasks such as fault classification (FC), fault detection (FD), and soft sensing (SS). Recently, machine learning models have been proven vulnerable to adversarial attacks, where the transfer-based attacks provide highly feasible attacks on systems in real-world black-box scenarios. In this paper, to study the practical security risks of IIS, we investigate transferable adversarial attacks from: (1) showing the existence of transferable adversarial examples across different industrial tasks; (2) exploring factors (e.g., data feature, model structure, and attack method) affecting transferability under multi-scenarios; (3) proposing a new method to enhance the transferability; (4) providing guidelines on practical system deployments to defend against transferable adversarial threats. The attacks demonstrate generality on two types of datasets, Tennessee Eastman industrial process (TEP) and WM-811K wafer map dataset, and the experiment results show that: (1) transfer is asymmetric and complex models are relatively stable with low sample transferability; (2) iterative and single-step methods have opposite performance characteristics under the intra-and cross-task transfer; (3) overfitting of optimization methods leads to weak transferability; (4) smoothing gradients and widening intermediate layer perturbations are effective directions for improving transferability.

Xiaoyu Jiang,Xiangyin Kong,Junhua Zheng,Zhiqiang Ge,Xinmin Zhang,Zhihuan Song

DOI: https://doi.org/10.1109/tii.2024.3449999

IF: 12.3

2024-01-01

IEEE Transactions on Industrial Informatics

Abstract:In recent years, deep neural networks (DNNs) have been widely applied in fault classification tasks. Their adversarial security has received attention, but little consideration has been given to the robustness of adversarial attacks against imperfect DNNs. Owing to the data scarcity and quality deficiencies prevalent in industrial data, the performance of DNNs may be severely constrained. In addition, black-box attacks against industrial fault classification models have difficulty in obtaining sufficient and comprehensive data for constructing surrogate models with perfect decision boundaries. To address this gap, this article analyzes the outcomes of adversarial attacks on imperfect DNNs and categorizes their decision scenarios. Subsequently, building on this analysis, we propose a robust adversarial attack strategy that transforms traditional adversarial attacks into an iterative targeted attack (ITA). The ITA framework begins with an evaluation of DNNs, during which a classification confidence score (CCS) is designed. Using the CCS and the prediction probability of the data, the labels and sequences for targeted attacks are defined. The adversarial attacks are then carried out by iteratively selecting attack targets and using gradient optimization. Experimental results on both a benchmark dataset and an industrial case demonstrate the superiority of the proposed method.

Shizhong Li,Wenchao Meng,Chen Liu,Shibo He

DOI: https://doi.org/10.1109/jiot.2024.3451449

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Artificial neural networks (ANNs) have been widely used for tasks like electricity theft detection (ETD) in smart meters. However, due to the subtle mechanisms and inherent opaque characteristics, ANNs are vulnerable to attacks. Although this attack surface poses significant risks, it has been largely overlooked in industrial scenarios. To alert the widespread adoption of industrial intelligence, this paper studies the impact of backdoor attacks in ETD for the first time and proposes a feature attention distillation defense. First, the attack surface in current model training pipeline is analyzed, and the adversaries can embed malicious backdoors for specific triggers to escape ETD. Then, six prevalent ANN-based models are tested and the adversaries can bypass the backdoored ETD models with success rates over 90.53%, which would inevitably bring huge losses to electricity companies. We further argue that the electricity companies can mitigate such attacks when noticing the abnormal non-technical loss. A novel feature attention distillation defense that aligns the intermediate feature maps between fine-tuned models and backdoored models is proposed, which can eliminate backdoors more efficiently with few resources compared with two classic defenses. The average attack success rate can drop by 90.71% with slight impacts on ETD performance. This work sheds light on a novel but perilous attack surface, and raises a warning for the wide adoption of artificial intelligence in smart measurement scenarios.

Yue Zhuo,Yuri A. W. Shardt,Zhiqiang Ge

DOI: https://doi.org/10.1016/j.eng.2021.07.033

IF: 12.834

2022-01-01

Engineering

Abstract:Recently developed fault classification methods for industrial processes are mainly data-driven. Notably, models based on deep neural networks have significantly improved fault classification accuracy owing to the inclusion of a large number of data patterns. However, these data-driven models are vulnerable to adversarial attacks; thus, small perturbations on the samples can cause the models to provide incorrect fault predictions. Several recent studies have demonstrated the vulnerability of machine learning methods and the existence of adversarial samples. This paper proposes a black-box attack method with an extreme constraint for a safe-critical industrial fault classification system: Only one variable can be perturbed to craft adversarial samples. Moreover, to hide the adversarial samples in the visualization space, a Jacobian matrix is used to guide the perturbed variable selection, making the adversarial samples in the dimensional reduction space invisible to the human eye. Using the one-variable attack (OVA) method, we explore the vulnerability of industrial variables and fault types, which can help understand the geometric characteristics of fault classification systems. Based on the attack method, a corresponding adversarial training defense method is also proposed, which efficiently defends against an OVA and improves the prediction accuracy of the classifiers. In experiments, the proposed method was tested on two datasets from the Tennessee–Eastman process (TEP) and steel plates (SP). We explore the vulnerability and correlation within variables and faults and verify the effectiveness of OVAs and defenses for various classifiers and datasets. For industrial fault classification systems, the attack success rate of our method is close to (on TEP) or even higher than (on SP) the current most effective first-order white-box attack method, which requires perturbation of all variables.

Xiaoyu Jiang,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2021.3104056

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Data-driven artificial intelligence (AI) models have been widely used in industrial systems helping big data analytic due to its convenience and flexibility. However, adversarial attacks have the ability to mislead AI models to make incorrect predictions just by adding specific perturbation to actual samples. With the high integration of industrial systems and information technology, the reliability and safety of AI models in industrial systems have been seriously threatened. In the article, fault diagnosis models and soft sensing models rely on AI technology are verified to be vulnerable facing adversarial attack. To this end, the concept of information fingerprint for industrial data is introduced to distinguish actual samples from adversarial samples with small perturbation. With fault diagnosis models and soft sensing models as the background, information fingerprint exaction networks based on deep learning is developed to extract the information fingerprint for further analysis. It utilizes supervised contrastive pretraining and unsupervised training to realize parameter learning for the structure of siamese neural network and autoencoder. Finally, the effectiveness and feasibility of the proposed information fingerprint for adversarial sample detection are verified in two industrial benchmark cases.

Felix Specht,Jens Otto

DOI: https://doi.org/10.1007/978-3-662-62746-4_11

2020-12-24

Abstract:Abstract Condition monitoring systems based on deep neural networks are used for system failure detection in cyber-physical production systems. However, deep neural networks are vulnerable to attacks with adversarial examples. Adversarial examples are manipulated inputs, e.g. sensor signals, are able to mislead a deep neural network into misclassification. A consequence of such an attack may be the manipulation of the physical production process of a cyber-physical production system without being recognized by the condition monitoring system. This can result in a serious threat for production systems and employees. This work introduces an approach named CyberProtect to prevent misclassification caused by adversarial example attacks. The approach generates adversarial examples for retraining a deep neural network which results in a hardened variant of the deep neural network. The hardened deep neural network sustains a significant better classification rate (82% compared to 20%) while under attack with adversarial examples, as shown by empirical results.

Bo Luo,Yannan Liu,Lingxiao Wei,Qiang Xu

DOI: https://doi.org/10.1609/aaai.v32i1.11499

2018-04-25

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Machine learning systems based on deep neural networks, being able to produce state-of-the-art results on various perception tasks, have gained mainstream adoption in many applications. However, they are shown to be vulnerable to adversarial example attack, which generates malicious output by adding slight perturbations to the input. Previous adversarial example crafting methods, however, use simple metrics to evaluate the distances between the original examples and the adversarial ones, which could be easily detected by human eyes. In addition, these attacks are often not robust due to the inevitable noises and deviation in the physical world. In this work, we present a new adversarial example attack crafting method, which takes the human perceptual system into consideration and maximizes the noise tolerance of the crafted adversarial example. Experimental results demonstrate the efficacy of the proposed technique.

Nicholas Carlini,D. Wagner

DOI: https://doi.org/10.1109/SP.2017.49

2016-08-16

Abstract:Neural networks provide state-of-the-art results for most machine learning tasks. Unfortunately, neural networks are vulnerable to adversarial examples: given an input x and any target classification t, it is possible to find a new input x' that is similar to x but classified as t. This makes it difficult to apply neural networks in security-critical areas. Defensive distillation is a recently proposed approach that can take an arbitrary neural network, and increase its robustness, reducing the success rate of current attacks' ability to find adversarial examples from 95% to 0.5%.In this paper, we demonstrate that defensive distillation does not significantly increase the robustness of neural networks by introducing three new attack algorithms that are successful on both distilled and undistilled neural networks with 100% probability. Our attacks are tailored to three distance metrics used previously in the literature, and when compared to previous adversarial example generation algorithms, our attacks are often much more effective (and never worse). Furthermore, we propose using high-confidence adversarial examples in a simple transferability test we show can also be used to break defensive distillation. We hope our attacks will be used as a benchmark in future defense attempts to create neural networks that resist adversarial examples.

Computer Science

Ruoxi Chen,Haibo Jin,Jinyin Chen,Haibin Zheng,Yue Yu,Shouling Ji

2021-01-01

Abstract:Although deep learning models have achieved unprecedented success, their vulnerabilities towards adversarial attacks have attracted increasing attention, especially when deployed in security-critical domains. To address the challenge, numerous defense strategies, including reactive and proactive ones, have been proposed for robustness improvement. From the perspective of image feature space, some of them cannot reach satisfying results due to the shift of features. Besides, features learned by models are not directly related to classification results. Different from them, We consider defense method essentially from model inside and investigated the neuron behaviors before and after attacks. We observed that attacks mislead the model by dramatically changing the neurons that contribute most and least to the correct label. Motivated by it, we introduce the concept of neuron influence and further divide neurons into front, middle and tail part. Based on it, we propose neuron-level inverse perturbation(NIP), the first neuron-level reactive defense method against adversarial attacks. By strengthening front neurons and weakening those in the tail part, NIP can eliminate nearly all adversarial perturbations while still maintaining high benign accuracy. Besides, it can cope with different sizes of perturbations via adaptivity, especially larger ones. Comprehensive experiments conducted on three datasets and six models show that NIP outperforms the state-of-the-art baselines against eleven adversarial attacks. We further provide interpretable proofs via neuron activation and visualization for better understanding. Impact Statement—Deep learning has attracted tremendous attentions in many fields but some studies have proved that they are vulnerable to adversarial attacks. Meanwhile, defense methods against them are developed as well. Some solutions via simple image transformations are easy to implement but may be compromised in the event of larger perturbations. Methods based on feature space are recently proposed, by projecting or mappings the distribution of adversarial examples back to that of benign examples. But they may fail due to the shift of feature during operations on adversarial examples. Besides, feature distribution doesn’t directly relate to classifications. We propose NIP, a neuron-level defense against generic adversarial attack, which This research was supported by the National Natural Science Foundation of China under Grant No. 62072406, the Natural Science Foundation of Zhejiang Provincial under Grant No. LY19F020025. R. Chen is with the College of Information Engineering at Zhejiang University of Technology, Hangzhou 310007, China. (e-mail: 2112003149@zjut.edu.cn). H. Jin is with the College of Information Engineering at Zhejiang University of Technology, Hangzhou 310007, China. (e-mail: 2112003035@zjut.edu.cn). J. Chen is with the Institute of Cyberspace Security, College of Information Engineering, Zhejiang University of Technology, Hangzhou, 310023, China. (e-mail: chenjinyin@zjut.edu.cn) H. Zheng is with the College of Information Engineering at Zhejiang University of Technology, Hangzhou 310007, China. (e-mail: haibinzheng320@gmail.com). Y. Yue is with the Key Laboratory of Parallel and Distributed Computing, College of Computer, National University of Defense Technology, Changsha, 410000, China. (email: yuyue@nudt.edu.cn) S. Ji is with the College of Computer Science and Technology at Zhejiang University, Hangzhou 310007, China. (e-mail: sji@zju.edu.cn) bridge the neuron behaviors and correct classifications, from the perspective of model inside. By suppressing neurons exploited by attacks and enhancing class-relevant ones, it provides an attackagnostic, input-aware and more fine-grained solution for defense.

Feixia Min,Xiaofeng Qiu,Fan Wu

DOI: https://doi.org/10.1109/bigcom.2018.00021

2018-01-01

Abstract:Deep learning is playing a more and more important role in our daily life and scientific research such as autonomous systems, intelligent life and data mining. However, numerous studies have showed that deep learning with superior performance on many tasks may suffer from subtle perturbations constructed by attacker purposely, called adversarial perturbations, which are imperceptible to human observers but completely effect deep neural network models. The emergence of adversarial attacks has led to questions about neural networks. Therefore, machine learning security and privacy are becoming an increasingly active research area. In this paper, we summarize the prevalent methods for the generating adversarial attacks according to three groups. We elaborated on their ideas and principles of generation. We further analyze the common limitations of these methods and implement statistical experiments of the last layer output on CleverHans to reveal that the detection of adversarial samples is not as difficult as it seems and can be achieved in some relatively simple manners.

Ship Peng Xu,Ke Wang,Mohammad Mehedi Hassan,Chien-Ming Chen,Md. Rafiul Hassan

DOI: https://doi.org/10.1109/tii.2022.3177442

IF: 12.3

2022-11-13

IEEE Transactions on Industrial Informatics

Abstract:In this article, we propose and analyze a group of adversarial backdoor attack methods on neural-architecture-search (NAS) enabled edge AI systems in industrial Internet of Things (IIoT) domain. NAS is a new popular way to generate scale-adaptive deep neural networks which can meet the respective requirements of cloud, edge, and terminal AI computing in IIoT domain. However, since most users in NAS-enabled edge side are not the generators of AI models, the deployed edge AI models may have some vulnerabilities such as backdoors. These might pose serious security issues in IIoT. We propose some effective policies to attack such edge AI systems and provide advice about how to defend them. The most significant attack through third-party pretrained NAS in IIoT may occur by backdoor attacks while the third party might introduce vulnerability in the training dataset. The article designs backdoor attack processes to NAS-enabled edge devices to identify NAS's vulnerability to adversarial trojaning attacks and interpret the backdoor attacks. It shows that the existence of high impact nodes greatly weakens the robustness of the network. A malicious attacker can quickly paralyze the network by only selecting a few high impact nodes. Finally, it provides advice and possible solution on defending the adversarial backdoor attacks to NAS.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Jiming Chen,Xiangshan Gao,Ruilong Deng,Yang He,Chongrong Fang,Peng Cheng

DOI: https://doi.org/10.1109/tdsc.2020.3037500

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Deploying machine learning (ML)-based intrusion detection systems (IDS) is an effective way to improve the security of industrial control systems (ICS). However, ML models themselves are vulnerable to adversarial examples, generated by deliberately adding subtle perturbation to the input sample that some people are not aware of, causing the model to give a false output with high confidence. In this article, our goal is to investigate the possibility of stealthy cyber attacks towards IDS, including injection attack, function code attack and reconnaissance attack, and enhance its robustness to adversarial attack. However, adversarial algorithms are subject to communication protocol and legal range of data in ICS, unlike only limited by the distance between original samples and newly generated samples in image domain. We propose two strategies - optimal solution attack and GAN attack - oriented to flexibility and volume of data, formulating an optimization problem to find stealthy attacks, where the former is appropriate for not too large and more flexible samples while the latter provides a more efficient solution for larger and not too flexible samples. Finally, we conduct experiments on a semi-physical ICS testbed with a high detection performance ensemble ML-based detector to show the effectiveness of our attacks. The results indicate that new samples of reconnaissance and function code attack produced by both optimal solution and GAN algorithm possess 80 percent higher probability to evade the detector, still maintaining the same attack effect. In the meantime, we adopt adversarial training as a method to defend against adversarial attack. After training on the mixture of orginal dataset and newly generated samples, the detector becomes more robust to adversarial examples.

Mark Huasong Meng,Guangdong Bai,Sin Gee Teo,Zhe Hou,Yan Xiao,Yun Lin,Jin Song Dong

DOI: https://doi.org/10.1109/tdsc.2022.3179131

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Neural networks have been widely applied in security applications such as spam and phishing detection, intrusion prevention, and malware detection. This black-box method, however, often has uncertainty and poor explainability in applications. Furthermore, neural networks themselves are often vulnerable to adversarial attacks. For those reasons, there is a high demand for trustworthy and rigorous methods to verify the robustness of neural network models. Adversarial robustness, which concerns the reliability of a neural network when dealing with maliciously manipulated inputs, is one of the hottest topics in security and machine learning. In this work, we survey existing literature in adversarial robustness verification for neural networks and collect 39 diversified research works across machine learning, security, and software engineering domains. We systematically analyze their approaches, including how robustness is formulated, what verification techniques are used, and the strengths and limitations of each technique. We provide a taxonomy from a formal verification perspective for a comprehensive understanding of this topic. We classify the existing techniques based on property specification, problem reduction, and reasoning strategies. We also demonstrate representative techniques that have been applied in existing studies with a sample model. Finally, we discuss open questions for future research.

Han Qiu,Tian Dong,Tianwei Zhang,Jialiang Lu,Gerard Memmi,Meikang Qiu

DOI: https://doi.org/10.1109/jiot.2020.3048038

IF: 10.6

2021-07-01

IEEE Internet of Things Journal

Abstract:Deep learning (DL) has gained popularity in network intrusion detection, due to its strong capability of recognizing subtle differences between normal and malicious network activities. Although a variety of methods have been designed to leverage DL models for security protection, whether these systems are vulnerable to adversarial examples (AEs) is unknown. In this article, we design a novel adversarial attack against DL-based network intrusion detection systems (NIDSs) in the Internet-of-Things environment, with only black-box accesses to the DL model in such NIDS. We introduce two techniques: 1) model extraction is adopted to replicate the black-box model with a small amount of training data and 2) a saliency map is then used to disclose the impact of each packet attribute on the detection results, and the most critical features. This enables us to efficiently generate AEs using conventional methods. With these tehniques, we successfully compromise one state-of-the-art NIDS, Kitsune: the adversary only needs to modify less than 0.005% of bytes in the malicious packets to achieve an average 94.31% attack success rate.

computer science, information systems,telecommunications,engineering, electrical & electronic

Pengfei Qiu,Qian Wang,Dongsheng Wang,Yongqiang Lyu,Zhaojun Lu,Gang Qu

DOI: https://doi.org/10.1109/ASP-DAC47756.2020.9045107

2020-01-01

Abstract:Typical Deep Neural Networks (DNN) are susceptible to adversarial attacks that add malicious perturbations to input to mislead the DNN model. Most of the state-of-theart countermeasures concentrate on the defensive distillation or parameter re-training, which require prior knowledge of the target DNN and/or the attacking methods and hence greatly limit their generality and usability. In this paper, we propose to defend against adversarial attacks by utilizing the input deformation and augmentation techniques that are currently widely utilized to enlarge the dataset during DNN's training phase. This is based on the observation that certain input deformation and augmentation methods will have little or no impact on DNN model's accuracy, but the adversarial attacks will fail when the maliciously induced perturbations are randomly deformed. We also use the ensemble of decisions to further improve DNN model's accuracy and the effectiveness of defending various attacks. Our proposed mitigation method is model independent (i.e. it does not require additional training, parameter finetuning, or any structure modifications of the target DNN model) and attack independent (i.e., it does not require any knowledge of the adversarial attacks). So it has excellent generality and usability. We conduct experiments on standard CIFAR-10 dataset and three representative adversarial attacks: Fast Gradient Sign Method, Carlini and Wagner, and Jacobian-based Saliency Map Attack. Results show that the average success rate of the attacks can be reduced from 96.5% to 28.7% while the DNN model accuracy is improved by about 2%.