Chaowei Xiao,Bo Li,Jun-yan Zhu,Warren He,Mingyan Liu,Dawn Song

DOI: https://doi.org/10.24963/ijcai.2018/543

2018-07-01

Abstract:Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Haibo Chen,Lei Zhao,Lihong Qiu,Zhizhong Wang,Huiming Zhang,Wei Xing,Dongming Lu

DOI: https://doi.org/10.1049/iet-cvi.2020.0014

IF: 1.484

2020-01-01

IET Computer Vision

Abstract:Existing style transfer methods have achieved great success in artwork generation by transferring artistic styles onto everyday photographs while keeping their contents unchanged. Despite this success, these methods have one inherent limitation: they cannot produce newly created image contents, lacking creativity and flexibility. On the other hand, generative adversarial networks (GANs) can synthesise images with new content, whereas cannot specify the artistic style of these images. The authors consider combining style transfer with convolutional GANs to generate more creative and diverse artworks. Instead of simply concatenating these two networks: the first for synthesising new content and the second for transferring artistic styles, which is inefficient and inconvenient, they design an end-to-end network called ArtistGAN to perform these two operations at the same time and achieve visually better results. Moreover, to generate images of higher quality, they propose the bi-discriminator GAN containing a pixel discriminator and a feature discriminator that constrain the generated image from pixel level and feature level, respectively. They conduct extensive experiments and comparisons to evaluate their methods quantitatively and qualitatively. The experimental results verify the effectiveness of their methods.

Xiaosen Wang,Kun He,Chuanbiao Song,Liwei Wang,John E. Hopcroft

DOI: https://doi.org/10.48550/arXiv.1904.07793

2019-04-16

Computer Vision and Pattern Recognition

Abstract:Despite the rapid development of adversarial machine learning, most adversarial attack and defense researches mainly focus on the perturbation-based adversarial examples, which is constrained by the input images. In comparison with existing works, we propose non-constrained adversarial examples, which are generated entirely from scratch without any constraint on the input. Unlike perturbation-based attacks, or the so-called unrestricted adversarial attack which is still constrained by the input noise, we aim to learn the distribution of adversarial examples to generate non-constrained but semantically meaningful adversarial examples. Following this spirit, we propose a novel attack framework called AT-GAN (Adversarial Transfer on Generative Adversarial Net). Specifically, we first develop a normal GAN model to learn the distribution of benign data, and then transfer the pre-trained GAN model to estimate the distribution of adversarial examples for the target model. In this way, AT-GAN can learn the distribution of adversarial examples that is very close to the distribution of real data. To our knowledge, this is the first work of building an adversarial generator model that could produce adversarial examples directly from any input noise. Extensive experiments and visualizations show that the proposed AT-GAN can very efficiently generate diverse adversarial examples that are more realistic to human perception. In addition, AT-GAN yields higher attack success rates against adversarially trained models under white-box attack setting and exhibits moderate transferability against black-box models.

Guoqing Jin,Shiwei Shen,Dongming Zhang,Feng Dai,Yongdong Zhang

DOI: https://doi.org/10.1109/icassp.2019.8683044

2017-01-01

Abstract:Although Deep Neural Networks could achieve state-of-the-art performance while recongnizing images, they often suffer a tremendous defeat from adversarial examples-inputs generated by utilizing imperceptible but intentional perturbations to samples from the datasets. So far, very few methods have provided a significant defense to adversarial examples. In this paper, an effective framework based Generative Adversarial Nets(GAN) is proposed to defense against the adversarial examples. The essense of the model is to eliminate the adversarial perturbations being highly aligned with the weight vectors of nueral models. Extensive experiments on benchmark datasets MNIST, CIFAR10 and ImageNet indicate that our framework is able to defense against adversarial examples effectively.

Pin-Yu Chen,Yash Sharma,Huan Zhang,Jinfeng Yi,Cho-Jui Hsieh

DOI: https://doi.org/10.1609/aaai.v32i1.11302

2018-04-25

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Recent studies have highlighted the vulnerability of deep neural networks (DNNs) to adversarial examples — a visually indistinguishable adversarial image can easily be crafted to cause a well-trained model to misclassify. Existing methods for crafting adversarial examples are based on L2 and L∞ distortion metrics. However, despite the fact that L1 distortion accounts for the total variation and encourages sparsity in the perturbation, little has been developed for crafting L1-based adversarial examples. In this paper, we formulate the process of attacking DNNs via adversarial examples as an elastic-net regularized optimization problem. Our elastic-net attacks to DNNs (EAD) feature L1-oriented adversarial examples and include the state-of-the-art L2 attack as a special case. Experimental results on MNIST, CIFAR10 and ImageNet show that EAD can yield a distinct set of adversarial examples with small L1 distortion and attains similar attack performance to the state-of-the-art methods in different attack scenarios. More importantly, EAD leads to improved attack transferability and complements adversarial training for DNNs, suggesting novel insights on leveraging L1 distortion in adversarial machine learning and security implications of DNNs.

Weiwei Feng,Nanqing Xu,Tianzhu Zhang,Baoyuan Wu,Yongdong Zhang

DOI: https://doi.org/10.1109/tifs.2023.3288426

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deep neural networks are known to be vulnerable to adversarial examples, where adding carefully crafted adversarial perturbations to the inputs can mislead the DNN model. However, it is challenging to generate effective adversarial examples in the physical world due to many uncontrollable physical dynamics, which pose security and safety threats in the real world. Current physical attack methods aim to generate robust physical adversarial examples by simulating all possible physical dynamics. If attacking a new image or a new DNN model, they require expensive manual efforts for simulating physical dynamics or considerable time for iteratively optimizing. To tackle these limitations, we propose a robust and generalized physical adversarial attack method with Meta-GAN (Meta-GAN Attack), which is able to not only generate robust physical adversarial examples, but also generalize to attacking novel images and novel DNN models by accessing a few digital and physical images. First, we propose to craft robust physical adversarial examples with a generative attack model via simulating color and shape distortions. Second, we formulate the physical attack as a few-shot learning problem and design a novel class-agnostic and model-agnostic meta-learning algorithm to solve this problem. Extensive experiments on two benchmark datasets with four challenging experimental settings verify the superior robustness and generalization of our method by comparing to state-of-the-art physical attack methods. The source code is released at github.

Rui Yang,Tian-Jie Cao,Xiu-Qing Chen,Feng-Rong Zhang

DOI: https://doi.org/10.1016/j.cose.2021.102457

2021-12-01

Abstract:Some recent studies have demonstrated that the deep neural network (DNN) is vulnerable to adversarial examples, which contain some subtle and human-imperceptible perturbations. Although numerous countermeasures have been proposed and play a significant role, most of them all have some flaws and are only effective for certain types of adversarial examples. In the paper, we present a novel and universal countermeasure to recover multiple types of adversarial examples to benign examples before they are fed into the deep neural network. The idea is to model the mapping between adversarial examples and benign examples using a generative adversarial network (GAN). Its GAN architecture consists of a generator based on UNET, a discriminator based on ACGAN, and a newly added third-party classifier. The UNET can enhance the capacity of the generator to recover adversarial examples to benign examples. The loss function makes full use of the advantages of ACGAN and WGAN-GP to ensure the stability of the training process and accelerate its convergence. Besides, a classification loss and a perceptual loss, all from the third-party classifier, are employed to improve further the generator's capacity to eliminate adversarial perturbations. Experiments are conducted on the MNIST, CIFAR10, and IMAGENET datasets. First, we perform ablation experiments to prove the proposed countermeasure's validity. Then, we defend against seven types of state-of-the-art adversarial examples on four deep neural networks and compare them with six existing countermeasures. Finally, the experimental results demonstrate that the proposed countermeasure is universal and has a more excellent performance than other countermeasures. The experimental code is available at https://github.com/Afreadyang/IAED-GAN.

computer science, information systems

Jiacheng Zhao,Xiuming Zhao,Zhihua Gan,Xiuli Chai,Tianfeng Ma,Zhen Chen

DOI: https://doi.org/10.1007/s00530-024-01425-6

IF: 3.9

2024-01-01

Multimedia Systems

Abstract:The rise of online sharing platforms has provided people with diverse and convenient ways to share images. However, a substantial amount of sensitive user information is contained within these images, which can be easily captured by malicious neural networks. To ensure the secure utilization of authorized protected data, reversible adversarial attack techniques have emerged. Existing algorithms for generating adversarial examples do not strike a good balance between visibility and attack capability. Additionally, the network oscillations generated during the training process affect the quality of the final examples. To address these shortcomings, we propose a novel reversible adversarial network based on generative adversarial networks (RA-RevGAN). In this paper, the generator is used for noise generation to map features into perturbations of the image, while the region selection module confines these perturbations to specific areas that significantly affect classification. Furthermore, a robust attack mechanism is integrated into the discriminator to stabilize the network’s training by optimizing convergence speed and minimizing time cost. Extensive experiments have demonstrated that the proposed method ensures a high image generation rate, excellent attack capability, and superior visual quality while maintaining high classification accuracy in image restoration.

Weimin Zhao,Qusay H Mahmoud,Sanaa Alwidian

DOI: https://doi.org/10.3390/s23052697

2023-03-01

Abstract:Deep learning has been successfully utilized in many applications, but it is vulnerable to adversarial samples. To address this vulnerability, a generative adversarial network (GAN) has been used to train a robust classifier. This paper presents a novel GAN model and its implementation to defend against L∞ and L2 constraint gradient-based adversarial attacks. The proposed model is inspired by some of the related work, but it includes multiple new designs such as a dual generator architecture, four new generator input formulations, and two unique implementations with L∞ and L2 norm constraint vector outputs. The new formulations and parameter settings of GAN are proposed and evaluated to address the limitations of adversarial training and defensive GAN training strategies, such as gradient masking and training complexity. Furthermore, the training epoch parameter has been evaluated to determine its effect on the overall training results. The experimental results indicate that the optimal formulation of GAN adversarial training must utilize more gradient information from the target classifier. The results also demonstrate that GANs can overcome gradient masking and produce effective perturbation to augment the data. The model can defend PGD L2 128/255 norm perturbation with over 60% accuracy and PGD L∞ 8/255 norm perturbation with around 45% accuracy. The results have also revealed that robustness can be transferred between the constraints of the proposed model. In addition, a robustness-accuracy tradeoff was discovered, along with overfitting and the generalization capabilities of the generator and classifier. These limitations and ideas for future work will be discussed.

Yuying Hao,Tuanhui Li,Li Li,Yong Jiang,Xuanye Cheng

DOI: https://doi.org/10.1007/978-3-030-30508-6_57

2019-01-01

Abstract:Neural networks can be fooled by adversarial examples. Recently, many methods have been proposed to generate adversarial examples, but these works mainly concentrate on the pixel-wise information, which limits the transferability of adversarial examples. Different from these methods, we introduce perceptual module to extract the high-level representations and change the manifold of the adversarial examples. Besides, we propose a novel network structure to replace the generative adversarial network (GAN). The improved structure ensures high similarity of adversarial examples and promotes the stability of training process. Extensive experiments demonstrate that our method has significant improvement on the transferability. Furthermore, the adversarial training defence method is invalid for our attack.

Zhiyi Lin,Changgen Peng,Weijie Tan,Xing He

DOI: https://doi.org/10.3390/e25030487

2023-03-10

Abstract:Adversarial example generation techniques for neural network models have exploded in recent years. In the adversarial attack scheme for image recognition models, it is challenging to achieve a high attack success rate with very few pixel modifications. To address this issue, this paper proposes an adversarial example generation method based on adaptive parameter adjustable differential evolution. The method realizes the dynamic adjustment of the algorithm performance by adjusting the control parameters and operation strategies of the adaptive differential evolution algorithm, while searching for the optimal perturbation. Finally, the method generates adversarial examples with a high success rate, modifying just a very few pixels. The attack effectiveness of the method is confirmed in CIFAR10 and MNIST datasets. The experimental results show that our method has a greater attack success rate than the One Pixel Attack based on the conventional differential evolution. In addition, it requires significantly less perturbation to be successful compared to global or local perturbation attacks, and is more resistant to perception and detection.

Cong Hu,Yuanbo Li,Zhenhua Feng,Xiaojun Wu

DOI: https://doi.org/10.1016/j.patcog.2023.109760

IF: 8

2023-06-14

Pattern Recognition

Abstract:In recent years, face recognition has achieved promising results along with the development of advanced Deep Neural Networks (DNNs). The existing face recognition systems are vulnerable to adversarial examples, which brings potential security risks. Evolutionary Attack (EA) has been successfully used to fool face recognition by inducing a minimum perturbation to a face image with few queries. However, EA employs the global information of face images but ignores their local characteristics. In addition, restricting the l2 -norm of adversarial perturbations hinders the diversity of adversarial perturbations. To solve the above problems, we propose Attention-guided Evolutionary Attack with Elastic-Net Regularization (ERAEA) for attacking face recognition. ERAEA extracts local facial characteristics by attention mechanism, effectively improving the attack effect and image perception quality. In particular, ERAEA adopts an attention mechanism to guide evolutionary direction, which operates on the covariance matrix as it contains crucial information about the evolutionary path. Furthermore, we design an adaptive elastic-net regularization to diversify the adversarial perturbation, accelerating the optimization performance. Extensive experiments obtained on three benchmarks demonstrate that our proposed method achieves better perturbation norm than the state-of-the-art methods with limited queries on face recognition and generates adversarial face images with higher perceptual quality. Besides, ERAEA requires fewer queries to achieve a fixed adversarial perturbation norm.

computer science, artificial intelligence,engineering, electrical & electronic

Mahmood Sharif,Sruti Bhagavatula,Lujo Bauer,Michael K. Reiter

DOI: https://doi.org/10.1145/3317611

IF: 2.717

2019-07-19

ACM Transactions on Privacy and Security

Abstract:Images perturbed subtly to be misclassified by neural networks, called adversarial examples , have emerged as a technically deep challenge and an important concern for several application domains. Most research on adversarial examples takes as its only constraint that the perturbed images are similar to the originals. However, real-world application of these ideas often requires the examples to satisfy additional objectives, which are typically enforced through custom modifications of the perturbation process. In this article, we propose adversarial generative nets (AGNs), a general methodology to train a generator neural network to emit adversarial examples satisfying desired objectives. We demonstrate the ability of AGNs to accommodate a wide range of objectives, including imprecise ones difficult to model, in two application domains. In particular, we demonstrate physical adversarial examples—eyeglass frames designed to fool face recognition—with better robustness, inconspicuousness, and scalability than previous approaches, as well as a new attack to fool a handwritten-digit classifier.

computer science, information systems

Minjie Liu,Xinpeng Zhang,Guorui Feng

DOI: https://doi.org/10.1049/ell2.12437

2022-01-01

Electronics Letters

Abstract:Nowadays, adversarial examples of images which are generated by adding special perturbations on their hosts make great impact on many deep neural network (DNN)-based computer vision tasks and bring security risks. With the deep insight into this field, researchers realize that many simple image processing methods can easily reduce the attack success rate. Therefore, studies on robust adversarial examples that are able to defend destruction become the emphasis. However, most existing methods focus more on the distortion in user transmitting procedures and physical deformation such as JPEG compression and brightness. Given that scale transformation is one of the commonest measures in data transformation and enhancement, a two-step algorithm is proposed to eliminate the effect caused by resizing during the model inferring process. The first step is to select pixels that can affect the classification result through a DNN. As a binary classification task, the network predicts whether the pixel deserves to be modified or not. The second one is to strategically compute the amplitude of noise and add it to the host image. Experiments verify that this method resists the scale transformation and guarantees the invisibility of humans as well.

Aishan Liu,Xianglong Liu,Jiaxin Fan,Yuqing Ma,Anlan Zhang,Huiyuan Xie,Dacheng Tao

DOI: https://doi.org/10.1609/aaai.v33i01.33011028

2019-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Deep neural networks (DNNs) are vulnerable to adversarial examples where inputs with imperceptible perturbations mislead DNNs to incorrect results. Recently, adversarial patch, with noise confined to a small and localized patch, emerged for its easy accessibility in real-world. However, existing attack strategies are still far from generating visually natural patches with strong attacking ability, since they often ignore the perceptual sensitivity of the attacked network to the adversarial patch, including both the correlations with the image context and the visual attention. To address this problem, this paper proposes a perceptual-sensitive generative adversarial network (PS-GAN) that can simultaneously enhance the visual fidelity and the attacking ability for the adversarial patch. To improve the visual fidelity, we treat the patch generation as a patch-to-patch translation via an adversarial process, feeding any types of seed patch and outputting the similar adversarial patch with high perceptual correlation with the attacked image. To further enhance the attacking ability, an attention mechanism coupled with adversarial generation is introduced to predict the critical attacking areas for placing the patches, which can help producing more realistic and aggressive patches. Extensive experiments under semi-whitebox and black-box settings on two large-scale datasets GTSRB and ImageNet demonstrate that the proposed PS-GAN outperforms state-of-the-art adversarial patch attack methods.

Youheng Sun,Shengming Yuan,Xuanhan Wang,Lianli Gao,Jingkuan Song

2024-07-17

Abstract:Targeted adversarial attack, which aims to mislead a model to recognize any image as a target object by imperceptible perturbations, has become a mainstream tool for vulnerability assessment of deep neural networks (DNNs). Since existing targeted attackers only learn to attack known target classes, they cannot generalize well to unknown classes. To tackle this issue, we propose $\bf{G}$eneralized $\bf{A}$dversarial attac$\bf{KER}$ ($\bf{GAKer}$), which is able to construct adversarial examples to any target class. The core idea behind GAKer is to craft a latently infected representation during adversarial example generation. To this end, the extracted latent representations of the target object are first injected into intermediate features of an input image in an adversarial generator. Then, the generator is optimized to ensure visual consistency with the input image while being close to the target object in the feature space. Since the GAKer is class-agnostic yet model-agnostic, it can be regarded as a general tool that not only reveals the vulnerability of more DNNs but also identifies deficiencies of DNNs in a wider range of classes. Extensive experiments have demonstrated the effectiveness of our proposed method in generating adversarial examples for both known and unknown classes. Notably, compared with other generative methods, our method achieves an approximately $14.13\%$ higher attack success rate for unknown classes and an approximately $4.23\%$ higher success rate for known classes. Our code is available in <a class="link-external link-https" href="https://github.com/VL-Group/GAKer" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Artificial Intelligence

Xinheng Xie,Yue Wu,Cuiyu He

2024-12-05

Abstract:Understanding adversarial examples is crucial for improving the model's robustness, as they introduce imperceptible perturbations that deceive models. Effective adversarial examples, therefore, offer the potential to train more robust models by removing their singularities. We propose NODE-AdvGAN, a novel approach that treats adversarial generation as a continuous process and employs a Neural Ordinary Differential Equation (NODE) for simulating the dynamics of the generator. By mimicking the iterative nature of traditional gradient-based methods, NODE-AdvGAN generates smoother and more precise perturbations that preserve high perceptual similarity when added to benign images. We also propose a new training strategy, NODE-AdvGAN-T, which enhances transferability in black-box attacks by effectively tuning noise parameters during training. Experiments demonstrate that NODE-AdvGAN and NODE-AdvGAN-T generate more effective adversarial examples that achieve higher attack success rates while preserving better perceptual quality than traditional GAN-based methods.

Machine Learning,Artificial Intelligence

Haibin Zheng,Jinyin Chen,Hang Du,Weipeng Zhu,Shouling Ji,Xuhong Zhang

DOI: https://doi.org/10.1109/tdsc.2021.3124337

2022-01-01

Abstract:Despite of its tremendous popularity and success in computer vision (CV) and natural language processing, deep learning is inherently vulnerable to adversarial attacks in which adversarial examples (AEs) are carefully crafted by imposing imperceptible perturbations on the clean examples to deceive the target deep neural networks (DNNs). Many defense solutions in CV have been proposed. However, most of them, e.g., adversarial training, suffer from a low generality due to the reliance on limited AEs. Moreover, some solutions even have a non-negligible negative impact on the classification accuracy of clean examples. Last but not least, they are impotent against the unconstrained attacks in which the attackers optimize the perturbation direction and size by additionally taking the defense methods into accounts. In this article, we propose GRIP-GAN to learn a general robust inverse perturbation (GRIP), which is not only able to offset any potential adversarial perturbations but also strengthen the target class-related features, purely from the clean images via a generative adversarial network (GAN). By feeding a random noise, GRIP-GAN is able to generate a dynamic GRIP for each input image to defend against unconstrained attacks. To further improve the defense performance, we also enable GRIP-GAN to generate a GRIP tailored to each input image via feeding input image specific noise to GRIP-GAN. Extensive experiments are carried out on MNIST, CIFAR10, and ImageNet datasets against 17 adversarial attacks. The results show that GRIP-GAN outperforms all the baselines. We further share insights on the success of GRIP-GAN and provide visualized proofs.

Wei Jiang,Shen You,Jinyu Zhan,Xupeng Wang,Hong Lei,Deepak Adhikari

DOI: https://doi.org/10.1109/tevc.2022.3231460

IF: 16.497

2022-01-01

IEEE Transactions on Evolutionary Computation

Abstract:Due to the inherent vulnerability of deep neural networks (DNNs), the adversarial example (AE) attack has become a serious threat to intelligent systems, e.g., the failure cause of an image classification system. Different to existing works, in this article we are interested in the generation of AEs for DNNs with defensive mechanisms. To make the attack more practical, we exploit a query-based method to generate image AEs in a black-box attack setting. Considering that the generation of AEs is inherently a constrained optimization problem, this article first formulates three objectives regarding defensive DNNs, i.e., attack effectiveness, attack evasiveness and attack coverage. Then, this article proposes a query-efficient AE attack based on the genetic algorithm (GA) and particle swarm optimization (PSO) to address the perturbation optimization problem. To improve the efficiency of search and query, AE-specific operators including block-level and pixel-level crossovers, discrete perturbation mutation and direction-driven reproduction are designed within the GA-based search framework. In addition, predication-based adaptation of reproduction-related parameters is implemented to speed up the search convergence. PSO-based jumping process is further devised to avoid stuck in local optimum. Benchmark-based experiments evaluated the efficiency of our method, which can achieve an attack success rate of 100% with averagely 52.95% reduced queries in contrast to existing black-box attacks on nondefensive models. For defensive DNN models, our method can obtain top attack performance with the query reduction up to 70.92% comparing with the candidates.

computer science, artificial intelligence, theory & methods

Chaoyue Wang,Chang Xu,Xin Yao,Dacheng Tao

DOI: https://doi.org/10.48550/arXiv.1803.00657

2018-03-02

Abstract:Generative adversarial networks (GAN) have been effective for learning generative models for real-world data. However, existing GANs (GAN and its variants) tend to suffer from training problems such as instability and mode collapse. In this paper, we propose a novel GAN framework called evolutionary generative adversarial networks (E-GAN) for stable GAN training and improved generative performance. Unlike existing GANs, which employ a pre-defined adversarial objective function alternately training a generator and a discriminator, we utilize different adversarial training objectives as mutation operations and evolve a population of generators to adapt to the environment (i.e., the discriminator). We also utilize an evaluation mechanism to measure the quality and diversity of generated samples, such that only well-performing generator(s) are preserved and used for further training. In this way, E-GAN overcomes the limitations of an individual adversarial training objective and always preserves the best offspring, contributing to progress in and the success of GANs. Experiments on several datasets demonstrate that E-GAN achieves convincing generative performance and reduces the training problems inherent in existing GANs.

Machine Learning,Neural and Evolutionary Computing