Xiuli Chai,Zhen Chen,Zhihua Gan,Yushu Zhang,Yong Tan

DOI: https://doi.org/10.1109/icspcc59353.2023.10400335

2023-01-01

Abstract:Nowadays, large numbers of private images are stored in the cloud, which may be recognized by unauthorized models, seriously threatening users' privacy security. Although adversarial example (AE) can mislead unauthorized models to protect image privacy, the irreversible perturbations added to images can also mislead the authorized models. Reversible adversarial example (RAE) provides an effective solution that misleads unauthorized models without affecting authorized ones. However, existing RAE generation methods have low attack ability and imperfect image recovery, which makes them unsatisfactory. This paper proposes an RAE generation method that is RAE based on Thumbnail Preserving Encryption (RAE-TPE), where the semantic information of the images is unchanged but the generated RAEs successfully fool traditional classification models. Through decryption, the images can be recovered losslessly. Additionally, we present a novel optimization algorithm called dual annealing evolution (DAE) to enhance the RAEs' visual quality and attack ability. The experimental results on the ImageNet dataset demonstrate that RAEs generated by RAE-TPE show excellent attack ability and robustness.

Jiayang Liu,Weiming Zhang,Kazuto Fukuchi,Youhei Akimoto,Jun Sakuma

DOI: https://doi.org/10.1016/j.patcog.2022.109048

IF: 8

2023-01-01

Pattern Recognition

Abstract:In this study, we propose a new methodology to control how user's data is recognized and used by AI via exploiting the properties of adversarial examples. For this purpose, we propose reversible adversarial example (RAE), a new type of adversarial example. A remarkable feature of RAE is that the image can be correctly recognized and used by the AI model specified by the user because the authorized AI can recover the original image from the RAE exactly by eliminating adversarial perturbation. On the other hand, other unauthorized AI models cannot recognize it correctly because it functions as an adversarial example. Moreover, RAE can be considered as one type of encryption to computer vision since reversibil-ity guarantees the decryption. To realize RAE, we combine three technologies, adversarial example, re-versible data hiding for exact recovery of adversarial perturbation, and encryption for selective control of AIs who can remove adversarial perturbation. Experimental results show that the proposed method can achieve comparable attack ability with the corresponding adversarial attack method and similar visual quality with the original image, including white-box attacks and black-box attacks. (c) 2022 Elsevier Ltd. All rights reserved.

Jiayang Liu,Weiming Zhang,Kazuto Fukuchi,Youhei Akimoto,Jun Sakuma

DOI: https://doi.org/10.1016/j.patcog.2022.109048

IF: 8

2023-01-01

Pattern Recognition

Abstract:• Reversible adversarial example controls how user’s data is recognized by AI. • The original image can be exactly recovered from reversible adversarial example. • Reversible adversarial example still functions as adversarial example. In this study, we propose a new methodology to control how user’s data is recognized and used by AI via exploiting the properties of adversarial examples. For this purpose, we propose reversible adversarial example (RAE), a new type of adversarial example. A remarkable feature of RAE is that the image can be correctly recognized and used by the AI model specified by the user because the authorized AI can recover the original image from the RAE exactly by eliminating adversarial perturbation. On the other hand, other unauthorized AI models cannot recognize it correctly because it functions as an adversarial example. Moreover, RAE can be considered as one type of encryption to computer vision since reversibility guarantees the decryption. To realize RAE, we combine three technologies, adversarial example, reversible data hiding for exact recovery of adversarial perturbation, and encryption for selective control of AIs who can remove adversarial perturbation. Experimental results show that the proposed method can achieve comparable attack ability with the corresponding adversarial attack method and similar visual quality with the original image, including white-box attacks and black-box attacks.

Zhen Chen,Xiuli Chai,Zhihua Gan,Binjie Wang,Yushu Zhang

DOI: https://doi.org/10.1109/jiot.2024.3373636

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Medical images on the Internet of Medical Things (IoMT) can be easily collected, recognized and analyzed by unauthorized individuals and companies using deep neural networks (DNNs). The illegal use of this data compromises patient privacy and the rights of authorized users. The reversible adversarial example (RAE) is proposed to prevent unauthorized DNNs from recognizing privacy images without affecting authorized users. Nevertheless, existing RAE methods lack research on copyright protection, and unrestricted distribution and sale of these images can seriously jeopardize the copyrights of the image owners. To address this issue, this paper proposes an RAE based on visible watermark perturbation (RAE-VWP). Specifically, we first obtain the watermark embedding region (WER) of the image by the proposed saliency map fusion algorithm and save the information of this region using the reversible data hiding technique. Then, the proposed adaptive memory harmony search algorithm is applied to optimize the position and transparency of the embedded watermark perturbation. Finally, the RAE is generated by embedding the watermark perturbation into the WER of the image using the alpha blending technique. Particularly, the ensemble watermark vaccine is proposed to defend against attacks from watermark removal networks, significantly improving the robustness of RAE-VWP. The original image can be recovered without distortion by extracting the information saved in the RAE. Numerous experiments have shown that RAE-VWP can simultaneously protect image privacy and copyright with excellent reversibility.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhaoxia Yin,Hua Wang,Li Chen,Jie Wang,Weiming Zhang

DOI: https://doi.org/10.48550/arxiv.1911.02360

2019-01-01

Abstract:In order to prevent illegal or unauthorized access of image data such ashuman faces and ensure legitimate users can use authorization-protected data,reversible adversarial attack technique is rise. Reversible adversarialexamples (RAE) get both attack capability and reversibility at the same time.However, the existing technique can not meet application requirements becauseof serious distortion and failure of image recovery when adversarialperturbations get strong. In this paper, we take advantage of Reversible ImageTransformation technique to generate RAE and achieve reversible adversarialattack. Experimental results show that proposed RAE generation scheme canensure imperceptible image distortion and the original image can bereconstructed error-free. What's more, both the attack ability and the imagequality are not limited by the perturbation amplitude.

Fei Zuo,Qiang Zeng

DOI: https://doi.org/10.48550/arXiv.2001.00116

2020-12-13

Abstract:By adding carefully crafted perturbations to input images, adversarial examples (AEs) can be generated to mislead neural-network-based image classifiers. $L_2$ adversarial perturbations by Carlini and Wagner (CW) are among the most effective but difficult-to-detect attacks. While many countermeasures against AEs have been proposed, detection of adaptive CW-$L_2$ AEs is still an open question. We find that, by randomly erasing some pixels in an $L_2$ AE and then restoring it with an inpainting technique, the AE, before and after the steps, tends to have different classification results, while a benign sample does not show this symptom. We thus propose a novel AE detection technique, Erase-and-Restore (E&R), that exploits the intriguing sensitivity of $L_2$ attacks. Experiments conducted on two popular image datasets, CIFAR-10 and ImageNet, show that the proposed technique is able to detect over 98% of $L_2$ AEs and has a very low false positive rate on benign images. The detection technique exhibits high transferability: a detection system trained using CW-$L_2$ AEs can accurately detect AEs generated using another $L_2$ attack method. More importantly, our approach demonstrates strong resilience to adaptive $L_2$ attacks, filling a critical gap in AE detection. Finally, we interpret the detection technique through both visualization and quantification.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning,Image and Video Processing

Ziming Zhao,Zhaoxuan Li,Tingting Li,Zhuoxue Song,Fan Zhang,Rui Zhang

DOI: https://doi.org/10.1145/3576915.3624396

2023-01-01

Abstract:Image watermark is a technique widely used for copyright protection. Recent studies show that the image watermark can be added to the clear image as a kind of noise to realize fooling deep learning models. However, previous adversarial example (AE) detection schemes tend to be ineffective since the watermark logo differs from typical noise perturbations. In this poster, we propose Themis, a novel AE detection method against watermark perturbation. Different from prior methods, Themis neither modifies the protected classifier nor requires knowledge of the process for generating AEs. Specifically, Themis leverages usable information theory to calculate the pointwise score, thereby discovering those instances that may be watermark AEs. The empirical evaluations involving 5 different logo watermark perturbations demonstrate the proposed scheme can efficiently detect AEs, and significantly (over 15% accuracy) outperforms five state-of-the-art (SOTA) detection methods. The visualization results display our detection metric is more distinguishable between AEs and non-AEs. Meanwhile, Themis realizes a larger Area Under Curve (AUC) in a threshold-resilient manner, while only introducing similar to 0.04s overhead.

Chengyao Hua,Shigeng Zhang,Weiping Wang,Zhankai Li,Jian Zhang

DOI: https://doi.org/10.1109/trustcom56396.2022.00057

2022-01-01

Abstract:The human can easily recognize the incongruous parts of an image, for example, perturbations unrelated to the image itself, but are poor at spotting the small geometric transformations. However, in terms of the robustness of deep neural networks (DNNs), the ability to properly recognize objects with small geometric transformations is still a challenge. In this work, we investigate the problem from the perspective of adversarial attacks: does the performance of DNNs degrade even when small geometric transformations are applied to images? To this end, we propose a novel adversarial attack method, called WBA, a Warping-Based Adversarial attack method, which does not introduce information independent of the original images but manipulates the existing pixels of the images by elastic warping transformations to generate adversarial examples that are imperceptible to the human eye. At the same time, existing adversarial attacks typically generate adversarial examples by modifying pixels in the spatial domain of the image, the addition of such perturbations introduces extra information unrelated to the image itself and is easily detected by the naked eyes. We demonstrate the effectiveness of WBA by extensive experiments on commonly used datasets, including MNIST, CIFAR10, and ImageNet. The results show that WBA can quickly generate adversarial examples with the highest adversarial strength, consumes less time, and can be comparable to optimization-based adversarial attack methods in image perception evaluation metrics such as LPIPS, SSIM, and far more than gradient direction-based iterative methods.

Haodong Zhang,Chi Man Pun,Xia Du

2023-06-20

Abstract:Reversible adversarial examples (RAE) combine adversarial attacks and reversible data-hiding technology on a single image to prevent illegal access. Most RAE studies focus on achieving white-box attacks. In this paper, we propose a novel framework to generate reversible adversarial examples, which combines a novel beam search based black-box attack and reversible data hiding with grayscale invariance (RDH-GI). This RAE uses beam search to evaluate the adversarial gain of historical perturbations and guide adversarial perturbations. After the adversarial examples are generated, the framework RDH-GI embeds the secret data that can be recovered losslessly. Experimental results show that our method can achieve an average Peak Signal-to-Noise Ratio (PSNR) of at least 40dB compared to source images with limited query budgets. Our method can also achieve a targeted black-box reversible adversarial attack for the first time.

Cryptography and Security

Fan Xing,Xiaoyi Zhou,Xuefeng Fan,Zhuo Tian,Yan Zhao

2023-10-25

Abstract:Collected and annotated datasets, which are obtained through extensive efforts, are effective for training Deep Neural Network (DNN) models. However, these datasets are susceptible to be misused by unauthorized users, resulting in infringement of Intellectual Property (IP) rights owned by the dataset creators. Reversible Adversarial Exsamples (RAE) can help to solve the issues of IP protection for datasets. RAEs are adversarial perturbed images that can be restored to the original. As a cutting-edge approach, RAE scheme can serve the purposes of preventing unauthorized users from engaging in malicious model training, as well as ensuring the legitimate usage of authorized users. Nevertheless, in the existing work, RAEs still rely on the embedded auxiliary information for restoration, which may compromise their adversarial abilities. In this paper, a novel self-generation and self-recovery method, named as RAEDiff, is introduced for generating RAEs based on a Denoising Diffusion Probabilistic Models (DDPM). It diffuses datasets into a Biased Gaussian Distribution (BGD) and utilizes the prior knowledge of the DDPM for generating and recovering RAEs. The experimental results demonstrate that RAEDiff effectively self-generates adversarial perturbations for DNN models, including Artificial Intelligence Generated Content (AIGC) models, while also exhibiting significant self-recovery capabilities.

Cryptography and Security,Artificial Intelligence,Graphics,Machine Learning

Yichen Wang,Yuxuan Chou,Ziqi Zhou,Hangtao Zhang,Wei Wan,Shengshan Hu,Minghui Li

2024-12-22

Abstract:As deep neural networks (DNNs) are widely applied in the physical world, many researches are focusing on physical-world adversarial examples (PAEs), which introduce perturbations to inputs and cause the model's incorrect outputs. However, existing PAEs face two challenges: unsatisfactory attack performance (i.e., poor transferability and insufficient robustness to environment conditions), and difficulty in balancing attack effectiveness with stealthiness, where better attack effectiveness often makes PAEs more perceptible. In this paper, we explore a novel perturbation-based method to overcome the challenges. For the first challenge, we introduce a strategy Deceptive RF injection based on robust features (RFs) that are predictive, robust to perturbations, and consistent across different models. Specifically, it improves the transferability and robustness of PAEs by covering RFs of other classes onto the predictive features in clean images. For the second challenge, we introduce another strategy Adversarial Semantic Pattern Minimization, which removes most perturbations and retains only essential adversarial patterns in AEsBased on the two strategies, we design our method Robust Feature Coverage Attack (RFCoA), comprising Robust Feature Disentanglement and Adversarial Feature Fusion. In the first stage, we extract target class RFs in feature space. In the second stage, we use attention-based feature fusion to overlay these RFs onto predictive features of clean images and remove unnecessary perturbations. Experiments show our method's superior transferability, robustness, and stealthiness compared to existing state-of-the-art methods. Additionally, our method's effectiveness can extend to Large Vision-Language Models (LVLMs), indicating its potential applicability to more complex tasks.

Computer Vision and Pattern Recognition

Jiliang Zhang,Shuang Peng,Yupeng Hu,Fei Peng,Wei Hu,Jinmei Lai,Jing Ye,Xiangqi Wang

DOI: https://doi.org/10.1109/ats49688.2020.9301586

2020-01-01

Abstract:With the rapid advancements of the artificial intelligence, machine learning, especially neural networks, have shown huge superiority over humans in image recognition, autonomous vehicles and medical diagnosis. However, its opacity and inexplicability provide many chances for malicious attackers. Recent researches have shown that neural networks are vulnerable to adversarial example (AE) attacks. In the testing stage, it fools the model by adding subtle perturbations to the original sample to misclassify the input, which poses a serious threat to safety-critical areas such as autonomous driving. In order to mitigate this threat, this paper proposes a hardware-assisted randomization method against AEs, where an approximate computing technique in hardware, voltage over-scaling (VOS), is used to randomize the training set of the model, then the processed data are used to generate multiple neural network models, finally multiple redundant models are used for the integrated classification and detection of the AEs. Various AE attacks on the proposed defense are evaluated to prove its effectiveness.

Jiahao Chen,Zhou Feng,Rui Zeng,Yuwen Pu,Chunyi Zhou,Yi Jiang,Yuyou Gan,Jinbao Li,Shouling Ji

2024-08-20

Abstract:Deep neural networks (DNNs) are vulnerable to adversarial examples (AEs) that mislead the model while appearing benign to human observers. A critical concern is the transferability of AEs, which enables black-box attacks without direct access to the target model. However, many previous attacks have failed to explain the intrinsic mechanism of adversarial transferability. In this paper, we rethink the property of transferable AEs and reformalize the formulation of transferability. Building on insights from this mechanism, we analyze the generalization of AEs across models with different architectures and prove that we can find a local perturbation to mitigate the gap between surrogate and target models. We further establish the inner connections between model smoothness and flat local maxima, both of which contribute to the transferability of AEs. Further, we propose a new adversarial attack algorithm, \textbf{A}dversarial \textbf{W}eight \textbf{T}uning (AWT), which adaptively adjusts the parameters of the surrogate model using generated AEs to optimize the flat local maxima and model smoothness simultaneously, without the need for extra data. AWT is a data-free tuning method that combines gradient-based and model-based attack methods to enhance the transferability of AEs. Extensive experiments on a variety of models with different architectures on ImageNet demonstrate that AWT yields superior performance over other attacks, with an average increase of nearly 5\% and 10\% attack success rates on CNN-based and Transformer-based models, respectively, compared to state-of-the-art attacks.

Cryptography and Security

Yan Wang,Dongmei Zhang,Haiyang Zhang

DOI: https://doi.org/10.1007/978-3-031-20865-2_30

2022-01-01

Abstract:Adversarial Training (AT) is one of the most effective defense methods against adversarial examples, in which a model is trained on both clean and adversarial examples. Although AT improves the robustness by smoothing the small neighborhood, it reduces accuracy on clean examples. We propose Weighted Adaptive Perturbation Adversarial Training (WAPAT) to reduce the loss of clean accuracy and improve robustness, which is motivated by the adaptive learning rate of the model optimizer. In the adversarial examples generation stage of adversarial training, We introduce weights based on feature changes to adaptively adjust the perturbation step size for different features. In iterative attacks, if a feature is frequently attacked, we increase the attack strength of this area, otherwise, we weaken the attack strength of this area. WAPAT is a data augmentation method that shortens the distance of adversarial examples to the classification boundary. The generated adversarial examples maintain good adversarial effects while retaining more clean examples information. Therefore, such adversarial examples can help us to obtain a more robust model while reducing the loss of recognition accuracy for clean examples. To demonstrate our method, we implement WAPAT in three adversarial training frameworks. Experimental results on CIFAR-10 and MNIST show thatWAPAT significantly improves adversarial robustness with less sacrifice of accuracy.

Ming Li,Zhaoli Yang,Tao Wang,Yushu Zhang,Wenying Wen

DOI: https://doi.org/10.1109/tcsvt.2024.3448351

IF: 5.859

2024-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:In recent years, the uploading of massive personal images has increased the security risks, mainly including privacy breaches and copyright infringement. Adversarial examples provide a novel solution for protecting image privacy, as they can evade the detection by deep neural network (DNN)-based recognizers. However, the perturbations in the adversarial examples typically meaningless and therefore cannot be extracted as traceable information to support copyright protection. In this paper, we designed a dual protection scheme for image privacy and copyright via traceable adversarial examples. Specifically, a traceable adversarial model is proposed, which can be used to embed the invisible copyright information into images for copyright protection while fooling DNN-based recognizers for privacy protection. Inspired by the training method of generative adversarial networks (GANs), a new dynamic adversarial training strategy is designed, which allows our model for achieving stable multi-objective learning. Experimental results show that our scheme is exceptionally robust in the face of a variety of noise conditions and image processing methods, while exhibiting good model migration and defense robustness.

Wei Jia,Zhaojun Lu,Haichun Zhang,Zhenglin Liu,Jie Wang,Gang Qu

DOI: https://doi.org/10.14722/ndss.2022.24130

2022-01-01

Abstract:Adversarial Examples (AEs) can deceive Deep Neural Networks (DNNs) and have received a lot of attention recently. However, majority of the research on AEs is in the digital domain and the adversarial patches are static, which is very different from many real-world DNN applications such as Traffic Sign Recognition (TSR) systems in autonomous vehicles. In TSR systems, object detectors use DNNs to process streaming video in real time. From the view of object detectors, the traffic sign`s position and quality of the video are continuously changing, rendering the digital AEs ineffective in the physical world. In this paper, we propose a systematic pipeline to generate robust physical AEs against real-world object detectors. Robustness is achieved in three ways. First, we simulate the in-vehicle cameras by extending the distribution of image transformations with the blur transformation and the resolution transformation. Second, we design the single and multiple bounding boxes filters to improve the efficiency of the perturbation training. Third, we consider four representative attack vectors, namely Hiding Attack, Appearance Attack, Non-Target Attack and Target Attack. We perform a comprehensive set of experiments under a variety of environmental conditions, and considering illuminations in sunny and cloudy weather as well as at night. The experimental results show that the physical AEs generated from our pipeline are effective and robust when attacking the YOLO v5 based TSR system. The attacks have good transferability and can deceive other state-of-the-art object detectors. We launched HA and NTA on a brand-new 2021 model vehicle. Both attacks are successful in fooling the TSR system, which could be a life-threatening case for autonomous vehicles. Finally, we discuss three defense mechanisms based on image preprocessing, AEs detection, and model enhancing.

Zhiwei Zhang,Xunzhang Gao,Shuowei Liu,Bowen Peng,Yufei Wang

DOI: https://doi.org/10.3390/rs14205168

IF: 5

2022-10-16

Remote Sensing

Abstract:Adversarial examples (AEs) bring increasing concern on the security of deep-learning-based synthetic aperture radar (SAR) target recognition systems. SAR AEs with perturbation constrained to the vicinity of the target have been recently in the spotlight due to the physical realization prospects. However, current adversarial detection methods generally suffer severe performance degradation against SAR AEs with region-constrained perturbation. To solve this problem, we treated SAR AEs as low-probability samples incompatible with the clean dataset. With the help of energy-based models, we captured an inherent energy gap between SAR AEs and clean samples that is robust to the changes of the perturbation region. Inspired by this discovery, we propose an energy-based adversarial detector, which requires no modification to a pretrained model. To better distinguish the clean samples and AEs, energy regularization was adopted to fine-tune the pretrained model. Experiments demonstrated that the proposed method significantly boosts the detection performance against SAR AEs with region-constrained perturbation.

environmental sciences,imaging science & photographic technology,remote sensing,geosciences, multidisciplinary

Xiaojun Jia,Xingxing Wei,Xiaochun Cao,Xiaoguang Han

DOI: https://doi.org/10.1145/3394171.3413976

2020-01-01

Abstract:Recent research has demonstrated that adding some imperceptible perturbations to original images can fool deep learning models. However, the current adversarial perturbations are usually shown in the form of noises, and thus have no practical meaning. Image watermark is a technique widely used for copyright protection. We can regard image watermark as a king of meaningful noises and adding it to the original image will not affect people's understanding of the image content, and will not arouse people's suspicion. Therefore, it will be interesting to generate adversarial examples using watermarks. In this paper, we propose a novel watermark perturbation for adversarial examples (Adv-watermark) which combines image watermarking techniques and adversarial example algorithms. Adding a meaningful watermark to the clean images can attack the DNN models. Specifically, we propose a novel optimization algorithm, which is called Basin Hopping Evolution (BHE), to generate adversarial watermarks in the black-box attack mode. Thanks to the BHE, Adv-watermark only requires a few queries from the threat models to finish the attacks. A series of experiments conducted on ImageNet and CASIA-WebFace datasets show that the proposed method can efficiently generate adversarial examples, and outperforms the state-of-the-art attack methods. Moreover, Adv-watermark is more robust against image transformation defense methods.

Mingjie Li,Hanzhou Wu,Xinpeng Zhang

DOI: https://doi.org/10.1117/1.jei.31.6.063034

IF: 0.829

2022-01-01

Journal of Electronic Imaging

Abstract:The adversarial examples have been proven to reveal the vulnerability of the deep neural networks (DNNs) model, which can be used to evaluate the performance and further improve the robustness of the model. Because text data is discrete, it is more difficult to generate adversarial examples in the natural language processing (NLP) domain than in the image domain. One of the challenges is that the generated adversarial text examples should maintain the correctness of grammar and the semantic similarity compared with the original texts. In this paper, we propose an adversarial text generation model, which generates high-quality adversarial text examples through an end-to-end model. Moreover, the adversarial text examples generated by our proposed model are embedded with watermarks, which can mark and trace the source of the generated adversarial text examples and prevent the model from being maliciously or illegally used. The experimental results show that the attack success rates of the proposed model can still reach higher than 88% even on the AG's News dataset where generating adversarial text examples is more difficult. And the quality of adversarial text examples generated by the proposed model is higher than that of the baseline models. At the same time, because of the generated adversarial text examples are embedded with strong robust watermarks, the model can be better protected. (c) 2022 SPIE and IS&T

Hui Zeng,Biwei Chen,Anjie Peng

2024-01-13

Abstract:Adversarial examples (AEs) have been extensively studied due to their potential for privacy protection and inspiring robust neural networks. Yet, making a targeted AE transferable across unknown models remains challenging. In this paper, to alleviate the overfitting dilemma common in an AE crafted by existing simple iterative attacks, we propose fine-tuning it in the feature space. Specifically, starting with an AE generated by a baseline attack, we encourage the features conducive to the target class and discourage the features to the original class in a middle layer of the source model. Extensive experiments demonstrate that only a few iterations of fine-tuning can boost existing attacks' targeted transferability nontrivially and universally. Our results also verify that the simple iterative attacks can yield comparable or even better transferability than the resource-intensive methods, which rest on training target-specific classifiers or generators with additional data. The code is available at:

Computer Vision and Pattern Recognition,Artificial Intelligence