scholarly journals A black-box adversarial attack strategy with adjustable sparsity and generalizability for deep image classifiers

2022 ◽  
Vol 122 ◽  
pp. 108279
Author(s):  
Arka Ghosh ◽  
Sankha Subhra Mullick ◽  
Shounak Datta ◽  
Swagatam Das ◽  
Asit Kr. Das ◽  
...  
Keyword(s):  
Black Box ◽  
Deep Image ◽  
Adversarial Attack ◽  
Attack Strategy

scholarly journals Real-Time Adversarial Attack Detection with Deep Image Prior Initialized as a High-Level Representation Based Blurring Network

Electronics ◽  
2020 ◽  
Vol 10 (1) ◽  
pp. 52
Author(s):  
Richard Evan Sutanto ◽  
Sukho Lee
Keyword(s):  
Neural Network ◽  
Attack Detection ◽  
Detection Methods ◽  
Defense System ◽  
Image Prior ◽  
The Neural Network ◽  
Adversarial Examples ◽  
Deep Image ◽  
Adversarial Attack ◽  
High Level

Several recent studies have shown that artificial intelligence (AI) systems can malfunction due to intentionally manipulated data coming through normal channels. Such kinds of manipulated data are called adversarial examples. Adversarial examples can pose a major threat to an AI-led society when an attacker uses them as means to attack an AI system, which is called an adversarial attack. Therefore, major IT companies such as Google are now studying ways to build AI systems which are robust against adversarial attacks by developing effective defense methods. However, one of the reasons why it is difficult to establish an effective defense system is due to the fact that it is difficult to know in advance what kind of adversarial attack method the opponent is using. Therefore, in this paper, we propose a method to detect the adversarial noise without knowledge of the kind of adversarial noise used by the attacker. For this end, we propose a blurring network that is trained only with normal images and also use it as an initial condition of the Deep Image Prior (DIP) network. This is in contrast to other neural network based detection methods, which require the use of many adversarial noisy images for the training of the neural network. Experimental results indicate the validity of the proposed method.

scholarly journals Optimal Attack against Autoregressive Models by Manipulating the Environment

2020 ◽  
Vol 34 (04) ◽  
pp. 3545-3552
Author(s):  
Yiding Chen ◽  
Xiaojin Zhu
Keyword(s):  
Predictive Control ◽  
Linear Models ◽  
Nonlinear Models ◽  
Linear Quadratic Regulator ◽  
Black Box ◽  
Combine System ◽  
Linear Quadratic ◽  
Time Series Forecast ◽  
Forecast Models ◽  
Adversarial Attack

We describe an optimal adversarial attack formulation against autoregressive time series forecast using Linear Quadratic Regulator (LQR). In this threat model, the environment evolves according to a dynamical system; an autoregressive model observes the current environment state and predicts its future values; an attacker has the ability to modify the environment state in order to manipulate future autoregressive forecasts. The attacker's goal is to force autoregressive forecasts into tracking a target trajectory while minimizing its attack expenditure. In the white-box setting where the attacker knows the environment and forecast models, we present the optimal attack using LQR for linear models, and Model Predictive Control (MPC) for nonlinear models. In the black-box setting, we combine system identification and MPC. Experiments demonstrate the effectiveness of our attacks.

scholarly journals SADA: Semantic Adversarial Diagnostic Attacks for Autonomous Applications

2020 ◽  
Vol 34 (07) ◽  
pp. 10901-10908 ◽  
Author(s):  
Abdullah Hamdi ◽  
Matthias Mueller ◽  
Bernard Ghanem
Keyword(s):  
Neural Networks ◽  
Recent Work ◽  
Autonomous Navigation ◽  
General Framework ◽  
Deep Neural Networks ◽  
Autonomous Driving ◽  
Black Box ◽  
Semantic Meaning ◽  
Safety Critical ◽  
Adversarial Attack

One major factor impeding more widespread adoption of deep neural networks (DNNs) is their lack of robustness, which is essential for safety-critical applications such as autonomous driving. This has motivated much recent work on adversarial attacks for DNNs, which mostly focus on pixel-level perturbations void of semantic meaning. In contrast, we present a general framework for adversarial attacks on trained agents, which covers semantic perturbations to the environment of the agent performing the task as well as pixel-level attacks. To do this, we re-frame the adversarial attack problem as learning a distribution of parameters that always fools the agent. In the semantic case, our proposed adversary (denoted as BBGAN) is trained to sample parameters that describe the environment with which the black-box agent interacts, such that the agent performs its dedicated task poorly in this environment. We apply BBGAN on three different tasks, primarily targeting aspects of autonomous navigation: object detection, self-driving, and autonomous UAV racing. On these tasks, BBGAN can generate failure cases that consistently fool a trained agent.

scholarly journals A New Ensemble Adversarial Attack Powered by Long-Term Gradient Memories

2020 ◽  
Vol 34 (04) ◽  
pp. 3405-3413
Author(s):  
Zhaohui Che ◽  
Ali Borji ◽  
Guangtao Zhai ◽  
Suiyi Ling ◽  
Jing Li ◽  
...  
Keyword(s):  
Broad Class ◽  
Black Box ◽  
Security Threat ◽  
Source Models ◽  
Adversarial Examples ◽  
Adversarial Attack ◽  
Prediction Systems ◽  
Attack And Defense ◽  
Decision Boundaries

Deep neural networks are vulnerable to adversarial attacks. More importantly, some adversarial examples crafted against an ensemble of pre-trained source models can transfer to other new target models, thus pose a security threat to black-box applications (when the attackers have no access to the target models). Despite adopting diverse architectures and parameters, source and target models often share similar decision boundaries. Therefore, if an adversary is capable of fooling several source models concurrently, it can potentially capture intrinsic transferable adversarial information that may allow it to fool a broad class of other black-box target models. Current ensemble attacks, however, only consider a limited number of source models to craft an adversary, and obtain poor transferability. In this paper, we propose a novel black-box attack, dubbed Serial-Mini-Batch-Ensemble-Attack (SMBEA). SMBEA divides a large number of pre-trained source models into several mini-batches. For each single batch, we design 3 new ensemble strategies to improve the intra-batch transferability. Besides, we propose a new algorithm that recursively accumulates the “long-term” gradient memories of the previous batch to the following batch. This way, the learned adversarial information can be preserved and the inter-batch transferability can be improved. Experiments indicate that our method outperforms state-of-the-art ensemble attacks over multiple pixel-to-pixel vision tasks including image translation and salient region prediction. Our method successfully fools two online black-box saliency prediction systems including DeepGaze-II (Kummerer 2017) and SALICON (Huang et al. 2017). Finally, we also contribute a new repository to promote the research on adversarial attack and defense over pixel-to-pixel tasks: https://github.com/CZHQuality/AAA-Pix2pix.

An adversarial attack on DNN-based black-box object detectors

2020 ◽  
Vol 161 ◽  
pp. 102634 ◽  
Author(s):  
Yajie Wang ◽  
Yu-an Tan ◽  
Wenjiao Zhang ◽  
Yuhang Zhao ◽  
Xiaohui Kuang
Keyword(s):  
Black Box ◽  
Adversarial Attack

Black-Box Decision based Adversarial Attack with Symmetric α-stable Distribution

2019 ◽  
Author(s):  
Vignesh Srinivasan ◽  
Ercan E. Kuruoglu ◽  
Klaus-Robert Muller ◽  
Wojciech Samek ◽  
Shinichi Nakajima
Keyword(s):  
Stable Distribution ◽  
Black Box ◽  
Adversarial Attack

scholarly journals Stealthy and Efficient Adversarial Attacks against Deep Reinforcement Learning

2020 ◽  
Vol 34 (04) ◽  
pp. 5883-5891
Author(s):  
Jianwen Sun ◽  
Tianwei Zhang ◽  
Xiaofei Xie ◽  
Lei Ma ◽  
Yan Zheng ◽  
...  
Keyword(s):  
Deep Learning ◽  
Reinforcement Learning ◽  
Critical Point ◽  
State Of The Art ◽  
Great Success ◽  
Severe Damage ◽  
Minimal Set ◽  
Adversarial Attack ◽  
Attack Strategy ◽  
Critical Moments

Adversarial attacks against conventional Deep Learning (DL) systems and algorithms have been widely studied, and various defenses were proposed. However, the possibility and feasibility of such attacks against Deep Reinforcement Learning (DRL) are less explored. As DRL has achieved great success in various complex tasks, designing effective adversarial attacks is an indispensable prerequisite towards building robust DRL algorithms. In this paper, we introduce two novel adversarial attack techniques to stealthily and efficiently attack the DRL agents. These two techniques enable an adversary to inject adversarial samples in a minimal set of critical moments while causing the most severe damage to the agent. The first technique is the critical point attack: the adversary builds a model to predict the future environmental states and agent's actions, assesses the damage of each possible attack strategy, and selects the optimal one. The second technique is the antagonist attack: the adversary automatically learns a domain-agnostic model to discover the critical moments of attacking the agent in an episode. Experimental results demonstrate the effectiveness of our techniques. Specifically, to successfully attack the DRL agent, our critical point technique only requires 1 (TORCS) or 2 (Atari Pong and Breakout) steps, and the antagonist technique needs fewer than 5 steps (4 Mujoco tasks), which are significant improvements over state-of-the-art methods.

Sign in / Sign up

Export Citation Format

Share Document