scholarly journals Attack Analysis of Face Recognition Authentication Systems Using Fast Gradient Sign Method

2021 ◽  
pp. 1-15
Author(s):  
Arbena Musa ◽  
Kamer Vishi ◽  
Blerim Rexha
Keyword(s):  
Face Recognition ◽  
Fast Gradient ◽  
Sign Method

scholarly journals Deep ConvNet: Non-Random Weight Initialization for Repeatable Determinism, Examined with FSGM

Sensors ◽  
2021 ◽  
Vol 21 (14) ◽  
pp. 4772
Author(s):  
Richard N. M. Rudd-Orthner ◽  
Lyudmila Mihaylova
Keyword(s):  
Cross Validation ◽  
Color Image ◽  
Validation Dataset ◽  
Number Sequence ◽  
Random Weight ◽  
Fast Gradient ◽  
Weight Initialization ◽  
Fitting In ◽  
Sequence Substitution ◽  
Sign Method

A repeatable and deterministic non-random weight initialization method in convolutional layers of neural networks examined with the Fast Gradient Sign Method (FSGM). Using the FSGM approach as a technique to measure the initialization effect with controlled distortions in transferred learning, varying the dataset numerical similarity. The focus is on convolutional layers with induced earlier learning through the use of striped forms for image classification. Which provided a higher performing accuracy in the first epoch, with improvements of between 3–5% in a well known benchmark model, and also ~10% in a color image dataset (MTARSI2), using a dissimilar model architecture. The proposed method is robust to limit optimization approaches like Glorot/Xavier and He initialization. Arguably the approach is within a new category of weight initialization methods, as a number sequence substitution of random numbers, without a tether to the dataset. When examined under the FGSM approach with transferred learning, the proposed method when used with higher distortions (numerically dissimilar datasets), is less compromised against the original cross-validation dataset, at ~31% accuracy instead of ~9%. This is an indication of higher retention of the original fitting in transferred learning.

Enhancing adversarial attack transferability with multi-scale feature attack

2020 ◽  
pp. 2050076
Author(s):  
Caixia Sun ◽  
Lian Zou ◽  
Cien Fan ◽  
Yu Shi ◽  
Yifeng Liu
Keyword(s):  
Internal Representation ◽  
Feature Space ◽  
Source Model ◽  
Black Box ◽  
Space Representation ◽  
Scale Feature ◽  
Multi Scale ◽  
Adversarial Examples ◽  
Fast Gradient ◽  
Sign Method

Deep neural networks are vulnerable to adversarial examples, which can fool models by adding carefully designed perturbations. An intriguing phenomenon is that adversarial examples often exhibit transferability, thus making black-box attacks effective in real-world applications. However, the adversarial examples generated by existing methods typically overfit the structure and feature representation of the source model, resulting in a low success rate in a black-box manner. To address this issue, we propose the multi-scale feature attack to boost attack transferability, which adjusts the internal feature space representation of the adversarial image to get far to the internal representation of the original image. We show that we can select a low-level layer and a high-level layer of the source model to conduct the perturbations, and the crafted adversarial examples are confused with original images, not just in the class but also in the feature space representations. To further improve the transferability of adversarial examples, we apply reverse cross-entropy loss to reduce the overfitting further and show that it is effective for attacking adversarially trained models with strong defensive ability. Extensive experiments show that the proposed methods consistently outperform the iterative fast gradient sign method (IFGSM) and momentum iterative fast gradient sign method (MIFGSM) under the challenging black-box setting.

scholarly journals Fruit-classification model resilience under adversarial attack

2021 ◽  
Vol 4 (1) ◽  
Author(s):  
Raheel Siddiqi
Keyword(s):  
Real Life ◽  
Past Research ◽  
Industrial Applications ◽  
The Other ◽  
Classification Model ◽  
Test Time ◽  
Adversarial Training ◽  
Fast Gradient ◽  
Salt And Pepper ◽  
Sign Method

AbstractAn accurate and robust fruit image classifier can have a variety of real-life and industrial applications including automated pricing, intelligent sorting, and information extraction. This paper demonstrates how adversarial training can enhance the robustness of fruit image classifiers. In the past, research in deep-learning-based fruit image classification has focused solely on attaining the highest possible accuracy of the model used in the classification process. However, even the highest accuracy models are still susceptible to adversarial attacks which pose serious problems for such systems in practice. As a robust fruit classifier can only be developed with the aid of a fruit image dataset consisting of fruit images photographed in realistic settings (rather than images taken in controlled laboratory settings), a new dataset of over three thousand fruit images belonging to seven fruit classes is presented. Each image is carefully selected so that its classification poses a significant challenge for the proposed classifiers. Three Convolutional Neural Network (CNN)-based classifiers are suggested: 1) IndusNet, 2) fine-tuned VGG16, and 3) fine-tuned MobileNet. Fine-tuned VGG16 produced the best test set accuracy of 94.82% compared to the 92.32% and the 94.28% produced by the other two models, respectively. Fine-tuned MobileNet has proved to be the most efficient model with a test time of 9 ms/step compared to the test times of 28 ms/step and 29 ms/step for the other two models. The empirical evidence presented demonstrates that adversarial training enables fruit image classifiers to resist attacks crafted through the Fast Gradient Sign Method (FGSM), while simultaneously improving classifiers’ robustness against other noise forms including ‘Gaussian’, ‘Salt and pepper’ and ‘Speckle’. For example, when the amplitude of the perturbations generated through the Fast Gradient Sign Method (FGSM) was kept at 0.1, adversarial training improved the fine-tuned VGG16’s performance on adversarial images by around 18% (i.e., from 76.6% to 94.82%), while simultaneously improving the classifier’s performance on fruit images corrupted with ‘salt and pepper’ noise by around 8% (i.e., from 69.82% to 77.85%). Other reported results also follow this pattern and demonstrate the effectiveness of adversarial training as a means of enhancing the robustness of fruit image classifiers.

scholarly journals Random Transformation of image brightness for adversarial attack

2021 ◽  
pp. 1-12
Author(s):  
Bo Yang ◽  
Kaiyong Xu ◽  
Hengjun Wang ◽  
Hengwei Zhang
Keyword(s):  
Success Rate ◽  
Data Augmentation ◽  
Black Box ◽  
Image Brightness ◽  
Gradient Based ◽  
Adversarial Examples ◽  
Random Transformation ◽  
Fast Gradient ◽  
Adversarial Example ◽  
Sign Method

Deep neural networks (DNNs) are vulnerable to adversarial examples, which are crafted by adding small, human-imperceptible perturbations to the original images, but make the model output inaccurate predictions. Before DNNs are deployed, adversarial attacks can thus be an important method to evaluate and select robust models in safety-critical applications. However, under the challenging black-box setting, the attack success rate, i.e., the transferability of adversarial examples, still needs to be improved. Based on image augmentation methods, this paper found that random transformation of image brightness can eliminate overfitting in the generation of adversarial examples and improve their transferability. In light of this phenomenon, this paper proposes an adversarial example generation method, which can be integrated with Fast Gradient Sign Method (FGSM)-related methods to build a more robust gradient-based attack and to generate adversarial examples with better transferability. Extensive experiments on the ImageNet dataset have demonstrated the effectiveness of the aforementioned method. Whether on normally or adversarially trained networks, our method has a higher success rate for black-box attacks than other attack methods based on data augmentation. It is hoped that this method can help evaluate and improve the robustness of models.

A Comparative Study on Adversarial Noise Generation for Single Image Classification

2020 ◽  
Vol 16 (1) ◽  
pp. 75-87
Author(s):  
Rishabh Saxena ◽  
Amit Sanjay Adate ◽  
Don Sasikumar
Keyword(s):  
Neural Network ◽  
Image Classification ◽  
Saliency Map ◽  
Use Case ◽  
Noise Generation ◽  
Single Image ◽  
Adversarial Learning ◽  
Map Algorithm ◽  
Fast Gradient ◽  
Sign Method

With the rise of neural network-based classifiers, it is evident that these algorithms are here to stay. Even though various algorithms have been developed, these classifiers still remain vulnerable to misclassification attacks. This article outlines a new noise layer attack based on adversarial learning and compares the proposed method to other such attacking methodologies like Fast Gradient Sign Method, Jacobian-Based Saliency Map Algorithm and DeepFool. This work deals with comparing these algorithms for the use case of single image classification and provides a detailed analysis of how each algorithm compares to each other.

scholarly journals Deep ConvNet: Non-Random Weight Initialization for Repeatable Determinism, examined with FSGM

2021 ◽  
Author(s):  
Richard Niall Mark Rudd-Orthner ◽  
Lyudmila Mihaylova
Keyword(s):  
Human Performance ◽  
Random Number ◽  
Validation Dataset ◽  
Random Weight ◽  
Random Initialization ◽  
Fast Gradient ◽  
Weight Initialization ◽  
Single Epoch ◽  
Better Than ◽  
Sign Method

This paper presents a non-random weight initialization method in convolutional layers of neural networks examined with the Fast Gradient Sign Method (FSGM) attack. This paper's focus is convolutional layers, and are the layers that have been responsible for better than human performance in image categorization. The proposed method induces earlier learning through the use of striped forms, and as such has less unlearning of the existing random number speckled methods, consistent with the intuitions of Hubel and Wiesel. The proposed method provides a higher performing accuracy in a single epoch, with improvements of between 3-5% in a well known benchmark model, of which the first epoch is the most relevant as it is the epoch after initialization. The proposed method is also repeatable and deterministic, as a desirable quality for safety critical applications in image classification within sensors. That method is robust to Glorot/Xavier and He initialization limits as well. The proposed non-random initialization was examined under adversarial perturbation attack through the FGSM approach with transferred learning, as a technique to measure the affect in transferred learning with controlled distortions, and finds that the proposed method is less compromised to the original validation dataset, with higher distorted datasets.

scholarly journals Face Recognition System Against Adversarial Attack Using Convolutional Neural Network

2021 ◽  
Vol 18 (1) ◽  
pp. 1-8
Author(s):  
Ansam Kadhim ◽  
Salah Al-Darraji
Keyword(s):  
Neural Network ◽  
Face Recognition ◽  
Convolutional Neural Network ◽  
Recognition System ◽  
Face Recognition System ◽  
The Face ◽  
Recognition Systems ◽  
Projected Gradient Descent ◽  
Employee Attendance ◽  
Sign Method

Face recognition is the technology that verifies or recognizes faces from images, videos, or real-time streams. It can be used in security or employee attendance systems. Face recognition systems may encounter some attacks that reduce their ability to recognize faces properly. So, many noisy images mixed with original ones lead to confusion in the results. Various attacks that exploit this weakness affect the face recognition systems such as Fast Gradient Sign Method (FGSM), Deep Fool, and Projected Gradient Descent (PGD). This paper proposes a method to protect the face recognition system against these attacks by distorting images through different attacks, then training the recognition deep network model, specifically Convolutional Neural Network (CNN), using the original and distorted images. Diverse experiments have been conducted using combinations of original and distorted images to test the effectiveness of the system. The system showed an accuracy of 93% using FGSM attack, 97% using deep fool, and 95% using PGD.

Sign in / Sign up

Export Citation Format

Share Document