A Black-Box Adversarial Attack via Deep Reinforcement Learning on the Feature Space

2021 ◽  
Author(s):  
Lyue Li ◽  
Amir Rezapour ◽  
Wen-Guey Tzeng
Keyword(s):  
Reinforcement Learning ◽  
Feature Space ◽  
Black Box ◽  
Adversarial Attack

scholarly journals Reinforcement Learning Based Sparse Black-box Adversarial Attack on Video Recognition Models

2021 ◽  
Author(s):  
Zeyuan Wang ◽  
Chaofeng Sha ◽  
Su Yang
Keyword(s):  
Reinforcement Learning ◽  
Heuristic Algorithms ◽  
Saliency Detection ◽  
Black Box ◽  
Selection Strategy ◽  
Target Class ◽  
Video Recognition ◽  
Adversarial Attack ◽  
Key Frames ◽  
Attack Process

We explore the black-box adversarial attack on video recognition models. Attacks are only performed on selected key regions and key frames to reduce the high computation cost of searching adversarial perturbations on a video due to its high dimensionality. To select key frames, one way is to use heuristic algorithms to evaluate the importance of each frame and choose the essential ones. However, it is time inefficient on sorting and searching. In order to speed up the attack process, we propose a reinforcement learning based frame selection strategy. Specifically, the agent explores the difference between the original class and the target class of videos to make selection decisions. It receives rewards from threat models which indicate the quality of the decisions. Besides, we also use saliency detection to select key regions and only estimate the sign of gradient instead of the gradient itself in zeroth order optimization to further boost the attack process. We can use the trained model directly in the untargeted attack or with little fine-tune in the targeted attack, which saves computation time. A range of empirical results on real datasets demonstrate the effectiveness and efficiency of the proposed method.

scholarly journals Optimal Attack against Autoregressive Models by Manipulating the Environment

2020 ◽  
Vol 34 (04) ◽  
pp. 3545-3552
Author(s):  
Yiding Chen ◽  
Xiaojin Zhu
Keyword(s):  
Predictive Control ◽  
Linear Models ◽  
Nonlinear Models ◽  
Linear Quadratic Regulator ◽  
Black Box ◽  
Combine System ◽  
Linear Quadratic ◽  
Time Series Forecast ◽  
Forecast Models ◽  
Adversarial Attack

We describe an optimal adversarial attack formulation against autoregressive time series forecast using Linear Quadratic Regulator (LQR). In this threat model, the environment evolves according to a dynamical system; an autoregressive model observes the current environment state and predicts its future values; an attacker has the ability to modify the environment state in order to manipulate future autoregressive forecasts. The attacker's goal is to force autoregressive forecasts into tracking a target trajectory while minimizing its attack expenditure. In the white-box setting where the attacker knows the environment and forecast models, we present the optimal attack using LQR for linear models, and Model Predictive Control (MPC) for nonlinear models. In the black-box setting, we combine system identification and MPC. Experiments demonstrate the effectiveness of our attacks.

scholarly journals SADA: Semantic Adversarial Diagnostic Attacks for Autonomous Applications

2020 ◽  
Vol 34 (07) ◽  
pp. 10901-10908 ◽  
Author(s):  
Abdullah Hamdi ◽  
Matthias Mueller ◽  
Bernard Ghanem
Keyword(s):  
Neural Networks ◽  
Recent Work ◽  
Autonomous Navigation ◽  
General Framework ◽  
Deep Neural Networks ◽  
Autonomous Driving ◽  
Black Box ◽  
Semantic Meaning ◽  
Safety Critical ◽  
Adversarial Attack

One major factor impeding more widespread adoption of deep neural networks (DNNs) is their lack of robustness, which is essential for safety-critical applications such as autonomous driving. This has motivated much recent work on adversarial attacks for DNNs, which mostly focus on pixel-level perturbations void of semantic meaning. In contrast, we present a general framework for adversarial attacks on trained agents, which covers semantic perturbations to the environment of the agent performing the task as well as pixel-level attacks. To do this, we re-frame the adversarial attack problem as learning a distribution of parameters that always fools the agent. In the semantic case, our proposed adversary (denoted as BBGAN) is trained to sample parameters that describe the environment with which the black-box agent interacts, such that the agent performs its dedicated task poorly in this environment. We apply BBGAN on three different tasks, primarily targeting aspects of autonomous navigation: object detection, self-driving, and autonomous UAV racing. On these tasks, BBGAN can generate failure cases that consistently fool a trained agent.

scholarly journals A New Ensemble Adversarial Attack Powered by Long-Term Gradient Memories

2020 ◽  
Vol 34 (04) ◽  
pp. 3405-3413
Author(s):  
Zhaohui Che ◽  
Ali Borji ◽  
Guangtao Zhai ◽  
Suiyi Ling ◽  
Jing Li ◽  
...  
Keyword(s):  
Broad Class ◽  
Black Box ◽  
Security Threat ◽  
Source Models ◽  
Adversarial Examples ◽  
Adversarial Attack ◽  
Prediction Systems ◽  
Attack And Defense ◽  
Decision Boundaries

Deep neural networks are vulnerable to adversarial attacks. More importantly, some adversarial examples crafted against an ensemble of pre-trained source models can transfer to other new target models, thus pose a security threat to black-box applications (when the attackers have no access to the target models). Despite adopting diverse architectures and parameters, source and target models often share similar decision boundaries. Therefore, if an adversary is capable of fooling several source models concurrently, it can potentially capture intrinsic transferable adversarial information that may allow it to fool a broad class of other black-box target models. Current ensemble attacks, however, only consider a limited number of source models to craft an adversary, and obtain poor transferability. In this paper, we propose a novel black-box attack, dubbed Serial-Mini-Batch-Ensemble-Attack (SMBEA). SMBEA divides a large number of pre-trained source models into several mini-batches. For each single batch, we design 3 new ensemble strategies to improve the intra-batch transferability. Besides, we propose a new algorithm that recursively accumulates the “long-term” gradient memories of the previous batch to the following batch. This way, the learned adversarial information can be preserved and the inter-batch transferability can be improved. Experiments indicate that our method outperforms state-of-the-art ensemble attacks over multiple pixel-to-pixel vision tasks including image translation and salient region prediction. Our method successfully fools two online black-box saliency prediction systems including DeepGaze-II (Kummerer 2017) and SALICON (Huang et al. 2017). Finally, we also contribute a new repository to promote the research on adversarial attack and defense over pixel-to-pixel tasks: https://github.com/CZHQuality/AAA-Pix2pix.

scholarly journals Sparse reduced-order modelling: sensor-based dynamics to full-state estimation

2018 ◽  
Vol 844 ◽  
pp. 459-490 ◽  
Author(s):  
Jean-Christophe Loiseau ◽  
Bernd R. Noack ◽  
Steven L. Brunton
Keyword(s):  
Coherent Structures ◽  
Feature Space ◽  
Black Box ◽  
Box Model ◽  
Sensor Data ◽  
Dynamic Feature ◽  
Time Resolved ◽  
Reduced Order ◽  
Reduced Order Modelling ◽  
Full State

We propose a general dynamic reduced-order modelling framework for typical experimental data: time-resolved sensor data and optional non-time-resolved particle image velocimetry (PIV) snapshots. This framework can be decomposed into four building blocks. First, the sensor signals are lifted to a dynamic feature space without false neighbours. Second, we identify a sparse human-interpretable nonlinear dynamical system for the feature state based on the sparse identification of nonlinear dynamics (SINDy). Third, if PIV snapshots are available, a local linear mapping from the feature state to the velocity field is performed to reconstruct the full state of the system. Fourth, a generalized feature-based modal decomposition identifies coherent structures that are most dynamically correlated with the linear and nonlinear interaction terms in the sparse model, adding interpretability. Steps 1 and 2 define a black-box model. Optional steps 3 and 4 lift the black-box dynamics to a grey-box model in terms of the identified coherent structures, if non-time-resolved full-state data are available. This grey-box modelling strategy is successfully applied to the transient and post-transient laminar cylinder wake, and compares favourably with a proper orthogonal decomposition model. We foresee numerous applications of this highly flexible modelling strategy, including estimation, prediction and control. Moreover, the feature space may be based on intrinsic coordinates, which are unaffected by a key challenge of modal expansion: the slow change of low-dimensional coherent structures with changing geometry and varying parameters.

Chapter 10. Explainable Neuro-Symbolic Hierarchical Reinforcement Learning

2021 ◽  
Author(s):  
Daoming Lyu ◽  
Fangkai Yang ◽  
Hugh Kwon ◽  
Bo Liu ◽  
Wen Dong ◽  
...  
Keyword(s):  
Machine Learning ◽  
Decision Making ◽  
Reinforcement Learning ◽  
Black Box ◽  
Influential Factor ◽  
Hierarchical Reinforcement Learning ◽  
Interactive Decision Making ◽  
Symbolic Approach ◽  
Trust Systems ◽  
Symbolic Planning

Human-robot interactive decision-making is increasingly becoming ubiquitous, and explainability is an influential factor in determining the reliance on autonomy. However, it is not reasonable to trust systems beyond our comprehension, and typical machine learning and data-driven decision-making are black-box paradigms that impede explainability. Therefore, it is critical to establish computational efficient decision-making mechanisms enhanced by explainability-aware strategies. To this end, we propose the Trustworthy Decision-Making (TDM), which is an explainable neuro-symbolic approach by integrating symbolic planning into hierarchical reinforcement learning. The framework of TDM enables the subtask-level explainability from the causal relational and understandable subtasks. Besides, TDM also demonstrates the advantage of the integration between symbolic planning and reinforcement learning, reaping the benefits of both worlds. Experimental results validate the effectiveness of proposed method while improving the explainability in the process of decision-making.

An adversarial attack on DNN-based black-box object detectors

2020 ◽  
Vol 161 ◽  
pp. 102634 ◽  
Author(s):  
Yajie Wang ◽  
Yu-an Tan ◽  
Wenjiao Zhang ◽  
Yuhang Zhao ◽  
Xiaohui Kuang
Keyword(s):  
Black Box ◽  
Adversarial Attack
Sign in / Sign up

Export Citation Format

Share Document