scholarly journals Heuristic Black-Box Adversarial Attacks on Video Recognition Models

2020 ◽  
Vol 34 (07) ◽  
pp. 12338-12345 ◽  
Author(s):  
Zhipeng Wei ◽  
Jingjing Chen ◽  
Xingxing Wei ◽  
Linxi Jiang ◽  
Tat-Seng Chua ◽  
...  
Keyword(s):  
Black Box ◽  
Computation Cost ◽  
Attack Model ◽  
Video Recognition ◽  
Spatial Domains ◽  
Adversarial Examples ◽  
Salient Regions ◽  
Adversarial Attack ◽  
Adversarial Example ◽  
The Given

We study the problem of attacking video recognition models in the black-box setting, where the model information is unknown and the adversary can only make queries to detect the predicted top-1 class and its probability. Compared with the black-box attack on images, attacking videos is more challenging as the computation cost for searching the adversarial perturbations on a video is much higher due to its high dimensionality. To overcome this challenge, we propose a heuristic black-box attack model that generates adversarial perturbations only on the selected frames and regions. More specifically, a heuristic-based algorithm is proposed to measure the importance of each frame in the video towards generating the adversarial examples. Based on the frames' importance, the proposed algorithm heuristically searches a subset of frames where the generated adversarial example has strong adversarial attack ability while keeps the perturbations lower than the given bound. Besides, to further boost the attack efficiency, we propose to generate the perturbations only on the salient regions of the selected frames. In this way, the generated perturbations are sparse in both temporal and spatial domains. Experimental results of attacking two mainstream video recognition methods on the UCF-101 dataset and the HMDB-51 dataset demonstrate that the proposed heuristic black-box adversarial attack method can significantly reduce the computation cost and lead to more than 28% reduction in query numbers for the untargeted attack on both datasets.

scholarly journals A Non-Global Disturbance Targeted Adversarial Example Algorithm Combined with C&W and Grad-Cam

2021 ◽  
Author(s):  
Yinghui Zhu ◽  
Yuzhen Jiang
Keyword(s):  
Learning Systems ◽  
Fine Tuning ◽  
Generation Process ◽  
Original Image ◽  
Signal Features ◽  
Adversarial Examples ◽  
Salient Regions ◽  
Adversarial Attack ◽  
Adversarial Example ◽  
Generation Control

Abstract Adversarial examples are artificially crafted to mislead deep learning systems into making wrong decisions. In the research of attack algorithms against multi-class image classifiers, an improved strategy of applying category explanation to the generation control of targeted adversarial example is proposed to reduce the perturbation noise and improve the adversarial robustness. On the basis of C&W adversarial attack algorithm, the method uses Grad-Cam, a category visualization explanation algorithm of CNN, to dynamically obtain the salient regions according to the signal features of source and target categories during the iterative generation process. The adversarial example of non-global perturbation is finally achieved by gradually shielding the non salient regions and fine-tuning the perturbation signals. Compared with other similar algorithms under the same conditions, the method enhances the effects of the original image category signal on the perturbation position. Experimental results show that, the improved adversarial examples have higher PSNR. In addition, in a variety of different defense processing tests, the examples can keep high adversarial performance and show strong attacking robustness.

scholarly journals A New Ensemble Adversarial Attack Powered by Long-Term Gradient Memories

2020 ◽  
Vol 34 (04) ◽  
pp. 3405-3413
Author(s):  
Zhaohui Che ◽  
Ali Borji ◽  
Guangtao Zhai ◽  
Suiyi Ling ◽  
Jing Li ◽  
...  
Keyword(s):  
Broad Class ◽  
Black Box ◽  
Security Threat ◽  
Source Models ◽  
Adversarial Examples ◽  
Adversarial Attack ◽  
Prediction Systems ◽  
Attack And Defense ◽  
Decision Boundaries

Deep neural networks are vulnerable to adversarial attacks. More importantly, some adversarial examples crafted against an ensemble of pre-trained source models can transfer to other new target models, thus pose a security threat to black-box applications (when the attackers have no access to the target models). Despite adopting diverse architectures and parameters, source and target models often share similar decision boundaries. Therefore, if an adversary is capable of fooling several source models concurrently, it can potentially capture intrinsic transferable adversarial information that may allow it to fool a broad class of other black-box target models. Current ensemble attacks, however, only consider a limited number of source models to craft an adversary, and obtain poor transferability. In this paper, we propose a novel black-box attack, dubbed Serial-Mini-Batch-Ensemble-Attack (SMBEA). SMBEA divides a large number of pre-trained source models into several mini-batches. For each single batch, we design 3 new ensemble strategies to improve the intra-batch transferability. Besides, we propose a new algorithm that recursively accumulates the “long-term” gradient memories of the previous batch to the following batch. This way, the learned adversarial information can be preserved and the inter-batch transferability can be improved. Experiments indicate that our method outperforms state-of-the-art ensemble attacks over multiple pixel-to-pixel vision tasks including image translation and salient region prediction. Our method successfully fools two online black-box saliency prediction systems including DeepGaze-II (Kummerer 2017) and SALICON (Huang et al. 2017). Finally, we also contribute a new repository to promote the research on adversarial attack and defense over pixel-to-pixel tasks: https://github.com/CZHQuality/AAA-Pix2pix.

scholarly journals On the Effectiveness of Adversarial Training in Defending against Adversarial Example Attacks for Image Classification

2020 ◽  
Vol 10 (22) ◽  
pp. 8079
Author(s):  
Sanglee Park ◽  
Jungmin So
Keyword(s):  
Data Augmentation ◽  
Black Box ◽  
Training Data ◽  
Model Parameters ◽  
Neural Network Models ◽  
Practical Applications ◽  
Target Network ◽  
Adversarial Examples ◽  
Adversarial Training ◽  
Adversarial Example

State-of-the-art neural network models are actively used in various fields, but it is well-known that they are vulnerable to adversarial example attacks. Throughout the efforts to make the models robust against adversarial example attacks, it has been found to be a very difficult task. While many defense approaches were shown to be not effective, adversarial training remains as one of the promising methods. In adversarial training, the training data are augmented by “adversarial” samples generated using an attack algorithm. If the attacker uses a similar attack algorithm to generate adversarial examples, the adversarially trained network can be quite robust to the attack. However, there are numerous ways of creating adversarial examples, and the defender does not know what algorithm the attacker may use. A natural question is: Can we use adversarial training to train a model robust to multiple types of attack? Previous work have shown that, when a network is trained with adversarial examples generated from multiple attack methods, the network is still vulnerable to white-box attacks where the attacker has complete access to the model parameters. In this paper, we study this question in the context of black-box attacks, which can be a more realistic assumption for practical applications. Experiments with the MNIST dataset show that adversarially training a network with an attack method helps defending against that particular attack method, but has limited effect for other attack methods. In addition, even if the defender trains a network with multiple types of adversarial examples and the attacker attacks with one of the methods, the network could lose accuracy to the attack if the attacker uses a different data augmentation strategy on the target network. These results show that it is very difficult to make a robust network using adversarial training, even for black-box settings where the attacker has restricted information on the target network.

scholarly journals Adv-Makeup: A New Imperceptible and Transferable Attack on Face Recognition

2021 ◽  
Author(s):  
Bangjie Yin ◽  
Wenxuan Wang ◽  
Taiping Yao ◽  
Junfeng Guo ◽  
Zelun Kong ◽  
...  
Keyword(s):  
Face Recognition ◽  
Black Box ◽  
Fine Grained ◽  
Box Models ◽  
Meta Learning ◽  
Adversarial Examples ◽  
Adversarial Attack ◽  
Face Generation ◽  
Orbital Region ◽  
Black Box Models

Deep neural networks, particularly face recognition models, have been shown to be vulnerable to both digital and physical adversarial examples. However, existing adversarial examples against face recognition systems either lack transferability to black-box models, or fail to be implemented in practice. In this paper, we propose a unified adversarial face generation method - Adv-Makeup, which can realize imperceptible and transferable attack under the black-box setting. Adv-Makeup develops a task-driven makeup generation method with the blending module to synthesize imperceptible eye shadow over the orbital region on faces. And to achieve transferability, Adv-Makeup implements a fine-grained meta-learning based adversarial attack strategy to learn more vulnerable or sensitive features from various models. Compared to existing techniques, sufficient visualization results demonstrate that Adv-Makeup is capable to generate much more imperceptible attacks under both digital and physical scenarios. Meanwhile, extensive quantitative experiments show that Adv-Makeup can significantly improve the attack success rate under black-box setting, even attacking commercial systems.

scholarly journals Random Transformation of image brightness for adversarial attack

2021 ◽  
pp. 1-12
Author(s):  
Bo Yang ◽  
Kaiyong Xu ◽  
Hengjun Wang ◽  
Hengwei Zhang
Keyword(s):  
Success Rate ◽  
Data Augmentation ◽  
Black Box ◽  
Image Brightness ◽  
Gradient Based ◽  
Adversarial Examples ◽  
Random Transformation ◽  
Fast Gradient ◽  
Adversarial Example ◽  
Sign Method

Deep neural networks (DNNs) are vulnerable to adversarial examples, which are crafted by adding small, human-imperceptible perturbations to the original images, but make the model output inaccurate predictions. Before DNNs are deployed, adversarial attacks can thus be an important method to evaluate and select robust models in safety-critical applications. However, under the challenging black-box setting, the attack success rate, i.e., the transferability of adversarial examples, still needs to be improved. Based on image augmentation methods, this paper found that random transformation of image brightness can eliminate overfitting in the generation of adversarial examples and improve their transferability. In light of this phenomenon, this paper proposes an adversarial example generation method, which can be integrated with Fast Gradient Sign Method (FGSM)-related methods to build a more robust gradient-based attack and to generate adversarial examples with better transferability. Extensive experiments on the ImageNet dataset have demonstrated the effectiveness of the aforementioned method. Whether on normally or adversarially trained networks, our method has a higher success rate for black-box attacks than other attack methods based on data augmentation. It is hoped that this method can help evaluate and improve the robustness of models.

scholarly journals A Hybrid Adversarial Attack for Different Application Scenarios

2020 ◽  
Vol 10 (10) ◽  
pp. 3559 ◽  
Author(s):  
Xiaohu Du ◽  
Jie Yu ◽  
Zibo Yi ◽  
Shasha Li ◽  
Jun Ma ◽  
...  
Keyword(s):  
Deep Learning ◽  
Success Rate ◽  
Black Box ◽  
De Algorithm ◽  
Word Level ◽  
Text Readability ◽  
Gradient Based ◽  
Adversarial Examples ◽  
Adversarial Attack ◽  
Cosine Distance

Adversarial attack against natural language has been a hot topic in the field of artificial intelligence security in recent years. It is mainly to study the methods and implementation of generating adversarial examples. The purpose is to better deal with the vulnerability and security of deep learning systems. According to whether the attacker understands the deep learning model structure, the adversarial attack is divided into black-box attack and white-box attack. In this paper, we propose a hybrid adversarial attack for different application scenarios. Firstly, we propose a novel black-box attack method of generating adversarial examples to trick the word-level sentiment classifier, which is based on differential evolution (DE) algorithm to generate semantically and syntactically similar adversarial examples. Compared with existing genetic algorithm based adversarial attacks, our algorithm can achieve a higher attack success rate while maintaining a lower word replacement rate. At the 10% word substitution threshold, we have increased the attack success rate from 58.5% to 63%. Secondly, when we understand the model architecture and parameters, etc., we propose a white-box attack with gradient-based perturbation against the same sentiment classifier. In this attack, we use a Euclidean distance and cosine distance combined metric to find the most semantically and syntactically similar substitution, and we introduce the coefficient of variation (CV) factor to control the dispersion of the modified words in the adversarial examples. More dispersed modifications can increase human imperceptibility and text readability. Compared with the existing global attack, our attack can increase the attack success rate and make modification positions in generated examples more dispersed. We’ve increased the global search success rate from 75.8% to 85.8%. Finally, we can deal with different application scenarios by using these two attack methods, that is, whether we understand the internal structure and parameters of the model, we can all generate good adversarial examples.

scholarly journals Opportunistic Use of Crowdsourced Workers for Online Relabeling of Potential Adversarial Examples

2021 ◽  
Author(s):  
Shawqi Al-Maliki ◽  
Faissal El Bouanani ◽  
Kashif Ahmad ◽  
Mohamed Abdallah ◽  
Dinh Hoang ◽  
...  
Keyword(s):  
Language Processing ◽  
Deep Neural Networks ◽  
Black Box ◽  
Threshold Selection ◽  
Selection Algorithm ◽  
Comparable Performance ◽  
Adversarial Examples ◽  
System Robustness ◽  
Adversarial Example ◽  
The Impact

<div>Deep Neural Networks (DDNs) have achieved tremendous success in handling various Machine Learning (ML) tasks, such as speech recognition, Natural Language Processing, and image classification. However, they have shown vulnerability to well-designed inputs called adversarial examples. Researchers in industry and academia have proposed many adversarial example defense techniques. However, none can provide complete robustness. The cutting-edge defense techniques offer partial reliability. Thus, complementing them with another layer of protection is a must, especially for mission-critical applications. This paper proposes a novel Online Selection and Relabeling Algorithm (OSRA) that opportunistically utilizes a limited number of crowdsourced workers (budget-constraint crowdsourcing) to maximize the ML system’s robustness. OSRA strives to use crowdsourced workers effectively by selecting the most suspicious inputs (the potential adversarial examples) and moving them to the crowdsourced workers to be validated and corrected (relabeled). As a result, the impact of adversarial examples gets reduced, and accordingly, the ML system becomes more robust. We also proposed a heuristic threshold selection method that contributes to enhancing the prediction system’s reliability. We empirically validated our proposed algorithm and found that it can efficiently and optimally utilize the allocated budget for crowdsourcing. It is also effectively integrated with a state-ofthe- art black-box (transfer-based) defense technique, resulting in a more robust system. Simulation results show that OSRA can outperform a random selection algorithm by 60% and achieve comparable performance to an optimal offline selection benchmark. They also show that OSRA’s performance has a positive correlation with system robustness.<br></div>

scholarly journals Weighted-Sampling Audio Adversarial Example Attack

2020 ◽  
Vol 34 (04) ◽  
pp. 4908-4915 ◽  
Author(s):  
Xiaolei Liu ◽  
Kun Wan ◽  
Yufei Ding ◽  
Xiaosong Zhang ◽  
Qingxin Zhu
Keyword(s):  
Automatic Speech Recognition ◽  
Loss Function ◽  
State Of The Art ◽  
Low Noise ◽  
Denoising Method ◽  
Adversarial Examples ◽  
Adversarial Attack ◽  
Recognition Systems ◽  
Level 1 ◽  
Adversarial Example

Recent studies have highlighted audio adversarial examples as a ubiquitous threat to state-of-the-art automatic speech recognition systems. Thorough studies on how to effectively generate adversarial examples are essential to prevent potential attacks. Despite many research on this, the efficiency and the robustness of existing works are not yet satisfactory. In this paper, we propose weighted-sampling audio adversarial examples, focusing on the numbers and the weights of distortion to reinforce the attack. Further, we apply a denoising method in the loss function to make the adversarial attack more imperceptible. Experiments show that our method is the first in the field to generate audio adversarial examples with low noise and high audio robustness at the minute time-consuming level 1.

scholarly journals A Frank-Wolfe Framework for Efficient and Effective Adversarial Attacks

2020 ◽  
Vol 34 (04) ◽  
pp. 3486-3494
Author(s):  
Jinghui Chen ◽  
Dongruo Zhou ◽  
Jinfeng Yi ◽  
Quanquan Gu
Keyword(s):  
Gradient Descent ◽  
State Of The Art ◽  
Black Box ◽  
Success Rates ◽  
Practical Usefulness ◽  
Efficiency And Effectiveness ◽  
Large Distortion ◽  
Adversarial Examples ◽  
Adversarial Attack ◽  
Projected Gradient Descent

Depending on how much information an adversary can access to, adversarial attacks can be classified as white-box attack and black-box attack. For white-box attack, optimization-based attack algorithms such as projected gradient descent (PGD) can achieve relatively high attack success rates within moderate iterates. However, they tend to generate adversarial examples near or upon the boundary of the perturbation set, resulting in large distortion. Furthermore, their corresponding black-box attack algorithms also suffer from high query complexities, thereby limiting their practical usefulness. In this paper, we focus on the problem of developing efficient and effective optimization-based adversarial attack algorithms. In particular, we propose a novel adversarial attack framework for both white-box and black-box settings based on a variant of Frank-Wolfe algorithm. We show in theory that the proposed attack algorithms are efficient with an O(1/√T) convergence rate. The empirical results of attacking the ImageNet and MNIST datasets also verify the efficiency and effectiveness of the proposed algorithms. More specifically, our proposed algorithms attain the best attack performances in both white-box and black-box attacks among all baselines, and are more time and query efficient than the state-of-the-art.

scholarly journals Bayesian Adversarial Attack on Graph Neural Networks (Student Abstract)

2020 ◽  
Vol 34 (10) ◽  
pp. 13867-13868
Author(s):  
Xiao Liu ◽  
Jing Zhao ◽  
Shiliang Sun
Keyword(s):  
Gradient Descent ◽  
Random Variable ◽  
Misclassification Rate ◽  
Experimental Comparison ◽  
Graph Node ◽  
Adversarial Examples ◽  
Adversarial Attack ◽  
Projected Gradient Descent ◽  
Adversarial Example ◽  
Graph Neural Networks

Adversarial attack on graph neural network (GNN) is distinctive as it often jointly trains the available nodes to generate a graph as an adversarial example. Existing attacking approaches usually consider the case that all the training set is available which may be impractical. In this paper, we propose a novel Bayesian adversarial attack approach based on projected gradient descent optimization, called Bayesian PGD attack, which gets more general attack examples than deterministic attack approaches. The generated adversarial examples by our approach using the same partial dataset as deterministic attack approaches would make the GNN have higher misclassification rate on graph node classification. Specifically, in our approach, the edge perturbation Z is used for generating adversarial examples, which is viewed as a random variable with scale constraint, and the optimization target of the edge perturbation is to maximize the KL divergence between its true posterior distribution p(Z|D) and its approximate variational distribution qθ(Z). We experimentally find that the attack performance will decrease with the reduction of available nodes, and the effect of attack using different nodes varies greatly especially when the number of nodes is small. Through experimental comparison with the state-of-the-art attack approaches on GNNs, our approach is demonstrated to have better and robust attack performance.

Sign in / Sign up

Export Citation Format

Share Document