On the Effectiveness of Adversarial Training in Defending against Adversarial Example Attacks for Image Classification

State-of-the-art neural network models are actively used in various fields, but it is well-known that they are vulnerable to adversarial example attacks. Throughout the efforts to make the models robust against adversarial example attacks, it has been found to be a very difficult task. While many defense approaches were shown to be not effective, adversarial training remains as one of the promising methods. In adversarial training, the training data are augmented by “adversarial” samples generated using an attack algorithm. If the attacker uses a similar attack algorithm to generate adversarial examples, the adversarially trained network can be quite robust to the attack. However, there are numerous ways of creating adversarial examples, and the defender does not know what algorithm the attacker may use. A natural question is: Can we use adversarial training to train a model robust to multiple types of attack? Previous work have shown that, when a network is trained with adversarial examples generated from multiple attack methods, the network is still vulnerable to white-box attacks where the attacker has complete access to the model parameters. In this paper, we study this question in the context of black-box attacks, which can be a more realistic assumption for practical applications. Experiments with the MNIST dataset show that adversarially training a network with an attack method helps defending against that particular attack method, but has limited effect for other attack methods. In addition, even if the defender trains a network with multiple types of adversarial examples and the attacker attacks with one of the methods, the network could lose accuracy to the attack if the attacker uses a different data augmentation strategy on the target network. These results show that it is very difficult to make a robust network using adversarial training, even for black-box settings where the attacker has restricted information on the target network.

Download Full-text

Random Transformation of image brightness for adversarial attack

Journal of Intelligent & Fuzzy Systems ◽

10.3233/jifs-211157 ◽

2021 ◽

pp. 1-12

Author(s):

Bo Yang ◽

Kaiyong Xu ◽

Hengjun Wang ◽

Hengwei Zhang

Keyword(s):

Success Rate ◽

Data Augmentation ◽

Black Box ◽

Image Brightness ◽

Gradient Based ◽

Adversarial Examples ◽

Random Transformation ◽

Fast Gradient ◽

Adversarial Example ◽

Sign Method

Deep neural networks (DNNs) are vulnerable to adversarial examples, which are crafted by adding small, human-imperceptible perturbations to the original images, but make the model output inaccurate predictions. Before DNNs are deployed, adversarial attacks can thus be an important method to evaluate and select robust models in safety-critical applications. However, under the challenging black-box setting, the attack success rate, i.e., the transferability of adversarial examples, still needs to be improved. Based on image augmentation methods, this paper found that random transformation of image brightness can eliminate overfitting in the generation of adversarial examples and improve their transferability. In light of this phenomenon, this paper proposes an adversarial example generation method, which can be integrated with Fast Gradient Sign Method (FGSM)-related methods to build a more robust gradient-based attack and to generate adversarial examples with better transferability. Extensive experiments on the ImageNet dataset have demonstrated the effectiveness of the aforementioned method. Whether on normally or adversarially trained networks, our method has a higher success rate for black-box attacks than other attack methods based on data augmentation. It is hoped that this method can help evaluate and improve the robustness of models.

Download Full-text

Automated Ventricular System Segmentation in Paediatric Patients Treated for Hydrocephalus Using Deep Learning Methods

BioMed Research International ◽

10.1155/2019/3059170 ◽

2019 ◽

Vol 2019 ◽

pp. 1-9 ◽

Cited By ~ 2

Author(s):

Michał Klimont ◽

Mateusz Flieger ◽

Jacek Rzeszutek ◽

Joanna Stachera ◽

Aleksandra Zakrzewska ◽

...

Keyword(s):

Neural Network ◽

Data Augmentation ◽

Ct Images ◽

Policy Transfer ◽

Training Data ◽

Intraobserver Variability ◽

Practical Applications ◽

Brain Scans ◽

Rate Policy ◽

Ct Brain

Hydrocephalus is a common neurological condition that can have traumatic ramifications and can be lethal without treatment. Nowadays, during therapy radiologists have to spend a vast amount of time assessing the volume of cerebrospinal fluid (CSF) by manual segmentation on Computed Tomography (CT) images. Further, some of the segmentations are prone to radiologist bias and high intraobserver variability. To improve this, researchers are exploring methods to automate the process, which would enable faster and more unbiased results. In this study, we propose the application of U-Net convolutional neural network in order to automatically segment CT brain scans for location of CSF. U-Net is a neural network that has proven to be successful for various interdisciplinary segmentation tasks. We optimised training using state of the art methods, including “1cycle” learning rate policy, transfer learning, generalized dice loss function, mixed float precision, self-attention, and data augmentation. Even though the study was performed using a limited amount of data (80 CT images), our experiment has shown near human-level performance. We managed to achieve a 0.917 mean dice score with 0.0352 standard deviation on cross validation across the training data and a 0.9506 mean dice score on a separate test set. To our knowledge, these results are better than any known method for CSF segmentation in hydrocephalic patients, and thus, it is promising for potential practical applications.

Download Full-text

Insufficient Data Can Also Rock! Learning to Converse Using Smaller Data with Augmentation

Proceedings of the AAAI Conference on Artificial Intelligence ◽

10.1609/aaai.v33i01.33016698 ◽

2019 ◽

Vol 33 ◽

pp. 6698-6705

Author(s):

Juntao Li ◽

Lisong Qiu ◽

Bo Tang ◽

Dongmin Chen ◽

Dongyan Zhao ◽

...

Keyword(s):

Data Augmentation ◽

Network Models ◽

Generative Models ◽

Training Data ◽

Insufficient Data ◽

Dialogue System ◽

Neural Network Models ◽

Augmentation Techniques ◽

Training Pair ◽

Existing Data

Recent successes of open-domain dialogue generation mainly rely on the advances of deep neural networks. The effectiveness of deep neural network models depends on the amount of training data. As it is laboursome and expensive to acquire a huge amount of data in most scenarios, how to effectively utilize existing data is the crux of this issue. In this paper, we use data augmentation techniques to improve the performance of neural dialogue models on the condition of insufficient data. Specifically, we propose a novel generative model to augment existing data, where the conditional variational autoencoder (CVAE) is employed as the generator to output more training data with diversified expressions. To improve the correlation of each augmented training pair, we design a discriminator with adversarial training to supervise the augmentation process. Moreover, we thoroughly investigate various data augmentation schemes for neural dialogue system with generative models, both GAN and CVAE. Experimental results on two open corpora, Weibo and Twitter, demonstrate the superiority of our proposed data augmentation model.

Download Full-text

Attention-Aware Adversarial Network for Person Re-Identification

Applied Sciences ◽

10.3390/app9081550 ◽

2019 ◽

Vol 9 (8) ◽

pp. 1550 ◽

Cited By ~ 1

Author(s):

Aihong Shen ◽

Huasheng Wang ◽

Junjie Wang ◽

Hongchen Tan ◽

Xiuping Liu ◽

...

Keyword(s):

High Performance ◽

Large Scale ◽

Data Augmentation ◽

Fundamental Problem ◽

Training Data ◽

Specific Data ◽

Training Strategy ◽

Adversarial Network ◽

Benchmark Datasets ◽

Adversarial Training

Person re-identification (re-ID) is a fundamental problem in the field of computer vision. The performance of deep learning-based person re-ID models suffers from a lack of training data. In this work, we introduce a novel image-specific data augmentation method on the feature map level to enforce feature diversity in the network. Furthermore, an attention assignment mechanism is proposed to enforce that the person re-ID classifier focuses on nearly all important regions of the input person image. To achieve this, a three-stage framework is proposed. First, a baseline classification network is trained for person re-ID. Second, an attention assignment network is proposed based on the baseline network, in which the attention module learns to suppress the response of the current detected regions and re-assign attentions to other important locations. By this means, multiple important regions for classification are highlighted by the attention map. Finally, the attention map is integrated in the attention-aware adversarial network (AAA-Net), which generates high-performance classification results with an adversarial training strategy. We evaluate the proposed method on two large-scale benchmark datasets, including Market1501 and DukeMTMC-reID. Experimental results show that our algorithm performs favorably against the state-of-the-art methods.

Download Full-text

Maximizing Overall Diversity for Improved Uncertainty Estimates in Deep Ensembles

Proceedings of the AAAI Conference on Artificial Intelligence ◽

10.1609/aaai.v34i04.5849 ◽

2020 ◽

Vol 34 (04) ◽

pp. 4264-4271

Author(s):

Siddhartha Jain ◽

Ge Liu ◽

Jonas Mueller ◽

David Gifford

Keyword(s):

Network Models ◽

Predictive Performance ◽

Training Data ◽

Bayesian Optimization ◽

Neural Network Models ◽

Training Techniques ◽

Uncertainty Estimates ◽

Data Density ◽

Adversarial Training ◽

Diverse Ensemble

The inaccuracy of neural network models on inputs that do not stem from the distribution underlying the training data is problematic and at times unrecognized. Uncertainty estimates of model predictions are often based on the variation in predictions produced by a diverse ensemble of models applied to the same input. Here we describe Maximize Overall Diversity (MOD), an approach to improve ensemble-based uncertainty estimates by encouraging larger overall diversity in ensemble predictions across all possible inputs. We apply MOD to regression tasks including 38 Protein-DNA binding datasets, 9 UCI datasets, and the IMDB-Wiki image dataset. We also explore variants that utilize adversarial training techniques and data density estimation. For out-of-distribution test examples, MOD significantly improves predictive performance and uncertainty calibration without sacrificing performance on test data drawn from same distribution as the training data. We also find that in Bayesian optimization tasks, the performance of UCB acquisition is improved via MOD uncertainty estimates.

Download Full-text

Generating Adversarial Examples with Adversarial Networks

Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence ◽

10.24963/ijcai.2018/543 ◽

2018 ◽

Cited By ~ 65

Author(s):

Chaowei Xiao ◽

Bo Li ◽

Jun-yan Zhu ◽

Warren He ◽

Mingyan Liu ◽

...

Keyword(s):

Deep Neural Networks ◽

State Of The Art ◽

Black Box ◽

Generative Adversarial Networks ◽

Perceptual Quality ◽

Small Magnitude ◽

Adversarial Networks ◽

Original Target ◽

Adversarial Examples ◽

Adversarial Training

Deep neural networks (DNNs) have been found to be vulnerable to adversarial examples resulting from adding small-magnitude perturbations to inputs. Such adversarial examples can mislead DNNs to produce adversary-selected results. Different attack strategies have been proposed to generate adversarial examples, but how to produce them with high perceptual quality and more efficiently requires more research efforts. In this paper, we propose AdvGAN to generate adversarial exam- ples with generative adversarial networks (GANs), which can learn and approximate the distribution of original instances. For AdvGAN, once the generator is trained, it can generate perturbations efficiently for any instance, so as to potentially accelerate adversarial training as defenses. We apply Adv- GAN in both semi-whitebox and black-box attack settings. In semi-whitebox attacks, there is no need to access the original target model after the generator is trained, in contrast to traditional white-box attacks. In black-box attacks, we dynamically train a distilled model for the black-box model and optimize the generator accordingly. Adversarial examples generated by AdvGAN on different target models have high attack success rate under state-of-the-art defenses compared to other attacks. Our attack has placed the first with 92.76% accuracy on a public MNIST black-box attack challenge.

Download Full-text

LSGAN-AT: enhancing malware detector robustness against adversarial examples

Cybersecurity ◽

10.1186/s42400-021-00102-9 ◽

2021 ◽

Vol 4 (1) ◽

Author(s):

Jianhua Wang ◽

Xiaolin Chang ◽

Yixiang Wang ◽

Ricardo J. Rodríguez ◽

Jianan Zhang

Keyword(s):

Recognition Rate ◽

Black Box ◽

Least Square ◽

Generative Adversarial Network ◽

Adversarial Network ◽

Novel Approach ◽

Key Factor ◽

Adversarial Examples ◽

Adversarial Training ◽

And Training

AbstractAdversarial Malware Example (AME)-based adversarial training can effectively enhance the robustness of Machine Learning (ML)-based malware detectors against AME. AME quality is a key factor to the robustness enhancement. Generative Adversarial Network (GAN) is a kind of AME generation method, but the existing GAN-based AME generation methods have the issues of inadequate optimization, mode collapse and training instability. In this paper, we propose a novel approach (denote as LSGAN-AT) to enhance ML-based malware detector robustness against Adversarial Examples, which includes LSGAN module and AT module. LSGAN module can generate more effective and smoother AME by utilizing brand-new network structures and Least Square (LS) loss to optimize boundary samples. AT module makes adversarial training using AME generated by LSGAN to generate ML-based Robust Malware Detector (RMD). Extensive experiment results validate the better transferability of AME in terms of attacking 6 ML detectors and the RMD transferability in terms of resisting the MalGAN black-box attack. The results also verify the performance of the generated RMD in the recognition rate of AME.

Download Full-text

Black-Box Diagnosis and Calibration on GAN Intra-Mode Collapse: A Pilot Study

ACM Transactions on Multimedia Computing Communications and Applications ◽

10.1145/3472768 ◽

2021 ◽

Vol 17 (3s) ◽

pp. 1-18

Author(s):

Zhenyu Wu ◽

Zhaowen Wang ◽

Ye Yuan ◽

Jianming Zhang ◽

Zhangyang Wang ◽

...

Keyword(s):

State Of The Art ◽

Black Box ◽

Training Data ◽

Generative Adversarial Networks ◽

Small Scale ◽

Model Parameters ◽

Original Training ◽

Image Generation ◽

Adversarial Networks ◽

Calibration Techniques

Generative adversarial networks (GANs) nowadays are capable of producing images of incredible realism. Two concerns raised are whether the state-of-the-art GAN’s learned distribution still suffers from mode collapse and what to do if so. Existing diversity tests of samples from GANs are usually conducted qualitatively on a small scale and/or depend on the access to original training data as well as the trained model parameters. This article explores GAN intra-mode collapse and calibrates that in a novel black-box setting: access to neither training data nor the trained model parameters is assumed. The new setting is practically demanded yet rarely explored and significantly more challenging. As a first stab, we devise a set of statistical tools based on sampling that can visualize, quantify, and rectify intra-mode collapse . We demonstrate the effectiveness of our proposed diagnosis and calibration techniques, via extensive simulations and experiments, on unconditional GAN image generation (e.g., face and vehicle). Our study reveals that the intra-mode collapse is still a prevailing problem in state-of-the-art GANs and the mode collapse is diagnosable and calibratable in black-box settings. Our codes are available at https://github.com/VITA-Group/BlackBoxGANCollapse .

Download Full-text

On the combination of data augmentation method and gated convolution model for building effective and robust intrusion detection

Cybersecurity ◽

10.1186/s42400-020-00063-5 ◽

2020 ◽

Vol 3 (1) ◽

Author(s):

Yixiang Wang ◽

Shaohua lv ◽

Jiqiang Liu ◽

Xiaolin Chang ◽

Jinqiang Wang

Keyword(s):

Intrusion Detection ◽

Data Augmentation ◽

System Call ◽

Generation Algorithm ◽

Sequence Generation ◽

Convolution Model ◽

Adversarial Examples ◽

Adversarial Training ◽

System Call Sequences ◽

The Impact

AbstractDeep learning (DL) has exhibited its exceptional performance in fields like intrusion detection. Various augmentation methods have been proposed to improve data quality and eventually to enhance the performance of DL models. However, the classic augmentation methods cannot be applied to those DL models which exploit the system-call sequences to detect intrusion. Previously, the seq2seq model has been explored to augment system-call sequences. Following this work, we propose a gated convolutional neural network (GCNN) model to thoroughly extract the potential information of augmented sequences. Also, in order to enhance the model’s robustness, we adopt adversarial training to reduce the impact of adversarial examples on the model. Adversarial examples used in adversarial training are generated by the proposed adversarial sequence generation algorithm. The experimental results on different verified models show that GCNN model can better obtain the potential information of the augmented data and achieve the best performance. Furthermore, GCNN with adversarial training can enhance robustness significantly.

Download Full-text

Timing Black-Box Attacks: Crafting Adversarial Examples through Timing Leaks against DNNs on Embedded Devices

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2021.i3.149-175 ◽

2021 ◽

pp. 149-175

Author(s):

Tsunato Nakai ◽

Daisuke Suzuki ◽

Takeshi Fujino

Keyword(s):

Input Data ◽

Processing Time ◽

Distributed Processing ◽

Activation Function ◽

Black Box ◽

Training Data ◽

Embedded Devices ◽

Adversarial Examples ◽

Microcontroller Unit ◽

Output Probability

Deep neural networks (DNNs) have been applied to various industries. In particular, DNNs on embedded devices have attracted considerable interest because they allow real-time and distributed processing on site. However, adversarial examples (AEs), which add small perturbations to the input data of DNNs to cause misclassification, are serious threats to DNNs. In this paper, a novel black-box attack is proposed to craft AEs based only on processing time, i.e., the side-channel leaks from DNNs on embedded devices. Unlike several existing black-box attacks that utilize output probability, the proposed attack exploits the relationship between the number of activated nodes and processing time without using training data, model architecture, parameters, substitute models, or output probability. The perturbations for AEs are determined by the differential processing time based on the input data of the DNNs in the proposed attack. The experimental results show that the AEs of the proposed attack effectively cause an increase in the number of activated nodes and the misclassification of one of the incorrect labels against the DNNs on a microcontroller unit. Moreover, these results indicate that the attack can evade gradient-masking and confidence reduction countermeasures, which conceal the output probability, to prevent the crafting of AEs against several black-box attacks. Finally, the countermeasures against the attack are implemented and evaluated to clarify that the implementation of an activation function with data-dependent timing leaks is the cause of the proposed attack.

Download Full-text