Generating adversarial examples without specifying a target model

2021 ◽  
Vol 7 ◽  
pp. e702
Author(s):  
Gaoming Yang ◽  
Mingwei Li ◽  
Xianjing Fang ◽  
Ji Zhang ◽  
Xingzhu Liang

Adversarial examples are regarded as a security threat to deep learning models, and there are many ways to generate them. However, most existing methods require the query authority of the target during their work. In a more practical situation, the attacker will be easily detected because of too many queries, and this problem is especially obvious under the black-box setting. To solve the problem, we propose the Attack Without a Target Model (AWTM). Our algorithm does not specify any target model in generating adversarial examples, so it does not need to query the target. Experimental results show that it achieved a maximum attack success rate of 81.78% in the MNIST data set and 87.99% in the CIFAR-10 data set. In addition, it has a low time cost because it is a GAN-based method.

2021 ◽  
Author(s):  
Yidong Chai ◽  
Ruicheng Liang ◽  
Hongyi Zhu ◽  
Sagar Samtani ◽  
Meng Wang ◽  
...  

Deep learning models have significantly advanced various natural language processing tasks. However, they are strikingly vulnerable to adversarial text attacks, even in the black-box setting where no model knowledge is accessible to hackers. Such attacks are conducted with a two-phase framework: 1) a sensitivity estimation phase to evaluate each element’s sensitivity to the target model’s prediction, and 2) a perturbation execution phase to craft the adversarial examples based on estimated element sensitivity. This study explored the connections between the local post-hoc explainable methods for deep learning and black-box adversarial text attacks and proposed a novel eXplanation-based method for crafting Adversarial Text Attacks (XATA). XATA leverages local post-hoc explainable methods (e.g., LIME or SHAP) to measure input elements’ sensitivity and adopts the word replacement perturbation strategy to craft adversarial examples. We evaluated the attack performance of the proposed XATA on three commonly used text-based datasets: IMDB Movie Review, Yelp Reviews-Polarity, and Amazon Reviews-Polarity. The proposed XATA outperformed existing baselines in various target models, including LSTM, GRU, CNN, and BERT. Moreover, we found that improved local post-hoc explainable methods (e.g., SHAP) lead to more effective adversarial attacks. These findings showed that when researchers constantly advance the explainability of deep learning models with local post-hoc methods, they also provide hackers with weapons to craft more targeted and dangerous adversarial attacks.


Author(s):  
Evren Dağlarli

Explainable artificial intelligence (xAI) is one of the interesting issues that has emerged recently. Many researchers are trying to deal with the subject from different dimensions, and interesting results have come out. However, we are still at the beginning of the way to understanding these types of models. The forthcoming years are expected to be years in which the openness of deep learning models is discussed. In classical artificial intelligence approaches, we frequently encounter the deep learning methods available today. These deep learning methods can yield highly effective results depending on the data set size, data set quality, the methods used in feature extraction, the hyperparameter set used in deep learning models, the activation functions, and the optimization algorithms. However, current deep learning models have important shortcomings. These artificial neural network-based models are black box models that generalize the data transmitted to them and learn from the data. Therefore, the relational link between input and output is not observable. This is an important open point in artificial neural networks and deep learning models. For these reasons, it is necessary to make serious efforts on the explainability and interpretability of black box models.


2020 ◽  
Vol 10 (10) ◽  
pp. 3559 ◽  
Author(s):  
Xiaohu Du ◽  
Jie Yu ◽  
Zibo Yi ◽  
Shasha Li ◽  
Jun Ma ◽  
...  

Adversarial attack against natural language has been a hot topic in the field of artificial intelligence security in recent years. It mainly studies the methods and implementation of generating adversarial examples. The purpose is to better deal with the vulnerability and security of deep learning systems. According to whether the attacker understands the deep learning model structure, adversarial attacks are divided into black-box attacks and white-box attacks. In this paper, we propose a hybrid adversarial attack for different application scenarios. Firstly, we propose a novel black-box attack method of generating adversarial examples to trick the word-level sentiment classifier, which is based on the differential evolution (DE) algorithm to generate semantically and syntactically similar adversarial examples. Compared with existing genetic-algorithm-based adversarial attacks, our algorithm can achieve a higher attack success rate while maintaining a lower word replacement rate. At the 10% word substitution threshold, we have increased the attack success rate from 58.5% to 63%. Secondly, when we understand the model architecture and parameters, etc., we propose a white-box attack with gradient-based perturbation against the same sentiment classifier. In this attack, we use a combined Euclidean distance and cosine distance metric to find the most semantically and syntactically similar substitution, and we introduce the coefficient of variation (CV) factor to control the dispersion of the modified words in the adversarial examples. More dispersed modifications can increase human imperceptibility and text readability. Compared with the existing global attack, our attack can increase the attack success rate and make modification positions in generated examples more dispersed. We have increased the global search success rate from 75.8% to 85.8%. Finally, we can deal with different application scenarios by using these two attack methods; that is, whether or not we understand the internal structure and parameters of the model, we can generate good adversarial examples.



2021 ◽  
Vol 87 (4) ◽  
pp. 283-293
Author(s):  
Wei Wang ◽  
Yuan Xu ◽  
Yingchao Ren ◽  
Gang Wang

Recently, performance improvement in facade parsing from 3D point clouds has been brought about by designing more complex network structures, which cost huge computing resources and do not take full advantage of prior knowledge of facade structure. Instead, from the perspective of data distribution, we construct a new hierarchical mesh multi-view data domain based on the characteristics of facade objects to achieve fusion of deep-learning models and prior knowledge, thereby significantly improving segmentation accuracy. We comprehensively evaluate the current mainstream method on the RueMonge 2014 data set and demonstrate the superiority of our method. The mean intersection-over-union index on the facade-parsing task reached 76.41%, which is 2.75% higher than the current best result. In addition, through comparative experiments, the reasons for the performance improvement of the proposed method are further analyzed.


2020 ◽  
Vol 34 (04) ◽  
pp. 3405-3413
Author(s):  
Zhaohui Che ◽  
Ali Borji ◽  
Guangtao Zhai ◽  
Suiyi Ling ◽  
Jing Li ◽  
...  

Deep neural networks are vulnerable to adversarial attacks. More importantly, some adversarial examples crafted against an ensemble of pre-trained source models can transfer to other new target models, thus posing a security threat to black-box applications (where the attackers have no access to the target models). Despite adopting diverse architectures and parameters, source and target models often share similar decision boundaries. Therefore, if an adversary is capable of fooling several source models concurrently, it can potentially capture intrinsic transferable adversarial information that may allow it to fool a broad class of other black-box target models. Current ensemble attacks, however, only consider a limited number of source models to craft an adversary, and obtain poor transferability. In this paper, we propose a novel black-box attack, dubbed Serial-Mini-Batch-Ensemble-Attack (SMBEA). SMBEA divides a large number of pre-trained source models into several mini-batches. For each single batch, we design 3 new ensemble strategies to improve the intra-batch transferability. Besides, we propose a new algorithm that recursively accumulates the “long-term” gradient memories of the previous batch into the following batch. This way, the learned adversarial information can be preserved and the inter-batch transferability can be improved. Experiments indicate that our method outperforms state-of-the-art ensemble attacks over multiple pixel-to-pixel vision tasks including image translation and salient region prediction. Our method successfully fools two online black-box saliency prediction systems, DeepGaze-II (Kummerer 2017) and SALICON (Huang et al. 2017). Finally, we also contribute a new repository to promote research on adversarial attack and defense over pixel-to-pixel tasks: https://github.com/CZHQuality/AAA-Pix2pix.


2021 ◽  
Vol 11 ◽  
Author(s):  
Guotao Yin ◽  
Ziyang Wang ◽  
Yingchao Song ◽  
Xiaofeng Li ◽  
Yiwen Chen ◽  
...  

Objective: The purpose of this study was to develop a deep learning-based system to automatically predict epidermal growth factor receptor (EGFR) mutant lung adenocarcinoma in 18F-fluorodeoxyglucose (FDG) positron emission tomography/computed tomography (PET/CT).

Methods: Three hundred and one lung adenocarcinoma patients with known EGFR mutation status were enrolled in this study. Two deep learning models (SECT and SEPET) were developed with the Squeeze-and-Excitation Residual Network (SE-ResNet) module for the prediction of EGFR mutation with CT and PET images, respectively. The deep learning models were trained with a training data set of 198 patients and tested with a testing data set of 103 patients. Stacked generalization was used to integrate the results of SECT and SEPET.

Results: The AUCs of SECT and SEPET were 0.72 (95% CI, 0.62–0.80) and 0.74 (95% CI, 0.65–0.82) in the testing data set, respectively. After integrating SECT and SEPET with stacked generalization, the AUC was further improved to 0.84 (95% CI, 0.75–0.90), significantly higher than SECT (p<0.05).

Conclusion: The stacking model based on 18F-FDG PET/CT images is capable of predicting the EGFR mutation status of patients with lung adenocarcinoma automatically and non-invasively. The proposed model in this study showed the potential to help clinicians identify suitable advanced patients with lung adenocarcinoma for EGFR-targeted therapy.


2021 ◽  
Author(s):  
Zhifei Hu

In this paper, a sentiment analysis model based on the fusion of bi-directional GRU, Attention and Capsule (BI-GRU+Attention+Capsule) was designed and implemented for the sentiment analysis task on the open film review data set IMDB. It is compared with six deep learning models: LSTM, CNN, GRU, BI-GRU, CNN+GRU and GRU+CNN. The experimental results show that the accuracy of the BI-GRU model combined with Attention and Capsule is higher than that of the other six models, the accuracy of the GRU+CNN model is higher than that of the CNN+GRU model, and the accuracy of the CNN+GRU model is higher than that of the CNN model. The accuracy of the CNN model was in turn higher than that of the LSTM, BI-GRU and GRU models. The fusion model of BI-GRU+Attention+Capsule adopted in this paper has the highest accuracy among all the models. In conclusion, the fusion model of BI-GRU+Attention+Capsule effectively improves the accuracy of text sentiment classification.


Author(s):  
Honggang Yu ◽  
Kaichen Yang ◽  
Teng Zhang ◽  
Yun-Yun Tsai ◽  
Tsung-Yi Ho ◽  
...  
